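# SSL Certificate Setup Script for VPS Deployment (PowerShell)
# This script helps set up SSL certificates for your nginx configuration.
#
# Usage (run from the project root, where docker-compose.yml lives):
#   .\<this-script>.ps1 -Domain example.com -Email admin@example.com
#   .\<this-script>.ps1 -Domain 203.0.113.10      # example IP -> self-signed
#
# What it does:
#   * IPv4 address -> self-signed certificate via OpenSSL. The IP is added as a
#                     subjectAltName as well as the CN, because current
#                     browsers and TLS libraries validate the SAN, not the CN.
#   * Host name    -> Let's Encrypt certificate via certbot (webroot challenge),
#                     copied into the nginx SSL directory, plus a renew.sh that
#                     re-copies the renewed files before restarting nginx.
#
# Output files (relative to the current directory):
#   nginx\ssl\cert.pem   certificate (fullchain.pem for Let's Encrypt)
#   nginx\ssl\key.pem    private key, unencrypted as nginx expects it

param(
    [string]$Domain = "candivista.com",
    [string]$Email = "your-email@example.com",
    # Directory holding certbot's per-domain "live" folders. The default is the
    # Linux/WSL location; override it if certbot stores certificates elsewhere.
    [string]$LetsEncryptLiveDir = "/etc/letsencrypt/live"
)

$ErrorActionPreference = "Stop"

$NginxConfDir = ".\nginx"
$SslDir = ".\nginx\ssl"
$CertPath = "$SslDir\cert.pem"
$KeyPath = "$SslDir\key.pem"

# Returns $true when an external tool can be resolved on PATH.
# Get-Command is used instead of running "<tool> --version 2>$null": under
# $ErrorActionPreference = "Stop", Windows PowerShell turns any stderr output
# of a native command into a terminating error, so a tool that merely prints
# its version to stderr would be mis-reported as missing.
function Test-Tool {
    param([string]$Name)
    return [bool](Get-Command $Name -ErrorAction SilentlyContinue)
}

# Restricts a private-key file to its owner where the platform has chmod
# (Linux, macOS, WSL). On Windows the key keeps the NTFS ACL inherited from
# the project directory; tighten it by hand if that directory is shared.
function Protect-PrivateKey {
    param([string]$Path)
    if (Get-Command chmod -ErrorAction SilentlyContinue) {
        & chmod 600 $Path
    }
}

# Writes a bash script as UTF-8 without BOM and with LF line endings.
# Out-File -Encoding UTF8 on Windows PowerShell prepends a BOM and uses CRLF,
# both of which break the "#!/bin/bash" shebang line.
function Write-BashScript {
    param([string]$Path, [string]$Content)
    $text = $Content -replace "`r`n", "`n"
    if (-not $text.EndsWith("`n")) { $text += "`n" }
    # .NET resolves relative paths against its own working directory, which can
    # differ from the PowerShell location, so resolve through the provider.
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
    [System.IO.File]::WriteAllText($fullPath, $text, (New-Object System.Text.UTF8Encoding($false)))
}

if ([string]::IsNullOrWhiteSpace($Domain)) {
    Write-Host "A domain name or IP address is required (-Domain)." -ForegroundColor Red
    exit 1
}

Write-Host "Setting up SSL certificates for $Domain" -ForegroundColor Green

# Create SSL directory if it doesn't exist (-Force is a no-op when it does).
New-Item -ItemType Directory -Path $SslDir -Force | Out-Null

# Check if we have a domain name or just IP
if ($Domain -match '^\d+\.\d+\.\d+\.\d+$') {
    Write-Host "IP address detected: $Domain" -ForegroundColor Yellow
    Write-Host "For IP addresses, you'll need to use self-signed certificates or a service like Cloudflare" -ForegroundColor Yellow
    Write-Host "Generating self-signed certificate..." -ForegroundColor Yellow

    # Check if OpenSSL is available
    if (-not (Test-Tool 'openssl')) {
        Write-Host "OpenSSL not found. Please install OpenSSL or use WSL/Linux subsystem." -ForegroundColor Red
        Write-Host "Alternative: Use Cloudflare for SSL termination" -ForegroundColor Yellow
        exit 1
    }

    # Generate self-signed certificate.
    # -nodes: unencrypted key, which is what nginx reads at startup.
    # -addext (OpenSSL 1.1.1+): put the IP in subjectAltName; a CN-only
    # certificate is rejected by current clients even if the user trusts it.
    & openssl req -x509 -nodes -days 365 -newkey rsa:2048 `
        -keyout $KeyPath `
        -out $CertPath `
        -subj "/C=US/ST=State/L=City/O=Organization/CN=$Domain" `
        -addext "subjectAltName=IP:$Domain"

    if ($LASTEXITCODE -ne 0) {
        Write-Host "Failed to generate self-signed certificate" -ForegroundColor Red
        exit 1
    }
    Protect-PrivateKey $KeyPath

    Write-Host "Self-signed certificate generated successfully!" -ForegroundColor Green
    Write-Host "Note: Browsers will show a security warning for self-signed certificates." -ForegroundColor Yellow
    Write-Host "For production, consider using Cloudflare or a domain name with Let's Encrypt." -ForegroundColor Yellow
} else {
    Write-Host "Domain name detected: $Domain" -ForegroundColor Green
    Write-Host "Setting up Let's Encrypt certificate..." -ForegroundColor Green

    # Check if certbot is available
    if (-not (Test-Tool 'certbot')) {
        Write-Host "Certbot not found. Please install certbot first:" -ForegroundColor Red
        Write-Host "  Windows: Use WSL or install via pip" -ForegroundColor Yellow
        Write-Host "  Linux: sudo apt-get install certbot" -ForegroundColor Yellow
        Write-Host "  macOS: brew install certbot" -ForegroundColor Yellow
        exit 1
    }

    # Create webroot directory for Let's Encrypt challenge
    $webrootDir = "$SslDir\webroot\.well-known\acme-challenge"
    New-Item -ItemType Directory -Path $webrootDir -Force | Out-Null

    # Get certificate
    & certbot certonly --webroot `
        -w "$SslDir\webroot" `
        -d $Domain `
        --email $Email `
        --agree-tos `
        --non-interactive

    if ($LASTEXITCODE -ne 0) {
        Write-Host "Failed to obtain Let's Encrypt certificate" -ForegroundColor Red
        exit 1
    }

    # Copy certificates to our SSL directory
    $liveDir = "$LetsEncryptLiveDir/$Domain"
    Copy-Item "$liveDir/fullchain.pem" $CertPath
    Copy-Item "$liveDir/privkey.pem" $KeyPath
    Protect-PrivateKey $KeyPath

    Write-Host "Let's Encrypt certificate installed successfully!" -ForegroundColor Green

    # Create renewal script. "certbot renew" only updates the files under the
    # live directory; nginx serves the copies in $SslDir, so they must be
    # re-copied before the restart or nginx keeps serving the expired pair.
    # Paths are written with forward slashes because this is a bash script.
    $liveDirPosix = $liveDir -replace '\\', '/'
    $sslDirPosix = $SslDir -replace '\\', '/'
    $renewScript = @"
#!/bin/bash
# Renews the Let's Encrypt certificate and refreshes the copies nginx uses.
# Run from the project root (where docker-compose.yml lives).
set -euo pipefail
certbot renew --quiet
cp "$liveDirPosix/fullchain.pem" "$sslDirPosix/cert.pem"
cp "$liveDirPosix/privkey.pem" "$sslDirPosix/key.pem"
chmod 600 "$sslDirPosix/key.pem"
docker-compose restart nginx
"@
    Write-BashScript -Path "$SslDir\renew.sh" -Content $renewScript

    Write-Host "Auto-renewal script created!" -ForegroundColor Green
}

Write-Host "SSL setup complete!" -ForegroundColor Green
Write-Host "Certificate: $CertPath" -ForegroundColor Cyan
Write-Host "Private key: $KeyPath" -ForegroundColor Cyan
Write-Host ""
Write-Host "Next steps:" -ForegroundColor Yellow
Write-Host "1. Update your .env file with production values" -ForegroundColor White
Write-Host "2. Run: docker-compose -f docker-compose.yml --env-file env.production up -d" -ForegroundColor White
Write-Host "3. Test your setup: https://$Domain" -ForegroundColor White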