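#!/bin/bash
#
# SSL Certificate Setup Script for VPS Deployment
#
# This script helps set up SSL certificates for your nginx configuration.
# Run it from the project root (the directory holding docker-compose.yml):
# the relative defaults below and the docker-compose restart in the
# renewal job both depend on that.
#
# Behaviour:
#   - DOMAIN is an IPv4 address  -> a self-signed certificate is written to SSL_DIR.
#   - DOMAIN is a host name      -> a Let's Encrypt certificate is obtained with
#     certbot (webroot mode), copied into SSL_DIR, and a daily renewal job is
#     installed in root's crontab that re-copies the renewed files and
#     restarts the nginx container.
#
# Environment (all optional; the defaults are the values used historically):
#   DOMAIN   - domain name or IPv4 address the certificate is issued for
#   EMAIL    - contact address registered with Let's Encrypt
#   SSL_DIR  - where cert.pem / key.pem are written (nginx reads from here)
#
# Outputs: cert.pem and key.pem in SSL_DIR; key.pem is made mode 0600 because
# it is the private key.

set -euo pipefail

DOMAIN="${DOMAIN:-candivista.com}"
EMAIL="${EMAIL:-blindxfish@gmail.com}" # Change this to your email
# shellcheck disable=SC2034 -- kept for operators who source this file
NGINX_CONF_DIR="${NGINX_CONF_DIR:-./nginx}"
SSL_DIR="${SSL_DIR:-./nginx/ssl}"
# Directory to run docker-compose from inside the renewal job.
PROJECT_DIR="$PWD"

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# True when the argument is a dotted-quad IPv4 address.
# Arguments: $1 - candidate host string
#######################################
is_ipv4() {
  [[ "$1" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]
}

#######################################
# Restrict the private key to its owner; cert.pem stays world-readable.
# Globals: SSL_DIR (read)
#######################################
lock_down_key() {
  chmod 600 -- "$SSL_DIR/key.pem"
}

#######################################
# Generate a self-signed certificate for an IP address.
# Globals: DOMAIN, SSL_DIR (read)
#######################################
setup_self_signed() {
  echo "IP address detected: $DOMAIN"
  echo "For IP addresses, you'll need to use self-signed certificates or a service like Cloudflare"
  echo "Generating self-signed certificate..."

  # Browsers match the requested host against subjectAltName, not CN, so an
  # IP SAN is needed for the certificate to be usable at all (openssl >= 1.1.1).
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$SSL_DIR/key.pem" \
    -out "$SSL_DIR/cert.pem" \
    -subj "/C=US/ST=State/L=City/O=Organization/CN=$DOMAIN" \
    -addext "subjectAltName=IP:$DOMAIN"
  lock_down_key

  echo "Self-signed certificate generated successfully!"
  echo "Note: Browsers will show a security warning for self-signed certificates."
  echo "For production, consider using Cloudflare or a domain name with Let's Encrypt."
}

#######################################
# Install certbot when it is not already on PATH.
# Globals: OSTYPE (read)
# Returns: exits 1 on an unsupported OS
#######################################
ensure_certbot() {
  if command -v certbot &>/dev/null; then
    return 0
  fi
  echo "Installing certbot..."
  if [[ "$OSTYPE" == "linux-gnu"* ]]; then
    sudo apt-get update
    sudo apt-get install -y certbot
  elif [[ "$OSTYPE" == "darwin"* ]]; then
    brew install certbot
  else
    die "Please install certbot manually for your OS"
  fi
}

#######################################
# Copy the current Let's Encrypt files into SSL_DIR and fix ownership.
# /etc/letsencrypt/live is root-only, hence sudo for the copy.
# Globals: DOMAIN, SSL_DIR (read)
#######################################
copy_letsencrypt_files() {
  local owner
  owner="$(id -un):$(id -gn)"
  sudo cp -- "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$SSL_DIR/cert.pem"
  sudo cp -- "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$SSL_DIR/key.pem"
  sudo chown -- "$owner" "$SSL_DIR/cert.pem" "$SSL_DIR/key.pem"
  lock_down_key
}

#######################################
# Obtain a Let's Encrypt certificate via the HTTP-01 webroot challenge.
# The ACME server fetches the challenge over plain HTTP, so nginx must
# already serve "$SSL_DIR/webroot" at /.well-known/acme-challenge/ on
# port 80 for DOMAIN (see the nginx config in NGINX_CONF_DIR).
# Globals: DOMAIN, EMAIL, SSL_DIR (read)
#######################################
obtain_letsencrypt() {
  echo "Domain name detected: $DOMAIN"
  echo "Setting up Let's Encrypt certificate..."

  ensure_certbot

  # Create webroot directory for Let's Encrypt challenge
  mkdir -p -- "$SSL_DIR/webroot/.well-known/acme-challenge"

  sudo certbot certonly --webroot \
    -w "$SSL_DIR/webroot" \
    -d "$DOMAIN" \
    --email "$EMAIL" \
    --agree-tos \
    --non-interactive

  copy_letsencrypt_files
  echo "Let's Encrypt certificate installed successfully!"
}

#######################################
# Write the renewal script and register it in root's crontab (once).
# certbot renew and reading /etc/letsencrypt require root, so the job
# cannot run from the invoking user's crontab. The job re-copies the
# renewed files, otherwise nginx would keep serving the stale copies.
# Globals: DOMAIN, SSL_DIR, PROJECT_DIR (read)
#######################################
install_renewal() {
  echo "Setting up auto-renewal..."
  local owner renew_script cron_line
  owner="$(id -un):$(id -gn)"
  renew_script="$SSL_DIR/renew.sh"

  # Unquoted delimiter on purpose: paths are baked in so cron does not
  # depend on its working directory.
  cat > "$renew_script" <<EOF
#!/bin/bash
# Generated by the SSL setup script; runs daily from root's crontab.
set -euo pipefail
certbot renew --quiet
# certbot updates /etc/letsencrypt/live/... only; refresh nginx's copies.
cp -- "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" "${SSL_DIR}/cert.pem"
cp -- "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" "${SSL_DIR}/key.pem"
chown -- "${owner}" "${SSL_DIR}/cert.pem" "${SSL_DIR}/key.pem"
chmod 600 -- "${SSL_DIR}/key.pem"
cd -- "${PROJECT_DIR}" && docker-compose restart nginx
EOF
  chmod +x -- "$renew_script"

  # Add to root's crontab for auto-renewal, without duplicating the entry
  # on re-runs. `|| true` keeps the listing step from aborting the group
  # when no crontab exists yet (crontab -l exits non-zero in that case).
  cron_line="0 12 * * * $renew_script"
  if ! sudo crontab -l 2>/dev/null | grep -qF -- "$renew_script"; then
    { sudo crontab -l 2>/dev/null || true; printf '%s\n' "$cron_line"; } | sudo crontab -
  fi
  echo "Auto-renewal configured!"
}

#######################################
# Entry point.
# Globals: DOMAIN, SSL_DIR (read), SSL_DIR (rewritten to an absolute path)
#######################################
main() {
  echo "Setting up SSL certificates for $DOMAIN"

  # Create SSL directory if it doesn't exist, then make the path absolute so
  # the cron job and the generated renew.sh do not depend on $PWD.
  mkdir -p -- "$SSL_DIR"
  SSL_DIR="$(cd -- "$SSL_DIR" && pwd)"

  # Check if we have a domain name or just IP
  if is_ipv4 "$DOMAIN"; then
    setup_self_signed
  else
    obtain_letsencrypt
    install_renewal
  fi

  echo "SSL setup complete!"
  echo "Certificate: $SSL_DIR/cert.pem"
  echo "Private key: $SSL_DIR/key.pem"
  echo ""
  echo "Next steps:"
  echo "1. Update your .env file with production values"
  echo "2. Run: docker-compose -f docker-compose.yml --env-file env.production up -d"
  echo "3. Test your setup: https://$DOMAIN"
}

main "$@"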