nginx-proxy · buchdag · Dec 14, 2021 · Aug 3, 2021 · Dec 12, 2021
diff --git a/app/letsencrypt_service b/app/letsencrypt_service
@@ -152,7 +152,7 @@ function update_cert {
     params_issue_arr+=(--webroot /usr/share/nginx/html)
 
     local -n cert_keysize="LETSENCRYPT_${cid}_KEYSIZE"
-    if [[ -z "$cert_keysize" || "$cert_keysize" == "<no value>" ]] || \
+    if [[ -z "$cert_keysize" ]] || \
         [[ ! "$cert_keysize" =~ ^(2048|3072|4096|ec-256|ec-384)$ ]]; then
         cert_keysize=$DEFAULT_KEY_SIZE
     fi
@@ -168,7 +168,7 @@ function update_cert {
     local config_home
     # If we don't have a LETSENCRYPT_EMAIL from the proxied container
     # and DEFAULT_EMAIL is set to a non empty value, use the latter.
-    if [[ -z "$accountemail" || "$accountemail" == "<no value>" ]]; then
+    if [[ -z "$accountemail" ]]; then
         if [[ -n "${DEFAULT_EMAIL// }" ]]; then
             accountemail="$DEFAULT_EMAIL"
         else
@@ -184,7 +184,7 @@ function update_cert {
     fi 
 
     local -n acme_ca_uri="ACME_${cid}_CA_URI"
-    if [[ -z "$acme_ca_uri" || "$acme_ca_uri" == "<no value>" ]]; then
+    if [[ -z "$acme_ca_uri" ]]; then
         # Use default or user provided ACME end point
         acme_ca_uri="$ACME_CA_URI"
     fi
@@ -229,15 +229,15 @@ function update_cert {
         local -n eab_kid="ACME_${cid}_EAB_KID"
         local -n eab_hmac_key="ACME_${cid}_EAB_HMAC_KEY"
         local -n zerossl_api_key="ZEROSSL_${cid}_API_KEY"
-        if [[ -z "$zerossl_api_key" || "$zerossl_api_key" == "<no value>" ]]; then
+        if [[ -z "$zerossl_api_key" ]]; then
             # Try using the default API key
             zerossl_api_key="$ZEROSSL_API_KEY"
         fi
         if [[ ! -f "$account_file" ]]; then
-            if [[ -n "${eab_kid// }" && "$eab_kid" != "<no value>" && -n "${eab_hmac_key// }" && "$eab_hmac_key" != "<no value>" ]]; then
+            if [[ -n "${eab_kid}" && -n "${eab_hmac_key}" ]]; then
                 # Register the ACME account with the per container EAB credentials.
                 params_register_arr+=(--eab-kid "$eab_kid" --eab-hmac-key "$eab_hmac_key")
-            elif [[ -n "${zerossl_api_key// }" && "$zerossl_api_key" != "<no value>" ]]; then
+            elif [[ -n "${zerossl_api_key}" ]]; then
                 # We have a Zero SSL API key but no per-container EAB kid and hmac key.
                 # Generate a set of ACME EAB credentials using the ZeroSSL API.
                 local zerossl_api_response
@@ -293,7 +293,7 @@ function update_cert {
     fi
 
     local -n acme_preferred_chain="ACME_${cid}_PREFERRED_CHAIN"
-    if [[ -n "${acme_preferred_chain// }" && "$acme_preferred_chain" != "<no value>" ]]; then
+    if [[ -n "${acme_preferred_chain}" ]]; then
         # Using amce.sh --preferred-chain to select alternate chain.
         params_issue_arr+=(--preferred-chain "$acme_preferred_chain")
     fi

diff --git a/app/letsencrypt_service_data.tmpl b/app/letsencrypt_service_data.tmpl
@@ -3,11 +3,13 @@ LETSENCRYPT_CONTAINERS=(
         {{ if trim $hosts }}
             {{ range $container := $containers }}
                 {{ if parseBool (coalesce $container.Env.LETSENCRYPT_SINGLE_DOMAIN_CERTS "false") }}
+                    {{/* Explicit per-domain splitting of the certificate */}}
                     {{ range $host := split $hosts "," }}
                         {{ $host := trim $host }}
                         {{- "\t"}}'{{ printf "%.12s" $container.ID }}_{{ sha1 $host }}'
                     {{ end }}
                 {{ else }}
+                    {{/* Default: multi-domain (SAN) certificate */}}
                     {{- "\t"}}'{{ printf "%.12s" $container.ID }}'
                 {{ end }}
             {{ end }}
@@ -18,42 +20,55 @@ LETSENCRYPT_CONTAINERS=(
 {{ range $hosts, $containers := groupBy $ "Env.LETSENCRYPT_HOST" }}
     {{ $hosts := trimSuffix "," $hosts }}
     {{ range $container := $containers }}
+        {{/* Trim spaces and set empty values on per-container environment variables */}}
+        {{ $KEYSIZE := trim (coalesce $container.Env.LETSENCRYPT_KEYSIZE "") }}
+        {{ $STAGING := trim (coalesce $container.Env.LETSENCRYPT_TEST "") }}
+        {{ $EMAIL := trim (coalesce $container.Env.LETSENCRYPT_EMAIL "") }}
+        {{ $CA_URI := trim (coalesce $container.Env.ACME_CA_URI "") }}
+        {{ $PREFERRED_CHAIN := trim (coalesce $container.Env.ACME_PREFERRED_CHAIN "") }}
+        {{ $OCSP := trim (coalesce $container.Env.ACME_OCSP "") }}
+        {{ $EAB_KID := trim (coalesce $container.Env.ACME_EAB_KID "") }}
+        {{ $EAB_HMAC_KEY := trim (coalesce $container.Env.ACME_EAB_HMAC_KEY "") }}
+        {{ $ZEROSSL_API_KEY := trim (coalesce $container.Env.ZEROSSL_API_KEY "") }}
+        {{ $RESTART_CONTAINER := trim (coalesce $container.Env.LETSENCRYPT_RESTART_CONTAINER "") }}
         {{ $cid := printf "%.12s" $container.ID }}
         {{ if parseBool (coalesce $container.Env.LETSENCRYPT_SINGLE_DOMAIN_CERTS "false") }}
+            {{/* Explicit per-domain splitting of the certificate */}}
             {{ range $host := split $hosts "," }}
                 {{ $host := trim $host }}
                 {{ $host := trimSuffix "." $host }}
                 {{ $hostHash := sha1 $host }}
                 {{- "\n" }}LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_HOST=('{{ $host }}')
-                {{- "\n" }}LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
-                {{- "\n" }}LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
-                {{- "\n" }}LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
-                {{- "\n" }}ACME_{{ $cid }}_{{ $hostHash }}_CA_URI="{{ $container.Env.ACME_CA_URI }}"
-                {{- "\n" }}ACME_{{ $cid }}_{{ $hostHash }}_PREFERRED_CHAIN="{{ $container.Env.ACME_PREFERRED_CHAIN }}"
-                {{- "\n" }}ACME_{{ $cid }}_{{ $hostHash }}_OCSP="{{ $container.Env.ACME_OCSP }}"
-                {{- "\n" }}ACME_{{ $cid }}_{{ $hostHash }}_EAB_KID="{{ $container.Env.ACME_EAB_KID }}"
-                {{- "\n" }}ACME_{{ $cid }}_{{ $hostHash }}_EAB_HMAC_KEY="{{ $container.Env.ACME_EAB_HMAC_KEY }}"
-                {{- "\n" }}ZEROSSL_{{ $cid }}_{{ $hostHash }}_API_KEY="{{ $container.Env.ZEROSSL_API_KEY }}"
-                {{- "\n" }}LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
+                {{- "\n" }}LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_KEYSIZE="{{ $KEYSIZE }}"
+                {{- "\n" }}LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_TEST="{{ $STAGING }}"
+                {{- "\n" }}LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_EMAIL="{{ $EMAIL }}"
+                {{- "\n" }}ACME_{{ $cid }}_{{ $hostHash }}_CA_URI="{{ $CA_URI }}"
+                {{- "\n" }}ACME_{{ $cid }}_{{ $hostHash }}_PREFERRED_CHAIN="{{ $PREFERRED_CHAIN }}"
+                {{- "\n" }}ACME_{{ $cid }}_{{ $hostHash }}_OCSP="{{ $OCSP }}"
+                {{- "\n" }}ACME_{{ $cid }}_{{ $hostHash }}_EAB_KID="{{ $EAB_KID }}"
+                {{- "\n" }}ACME_{{ $cid }}_{{ $hostHash }}_EAB_HMAC_KEY="{{ $EAB_HMAC_KEY }}"
+                {{- "\n" }}ZEROSSL_{{ $cid }}_{{ $hostHash }}_API_KEY="{{ $ZEROSSL_API_KEY }}"
+                {{- "\n" }}LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_RESTART_CONTAINER="{{ $RESTART_CONTAINER }}"
             {{ end }}
         {{ else }}
+            {{/* Default: multi-domain (SAN) certificate */}}
             {{- "\n" }}LETSENCRYPT_{{ $cid }}_HOST=( 
                     {{- range $host := split $hosts "," }}
                         {{- $host := trim $host }}
                         {{- $host := trimSuffix "." $host -}}
                         '{{ $host }}'{{ " " }} 
                     {{- end -}}
             )
-            {{- "\n" }}LETSENCRYPT_{{ $cid }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
-            {{- "\n" }}LETSENCRYPT_{{ $cid }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
-            {{- "\n" }}LETSENCRYPT_{{ $cid }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
-            {{- "\n" }}ACME_{{ $cid }}_CA_URI="{{ $container.Env.ACME_CA_URI }}"
-            {{- "\n" }}ACME_{{ $cid }}_PREFERRED_CHAIN="{{ $container.Env.ACME_PREFERRED_CHAIN }}"
-            {{- "\n" }}ACME_{{ $cid }}_OCSP="{{ $container.Env.ACME_OCSP }}"
-            {{- "\n" }}ACME_{{ $cid }}_EAB_KID="{{ $container.Env.ACME_EAB_KID }}"
-            {{- "\n" }}ACME_{{ $cid }}_EAB_HMAC_KEY="{{ $container.Env.ACME_EAB_HMAC_KEY }}"
-            {{- "\n" }}ZEROSSL_{{ $cid }}_API_KEY="{{ $container.Env.ZEROSSL_API_KEY }}"
-            {{- "\n" }}LETSENCRYPT_{{ $cid }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
+            {{- "\n" }}LETSENCRYPT_{{ $cid }}_KEYSIZE="{{ $KEYSIZE }}"
+            {{- "\n" }}LETSENCRYPT_{{ $cid }}_TEST="{{ $STAGING }}"
+            {{- "\n" }}LETSENCRYPT_{{ $cid }}_EMAIL="{{ $EMAIL }}"
+            {{- "\n" }}ACME_{{ $cid }}_CA_URI="{{ $CA_URI }}"
+            {{- "\n" }}ACME_{{ $cid }}_PREFERRED_CHAIN="{{ $PREFERRED_CHAIN }}"
+            {{- "\n" }}ACME_{{ $cid }}_OCSP="{{ $OCSP }}"
+            {{- "\n" }}ACME_{{ $cid }}_EAB_KID="{{ $EAB_KID }}"
+            {{- "\n" }}ACME_{{ $cid }}_EAB_HMAC_KEY="{{ $EAB_HMAC_KEY }}"
+            {{- "\n" }}ZEROSSL_{{ $cid }}_API_KEY="{{ $ZEROSSL_API_KEY }}"
+            {{- "\n" }}LETSENCRYPT_{{ $cid }}_RESTART_CONTAINER="{{ $RESTART_CONTAINER }}"
         {{ end }}
     {{ end }}
 {{ end }}