diff --git a/docker/cert.sh b/docker/cert.sh
index 185a9b7f..d39bf799 100644
--- a/docker/cert.sh
+++ b/docker/cert.sh
@@ -18,41 +18,65 @@ function WARN() { echo -e "${WARN} ${1}" } -# 仅当启用HTTPS且需要自动签发时执行 -if [ "$ENABLE_SSL" = "true" ] && [ "$AUTO_ISSUE_CERT" = "true" ]; then +# 核心条件验证 +if [ "$ENABLE_SSL" = "true" ] && \ + [ "$AUTO_ISSUE_CERT" = "true" ] && \ + [ -n "$SSL_DOMAIN" ]; then + INFO "▄■▀▄■▀▄■▀▄■▀▄■▀ 证书管理开始 ▀■▄▀■▄▀■▄▀■▄▀■▄" # 创建证书目录 mkdir -p /config/certs/"${SSL_DOMAIN}" chown moviepilot:moviepilot /config/certs -R - # 安装acme.sh + # 安装acme.sh(使用官方安装脚本) if [ ! -d "/config/acme.sh" ]; then INFO "→ 安装acme.sh..." - git clone https://github.com/acmesh-official/acme.sh.git /config/acme.sh - cd /config/acme.sh - ./acme.sh --install --home /config/acme.sh \ - --config-home /config/acme.sh/data \ - --cert-home /config/certs \ - --accountemail "${SSL_EMAIL}" + + # 生成安装参数 + INSTALL_ARGS=( + "--install-online" + "--home" "/config/acme.sh" + "--config-home" "/config/acme.sh/data" + "--cert-home" "/config/certs" + ) + + # 添加邮箱参数(如果设置) + if [ -n "$SSL_EMAIL" ]; then + INSTALL_ARGS+=("--accountemail" "$SSL_EMAIL") + else + WARN "未设置SSL_EMAIL,建议配置邮箱用于证书过期提醒" + fi + + # 执行官方安装命令 + curl -sSL https://get.acme.sh | sh -s -- "${INSTALL_ARGS[@]}" fi # 签发证书(仅当证书不存在时) if [ ! -f "/config/certs/${SSL_DOMAIN}/fullchain.pem" ]; then - # 检查必要参数 - [ -z "${DNS_PROVIDER}" ] && { ERROR "必须指定DNS_PROVIDER环境变量"; exit 1; } - [ -z "${SSL_DOMAIN}" ] && { ERROR "必须指定SSL_DOMAIN环境变量"; exit 1; } + # 必要参数检查 + REQUIRED_VARS=("DNS_PROVIDER") + for var in "${REQUIRED_VARS[@]}"; do + eval "value=\${${var}}" + [ -z "$value" ] && { ERROR "必须设置环境变量: ${var}"; exit 1; } + done INFO "→ 签发证书: ${SSL_DOMAIN} (DNS验证方式: ${DNS_PROVIDER})" - # 导出所有ACME_ENV_开头的环境变量(自动去除前缀) + # 加载ACME环境变量(带安全过滤) INFO "正在加载ACME环境变量..." 
- for acme_var in $(env | grep '^ACME_ENV_'); do - key="${acme_var#ACME_ENV_}" + env | grep '^ACME_ENV_' | while read -r line; do + key="${line#ACME_ENV_}" key="${key%%=*}" - value="${acme_var#ACME_ENV_${key}=}" - export "${key}=${value}" - INFO "已加载环境变量: ${key}=******" + value="${line#ACME_ENV_${key}=}" + + # 过滤非法变量名 + if [[ "$key" =~ ^[a-zA-Z_][a-zA-Z0-9_]*$ ]]; then + export "$key"="$value" + INFO "已加载环境变量: ${key}=******" + else + WARN "跳过无效变量名: ${key}" + fi done # 签发证书 @@ -61,6 +85,7 @@ if [ "$ENABLE_SSL" = "true" ] && [ "$AUTO_ISSUE_CERT" = "true" ]; then --domain "${SSL_DOMAIN}" \ --key-file /config/certs/"${SSL_DOMAIN}"/privkey.pem \ --fullchain-file /config/certs/"${SSL_DOMAIN}"/fullchain.pem \ + --reloadcmd "nginx -s reload" \ --force # 创建稳定符号链接 @@ -74,4 +99,7 @@ if [ "$ENABLE_SSL" = "true" ] && [ "$AUTO_ISSUE_CERT" = "true" ]; then service cron start INFO "▄■▀▄■▀▄■▀▄■▀▄■▀ 证书管理完成 ▀■▄▀■▄▀■▄▀■▄▀■▄" + +elif [ "$ENABLE_SSL" = "true" ] && [ "$AUTO_ISSUE_CERT" = "true" ] && [ -z "$SSL_DOMAIN" ]; then + WARN "已启用自动签发证书但未设置SSL_DOMAIN,跳过证书管理" fi \ No newline at end of file diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 0b389101..9669ced6 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -32,8 +32,8 @@ if [ "$ENABLE_SSL" = "true" ]; then server_name ${SSL_DOMAIN:-moviepilot}; # SSL证书路径 - ssl_certificate /etc/ssl/certs/latest/fullchain.pem; - ssl_certificate_key /etc/ssl/certs/latest/privkey.pem; + ssl_certificate /config/certs/latest/fullchain.pem; + ssl_certificate_key /config/certs/latest/privkey.pem; # SSL安全配置 ssl_protocols TLSv1.2 TLSv1.3;
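Review bot: The new `env | grep '^ACME_ENV_' | while read -r line; do … export "$key"="$value" … done` loop runs in a pipeline subshell, so every export is discarded when the loop ends and the `acme.sh --issue` that follows (in the next hunk) never sees the DNS provider credentials; the `for` loop it replaces ran in the current shell. Feed the loop by process substitution instead: `while read -r line; do` … `done < <(env | grep '^ACME_ENV_')`. The `eval "value=\${${var}}"` in the REQUIRED_VARS check is safe only because that array is hard-coded; `value="${!var}"` does the same indirection without eval. The new `curl -sSL https://get.acme.sh | sh -s -- …` runs whatever the endpoint serves with no version pin or integrity check, a larger trust surface than the previous `git clone`; if reproducible images matter, pin a release and verify it before handing it to sh. The enclosing `if` block opened in this hunk closes in the `@@ -74,4 +99,7 @@` hunk.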
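Review bot: `--reloadcmd "nginx -s reload"` is run by acme.sh after this first issuance as well as after every cron renewal; at first issuance cert.sh appears to run before nginx is up (nginx's config is what consumes the files this command writes), and when the reload fails I believe acme.sh reports the install step as failed even though the pem files were written — worth confirming against the entrypoint ordering. If that is the case, a reload command that tolerates a not-yet-running nginx, e.g. `--reloadcmd "if pgrep -x nginx >/dev/null; then nginx -s reload; fi"`, avoids the spurious failure while still reloading on renewal. The enclosing `if` block starts and ends outside this hunk.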
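Review bot: The `[ -z "$SSL_DOMAIN" ]` test in the new `elif` is redundant: the `if` branch it follows already requires `[ -n "$SSL_DOMAIN" ]` together with the same two flags, so this branch can only be reached when SSL_DOMAIN is empty; `elif [ "$ENABLE_SSL" = "true" ] && [ "$AUTO_ISSUE_CERT" = "true" ]; then` states that more plainly. The file still ends without a trailing newline after `fi`, which this edit could fix in passing. The `if` block this `fi` closes starts in the `@@ -18,41 +18,65 @@` hunk.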
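Review bot: The new `ssl_certificate /config/certs/latest/fullchain.pem` / `ssl_certificate_key /config/certs/latest/privkey.pem` paths are only populated by cert.sh's issuance branch (ENABLE_SSL, AUTO_ISSUE_CERT and SSL_DOMAIN all set); with ENABLE_SSL=true and auto-issue off, nothing in this diff creates those files and nginx will refuse to start on the missing paths, exactly as it did with the old `/etc/ssl/certs/latest` paths. Nothing here tells an operator where user-supplied certificates belong, so a comment above the two directives would help, e.g. `# certs are issued by cert.sh and symlinked under /config/certs/latest; user-supplied certs must use these same paths`. This looks like part of a heredoc that generates the nginx server block; the enclosing `if [ "$ENABLE_SSL" = "true" ]` starts and ends outside the hunk.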