Skip to content
Open
Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
a30084d
added support for le shortlived profile
Sausageroll2077 May 5, 2026
828618f
Included the enviroment for cert_profile with a link to the Let's enc…
Sausageroll2077 May 5, 2026
295cd10
Added change to changelog
Sausageroll2077 May 5, 2026
22bcba6
Changes logic to check for old root ca. to stop constant certificate …
Sausageroll2077 May 5, 2026
bcca92b
Restore revocation body in DST Root CA X3 check
Sausageroll2077 May 5, 2026
feaf30f
remove the check for old root
Sausageroll2077 May 8, 2026
36fe23e
Increase renewal cron frequency and randomize offset for ARI
Sausageroll2077 May 8, 2026
9a0c50d
Move cron randomization to init-renew and fix stale log message
Sausageroll2077 May 8, 2026
ad40eb7
Update renewal cron to twice daily with ARI and fix docs
Sausageroll2077 May 9, 2026
0af9b47
Show next scheduled renewal check time at startup
Sausageroll2077 May 9, 2026
fc7d29c
Merge branch 'cron-changes'
Sausageroll2077 May 9, 2026
bf4afc9
Fix changelog entry tense to match imperative style>
Sausageroll2077 May 9, 2026
084d30f
Merge branch 'linuxserver:master' into master
Sausageroll2077 May 9, 2026
875e491
Merge branch 'master' into master
Sausageroll2077 May 12, 2026
faf6caf
Merge branch 'master' into master
Sausageroll2077 May 14, 2026
cc37ea2
Merge remote-tracking branch 'upstream/master'
Sausageroll2077 Jun 5, 2026
b267017
Merge branch 'master' into master
Sausageroll2077 Jun 6, 2026
cf8e2c8
Merge branch 'linuxserver:master' into master
Sausageroll2077 Jun 14, 2026
44652d2
Merge branch 'master' into master
Sausageroll2077 Jun 21, 2026
feda5ea
Merge branch 'master' into master
Sausageroll2077 Jun 26, 2026
fe87a40
Merge branch 'master' into master
Sausageroll2077 Jun 29, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions readme-vars.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ opt_param_usage_include_env: true
opt_param_env_vars:
- {env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)"}
- {env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt."}
- {env_var: "CERT_PROFILE", env_value: "", desc: "Optionally define a cert profile to use for cert generation. This is useful if you want to use a custom cert profile instead of the default one. Currently only supported for Let's Encrypt. See https://letsencrypt.org/docs/profiles/ "}
- {env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `bunny`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dreamhost`, `duckdns`, `dynu`, `freedns`, `gandi`, `gehirn`, `glesys`, `godaddy`, `google`, `he`, `hetzner`, `hetzner-cloud`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `namecheap`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`."}
- {env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins."}
- {env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)."}
Expand Down Expand Up @@ -219,6 +220,7 @@ init_diagram: |
"swag:latest" <- Base Images
# changelog
changelogs:
- {date: "05.05.26:", desc: "Added support for Let's Encrypt cert profiles." }
- {date: "23.01.26:", desc: "Reorder init to fix proxy conf version checks."}
- {date: "21.12.25:", desc: "Add support for hetzner-cloud dns validation."}
- {date: "04.11.25:", desc: "Switch default Gandi credentials from API Key to Token, allow DNS propagation time for Azure DNS plugin."}
Expand Down
25 changes: 21 additions & 4 deletions root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,13 @@ EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
VALIDATION=${VALIDATION}\\n\
CERTPROVIDER=${CERTPROVIDER}\\n\
CERT_PROFILE=${CERT_PROFILE}\\n\
DNSPLUGIN=${DNSPLUGIN}\\n\
EMAIL=${EMAIL}\\n\
STAGING=${STAGING}\\n"

# Sanitize variables
SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER CERT_PROFILE)
for i in "${SANED_VARS[@]}"; do
export echo "${i}"="${!i//\"/}"
export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
Expand Down Expand Up @@ -80,7 +81,7 @@ if [[ -f "/config/donoteditthisfile.conf" ]]; then
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
fi
if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\" ORIGCERT_PROFILE=\"${CERT_PROFILE}\"" >/config/.donoteditthisfile.conf
echo "Created .donoteditthisfile.conf"
fi

Expand Down Expand Up @@ -186,7 +187,8 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
[[ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ]] ||
[[ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ]] ||
[[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
[[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
[[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]] ||
[[ ! "${CERT_PROFILE}" = "${ORIGCERT_PROFILE}" ]]; then
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]]; then
REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90")
Expand All @@ -204,7 +206,7 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
fi

# saving new variables
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\" ORIGCERT_PROFILE=\"${CERT_PROFILE}\"" >/config/.donoteditthisfile.conf

# Check if the cert is using the old LE root cert, revoke and regen if necessary
if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
Expand Down Expand Up @@ -239,6 +241,21 @@ fi

set_ini_value "server" "${ACMESERVER}" /config/etc/letsencrypt/cli.ini

# set certificate profile (e.g. "shortlived" for 6-day certs, "classic" for 90-day)
# Profiles are a Let's Encrypt ACME feature; ZeroSSL ignores it.
if [[ -n "${CERT_PROFILE}" ]]; then
if [[ "${CERTPROVIDER}" = "zerossl" ]]; then
echo "ZeroSSL does not support ACME profiles, ignoring CERT_PROFILE variable"
sed -i "/^preferred-profile\b/d" /config/etc/letsencrypt/cli.ini
else
echo "Requesting certificate with profile: ${CERT_PROFILE}"
set_ini_value "preferred-profile" "${CERT_PROFILE}" /config/etc/letsencrypt/cli.ini
fi
else
# remove if previously set so going back to default works
sed -i "/^preferred-profile\b/d" /config/etc/letsencrypt/cli.ini
fi

# figuring out domain only vs domain & subdomains vs subdomains only
DOMAINS_ARRAY=()
if [[ -z "${SUBDOMAINS}" ]] || [[ "${ONLY_SUBDOMAINS}" != true ]]; then
Expand Down