letsencrypt updates: renew location for .well-known, add support for multiple hostnames

templates/web.letsencrypt.ssl.template.yml

@@ -26,7 +26,6 @@ run:
 
         events {
           worker_connections 768;
-          # multi_accept on;
         }
 
         http {
@@ -71,8 +70,15 @@ run:
         LETSENCRYPT_DIR="/shared/letsencrypt"
         /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
 
+        extra_domains() {
+          if [ -n "$DISCOURSE_HOSTNAME_ALIASES" ]; then
+            domains=$(echo $DISCOURSE_HOSTNAME_ALIASES | sed "s/,/ -d /g")
+            echo "-d $domains"
+          fi
+        }
+
         issue_cert() {
-          LE_WORKING_DIR="${LETSENCRYPT_DIR}" ${LETSENCRYPT_DIR}/acme.sh --issue $2 -d ${DISCOURSE_HOSTNAME} --keylength $1 -w /var/www/discourse/public
+          LE_WORKING_DIR="${LETSENCRYPT_DIR}" ${LETSENCRYPT_DIR}/acme.sh --issue $2 -d ${DISCOURSE_HOSTNAME} $(extra_domains) --keylength $1 -w /var/www/discourse/public
         }
 
         cert_exists() {

templates/web.ssl.template.yml

@@ -27,6 +27,13 @@ run:
         cat << EOF > /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
         server {
           listen 80;
+          listen [::]:80;
+
+          location ~ /.well-known {
+            root /var/www/discourse/public;
+            allow all;
+          }
+
           return 301 https://${DISCOURSE_HOSTNAME}$request_uri;
         }
         EOF
@@ -35,6 +42,7 @@ run:
 
         cat << EOF > /etc/nginx/conf.d/outlets/server/20-https.conf
         listen 443 ssl;
+        listen [::]:443 ssl;
         http2 on;
 
         ssl_protocols TLSv1.2 TLSv1.3;
@@ -58,8 +66,3 @@ run:
         cat << EOF > /etc/nginx/conf.d/outlets/discourse/20-https.conf
         add_header Strict-Transport-Security 'max-age=31536000';
         EOF
-
-        if [ -f "/proc/net/if_inet6" ] ; then
-          sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
-          sed -i 's/listen 443 ssl;/listen 443 ssl;\nlisten [::]:443 ssl;/g' /etc/nginx/conf.d/outlets/server/20-https.conf
-        fi