From ce6976d3ab8d3bd1f473ea42e99e5d806f4d05ba Mon Sep 17 00:00:00 2001 From: Eric Gullickson <16152721+ericgullickson@users.noreply.github.com> Date: Sat, 20 Dec 2025 11:45:00 -0600 Subject: [PATCH] Fix Let's Encrypt certificate deployment issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Change CF_DNS_API_TOKEN_FILE to CLOUDFLARE_DNS_API_TOKEN_FILE (correct env var for Traefik/lego) - Fix inject-secrets.sh to clean up Docker-created directories before injecting secrets - Add detection for GitLab variables set as Variable type instead of File type - Improve error messages to help diagnose configuration issues 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- docker-compose.yml | 2 +- scripts/inject-secrets.sh | 41 +++++++++++++++++++++++++++++++++------ 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index cdfe42e..a680a1e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,7 +7,7 @@ services: command: - --configFile=/etc/traefik/traefik.yml environment: - CF_DNS_API_TOKEN_FILE: /run/secrets/cloudflare-dns-token + CLOUDFLARE_DNS_API_TOKEN_FILE: /run/secrets/cloudflare-dns-token ports: - "80:80" - "443:443" diff --git a/scripts/inject-secrets.sh b/scripts/inject-secrets.sh index 76999a9..267a019 100755 --- a/scripts/inject-secrets.sh +++ b/scripts/inject-secrets.sh @@ -6,6 +6,10 @@ # GitLab File variables provide the PATH to a temporary file containing the secret. # This script copies those files to the expected secrets/app/ location. # +# IMPORTANT: In GitLab, variables MUST be set as "File" type, not "Variable" type. +# File type variables provide a PATH to a temp file containing the secret. +# Variable type provides the raw value, which will NOT work with this script. +# # Required GitLab CI/CD Variables (File type): # - POSTGRES_PASSWORD # - AUTH0_CLIENT_SECRET 
@@ -22,11 +26,32 @@ set -euo pipefail DEPLOY_PATH="${DEPLOY_PATH:-/opt/motovaultpro}" SECRETS_DIR="${DEPLOY_PATH}/secrets/app" +# List of all secret files (must match docker-compose volume mounts) +SECRET_FILES=( + "postgres-password.txt" + "auth0-client-secret.txt" + "google-maps-api-key.txt" + "google-maps-map-id.txt" + "cloudflare-dns-token.txt" +) + echo "Injecting secrets..." echo " Deploy path: $DEPLOY_PATH" echo " Secrets dir: $SECRETS_DIR" -# Clean up any incorrectly created directories and create secrets directory +# Step 1: Clean up any incorrectly created directories +# Docker creates directories when bind-mounting files that don't exist +echo "" +echo "Cleaning up any corrupted secret paths..." +for file in "${SECRET_FILES[@]}"; do + target_path="${SECRETS_DIR}/${file}" + if [ -d "$target_path" ]; then + echo " Removing directory: $file" + rm -rf "$target_path" + fi +done + +# Step 2: Ensure secrets directory exists if [ -e "$SECRETS_DIR" ] && [ ! -d "$SECRETS_DIR" ]; then echo " Removing invalid secrets path..." rm -rf "$SECRETS_DIR" @@ -45,19 +70,23 @@ inject_secret() { if [ -z "$source_path" ]; then echo " ERROR: Variable $var_name is not set" + echo " Ensure it exists in GitLab CI/CD Variables" + return 1 + fi + + # Check if it looks like a raw value instead of a file path + if [[ ! "$source_path" =~ ^/ ]]; then + echo " ERROR: $var_name appears to be a raw value, not a file path" + echo " In GitLab, change the variable Type from 'Variable' to 'File'" return 1 fi if [ ! -f "$source_path" ]; then echo " ERROR: File not found for $var_name at $source_path" + echo " Ensure the variable is set as 'File' type in GitLab" return 1 fi - # Remove if exists as directory (cleanup from bad previous runs) - if [ -d "$target_path" ]; then - rm -rf "$target_path" - fi - # Copy the secret file (644 so container users can read) cp "$source_path" "$target_path" chmod 644 "$target_path"
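Review bot: The cleanup loop removes the stray path with `rm -rf "$target_path"`, so a directory at that location that is not empty (real data, or a bind mount that was populated after Docker created it) is deleted recursively without any check. The directory Docker creates for a missing bind-mounted file is always empty, so `rmdir -- "$target_path"` does the same job and, under the `set -euo pipefail` shown in the hunk header, aborts the run instead of silently destroying a non-empty directory; `--` also protects against an entry starting with `-`. SECRET_FILES reads as a constant and would be clearer as `readonly SECRET_FILES=(...)`, and its list has to stay in sync with both the compose mounts and the inject_secret calls further down, which this hunk does not show.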
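Review bot: The new raw-value check only catches values that do not start with `/`; a secret that happens to begin with a slash falls through to the existing not-found branch, whose `echo "  ERROR: File not found for $var_name at $source_path"` then prints the raw secret into the CI job log. Since the commit now explicitly anticipates misconfigured Variable-type values, that message should not echo `$source_path`; e.g. `echo "  ERROR: File not found for $var_name (path not shown in case it holds a raw secret)"`. Removing the per-secret directory guard also means that, if a secret is ever injected that is missing from SECRET_FILES, `cp "$source_path" "$target_path"` would copy the file into the stray directory rather than fail, so keeping a cheap `[ -d "$target_path" ] && { echo "  ERROR: $target_path is a directory"; return 1; }` before the cp costs little. The `chmod 644` leaves each secret readable by every local account on the deploy host; whether a tighter mode such as 640 is possible depends on the uid the container runs as, which is not visible here. inject_secret's definition starts and ends outside the hunk.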