fix: Fix combined PEM creation related to DOMAIN env var (#123)

* fix: Fix combined PEM creation related to `DOMAIN` env var

* Reorder environment variables in env var table

* Add `COMBINED_PEM` env var entry

* Reformat table in README.md

README.md

@@ -81,22 +81,23 @@ If you don't want to wait for a release or want to test new "bleeding-edge" func
 
 There are some environment variables if you want to customize various things inside the Docker container:
 
-| Variable                | Default              | Value         | Description                                                                 |
-| ----------------------- | -------------------- | ------------- | --------------------------------------------------------------------------- |
-| `ACME_FILE_PATH`        | `/traefik/acme.json` | `<filepath>`  | Full file path to Traefik's certificates storage.                           |
-| `CERTIFICATE_FILE_NAME` | `cert`               | `<filename>`  | The file name (without extension) of the generated certificates.            |
-| `CERTIFICATE_FILE_EXT`  | `.pem`               | `<extension>` | The file extension of the generated certificates.                           |
-| `COMBINE_PKCS12`        | unset                | `yes`         | If set to `yes`, an additional combined PKCS12 file is created.             |
-| `CONVERT_KEYS_TO_RSA`   | unset                | `yes`         | If set to `yes`, keys are created in RSA format also.             |
-| `DOMAIN`                | unset                | `<extension>` | Extract only for specified domains (comma-separated list) - instead of all. |
-| `OVERRIDE_UID`          | unset                | `<number>`    | Change ownership of certificate and key to given `UID`.                     |
-| `OVERRIDE_GID`          | unset                | `<number>`    | Change ownership of certificate and key to given `GID`.                     |
-| `PKCS12_PASSWORD`       | unset                | `<password>`  | Password for the combined PKCS12, see also `COMBINE_PKCS12`.                |
-| `POST_HOOK_FILE_PATH`   | `/hook/hook.sh`      | `<filepath>`  | Full file path to the post hook script that should be executed after dumping process |
-| `PRIVATE_KEY_FILE_NAME` | `key`                | `<filename>`  | The file name (without extension) of the generated private keys.            |
-| `PRIVATE_KEY_FILE_EXT`  | `.pem`               | `<extension>` | The file extension of the generated private keys.                           |
-| `RSA_KEY_FILE_NAME`     | `rsakey`             | `<filename>`  | The file name (without extension) of the generated private keys in RSA format, see also `CONVERT_KEYS_TO_RSA`. |
-| `RSA_KEY_FILE_EXT`      | `.pem`               | `<extension>` | The file extension of the generated private keys in RSA format, see also `CONVERT_KEYS_TO_RSA`. |
+| Variable                | Default              | Value            | Description                                                                 |
+| ----------------------- | -------------------- | ---------------- | --------------------------------------------------------------------------- |
+| `ACME_FILE_PATH`        | `/traefik/acme.json` | `<filepath>`     | Full file path to Traefik's certificates storage.                           |
+| `DOMAIN`                | unset                | `<extension>`    | Extract only for specified domains (comma-separated list) - instead of all. |
+| `OVERRIDE_UID`          | unset                | `<number>`       | Change ownership of certificate and key to given `UID`.                     |
+| `OVERRIDE_GID`          | unset                | `<number>`       | Change ownership of certificate and key to given `GID`.                     |
+| `COMBINE_PKCS12`        | unset                | `yes`            | If set to `yes`, an additional combined PKCS12 file is created.             |
+| `PKCS12_PASSWORD`       | unset                | `<password>`     | Password for the combined PKCS12, see also `COMBINE_PKCS12`.                |
+| `POST_HOOK_FILE_PATH`   | `/hook/hook.sh`      | `<filepath>`     | Full file path to the post hook script that should be executed after dumping process |
+| `PRIVATE_KEY_FILE_NAME` | `key`                | `<filename>`     | The file name (without extension) of the generated private keys.            |
+| `PRIVATE_KEY_FILE_EXT`  | `.pem`               | `<extension>`    | The file extension of the generated private keys.                           |
+| `CERTIFICATE_FILE_NAME` | `cert`               | `<filename>`     | The file name (without extension) of the generated certificates.            |
+| `CERTIFICATE_FILE_EXT`  | `.pem`               | `<extension>`    | The file extension of the generated certificates.                           |
+| `COMBINED_PEM`          | unset                | `<filename>.pem` | The file name (with extension) of the combined PEM file (no combined certificate + key PEM file will be generated if this env var is not set!)
+| `CONVERT_KEYS_TO_RSA`   | unset                | `yes`            | If set to `yes`, keys are created in RSA format also.                       |
+| `RSA_KEY_FILE_NAME`     | `rsakey`             | `<filename>`     | The file name (without extension) of the generated private keys in RSA format, see also `CONVERT_KEYS_TO_RSA`. |
+| `RSA_KEY_FILE_EXT`      | `.pem`               | `<extension>`    | The file extension of the generated private keys in RSA format, see also `CONVERT_KEYS_TO_RSA`. |
 
 See below examples for usage.
 

bin/dump.sh

@@ -127,24 +127,38 @@ dump() {
 }
 
 combine_pem() {
-  if [[ -n "${COMBINED_PEM}" ]]; then
-    if [[ ! "${COMBINED_PEM}" = *\.pem ]]; then
-      #Check if combined_pem filename does have .pem at end of filename
-      log "COMBINED_PEM=${COMBINED_PEM} does not have .pem at end of filename."
-    else
-      if [[ "${#DOMAINS[@]}" -gt 1 ]]; then
-        for i in "${DOMAINS[@]}"; do
-          if [[ -f ${outputdir}/${i}/${certificate_file} && -f ${outputdir}/${i}/${privatekey_file} ]]; then
-            log "Combining key and cert for domain ${i} to single pem with name ${i}/${COMBINED_PEM}"
-            cat ${outputdir}/"${i}"/"${certificate_file}" ${outputdir}/"${i}"/"${privatekey_file}" >${outputdir}/"${i}"/"${COMBINED_PEM}"
-          fi
-        done
-      else
-        if [[ -f ${outputdir}/${certificate_file} && -f ${outputdir}/${privatekey_file} ]]; then
-          log "Combining key and cert to single pem with name ${COMBINED_PEM}"
-          cat ${outputdir}/"${certificate_file}" ${outputdir}/"${privatekey_file}" >${outputdir}/"${COMBINED_PEM}"
-        fi
+  if [[ -z "${COMBINED_PEM+x}" ]]; then
+    return
+  fi
+
+  if [[ ! "${COMBINED_PEM}" = *\.pem ]]; then
+    log "COMBINED_PEM=${COMBINED_PEM} does not have .pem at end of file name, omitting combining PEM step"
+    return
+  fi
+
+  if [[ -z "${DOMAIN}" || "${#DOMAINS[@]}" -gt 1 ]]; then
+    local outputdir_subdirs=("${outputdir}"/*/)
+    for subdir in "${outputdir_subdirs[@]}"; do
+      local current_domain
+      current_domain=$(basename "${subdir}" /)
+
+      local cert_file="${outputdir}/${current_domain}/${certificate_file}"
+      local key_file="${outputdir}/${current_domain}/${privatekey_file}"
+      local combined_pem_file="${outputdir}/${current_domain}/${COMBINED_PEM}"
+
+      if [[ -f ${cert_file} && -f ${key_file} ]]; then
+        log "Combining key and certificate for domain ${current_domain} to single PEM with name ${i}/${COMBINED_PEM}"
+        cat "${cert_file}" "${key_file}" > "${combined_pem_file}"
       fi
+    done
+  else
+    local cert_file="${outputdir}/${certificate_file}"
+    local key_file="${outputdir}/${privatekey_file}"
+    local combined_pem_file="${outputdir}/${COMBINED_PEM}"
+
+    if [[ -f ${cert_file} && -f ${key_file} ]]; then
+      log "Combining key and cert to single PEM with name ${COMBINED_PEM}"
+      cat "${cert_file}" "${key_file}" > "${combined_pem_file}"
     fi
   fi
 }