diff --git a/data/Dockerfiles/acme/acme.sh b/data/Dockerfiles/acme/acme.sh index 3296086f..4f5cb803 100755 --- a/data/Dockerfiles/acme/acme.sh +++ b/data/Dockerfiles/acme/acme.sh @@ -155,6 +155,18 @@ while true; do fi if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then log_f "Generating missing Lets Encrypt account key..." + if [[ ! -z ${ACME_CONTACT} ]]; then + if ! verify_email "${ACME_CONTACT}"; then + log_f "Invalid email address, will not start registration!" + sleep 365d + exec $(readlink -f "$0") + else + ACME_CONTACT_PARAMETER="--contact mailto:${ACME_CONTACT}" + log_f "Valid email address, using ${ACME_CONTACT} for registration" + fi + else + ACME_CONTACT_PARAMETER="" + fi openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem else log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem" @@ -207,19 +219,6 @@ while true; do IPV6=$(get_ipv6) log_f "OK: ${IPV4}, ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}" - # Hard-fail on CAA errors for MAILCOW_HOSTNAME - MH_PARENT_DOMAIN=$(echo ${MAILCOW_HOSTNAME} | cut -d. -f2-) - MH_CAAS=( $(dig CAA ${MH_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') ) - if [[ ! -z ${MH_CAAS} ]]; then - if [[ ${MH_CAAS[@]} =~ "letsencrypt.org" ]]; then - log_f "Validated CAA for parent domain ${MH_PARENT_DOMAIN}" - else - log_f "Skipping ACME validation: Lets Encrypt disallowed for ${MAILCOW_HOSTNAME} by CAA record, retrying in 1h..." - sleep 1h - exec $(readlink -f "$0") - fi - fi - ######################################### # IP and webroot challenge verification # SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs) @@ -290,7 +289,7 @@ while true; do VALIDATED_CERTIFICATES+=("${CERT_NAME}") # obtain server certificate if required - DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa + ACME_CONTACT_PARAMETER=${ACME_CONTACT_PARAMETER} DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa RETURN="$?" if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully CERT_AMOUNT_CHANGED=1 diff --git a/data/Dockerfiles/acme/functions.sh b/data/Dockerfiles/acme/functions.sh index 98d86dc6..183be01b 100644 --- a/data/Dockerfiles/acme/functions.sh +++ b/data/Dockerfiles/acme/functions.sh @@ -16,6 +16,15 @@ log_f() { fi } +verify_email(){ + regex="^(([A-Za-z0-9]+((\.|\-|\_|\+)?[A-Za-z0-9]?)*[A-Za-z0-9]+)|[A-Za-z0-9]+)@(([A-Za-z0-9]+)+((\.|\-|\_)?([A-Za-z0-9]+)+)*)+\.([A-Za-z]{2,})+$" + if [[ $1 =~ ${regex} ]]; then + return 0 + else + return 1 + fi +} + verify_hash_match(){ CERT_HASH=$(openssl x509 -in "${1}" -noout -pubkey | openssl md5) KEY_HASH=$(openssl pkey -in "${2}" -pubout | openssl md5) @@ -60,6 +69,17 @@ check_domain(){ DOMAIN=$1 A_DOMAIN=$(dig A ${DOMAIN} +short | tail -n 1) AAAA_DOMAIN=$(dig AAAA ${DOMAIN} +short | tail -n 1) + # Hard-fail on CAA errors for MAILCOW_HOSTNAME + PARENT_DOMAIN=$(echo ${DOMAIN} | cut -d. -f2-) + CAAS=( $(dig CAA ${PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') ) + if [[ ! -z ${CAAS} ]]; then + if [[ ${CAAS[@]} =~ "letsencrypt.org" ]]; then + log_f "Validated CAA for parent domain ${PARENT_DOMAIN}" + else + log_f "Lets Encrypt disallowed for ${PARENT_DOMAIN} by CAA record" + return 1 + fi + fi # Check if CNAME without v6 enabled target if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then AAAA_DOMAIN= diff --git a/data/Dockerfiles/acme/obtain-certificate.sh b/data/Dockerfiles/acme/obtain-certificate.sh index 8264a2cb..a151dff2 100644 --- a/data/Dockerfiles/acme/obtain-certificate.sh +++ b/data/Dockerfiles/acme/obtain-certificate.sh @@ -93,8 +93,8 @@ until dig letsencrypt.org +time=3 +tries=1 @unbound > /dev/null; do sleep 2 done log_f "Resolver OK" - -ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} \ +log_f "Using command acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} --account-key ${ACME_BASE}/acme/account.pem --disable-check --csr ${CSR} --acme-dir /var/www/acme/" +ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} \ --account-key ${ACME_BASE}/acme/account.pem \ --disable-check \ --csr ${CSR} \ diff --git a/docker-compose.yml b/docker-compose.yml index 67db19d4..8d79cc53 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -384,11 +384,12 @@ services: acme-mailcow: depends_on: - nginx-mailcow - image: mailcow/acme:1.78 + image: mailcow/acme:1.79 dns: - ${IPV4_NETWORK:-172.22.1}.254 environment: - LOG_LINES=${LOG_LINES:-9999} + - ACME_CONTACT=${ACME_CONTACT:-} - ADDITIONAL_SAN=${ADDITIONAL_SAN} - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} - DBNAME=${DBNAME} diff --git a/generate_config.sh b/generate_config.sh index 61a90aa0..1c6886b8 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -336,6 +336,13 @@ DOVECOT_MASTER_USER= # LEAVE EMPTY IF UNSURE DOVECOT_MASTER_PASS= +# Let's Encrypt registration contact information +# Optional: Leave empty for none +# This value is only used on first order! +# Setting it at a later point will require the following steps: +# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/ +ACME_CONTACT= + EOF mkdir -p data/assets/ssl diff --git a/update.sh b/update.sh index d5114c9f..be40daa3 100755 --- a/update.sh +++ b/update.sh @@ -223,6 +223,7 @@ CONFIG_ARRAY=( "XMPP_S2S_PORT" "XMPP_HTTPS_PORT" "ADDITIONAL_SERVER_NAMES" + "ACME_CONTACT" ) sed -i --follow-symlinks '$a\' mailcow.conf @@ -433,6 +434,15 @@ for option in ${CONFIG_ARRAY[@]}; do if ! grep -q ${option} mailcow.conf; then echo "XMPP_HTTPS_PORT=5443" >> mailcow.conf fi + elif [[ ${option} == "ACME_CONTACT" ]]; then + if ! grep -q ${option} mailcow.conf; then + echo '# Let\'s Encrypt registration contact information' >> mailcow.conf + echo '# Optional: Leave empty for none' >> mailcow.conf + echo '# This value is only used on first order!' >> mailcow.conf + echo '# Setting it at a later point will require the following steps:' >> mailcow.conf + echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf + echo 'ACME_CONTACT=' >> mailcow.conf + fi elif ! grep -q ${option} mailcow.conf; then echo "Adding new option \"${option}\" to mailcow.conf" echo "${option}=n" >> mailcow.conf