[Config, Update] Add ACME_CONTACT
parent
5df8a24c84
commit
0cbd4ec273
|
@ -155,6 +155,18 @@ while true; do
|
||||||
fi
|
fi
|
||||||
if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
|
if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
|
||||||
log_f "Generating missing Lets Encrypt account key..."
|
log_f "Generating missing Lets Encrypt account key..."
|
||||||
|
if [[ ! -z ${ACME_CONTACT} ]]; then
|
||||||
|
if ! verify_email "${ACME_CONTACT}"; then
|
||||||
|
log_f "Invalid email address, will not start registration!"
|
||||||
|
sleep 365d
|
||||||
|
exec $(readlink -f "$0")
|
||||||
|
else
|
||||||
|
ACME_CONTACT_PARAMETER="--contact mailto:${ACME_CONTACT}"
|
||||||
|
log_f "Valid email address, using ${ACME_CONTACT} for registration"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
ACME_CONTACT_PARAMETER=""
|
||||||
|
fi
|
||||||
openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem
|
openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem
|
||||||
else
|
else
|
||||||
log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem"
|
log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem"
|
||||||
|
@ -207,19 +219,6 @@ while true; do
|
||||||
IPV6=$(get_ipv6)
|
IPV6=$(get_ipv6)
|
||||||
log_f "OK: ${IPV4}, ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}"
|
log_f "OK: ${IPV4}, ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}"
|
||||||
|
|
||||||
# Hard-fail on CAA errors for MAILCOW_HOSTNAME
|
|
||||||
MH_PARENT_DOMAIN=$(echo ${MAILCOW_HOSTNAME} | cut -d. -f2-)
|
|
||||||
MH_CAAS=( $(dig CAA ${MH_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
|
|
||||||
if [[ ! -z ${MH_CAAS} ]]; then
|
|
||||||
if [[ ${MH_CAAS[@]} =~ "letsencrypt.org" ]]; then
|
|
||||||
log_f "Validated CAA for parent domain ${MH_PARENT_DOMAIN}"
|
|
||||||
else
|
|
||||||
log_f "Skipping ACME validation: Lets Encrypt disallowed for ${MAILCOW_HOSTNAME} by CAA record, retrying in 1h..."
|
|
||||||
sleep 1h
|
|
||||||
exec $(readlink -f "$0")
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
#########################################
|
#########################################
|
||||||
# IP and webroot challenge verification #
|
# IP and webroot challenge verification #
|
||||||
SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
|
SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
|
||||||
|
@ -290,7 +289,7 @@ while true; do
|
||||||
VALIDATED_CERTIFICATES+=("${CERT_NAME}")
|
VALIDATED_CERTIFICATES+=("${CERT_NAME}")
|
||||||
|
|
||||||
# obtain server certificate if required
|
# obtain server certificate if required
|
||||||
DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
|
ACME_CONTACT_PARAMETER=${ACME_CONTACT_PARAMETER} DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
|
||||||
RETURN="$?"
|
RETURN="$?"
|
||||||
if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
|
if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
|
||||||
CERT_AMOUNT_CHANGED=1
|
CERT_AMOUNT_CHANGED=1
|
||||||
|
|
|
@ -16,6 +16,15 @@ log_f() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
verify_email(){
|
||||||
|
regex="^(([A-Za-z0-9]+((\.|\-|\_|\+)?[A-Za-z0-9]?)*[A-Za-z0-9]+)|[A-Za-z0-9]+)@(([A-Za-z0-9]+)+((\.|\-|\_)?([A-Za-z0-9]+)+)*)+\.([A-Za-z]{2,})+$"
|
||||||
|
if [[ $1 =~ ${regex} ]]; then
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
verify_hash_match(){
|
verify_hash_match(){
|
||||||
CERT_HASH=$(openssl x509 -in "${1}" -noout -pubkey | openssl md5)
|
CERT_HASH=$(openssl x509 -in "${1}" -noout -pubkey | openssl md5)
|
||||||
KEY_HASH=$(openssl pkey -in "${2}" -pubout | openssl md5)
|
KEY_HASH=$(openssl pkey -in "${2}" -pubout | openssl md5)
|
||||||
|
@ -60,6 +69,17 @@ check_domain(){
|
||||||
DOMAIN=$1
|
DOMAIN=$1
|
||||||
A_DOMAIN=$(dig A ${DOMAIN} +short | tail -n 1)
|
A_DOMAIN=$(dig A ${DOMAIN} +short | tail -n 1)
|
||||||
AAAA_DOMAIN=$(dig AAAA ${DOMAIN} +short | tail -n 1)
|
AAAA_DOMAIN=$(dig AAAA ${DOMAIN} +short | tail -n 1)
|
||||||
|
# Hard-fail on CAA errors for MAILCOW_HOSTNAME
|
||||||
|
PARENT_DOMAIN=$(echo ${DOMAIN} | cut -d. -f2-)
|
||||||
|
CAAS=( $(dig CAA ${PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
|
||||||
|
if [[ ! -z ${CAAS} ]]; then
|
||||||
|
if [[ ${CAAS[@]} =~ "letsencrypt.org" ]]; then
|
||||||
|
log_f "Validated CAA for parent domain ${PARENT_DOMAIN}"
|
||||||
|
else
|
||||||
|
log_f "Lets Encrypt disallowed for ${PARENT_DOMAIN} by CAA record"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
# Check if CNAME without v6 enabled target
|
# Check if CNAME without v6 enabled target
|
||||||
if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
|
if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
|
||||||
AAAA_DOMAIN=
|
AAAA_DOMAIN=
|
||||||
|
|
|
@ -93,8 +93,8 @@ until dig letsencrypt.org +time=3 +tries=1 @unbound > /dev/null; do
|
||||||
sleep 2
|
sleep 2
|
||||||
done
|
done
|
||||||
log_f "Resolver OK"
|
log_f "Resolver OK"
|
||||||
|
log_f "Using command acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} --account-key ${ACME_BASE}/acme/account.pem --disable-check --csr ${CSR} --acme-dir /var/www/acme/"
|
||||||
ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} \
|
ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} \
|
||||||
--account-key ${ACME_BASE}/acme/account.pem \
|
--account-key ${ACME_BASE}/acme/account.pem \
|
||||||
--disable-check \
|
--disable-check \
|
||||||
--csr ${CSR} \
|
--csr ${CSR} \
|
||||||
|
|
|
@ -384,11 +384,12 @@ services:
|
||||||
acme-mailcow:
|
acme-mailcow:
|
||||||
depends_on:
|
depends_on:
|
||||||
- nginx-mailcow
|
- nginx-mailcow
|
||||||
image: mailcow/acme:1.78
|
image: mailcow/acme:1.79
|
||||||
dns:
|
dns:
|
||||||
- ${IPV4_NETWORK:-172.22.1}.254
|
- ${IPV4_NETWORK:-172.22.1}.254
|
||||||
environment:
|
environment:
|
||||||
- LOG_LINES=${LOG_LINES:-9999}
|
- LOG_LINES=${LOG_LINES:-9999}
|
||||||
|
- ACME_CONTACT=${ACME_CONTACT:-}
|
||||||
- ADDITIONAL_SAN=${ADDITIONAL_SAN}
|
- ADDITIONAL_SAN=${ADDITIONAL_SAN}
|
||||||
- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
|
- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
|
||||||
- DBNAME=${DBNAME}
|
- DBNAME=${DBNAME}
|
||||||
|
|
|
@ -336,6 +336,13 @@ DOVECOT_MASTER_USER=
|
||||||
# LEAVE EMPTY IF UNSURE
|
# LEAVE EMPTY IF UNSURE
|
||||||
DOVECOT_MASTER_PASS=
|
DOVECOT_MASTER_PASS=
|
||||||
|
|
||||||
|
# Let's Encrypt registration contact information
|
||||||
|
# Optional: Leave empty for none
|
||||||
|
# This value is only used on first order!
|
||||||
|
# Setting it at a later point will require the following steps:
|
||||||
|
# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/
|
||||||
|
ACME_CONTACT=
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
mkdir -p data/assets/ssl
|
mkdir -p data/assets/ssl
|
||||||
|
|
10
update.sh
10
update.sh
|
@ -223,6 +223,7 @@ CONFIG_ARRAY=(
|
||||||
"XMPP_S2S_PORT"
|
"XMPP_S2S_PORT"
|
||||||
"XMPP_HTTPS_PORT"
|
"XMPP_HTTPS_PORT"
|
||||||
"ADDITIONAL_SERVER_NAMES"
|
"ADDITIONAL_SERVER_NAMES"
|
||||||
|
"ACME_CONTACT"
|
||||||
)
|
)
|
||||||
|
|
||||||
sed -i --follow-symlinks '$a\' mailcow.conf
|
sed -i --follow-symlinks '$a\' mailcow.conf
|
||||||
|
@ -433,6 +434,15 @@ for option in ${CONFIG_ARRAY[@]}; do
|
||||||
if ! grep -q ${option} mailcow.conf; then
|
if ! grep -q ${option} mailcow.conf; then
|
||||||
echo "XMPP_HTTPS_PORT=5443" >> mailcow.conf
|
echo "XMPP_HTTPS_PORT=5443" >> mailcow.conf
|
||||||
fi
|
fi
|
||||||
|
elif [[ ${option} == "ACME_CONTACT" ]]; then
|
||||||
|
if ! grep -q ${option} mailcow.conf; then
|
||||||
|
echo '# Let\'s Encrypt registration contact information' >> mailcow.conf
|
||||||
|
echo '# Optional: Leave empty for none' >> mailcow.conf
|
||||||
|
echo '# This value is only used on first order!' >> mailcow.conf
|
||||||
|
echo '# Setting it at a later point will require the following steps:' >> mailcow.conf
|
||||||
|
echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
|
||||||
|
echo 'ACME_CONTACT=' >> mailcow.conf
|
||||||
|
fi
|
||||||
elif ! grep -q ${option} mailcow.conf; then
|
elif ! grep -q ${option} mailcow.conf; then
|
||||||
echo "Adding new option \"${option}\" to mailcow.conf"
|
echo "Adding new option \"${option}\" to mailcow.conf"
|
||||||
echo "${option}=n" >> mailcow.conf
|
echo "${option}=n" >> mailcow.conf
|
||||||
|
|
Loading…
Reference in New Issue