From 19325ffb2a87629abc4d3fcc5f8f496aba6b7249 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 14 Jun 2017 07:24:32 +0200
Subject: [PATCH] Validate additional SAN

---
 data/Dockerfiles/acme/docker-entrypoint.sh | 26 +++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index 3b7d7560..cc230ab2 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -13,18 +13,19 @@ restart_containers(){
 
 while true; do
 
-	# Autodiscover and Autoconfig (Thunderbird)
 	declare -a SQL_DOMAIN_ARR
 	declare -a DOMAIN_ARR
 	declare -a DOMAIN_ARR
+	declare -a ADDITIONAL_VALIDATED_SAN
+	IFS=' ' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
+	IPV4=$(curl -4s https://mailcow.email/ip.php)
 
 	while read line; do
 		SQL_DOMAIN_ARR+=("${line}")
 	done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain" -Bs)
 
 	for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
-		IPV4=$(curl -4s https://mailcow.email/ip.php)
-		A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short @208.67.220.222)
+		A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short)
 		if [[ ! -z ${A_CONFIG} ]]; then
 			echo "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}"
 			if [[ ${IPV4} == ${A_CONFIG} ]]; then
@@ -37,7 +38,7 @@ while true; do
 			echo "No A record for autoconfig.${SQL_DOMAIN} found"
 		fi
 
-        A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short @208.67.220.222)
+        A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short)
 		if [[ ! -z ${A_DISCOVER} ]]; then
 			echo "Found A record for autodiscover.${SQL_DOMAIN}: ${A_CONFIG}"
 			if [[ ${IPV4} == ${A_DISCOVER} ]]; then
@@ -51,12 +52,27 @@ while true; do
 		fi
 	done
 
+	for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
+		A_SAN=$(dig A ${SAN} +short)
+		if [[ ! -z ${A_SAN} ]]; then
+			echo "Found A record for ${SAN}: ${A_SAN}"
+			if [[ ${IPV4} == ${A_SAN} ]]; then
+				echo "Confirmed A record ${SAN}"
+				ADDITIONAL_VALIDATED_SAN+=("${SAN}")
+			else
+				echo "Cannot match Your IP against hostname ${SAN}"
+			fi
+		else
+			echo "No A record for ${SAN} found"
+		fi
+	done
+
 	acme-client \
 		-v -e -b -N -n \
 		-f ${ACME_BASE}/acme/private/account.key \
 		-k ${ACME_BASE}/acme/private/privkey.pem \
 		-c ${ACME_BASE}/acme \
-		${MAILCOW_HOSTNAME} ${CONFIG_DOMAINS[*]} ${ADDITIONAL_SAN}
+		${MAILCOW_HOSTNAME} ${CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]}
 
 	case "$?" in
 		0) # new certs