[WebAuthn] update mailcow.conf

update.sh

@@ -307,6 +307,7 @@ CONFIG_ARRAY=(
   "ADDITIONAL_SERVER_NAMES"
   "ACME_CONTACT"
   "WATCHDOG_VERBOSE"
+  "WEBAUTHN_DISABLE_ROOTCA"
 )
 
 sed -i --follow-symlinks '$a\' mailcow.conf
@@ -514,6 +515,25 @@ for option in ${CONFIG_ARRAY[@]}; do
       echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
       echo 'ACME_CONTACT=' >> mailcow.conf
   fi
+  elif [[ ${option} == "WEBAUTHN_DISABLE_ROOTCA" ]]; then
+    if ! grep -q ${option} mailcow.conf; then
+      echo "# Disable including device root ca's for WebAuthn" >> mailcow.conf
+      echo '# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers' >> mailcow.conf
+      echo '# It will solve "Error: invalid root certificate" at TFA device registration' >> mailcow.conf
+      echo '# Suported devices are' >> mailcow.conf
+      echo '#   solo certified' >> mailcow.conf
+      echo '#   apple certified' >> mailcow.conf
+      echo '#   nitro certified' >> mailcow.conf
+      echo '#   yubico certified' >> mailcow.conf
+      echo '#   hypersecu certified' >> mailcow.conf
+      echo '#   globalSign certified' >> mailcow.conf
+      echo '#   googleHardware certified' >> mailcow.conf
+      echo '#   microsoftTpmCollection certified' >> mailcow.conf
+      echo '#   huawei certified' >> mailcow.conf
+      echo '#   trustkey certified' >> mailcow.conf
+      echo '#   bsi certified' >> mailcow.conf
+      echo 'WEBAUTHN_DISABLE_ROOTCA=' >> mailcow.conf
+    fi
 elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
     if ! grep -q ${option} mailcow.conf; then
       echo '# Enable watchdog verbose logging' >> mailcow.conf