From a110e2ea0f126ac5bed59dad6d30a76b12d29a0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9?= Date: Sat, 21 Oct 2017 10:08:14 +0200 Subject: [PATCH] [ACME] Fix detection of orphaned SANs and add tini --- data/Dockerfiles/acme/Dockerfile | 5 +- data/Dockerfiles/acme/docker-entrypoint.sh | 472 +++++++++++---------- data/Dockerfiles/acme/tini | Bin 0 -> 19968 bytes 3 files changed, 248 insertions(+), 229 deletions(-) create mode 100755 data/Dockerfiles/acme/tini diff --git a/data/Dockerfiles/acme/Dockerfile b/data/Dockerfiles/acme/Dockerfile index b3fd77fd..1554e6a8 100644 --- a/data/Dockerfiles/acme/Dockerfile +++ b/data/Dockerfiles/acme/Dockerfile @@ -9,8 +9,9 @@ RUN apk add --update --no-cache \ openssl \ bind-tools \ jq \ - mariadb-client + mariadb-client \ + tini COPY docker-entrypoint.sh /srv/docker-entrypoint.sh -ENTRYPOINT ["/srv/docker-entrypoint.sh"] +CMD ["/sbin/tini", "-g", "--", "/srv/docker-entrypoint.sh"] diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh index 25023819..6d3d7273 100755 --- a/data/Dockerfiles/acme/docker-entrypoint.sh +++ b/data/Dockerfiles/acme/docker-entrypoint.sh @@ -8,26 +8,40 @@ SSL_EXAMPLE=/var/lib/ssl-example mkdir -p ${ACME_BASE}/acme/private restart_containers(){ - for container in $*; do - echo "Restarting ${container}..." - curl -X POST http://dockerapi:8080/containers/${container}/restart - done + for container in $*; do + echo "Restarting ${container}..." + curl -X POST http://dockerapi:8080/containers/${container}/restart + done } log_f() { - echo "$(date) - ${1}" + if [[ ${2} == "no_nl" ]]; then + echo -n "$(date) - ${1}" + elif [[ ${2} == "no_date" ]]; then + echo "${1}" + else + echo "$(date) - ${1}" + fi +} + +array_diff() { + # https://stackoverflow.com/questions/2312762, Alex Offshore + eval local ARR1=\(\"\${$2[@]}\"\) + eval local ARR2=\(\"\${$3[@]}\"\) + local IFS=$'\n' + mapfile -t $1 < <(comm -23 <(echo "${ARR1[*]}" | sort) <(echo "${ARR2[*]}" | sort)) } verify_hash_match(){ - CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5) - KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5) - if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then - log_f "Certificate and key hashes do not match!" - return 1 - else - log_f "Verified hashes." - return 0 - fi + CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5) + KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5) + if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then + log_f "Certificate and key hashes do not match!" + return 1 + else + log_f "Verified hashes." + return 0 + fi } get_ipv4(){ @@ -51,239 +65,243 @@ get_ipv4(){ [[ ! -f ${ACME_BASE}/dhparams.pem ]] && cp ${SSL_EXAMPLE}/dhparams.pem ${ACME_BASE}/dhparams.pem if [[ -f ${ACME_BASE}/cert.pem ]] && [[ -f ${ACME_BASE}/key.pem ]]; then - ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer) - if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then - log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..." - sleep 3650d - exec $(readlink -f "$0") - else - declare -a SAN_ARRAY_NOW - SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:") - if [[ ! -z ${SAN_NAMES} ]]; then - IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES} - log_f "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}" - fi - fi + ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer) + if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then + log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..." + sleep 3650d + exec $(readlink -f "$0") + else + declare -a SAN_ARRAY_NOW + SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:") + if [[ ! -z ${SAN_NAMES} ]]; then + IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES} + log_f "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}" + fi + fi else - if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then - if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then - log_f "Restoring previous acme certificate and restarting script..." - cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem - cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem - # Restarting with env var set to trigger a restart, - exec env TRIGGER_RESTART=1 $(readlink -f "$0") - fi - ISSUER="mailcow" - else - log_f "Restoring mailcow snake-oil certificates and restarting script..." - cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem - cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem - exec env TRIGGER_RESTART=1 $(readlink -f "$0") - fi + if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then + if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then + log_f "Restoring previous acme certificate and restarting script..." + cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem + cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem + # Restarting with env var set to trigger a restart, + exec env TRIGGER_RESTART=1 $(readlink -f "$0") + fi + ISSUER="mailcow" + else + log_f "Restoring mailcow snake-oil certificates and restarting script..." + cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem + cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem + exec env TRIGGER_RESTART=1 $(readlink -f "$0") + fi fi while ! mysqladmin ping --host mysql -u${DBUSER} -p${DBPASS} --silent; do - echo "Waiting for database to come up..." - sleep 2 + echo "Waiting for database to come up..." + sleep 2 done while true; do - if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..." - sleep 365d - exec $(readlink -f "$0") - fi - if [[ "${SKIP_IP_CHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - SKIP_IP_CHECK=y - fi - unset SQL_DOMAIN_ARR - unset VALIDATED_CONFIG_DOMAINS - unset ADDITIONAL_VALIDATED_SAN - declare -a SQL_DOMAIN_ARR - declare -a VALIDATED_CONFIG_DOMAINS - declare -a ADDITIONAL_VALIDATED_SAN - IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}" - IPV4=$(get_ipv4) - # Container ids may have changed - CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " ")) + if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..." + sleep 365d + exec $(readlink -f "$0") + fi + if [[ "${SKIP_IP_CHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + SKIP_IP_CHECK=y + fi + unset SQL_DOMAIN_ARR + unset VALIDATED_CONFIG_DOMAINS + unset ADDITIONAL_VALIDATED_SAN + declare -a SQL_DOMAIN_ARR + declare -a VALIDATED_CONFIG_DOMAINS + declare -a ADDITIONAL_VALIDATED_SAN + IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}" + IPV4=$(get_ipv4) + # Container ids may have changed + CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " ")) - while read domain; do - SQL_DOMAIN_ARR+=("${domain}") - done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0" -Bs) - while read alias_domain; do - SQL_DOMAIN_ARR+=("${alias_domain}") - done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs) + log_f "Waiting for domain tables... " no_nl + while [[ -z ${DOMAIN_TABLE} ]]; do + DOMAIN_TABLE=$(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs) + [[ -z ${DOMAIN_TABLE} ]] && sleep 10 + done + log_f "OK" no_date - for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do - A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1) - if [[ ! -z ${A_CONFIG} ]]; then - log_f "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}" - if [[ ${IPV4:-ERR} == ${A_CONFIG} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then - log_f "Confirmed A record autoconfig.${SQL_DOMAIN}" - VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}") - else - log_f "Cannot match your IP ${IPV4} against hostname autoconfig.${SQL_DOMAIN} (${A_CONFIG})" - fi - else - log_f "No A record for autoconfig.${SQL_DOMAIN} found" - fi + while read domains; do + SQL_DOMAIN_ARR+=("${domains}") + done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 UNION SELECT alias_domain FROM alias_domain" -Bs) + + for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do + A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1) + if [[ ! -z ${A_CONFIG} ]]; then + log_f "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}" + if [[ ${IPV4:-ERR} == ${A_CONFIG} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then + log_f "Confirmed A record autoconfig.${SQL_DOMAIN}" + VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}") + else + log_f "Cannot match your IP ${IPV4} against hostname autoconfig.${SQL_DOMAIN} (${A_CONFIG})" + fi + else + log_f "No A record for autoconfig.${SQL_DOMAIN} found" + fi A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short | tail -n 1) - if [[ ! -z ${A_DISCOVER} ]]; then - log_f "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}" - if [[ ${IPV4:-ERR} == ${A_DISCOVER} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then - log_f "Confirmed A record autodiscover.${SQL_DOMAIN}" - VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}") - else - log_f "Cannot match your IP ${IPV4} against hostname autodiscover.${SQL_DOMAIN} (${A_DISCOVER})" - fi - else - log_f "No A record for autodiscover.${SQL_DOMAIN} found" - fi - done + if [[ ! -z ${A_DISCOVER} ]]; then + log_f "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}" + if [[ ${IPV4:-ERR} == ${A_DISCOVER} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then + log_f "Confirmed A record autodiscover.${SQL_DOMAIN}" + VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}") + else + log_f "Cannot match your IP ${IPV4} against hostname autodiscover.${SQL_DOMAIN} (${A_DISCOVER})" + fi + else + log_f "No A record for autodiscover.${SQL_DOMAIN} found" + fi + done - A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1) - if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then - log_f "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}" - if [[ ${IPV4:-ERR} == ${A_MAILCOW_HOSTNAME} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then - log_f "Confirmed A record ${MAILCOW_HOSTNAME}" - VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} - else - log_f "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (${A_MAILCOW_HOSTNAME}) " - fi - else - log_f "No A record for ${MAILCOW_HOSTNAME} found" - fi + A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1) + if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then + log_f "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}" + if [[ ${IPV4:-ERR} == ${A_MAILCOW_HOSTNAME} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then + log_f "Confirmed A record ${MAILCOW_HOSTNAME}" + VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} + else + log_f "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (${A_MAILCOW_HOSTNAME}) " + fi + else + log_f "No A record for ${MAILCOW_HOSTNAME} found" + fi - for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do - if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then - continue - fi - A_SAN=$(dig A ${SAN} +short | tail -n 1) - if [[ ! -z ${A_SAN} ]]; then - log_f "Found A record for ${SAN}: ${A_SAN}" - if [[ ${IPV4:-ERR} == ${A_SAN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then - log_f "Confirmed A record ${SAN}" - ADDITIONAL_VALIDATED_SAN+=("${SAN}") - else - log_f "Cannot match your IP against hostname ${SAN}" - fi - else - log_f "No A record for ${SAN} found" - fi - done + for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do + if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then + continue + fi + A_SAN=$(dig A ${SAN} +short | tail -n 1) + if [[ ! -z ${A_SAN} ]]; then + log_f "Found A record for ${SAN}: ${A_SAN}" + if [[ ${IPV4:-ERR} == ${A_SAN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then + log_f "Confirmed A record ${SAN}" + ADDITIONAL_VALIDATED_SAN+=("${SAN}") + else + log_f "Cannot match your IP against hostname ${SAN}" + fi + else + log_f "No A record for ${SAN} found" + fi + done # Unique elements - ALL_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs)) - if [[ -z ${ALL_VALIDATED[*]} ]]; then - log_f "Cannot validate hostnames, skipping Let's Encrypt for 1 hour." - log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently." - sleep 1h - exec $(readlink -f "$0") - fi + ALL_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs)) + if [[ -z ${ALL_VALIDATED[*]} ]]; then + log_f "Cannot validate hostnames, skipping Let's Encrypt for 1 hour." + log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently." + sleep 1h + exec $(readlink -f "$0") + fi - ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${ALL_VALIDATED[*]} | tr ' ' '\n' | sort | uniq -u )) - if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then - DATE=$(date +%Y-%m-%d_%H_%M_%S) - log_f "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..." - mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/ - [[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/ - [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/ - [[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/ - cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records - fi + array_diff ORPHANED_SAN SAN_ARRAY_NOW ALL_VALIDATED + if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then + DATE=$(date +%Y-%m-%d_%H_%M_%S) + log_f "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..." + mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/ + [[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/ + [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/ + [[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/ + cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records + fi - ACME_RESPONSE=$(acme-client \ - -v -e -b -N -n \ - -f ${ACME_BASE}/acme/private/account.key \ - -k ${ACME_BASE}/acme/private/privkey.pem \ - -c ${ACME_BASE}/acme \ - ${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5) + ACME_RESPONSE=$(acme-client \ + -v -e -b -N -n \ + -f ${ACME_BASE}/acme/private/account.key \ + -k ${ACME_BASE}/acme/private/privkey.pem \ + -c ${ACME_BASE}/acme \ + ${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5) - case "$?" in - 0) # new certs - # cp the new certificates and keys - cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem - cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem + case "$?" in + 0) # new certs + # cp the new certificates and keys + cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem + cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem - # restart docker containers - if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then - log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, restoring mailcow snake-oil and restarting containers..." - cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem - cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem - fi - restart_containers ${CONTAINERS_RESTART[*]} - ;; - 1) # failure - if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then - log_f "Registration keys are invalid, deleting old keys and restarting..." - rm ${ACME_BASE}/acme/private/account.key - rm ${ACME_BASE}/acme/private/privkey.pem - exec $(readlink -f "$0") - fi - if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then - log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...." - cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem - cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem - TRIGGER_RESTART=1 - elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then - log_f "Error requesting certificate, restoring from previous acme request and restarting containers..." - cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem - cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem - TRIGGER_RESTART=1 - fi - if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then - log_f "Error verifying certificates, restoring mailcow snake-oil and restarting containers..." - cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem - cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem - TRIGGER_RESTART=1 - fi - [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]} - log_f "Retrying in 30 minutes..." - sleep 30m - exec $(readlink -f "$0") - ;; - 2) # no change - if ! diff ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem; then - log_f "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..." - cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem - cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem - TRIGGER_RESTART=1 - fi - if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then - log_f "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..." - cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem - cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem - TRIGGER_RESTART=1 - fi - [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]} - ;; - *) # unspecified - if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then - log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...." - cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem - cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem - TRIGGER_RESTART=1 + # restart docker containers + if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then + log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, restoring mailcow snake-oil and restarting containers..." + cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem + cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem + fi + restart_containers ${CONTAINERS_RESTART[*]} + ;; + 1) # failure + if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then + log_f "Registration keys are invalid, deleting old keys and restarting..." + rm ${ACME_BASE}/acme/private/account.key + rm ${ACME_BASE}/acme/private/privkey.pem + exec $(readlink -f "$0") + fi + if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then + log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...." + cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem + cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem + TRIGGER_RESTART=1 + elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then + log_f "Error requesting certificate, restoring from previous acme request and restarting containers..." + cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem + cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem + TRIGGER_RESTART=1 + fi + if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then + log_f "Error verifying certificates, restoring mailcow snake-oil and restarting containers..." + cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem + cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem + TRIGGER_RESTART=1 + fi + [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]} + log_f "Retrying in 30 minutes..." + sleep 30m + exec $(readlink -f "$0") + ;; + 2) # no change + if ! diff ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem; then + log_f "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..." + cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem + cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem + TRIGGER_RESTART=1 + fi + if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then + log_f "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..." + cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem + cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem + TRIGGER_RESTART=1 + fi + [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]} + ;; + *) # unspecified + if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then + log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...." + cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem + cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem + TRIGGER_RESTART=1 elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then - log_f "Error requesting certificate, restoring from previous acme request and restarting containers..." - cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem - cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem - TRIGGER_RESTART=1 - fi - if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then - log_f "Error verifying certificates, restoring mailcow snake-oil..." - cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem - cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem - TRIGGER_RESTART=1 - fi - [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]} - log_f "Retrying in 30 minutes..." - sleep 30m - exec $(readlink -f "$0") - ;; - esac + log_f "Error requesting certificate, restoring from previous acme request and restarting containers..." + cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem + cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem + TRIGGER_RESTART=1 + fi + if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then + log_f "Error verifying certificates, restoring mailcow snake-oil..." + cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem + cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem + TRIGGER_RESTART=1 + fi + [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]} + log_f "Retrying in 30 minutes..." + sleep 30m + exec $(readlink -f "$0") + ;; + esac - log_f "ACME certificate validation done. Sleeping for another day." - sleep 1d + log_f "ACME certificate validation done. Sleeping for another day." + sleep 1d done diff --git a/data/Dockerfiles/acme/tini b/data/Dockerfiles/acme/tini new file mode 100755 index 0000000000000000000000000000000000000000..6556c966f4221a108f2e6d57fd0b16c4e8ac465c GIT binary patch literal 19968 zcmeHve|S{Yng2~lAS7WD6l{uEjv63n5)vddqS2Wo6J|6dF`1y2VltVTB%_m=ICCe6 zWi@tybvneRYHhpQZPV7r+SX@Ft!-g!OB5Ar?YF4aFVt>DQF{mcfkKh3)!EN`eoQU{ z+1+RNdA`s04-d?o`~H5X*_$Ip!(OjM_QUk>P-JLjkNf3*GDr6pT0 zJp97D7RL*9V>jLYPn%af@xfWU#@@3${OENruKHe8?7+>}Eqwas_|p$veP}Xy=V{K%A>ar2oOK#j#N#Ko_1HA{?@WV#dK&!ZY4Cm1`18&*{4~Fx$f{2Hc?{bc=bhcQ{P}Oa2X`v~Dm(C@cuq<`)qQi3 zHn>WQ=;4TeAm|Qgp<&%0^lJT~@J$*}!{Lx; z$Q|L={r*58;?uPOpFZsOYBvESK|K`EJnlds(Ivd;P(lXvF7Lw#;on6A*SE`nIR1FA|Yz!oG+e zGPyy%_S_m8>ht^H6ZH_HpsZ%172-StFy7GXGQfT)hjdCE2`^|q`C6n)YbGD8h?sPQwCk< znEss#nJGDE;G{JnNzhy&ivDT;Y+4C^35Ez4T|jWIb{`o=IeBF-uV>;Lvwo(i@t6&%!AyAR3g@dZ;VB-f)R^#U4kB8;2~TZM z#cIN59yvgCnDA;&B$*Bq9s$af>rD8<3|7;6O?XAF{Mm{b^@Ise&kCwMXu{JyS(P0o{5cAVdZ!8hDHDFu zgvYF(DNmd53o=+u+h@X`Yr^k0;b|?S%0UzUJcUGUnDC2C_@gE~GvOVvw+bAI{IxYq zb8MZ|^9@?KIATu}>=8`qx<-)Fi<|LXvdD@nf(MD1I+#XTyqaK2?bJRFuOOIGIyK4R ziwK@U@D2`NKrp3nYJ$TH2&Q3^8t3p?1XC)fMmbzaFr{#6n8UdQQ|hLAIsCWffGK5D z9UOk2U`o}LmBWV#rW8%paQHQXDK%4!!+#{0QZiM_;pYjq5Ug?d8GG!-%T*3SZb8R zUm}=ND>cmFFA_}4rBpA6ZzY&gEY-o`Fu{~sDJzF>B$!evRm0)FYNqv%1LnnX$6I%z zvm9fsEHQoh;cJM0Yq6o6F0LZ6Br6VB&PEQIFmt zx*K$mfz``PjXv}dVXp=@wi%7oe-~@mj$q8#I2&y%O)Ub!2tbn~(eTC!ro|siK3rkd zeoYNTgYQQ49Emx<1tm%0=J?%zSZ39X0Zyvh0n%>DJfj6#j{K0uOYPgv_;WWn;;%Vk zuOIDjIrmP|%G0s;F~+OC^c-L;1^e;-l10s!PrhdF)w&&3w-8d>u!pSlS1b6}MDKRo@eWt;*vB)Vz!5*{c+9xck@J+}xsUbv8Er*M zTgf8m5%xzL=Aso^bZ$2U4T|uFr}96pWm?WLZfQ5Wf*iY2i{>A>2XYx@?~y=y--gt! zkeTwQ%aQnO?emWKhr4M?Fn;%8I!&GMRRE4eq@ecs-IV&q8yp`!AGlKBDE*D+B=2_s ztcUSY)SB^IV9`NdxP%V6A5l~t^xogmf7?M$)Ej@rb&_3VMG8I!?p5GcY|nt?NYq^j zl<2H)K!j)U`aS*Q#!W(h-s$?kLi#I({;!h$qv(6+Kk_Za!MH@oJ&V~X%dhK6?)cxh zUmHlyA^b{t5UH-(6SZmM9H0@FJKv!e?t-S;bo?n}5*J%1<9qaw@iT}!;(HQW?Bu6Q zw#-6G#!k-E`;1=^KGCr5bgPHR(aVgtP$mD3a*YR~3XC!kk5XP6zXTo8m=C;&Mgkh+ z`!n&beL2=Ja52+zM-Ceu!q{&xp`eM+m_k3owaoc3D9IYA6=P!p?KG|y2JQt(7`O;p zj{J+tSL4Hf=Pe+5R@}~qr149T(VvTPo&1GpMrtMErsT=Ly%)j1l5H(O8xIL}i%<9Q zdG7t3BJ!~!VmJ`uCv-jhSznJzU&G!x$*eL~%I}kS)GHxgYj1xzq^{f*B9; zpeeoqB)S)`-(dT^O^kH#{syxJX5RTk5qYb~m_J(M?;3aVY>K|(Ok7^x8h`WA+o_|! z2ZcuPB&E@llt#IFY3$@2o&-B@14Bvkej`NWL_>ja-#oUy3hBf@XvV*wCjY_pS{0fS zpG@YOS{Vcx*|ZlV5y%E;jPFlhD_e@YxS|f7fwE4Yz>{iJN@i zlxu~;h9_g=07Q5k_zjp_nVNsPyBzUjj`&Bs3GzLX{3DQoA+H9(BnOkBbMk>C-Ka(O*FwFqR-(%@=p7I;R!KBHK?v^s zgkB`kvHzzJ%^fg~*> zgrNcA`L<}=u2BHVolwSUh|PV1z(E_2^{y`y&q?rryphPrMn_!eU%w&M3=4E;O3bfb zN`3h6!VGPPrRu@1#&0a0Yg^}xpRjd1<1gA=xQYC(EB;|?VoAxCSK(apA(&~6pNPL= zJP(brlj)Kzb7}T7u8f`h>_(O@f3kNux^pjhk;98{Q>k-a%pmd?BM0NxG(K!M;2xsI z^1rbJqxHxG@_rJ_Uk3J^Blk%-G5-Jd{$?8Y%Z zr(w0i{?BN(NL|S1FnFH0tzcIn6#V*IXz8&BO191h1;fh&HmPM7Wo+_6&{coTgf}AP zX$?zpj=yqoLp`}%09~=YISxm~AX`0jJ{htfZnNNDV&|VRh>)^lf6`}WU7{9{tVbZ%3J!Xn8`imYJiXo~Q z%fS#knWLA}io3XWa`$4w{s36IUnTMvUC8LpvoVbB_!K6LvOVKii5KVS#}fH7Km%9G zIQ$-uK@4UQ$wO$N%KB2_s~?mk?Yj$KSuK2hgSWD-E#vDGq=hV~b>lrkZLv^mUcBsr ztl!pXHhn$IXTI27Cm3Y%p;nJfJ zCLd~QCwHAq*YQ`5Iq+=ug#rh3(-H^kBk(#C>-hZ6m+Pyf@LeE-P)ZX&U$dVl2wNT_ zF$MsGV%Or+hE5AS!yNl>J zZsb*%H#UQeetiSi$;Hr*UIq6OaI36Jaxd%7&KQhCgjAp9?LX-IoQps)1^o*6nc9XyE%K);$!xtEmQ1lHMji1tjR4f~ zyKVx?6D!MOAJ5fqiZ!?v(USWgA3*;n=D&`i8-L}4SGGQ1()^+E3?wj+yNnzXt;Yi> zrqU< zw|E=8LZf+}nkzJ3MH)*p8i&z;#+%%Yy5$*-Pm&fmUpqGb&TRg8^JiBD}SB#56j@1_;^`ahf{wkQq?YoKEw_LdJAaub6^X{$9Y0QqZ5fOIY!obe*{Tp1toaaF?`Tl+KJt%bl0wj?aYqNBZ8|MnW_X@q{e714n zhFghpAi2|&ZcByQ-i+E4DTL%>(6mukQ_$$%1r~? z4YnThdidBL8f4H14qW0)Dpy zd(A0anNwdgADu#*VLI@IycxCL+1Ap|PEiGhip7y-g<4Z+Xb9)146l9p7#(bff|1pQ zg&Jd3fz_;QFtiaQez?hq&3B7muP)T=!4ZEr6ddvebvEJ-`{`Jhi@BU_&YrIB#!kDf z!``WJaGkxgvAxUbx?ZcQ8u8%}9Y@@YBZb;vWMm+qt#@_Wn(U`Ir_N4&UgnN4e*DR% z&WP7vYwN_oJ0*Pn0eSGAY4*~^k)>0|;3l-6qt%(ci2(i<9)6~W7*3pVG~#C5xR-uNOAW0yvu}j?BA&u7c%z1ABlPfnb$XhJey9giw@Q^ z0peOC5guHoq9uYQ4e{)d$;N7`Ygbj*vMM%!}Gp$KM&sE(IUs-b<@=hj(tm^%0p3`F<=QC=XAMD4;W6mkSah>4=Y^K)q=6M=zn zC_1dfV0ZEV+;1L7lJD~A+?Mdzk2DPUMtlKQ;q~>qqX8Wq?ZupjGBwiqTRFU~KD2fd z!+a{o61`|52e8)B+0$ir^)xx0t<6*O8$(Y-gYFSb8#DtlbU5#wVZ65iJww&ZhWKp? zMOlTNUhk6C%3{xJzA8>Y)-v8DS~kby&DI8L5c*uS~E49!G+WGotaaq)$H^-5!B(f#%DfK zMiIvBmWeI3Y%Sg~l3^Ef8^ioNgucN{!Us5BMbe`*;{8i$GC7@JaEa+piU@#a;LQAU zx*T~E4c-(CZ45HRG=iJce^Q1QSUL6fPwM|s97@j>@iYF5`0e;F=+ni2Vj8(|iFeVW z3!^p|(pfkf3{pNK={uawtd`HC{zz~sNb>D13>!X$X01W03qQwS|5B3~Cen>~(~oQI z^Fg`_FT!DM1aZuMWV4b*LQK3fMp-sYb~lE|)JCk|sta8q*6+WCPhPm8U@jS|#GK*d zh^mNOm@%X(-uL53ykmFT3XGk)`Xbw^A>4^GwxyD^A`}@89*b)9ZqB(gE*nQZ7a#rK z(&;~;cD<5L|8j<=J#sLeehBa*ucp)Vj_n^_OQ$PQ>#wKNt*BSNnNEKb^&@{tr|I3+ zKcIdc_3K!Px8{P5CAt^&y?FH4j{1H)P(6a$i!F&t=)WJ^QeM=5z&`AsP&Z>wyF5?) z&H!e$oLf7!oLfqB&Mlr*FrG83lwR=Q@9V&?i-sy_v=lgsayOuADgu_<4xpYu zJor1bg70gb5BOGmw&TMNrPKV~(nd?^SZ<@GZ2OF63)_}wvsA?Lud>wSh6^nfHVd;^ z%D~ZRDXQk3ff z7A;3VWU%%k3P3h*qimkG5_SW~-x}mGf480Y|J9c9oLuApbp*n7Bd%I_%YKZjCTg4u za`!`y_Ne$f-0*ih_2V|mi&$QZrDmki!kR2)P>6I`Q#4~ed^RI;kswpBNJpNJe}~@j zm(ywf&ifk6czzI(vI&nVrx#*e9mU3`57!#(ewpHQ7xnvCUZbUAd%nX`vu&osQXiYO z)?y7?>TNtKji#vZyrOYhhVcq>pOjA`@JR$diNGfj_#^_KMBx8}2<$uC%DvbjYvmFx zrKqU7Sb&+|z0nKWRMhY6)I0U+_to@*GZnSIRPWZ8UD3<&d@XLG|MlZ^hzMWLwNjP& z&3DIa0n@=dmC+eiUd!zy?YnYOq1IVy?Mlbu=7J@NDArzHtF_34yrA_j6*}#wLhp_7 zGRMj*g`X%EuxeK?r)v0pyeP^(j*EDEh9y6aqd2VMiDeas-!HOC$^SQ%`W<_=wUmUb-J)GD$YDA04yskYzhr; z3i}5Jbyne7##YqS)-l&$2)pd8Jsi5#6JnR^9JGcwSlu7KqOh>T7asECGyuDTe8)EI z>)XVzS4{f?m5hErN87`mLF_a7D(PX}9o)pQb&M@27V6WnBgS_pmB9bKI0%zs^Tmtfg%G!RBep?F3#sl8;kTF@DZKcVp%=$1;?&CplDjW7g5By& zhhwLR&LwC&UhM5o^{OOA2C+}curL++FaMO_7-MqyPjR` zY-_G$_Uk%2?Ok20y|d7{wxiW)2hQ2n)Y{$bY+J(`A=lQ9+;$?Vq14sR$e>i^v_r0i zt+jVHIiT6r=xoK2U1ed5)73^gTiQFBjdj>MUCyTNR$C|Q=jIk3| z>}&09u4-5Xj@j1%U|kMdYb%*5v~|P#PV$d6wRc?K>0IM*F-LoAvmMArJ3O;Bw%Ua$ zG^(l9=3HCJnr&-sYskA!)($P5g~TSjW7j(Dgd%%3{BNQo9BM{WdmEiAx+>AiPFF_s zT4$HNlG!?)T@;X(&i1vHg%nOmKs%H`uFWpAP^fu;GCcwo3RpK9t$bn4c3UfSp?lg+ z>Avd1HBC*cSw(kWG^j^eUG>W9nyOV%4%Oa<^QfAYIB^kpnow5Ntg5+G)2btb^mAc% zpH_|EmHO~I+iGN)uNn=m(%l0R8VE+K`=Z#fufi{Xs|muP;GkCR-4u*$8WOc078H4& zbPCV|TG$tGlYqP$4(MbOzkjX9W%WP^7rO5jeDfdnR)<6UH@nro!Jd8`clmk-y-=bc zA=={(huxcmgu1@b12&j(5BWXtA*7RfVCVMgi7%a6~bu-HZt-|9;lOTiI3m?#Yr@&ky%56&z|Et@yL^{~J<1(|=2?oOMFV|4=;`NCiyR zs`?Ht$bTiT{?3y6`%CvKMpizI?gH9^k785LOX}}2 zW%FmlPePWuTFI;DsWKYaDB1kk@N?jy_A7b%`5+bc-;{p|yp+32UOi8!zn7)*Pvy6= zukzqd$eQh|-}|2w$KBKVuk^f