[ACME] Fix detection of orphaned SANs and add tini

2017-10-21 10:08:14 +02:00 · 2017-10-21 10:08:14 +02:00 · a110e2ea0f
parent 81775765d8
commit a110e2ea0f
3 changed files with 248 additions and 229 deletions
--- a/data/Dockerfiles/acme/Dockerfile
+++ b/data/Dockerfiles/acme/Dockerfile
@ -9,8 +9,9 @@ RUN apk add --update --no-cache \
 	openssl \
 	bind-tools \
 	jq \
-	mariadb-client
+	mariadb-client \
+  tini

 COPY docker-entrypoint.sh /srv/docker-entrypoint.sh

-ENTRYPOINT ["/srv/docker-entrypoint.sh"]
+CMD ["/sbin/tini", "-g", "--", "/srv/docker-entrypoint.sh"]
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@ -15,7 +15,21 @@ restart_containers(){
 }

 log_f() {
+  if [[ ${2} == "no_nl" ]]; then
+    echo -n "$(date) - ${1}"
+  elif [[ ${2} == "no_date" ]]; then
+    echo "${1}"
+  else
    echo "$(date) - ${1}"
+  fi
+}
+
+array_diff() {
+  # https://stackoverflow.com/questions/2312762, Alex Offshore
+  eval local ARR1=\(\"\${$2[@]}\"\)
+  eval local ARR2=\(\"\${$3[@]}\"\)
+  local IFS=$'\n'
+  mapfile -t $1 < <(comm -23 <(echo "${ARR1[*]}" | sort) <(echo "${ARR2[*]}" | sort))
 }

 verify_hash_match(){
@ -105,14 +119,18 @@ while true; do
  IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
  IPV4=$(get_ipv4)
  # Container ids may have changed
-	CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
+  CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))

-	while read domain; do
-		SQL_DOMAIN_ARR+=("${domain}")
-	done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0" -Bs)
-	while read alias_domain; do
-		SQL_DOMAIN_ARR+=("${alias_domain}")
-	done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
+  log_f "Waiting for domain tables... " no_nl
+  while [[ -z ${DOMAIN_TABLE} ]]; do
+    DOMAIN_TABLE=$(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
+    [[ -z ${DOMAIN_TABLE} ]] && sleep 10
+  done
+  log_f "OK" no_date
+
+  while read domains; do
+    SQL_DOMAIN_ARR+=("${domains}")
+  done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 UNION SELECT alias_domain FROM alias_domain" -Bs)

  for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
    A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1)
@ -182,7 +200,7 @@ while true; do
    exec $(readlink -f "$0")
  fi

-	ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${ALL_VALIDATED[*]} | tr ' ' '\n' | sort | uniq -u ))
+  array_diff ORPHANED_SAN SAN_ARRAY_NOW ALL_VALIDATED
  if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then
    DATE=$(date +%Y-%m-%d_%H_%M_%S)
    log_f "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
--- a/data/Dockerfiles/acme/tini
+++ b/data/Dockerfiles/acme/tini