From 18e52ab27d518526a887b96222c688d040222b4d Mon Sep 17 00:00:00 2001 From: andryyy Date: Fri, 23 Jun 2017 08:33:07 +0200 Subject: [PATCH 1/2] More debug output, keep key for TLSA 3 1 1, other minor changes --- data/Dockerfiles/acme/docker-entrypoint.sh | 34 ++++++++++++---------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh index 039f73da..81c6380c 100755 --- a/data/Dockerfiles/acme/docker-entrypoint.sh +++ b/data/Dockerfiles/acme/docker-entrypoint.sh @@ -1,11 +1,5 @@ #!/bin/bash -if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then - echo "Skipping Let's Encrypt..." - exit 0 -fi - - ACME_BASE=/var/lib/acme SSL_EXAMPLE=/var/lib/ssl-example mkdir -p ${ACME_BASE}/acme/private @@ -19,18 +13,20 @@ restart_containers(){ } if [[ -f ${ACME_BASE}/cert.pem ]]; then - if [[ $(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer) != *"Let's Encrypt"* && - $(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer) != *"mailcow"* ]]; then - echo "Skipping ACME client" + ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer) + if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then + echo "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..." exit 0 else declare -a SAN_ARRAY_NOW SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:") if [[ ! -z ${SAN_NAMES} ]]; then IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES} + echo "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}" fi fi else + ISSUER="mailcow" if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem 
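Review bot: `ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)` has no failure check, so an unreadable or malformed cert.pem leaves ISSUER empty, which satisfies both `!=` tests, prints the "issuer other than mailcow snake-oil CA and Let's Encrypt" message and runs `exit 0` — the ACME client is then skipped silently with a broken certificate left in place. Since the rewrite already captures the issuer into a variable, this is the natural place to fail closed: `ISSUER=$(openssl x509 -in "${ACME_BASE}/cert.pem" -noout -issuer) || { echo "Cannot parse ${ACME_BASE}/cert.pem, refusing to continue" >&2; exit 1; }`. The same skip path existed before the change, so this is not a regression, but the new single-assignment form makes the check a one-line addition. The `ISSUER="mailcow"` default in the else branch is not read anywhere in this hunk; if it is consumed further down the file, a short comment naming that consumer would help the next reader.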
@@ -41,7 +37,10 @@ else fi while true; do - + if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + echo "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..." + exit 0 + fi declare -a SQL_DOMAIN_ARR declare -a VALIDATED_CONFIG_DOMAINS declare -a ADDITIONAL_VALIDATED_SAN @@ -98,12 +97,11 @@ while true; do ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${MAILCOW_HOSTNAME} | tr ' ' '\n' | sort | uniq -u )) if [[ ! -z ${ORPHANED_SAN[*]} ]]; then DATE=$(date +%Y-%m-%d_%H_%M_%S) - echo "Found orphaned SAN in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}/" - mkdir -p ${ACME_BASE}/acme/private/${DATE}/ - mv ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}/ - mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}/ - mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}/ - mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}/ + echo "Found orphaned SAN in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/" + mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/ + [[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/ + mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/ + cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records fi acme-client \ 
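Review bot: The SKIP_LETS_ENCRYPT test now sits inside `while true; do`, where it is re-evaluated on every iteration although the environment variable cannot change between them; placing the same four lines once between the certificate bootstrap block and `while true; do` keeps the new ordering (bootstrap first, then skip) without the loop re-checking it. The echoed text `SKIP_LETS_ENCRYPT=y` is hard-coded while the regex also accepts `yes`, `Y` and `YES`; `echo "SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT}, skipping Let's Encrypt..."` reports what was actually set. The loop body continues past the end of the hunk.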
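Review bot: The new `${DATE}.bak/` directory receives a copy of the private key via `cp ${ACME_BASE}/acme/private/privkey.pem ...`, but it is created by a plain `mkdir -p`, so its mode follows the container's umask and the copied key does not necessarily keep the source file's mode; `mkdir -p -m 0700 "${ACME_BASE}/acme/private/${DATE}.bak/"` and `cp -p` for the key keep the backup no more readable than the live key. Nothing in the hunk prunes these dated directories, so each orphan-SAN reissue leaves another key copy behind — a retention rule, or at least a comment such as `# NOTE: private/*.bak/ directories accumulate and each holds a key copy`, would make that explicit. `set -e` is not visible in this file, so the unguarded `mv ${ACME_BASE}/acme/fullchain.pem ...` only prints an error when the file is absent and the script continues into `acme-client`. The same points apply to the second patch's hunk at `@@ -97,10 +97,11 @@`, which extends this block.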
@@ -123,10 +121,14 @@ while true; do restart_containers ${CONTAINERS_RESTART} ;; 1) # failure + [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && cp -n ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem + [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]] && cp -n ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem exit 1;; 2) # no change ;; *) # unspecified + [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && cp -n ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem + [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]] && cp -n ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem exit 1;; esac From 59623a639e62aeaebfbd7835096d1becffae1d4b Mon Sep 17 00:00:00 2001 From: andryyy Date: Fri, 23 Jun 2017 08:40:05 +0200 Subject: [PATCH 2/2] Keep key when issuing new certificate to not break TLSA records with options 3 1 1 --- data/Dockerfiles/acme/docker-entrypoint.sh | 3 ++- docker-compose.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh index 81c6380c..08d32b7b 100755 --- a/data/Dockerfiles/acme/docker-entrypoint.sh +++ b/data/Dockerfiles/acme/docker-entrypoint.sh 
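Review bot: Both restore branches (`1) # failure` and `*) # unspecified`) read `${DATE}`, which is assigned only inside the orphan-SAN `if` earlier in the loop and, unless it is reset somewhere outside this hunk, persists across iterations of `while true`; on an iteration without orphaned SANs the paths therefore resolve to `private/.bak/` or to a previous iteration's backup, and the `-f` guards only make that silent rather than correct. Recording the backup location in a variable that is cleared at the top of each iteration and set only when the orphan branch runs, then restoring only when it is non-empty, pins the restore to the backup taken in the same run. The two restore pairs are identical, so a small `restore_backup()` next to `restart_containers` removes the duplication and is the natural home for that check. Because the restore uses `cp -n`, it is a no-op whenever `${ACME_BASE}/cert.pem` or `key.pem` still exists — presumably intended, but worth a comment like `# restore the saved cert/key only if acme-client left none behind`. The `case` and the enclosing `while` loop both start outside the hunk.
```shell
# Restore the cert/key saved by the orphan-SAN branch, only when that branch ran in this iteration.
# BACKUP_DIR is cleared at the top of each loop pass and set by the orphan-SAN branch.
restore_backup() {
  [[ -n "${BACKUP_DIR}" ]] || return 0
  [[ -f "${BACKUP_DIR}/fullchain.pem" ]] && cp -n "${BACKUP_DIR}/fullchain.pem" "${ACME_BASE}/cert.pem"
  [[ -f "${BACKUP_DIR}/privkey.pem" ]] && cp -n "${BACKUP_DIR}/privkey.pem" "${ACME_BASE}/key.pem"
}
# … unchanged: acme-client invocation and the 0)/2) case arms …
    1) # failure
      restore_backup
      exit 1;;
# … unchanged: 2) arm …
    *) # unspecified
      restore_backup
      exit 1;;
```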
@@ -97,10 +97,11 @@ while true; do ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${MAILCOW_HOSTNAME} | tr ' ' '\n' | sort | uniq -u )) if [[ ! -z ${ORPHANED_SAN[*]} ]]; then DATE=$(date +%Y-%m-%d_%H_%M_%S) - echo "Found orphaned SAN in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/" + echo "Found orphaned SAN(s) ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/" mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/ [[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/ mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/ + mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/ cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records fi diff --git a/docker-compose.yml b/docker-compose.yml index ade39b40..236a40a4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -284,7 +284,7 @@ services: acme-mailcow: depends_on: - nginx-mailcow - image: mailcow/acme:1.2 + image: mailcow/acme:1.3 build: ./data/Dockerfiles/acme dns: - 172.22.1.254
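Review bot: The added `mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/` joins the existing `mv ${ACME_BASE}/acme/fullchain.pem ...` as an unguarded move, while the `account.key` line directly above is guarded with `[[ -f ... ]] &&`; with no `set -e` visible in the file, a missing cert.pem or fullchain.pem only prints an error from mv and the script continues into `acme-client`, and the failure-path restore later finds nothing in the backup directory. Guarding all three the same way, `[[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/`, keeps the block consistent and quiet when the files were never issued. The `# Keep key for TLSA 3 1 1 records` comment on the `cp` line would be easier to follow if it also stated that the live key stays in `private/` so acme-client reuses it, since that is the behaviour the TLSA record depends on. The surrounding `if` and the loop start outside the hunk.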