2017-06-12 10:45:12 +02:00
#!/bin/bash
2017-09-21 09:46:09 +02:00
set -o pipefail
exec 5>& 1
2017-06-12 10:45:12 +02:00
2020-02-05 10:53:23 +01:00
# Do not attempt to write to slave
if [ [ ! -z ${ REDIS_SLAVEOF_IP } ] ] ; then
export REDIS_CMDLINE = " redis-cli -h ${ REDIS_SLAVEOF_IP } -p ${ REDIS_SLAVEOF_PORT } "
else
export REDIS_CMDLINE = "redis-cli -h redis -p 6379"
fi
2020-03-08 20:23:32 +01:00
until [ [ $( ${ REDIS_CMDLINE } PING) = = "PONG" ] ] ; do
echo "Waiting for Redis..."
sleep 2
done
2019-10-19 12:48:56 +02:00
source /srv/functions.sh
2018-06-26 23:10:24 +02:00
# Thanks to https://github.com/cvmiller -> https://github.com/cvmiller/expand6
source /srv/expand6.sh
2019-03-29 07:46:52 +01:00
# Skipping IP check when we like to live dangerously
if [ [ " ${ SKIP_IP_CHECK } " = ~ ^( [ yY] [ eE] [ sS] | [ yY] ) +$ ] ] ; then
SKIP_IP_CHECK = y
fi
# Skipping HTTP check when we like to live dangerously
if [ [ " ${ SKIP_HTTP_VERIFICATION } " = ~ ^( [ yY] [ eE] [ sS] | [ yY] ) +$ ] ] ; then
SKIP_HTTP_VERIFICATION = y
fi
2019-10-19 12:48:56 +02:00
# Request certificate for MAILCOW_HOSTNAME only
2019-04-26 21:15:46 +02:00
if [ [ " ${ ONLY_MAILCOW_HOSTNAME } " = ~ ^( [ yY] [ eE] [ sS] | [ yY] ) +$ ] ] ; then
ONLY_MAILCOW_HOSTNAME = y
fi
2024-06-10 12:33:02 +02:00
if [ [ " ${ AUTODISCOVER_SAN } " = ~ ^( [ yY] [ eE] [ sS] | [ yY] ) +$ ] ] ; then
AUTODISCOVER_SAN = y
fi
2019-10-19 12:48:56 +02:00
# Request individual certificate for every domain
if [ [ " ${ ENABLE_SSL_SNI } " = ~ ^( [ yY] [ eE] [ sS] | [ yY] ) +$ ] ] ; then
ENABLE_SSL_SNI = y
fi
2017-12-09 13:15:24 +01:00
2017-11-14 10:44:00 +01:00
if [ [ " ${ SKIP_LETS_ENCRYPT } " = ~ ^( [ yY] [ eE] [ sS] | [ yY] ) +$ ] ] ; then
log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
sleep 365d
exec $( readlink -f " $0 " )
fi
2020-09-28 19:58:30 +02:00
log_f "Waiting for Docker API..."
2017-11-16 14:57:17 +01:00
until ping dockerapi -c1 > /dev/null; do
sleep 1
done
2020-09-28 19:58:30 +02:00
log_f "Docker API OK"
2017-11-16 14:57:17 +01:00
2020-09-28 19:58:30 +02:00
log_f "Waiting for Postfix..."
2020-09-26 23:33:28 +02:00
until ping postfix -c1 > /dev/null; do
sleep 1
done
2020-09-28 19:58:30 +02:00
log_f "Postfix OK"
2020-09-26 23:33:28 +02:00
2020-09-28 19:58:30 +02:00
log_f "Waiting for Dovecot..."
2020-09-26 23:33:28 +02:00
until ping dovecot -c1 > /dev/null; do
sleep 1
done
2020-09-28 19:58:30 +02:00
log_f "Dovecot OK"
2020-09-26 23:33:28 +02:00
2017-06-12 10:45:12 +02:00
ACME_BASE = /var/lib/acme
2017-06-20 20:06:54 +02:00
SSL_EXAMPLE = /var/lib/ssl-example
2017-06-29 10:25:32 +02:00
2019-02-04 22:36:17 +01:00
mkdir -p ${ ACME_BASE } /acme
# Migrate
[ [ -f ${ ACME_BASE } /acme/private/privkey.pem ] ] && mv ${ ACME_BASE } /acme/private/privkey.pem ${ ACME_BASE } /acme/key.pem
[ [ -f ${ ACME_BASE } /acme/private/account.key ] ] && mv ${ ACME_BASE } /acme/private/account.key ${ ACME_BASE } /acme/account.pem
2019-10-19 12:48:56 +02:00
if [ [ -f ${ ACME_BASE } /acme/key.pem && -f ${ ACME_BASE } /acme/cert.pem ] ] ; then
if verify_hash_match ${ ACME_BASE } /acme/cert.pem ${ ACME_BASE } /acme/key.pem; then
2020-09-28 19:58:30 +02:00
log_f "Migrating to SNI folder structure..."
2019-10-19 12:48:56 +02:00
CERT_DOMAIN = ( $( openssl x509 -noout -text -in ${ ACME_BASE } /acme/cert.pem | grep "Subject:" | sed -e 's/\(Subject:\)\|\(CN = \)\|\(CN=\)//g' | sed -e 's/^[[:space:]]*//' ) )
CERT_DOMAINS = ( ${ CERT_DOMAIN } $( openssl x509 -noout -text -in ${ ACME_BASE } /acme/cert.pem | grep "DNS:" | sed -e 's/\(DNS:\)\|,//g' | sed " s/ ${ CERT_DOMAIN } // " | sed -e 's/^[[:space:]]*//' ) )
mkdir -p ${ ACME_BASE } /${ CERT_DOMAIN }
mv ${ ACME_BASE } /acme/cert.pem ${ ACME_BASE } /${ CERT_DOMAIN } /cert.pem
# key is only copied, not moved, because it is used by all other requests too
cp ${ ACME_BASE } /acme/key.pem ${ ACME_BASE } /${ CERT_DOMAIN } /key.pem
chmod 600 ${ ACME_BASE } /${ CERT_DOMAIN } /key.pem
echo -n ${ CERT_DOMAINS [*] } > ${ ACME_BASE } /${ CERT_DOMAIN } /domains
mv ${ ACME_BASE } /acme/acme.csr ${ ACME_BASE } /${ CERT_DOMAIN } /acme.csr
log_f "OK" no_date
2017-10-21 10:08:14 +02:00
fi
2019-10-19 12:48:56 +02:00
fi
2019-02-04 22:36:17 +01:00
2017-06-29 00:56:51 +02:00
[ [ ! -f ${ ACME_BASE } /dhparams.pem ] ] && cp ${ SSL_EXAMPLE } /dhparams.pem ${ ACME_BASE } /dhparams.pem
2019-04-27 10:23:00 +02:00
if [ [ -f ${ ACME_BASE } /cert.pem ] ] && [ [ -f ${ ACME_BASE } /key.pem ] ] && [ [ $( stat -c%s ${ ACME_BASE } /cert.pem) != 0 ] ] ; then
2017-10-21 10:08:14 +02:00
ISSUER = $( openssl x509 -in ${ ACME_BASE } /cert.pem -noout -issuer)
2018-10-24 20:14:59 +02:00
if [ [ ${ ISSUER } != *"Let's Encrypt" * && ${ ISSUER } != *"mailcow" * && ${ ISSUER } != *"Fake LE Intermediate" * ] ] ; then
2017-10-21 10:08:14 +02:00
log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..."
sleep 3650d
exec $( readlink -f " $0 " )
fi
2017-06-20 20:06:54 +02:00
else
2019-10-19 12:48:56 +02:00
if [ [ -f ${ ACME_BASE } /${ MAILCOW_HOSTNAME } /cert.pem ] ] && [ [ -f ${ ACME_BASE } /${ MAILCOW_HOSTNAME } /key.pem ] ] && verify_hash_match ${ ACME_BASE } /${ MAILCOW_HOSTNAME } /cert.pem ${ ACME_BASE } /${ MAILCOW_HOSTNAME } /key.pem; then
log_f "Restoring previous acme certificate and restarting script..."
cp ${ ACME_BASE } /${ MAILCOW_HOSTNAME } /cert.pem ${ ACME_BASE } /cert.pem
cp ${ ACME_BASE } /${ MAILCOW_HOSTNAME } /key.pem ${ ACME_BASE } /key.pem
# Restarting with env var set to trigger a restart,
exec env TRIGGER_RESTART = 1 $( readlink -f " $0 " )
2017-10-21 10:08:14 +02:00
else
log_f "Restoring mailcow snake-oil certificates and restarting script..."
cp ${ SSL_EXAMPLE } /cert.pem ${ ACME_BASE } /cert.pem
cp ${ SSL_EXAMPLE } /key.pem ${ ACME_BASE } /key.pem
exec env TRIGGER_RESTART = 1 $( readlink -f " $0 " )
fi
2017-06-17 10:08:12 +02:00
fi
2019-10-19 12:48:56 +02:00
2019-03-12 23:24:03 +01:00
chmod 600 ${ ACME_BASE } /key.pem
2017-06-17 10:08:12 +02:00
2020-09-28 19:58:30 +02:00
log_f "Waiting for database..."
while ! mysqladmin status --socket= /var/run/mysqld/mysqld.sock -u${ DBUSER } -p${ DBPASS } --silent > /dev/null; do
2017-10-21 10:08:14 +02:00
sleep 2
2017-09-27 19:48:25 +02:00
done
2020-09-28 19:58:30 +02:00
log_f "Database OK"
2019-02-10 17:36:25 +01:00
2020-09-28 19:58:30 +02:00
log_f "Waiting for Nginx..."
2019-02-10 17:36:25 +01:00
until $( curl --output /dev/null --silent --head --fail http://nginx:8081) ; do
sleep 2
done
2020-09-28 19:58:30 +02:00
log_f "Nginx OK"
log_f "Waiting for resolver..."
until dig letsencrypt.org +time= 3 +tries= 1 @unbound > /dev/null; do
sleep 2
done
log_f "Resolver OK"
2018-06-26 23:35:17 +02:00
2019-02-04 22:36:17 +01:00
# Waiting for domain table
2020-09-28 19:58:30 +02:00
log_f "Waiting for domain table..."
2019-02-04 22:36:17 +01:00
while [ [ -z ${ DOMAIN_TABLE } ] ] ; do
curl --silent http://nginx/ >/dev/null 2>& 1
DOMAIN_TABLE = $( mysql --socket= /var/run/mysqld/mysqld.sock -u ${ DBUSER } -p${ DBPASS } ${ DBNAME } -e "SHOW TABLES LIKE 'domain'" -Bs)
[ [ -z ${ DOMAIN_TABLE } ] ] && sleep 10
done
log_f "OK" no_date
2020-09-28 19:58:30 +02:00
log_f "Initializing, please wait..."
2017-09-27 19:48:25 +02:00
2017-06-12 10:45:12 +02:00
while true; do
2020-09-26 23:33:28 +02:00
POSTFIX_CERT_SERIAL = " $( echo | openssl s_client -connect postfix:25 -starttls smtp 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2) "
DOVECOT_CERT_SERIAL = " $( echo | openssl s_client -connect dovecot:143 -starttls imap 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2) "
POSTFIX_CERT_SERIAL_NEW = " $( echo | openssl s_client -connect postfix:25 -starttls smtp 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2) "
DOVECOT_CERT_SERIAL_NEW = " $( echo | openssl s_client -connect dovecot:143 -starttls imap 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2) "
2019-02-04 22:36:17 +01:00
# Re-using previous acme-mailcow account and domain keys
if [ [ ! -f ${ ACME_BASE } /acme/key.pem ] ] ; then
2019-10-19 12:48:56 +02:00
log_f "Generating missing domain private rsa key..."
2019-02-04 22:36:17 +01:00
openssl genrsa 4096 > ${ ACME_BASE } /acme/key.pem
else
2019-10-19 12:48:56 +02:00
log_f " Using existing domain rsa key ${ ACME_BASE } /acme/key.pem "
2019-02-04 22:36:17 +01:00
fi
if [ [ ! -f ${ ACME_BASE } /acme/account.pem ] ] ; then
log_f "Generating missing Lets Encrypt account key..."
2021-04-29 23:32:42 +02:00
if [ [ ! -z ${ ACME_CONTACT } ] ] ; then
if ! verify_email " ${ ACME_CONTACT } " ; then
log_f "Invalid email address, will not start registration!"
sleep 365d
exec $( readlink -f " $0 " )
else
ACME_CONTACT_PARAMETER = " --contact mailto: ${ ACME_CONTACT } "
log_f " Valid email address, using ${ ACME_CONTACT } for registration "
fi
else
ACME_CONTACT_PARAMETER = ""
fi
2019-02-04 22:36:17 +01:00
openssl genrsa 4096 > ${ ACME_BASE } /acme/account.pem
else
log_f " Using existing Lets Encrypt account key ${ ACME_BASE } /acme/account.pem "
fi
2019-03-12 23:24:03 +01:00
chmod 600 ${ ACME_BASE } /acme/key.pem
chmod 600 ${ ACME_BASE } /acme/account.pem
2019-10-19 12:48:56 +02:00
unset EXISTING_CERTS
declare -a EXISTING_CERTS
for cert_dir in ${ ACME_BASE } /*/ ; do
if [ [ ! -f ${ cert_dir } domains ] ] || [ [ ! -f ${ cert_dir } cert.pem ] ] || [ [ ! -f ${ cert_dir } key.pem ] ] ; then
continue
fi
EXISTING_CERTS += ( " $( basename ${ cert_dir } ) " )
done
2019-02-04 22:36:17 +01:00
# Cleaning up and init validation arrays
2017-10-21 10:08:14 +02:00
unset SQL_DOMAIN_ARR
unset VALIDATED_CONFIG_DOMAINS
unset ADDITIONAL_VALIDATED_SAN
2019-02-04 22:36:17 +01:00
unset ADDITIONAL_WC_ARR
unset ADDITIONAL_SAN_ARR
2019-10-19 12:48:56 +02:00
unset CERT_ERRORS
unset CERT_CHANGED
unset CERT_AMOUNT_CHANGED
unset VALIDATED_CERTIFICATES
CERT_ERRORS = 0
CERT_CHANGED = 0
CERT_AMOUNT_CHANGED = 0
2017-10-21 10:08:14 +02:00
declare -a SQL_DOMAIN_ARR
declare -a VALIDATED_CONFIG_DOMAINS
declare -a ADDITIONAL_VALIDATED_SAN
2019-02-04 22:36:17 +01:00
declare -a ADDITIONAL_WC_ARR
declare -a ADDITIONAL_SAN_ARR
2019-10-19 12:48:56 +02:00
declare -a VALIDATED_CERTIFICATES
2018-04-04 14:06:41 +02:00
IFS = ',' read -r -a TMP_ARR <<< " ${ ADDITIONAL_SAN } "
for i in " ${ TMP_ARR [@] } " ; do
if [ [ " $i " = ~ \. \* $ ] ] ; then
ADDITIONAL_WC_ARR += ( ${ i : :- 2 } )
else
ADDITIONAL_SAN_ARR += ( $i )
fi
done
2024-06-10 12:33:02 +02:00
if [ [ ${ AUTODISCOVER_SAN } = = "y" ] ] ; then
# Fetch certs for autoconfig and autodiscover subdomains
2019-06-25 18:52:05 +02:00
ADDITIONAL_WC_ARR += ( 'autodiscover' 'autoconfig' )
2024-06-10 12:33:02 +02:00
fi
2018-04-04 14:06:41 +02:00
2023-01-16 10:10:20 +01:00
if [ [ ${ SKIP_IP_CHECK } != "y" ] ] ; then
2019-02-04 22:36:17 +01:00
# Start IP detection
2020-09-28 19:58:30 +02:00
log_f "Detecting IP addresses..."
2017-12-31 17:17:46 +01:00
IPV4 = $( get_ipv4)
2018-06-26 23:10:24 +02:00
IPV6 = $( get_ipv6)
2020-09-28 19:58:30 +02:00
log_f " OK: ${ IPV4 } , ${ IPV6 :- "0000:0000:0000:0000:0000:0000:0000:0000" } "
2023-01-16 10:10:20 +01:00
fi
2018-06-26 23:10:24 +02:00
2019-02-04 22:36:17 +01:00
#########################################
# IP and webroot challenge verification #
2021-03-03 07:59:11 +01:00
SQL_DOMAINS = $( mysql --socket= /var/run/mysqld/mysqld.sock -u ${ DBUSER } -p${ DBPASS } ${ DBNAME } -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
2019-10-19 12:48:56 +02:00
if [ [ ! $? -eq 0 ] ] ; then
log_f "Failed to read SQL domains, retrying in 1 minute..."
sleep 1m
exec $( readlink -f " $0 " )
fi
2017-10-21 10:08:14 +02:00
while read domains; do
2019-10-19 18:23:59 +02:00
if [ [ -z " ${ domains } " ] ] ; then
# ignore empty lines
continue
fi
2017-10-21 10:08:14 +02:00
SQL_DOMAIN_ARR += ( " ${ domains } " )
2019-10-19 12:48:56 +02:00
done <<< " ${ SQL_DOMAINS } "
2017-10-21 10:08:14 +02:00
2019-04-26 21:15:46 +02:00
if [ [ ${ ONLY_MAILCOW_HOSTNAME } != "y" ] ] ; then
2018-10-19 10:03:05 +02:00
for SQL_DOMAIN in " ${ SQL_DOMAIN_ARR [@] } " ; do
2019-10-19 12:48:56 +02:00
unset VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
declare -a VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
2018-04-04 14:06:41 +02:00
for SUBDOMAIN in " ${ ADDITIONAL_WC_ARR [@] } " ; do
2019-10-19 12:48:56 +02:00
if [ [ " ${ SUBDOMAIN } . ${ SQL_DOMAIN } " != " ${ MAILCOW_HOSTNAME } " ] ] ; then
if check_domain " ${ SUBDOMAIN } . ${ SQL_DOMAIN } " ; then
VALIDATED_CONFIG_DOMAINS_SUBDOMAINS += ( " ${ SUBDOMAIN } . ${ SQL_DOMAIN } " )
2018-04-04 14:06:41 +02:00
fi
2017-10-21 10:08:14 +02:00
fi
2018-04-04 14:06:41 +02:00
done
2019-10-19 12:48:56 +02:00
VALIDATED_CONFIG_DOMAINS += ( " ${ VALIDATED_CONFIG_DOMAINS_SUBDOMAINS [*] } " )
2017-10-21 10:08:14 +02:00
done
2019-04-26 21:15:46 +02:00
fi
2017-06-12 10:45:12 +02:00
2019-10-19 12:48:56 +02:00
if check_domain ${ MAILCOW_HOSTNAME } ; then
VALIDATED_MAILCOW_HOSTNAME = " ${ MAILCOW_HOSTNAME } "
2017-10-21 10:08:14 +02:00
fi
2017-06-28 23:22:51 +02:00
2019-04-26 21:15:46 +02:00
if [ [ ${ ONLY_MAILCOW_HOSTNAME } != "y" ] ] ; then
2017-10-21 10:08:14 +02:00
for SAN in " ${ ADDITIONAL_SAN_ARR [@] } " ; do
2018-08-05 22:35:02 +02:00
# Skip on CAA errors for SAN
SAN_PARENT_DOMAIN = $( echo ${ SAN } | cut -d. -f2-)
SAN_CAAS = ( $( dig CAA ${ SAN_PARENT_DOMAIN } +short | sed -n 's/\d issue "\(.*\)"/\1/p' ) )
if [ [ ! -z ${ SAN_CAAS } ] ] ; then
if [ [ ${ SAN_CAAS [@] } = ~ "letsencrypt.org" ] ] ; then
2019-10-19 12:48:56 +02:00
log_f " Validated CAA for parent domain ${ SAN_PARENT_DOMAIN } of ${ SAN } "
2018-08-05 22:35:02 +02:00
else
2019-10-19 12:48:56 +02:00
log_f " Skipping ACME validation for ${ SAN } : Lets Encrypt disallowed for ${ SAN } by CAA record "
2018-08-05 22:35:02 +02:00
continue
fi
fi
2017-10-21 10:08:14 +02:00
if [ [ ${ SAN } = = ${ MAILCOW_HOSTNAME } ] ] ; then
continue
fi
2019-10-19 12:48:56 +02:00
if check_domain ${ SAN } ; then
ADDITIONAL_VALIDATED_SAN += ( " ${ SAN } " )
2018-06-28 20:41:44 +02:00
fi
2019-10-19 12:48:56 +02:00
done
fi
# Unique domains for server certificate
if [ [ ${ ENABLE_SSL_SNI } = = "y" ] ] ; then
# create certificate for server name and fqdn SANs only
SERVER_SAN_VALIDATED = ( ${ VALIDATED_MAILCOW_HOSTNAME } $( echo ${ ADDITIONAL_VALIDATED_SAN [*] } | xargs -n1 | sort -u | xargs) )
else
# create certificate for all domains, including all subdomains from other domains [*]
SERVER_SAN_VALIDATED = ( ${ VALIDATED_MAILCOW_HOSTNAME } $( echo ${ VALIDATED_CONFIG_DOMAINS [*] } ${ ADDITIONAL_VALIDATED_SAN [*] } | xargs -n1 | sort -u | xargs) )
fi
if [ [ ! -z ${ SERVER_SAN_VALIDATED [*] } ] ] ; then
CERT_NAME = ${ SERVER_SAN_VALIDATED [0] }
VALIDATED_CERTIFICATES += ( " ${ CERT_NAME } " )
# obtain server certificate if required
2021-04-29 23:32:42 +02:00
ACME_CONTACT_PARAMETER = ${ ACME_CONTACT_PARAMETER } DOMAINS = ${ SERVER_SAN_VALIDATED [@] } /srv/obtain-certificate.sh rsa
2019-10-19 12:48:56 +02:00
RETURN = " $? "
if [ [ " $RETURN " = = "0" ] ] ; then # 0 = cert created successfully
CERT_AMOUNT_CHANGED = 1
CERT_CHANGED = 1
elif [ [ " $RETURN " = = "1" ] ] ; then # 1 = cert renewed successfully
CERT_CHANGED = 1
elif [ [ " $RETURN " = = "2" ] ] ; then # 2 = cert not due for renewal
:
else
CERT_ERRORS = 1
fi
# copy hostname certificate to default/server certificate
2020-09-28 19:58:30 +02:00
# do not a key when cert is missing, this can lead to a mismatch of cert/key
if [ [ -f ${ ACME_BASE } /${ CERT_NAME } /cert.pem ] ] ; then
cp ${ ACME_BASE } /${ CERT_NAME } /cert.pem ${ ACME_BASE } /cert.pem
cp ${ ACME_BASE } /${ CERT_NAME } /key.pem ${ ACME_BASE } /key.pem
fi
2019-10-19 12:48:56 +02:00
fi
# individual certificates for SNI [@]
if [ [ ${ ENABLE_SSL_SNI } = = "y" ] ] ; then
for VALIDATED_DOMAINS in " ${ VALIDATED_CONFIG_DOMAINS [@] } " ; do
VALIDATED_DOMAINS_ARR = ( ${ VALIDATED_DOMAINS } )
unset VALIDATED_DOMAINS_SORTED
declare -a VALIDATED_DOMAINS_SORTED
VALIDATED_DOMAINS_SORTED = ( ${ VALIDATED_DOMAINS_ARR [0] } $( echo ${ VALIDATED_DOMAINS_ARR [@] : 1 } | xargs -n1 | sort -u | xargs) )
2019-10-20 14:44:39 +02:00
# remove all domain names that are already inside the server certificate (SERVER_SAN_VALIDATED)
for domain in " ${ SERVER_SAN_VALIDATED [@] } " ; do
for i in " ${ !VALIDATED_DOMAINS_SORTED[@] } " ; do
if [ [ ${ VALIDATED_DOMAINS_SORTED [i] } = $domain ] ] ; then
unset 'VALIDATED_DOMAINS_SORTED[i]'
fi
done
done
2019-10-19 12:48:56 +02:00
if [ [ ! -z ${ VALIDATED_DOMAINS_SORTED [*] } ] ] ; then
CERT_NAME = ${ VALIDATED_DOMAINS_SORTED [0] }
VALIDATED_CERTIFICATES += ( " ${ CERT_NAME } " )
# obtain certificate if required
DOMAINS = ${ VALIDATED_DOMAINS_SORTED [@] } /srv/obtain-certificate.sh rsa
RETURN = " $? "
if [ [ " $RETURN " = = "0" ] ] ; then # 0 = cert created successfully
CERT_AMOUNT_CHANGED = 1
CERT_CHANGED = 1
elif [ [ " $RETURN " = = "1" ] ] ; then # 1 = cert renewed successfully
CERT_CHANGED = 1
elif [ [ " $RETURN " = = "2" ] ] ; then # 2 = cert not due for renewal
:
2017-10-21 10:08:14 +02:00
else
2019-10-19 12:48:56 +02:00
CERT_ERRORS = 1
2017-10-21 10:08:14 +02:00
fi
fi
done
2019-04-26 21:15:46 +02:00
fi
2017-06-14 07:24:32 +02:00
2019-10-19 12:48:56 +02:00
if [ [ -z ${ VALIDATED_CERTIFICATES [*] } ] ] ; then
log_f "Cannot validate any hostnames, skipping Let's Encrypt for 1 hour."
2017-10-21 10:08:14 +02:00
log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
2020-02-05 10:53:23 +01:00
${ REDIS_CMDLINE } SET ACME_FAIL_TIME " $( date +%s) "
2017-10-21 10:08:14 +02:00
sleep 1h
exec $( readlink -f " $0 " )
fi
2017-06-28 23:22:51 +02:00
2019-10-19 12:48:56 +02:00
# find orphaned certificates if no errors occurred
if [ [ " ${ CERT_ERRORS } " = = "0" ] ] ; then
for EXISTING_CERT in " ${ EXISTING_CERTS [@] } " ; do
if [ [ ! "`printf '_%s_\n' " ${ VALIDATED_CERTIFICATES [@] } "`" = = *" _ ${ EXISTING_CERT } _ " * ] ] ; then
DATE = $( date +%Y-%m-%d_%H_%M_%S)
log_f " Found orphaned certificate: ${ EXISTING_CERT } - archiving it at ${ ACME_BASE } /backups/ ${ EXISTING_CERT } / "
BACKUP_DIR = ${ ACME_BASE } /backups/${ EXISTING_CERT } /${ DATE }
# archive rsa cert and any other files
2020-01-17 22:36:04 +01:00
mkdir -p ${ ACME_BASE } /backups/${ EXISTING_CERT }
2019-10-19 12:48:56 +02:00
mv ${ ACME_BASE } /${ EXISTING_CERT } ${ BACKUP_DIR }
CERT_CHANGED = 1
CERT_AMOUNT_CHANGED = 1
fi
done
2019-02-04 22:36:17 +01:00
fi
2019-10-19 12:48:56 +02:00
# reload on new or changed certificates
if [ [ " ${ CERT_CHANGED } " = = "1" ] ] ; then
2020-03-03 14:59:24 +01:00
rm -f " ${ ACME_BASE } /force_renew " 2> /dev/null
2020-09-26 23:33:28 +02:00
RELOAD_LOOP_C = 1
while [ [ " ${ POSTFIX_CERT_SERIAL } " = = " ${ POSTFIX_CERT_SERIAL_NEW } " ] ] || [ [ " ${ DOVECOT_CERT_SERIAL } " = = " ${ DOVECOT_CERT_SERIAL_NEW } " ] ] || [ [ ${# POSTFIX_CERT_SERIAL_NEW } -ne 36 ] ] || [ [ ${# DOVECOT_CERT_SERIAL_NEW } -ne 36 ] ] ; do
log_f " Reloading or restarting services... ( ${ RELOAD_LOOP_C } ) "
RELOAD_LOOP_C = $(( RELOAD_LOOP_C + 1 ))
CERT_AMOUNT_CHANGED = ${ CERT_AMOUNT_CHANGED } /srv/reload-configurations.sh
log_f "Waiting for containers to settle..."
sleep 10
until nc -z dovecot 143; do
sleep 1
done
until nc -z postfix 25; do
sleep 1
done
POSTFIX_CERT_SERIAL_NEW = " $( echo | openssl s_client -connect postfix:25 -starttls smtp 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2) "
DOVECOT_CERT_SERIAL_NEW = " $( echo | openssl s_client -connect dovecot:143 -starttls imap 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2) "
if [ [ ${ RELOAD_LOOP_C } -gt 3 ] ] ; then
log_f "Some services do return old end dates, something went wrong!"
${ REDIS_CMDLINE } SET ACME_FAIL_TIME " $( date +%s) "
break;
fi
done
2018-10-24 20:14:59 +02:00
fi
2019-10-19 12:48:56 +02:00
case " $CERT_ERRORS " in
0) # all successful
if [ [ " ${ CERT_CHANGED } " = = "1" ] ] ; then
if [ [ " ${ CERT_AMOUNT_CHANGED } " = = "1" ] ] ; then
log_f "Certificates successfully requested and renewed where required, sleeping one day"
else
log_f "Certificates were successfully renewed where required, sleeping for another day."
fi
2019-02-04 22:36:17 +01:00
else
2019-10-19 12:48:56 +02:00
log_f "Certificates were successfully validated, no changes or renewals required, sleeping for another day."
2017-10-21 10:08:14 +02:00
fi
2019-10-19 12:48:56 +02:00
sleep 1d
2017-10-21 10:08:14 +02:00
; ;
2019-10-19 12:48:56 +02:00
*) # non-zero
log_f "Some errors occurred, retrying in 30 minutes..."
2020-02-05 10:53:23 +01:00
${ REDIS_CMDLINE } SET ACME_FAIL_TIME " $( date +%s) "
2017-10-21 10:08:14 +02:00
sleep 30m
exec $( readlink -f " $0 " )
; ;
esac
2017-06-12 10:45:12 +02:00
done