Add switch to skip fetching certificates auto{config,discover} subdomains (#5838)

* Add ACME_DONT_FETCH_CERTS_FOR_HTTP_SUBDOMAINS to acme.sh

* Add ACME_DONT_FETCH_CERTS_FOR_HTTP_SUBDOMAINS to docker-compose.yml

* Add ACME_DONT_FETCH_CERTS_FOR_HTTP_SUBDOMAINS to generate_config.sh

* Add ACME_DONT_FETCH_CERTS_FOR_HTTP_SUBDOMAINS to update.sh

* AUTODISCOVER_SAN instead of long string

default on,
default is fetching certs for auto{discover,conf}

* AUTODISCOVER_SAN instead of long string

also flipped

* AUTODISCOVER_SAN instead of long string

flipped default meaning

* fix explanation for AUTODISCOVER_SAN

* AUTODISCOVER_SAN instead of long string

and flipped meaning of the bool

* fix AUTODISCOVER_SAN explanation

* Merge branch 'mailcow:staging' into staging

* update.sh: corrected syntax for mailcow.conf insertion
This commit is contained in:
Lasagne 2024-06-10 12:33:02 +02:00 committed by GitHub
parent 18d7a55b15
commit 4a052da289
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 29 additions and 0 deletions

View File

@ -33,6 +33,10 @@ if [[ "${ONLY_MAILCOW_HOSTNAME}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
ONLY_MAILCOW_HOSTNAME=y ONLY_MAILCOW_HOSTNAME=y
fi fi
if [[ "${AUTODISCOVER_SAN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
AUTODISCOVER_SAN=y
fi
# Request individual certificate for every domain # Request individual certificate for every domain
if [[ "${ENABLE_SSL_SNI}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then if [[ "${ENABLE_SSL_SNI}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
ENABLE_SSL_SNI=y ENABLE_SSL_SNI=y
@ -211,7 +215,11 @@ while true; do
ADDITIONAL_SAN_ARR+=($i) ADDITIONAL_SAN_ARR+=($i)
fi fi
done done
if [[ ${AUTODISCOVER_SAN} == "y" ]]; then
# Fetch certs for autoconfig and autodiscover subdomains
ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig') ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig')
fi
if [[ ${SKIP_IP_CHECK} != "y" ]]; then if [[ ${SKIP_IP_CHECK} != "y" ]]; then
# Start IP detection # Start IP detection

View File

@ -411,6 +411,7 @@ services:
- LOG_LINES=${LOG_LINES:-9999} - LOG_LINES=${LOG_LINES:-9999}
- ACME_CONTACT=${ACME_CONTACT:-} - ACME_CONTACT=${ACME_CONTACT:-}
- ADDITIONAL_SAN=${ADDITIONAL_SAN} - ADDITIONAL_SAN=${ADDITIONAL_SAN}
- AUTODISCOVER_SAN=${AUTODISCOVER_SAN:-y}
- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
- DBNAME=${DBNAME} - DBNAME=${DBNAME}
- DBUSER=${DBUSER} - DBUSER=${DBUSER}

View File

@ -336,6 +336,13 @@ MAILDIR_GC_TIME=7200
ADDITIONAL_SAN= ADDITIONAL_SAN=
# Obtain certificates for autodiscover.* and autoconfig.* domains.
# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.
# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs
# between services. So acme-mailcow obtains for maildomains and all web-things get handled
# in the reverse proxy.
AUTODISCOVER_SAN=y
# Additional server names for mailcow UI # Additional server names for mailcow UI
# #
# Specify alternative addresses for the mailcow UI to respond to # Specify alternative addresses for the mailcow UI to respond to

View File

@ -450,6 +450,7 @@ CONFIG_ARRAY=(
"SKIP_CLAMD" "SKIP_CLAMD"
"SKIP_IP_CHECK" "SKIP_IP_CHECK"
"ADDITIONAL_SAN" "ADDITIONAL_SAN"
"AUTODISCOVER_SAN"
"DOVEADM_PORT" "DOVEADM_PORT"
"IPV4_NETWORK" "IPV4_NETWORK"
"IPV6_NETWORK" "IPV6_NETWORK"
@ -715,6 +716,18 @@ for option in ${CONFIG_ARRAY[@]}; do
echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf
echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf
fi fi
elif [[ ${option} == "AUTODISCOVER_SAN" ]]; then
if ! grep -q ${option} mailcow.conf; then
echo "Adding new option \"${option}\" to mailcow.conf"
echo '# Obtain certificates for autodiscover.* and autoconfig.* domains.' >> mailcow.conf
echo '# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.' >> mailcow.conf
echo '# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs' >> mailcow.conf
echo '# between services. So acme-mailcow obtains for maildomains and all web-things get handled' >> mailcow.conf
echo '# in the reverse proxy.' >> mailcow.conf
echo 'AUTODISCOVER_SAN=y' >> mailcow.conf
fi
elif [[ ${option} == "ACME_CONTACT" ]]; then elif [[ ${option} == "ACME_CONTACT" ]]; then
if ! grep -q ${option} mailcow.conf; then if ! grep -q ${option} mailcow.conf; then
echo "Adding new option \"${option}\" to mailcow.conf" echo "Adding new option \"${option}\" to mailcow.conf"