4 năm trước cách đây · 0cbd4ec273
--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -155,6 +155,18 @@ while true; do
 
				   fi
			
 
				   if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
			
 
				     log_f "Generating missing Lets Encrypt account key..."
			
 
				+    if [[ ! -z ${ACME_CONTACT} ]]; then
			
 
				+      if ! verify_email "${ACME_CONTACT}"; then
			
 
				+        log_f "Invalid email address, will not start registration!"
			
 
				+        sleep 365d
			
 
				+        exec $(readlink -f "$0")
			
 
				+      else
			
 
				+        ACME_CONTACT_PARAMETER="--contact mailto:${ACME_CONTACT}"
			
 
				+        log_f "Valid email address, using ${ACME_CONTACT} for registration"
			
 
				+      fi
			
 
				+    else
			
 
				+      ACME_CONTACT_PARAMETER=""
			
 
				+    fi
			
 
				     openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem
			
 
				   else
			
 
				     log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem"
			
@@ -207,19 +219,6 @@ while true; do
 
				   IPV6=$(get_ipv6)
			
 
				   log_f "OK: ${IPV4}, ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}"
			
 
				 
			
 
				-  # Hard-fail on CAA errors for MAILCOW_HOSTNAME
			
 
				-  MH_PARENT_DOMAIN=$(echo ${MAILCOW_HOSTNAME} | cut -d. -f2-)
			
 
				-  MH_CAAS=( $(dig CAA ${MH_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
			
 
				-  if [[ ! -z ${MH_CAAS} ]]; then
			
 
				-    if [[ ${MH_CAAS[@]} =~ "letsencrypt.org" ]]; then
			
 
				-      log_f "Validated CAA for parent domain ${MH_PARENT_DOMAIN}"
			
 
				-    else
			
 
				-      log_f "Skipping ACME validation: Lets Encrypt disallowed for ${MAILCOW_HOSTNAME} by CAA record, retrying in 1h..."
			
 
				-      sleep 1h
			
 
				-      exec $(readlink -f "$0")
			
 
				-    fi
			
 
				-  fi
			
 
				-
			
 
				   #########################################
			
 
				   # IP and webroot challenge verification #
			
 
				   SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
			
@@ -290,7 +289,7 @@ while true; do
 
				     VALIDATED_CERTIFICATES+=("${CERT_NAME}")
			
 
				 
			
 
				     # obtain server certificate if required
			
 
				-    DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
			
 
				+    ACME_CONTACT_PARAMETER=${ACME_CONTACT_PARAMETER} DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
			
 
				     RETURN="$?"
			
 
				     if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
			
 
				       CERT_AMOUNT_CHANGED=1
			
--- a/data/Dockerfiles/acme/functions.sh
+++ b/data/Dockerfiles/acme/functions.sh
@@ -16,6 +16,15 @@ log_f() {
 
				   fi
			
 
				 }
			
 
				 
			
 
				+verify_email(){
			
 
				+  regex="^(([A-Za-z0-9]+((\.|\-|\_|\+)?[A-Za-z0-9]?)*[A-Za-z0-9]+)|[A-Za-z0-9]+)@(([A-Za-z0-9]+)+((\.|\-|\_)?([A-Za-z0-9]+)+)*)+\.([A-Za-z]{2,})+$"
			
 
				+  if [[ $1 =~ ${regex} ]]; then
			
 
				+    return 0
			
 
				+  else
			
 
				+    return 1
			
 
				+  fi
			
 
				+}
			
 
				+
			
 
				 verify_hash_match(){
			
 
				   CERT_HASH=$(openssl x509 -in "${1}" -noout -pubkey | openssl md5)
			
 
				   KEY_HASH=$(openssl pkey -in "${2}" -pubout | openssl md5)
			
@@ -60,6 +69,17 @@ check_domain(){
 
				     DOMAIN=$1
			
 
				     A_DOMAIN=$(dig A ${DOMAIN} +short | tail -n 1)
			
 
				     AAAA_DOMAIN=$(dig AAAA ${DOMAIN} +short | tail -n 1)
			
 
				+    # Hard-fail on CAA errors for MAILCOW_HOSTNAME
			
 
				+    PARENT_DOMAIN=$(echo ${DOMAIN} | cut -d. -f2-)
			
 
				+    CAAS=( $(dig CAA ${PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
			
 
				+    if [[ ! -z ${CAAS} ]]; then
			
 
				+      if [[ ${CAAS[@]} =~ "letsencrypt.org" ]]; then
			
 
				+        log_f "Validated CAA for parent domain ${PARENT_DOMAIN}"
			
 
				+      else
			
 
				+        log_f "Lets Encrypt disallowed for ${PARENT_DOMAIN} by CAA record"
			
 
				+        return 1
			
 
				+      fi
			
 
				+    fi
			
 
				     # Check if CNAME without v6 enabled target
			
 
				     if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
			
 
				       AAAA_DOMAIN=
			
--- a/data/Dockerfiles/acme/obtain-certificate.sh
+++ b/data/Dockerfiles/acme/obtain-certificate.sh
@@ -93,8 +93,8 @@ until dig letsencrypt.org +time=3 +tries=1 @unbound > /dev/null; do
 
				   sleep 2
			
 
				 done
			
 
				 log_f "Resolver OK"
			
 
				-
			
 
				-ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} \
			
 
				+log_f "Using command acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} --account-key ${ACME_BASE}/acme/account.pem --disable-check --csr ${CSR} --acme-dir /var/www/acme/"
			
 
				+ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} \
			
 
				   --account-key ${ACME_BASE}/acme/account.pem \
			
 
				   --disable-check \
			
 
				   --csr ${CSR} \
			
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -384,11 +384,12 @@ services:
 
				     acme-mailcow:
			
 
				       depends_on:
			
 
				         - nginx-mailcow
			
 
				-      image: mailcow/acme:1.78
			
 
				+      image: mailcow/acme:1.79
			
 
				       dns:
			
 
				         - ${IPV4_NETWORK:-172.22.1}.254
			
 
				       environment:
			
 
				         - LOG_LINES=${LOG_LINES:-9999}
			
 
				+        - ACME_CONTACT=${ACME_CONTACT:-}
			
 
				         - ADDITIONAL_SAN=${ADDITIONAL_SAN}
			
 
				         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
			
 
				         - DBNAME=${DBNAME}
			
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -336,6 +336,13 @@ DOVECOT_MASTER_USER=
 
				 # LEAVE EMPTY IF UNSURE
			
 
				 DOVECOT_MASTER_PASS=
			
 
				 
			
 
				+# Let's Encrypt registration contact information
			
 
				+# Optional: Leave empty for none
			
 
				+# This value is only used on first order!
			
 
				+# Setting it at a later point will require the following steps:
			
 
				+# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/
			
 
				+ACME_CONTACT=
			
 
				+
			
 
				 EOF
			
 
				 
			
 
				 mkdir -p data/assets/ssl
			
--- a/update.sh
+++ b/update.sh
@@ -223,6 +223,7 @@ CONFIG_ARRAY=(
 
				   "XMPP_S2S_PORT"
			
 
				   "XMPP_HTTPS_PORT"
			
 
				   "ADDITIONAL_SERVER_NAMES"
			
 
				+  "ACME_CONTACT"
			
 
				 )
			
 
				 
			
 
				 sed -i --follow-symlinks '$a\' mailcow.conf
			
@@ -433,6 +434,15 @@ for option in ${CONFIG_ARRAY[@]}; do
 
				     if ! grep -q ${option} mailcow.conf; then
			
 
				       echo "XMPP_HTTPS_PORT=5443" >> mailcow.conf
			
 
				     fi
			
 
				+  elif [[ ${option} == "ACME_CONTACT" ]]; then
			
 
				+    if ! grep -q ${option} mailcow.conf; then
			
 
				+      echo '# Let\'s Encrypt registration contact information' >> mailcow.conf
			
 
				+      echo '# Optional: Leave empty for none' >> mailcow.conf
			
 
				+      echo '# This value is only used on first order!' >> mailcow.conf
			
 
				+      echo '# Setting it at a later point will require the following steps:' >> mailcow.conf
			
 
				+      echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
			
 
				+      echo 'ACME_CONTACT=' >> mailcow.conf
			
 
				+  fi
			
 
				   elif ! grep -q ${option} mailcow.conf; then
			
 
				     echo "Adding new option \"${option}\" to mailcow.conf"
			
 
				     echo "${option}=n" >> mailcow.conf