Home Explore Help
Sign In
mirrors
/
mailcow-dockerized
mirror of https://github.com/mailcow/mailcow-dockerized
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

[Config, Update] Add ACME_CONTACT

andryyy 4 years ago
parent
5df8a24c84
commit
0cbd4ec273
6 changed files with 54 additions and 17 deletions
Unified View Show Diff Stats
  1. 13 14
      data/Dockerfiles/acme/acme.sh
  2. 20 0
      data/Dockerfiles/acme/functions.sh
  3. 2 2
      data/Dockerfiles/acme/obtain-certificate.sh
  4. 2 1
      docker-compose.yml
  5. 7 0
      generate_config.sh
  6. 10 0
      update.sh

+ 13 - 14
data/Dockerfiles/acme/acme.sh
View File 

@@ -155,6 +155,18 @@ while true; do
 
   fi
 
   fi
 
   if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
 
   if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
 
     log_f "Generating missing Lets Encrypt account key..."
 
     log_f "Generating missing Lets Encrypt account key..."
 
+    if [[ ! -z ${ACME_CONTACT} ]]; then
 
+      if ! verify_email "${ACME_CONTACT}"; then
 
+        log_f "Invalid email address, will not start registration!"
 
+        sleep 365d
 
+        exec $(readlink -f "$0")
 
+      else
 
+        ACME_CONTACT_PARAMETER="--contact mailto:${ACME_CONTACT}"
 
+        log_f "Valid email address, using ${ACME_CONTACT} for registration"
 
+      fi
 
+    else
 
+      ACME_CONTACT_PARAMETER=""
 
+    fi
 
     openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem
 
     openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem
 
   else
 
   else
 
     log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem"
 
     log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem"
 
@@ -207,19 +219,6 @@ while true; do
 
   IPV6=$(get_ipv6)
 
   IPV6=$(get_ipv6)
 
   log_f "OK: ${IPV4}, ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}"
 
   log_f "OK: ${IPV4}, ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}"
 
 
 
-  # Hard-fail on CAA errors for MAILCOW_HOSTNAME
 
-  MH_PARENT_DOMAIN=$(echo ${MAILCOW_HOSTNAME} | cut -d. -f2-)
 
-  MH_CAAS=( $(dig CAA ${MH_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
 
-  if [[ ! -z ${MH_CAAS} ]]; then
 
-    if [[ ${MH_CAAS[@]} =~ "letsencrypt.org" ]]; then
 
-      log_f "Validated CAA for parent domain ${MH_PARENT_DOMAIN}"
 
-    else
 
-      log_f "Skipping ACME validation: Lets Encrypt disallowed for ${MAILCOW_HOSTNAME} by CAA record, retrying in 1h..."
 
-      sleep 1h
 
-      exec $(readlink -f "$0")
 
-    fi
 
-  fi
 
-
 
   #########################################
 
   #########################################
 
   # IP and webroot challenge verification #
 
   # IP and webroot challenge verification #
 
   SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
 
   SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
 
@@ -290,7 +289,7 @@ while true; do
 
     VALIDATED_CERTIFICATES+=("${CERT_NAME}")
 
     VALIDATED_CERTIFICATES+=("${CERT_NAME}")
 
 
 
     # obtain server certificate if required
 
     # obtain server certificate if required
 
-    DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
 
+    ACME_CONTACT_PARAMETER=${ACME_CONTACT_PARAMETER} DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
 
     RETURN="$?"
 
     RETURN="$?"
 
     if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
 
     if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
 
       CERT_AMOUNT_CHANGED=1
 
       CERT_AMOUNT_CHANGED=1

+ 20 - 0
data/Dockerfiles/acme/functions.sh
View File 

@@ -16,6 +16,15 @@ log_f() {
 
   fi
 
   fi
 
 }
 
 }
 
 
 
+verify_email(){
 
+  regex="^(([A-Za-z0-9]+((\.|\-|\_|\+)?[A-Za-z0-9]?)*[A-Za-z0-9]+)|[A-Za-z0-9]+)@(([A-Za-z0-9]+)+((\.|\-|\_)?([A-Za-z0-9]+)+)*)+\.([A-Za-z]{2,})+$"
 
+  if [[ $1 =~ ${regex} ]]; then
 
+    return 0
 
+  else
 
+    return 1
 
+  fi
 
+}
 
+
 
 verify_hash_match(){
 
 verify_hash_match(){
 
   CERT_HASH=$(openssl x509 -in "${1}" -noout -pubkey | openssl md5)
 
   CERT_HASH=$(openssl x509 -in "${1}" -noout -pubkey | openssl md5)
 
   KEY_HASH=$(openssl pkey -in "${2}" -pubout | openssl md5)
 
   KEY_HASH=$(openssl pkey -in "${2}" -pubout | openssl md5)
 
@@ -60,6 +69,17 @@ check_domain(){
 
     DOMAIN=$1
 
     DOMAIN=$1
 
     A_DOMAIN=$(dig A ${DOMAIN} +short | tail -n 1)
 
     A_DOMAIN=$(dig A ${DOMAIN} +short | tail -n 1)
 
     AAAA_DOMAIN=$(dig AAAA ${DOMAIN} +short | tail -n 1)
 
     AAAA_DOMAIN=$(dig AAAA ${DOMAIN} +short | tail -n 1)
 
+    # Hard-fail on CAA errors for MAILCOW_HOSTNAME
 
+    PARENT_DOMAIN=$(echo ${DOMAIN} | cut -d. -f2-)
 
+    CAAS=( $(dig CAA ${PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
 
+    if [[ ! -z ${CAAS} ]]; then
 
+      if [[ ${CAAS[@]} =~ "letsencrypt.org" ]]; then
 
+        log_f "Validated CAA for parent domain ${PARENT_DOMAIN}"
 
+      else
 
+        log_f "Lets Encrypt disallowed for ${PARENT_DOMAIN} by CAA record"
 
+        return 1
 
+      fi
 
+    fi
 
     # Check if CNAME without v6 enabled target
 
     # Check if CNAME without v6 enabled target
 
     if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
 
     if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
 
       AAAA_DOMAIN=
 
       AAAA_DOMAIN=

+ 2 - 2
data/Dockerfiles/acme/obtain-certificate.sh
View File 

@@ -93,8 +93,8 @@ until dig letsencrypt.org +time=3 +tries=1 @unbound > /dev/null; do
 
   sleep 2
 
   sleep 2
 
 done
 
 done
 
 log_f "Resolver OK"
 
 log_f "Resolver OK"
 
-
 
-ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} \
 
+log_f "Using command acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} --account-key ${ACME_BASE}/acme/account.pem --disable-check --csr ${CSR} --acme-dir /var/www/acme/"
 
+ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} \
 
   --account-key ${ACME_BASE}/acme/account.pem \
 
   --account-key ${ACME_BASE}/acme/account.pem \
 
   --disable-check \
 
   --disable-check \
 
   --csr ${CSR} \
 
   --csr ${CSR} \

+ 2 - 1
docker-compose.yml
View File 

@@ -384,11 +384,12 @@ services:
 
     acme-mailcow:
 
     acme-mailcow:
 
       depends_on:
 
       depends_on:
 
         - nginx-mailcow
 
         - nginx-mailcow
 
-      image: mailcow/acme:1.78
 
+      image: mailcow/acme:1.79
 
       dns:
 
       dns:
 
         - ${IPV4_NETWORK:-172.22.1}.254
 
         - ${IPV4_NETWORK:-172.22.1}.254
 
       environment:
 
       environment:
 
         - LOG_LINES=${LOG_LINES:-9999}
 
         - LOG_LINES=${LOG_LINES:-9999}
 
+        - ACME_CONTACT=${ACME_CONTACT:-}
 
         - ADDITIONAL_SAN=${ADDITIONAL_SAN}
 
         - ADDITIONAL_SAN=${ADDITIONAL_SAN}
 
         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
 
         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
 
         - DBNAME=${DBNAME}
 
         - DBNAME=${DBNAME}

+ 7 - 0
generate_config.sh
View File 

@@ -336,6 +336,13 @@ DOVECOT_MASTER_USER=
 
 # LEAVE EMPTY IF UNSURE
 
 # LEAVE EMPTY IF UNSURE
 
 DOVECOT_MASTER_PASS=
 
 DOVECOT_MASTER_PASS=
 
 
 
+# Let's Encrypt registration contact information
 
+# Optional: Leave empty for none
 
+# This value is only used on first order!
 
+# Setting it at a later point will require the following steps:
 
+# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/
 
+ACME_CONTACT=
 
+
 
 EOF
 
 EOF
 
 
 
 mkdir -p data/assets/ssl
 
 mkdir -p data/assets/ssl

+ 10 - 0
update.sh
View File 

@@ -223,6 +223,7 @@ CONFIG_ARRAY=(
 
   "XMPP_S2S_PORT"
 
   "XMPP_S2S_PORT"
 
   "XMPP_HTTPS_PORT"
 
   "XMPP_HTTPS_PORT"
 
   "ADDITIONAL_SERVER_NAMES"
 
   "ADDITIONAL_SERVER_NAMES"
 
+  "ACME_CONTACT"
 
 )
 
 )
 
 
 
 sed -i --follow-symlinks '$a\' mailcow.conf
 
 sed -i --follow-symlinks '$a\' mailcow.conf
 
@@ -433,6 +434,15 @@ for option in ${CONFIG_ARRAY[@]}; do
 
     if ! grep -q ${option} mailcow.conf; then
 
     if ! grep -q ${option} mailcow.conf; then
 
       echo "XMPP_HTTPS_PORT=5443" >> mailcow.conf
 
       echo "XMPP_HTTPS_PORT=5443" >> mailcow.conf
 
     fi
 
     fi
 
+  elif [[ ${option} == "ACME_CONTACT" ]]; then
 
+    if ! grep -q ${option} mailcow.conf; then
 
+      echo '# Let\'s Encrypt registration contact information' >> mailcow.conf
 
+      echo '# Optional: Leave empty for none' >> mailcow.conf
 
+      echo '# This value is only used on first order!' >> mailcow.conf
 
+      echo '# Setting it at a later point will require the following steps:' >> mailcow.conf
 
+      echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
 
+      echo 'ACME_CONTACT=' >> mailcow.conf
 
+  fi
 
   elif ! grep -q ${option} mailcow.conf; then
 
   elif ! grep -q ${option} mailcow.conf; then
 
     echo "Adding new option \"${option}\" to mailcow.conf"
 
     echo "Adding new option \"${option}\" to mailcow.conf"
 
     echo "${option}=n" >> mailcow.conf
 
     echo "${option}=n" >> mailcow.conf