[ACME] Fix detection of orphaned SANs and add tini

data/Dockerfiles/acme/Dockerfile

@@ -9,8 +9,9 @@ RUN apk add --update --no-cache \
 	openssl \
 	bind-tools \
 	jq \
-	mariadb-client
+	mariadb-client \
+  tini
 
 COPY docker-entrypoint.sh /srv/docker-entrypoint.sh
 
-ENTRYPOINT ["/srv/docker-entrypoint.sh"]
+CMD ["/sbin/tini", "-g", "--", "/srv/docker-entrypoint.sh"]

data/Dockerfiles/acme/docker-entrypoint.sh

@@ -8,26 +8,40 @@ SSL_EXAMPLE=/var/lib/ssl-example
 mkdir -p ${ACME_BASE}/acme/private
 
 restart_containers(){
-	for container in $*; do
-		echo "Restarting ${container}..."
-		curl -X POST http://dockerapi:8080/containers/${container}/restart
-	done
+  for container in $*; do
+    echo "Restarting ${container}..."
+    curl -X POST http://dockerapi:8080/containers/${container}/restart
+  done
 }
 
 log_f() {
-  echo "$(date) - ${1}"
+  if [[ ${2} == "no_nl" ]]; then
+    echo -n "$(date) - ${1}"
+  elif [[ ${2} == "no_date" ]]; then
+    echo "${1}"
+  else
+    echo "$(date) - ${1}"
+  fi
+}
+
+array_diff() {
+  # https://stackoverflow.com/questions/2312762, Alex Offshore
+  eval local ARR1=\(\"\${$2[@]}\"\)
+  eval local ARR2=\(\"\${$3[@]}\"\)
+  local IFS=$'\n'
+  mapfile -t $1 < <(comm -23 <(echo "${ARR1[*]}" | sort) <(echo "${ARR2[*]}" | sort))
 }
 
 verify_hash_match(){
-	CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
-	KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
-	if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
-		log_f "Certificate and key hashes do not match!"
-		return 1
-	else
-		log_f "Verified hashes."
-		return 0
-	fi
+  CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
+  KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
+  if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
+    log_f "Certificate and key hashes do not match!"
+    return 1
+  else
+    log_f "Verified hashes."
+    return 0
+  fi
 }
 
 get_ipv4(){
@@ -51,239 +65,243 @@ get_ipv4(){
 [[ ! -f ${ACME_BASE}/dhparams.pem ]] && cp ${SSL_EXAMPLE}/dhparams.pem ${ACME_BASE}/dhparams.pem
 
 if [[ -f ${ACME_BASE}/cert.pem ]] && [[ -f ${ACME_BASE}/key.pem ]]; then
-	ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
-	if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then
-		log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..."
-		sleep 3650d
-		exec $(readlink -f "$0")
-	else
-		declare -a SAN_ARRAY_NOW
-		SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:")
-		if [[ ! -z ${SAN_NAMES} ]]; then
-			IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES}
-			log_f "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}"
-		fi
-	fi
+  ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
+  if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then
+    log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..."
+    sleep 3650d
+    exec $(readlink -f "$0")
+  else
+    declare -a SAN_ARRAY_NOW
+    SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:")
+    if [[ ! -z ${SAN_NAMES} ]]; then
+      IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES}
+      log_f "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}"
+    fi
+  fi
 else
-	if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
-		if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then
-			log_f "Restoring previous acme certificate and restarting script..."
-			cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-			cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-			# Restarting with env var set to trigger a restart,
-			exec env TRIGGER_RESTART=1 $(readlink -f "$0")
-		fi
-	ISSUER="mailcow"
-	else
-		log_f "Restoring mailcow snake-oil certificates and restarting script..."
-		cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
-		cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
-		exec env TRIGGER_RESTART=1 $(readlink -f "$0")
-	fi
+  if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
+    if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then
+      log_f "Restoring previous acme certificate and restarting script..."
+      cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+      cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+      # Restarting with env var set to trigger a restart,
+      exec env TRIGGER_RESTART=1 $(readlink -f "$0")
+    fi
+  ISSUER="mailcow"
+  else
+    log_f "Restoring mailcow snake-oil certificates and restarting script..."
+    cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+    cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+    exec env TRIGGER_RESTART=1 $(readlink -f "$0")
+  fi
 fi
 
 while ! mysqladmin ping --host mysql -u${DBUSER} -p${DBPASS} --silent; do
-	echo "Waiting for database to come up..."
-	sleep 2
+  echo "Waiting for database to come up..."
+  sleep 2
 done
 
 while true; do
-	if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-		log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
-		sleep 365d
-		exec $(readlink -f "$0")
-	fi
-	if [[ "${SKIP_IP_CHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-		SKIP_IP_CHECK=y
-	fi
-	unset SQL_DOMAIN_ARR
-	unset VALIDATED_CONFIG_DOMAINS
-	unset ADDITIONAL_VALIDATED_SAN
-	declare -a SQL_DOMAIN_ARR
-	declare -a VALIDATED_CONFIG_DOMAINS
-	declare -a ADDITIONAL_VALIDATED_SAN
-	IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
-	IPV4=$(get_ipv4)
-	# Container ids may have changed
-	CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
+  if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+    log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
+    sleep 365d
+    exec $(readlink -f "$0")
+  fi
+  if [[ "${SKIP_IP_CHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+    SKIP_IP_CHECK=y
+  fi
+  unset SQL_DOMAIN_ARR
+  unset VALIDATED_CONFIG_DOMAINS
+  unset ADDITIONAL_VALIDATED_SAN
+  declare -a SQL_DOMAIN_ARR
+  declare -a VALIDATED_CONFIG_DOMAINS
+  declare -a ADDITIONAL_VALIDATED_SAN
+  IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
+  IPV4=$(get_ipv4)
+  # Container ids may have changed
+  CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
 
-	while read domain; do
-		SQL_DOMAIN_ARR+=("${domain}")
-	done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0" -Bs)
-	while read alias_domain; do
-		SQL_DOMAIN_ARR+=("${alias_domain}")
-	done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
+  log_f "Waiting for domain tables... " no_nl
+  while [[ -z ${DOMAIN_TABLE} ]]; do
+    DOMAIN_TABLE=$(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
+    [[ -z ${DOMAIN_TABLE} ]] && sleep 10
+  done
+  log_f "OK" no_date
 
-	for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
-		A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1)
-		if [[ ! -z ${A_CONFIG} ]]; then
-			log_f "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}"
-			if [[ ${IPV4:-ERR} == ${A_CONFIG} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-				log_f "Confirmed A record autoconfig.${SQL_DOMAIN}"
-				VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}")
-			else
-				log_f "Cannot match your IP ${IPV4} against hostname autoconfig.${SQL_DOMAIN} (${A_CONFIG})"
-			fi
-		else
-			log_f "No A record for autoconfig.${SQL_DOMAIN} found"
-		fi
+  while read domains; do
+    SQL_DOMAIN_ARR+=("${domains}")
+  done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 UNION SELECT alias_domain FROM alias_domain" -Bs)
+
+  for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
+    A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1)
+    if [[ ! -z ${A_CONFIG} ]]; then
+      log_f "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}"
+      if [[ ${IPV4:-ERR} == ${A_CONFIG} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+        log_f "Confirmed A record autoconfig.${SQL_DOMAIN}"
+        VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}")
+      else
+        log_f "Cannot match your IP ${IPV4} against hostname autoconfig.${SQL_DOMAIN} (${A_CONFIG})"
+      fi
+    else
+      log_f "No A record for autoconfig.${SQL_DOMAIN} found"
+    fi
 
         A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short | tail -n 1)
-		if [[ ! -z ${A_DISCOVER} ]]; then
-			log_f "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
-			if [[ ${IPV4:-ERR} == ${A_DISCOVER} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-				log_f "Confirmed A record autodiscover.${SQL_DOMAIN}"
-				VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}")
-			else
-				log_f "Cannot match your IP ${IPV4} against hostname autodiscover.${SQL_DOMAIN} (${A_DISCOVER})"
-			fi
-		else
-			log_f "No A record for autodiscover.${SQL_DOMAIN} found"
-		fi
-	done
+    if [[ ! -z ${A_DISCOVER} ]]; then
+      log_f "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
+      if [[ ${IPV4:-ERR} == ${A_DISCOVER} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+        log_f "Confirmed A record autodiscover.${SQL_DOMAIN}"
+        VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}")
+      else
+        log_f "Cannot match your IP ${IPV4} against hostname autodiscover.${SQL_DOMAIN} (${A_DISCOVER})"
+      fi
+    else
+      log_f "No A record for autodiscover.${SQL_DOMAIN} found"
+    fi
+  done
 
-	A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
-	if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
-		log_f "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
-		if [[ ${IPV4:-ERR} == ${A_MAILCOW_HOSTNAME} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-			log_f "Confirmed A record ${MAILCOW_HOSTNAME}"
-			VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
-		else
-			log_f "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (${A_MAILCOW_HOSTNAME}) "
-		fi
-	else
-		log_f "No A record for ${MAILCOW_HOSTNAME} found"
-	fi
+  A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
+  if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
+    log_f "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
+    if [[ ${IPV4:-ERR} == ${A_MAILCOW_HOSTNAME} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+      log_f "Confirmed A record ${MAILCOW_HOSTNAME}"
+      VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
+    else
+      log_f "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (${A_MAILCOW_HOSTNAME}) "
+    fi
+  else
+    log_f "No A record for ${MAILCOW_HOSTNAME} found"
+  fi
 
-	for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
-		if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then
-			continue
-		fi
-		A_SAN=$(dig A ${SAN} +short | tail -n 1)
-		if [[ ! -z ${A_SAN} ]]; then
-			log_f "Found A record for ${SAN}: ${A_SAN}"
-			if [[ ${IPV4:-ERR} == ${A_SAN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-				log_f "Confirmed A record ${SAN}"
-				ADDITIONAL_VALIDATED_SAN+=("${SAN}")
-			else
-				log_f "Cannot match your IP against hostname ${SAN}"
-			fi
-		else
-			log_f "No A record for ${SAN} found"
-		fi
-	done
+  for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
+    if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then
+      continue
+    fi
+    A_SAN=$(dig A ${SAN} +short | tail -n 1)
+    if [[ ! -z ${A_SAN} ]]; then
+      log_f "Found A record for ${SAN}: ${A_SAN}"
+      if [[ ${IPV4:-ERR} == ${A_SAN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+        log_f "Confirmed A record ${SAN}"
+        ADDITIONAL_VALIDATED_SAN+=("${SAN}")
+      else
+        log_f "Cannot match your IP against hostname ${SAN}"
+      fi
+    else
+      log_f "No A record for ${SAN} found"
+    fi
+  done
 
   # Unique elements
-	ALL_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-	if [[ -z ${ALL_VALIDATED[*]} ]]; then
-		log_f "Cannot validate hostnames, skipping Let's Encrypt for 1 hour."
-		log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
-		sleep 1h
-		exec $(readlink -f "$0")
-	fi
+  ALL_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
+  if [[ -z ${ALL_VALIDATED[*]} ]]; then
+    log_f "Cannot validate hostnames, skipping Let's Encrypt for 1 hour."
+    log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
+    sleep 1h
+    exec $(readlink -f "$0")
+  fi
 
-	ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${ALL_VALIDATED[*]} | tr ' ' '\n' | sort | uniq -u ))
-	if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then
-		DATE=$(date +%Y-%m-%d_%H_%M_%S)
-		log_f "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
-		mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/
-		[[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/
-		[[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
-		[[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/
-		cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records
-	fi
+  array_diff ORPHANED_SAN SAN_ARRAY_NOW ALL_VALIDATED
+  if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then
+    DATE=$(date +%Y-%m-%d_%H_%M_%S)
+    log_f "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
+    mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/
+    [[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/
+    [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
+    [[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/
+    cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records
+  fi
 
-	ACME_RESPONSE=$(acme-client \
-		-v -e -b -N -n \
-		-f ${ACME_BASE}/acme/private/account.key \
-		-k ${ACME_BASE}/acme/private/privkey.pem \
-		-c ${ACME_BASE}/acme \
-		${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5)
+  ACME_RESPONSE=$(acme-client \
+    -v -e -b -N -n \
+    -f ${ACME_BASE}/acme/private/account.key \
+    -k ${ACME_BASE}/acme/private/privkey.pem \
+    -c ${ACME_BASE}/acme \
+    ${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5)
 
-	case "$?" in
-		0) # new certs
-			# cp the new certificates and keys
-			cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-			cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+  case "$?" in
+    0) # new certs
+      # cp the new certificates and keys
+      cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+      cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
 
-			# restart docker containers
-			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, restoring mailcow snake-oil and restarting containers..."
-				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
-				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
-			fi
-			restart_containers ${CONTAINERS_RESTART[*]}
-			;;
-		1) # failure
-			if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then
-				log_f "Registration keys are invalid, deleting old keys and restarting..."
-				rm ${ACME_BASE}/acme/private/account.key
-				rm ${ACME_BASE}/acme/private/privkey.pem
-				exec $(readlink -f "$0")
-			fi
-			if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
-				log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
-				cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
-				log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
-				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				log_f "Error verifying certificates, restoring mailcow snake-oil and restarting containers..."
-				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
-				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			[[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
-			log_f "Retrying in 30 minutes..."
-			sleep 30m
-			exec $(readlink -f "$0")
-			;;
-		2) # no change
-			if ! diff ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem; then
-				log_f "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..."
-				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				log_f "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..."
-				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			[[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
-			;;
-		*) # unspecified
-			if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
-				log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
-				cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
+      # restart docker containers
+      if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+        log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, restoring mailcow snake-oil and restarting containers..."
+        cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+        cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+      fi
+      restart_containers ${CONTAINERS_RESTART[*]}
+      ;;
+    1) # failure
+      if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then
+        log_f "Registration keys are invalid, deleting old keys and restarting..."
+        rm ${ACME_BASE}/acme/private/account.key
+        rm ${ACME_BASE}/acme/private/privkey.pem
+        exec $(readlink -f "$0")
+      fi
+      if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
+        log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
+        cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
+        log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
+        cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+        log_f "Error verifying certificates, restoring mailcow snake-oil and restarting containers..."
+        cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+        cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
+      log_f "Retrying in 30 minutes..."
+      sleep 30m
+      exec $(readlink -f "$0")
+      ;;
+    2) # no change
+      if ! diff ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem; then
+        log_f "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..."
+        cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+        log_f "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..."
+        cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
+      ;;
+    *) # unspecified
+      if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
+        log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
+        cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
             elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
-				log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
-				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				log_f "Error verifying certificates, restoring mailcow snake-oil..."
-				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
-				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			[[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
-			log_f "Retrying in 30 minutes..."
-			sleep 30m
-			exec $(readlink -f "$0")
-			;;
-	esac
+        log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
+        cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+        log_f "Error verifying certificates, restoring mailcow snake-oil..."
+        cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+        cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
+      log_f "Retrying in 30 minutes..."
+      sleep 30m
+      exec $(readlink -f "$0")
+      ;;
+  esac
 
-	log_f "ACME certificate validation done. Sleeping for another day."
-	sleep 1d
+  log_f "ACME certificate validation done. Sleeping for another day."
+  sleep 1d
 
 done