self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-01-18 03:21:36 +02:00
Code Issues Releases Activity

simplify as per ghostwheel42's suggestion

Browse Source
This commit is contained in:
Florent Daigniere 2022-02-20 11:56:21 +01:00
parent e4a32b55f5
commit 0816cb9497
3 changed files with 20 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
core/nginx/conf/nginx.conf
View File

@ -289,8 +289,8 @@ mail {
listen [::]:25;
{% if TLS and not TLS_ERROR %}
{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
ssl_certificate /certs/letsencrypt/live/mailu/nginx-chain-DANE.pem;
ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/nginx-chain-DANE.pem;
ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/fullchain.pem;
{% endif %}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;

18
core/nginx/config.py
View File

@ -34,6 +34,24 @@ args["TLS"] = {
"notls": None
}[args["TLS_FLAVOR"]]
def format_for_nginx(fullchain, output):
""" We may want to strip ISRG Root X1 out """
certs = []
with open(fullchain, 'r') as pem:
cert = ''
for line in pem:
cert += line
if '-----END CERTIFICATE-----' in line:
certs += [cert]
cert = ''
with open(output, 'w') as pem:
for cert in certs[:-1] if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN', default="False") else certs:
pem.write(cert)
if args['TLS_FLAVOR'] in ['letsencrypt', 'mail-letsencrypt']:
format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"]):
print("Missing cert or key file, disabling TLS")
args["TLS_ERROR"] = "yes"

28
core/nginx/letsencrypt.py
View File

@ -32,39 +32,11 @@ command2 = [
"--post-hook", "/config.py"
]
def format_for_nginx(fullchain, output):
""" We may want to strip ISRG Root X1 out
"""
certs = []
with open(fullchain, 'r') as pem:
cert = ''
for line in pem:
cert += line
if '-----END CERTIFICATE-----' in line:
certs += [cert]
cert = ''
with open(output, 'w') as pem:
for cert in certs[:-1] if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN', default="False") else certs:
pem.write(cert)
def add_DANE_pin(chain, output):
with open(output, 'w') as pem:
with open(chain, 'r') as chain:
for line in chain:
pem.write(line)
with open('/etc/ssl/certs/ca-cert-ISRG_Root_X1.pem', 'r') as isrgx1:
for line in isrgx1:
pem.write(line)
# Wait for nginx to start
time.sleep(5)
# Run certbot every day
while True:
subprocess.call(command)
format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
add_DANE_pin('/certs/letsencrypt/live/mailu/chain.pem', '/certs/letsencrypt/live/mailu/nginx-chain-DANE.pem')
subprocess.call(command2)
format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
add_DANE_pin('/certs/letsencrypt/live/mailu-ecdsa/chain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain-DANE.pem')
time.sleep(86400)