diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 60cdc1ea..b9bb20b7 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -289,8 +289,8 @@ mail {
 listen [::]:25;
 {% if TLS and not TLS_ERROR %}
 {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
- ssl_certificate /certs/letsencrypt/live/mailu/nginx-chain-DANE.pem;
- ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/nginx-chain-DANE.pem;
+ ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
+ ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/fullchain.pem;
 {% endif %}
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
diff --git a/core/nginx/config.py b/core/nginx/config.py
index 9fa75877..bd6967b9 100755
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
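Review bot: The two new `ssl_certificate` lines load certbot's raw `fullchain.pem`, so the `nginx-chain.pem` that config.py's `format_for_nginx` writes for the same certificate pair, and the `LETSENCRYPT_SHORTCHAIN` trimming it applies, no longer reach the mail listener; if other `ssl_certificate` directives outside this hunk still point at `nginx-chain.pem`, the http and mail listeners will present different chains, otherwise the generated file is dead output. Dropping the `nginx-chain-DANE.pem` variant also means the chain presented on port 25 no longer carries the appended ISRG Root X1, so deployments that published DANE-TA TLSA records anchored on that root may stop validating, which deserves a line in the changelog or next to the `LETSENCRYPT_SHORTCHAIN` documentation. The unchanged `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` and trailing `DES-CBC3-SHA` cipher are outside this change but are worth a follow-up for the SMTP listener. The `mail {` block continues outside the hunk.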
@@ -34,6 +34,24 @@ args["TLS"] = {
 "notls": None
 }[args["TLS_FLAVOR"]]
 
+def format_for_nginx(fullchain, output):
+ """ We may want to strip ISRG Root X1 out """
+ certs = []
+ with open(fullchain, 'r') as pem:
+ cert = ''
+ for line in pem:
+ cert += line
+ if '-----END CERTIFICATE-----' in line:
+ certs += [cert]
+ cert = ''
+ with open(output, 'w') as pem:
+ for cert in certs[:-1] if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN', default="False") else certs:
+ pem.write(cert)
+
+if args['TLS_FLAVOR'] in ['letsencrypt', 'mail-letsencrypt']:
+ format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
+ format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
+
 if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"]):
 print("Missing cert or key file, disabling TLS")
 args["TLS_ERROR"] = "yes"
diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index c9048c8c..48316c1c 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
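Review bot: `os.getenv('LETSENCRYPT_SHORTCHAIN', default="False")` in the write loop of `format_for_nginx` yields the non-empty string `"False"` when the variable is unset, and a non-empty string is truthy, so the last certificate is stripped from every chain longer than two regardless of what the operator configured; the value has to be compared, not tested for truthiness, and the accepted spelling should match whatever the variable's documentation says. The two `format_for_nginx(...)` calls also run before the `os.path.exists` check that follows them, so on a container where certbot has not yet written `fullchain.pem` the `open()` raises `FileNotFoundError` and config.py exits instead of reaching the "Missing cert or key file, disabling TLS" path (presumably config.py runs at startup as well as from the post-hook; confirm). The docstring should say what is written, e.g. `"""Copy the PEM chain from fullchain to output, dropping the final certificate when LETSENCRYPT_SHORTCHAIN is enabled and the chain holds more than two certificates."""`. The function body is shown below with the splitting loop left out.
```python
def format_for_nginx(fullchain, output):
    """ We may want to strip ISRG Root X1 out """
    if not os.path.exists(fullchain):
        return  # nothing issued yet; leave it to the exists() check below
    # … unchanged: split fullchain into individual PEM certificates …
    # "False" is a truthy string: compare the value instead of testing it
    shortchain = os.getenv('LETSENCRYPT_SHORTCHAIN', 'False').lower() == 'true'
    with open(output, 'w') as pem:
        for cert in certs[:-1] if len(certs) > 2 and shortchain else certs:
            pem.write(cert)
```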
@@ -32,39 +32,11 @@ command2 = [
 "--post-hook", "/config.py"
 ]
 
-def format_for_nginx(fullchain, output):
- """ We may want to strip ISRG Root X1 out
- """
- certs = []
- with open(fullchain, 'r') as pem:
- cert = ''
- for line in pem:
- cert += line
- if '-----END CERTIFICATE-----' in line:
- certs += [cert]
- cert = ''
- with open(output, 'w') as pem:
- for cert in certs[:-1] if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN', default="False") else certs:
- pem.write(cert)
-
-def add_DANE_pin(chain, output):
- with open(output, 'w') as pem:
- with open(chain, 'r') as chain:
- for line in chain:
- pem.write(line)
- with open('/etc/ssl/certs/ca-cert-ISRG_Root_X1.pem', 'r') as isrgx1:
- for line in isrgx1:
- pem.write(line)
-
 # Wait for nginx to start
 time.sleep(5)
 
 # Run certbot every day
 while True:
 subprocess.call(command)
- format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
- add_DANE_pin('/certs/letsencrypt/live/mailu/chain.pem', '/certs/letsencrypt/live/mailu/nginx-chain-DANE.pem')
 subprocess.call(command2)
- format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
- add_DANE_pin('/certs/letsencrypt/live/mailu-ecdsa/chain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain-DANE.pem')
 time.sleep(86400)