self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-08-10 22:31:47 +02:00
Code Issues Releases Activity

Use ldez/traefik-certs-dumper in certificate dumper, and make more robust

Browse Source 
closes #820
This commit is contained in:
Dario Ernst
2019-03-10 12:15:14 +00:00
parent da52c64cd8
commit 1acd629e6f
5 changed files with 16 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
optional/traefik-certdumper/Dockerfile
View File

@@ -1,11 +1,10 @@
FROM alpine:3.8 FROM ldez/traefik-certs-dumper
RUN apk --no-cache add inotify-tools jq openssl util-linux bash docker RUN apk --no-cache add inotify-tools util-linux bash docker
# while not strictly documented, this script seems to always(?) support previous acme.json versions too
RUN wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh COPY run.sh /
VOLUME ["/traefik"] VOLUME ["/traefik"]
VOLUME ["/output"] VOLUME ["/output"]
COPY run.sh /
ENTRYPOINT ["/run.sh"] ENTRYPOINT ["/run.sh"]

21
optional/traefik-certdumper/LICENSE
View File

@@ -1,21 +0,0 @@
MIT License
Copyright (c) 2018 Sven Dowideit
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

27
optional/traefik-certdumper/README.md
View File

@@ -1,27 +0,0 @@
# Single-domain traefik-certdumper for mailu
This is based on the work by Sven Dowideit on https://github.com/SvenDowideit/traefik-certdumper
## Fork?
This is a slight modification that is less flexible, but is adapted to the
usecase in mailu. If you wish to deploy mailu behind a traefik, you face many
problems. One of these is that you need to get the certificates into mailu in a
very defined manner. This will copy the certificate for the **Main:**-domain
given in the DOMAIN-environment onto `output`.
If your output happens to be mailu-front-`/certs`, the certificate-watcher in
the front-container will catch it and reload nginx. This works for mailu
`TLS_FLAVOR=[mail, cert]`
```
certdumper:
restart: always
image: Mailu/traefik-certdumper:$VERSION
environment:
- DOMAIN=$DOMAIN
volumes:
# your traefik data-volume is probably declared outside of the mailu composefile
- /data/traefik:/traefik
- $ROOT/certs/:/output/
```

25
optional/traefik-certdumper/run.sh
View File

@@ -2,25 +2,22 @@
function dump() { function dump() {
echo "$(date) Dumping certificates" echo "$(date) Dumping certificates"
bash dumpcerts.sh /traefik/acme.json /tmp/work/ || return
# private-keys are rsa, we need pem though traefik-certs-dumper dump --crt-name "cert" --crt-ext ".pem" --key-name "key" --key-ext ".pem" --domain-subdir=true --dest /tmp/work --source /traefik/acme.json > /dev/null
for key_file in $(ls /tmp/work/private/*); do
pem_file=$(echo $key_file | sed 's/private/pem/g' | sed 's/.key/-private.pem/g')
openssl rsa -in $key_file -text > $pem_file
done
echo "$(date) Copying certificates" if diff -q /tmp/work/${DOMAIN}/cert.pem /output/cert.pem >/dev/null && \
cp -v /tmp/work/pem/${DOMAIN}-private.pem /output/key.pem diff -q /tmp/work/${DOMAIN}/key.pem /output/key.pem >/dev/null ; then
# the .crt is a chained-pem, as common for letsencrypt echo "$(date) Certificate and key still up to date, doing nothing"
cp -v /tmp/work/certs/${DOMAIN}.crt /output/cert.pem else
echo "$(date) Certificate or key differ, updating"
mv /tmp/work/${DOMAIN}/*.pem /output/
fi
} }
mkdir -p /tmp/work/pem /tmp/work/certs mkdir -p /tmp/work
# run once on start to make sure we have any old certs
dump dump
while true; do while true; do
inotifywait -e modify /traefik/acme.json && \ inotifywait -qq -e modify /traefik/acme.json
dump dump
done done

1
towncrier/newsfragments/820.bugfix Normal file
View File

@@ -0,0 +1 @@
Use ldez/traefik-certs-dumper in our certificate dumper to have a more robust solution