Fix issuing ecdsa certificates correctly for newly added domains
This commit is contained in:
parent
dbfeed5c3a
commit
bd6196ad35
@ -442,7 +442,7 @@ while true; do
# archive ecdsa cert (if exists)
# archive ecdsa cert (if exists)
mkdir -p ${BACKUP_DIR_ECDSA}/
mkdir -p ${BACKUP_DIR_ECDSA}/
[[ -f ${ACME_BASE}/${EXISTING_CERT}/ecdsa-cert.pem && -f ${ACME_BASE}/${EXISTING_CERT}/domains ]] && cp ${ACME_BASE}/${EXISTING_CERT}/domains ${BACKUP_DIR_ECDSA}/
[[ -f ${ACME_BASE}/${EXISTING_CERT}/ecdsa-cert.pem && -f ${ACME_BASE}/${EXISTING_CERT}/ecdsa-domains ]] && cp ${ACME_BASE}/${EXISTING_CERT}/ecdsa-domains ${BACKUP_DIR_ECDSA}/
[[ -f ${ACME_BASE}/${EXISTING_CERT}/ecdsa-cert.pem ]] && mv ${ACME_BASE}/${EXISTING_CERT}/ecdsa-cert.pem ${BACKUP_DIR_ECDSA}/
[[ -f ${ACME_BASE}/${EXISTING_CERT}/ecdsa-cert.pem ]] && mv ${ACME_BASE}/${EXISTING_CERT}/ecdsa-cert.pem ${BACKUP_DIR_ECDSA}/
[[ -f ${ACME_BASE}/${EXISTING_CERT}/ecdsa-key.pem ]] && mv ${ACME_BASE}/${EXISTING_CERT}/ecdsa-key.pem ${BACKUP_DIR_ECDSA}/
[[ -f ${ACME_BASE}/${EXISTING_CERT}/ecdsa-key.pem ]] && mv ${ACME_BASE}/${EXISTING_CERT}/ecdsa-key.pem ${BACKUP_DIR_ECDSA}/
[[ -f ${ACME_BASE}/${EXISTING_CERT}/ecdsa-acme.csr ]] && mv ${ACME_BASE}/${EXISTING_CERT}/ecdsa-acme.csr ${BACKUP_DIR_ECDSA}/
[[ -f ${ACME_BASE}/${EXISTING_CERT}/ecdsa-acme.csr ]] && mv ${ACME_BASE}/${EXISTING_CERT}/ecdsa-acme.csr ${BACKUP_DIR_ECDSA}/
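Review bot: The new backup line archives `ecdsa-domains` only when that file exists, and as far as this page shows no ECDSA certificate issued before this commit has one: the old `DOMAINS_FILE` default in the third hunk wrote every key type's domain list to plain `domains`, so on the first run after upgrade the ECDSA archive in `${BACKUP_DIR_ECDSA}` will hold the cert, key and CSR but no domains list. That is probably acceptable if a missing list simply makes the next check reissue the ECDSA certificate, but nothing here says so; a one-line comment above the `cp`, such as `# ecdsa-domains only exists for issuances after the per-type domains split; older ECDSA certs have none to archive`, would save the next reader the archaeology. The enclosing `while true; do` loop starts and ends outside this hunk.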
@ -460,28 +460,15 @@ while true; do
# reload on new or changed certificates
# reload on new or changed certificates
if [[ "${CERT_CHANGED}" == "1" ]]; then
if [[ "${CERT_CHANGED}" == "1" ]]; then
rm -f "${ACME_BASE}/force_renew" 2> /dev/null
rm -f "${ACME_BASE}/force_renew" 2> /dev/null
RELOAD_LOOP_C=1
log_f "Reloading or restarting services... (${RELOAD_LOOP_C})"
while [[ "${POSTFIX_CERT_SERIAL}" == "${POSTFIX_CERT_SERIAL_NEW}" ]] || [[ "${DOVECOT_CERT_SERIAL}" == "${DOVECOT_CERT_SERIAL_NEW}" ]] || [[ "${POSTFIX_CERT_SERIAL_ECDSA}" == "${POSTFIX_CERT_SERIAL_NEW_ECDSA}" ]] || [[ "${DOVECOT_CERT_SERIAL_ECDSA}" == "${DOVECOT_CERT_SERIAL_NEW_ECDSA}" ]] || [[ ${#POSTFIX_CERT_SERIAL_NEW} -ne 36 ]] || [[ ${#DOVECOT_CERT_SERIAL_NEW} -ne 36 ]] || [[ ${#POSTFIX_CERT_SERIAL_NEW_ECDSA} -ne 36 ]] || [[ ${#DOVECOT_CERT_SERIAL_NEW_ECDSA} -ne 36 ]]; do
CERT_AMOUNT_CHANGED=${CERT_AMOUNT_CHANGED} /srv/reload-configurations.sh
log_f "Reloading or restarting services... (${RELOAD_LOOP_C})"
log_f "Waiting for containers to settle..."
RELOAD_LOOP_C=$((RELOAD_LOOP_C + 1))
sleep 10
CERT_AMOUNT_CHANGED=${CERT_AMOUNT_CHANGED} /srv/reload-configurations.sh
until nc -z dovecot 143; do
log_f "Waiting for containers to settle..."
sleep 1
sleep 10
done
until nc -z dovecot 143; do
until nc -z postfix 25; do
sleep 1
sleep 1
done
until nc -z postfix 25; do
sleep 1
done
POSTFIX_CERT_SERIAL_NEW="$(echo | openssl s_client -tls1_2 -cipher 'aRSA' -connect postfix:25 -starttls smtp 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
DOVECOT_CERT_SERIAL_NEW="$(echo | openssl s_client -tls1_2 -cipher 'aRSA' -connect dovecot:143 -starttls imap 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
POSTFIX_CERT_SERIAL_NEW_ECDSA="$(echo | openssl s_client -tls1_2 -cipher 'aECDSA' -connect postfix:25 -starttls smtp 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
DOVECOT_CERT_SERIAL_NEW_ECDSA="$(echo | openssl s_client -tls1_2 -cipher 'aECDSA' -connect dovecot:143 -starttls imap 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
if [[ ${RELOAD_LOOP_C} -gt 3 ]]; then
log_f "Some services do return old end dates, something went wrong!"
${REDIS_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
break;
fi
done
done
fi
fi
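Review bot: `log_f "Reloading or restarting services... (${RELOAD_LOOP_C})"` on the new side still interpolates `RELOAD_LOOP_C`, but this hunk removes its only visible assignment (`RELOAD_LOOP_C=1`), so the message will print an empty counter, or abort the script if `set -u` is in effect (not visible here); the line should become `log_f "Reloading or restarting services..."`. The removed `while` loop was also the only place that verified, via `openssl s_client` against postfix:25 and dovecot:143, that both services actually present the new RSA and ECDSA certificate serials after the reload, and that set `ACME_FAIL_TIME` in Redis when three attempts failed; after this change a reload that silently keeps serving the old certificate is neither detected nor reported. If dropping that check is intentional, the commit message should say why; otherwise a single post-reload serial comparison reusing the existing `log_f` and Redis marker would keep the failure visible. The outer `while true; do` loop and the `*_CERT_SERIAL*` variables are defined outside this hunk.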
@ -21,7 +21,7 @@ elif [[ "${TYPE}" != "rsa" ]]; then
log_f "Unknown certificate type '${TYPE}' requested"
log_f "Unknown certificate type '${TYPE}' requested"
exit 5
exit 5
fi
fi
DOMAINS_FILE=${ACME_BASE}/${CERT_DOMAIN}/domains
DOMAINS_FILE=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}domains
CERT=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}cert.pem
CERT=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}cert.pem
SHARED_KEY=${ACME_BASE}/acme/${PREFIX}key.pem # must already exist
SHARED_KEY=${ACME_BASE}/acme/${PREFIX}key.pem # must already exist
KEY=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}key.pem
KEY=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}key.pem
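Review bot: `DOMAINS_FILE` now takes `${PREFIX}`, which is assigned in the `if`/`elif` chain above this hunk and not visible here, so a reader of this line cannot tell that the rsa branch keeps the historical `domains` name while ecdsa gets `ecdsa-domains` (the name the first hunk archives). A comment on the line would make the split explicit, e.g. `# one domains list per key type, so an RSA issuance no longer masks a pending ECDSA change`; that reading of the purpose follows from the commit title and the first hunk, so adjust the wording if it is not the actual reason. `ACME_BASE`, `CERT_DOMAIN` and `PREFIX` are all set outside the hunk.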