Page MenuHomeWMGMC Issues
Files F15869

No OneTemporary
Actions

View Options

diff --git a/data/Dockerfiles/acme/Dockerfile b/data/Dockerfiles/acme/Dockerfile
index b3fd77fd..1554e6a8 100644
--- a/data/Dockerfiles/acme/Dockerfile
+++ b/data/Dockerfiles/acme/Dockerfile
@@ -1,16 +1,17 @@
FROM alpine:3.6
LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
RUN apk add --update --no-cache \
bash \
acme-client \
curl \
openssl \
bind-tools \
jq \
- mariadb-client
+ mariadb-client \
+ tini
COPY docker-entrypoint.sh /srv/docker-entrypoint.sh
-ENTRYPOINT ["/srv/docker-entrypoint.sh"]
+CMD ["/sbin/tini", "-g", "--", "/srv/docker-entrypoint.sh"]
diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index 25023819..6d3d7273 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -1,289 +1,307 @@
#!/bin/bash
set -o pipefail
exec 5>&1
ACME_BASE=/var/lib/acme
SSL_EXAMPLE=/var/lib/ssl-example
mkdir -p ${ACME_BASE}/acme/private
restart_containers(){
- for container in $*; do
- echo "Restarting ${container}..."
- curl -X POST http://dockerapi:8080/containers/${container}/restart
- done
+ for container in $*; do
+ echo "Restarting ${container}..."
+ curl -X POST http://dockerapi:8080/containers/${container}/restart
+ done
}
log_f() {
- echo "$(date) - ${1}"
+ if [[ ${2} == "no_nl" ]]; then
+ echo -n "$(date) - ${1}"
+ elif [[ ${2} == "no_date" ]]; then
+ echo "${1}"
+ else
+ echo "$(date) - ${1}"
+ fi
+}
+
+array_diff() {
+ # https://stackoverflow.com/questions/2312762, Alex Offshore
+ eval local ARR1=\(\"\${$2[@]}\"\)
+ eval local ARR2=\(\"\${$3[@]}\"\)
+ local IFS=$'\n'
+ mapfile -t $1 < <(comm -23 <(echo "${ARR1[*]}" | sort) <(echo "${ARR2[*]}" | sort))
}
verify_hash_match(){
- CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
- KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
- if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
- log_f "Certificate and key hashes do not match!"
- return 1
- else
- log_f "Verified hashes."
- return 0
- fi
+ CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
+ KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
+ if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
+ log_f "Certificate and key hashes do not match!"
+ return 1
+ else
+ log_f "Verified hashes."
+ return 0
+ fi
}
get_ipv4(){
local IPV4=
local IPV4_SRCS=
local TRY=
IPV4_SRCS[0]="api.ipify.org"
IPV4_SRCS[1]="ifconfig.co"-
IPV4_SRCS[2]="icanhazip.com"
IPV4_SRCS[3]="v4.ident.me"
IPV4_SRCS[4]="ipecho.net/plain"
IPV4_SRCS[5]="mailcow.email/ip.php"
until [[ ! -z ${IPV4} ]] || [[ ${TRY} -ge 100 ]]; do
IPV4=$(curl --connect-timeout 3 -m 10 -L4s ${IPV4_SRCS[$RANDOM % ${#IPV4_SRCS[@]} ]} | grep -E "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
[[ ! -z ${TRY} ]] && sleep 1
TRY=$((TRY+1))
done
echo ${IPV4}
}
[[ ! -f ${ACME_BASE}/dhparams.pem ]] && cp ${SSL_EXAMPLE}/dhparams.pem ${ACME_BASE}/dhparams.pem
if [[ -f ${ACME_BASE}/cert.pem ]] && [[ -f ${ACME_BASE}/key.pem ]]; then
- ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
- if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then
- log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..."
- sleep 3650d
- exec $(readlink -f "$0")
- else
- declare -a SAN_ARRAY_NOW
- SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:")
- if [[ ! -z ${SAN_NAMES} ]]; then
- IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES}
- log_f "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}"
- fi
- fi
+ ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
+ if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then
+ log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..."
+ sleep 3650d
+ exec $(readlink -f "$0")
+ else
+ declare -a SAN_ARRAY_NOW
+ SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:")
+ if [[ ! -z ${SAN_NAMES} ]]; then
+ IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES}
+ log_f "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}"
+ fi
+ fi
else
- if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
- if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then
- log_f "Restoring previous acme certificate and restarting script..."
- cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
- cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
- # Restarting with env var set to trigger a restart,
- exec env TRIGGER_RESTART=1 $(readlink -f "$0")
- fi
- ISSUER="mailcow"
- else
- log_f "Restoring mailcow snake-oil certificates and restarting script..."
- cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
- cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
- exec env TRIGGER_RESTART=1 $(readlink -f "$0")
- fi
+ if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
+ if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then
+ log_f "Restoring previous acme certificate and restarting script..."
+ cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+ cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+ # Restarting with env var set to trigger a restart,
+ exec env TRIGGER_RESTART=1 $(readlink -f "$0")
+ fi
+ ISSUER="mailcow"
+ else
+ log_f "Restoring mailcow snake-oil certificates and restarting script..."
+ cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+ cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+ exec env TRIGGER_RESTART=1 $(readlink -f "$0")
+ fi
fi
while ! mysqladmin ping --host mysql -u${DBUSER} -p${DBPASS} --silent; do
- echo "Waiting for database to come up..."
- sleep 2
+ echo "Waiting for database to come up..."
+ sleep 2
done
while true; do
- if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
- log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
- sleep 365d
- exec $(readlink -f "$0")
- fi
- if [[ "${SKIP_IP_CHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
- SKIP_IP_CHECK=y
- fi
- unset SQL_DOMAIN_ARR
- unset VALIDATED_CONFIG_DOMAINS
- unset ADDITIONAL_VALIDATED_SAN
- declare -a SQL_DOMAIN_ARR
- declare -a VALIDATED_CONFIG_DOMAINS
- declare -a ADDITIONAL_VALIDATED_SAN
- IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
- IPV4=$(get_ipv4)
- # Container ids may have changed
- CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
+ if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+ log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
+ sleep 365d
+ exec $(readlink -f "$0")
+ fi
+ if [[ "${SKIP_IP_CHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+ SKIP_IP_CHECK=y
+ fi
+ unset SQL_DOMAIN_ARR
+ unset VALIDATED_CONFIG_DOMAINS
+ unset ADDITIONAL_VALIDATED_SAN
+ declare -a SQL_DOMAIN_ARR
+ declare -a VALIDATED_CONFIG_DOMAINS
+ declare -a ADDITIONAL_VALIDATED_SAN
+ IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
+ IPV4=$(get_ipv4)
+ # Container ids may have changed
+ CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
- while read domain; do
- SQL_DOMAIN_ARR+=("${domain}")
- done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0" -Bs)
- while read alias_domain; do
- SQL_DOMAIN_ARR+=("${alias_domain}")
- done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
+ log_f "Waiting for domain tables... " no_nl
+ while [[ -z ${DOMAIN_TABLE} ]]; do
+ DOMAIN_TABLE=$(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
+ [[ -z ${DOMAIN_TABLE} ]] && sleep 10
+ done
+ log_f "OK" no_date
- for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
- A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1)
- if [[ ! -z ${A_CONFIG} ]]; then
- log_f "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}"
- if [[ ${IPV4:-ERR} == ${A_CONFIG} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
- log_f "Confirmed A record autoconfig.${SQL_DOMAIN}"
- VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}")
- else
- log_f "Cannot match your IP ${IPV4} against hostname autoconfig.${SQL_DOMAIN} (${A_CONFIG})"
- fi
- else
- log_f "No A record for autoconfig.${SQL_DOMAIN} found"
- fi
+ while read domains; do
+ SQL_DOMAIN_ARR+=("${domains}")
+ done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 UNION SELECT alias_domain FROM alias_domain" -Bs)
+
+ for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
+ A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1)
+ if [[ ! -z ${A_CONFIG} ]]; then
+ log_f "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}"
+ if [[ ${IPV4:-ERR} == ${A_CONFIG} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+ log_f "Confirmed A record autoconfig.${SQL_DOMAIN}"
+ VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}")
+ else
+ log_f "Cannot match your IP ${IPV4} against hostname autoconfig.${SQL_DOMAIN} (${A_CONFIG})"
+ fi
+ else
+ log_f "No A record for autoconfig.${SQL_DOMAIN} found"
+ fi
A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short | tail -n 1)
- if [[ ! -z ${A_DISCOVER} ]]; then
- log_f "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
- if [[ ${IPV4:-ERR} == ${A_DISCOVER} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
- log_f "Confirmed A record autodiscover.${SQL_DOMAIN}"
- VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}")
- else
- log_f "Cannot match your IP ${IPV4} against hostname autodiscover.${SQL_DOMAIN} (${A_DISCOVER})"
- fi
- else
- log_f "No A record for autodiscover.${SQL_DOMAIN} found"
- fi
- done
+ if [[ ! -z ${A_DISCOVER} ]]; then
+ log_f "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
+ if [[ ${IPV4:-ERR} == ${A_DISCOVER} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+ log_f "Confirmed A record autodiscover.${SQL_DOMAIN}"
+ VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}")
+ else
+ log_f "Cannot match your IP ${IPV4} against hostname autodiscover.${SQL_DOMAIN} (${A_DISCOVER})"
+ fi
+ else
+ log_f "No A record for autodiscover.${SQL_DOMAIN} found"
+ fi
+ done
- A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
- if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
- log_f "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
- if [[ ${IPV4:-ERR} == ${A_MAILCOW_HOSTNAME} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
- log_f "Confirmed A record ${MAILCOW_HOSTNAME}"
- VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
- else
- log_f "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (${A_MAILCOW_HOSTNAME}) "
- fi
- else
- log_f "No A record for ${MAILCOW_HOSTNAME} found"
- fi
+ A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
+ if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
+ log_f "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
+ if [[ ${IPV4:-ERR} == ${A_MAILCOW_HOSTNAME} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+ log_f "Confirmed A record ${MAILCOW_HOSTNAME}"
+ VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
+ else
+ log_f "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (${A_MAILCOW_HOSTNAME}) "
+ fi
+ else
+ log_f "No A record for ${MAILCOW_HOSTNAME} found"
+ fi
- for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
- if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then
- continue
- fi
- A_SAN=$(dig A ${SAN} +short | tail -n 1)
- if [[ ! -z ${A_SAN} ]]; then
- log_f "Found A record for ${SAN}: ${A_SAN}"
- if [[ ${IPV4:-ERR} == ${A_SAN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
- log_f "Confirmed A record ${SAN}"
- ADDITIONAL_VALIDATED_SAN+=("${SAN}")
- else
- log_f "Cannot match your IP against hostname ${SAN}"
- fi
- else
- log_f "No A record for ${SAN} found"
- fi
- done
+ for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
+ if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then
+ continue
+ fi
+ A_SAN=$(dig A ${SAN} +short | tail -n 1)
+ if [[ ! -z ${A_SAN} ]]; then
+ log_f "Found A record for ${SAN}: ${A_SAN}"
+ if [[ ${IPV4:-ERR} == ${A_SAN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+ log_f "Confirmed A record ${SAN}"
+ ADDITIONAL_VALIDATED_SAN+=("${SAN}")
+ else
+ log_f "Cannot match your IP against hostname ${SAN}"
+ fi
+ else
+ log_f "No A record for ${SAN} found"
+ fi
+ done
# Unique elements
- ALL_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
- if [[ -z ${ALL_VALIDATED[*]} ]]; then
- log_f "Cannot validate hostnames, skipping Let's Encrypt for 1 hour."
- log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
- sleep 1h
- exec $(readlink -f "$0")
- fi
+ ALL_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
+ if [[ -z ${ALL_VALIDATED[*]} ]]; then
+ log_f "Cannot validate hostnames, skipping Let's Encrypt for 1 hour."
+ log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
+ sleep 1h
+ exec $(readlink -f "$0")
+ fi
- ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${ALL_VALIDATED[*]} | tr ' ' '\n' | sort | uniq -u ))
- if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then
- DATE=$(date +%Y-%m-%d_%H_%M_%S)
- log_f "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
- mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/
- [[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/
- [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
- [[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/
- cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records
- fi
+ array_diff ORPHANED_SAN SAN_ARRAY_NOW ALL_VALIDATED
+ if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then
+ DATE=$(date +%Y-%m-%d_%H_%M_%S)
+ log_f "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
+ mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/
+ [[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/
+ [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
+ [[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/
+ cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records
+ fi
- ACME_RESPONSE=$(acme-client \
- -v -e -b -N -n \
- -f ${ACME_BASE}/acme/private/account.key \
- -k ${ACME_BASE}/acme/private/privkey.pem \
- -c ${ACME_BASE}/acme \
- ${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5)
+ ACME_RESPONSE=$(acme-client \
+ -v -e -b -N -n \
+ -f ${ACME_BASE}/acme/private/account.key \
+ -k ${ACME_BASE}/acme/private/privkey.pem \
+ -c ${ACME_BASE}/acme \
+ ${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5)
- case "$?" in
- 0) # new certs
- # cp the new certificates and keys
- cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
- cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+ case "$?" in
+ 0) # new certs
+ # cp the new certificates and keys
+ cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+ cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
- # restart docker containers
- if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
- log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, restoring mailcow snake-oil and restarting containers..."
- cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
- cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
- fi
- restart_containers ${CONTAINERS_RESTART[*]}
- ;;
- 1) # failure
- if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then
- log_f "Registration keys are invalid, deleting old keys and restarting..."
- rm ${ACME_BASE}/acme/private/account.key
- rm ${ACME_BASE}/acme/private/privkey.pem
- exec $(readlink -f "$0")
- fi
- if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
- log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
- cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
- cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
- TRIGGER_RESTART=1
- elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
- log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
- cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
- cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
- TRIGGER_RESTART=1
- fi
- if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
- log_f "Error verifying certificates, restoring mailcow snake-oil and restarting containers..."
- cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
- cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
- TRIGGER_RESTART=1
- fi
- [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
- log_f "Retrying in 30 minutes..."
- sleep 30m
- exec $(readlink -f "$0")
- ;;
- 2) # no change
- if ! diff ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem; then
- log_f "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..."
- cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
- cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
- TRIGGER_RESTART=1
- fi
- if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
- log_f "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..."
- cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
- cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
- TRIGGER_RESTART=1
- fi
- [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
- ;;
- *) # unspecified
- if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
- log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
- cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
- cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
- TRIGGER_RESTART=1
+ # restart docker containers
+ if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+ log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, restoring mailcow snake-oil and restarting containers..."
+ cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+ cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+ fi
+ restart_containers ${CONTAINERS_RESTART[*]}
+ ;;
+ 1) # failure
+ if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then
+ log_f "Registration keys are invalid, deleting old keys and restarting..."
+ rm ${ACME_BASE}/acme/private/account.key
+ rm ${ACME_BASE}/acme/private/privkey.pem
+ exec $(readlink -f "$0")
+ fi
+ if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
+ log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
+ cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
+ cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
+ TRIGGER_RESTART=1
+ elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
+ log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
+ cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+ cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+ TRIGGER_RESTART=1
+ fi
+ if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+ log_f "Error verifying certificates, restoring mailcow snake-oil and restarting containers..."
+ cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+ cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+ TRIGGER_RESTART=1
+ fi
+ [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
+ log_f "Retrying in 30 minutes..."
+ sleep 30m
+ exec $(readlink -f "$0")
+ ;;
+ 2) # no change
+ if ! diff ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem; then
+ log_f "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..."
+ cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+ cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+ TRIGGER_RESTART=1
+ fi
+ if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+ log_f "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..."
+ cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+ cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+ TRIGGER_RESTART=1
+ fi
+ [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
+ ;;
+ *) # unspecified
+ if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
+ log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
+ cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
+ cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
+ TRIGGER_RESTART=1
elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
- log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
- cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
- cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
- TRIGGER_RESTART=1
- fi
- if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
- log_f "Error verifying certificates, restoring mailcow snake-oil..."
- cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
- cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
- TRIGGER_RESTART=1
- fi
- [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
- log_f "Retrying in 30 minutes..."
- sleep 30m
- exec $(readlink -f "$0")
- ;;
- esac
+ log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
+ cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+ cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+ TRIGGER_RESTART=1
+ fi
+ if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+ log_f "Error verifying certificates, restoring mailcow snake-oil..."
+ cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+ cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+ TRIGGER_RESTART=1
+ fi
+ [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
+ log_f "Retrying in 30 minutes..."
+ sleep 30m
+ exec $(readlink -f "$0")
+ ;;
+ esac
- log_f "ACME certificate validation done. Sleeping for another day."
- sleep 1d
+ log_f "ACME certificate validation done. Sleeping for another day."
+ sleep 1d
done
diff --git a/data/Dockerfiles/acme/tini b/data/Dockerfiles/acme/tini
new file mode 100755
index 00000000..6556c966
Binary files /dev/null and b/data/Dockerfiles/acme/tini differ

File Metadata

Mime Type
text/x-diff
Expires
9月 9 Tue, 5:45 AM (7 h, 40 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
5358
默认替代文本
(25 KB)

Event Timeline

WMGMC Technical Group