Головна сторінка Огляд Довідка
Увійти
irwanmohi
/
mailcow-dockerized
дзеркало https://github.com/mailcow/mailcow-dockerized.git
Слідкувати 1
Зірка 0
Відгалуження 0
Файли Проблеми 0 Wiki
Гілка: feat/mTLS-auth
Гілки Теги
mailcow-dock...
/
data
/
Dockerfiles
/
acme
/
obtain-certificate.sh

obtain-certificate.sh 4.6 KB
Постійне посилання Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131 
  1. #!/bin/bash
    2. 

  2. 

  3. # Return values / exit codes
    4. 

  4. # 0 = cert created successfully
    5. 

  5. # 1 = cert renewed successfully
    6. 

  6. # 2 = cert not due for renewal
    7. 

  7. # * = errors
    8. 

  8. 

  9. 

  10. source /srv/functions.sh
    11. 

  11. 

  12. CERT_DOMAINS=(${DOMAINS[@]})
    13. 

  13. CERT_DOMAIN=${CERT_DOMAINS[0]}
    14. 

  14. ACME_BASE=/var/lib/acme
    15. 

  15. 

  16. TYPE=${1}
    17. 

  17. PREFIX=""
    18. 

  18. # only support rsa certificates for now
    19. 

  19. if [[ "${TYPE}" != "rsa" ]]; then
    20. 

  20.   log_f "Unknown certificate type '${TYPE}' requested"
    21. 

  21.   exit 5
    22. 

  22. fi
    23. 

  23. DOMAINS_FILE=${ACME_BASE}/${CERT_DOMAIN}/domains
    24. 

  24. CERT=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}cert.pem
    25. 

  25. SHARED_KEY=${ACME_BASE}/acme/${PREFIX}key.pem  # must already exist
    26. 

  26. KEY=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}key.pem
    27. 

  27. CSR=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}acme.csr
    28. 

  28. 

  29. if [[ -z ${CERT_DOMAINS[*]} ]]; then
    30. 

  30.   log_f "Missing CERT_DOMAINS to obtain a certificate"
    31. 

  31.   exit 3
    32. 

  32. fi
    33. 

  33. 

  34. if [[ "${LE_STAGING}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
    35. 

  35.   if [[ ! -z "${DIRECTORY_URL}" ]]; then
    36. 

  36.     log_f "Cannot use DIRECTORY_URL with LE_STAGING=y - ignoring DIRECTORY_URL"
    37. 

  37.   fi
    38. 

  38.   log_f "Using Let's Encrypt staging servers"
    39. 

  39.   DIRECTORY_URL='--directory-url https://acme-staging-v02.api.letsencrypt.org/directory'
    40. 

  40. elif [[ ! -z "${DIRECTORY_URL}" ]]; then
    41. 

  41.   log_f "Using custom directory URL ${DIRECTORY_URL}"
    42. 

  42.   DIRECTORY_URL="--directory-url ${DIRECTORY_URL}"
    43. 

  43. fi
    44. 

  44. 

  45. if [[ -f ${DOMAINS_FILE} && "$(cat ${DOMAINS_FILE})" ==  "${CERT_DOMAINS[*]}" ]]; then
    46. 

  46.   if [[ ! -f ${CERT} || ! -f "${KEY}" || -f "${ACME_BASE}/force_renew" ]]; then
    47. 

  47.     log_f "Certificate ${CERT} doesn't exist yet or forced renewal - start obtaining"
    48. 

  48.   # Certificate exists and did not change but could be due for renewal (30 days)
    49. 

  49.   elif ! openssl x509 -checkend 2592000 -noout -in ${CERT} > /dev/null; then
    50. 

  50.     log_f "Certificate ${CERT} is due for renewal (< 30 days) - start renewing"
    51. 

  51.   else
    52. 

  52.     log_f "Certificate ${CERT} validation done, neither changed nor due for renewal."
    53. 

  53.     exit 2
    54. 

  54.   fi
    55. 

  55. else
    56. 

  56.   log_f "Certificate ${CERT} missing or changed domains '${CERT_DOMAINS[*]}' - start obtaining"
    57. 

  57. fi
    58. 

  58. 

  59. 

  60. # Make backup
    61. 

  61. if [[ -f ${CERT} ]]; then
    62. 

  62.   DATE=$(date +%Y-%m-%d_%H_%M_%S)
    63. 

  63.   BACKUP_DIR=${ACME_BASE}/backups/${CERT_DOMAIN}/${PREFIX}${DATE}
    64. 

  64.   log_f "Creating backups in ${BACKUP_DIR} ..."
    65. 

  65.   mkdir -p ${BACKUP_DIR}/
    66. 

  66.   [[ -f ${DOMAINS_FILE} ]] && cp ${DOMAINS_FILE} ${BACKUP_DIR}/
    67. 

  67.   [[ -f ${CERT} ]] && cp ${CERT} ${BACKUP_DIR}/
    68. 

  68.   [[ -f ${KEY} ]] && cp ${KEY} ${BACKUP_DIR}/
    69. 

  69.   [[ -f ${CSR} ]] && cp ${CSR} ${BACKUP_DIR}/
    70. 

  70. fi
    71. 

  71. 

  72. mkdir -p ${ACME_BASE}/${CERT_DOMAIN}
    73. 

  73. if [[ ! -f ${KEY} ]]; then
    74. 

  74.   log_f "Copying shared private key for this certificate..."
    75. 

  75.   cp ${SHARED_KEY} ${KEY}
    76. 

  76.   chmod 600 ${KEY}
    77. 

  77. fi
    78. 

  78. 

  79. # Generating CSR
    80. 

  80. printf "[SAN]\nsubjectAltName=" > /tmp/_SAN
    81. 

  81. printf "DNS:%s," "${CERT_DOMAINS[@]}" >> /tmp/_SAN
    82. 

  82. sed -i '$s/,$//' /tmp/_SAN
    83. 

  83. openssl req -new -sha256 -key ${KEY} -subj "/" -reqexts SAN -config <(cat "$(openssl version -d | sed 's/.*"\(.*\)"/\1/g')/openssl.cnf" /tmp/_SAN) > ${CSR}
    84. 

  84. 

  85. # acme-tiny writes info to stderr and ceritifcate to stdout
    86. 

  86. # The redirects will do the following:
    87. 

  87. # - redirect stdout to temp certificate file
    88. 

  88. # - redirect acme-tiny stderr to stdout (logs to variable ACME_RESPONSE)
    89. 

  89. # - tee stderr to get live output and log to dockerd
    90. 

  90. 

  91. log_f "Checking resolver..."
    92. 

  92. until dig letsencrypt.org +time=3 +tries=1 @unbound > /dev/null; do
    93. 

  93.   sleep 2
    94. 

  94. done
    95. 

  95. log_f "Resolver OK"
    96. 

  96. log_f "Using command acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} --account-key ${ACME_BASE}/acme/account.pem --disable-check --csr ${CSR} --acme-dir /var/www/acme/"
    97. 

  97. ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} \
    98. 

  98.   --account-key ${ACME_BASE}/acme/account.pem \
    99. 

  99.   --disable-check \
    100. 

  100.   --csr ${CSR} \
    101. 

  101.   --acme-dir /var/www/acme/ 2>&1 > /tmp/_cert.pem | tee /dev/fd/5; exit ${PIPESTATUS[0]})
    102. 

  102. SUCCESS="$?"
    103. 

  103. ACME_RESPONSE_B64=$(echo "${ACME_RESPONSE}" | openssl enc -e -A -base64)
    104. 

  104. log_f "${ACME_RESPONSE_B64}" redis_only b64
    105. 

  105. case "$SUCCESS" in
    106. 

  106.   0) # cert requested
    107. 

  107.     log_f "Deploying certificate ${CERT}..."
    108. 

  108.     # Deploy the new certificate and key
    109. 

  109.     # Moving temp cert to {domain} folder
    110. 

  110.     if verify_hash_match /tmp/_cert.pem ${KEY}; then
    111. 

  111.       RETURN=0  # certificate created
    112. 

  112.       if [[ -f ${CERT} ]]; then
    113. 

  113.         RETURN=1  # certificate renewed
    114. 

  114.       fi
    115. 

  115.       mv -f /tmp/_cert.pem ${CERT}
    116. 

  116.       echo -n ${CERT_DOMAINS[*]} > ${DOMAINS_FILE}
    117. 

  117.       rm /var/www/acme/* 2> /dev/null
    118. 

  118.       log_f "Certificate successfully obtained"
    119. 

  119.       exit ${RETURN}
    120. 

  120.     else
    121. 

  121.       log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, ignoring certificate"
    122. 

  122.       exit 4
    123. 

  123.     fi
    124. 

  124.     ;;
    125. 

  125.   *) # non-zero is non-fun
    126. 

  126.     log_f "Failed to obtain certificate ${CERT} for domains '${CERT_DOMAINS[*]}'"
    127. 

  127.     redis-cli -h redis SET ACME_FAIL_TIME "$(date +%s)"
    128. 

  128.     exit 100${SUCCESS}
    129. 

  129.     ;;
    130. 

  130. esac
    131. 

  131.