Laudende Default seite entfernen
parent
ae883adf9f
commit
3c6185e291
|
|
@ -2,8 +2,29 @@
|
|||
set -euo pipefail
|
||||
source ./lib.sh
|
||||
|
||||
install -d /etc/letsencrypt/renewal-hooks/deploy
|
||||
# -----------------------------------------------------------------------------
|
||||
# 21-le-deploy-hook.sh
|
||||
# - Legt /etc/mailwolt/installer.env (falls fehlt) an
|
||||
# - Erzeugt LE-Deploy-Hooks:
|
||||
# * 50-mailwolt-symlinks.sh → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
|
||||
# * 60-mailwolt-tlsa.sh → schreibt TLSA (3 1 1) für MX nach jedem Renew
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
# 1) Sicherstellen, dass die Hosts persistent verfügbar sind
|
||||
if [[ ! -f /etc/mailwolt/installer.env ]]; then
|
||||
install -d -m 0755 /etc/mailwolt
|
||||
cat >/etc/mailwolt/installer.env <<EOF
|
||||
UI_HOST=${UI_HOST}
|
||||
WEBMAIL_HOST=${WEBMAIL_HOST}
|
||||
MAIL_HOSTNAME=${MAIL_HOSTNAME}
|
||||
EOF
|
||||
echo "[+] /etc/mailwolt/installer.env erstellt."
|
||||
fi
|
||||
|
||||
# 2) Deploy-Hooks-Verzeichnis anlegen
|
||||
install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
|
||||
|
||||
# 3) Hook: LE-Zertifikate nach /etc/ssl/* verlinken und Nginx reloaden
|
||||
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
|
@ -30,7 +51,7 @@ link_if() {
|
|||
local le_base="$1" target_dir="$2"
|
||||
local cert="${le_base}/fullchain.pem"
|
||||
local key="${le_base}/privkey.pem"
|
||||
if [ -f "$cert" ] && [ -f "$key" ]; then
|
||||
if [[ -f "$cert" && -f "$key" ]]; then
|
||||
install -d -m 0755 "$target_dir"
|
||||
ln -sf "$cert" "${target_dir}/fullchain.pem"
|
||||
ln -sf "$key" "${target_dir}/privkey.pem"
|
||||
|
|
@ -39,38 +60,52 @@ link_if() {
|
|||
}
|
||||
|
||||
# Nur linken, wenn Hostnamen vorhanden sind
|
||||
[ -n "$UI_HOST" ] && link_if "$UI_LE" "$UI_SSL_DIR"
|
||||
[ -n "$WEBMAIL_HOST" ] && link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
|
||||
[ -n "$MX_HOST" ] && link_if "$MX_LE" "$MAIL_SSL_DIR"
|
||||
[[ -n "$UI_HOST" ]] && link_if "$UI_LE" "$UI_SSL_DIR"
|
||||
[[ -n "$WEBMAIL_HOST" ]] && link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
|
||||
[[ -n "$MX_HOST" ]] && link_if "$MX_LE" "$MAIL_SSL_DIR"
|
||||
|
||||
# Dienste neu laden
|
||||
# sinnvolle Rechte (Key nur für root lesbar, Chain world-readable)
|
||||
chmod 640 "${UI_SSL_DIR}/privkey.pem" 2>/dev/null || true
|
||||
chmod 640 "${WEBMAIL_SSL_DIR}/privkey.pem" 2>/dev/null || true
|
||||
chmod 640 "${MAIL_SSL_DIR}/privkey.pem" 2>/dev/null || true
|
||||
chmod 644 "${UI_SSL_DIR}/fullchain.pem" 2>/dev/null || true
|
||||
chmod 644 "${WEBMAIL_SSL_DIR}/fullchain.pem" 2>/dev/null || true
|
||||
chmod 644 "${MAIL_SSL_DIR}/fullchain.pem" 2>/dev/null || true
|
||||
|
||||
# Nur Nginx neu laden – Postfix/Dovecot startet später im Installer
|
||||
systemctl reload nginx || true
|
||||
systemctl reload postfix dovecot || true
|
||||
HOOK
|
||||
|
||||
chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
|
||||
|
||||
# --- 60: TLSA-Hook (bei jedem Renew für MX neu berechnen – falls Key doch rotiert) ---
|
||||
cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<HOOK
|
||||
# 4) Hook: TLSA (3 1 1) für MX nach jedem Renew/Issue generieren
|
||||
cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
MX_HOST="${MAIL_HOSTNAME}"
|
||||
|
||||
# Nur reagieren, wenn das MX-Zert erneuert wurde
|
||||
case " \${RENEWED_DOMAINS:-} " in
|
||||
*" \${MX_HOST} "*) ;;
|
||||
# MAIL_HOSTNAME kommt von certbot via Environment nicht automatisch,
|
||||
# daher direkt aus installer.env lesen, falls gesetzt.
|
||||
set +u
|
||||
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||||
set -u
|
||||
MX_HOST="${MAIL_HOSTNAME:-}"
|
||||
|
||||
[[ -n "$MX_HOST" ]] || exit 0
|
||||
|
||||
# Nur reagieren, wenn das MX-Zert in diesem Run drin war
|
||||
case " ${RENEWED_DOMAINS:-} " in
|
||||
*" ${MX_HOST} "*) ;; # ok
|
||||
*) exit 0 ;;
|
||||
esac
|
||||
|
||||
CERT="\${RENEWED_LINEAGE}/fullchain.pem"
|
||||
if [[ -s "\$CERT" ]]; then
|
||||
HASH="\$(openssl x509 -in "\$CERT" -noout -pubkey \
|
||||
CERT="${RENEWED_LINEAGE}/fullchain.pem"
|
||||
if [[ -s "$CERT" ]]; then
|
||||
HASH="$(openssl x509 -in "$CERT" -noout -pubkey \
|
||||
| openssl pkey -pubin -outform DER \
|
||||
| openssl dgst -sha256 | sed 's/^.*= //')"
|
||||
TLSA_LINE="_25._tcp.\${MX_HOST}. IN TLSA 3 1 1 \${HASH}"
|
||||
TLSA_LINE="_25._tcp.${MX_HOST}. IN TLSA 3 1 1 ${HASH}"
|
||||
install -d -m 0755 /etc/mailwolt/dns
|
||||
echo "\${TLSA_LINE}" > "/etc/mailwolt/dns/\${MX_HOST}.tlsa.txt"
|
||||
echo "[TLSA] \${TLSA_LINE}"
|
||||
echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MX_HOST}.tlsa.txt"
|
||||
echo "[TLSA] ${TLSA_LINE}"
|
||||
fi
|
||||
HOOK
|
||||
chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh
|
||||
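Review bot: The new 60-mailwolt-tlsa.sh hook computes the `3 1 1` record but only writes it to `/etc/mailwolt/dns/${MX_HOST}.tlsa.txt`; nothing in the hunk publishes it, so when a renewal rotates the key (certbot's default unless `reuse_key = True` is set in the lineage's renewal conf, as far as I recall) DANE-verifying senders will reject the MX until the DNS record is updated by hand. Either pin the key in the renewal conf or note it next to `# 4) Hook: TLSA (3 1 1) für MX nach jedem Renew/Issue generieren`, e.g. `# NOTE: the record is only written to disk here; it must be published in DNS before the old key is retired`. Separately, in 50-mailwolt-symlinks.sh the `chmod 640 "${UI_SSL_DIR}/privkey.pem"` lines (and the five that follow) act on symlinks created by `ln -sf`, and chmod follows symlinks, so they change the mode of the key file the link points to rather than of the link; confirm that loosening the original key to group-readable is intended. Both hook bodies are heredocs whose earlier lines, including the definitions of `UI_LE`, `MX_LE` and `MX_HOST`, lie outside the hunk.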