boban
/
mailwolt-installer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Laudende Default seite entfernen

main
boksbc 2025-10-17 04:14:06 +02:00
parent b49c661763
commit 90a80e6843
1 changed files with 104 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
scripts/75-le-issue.sh
View File

@ -5,16 +5,19 @@ source ./lib.sh
ACME_WEBROOT="/var/www/letsencrypt"
install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
# Staging optional (verbraucht kein Live-Limit)
CERTBOT_EXTRA=()
LE_STAGING="${LE_STAGING:-0}" # 1 = Let's Encrypt Staging aktivieren
LE_STAGING="${LE_STAGING:-0}"
[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
# Einheitliche LE-Mail (Fallback)
LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"
resolve_ok() {
local host="$1"
local pats=()
[[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
[[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
# Wenn gar nichts bekannt ist, lieber nicht blockieren:
[[ ${#pats[@]} -eq 0 ]] && return 0
getent ahosts "$host" | awk '{print $1}' | sort -u \
| grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
@ -28,47 +31,123 @@ probe_http() {
}
issue() {
local host="$1"
local host="${1:-}"
[[ -z "$host" ]] && return 0
echo "[i] Versuche LE für ${host}"
resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher skip ${host}"; return 0; }
if ! resolve_ok "$host"; then
echo "[!] DNS zeigt (noch) nicht hierher überspringe: ${host}"
return 0
fi
if ! probe_http "$host"; then
echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
# wir versuchen trotzdem Certbot meldet sich, falls es scheitert
fi
# MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
EXTRA_ARGS=()
[[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)
# Für MX den Key wiederverwenden → stabiler TLSA (3 1 1)
[[ "$host" == "${MAIL_HOSTNAME}" ]] && EXTRA_ARGS+=(--reuse-key)
certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
--non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
# WICHTIG: Deploy-Wrapper anhängen, damit Symlinks/Nginx gesetzt werden
certbot certonly \
--agree-tos -m "${LE_MAIL}" --non-interactive \
--webroot -w "${ACME_WEBROOT}" -d "${host}" \
--deploy-hook /usr/local/sbin/mw-deploy.sh \
"${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
}
if [[ "$BASE_DOMAIN" != "example.com" ]]; then
issue "$UI_HOST"
issue "$WEBMAIL_HOST"
issue "$MAIL_HOSTNAME"
if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
issue "${UI_HOST:-}"
issue "${WEBMAIL_HOST:-}"
issue "${MAIL_HOSTNAME:-}"
run-parts /etc/letsencrypt/renewal-hooks/deploy || true
systemctl reload nginx || true
# Falls der Deploy-Wrapper gerade erst installiert wurde:
if [[ -x /usr/local/sbin/mw-deploy.sh ]]; then
/usr/local/sbin/mw-deploy.sh || true
fi
# # TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
# MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
# if [[ -s "$MX_CERT" ]]; then
# HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
# | openssl pkey -pubin -outform DER \
# | openssl dgst -sha256 | sed 's/^.*= //')"
# TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
# install -d -m 0755 /etc/mailwolt/dns
# echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
# echo "[TLSA] ${TLSA_LINE}"
# fi
# Nginx nur neu laden, wenn aktiv
if systemctl is-active --quiet nginx; then
systemctl reload nginx || true
fi
else
echo "[i] BASE_DOMAIN=example.com LE wird übersprungen."
fi
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#ACME_WEBROOT="/var/www/letsencrypt"
#install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
#
#CERTBOT_EXTRA=()
#LE_STAGING="${LE_STAGING:-0}" # 1 = Let's Encrypt Staging aktivieren
#[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
#
#resolve_ok() {
# local host="$1"
# local pats=()
# [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
# [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
# # Wenn gar nichts bekannt ist, lieber nicht blockieren:
# [[ ${#pats[@]} -eq 0 ]] && return 0
# getent ahosts "$host" | awk '{print $1}' | sort -u \
# | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
#}
#
#probe_http() {
# local host="$1"
# echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
# curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
# || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
#}
#
#issue() {
# local host="$1"
# echo "[i] Versuche LE für ${host} …"
# resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher skip ${host}"; return 0; }
#
# if ! probe_http "$host"; then
# echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
# fi
#
# # MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
# EXTRA_ARGS=()
# [[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)
#
# certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
# --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
# "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
#}
#
#if [[ "$BASE_DOMAIN" != "example.com" ]]; then
# issue "$UI_HOST"
# issue "$WEBMAIL_HOST"
# issue "$MAIL_HOSTNAME"
#
#run-parts /etc/letsencrypt/renewal-hooks/deploy || true
#systemctl reload nginx || true
#
## # TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
## MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
## if [[ -s "$MX_CERT" ]]; then
## HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
## | openssl pkey -pubin -outform DER \
## | openssl dgst -sha256 | sed 's/^.*= //')"
## TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
## install -d -m 0755 /etc/mailwolt/dns
## echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
## echo "[TLSA] ${TLSA_LINE}"
## fi
#else
# echo "[i] BASE_DOMAIN=example.com LE wird übersprungen."
#fi
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh