boban
/
mailwolt-installer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Laudende Default seite entfernen

main
boksbc 2025-10-17 03:16:19 +02:00
parent ede1b82c41
commit 9bdb02514d
2 changed files with 320 additions and 169 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

319
scripts/21-le-deploy-hook.sh
View File

@ -4,11 +4,20 @@ source ./lib.sh
log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …" log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"
# 1) Wrapper-Skript, das Symlinks setzt und Nginx reloaded # 1) Wrapper, den Certbot bei Issue/Renew aufruft
cat >/usr/local/sbin/mw-deploy.sh <<'WRAP' cat >/usr/local/sbin/mw-deploy.sh <<'WRAP'
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
# Installer-Variablen laden (UI_HOST, WEBMAIL_HOST, MAIL_HOSTNAME, optional LE_EMAIL etc.)
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u
UI_HOST="${UI_HOST:-}"
WEBMAIL_HOST="${WEBMAIL_HOST:-}"
MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
link_if() { link_if() {
local le_base="$1" target_dir="$2" local le_base="$1" target_dir="$2"
local cert="${le_base}/fullchain.pem" local cert="${le_base}/fullchain.pem"
@ -22,22 +31,35 @@ link_if() {
echo "[+] Linked ${target_dir} -> ${le_base}" echo "[+] Linked ${target_dir} -> ${le_base}"
} }
UI_HOST="${UI_HOST:-}" # Nur für Domains arbeiten, die im aktuellen Lauf erneuert/ausgestellt wurden
WEBMAIL_HOST="${WEBMAIL_HOST:-}" RDOMS=" ${RENEWED_DOMAINS:-} "
MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
[[ -n "$UI_HOST" ]] && link_if "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui" # UI
[[ -n "$WEBMAIL_HOST" ]] && link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail" if [[ -n "$UI_HOST" && "$RDOMS" == *" ${UI_HOST} "* ]]; then
[[ -n "$MAIL_HOSTNAME" ]] && link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail" link_if "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui"
fi
# Webmail
if [[ -n "$WEBMAIL_HOST" && "$RDOMS" == *" ${WEBMAIL_HOST} "* ]]; then
link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail"
fi
# MX
if [[ -n "$MAIL_HOSTNAME" && "$RDOMS" == *" ${MAIL_HOSTNAME} "* ]]; then
link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail"
fi
# Optional: TLSA via Laravel, falls App schon vorhanden (sonst still überspringen)
if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then
(cd /var/www/mailwolt && php artisan dns:tlsa:refresh) || true
fi
# Nginx nur neu laden, wenn aktiv
if systemctl is-active --quiet nginx; then if systemctl is-active --quiet nginx; then
systemctl reload nginx || true systemctl reload nginx || true
fi fi
WRAP WRAP
chmod +x /usr/local/sbin/mw-deploy.sh chmod +x /usr/local/sbin/mw-deploy.sh
# 2) Certbot Deploy-Hook-Verzeichnis + Symlink für Renewals # 2) Certbot-Deploy-Hooks einrichten (ruft nur den Wrapper auf)
install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK' cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
#!/usr/bin/env bash #!/usr/bin/env bash
@ -51,133 +73,182 @@ log "[✓] MailWolt Deploy-Hook eingerichtet"
#set -euo pipefail #set -euo pipefail
#source ./lib.sh #source ./lib.sh
# #
## ──────────────────────────────────────────────────────────────────────────── #log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"
## 21-le-deploy-hook.sh
## • legt /etc/mailwolt/installer.env an (falls fehlt)
## • erzeugt Deploy-Hooks:
## - 50-mailwolt-symlinks.sh → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
## - 60-mailwolt-tlsa.sh → aktualisiert TLSA (3 1 1) für MX bei jedem Renew
## • KEIN Reload von Postfix/Dovecot (kommt später im Installer)
## ────────────────────────────────────────────────────────────────────────────
# #
## 0) Hostnamen persistent speichern (für spätere Deploys) ## 1) Wrapper-Skript, das Symlinks setzt und Nginx reloaded
#install -d -m 0755 /etc/mailwolt #cat >/usr/local/sbin/mw-deploy.sh <<'WRAP'
#if [[ ! -f /etc/mailwolt/installer.env ]]; then
# cat >/etc/mailwolt/installer.env <<EOF
#UI_HOST=${UI_HOST}
#WEBMAIL_HOST=${WEBMAIL_HOST}
#MAIL_HOSTNAME=${MAIL_HOSTNAME}
#EOF
# echo "[+] /etc/mailwolt/installer.env erstellt."
#fi
#
## 1) Deploy-Hooks-Verzeichnis anlegen
#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
#
## ────────────────────────────────────────────────────────────────────────────
## 2) 50-mailwolt-symlinks.sh
## ────────────────────────────────────────────────────────────────────────────
#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<HOOK
##!/usr/bin/env bash ##!/usr/bin/env bash
#set -euo pipefail #set -euo pipefail
# #
#UI_LE="/etc/letsencrypt/live/${UI_HOST}"
#WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
#MX_LE="/etc/letsencrypt/live/${MAIL_HOSTNAME}"
#
#UI_SSL_DIR="/etc/ssl/ui"
#WEBMAIL_SSL_DIR="/etc/ssl/webmail"
#MAIL_SSL_DIR="/etc/ssl/mail"
#
## Zielverzeichnisse anlegen (einmalig)
#install -d -m 0755 "\$UI_SSL_DIR" "\$WEBMAIL_SSL_DIR" "\$MAIL_SSL_DIR"
#
#link_if() { #link_if() {
# local le_base="\$1" target_dir="\$2" # local le_base="$1" target_dir="$2"
# local cert="\${le_base}/fullchain.pem" # local cert="${le_base}/fullchain.pem"
# local key="\${le_base}/privkey.pem" # local key="${le_base}/privkey.pem"
# [[ -s "\$cert" && -s "\$key" ]] || return 0 # [[ -s "$cert" && -s "$key" ]] || return 0
# ln -sf "\$cert" "\${target_dir}/fullchain.pem" # install -d -m 0755 "$target_dir"
# ln -sf "\$key" "\${target_dir}/privkey.pem" # ln -sf "$cert" "${target_dir}/fullchain.pem"
# chmod 644 "\${target_dir}/fullchain.pem" 2>/dev/null || true # ln -sf "$key" "${target_dir}/privkey.pem"
# chmod 600 "\${target_dir}/privkey.pem" 2>/dev/null || true # chmod 644 "${target_dir}/fullchain.pem" 2>/dev/null || true
# echo "[+] Linked \${target_dir} -> \${le_base}" # chmod 600 "${target_dir}/privkey.pem" 2>/dev/null || true
# echo "[+] Linked ${target_dir} -> ${le_base}"
#} #}
# #
## Verlinken (nur wenn Host konfiguriert) #UI_HOST="${UI_HOST:-}"
#[[ -n "${UI_HOST}" ]] && link_if "\$UI_LE" "\$UI_SSL_DIR" #WEBMAIL_HOST="${WEBMAIL_HOST:-}"
#[[ -n "${WEBMAIL_HOST}" ]] && link_if "\$WEBMAIL_LE" "\$WEBMAIL_SSL_DIR" #MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
#[[ -n "${MAIL_HOSTNAME}" ]] && link_if "\$MX_LE" "\$MAIL_SSL_DIR" #
#[[ -n "$UI_HOST" ]] && link_if "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui"
#[[ -n "$WEBMAIL_HOST" ]] && link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail"
#[[ -n "$MAIL_HOSTNAME" ]] && link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail"
# #
## Nur reloaden, wenn Nginx aktiv ist (Installer startet ihn später erst)
#if systemctl is-active --quiet nginx; then #if systemctl is-active --quiet nginx; then
# systemctl reload nginx || true # systemctl reload nginx || true
#fi #fi
#WRAP
#
#chmod +x /usr/local/sbin/mw-deploy.sh
#
## 2) Certbot Deploy-Hook-Verzeichnis + Symlink für Renewals
#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
##!/usr/bin/env bash
#exec /usr/local/sbin/mw-deploy.sh
#HOOK #HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh #chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
# #
## ──────────────────────────────────────────────────────────────────────────── #log "[✓] MailWolt Deploy-Hook eingerichtet"
## 3) 60-mailwolt-tlsa.sh
## → nutzt Laravel, falls vorhanden; sonst Fallback mit OpenSSL.
## → schreibt nur, wenn sich der Hash geändert hat (idempotent)
## ────────────────────────────────────────────────────────────────────────────
#cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
##!/usr/bin/env bash
#set -euo pipefail
# #
## installer.env lesen ###!/usr/bin/env bash
#set +u ##set -euo pipefail
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env ##source ./lib.sh
#set -u ##
# ### ────────────────────────────────────────────────────────────────────────────
#APP_ENV_VAL="${APP_ENV:-production}" ### 21-le-deploy-hook.sh
#BASE_DOMAIN_VAL="${BASE_DOMAIN:-example.com}" ### • legt /etc/mailwolt/installer.env an (falls fehlt)
# ### • erzeugt Deploy-Hooks:
#case "$APP_ENV_VAL" in ### - 50-mailwolt-symlinks.sh → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
# local|dev|development) exit 0 ;; ### - 60-mailwolt-tlsa.sh → aktualisiert TLSA (3 1 1) für MX bei jedem Renew
#esac ### • KEIN Reload von Postfix/Dovecot (kommt später im Installer)
#[ "$BASE_DOMAIN_VAL" = "example.com" ] && exit 0 ### ────────────────────────────────────────────────────────────────────────────
# ##
#MX_HOST="${MAIL_HOSTNAME:-}" ### 0) Hostnamen persistent speichern (für spätere Deploys)
#SERVICE="_25._tcp" ##install -d -m 0755 /etc/mailwolt
#DNS_DIR="/etc/mailwolt/dns" ##if [[ ! -f /etc/mailwolt/installer.env ]]; then
#OUT_FILE="${DNS_DIR}/${MX_HOST}.tlsa.txt" ## cat >/etc/mailwolt/installer.env <<EOF
# ##UI_HOST=${UI_HOST}
## Nur reagieren, wenn MX-Zertifikat betroffen war ##WEBMAIL_HOST=${WEBMAIL_HOST}
#case " ${RENEWED_DOMAINS:-} " in ##MAIL_HOSTNAME=${MAIL_HOSTNAME}
# *" ${MX_HOST} "*) ;; ##EOF
# *) exit 0 ;; ## echo "[+] /etc/mailwolt/installer.env erstellt."
#esac ##fi
# ##
#CERT="${RENEWED_LINEAGE}/fullchain.pem" ### 1) Deploy-Hooks-Verzeichnis anlegen
#[ -s "$CERT" ] || exit 0 ##install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
# ##
## Wenn Laravel vorhanden ist → interner Command (DB + Datei idempotent) ### ────────────────────────────────────────────────────────────────────────────
#if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then ### 2) 50-mailwolt-symlinks.sh
# cd /var/www/mailwolt || exit 0 ### ────────────────────────────────────────────────────────────────────────────
# php artisan dns:tlsa:refresh || true ##cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<HOOK
# exit 0 ###!/usr/bin/env bash
#fi ##set -euo pipefail
# ##
## Fallback: nur Datei aktualisieren, wenn Hash sich ändert ##UI_LE="/etc/letsencrypt/live/${UI_HOST}"
#HASH="$(openssl x509 -in "$CERT" -noout -pubkey \ ##WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
# | openssl pkey -pubin -outform DER \ ##MX_LE="/etc/letsencrypt/live/${MAIL_HOSTNAME}"
# | openssl dgst -sha256 | sed 's/^.*= //')" ##
#NEW_LINE="${SERVICE}.${MX_HOST}. IN TLSA 3 1 1 ${HASH}" ##UI_SSL_DIR="/etc/ssl/ui"
# ##WEBMAIL_SSL_DIR="/etc/ssl/webmail"
#mkdir -p "$DNS_DIR" ##MAIL_SSL_DIR="/etc/ssl/mail"
# ##
#if [ -r "$OUT_FILE" ] && grep -q "IN TLSA" "$OUT_FILE"; then ### Zielverzeichnisse anlegen (einmalig)
# if grep -q "$HASH" "$OUT_FILE"; then ##install -d -m 0755 "\$UI_SSL_DIR" "\$WEBMAIL_SSL_DIR" "\$MAIL_SSL_DIR"
# echo "[TLSA] Unverändert kein Update nötig." ##
# exit 0 ##link_if() {
# fi ## local le_base="\$1" target_dir="\$2"
#fi ## local cert="\${le_base}/fullchain.pem"
# ## local key="\${le_base}/privkey.pem"
#echo "$NEW_LINE" > "$OUT_FILE" ## [[ -s "\$cert" && -s "\$key" ]] || return 0
#echo "[TLSA] Aktualisiert: $NEW_LINE" ## ln -sf "\$cert" "\${target_dir}/fullchain.pem"
#HOOK ## ln -sf "\$key" "\${target_dir}/privkey.pem"
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh ## chmod 644 "\${target_dir}/fullchain.pem" 2>/dev/null || true
# ## chmod 600 "\${target_dir}/privkey.pem" 2>/dev/null || true
## ──────────────────────────────────────────────────────────────────────────── ## echo "[+] Linked \${target_dir} -> \${le_base}"
#echo "[✓] Deploy-Hooks installiert." ##}
##
### Verlinken (nur wenn Host konfiguriert)
##[[ -n "${UI_HOST}" ]] && link_if "\$UI_LE" "\$UI_SSL_DIR"
##[[ -n "${WEBMAIL_HOST}" ]] && link_if "\$WEBMAIL_LE" "\$WEBMAIL_SSL_DIR"
##[[ -n "${MAIL_HOSTNAME}" ]] && link_if "\$MX_LE" "\$MAIL_SSL_DIR"
##
### Nur reloaden, wenn Nginx aktiv ist (Installer startet ihn später erst)
##if systemctl is-active --quiet nginx; then
## systemctl reload nginx || true
##fi
##HOOK
##chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
##
### ────────────────────────────────────────────────────────────────────────────
### 3) 60-mailwolt-tlsa.sh
### → nutzt Laravel, falls vorhanden; sonst Fallback mit OpenSSL.
### → schreibt nur, wenn sich der Hash geändert hat (idempotent)
### ────────────────────────────────────────────────────────────────────────────
##cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
###!/usr/bin/env bash
##set -euo pipefail
##
### installer.env lesen
##set +u
##[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
##set -u
##
##APP_ENV_VAL="${APP_ENV:-production}"
##BASE_DOMAIN_VAL="${BASE_DOMAIN:-example.com}"
##
##case "$APP_ENV_VAL" in
## local|dev|development) exit 0 ;;
##esac
##[ "$BASE_DOMAIN_VAL" = "example.com" ] && exit 0
##
##MX_HOST="${MAIL_HOSTNAME:-}"
##SERVICE="_25._tcp"
##DNS_DIR="/etc/mailwolt/dns"
##OUT_FILE="${DNS_DIR}/${MX_HOST}.tlsa.txt"
##
### Nur reagieren, wenn MX-Zertifikat betroffen war
##case " ${RENEWED_DOMAINS:-} " in
## *" ${MX_HOST} "*) ;;
## *) exit 0 ;;
##esac
##
##CERT="${RENEWED_LINEAGE}/fullchain.pem"
##[ -s "$CERT" ] || exit 0
##
### Wenn Laravel vorhanden ist → interner Command (DB + Datei idempotent)
##if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then
## cd /var/www/mailwolt || exit 0
## php artisan dns:tlsa:refresh || true
## exit 0
##fi
##
### Fallback: nur Datei aktualisieren, wenn Hash sich ändert
##HASH="$(openssl x509 -in "$CERT" -noout -pubkey \
## | openssl pkey -pubin -outform DER \
## | openssl dgst -sha256 | sed 's/^.*= //')"
##NEW_LINE="${SERVICE}.${MX_HOST}. IN TLSA 3 1 1 ${HASH}"
##
##mkdir -p "$DNS_DIR"
##
##if [ -r "$OUT_FILE" ] && grep -q "IN TLSA" "$OUT_FILE"; then
## if grep -q "$HASH" "$OUT_FILE"; then
## echo "[TLSA] Unverändert kein Update nötig."
## exit 0
## fi
##fi
##
##echo "$NEW_LINE" > "$OUT_FILE"
##echo "[TLSA] Aktualisiert: $NEW_LINE"
##HOOK
##chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh
##
### ────────────────────────────────────────────────────────────────────────────
##echo "[✓] Deploy-Hooks installiert."

170
scripts/75-le-issue.sh
View File

@ -5,15 +5,15 @@ source ./lib.sh
ACME_WEBROOT="/var/www/letsencrypt" ACME_WEBROOT="/var/www/letsencrypt"
install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge" install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
# Let's Encrypt: Staging optional aktivieren (keine echten Zertifikate) # Let's Encrypt: Staging optional (für Tests)
CERTBOT_EXTRA=() CERTBOT_EXTRA=()
LE_STAGING="${LE_STAGING:-0}" # 1 = Staging LE_STAGING="${LE_STAGING:-0}"
[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert) [[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
# Einheitliche LE-E-Mail mit Fallback # Einheitliche LE-E-Mail mit Fallback
LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}" LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"
# DNS-Auflösung gegen unsere bekannte(n) IP(s) prüfen (nur als Warnsignal) # DNS zeigt auf diese Kiste?
resolve_ok() { resolve_ok() {
local host="$1" local host="$1"
local pats=() local pats=()
@ -24,7 +24,7 @@ resolve_ok() {
| grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$" | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
} }
# HTTP-01 Erreichbarkeit schnell antesten (IPv4/IPv6) # HTTP-01 erreichbar?
probe_http() { probe_http() {
local host="$1" local host="$1"
echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe" echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
@ -32,7 +32,7 @@ probe_http() {
|| curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
} }
# Ein Zertifikat für einen Host ausstellen # Ein Zertifikat ausstellen
issue() { issue() {
local host="$1" local host="$1"
[[ -z "$host" ]] && return 0 [[ -z "$host" ]] && return 0
@ -46,11 +46,10 @@ issue() {
if ! probe_http "$host"; then if ! probe_http "$host"; then
echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)." echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
# wir versuchen es trotzdem Certbot meldet sich, falls es scheitert
fi fi
# Für MX den Key wiederverwenden (stabiler TLSA-Hash 3 1 1)
EXTRA_ARGS=() EXTRA_ARGS=()
# MX: Key wiederverwenden → stabiler TLSA-Hash (3 1 1)
[[ "${host}" == "${MAIL_HOSTNAME}" ]] && EXTRA_ARGS+=(--reuse-key) [[ "${host}" == "${MAIL_HOSTNAME}" ]] && EXTRA_ARGS+=(--reuse-key)
certbot certonly \ certbot certonly \
@ -60,24 +59,23 @@ issue() {
"${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
} }
# ----------------------------------------------------------------------------- # ------------------- Hauptlauf -------------------
# Hauptlauf
# -----------------------------------------------------------------------------
if [[ "${BASE_DOMAIN}" != "example.com" ]]; then if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
issue "${UI_HOST:-}" issue "${UI_HOST:-}"
issue "${WEBMAIL_HOST:-}" issue "${WEBMAIL_HOST:-}"
issue "${MAIL_HOSTNAME:-}" issue "${MAIL_HOSTNAME:-}"
# Der Deploy-Hook hat Symlinks bereits gesetzt und nginx ggf. neu geladen. # Falls Deploy-Hook erst JETZT angelegt wurde: einmal manuell ausführen
# Optional trotzdem manuell ausführen (harmlos, hilft bei exotischen Setups): if [[ -x /usr/local/sbin/mw-deploy.sh ]]; then
if [[ -d /etc/letsencrypt/renewal-hooks/deploy ]]; then /usr/local/sbin/mw-deploy.sh || true
run-parts /etc/letsencrypt/renewal-hooks/deploy || true
fi fi
# Nginx nur neu laden, wenn aktiv
if systemctl is-active --quiet nginx; then if systemctl is-active --quiet nginx; then
systemctl reload nginx || true systemctl reload nginx || true
fi fi
else else
echo "[i] BASE_DOMAIN=example.com LE-Ausstellung wird übersprungen." echo "[i] BASE_DOMAIN=example.com LE wird übersprungen."
fi fi
##!/usr/bin/env bash ##!/usr/bin/env bash
@ -87,21 +85,26 @@ fi
#ACME_WEBROOT="/var/www/letsencrypt" #ACME_WEBROOT="/var/www/letsencrypt"
#install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge" #install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
# #
## Let's Encrypt: Staging optional aktivieren (keine echten Zertifikate)
#CERTBOT_EXTRA=() #CERTBOT_EXTRA=()
#LE_STAGING="${LE_STAGING:-0}" # 1 = Let's Encrypt Staging aktivieren #LE_STAGING="${LE_STAGING:-0}" # 1 = Staging
#[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert) #[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
# #
## Einheitliche LE-E-Mail mit Fallback
#LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"
#
## DNS-Auflösung gegen unsere bekannte(n) IP(s) prüfen (nur als Warnsignal)
#resolve_ok() { #resolve_ok() {
# local host="$1" # local host="$1"
# local pats=() # local pats=()
# [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}") # [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
# [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}") # [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
# # Wenn gar nichts bekannt ist, lieber nicht blockieren:
# [[ ${#pats[@]} -eq 0 ]] && return 0 # [[ ${#pats[@]} -eq 0 ]] && return 0
# getent ahosts "$host" | awk '{print $1}' | sort -u \ # getent ahosts "$host" | awk '{print $1}' | sort -u \
# | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$" # | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
#} #}
# #
## HTTP-01 Erreichbarkeit schnell antesten (IPv4/IPv6)
#probe_http() { #probe_http() {
# local host="$1" # local host="$1"
# echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe" # echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
@ -109,47 +112,124 @@ fi
# || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null # || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
#} #}
# #
## Ein Zertifikat für einen Host ausstellen
#issue() { #issue() {
# local host="$1" # local host="$1"
# [[ -z "$host" ]] && return 0
#
# echo "[i] Versuche LE für ${host} …" # echo "[i] Versuche LE für ${host} …"
# resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher skip ${host}"; return 0; } #
# if ! resolve_ok "$host"; then
# echo "[!] DNS zeigt (noch) nicht hierher überspringe: ${host}"
# return 0
# fi
# #
# if ! probe_http "$host"; then # if ! probe_http "$host"; then
# echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)." # echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
# # wir versuchen es trotzdem Certbot meldet sich, falls es scheitert
# fi # fi
# #
# # MX: Key beibehalten (TLSA 3 1 1 bleibt stabil) # # Für MX den Key wiederverwenden (stabiler TLSA-Hash 3 1 1)
# EXTRA_ARGS=() # EXTRA_ARGS=()
# [[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key) # [[ "${host}" == "${MAIL_HOSTNAME}" ]] && EXTRA_ARGS+=(--reuse-key)
# #
# certbot certonly --agree-tos -m "$LE_EMAIL" --non-interactive \ # certbot certonly \
# --webroot -w "$ACME_WEBROOT" -d "$UI_HOST" \ # --agree-tos -m "${LE_MAIL}" --non-interactive \
# --deploy-hook /usr/local/sbin/mw-deploy.sh # --webroot -w "${ACME_WEBROOT}" -d "${host}" \
# # --deploy-hook /usr/local/sbin/mw-deploy.sh \
# certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
# --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
# "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true # "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
#} #}
# #
#if [[ "$BASE_DOMAIN" != "example.com" ]]; then ## -----------------------------------------------------------------------------
# issue "$UI_HOST" ## Hauptlauf
# issue "$WEBMAIL_HOST" ## -----------------------------------------------------------------------------
# issue "$MAIL_HOSTNAME" #if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
# issue "${UI_HOST:-}"
# issue "${WEBMAIL_HOST:-}"
# issue "${MAIL_HOSTNAME:-}"
# #
#run-parts /etc/letsencrypt/renewal-hooks/deploy || true # # Der Deploy-Hook hat Symlinks bereits gesetzt und nginx ggf. neu geladen.
#systemctl reload nginx || true # # Optional trotzdem manuell ausführen (harmlos, hilft bei exotischen Setups):
# # if [[ -d /etc/letsencrypt/renewal-hooks/deploy ]]; then
# # TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso) # run-parts /etc/letsencrypt/renewal-hooks/deploy || true
# MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem" # fi
# if [[ -s "$MX_CERT" ]]; then # if systemctl is-active --quiet nginx; then
# HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \ # systemctl reload nginx || true
# | openssl pkey -pubin -outform DER \
# | openssl dgst -sha256 | sed 's/^.*= //')"
# TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
# install -d -m 0755 /etc/mailwolt/dns
# echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
# echo "[TLSA] ${TLSA_LINE}"
# fi # fi
#else #else
# echo "[i] BASE_DOMAIN=example.com LE wird übersprungen." # echo "[i] BASE_DOMAIN=example.com LE-Ausstellung wird übersprungen."
#fi #fi
#
###!/usr/bin/env bash
##set -euo pipefail
##source ./lib.sh
##
##ACME_WEBROOT="/var/www/letsencrypt"
##install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
##
##CERTBOT_EXTRA=()
##LE_STAGING="${LE_STAGING:-0}" # 1 = Let's Encrypt Staging aktivieren
##[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
##
##resolve_ok() {
## local host="$1"
## local pats=()
## [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
## [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
## # Wenn gar nichts bekannt ist, lieber nicht blockieren:
## [[ ${#pats[@]} -eq 0 ]] && return 0
## getent ahosts "$host" | awk '{print $1}' | sort -u \
## | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
##}
##
##probe_http() {
## local host="$1"
## echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
## curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
## || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
##}
##
##issue() {
## local host="$1"
## echo "[i] Versuche LE für ${host} …"
## resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher skip ${host}"; return 0; }
##
## if ! probe_http "$host"; then
## echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
## fi
##
## # MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
## EXTRA_ARGS=()
## [[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)
##
## certbot certonly --agree-tos -m "$LE_EMAIL" --non-interactive \
## --webroot -w "$ACME_WEBROOT" -d "$UI_HOST" \
## --deploy-hook /usr/local/sbin/mw-deploy.sh
##
## certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
## --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
## "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
##}
##
##if [[ "$BASE_DOMAIN" != "example.com" ]]; then
## issue "$UI_HOST"
## issue "$WEBMAIL_HOST"
## issue "$MAIL_HOSTNAME"
##
##run-parts /etc/letsencrypt/renewal-hooks/deploy || true
##systemctl reload nginx || true
##
## # TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
## MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
## if [[ -s "$MX_CERT" ]]; then
## HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
## | openssl pkey -pubin -outform DER \
## | openssl dgst -sha256 | sed 's/^.*= //')"
## TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
## install -d -m 0755 /etc/mailwolt/dns
## echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
## echo "[TLSA] ${TLSA_LINE}"
## fi
##else
## echo "[i] BASE_DOMAIN=example.com LE wird übersprungen."
##fi