Laudende Default seite entfernen
parent
eb21584f33
commit
ae883adf9f
|
|
@ -205,20 +205,41 @@ build_site_acme_only(){
|
||||||
local host="$1" outfile="$2"
|
local host="$1" outfile="$2"
|
||||||
|
|
||||||
cat > "$outfile" <<CONF
|
cat > "$outfile" <<CONF
|
||||||
# --- ${host} : ACME-only (für LE-HTTP-01) ---
|
# --- ${host} : ACME-only (80 + 443), KEIN App-Root ---
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
server_name ${host};
|
server_name ${host};
|
||||||
|
|
||||||
# Nur Challenge-Dateien ausliefern
|
# HTTP-01 Challenge exakt ausliefern
|
||||||
location ^~ /.well-known/acme-challenge/ {
|
location ^~ /.well-known/acme-challenge/ {
|
||||||
root ${ACME_ROOT};
|
root ${ACME_ROOT};
|
||||||
allow all;
|
default_type "text/plain";
|
||||||
|
try_files \$uri =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Alles andere → nach https
|
||||||
|
location / { return 301 https://\$host\$request_uri; }
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl${NGINX_HTTP2_SUFFIX};
|
||||||
|
listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
|
||||||
|
server_name ${host};
|
||||||
|
|
||||||
|
ssl_certificate /etc/ssl/mail/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/ssl/mail/privkey.pem;
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
|
||||||
|
# Auch via https die Challenge bedienen (falls Redirects gefolgt werden)
|
||||||
|
location ^~ /.well-known/acme-challenge/ {
|
||||||
|
root ${ACME_ROOT};
|
||||||
|
default_type "text/plain";
|
||||||
|
try_files \$uri =404;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Sonst nichts preisgeben
|
# Sonst nichts preisgeben
|
||||||
return 204;
|
location / { return 444; }
|
||||||
}
|
}
|
||||||
CONF
|
CONF
|
||||||
}
|
}
|
||||||
|
|
@ -228,21 +249,21 @@ MX_SITE="/etc/nginx/sites-available/mx-mailwolt.conf"
|
||||||
UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
|
UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
|
||||||
WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"
|
WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"
|
||||||
|
|
||||||
build_site_acme_only "${MAIL_HOSTNAME}" "$MX_SITE"
|
# UI & Webmail wie gehabt …
|
||||||
|
if [[ "${PROXY_MODE:-0}" -eq 1 ]]; then
|
||||||
if [[ "${PROXY_MODE}" -eq 1 ]]; then
|
|
||||||
# Hinter NPM/Proxy: Backend nur HTTP:80 (keine Redirects, kein 443)
|
|
||||||
build_site_http_only "$UI_HOST" "$UI_SITE"
|
build_site_http_only "$UI_HOST" "$UI_SITE"
|
||||||
build_site_http_only "$WEBMAIL_HOST" "$WEBMAIL_SITE"
|
build_site_http_only "$WEBMAIL_HOST" "$WEBMAIL_SITE"
|
||||||
else
|
else
|
||||||
# Live-Server: 80→443 + TLS vHosts
|
build_site_tls "$UI_HOST" "/etc/ssl/ui" "$UI_SITE"
|
||||||
build_site_tls "$UI_HOST" "/etc/ssl/ui" "$UI_SITE"
|
build_site_tls "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
|
||||||
build_site_tls "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ln -sf "$MX_SITE" "/etc/nginx/sites-enabled/mx-mailwolt.conf"
|
# MX: **immer** ACME-only (kein Laravel dahinter)
|
||||||
ln -sf "$UI_SITE" "/etc/nginx/sites-enabled/ui-mailwolt.conf"
|
build_site_acme_only "${MAIL_HOSTNAME}" "$MX_SITE"
|
||||||
ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf"
|
|
||||||
|
ln -sf "$UI_SITE" /etc/nginx/sites-enabled/ui-mailwolt.conf
|
||||||
|
ln -sf "$WEBMAIL_SITE" /etc/nginx/sites-enabled/webmail-mailwolt.conf
|
||||||
|
ln -sf "$MX_SITE" /etc/nginx/sites-enabled/mx-mailwolt.conf
|
||||||
|
|
||||||
# ── Real-IP nur, wenn Proxy davor ──────────────────────────────────────────
|
# ── Real-IP nur, wenn Proxy davor ──────────────────────────────────────────
|
||||||
if [[ "${PROXY_MODE}" -eq 1 && -n "${NPM_IP}" ]]; then
|
if [[ "${PROXY_MODE}" -eq 1 && -n "${NPM_IP}" ]]; then
|
||||||
|
|
|
||||||
|
|
@ -3,29 +3,46 @@ set -euo pipefail
|
||||||
source ./lib.sh
|
source ./lib.sh
|
||||||
|
|
||||||
ACME_WEBROOT="/var/www/letsencrypt"
|
ACME_WEBROOT="/var/www/letsencrypt"
|
||||||
|
install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
|
||||||
|
|
||||||
|
CERTBOT_EXTRA=()
|
||||||
|
LE_STAGING="${LE_STAGING:-0}" # 1 = Let's Encrypt Staging aktivieren
|
||||||
|
[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
|
||||||
|
|
||||||
resolve_ok() {
|
resolve_ok() {
|
||||||
local host="$1"
|
local host="$1"
|
||||||
getent ahosts "$host" | awk '{print $1}' | sort -u | grep -q -F "$SERVER_PUBLIC_IPV4"
|
local pats=()
|
||||||
|
[[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
|
||||||
|
[[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
|
||||||
|
# Wenn gar nichts bekannt ist, lieber nicht blockieren:
|
||||||
|
[[ ${#pats[@]} -eq 0 ]] && return 0
|
||||||
|
getent ahosts "$host" | awk '{print $1}' | sort -u \
|
||||||
|
| grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
|
||||||
|
}
|
||||||
|
|
||||||
|
probe_http() {
|
||||||
|
local host="$1"
|
||||||
|
echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
|
||||||
|
curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
|
||||||
|
|| curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
issue() {
|
issue() {
|
||||||
local host="$1"
|
local host="$1"
|
||||||
echo "[i] Versuche LE für ${host} …"
|
echo "[i] Versuche LE für ${host} …"
|
||||||
if ! resolve_ok "$host"; then
|
resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher – skip ${host}"; return 0; }
|
||||||
echo "[!] DNS zeigt (noch) nicht auf diese IP – überspringe: ${host}"
|
|
||||||
return 0
|
if ! probe_http "$host"; then
|
||||||
|
echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Für MX den Schlüssel beibehalten, damit TLSA (3 1 1) stabil bleibt
|
# MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
|
||||||
EXTRA_ARGS=()
|
EXTRA_ARGS=()
|
||||||
if [[ "$host" == "$MAIL_HOSTNAME" ]]; then
|
[[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)
|
||||||
EXTRA_ARGS+=(--reuse-key)
|
|
||||||
fi
|
|
||||||
|
|
||||||
certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
|
certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
|
||||||
--non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
|
--non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
|
||||||
"${EXTRA_ARGS[@]}" || true
|
"${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
|
||||||
}
|
}
|
||||||
|
|
||||||
if [[ "$BASE_DOMAIN" != "example.com" ]]; then
|
if [[ "$BASE_DOMAIN" != "example.com" ]]; then
|
||||||
|
|
@ -33,10 +50,9 @@ if [[ "$BASE_DOMAIN" != "example.com" ]]; then
|
||||||
issue "$WEBMAIL_HOST"
|
issue "$WEBMAIL_HOST"
|
||||||
issue "$MAIL_HOSTNAME"
|
issue "$MAIL_HOSTNAME"
|
||||||
|
|
||||||
# Nginx neu laden (Symlink-Hook verlinkt die neuen Zerts)
|
|
||||||
systemctl reload nginx || true
|
systemctl reload nginx || true
|
||||||
|
|
||||||
# Direkt nach Erst-Ausstellung TLSA für MX einmal erzeugen
|
# TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
|
||||||
MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
|
MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
|
||||||
if [[ -s "$MX_CERT" ]]; then
|
if [[ -s "$MX_CERT" ]]; then
|
||||||
HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
|
HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
|
||||||
|
|
@ -48,5 +64,5 @@ if [[ "$BASE_DOMAIN" != "example.com" ]]; then
|
||||||
echo "[TLSA] ${TLSA_LINE}"
|
echo "[TLSA] ${TLSA_LINE}"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "[i] BASE_DOMAIN=example.com – LE-Ausstellung wird übersprungen."
|
echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
|
||||||
fi
|
fi
|
||||||
Loading…
Reference in New Issue