Laudende Default seite entfernen

2025-10-17 03:47:17 +02:00 · 2025-10-17 03:47:17 +02:00 · ba65f0fecb
parent e17db18f05
commit ba65f0fecb
1 changed files with 106 additions and 107 deletions
--- a/scripts/75-le-issue.sh
+++ b/scripts/75-le-issue.sh
@ -5,26 +5,21 @@ source ./lib.sh
 ACME_WEBROOT="/var/www/letsencrypt"
 install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"

-# Let's Encrypt: Staging optional (für Tests)
 CERTBOT_EXTRA=()
-LE_STAGING="${LE_STAGING:-0}"
+LE_STAGING="${LE_STAGING:-0}"  # 1 = Let's Encrypt Staging aktivieren
 [[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)

-# Einheitliche LE-E-Mail mit Fallback
-LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"
-
-# DNS zeigt auf diese Kiste?
 resolve_ok() {
  local host="$1"
  local pats=()
  [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
  [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
+  # Wenn gar nichts bekannt ist, lieber nicht blockieren:
  [[ ${#pats[@]} -eq 0 ]] && return 0
  getent ahosts "$host" | awk '{print $1}' | sort -u \
    | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
 }

-# HTTP-01 erreichbar?
 probe_http() {
  local host="$1"
  echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
@ -32,51 +27,127 @@ probe_http() {
  || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
 }

-# Ein Zertifikat ausstellen
 issue() {
  local host="$1"
-  [[ -z "$host" ]] && return 0
-
  echo "[i] Versuche LE für ${host} …"
-
-  if ! resolve_ok "$host"; then
-    echo "[!] DNS zeigt (noch) nicht hierher – überspringe: ${host}"
-    return 0
-  fi
+  resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher – skip ${host}"; return 0; }

  if ! probe_http "$host"; then
    echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
  fi

+  # MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
  EXTRA_ARGS=()
-  # MX: Key wiederverwenden → stabiler TLSA-Hash (3 1 1)
-  [[ "${host}" == "${MAIL_HOSTNAME}" ]] && EXTRA_ARGS+=(--reuse-key)
+  [[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)

-certbot certonly \
-  --agree-tos -m "${LE_MAIL}" --non-interactive \
-  --webroot -w "${ACME_WEBROOT}" -d "${host}" \
-  "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
+  certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
+    --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
+    "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
 }

-# ------------------- Hauptlauf -------------------
-if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
-  issue "${UI_HOST:-}"
-  issue "${WEBMAIL_HOST:-}"
-  issue "${MAIL_HOSTNAME:-}"
+if [[ "$BASE_DOMAIN" != "example.com" ]]; then
+  issue "$UI_HOST"
+  issue "$WEBMAIL_HOST"
+  issue "$MAIL_HOSTNAME"

-  # Falls Deploy-Hook erst JETZT angelegt wurde: einmal manuell ausführen
-  if [[ -x /usr/local/sbin/mw-deploy.sh ]]; then
-    /usr/local/sbin/mw-deploy.sh || true
-  fi
+run-parts /etc/letsencrypt/renewal-hooks/deploy || true
+systemctl reload nginx || true

-  # Nginx nur neu laden, wenn aktiv
-  if systemctl is-active --quiet nginx; then
-    systemctl reload nginx || true
-  fi
+#  # TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
+#  MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
+#  if [[ -s "$MX_CERT" ]]; then
+#    HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
+#      | openssl pkey -pubin -outform DER \
+#      | openssl dgst -sha256 | sed 's/^.*= //')"
+#    TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
+#    install -d -m 0755 /etc/mailwolt/dns
+#    echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
+#    echo "[TLSA] ${TLSA_LINE}"
+#  fi
 else
  echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
 fi

+
+##!/usr/bin/env bash
+#set -euo pipefail
+#source ./lib.sh
+#
+#ACME_WEBROOT="/var/www/letsencrypt"
+#install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
+#
+## Let's Encrypt: Staging optional (für Tests)
+#CERTBOT_EXTRA=()
+#LE_STAGING="${LE_STAGING:-0}"
+#[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
+#
+## Einheitliche LE-E-Mail mit Fallback
+#LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"
+#
+## DNS zeigt auf diese Kiste?
+#resolve_ok() {
+#  local host="$1"
+#  local pats=()
+#  [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
+#  [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
+#  [[ ${#pats[@]} -eq 0 ]] && return 0
+#  getent ahosts "$host" | awk '{print $1}' | sort -u \
+#    | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
+#}
+#
+## HTTP-01 erreichbar?
+#probe_http() {
+#  local host="$1"
+#  echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
+#  curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
+#  || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
+#}
+#
+## Ein Zertifikat ausstellen
+#issue() {
+#  local host="$1"
+#  [[ -z "$host" ]] && return 0
+#
+#  echo "[i] Versuche LE für ${host} …"
+#
+#  if ! resolve_ok "$host"; then
+#    echo "[!] DNS zeigt (noch) nicht hierher – überspringe: ${host}"
+#    return 0
+#  fi
+#
+#  if ! probe_http "$host"; then
+#    echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
+#  fi
+#
+#  EXTRA_ARGS=()
+#  # MX: Key wiederverwenden → stabiler TLSA-Hash (3 1 1)
+#  [[ "${host}" == "${MAIL_HOSTNAME}" ]] && EXTRA_ARGS+=(--reuse-key)
+#
+#certbot certonly \
+#  --agree-tos -m "${LE_MAIL}" --non-interactive \
+#  --webroot -w "${ACME_WEBROOT}" -d "${host}" \
+#  "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
+#}
+#
+## ------------------- Hauptlauf -------------------
+#if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
+#  issue "${UI_HOST:-}"
+#  issue "${WEBMAIL_HOST:-}"
+#  issue "${MAIL_HOSTNAME:-}"
+#
+#  # Falls Deploy-Hook erst JETZT angelegt wurde: einmal manuell ausführen
+#  if [[ -x /usr/local/sbin/mw-deploy.sh ]]; then
+#    /usr/local/sbin/mw-deploy.sh || true
+#  fi
+#
+#  # Nginx nur neu laden, wenn aktiv
+#  if systemctl is-active --quiet nginx; then
+#    systemctl reload nginx || true
+#  fi
+#else
+#  echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
+#fi
+
 ##!/usr/bin/env bash
 #set -euo pipefail
 #source ./lib.sh
@ -159,76 +230,4 @@ fi
 #  echo "[i] BASE_DOMAIN=example.com – LE-Ausstellung wird übersprungen."
 #fi
 #
-###!/usr/bin/env bash
-##set -euo pipefail
-##source ./lib.sh
-##
-##ACME_WEBROOT="/var/www/letsencrypt"
-##install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
-##
-##CERTBOT_EXTRA=()
-##LE_STAGING="${LE_STAGING:-0}"  # 1 = Let's Encrypt Staging aktivieren
-##[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
-##
-##resolve_ok() {
-##  local host="$1"
-##  local pats=()
-##  [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
-##  [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
-##  # Wenn gar nichts bekannt ist, lieber nicht blockieren:
-##  [[ ${#pats[@]} -eq 0 ]] && return 0
-##  getent ahosts "$host" | awk '{print $1}' | sort -u \
-##    | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
-##}
-##
-##probe_http() {
-##  local host="$1"
-##  echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
-##  curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
-##  || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
-##}
-##
-##issue() {
-##  local host="$1"
-##  echo "[i] Versuche LE für ${host} …"
-##  resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher – skip ${host}"; return 0; }
-##
-##  if ! probe_http "$host"; then
-##    echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
-##  fi
-##
-##  # MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
-##  EXTRA_ARGS=()
-##  [[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)
-##
-##  certbot certonly --agree-tos -m "$LE_EMAIL" --non-interactive \
-##    --webroot -w "$ACME_WEBROOT" -d "$UI_HOST" \
-##    --deploy-hook /usr/local/sbin/mw-deploy.sh
-##
-##  certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
-##    --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
-##    "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
-##}
-##
-##if [[ "$BASE_DOMAIN" != "example.com" ]]; then
-##  issue "$UI_HOST"
-##  issue "$WEBMAIL_HOST"
-##  issue "$MAIL_HOSTNAME"
-##
-##run-parts /etc/letsencrypt/renewal-hooks/deploy || true
-##systemctl reload nginx || true
-##
-##  # TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
-##  MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
-##  if [[ -s "$MX_CERT" ]]; then
-##    HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
-##      | openssl pkey -pubin -outform DER \
-##      | openssl dgst -sha256 | sed 's/^.*= //')"
-##    TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
-##    install -d -m 0755 /etc/mailwolt/dns
-##    echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
-##    echo "[TLSA] ${TLSA_LINE}"
-##  fi
-##else
-##  echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
-##fi
+