155 lines
5.4 KiB
Bash
155 lines
5.4 KiB
Bash
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
source ./lib.sh
|
||
|
||
ACME_WEBROOT="/var/www/letsencrypt"
|
||
install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
|
||
|
||
# Let's Encrypt: Staging optional aktivieren (keine echten Zertifikate)
|
||
CERTBOT_EXTRA=()
|
||
LE_STAGING="${LE_STAGING:-0}" # 1 = Staging
|
||
[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
|
||
|
||
# Einheitliche LE-E-Mail mit Fallback
|
||
LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"
|
||
|
||
# DNS-Auflösung gegen unsere bekannte(n) IP(s) prüfen (nur als Warnsignal)
|
||
resolve_ok() {
|
||
local host="$1"
|
||
local pats=()
|
||
[[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
|
||
[[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
|
||
[[ ${#pats[@]} -eq 0 ]] && return 0
|
||
getent ahosts "$host" | awk '{print $1}' | sort -u \
|
||
| grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
|
||
}
|
||
|
||
# HTTP-01 Erreichbarkeit schnell antesten (IPv4/IPv6)
|
||
probe_http() {
|
||
local host="$1"
|
||
echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
|
||
curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
|
||
|| curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
|
||
}
|
||
|
||
# Ein Zertifikat für einen Host ausstellen
|
||
issue() {
|
||
local host="$1"
|
||
[[ -z "$host" ]] && return 0
|
||
|
||
echo "[i] Versuche LE für ${host} …"
|
||
|
||
if ! resolve_ok "$host"; then
|
||
echo "[!] DNS zeigt (noch) nicht hierher – überspringe: ${host}"
|
||
return 0
|
||
fi
|
||
|
||
if ! probe_http "$host"; then
|
||
echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
|
||
# wir versuchen es trotzdem – Certbot meldet sich, falls es scheitert
|
||
fi
|
||
|
||
# Für MX den Key wiederverwenden (stabiler TLSA-Hash 3 1 1)
|
||
EXTRA_ARGS=()
|
||
[[ "${host}" == "${MAIL_HOSTNAME}" ]] && EXTRA_ARGS+=(--reuse-key)
|
||
|
||
certbot certonly \
|
||
--agree-tos -m "${LE_MAIL}" --non-interactive \
|
||
--webroot -w "${ACME_WEBROOT}" -d "${host}" \
|
||
--deploy-hook /usr/local/sbin/mw-deploy.sh \
|
||
"${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
|
||
}
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Hauptlauf
|
||
# -----------------------------------------------------------------------------
|
||
if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
|
||
issue "${UI_HOST:-}"
|
||
issue "${WEBMAIL_HOST:-}"
|
||
issue "${MAIL_HOSTNAME:-}"
|
||
|
||
# Der Deploy-Hook hat Symlinks bereits gesetzt und nginx ggf. neu geladen.
|
||
# Optional trotzdem manuell ausführen (harmlos, hilft bei exotischen Setups):
|
||
if [[ -d /etc/letsencrypt/renewal-hooks/deploy ]]; then
|
||
run-parts /etc/letsencrypt/renewal-hooks/deploy || true
|
||
fi
|
||
if systemctl is-active --quiet nginx; then
|
||
systemctl reload nginx || true
|
||
fi
|
||
else
|
||
echo "[i] BASE_DOMAIN=example.com – LE-Ausstellung wird übersprungen."
|
||
fi
|
||
|
||
##!/usr/bin/env bash
|
||
#set -euo pipefail
|
||
#source ./lib.sh
|
||
#
|
||
#ACME_WEBROOT="/var/www/letsencrypt"
|
||
#install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
|
||
#
|
||
#CERTBOT_EXTRA=()
|
||
#LE_STAGING="${LE_STAGING:-0}" # 1 = Let's Encrypt Staging aktivieren
|
||
#[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
|
||
#
|
||
#resolve_ok() {
|
||
# local host="$1"
|
||
# local pats=()
|
||
# [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
|
||
# [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
|
||
# # Wenn gar nichts bekannt ist, lieber nicht blockieren:
|
||
# [[ ${#pats[@]} -eq 0 ]] && return 0
|
||
# getent ahosts "$host" | awk '{print $1}' | sort -u \
|
||
# | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
|
||
#}
|
||
#
|
||
#probe_http() {
|
||
# local host="$1"
|
||
# echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
|
||
# curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
|
||
# || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
|
||
#}
|
||
#
|
||
#issue() {
|
||
# local host="$1"
|
||
# echo "[i] Versuche LE für ${host} …"
|
||
# resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher – skip ${host}"; return 0; }
|
||
#
|
||
# if ! probe_http "$host"; then
|
||
# echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
|
||
# fi
|
||
#
|
||
# # MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
|
||
# EXTRA_ARGS=()
|
||
# [[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)
|
||
#
|
||
# certbot certonly --agree-tos -m "$LE_EMAIL" --non-interactive \
|
||
# --webroot -w "$ACME_WEBROOT" -d "$UI_HOST" \
|
||
# --deploy-hook /usr/local/sbin/mw-deploy.sh
|
||
#
|
||
# certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
|
||
# --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
|
||
# "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
|
||
#}
|
||
#
|
||
#if [[ "$BASE_DOMAIN" != "example.com" ]]; then
|
||
# issue "$UI_HOST"
|
||
# issue "$WEBMAIL_HOST"
|
||
# issue "$MAIL_HOSTNAME"
|
||
#
|
||
#run-parts /etc/letsencrypt/renewal-hooks/deploy || true
|
||
#systemctl reload nginx || true
|
||
#
|
||
# # TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
|
||
# MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
|
||
# if [[ -s "$MX_CERT" ]]; then
|
||
# HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
|
||
# | openssl pkey -pubin -outform DER \
|
||
# | openssl dgst -sha256 | sed 's/^.*= //')"
|
||
# TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
|
||
# install -d -m 0755 /etc/mailwolt/dns
|
||
# echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
|
||
# echo "[TLSA] ${TLSA_LINE}"
|
||
# fi
|
||
#else
|
||
# echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
|
||
#fi |