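#!/usr/bin/env bash
#
# Provision one TLS certificate/key pair for the UI, webmail and mail services.
#
# If ${CONF_BASE}/ssl/cert.pem or key.pem is missing (or empty), a self-signed
# RSA-2048 certificate for the server's public IPv4 address is generated.
# The three service SSL directories then receive symlinks pointing at that one
# pair, so swapping in a CA-issued certificate later only means replacing the
# two files under ${CONF_BASE}/ssl.
#
# Required from ./lib.sh: APP_USER, APP_NAME, SERVER_PUBLIC_IPV4 and log().
set -euo pipefail

# shellcheck source=./lib.sh
source ./lib.sh

# Fail early with a readable message if lib.sh did not provide what we need;
# under `set -u` these would otherwise die with a bare "unbound variable".
: "${APP_USER:?APP_USER must be set by lib.sh}"
: "${APP_NAME:?APP_NAME must be set by lib.sh}"
: "${SERVER_PUBLIC_IPV4:?SERVER_PUBLIC_IPV4 must be set by lib.sh}"

CONF_BASE="/etc/${APP_USER}"
CERT_DIR="${CONF_BASE}/ssl"

UI_SSL_DIR="/etc/ssl/ui"
WEBMAIL_SSL_DIR="/etc/ssl/webmail"
MAIL_SSL_DIR="/etc/ssl/mail"

UI_CERT="${UI_SSL_DIR}/fullchain.pem";           UI_KEY="${UI_SSL_DIR}/privkey.pem"
WEBMAIL_CERT="${WEBMAIL_SSL_DIR}/fullchain.pem"; WEBMAIL_KEY="${WEBMAIL_SSL_DIR}/privkey.pem"
MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem";       MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"

# Group that is granted read access to the certificate and private key.
TLS_GROUP="www-data"

install -d -m 0750 "$CERT_DIR"
# The key is made group-readable for TLS_GROUP further down. That grant is
# unreachable unless the group can also traverse CERT_DIR (0750, otherwise
# root:root), so give the directory the same group. Best-effort, like the
# chgrp on the files: the group may not exist on this host.
chgrp "$TLS_GROUP" "$CERT_DIR" || true

CERT="${CERT_DIR}/cert.pem"
KEY="${CERT_DIR}/key.pem"

if [[ ! -s "$CERT" || ! -s "$KEY" ]]; then
  log "Self-signed Zertifikat erzeugen …"

  # SERVER_PUBLIC_IPV4 is expanded verbatim into an OpenSSL config file below;
  # insist on a plain dotted quad so nothing else ends up parsed as config.
  if [[ ! "$SERVER_PUBLIC_IPV4" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    printf 'SERVER_PUBLIC_IPV4 is not an IPv4 address: %q\n' "$SERVER_PUBLIC_IPV4" >&2
    exit 1
  fi

  OSSL_CFG="${CERT_DIR}/openssl.cnf"
  # Unquoted heredoc on purpose: CN/O/IP.1 are filled from the variables above.
  cat > "$OSSL_CFG" <<CFG
[req]
default_bits=2048
prompt=no
default_md=sha256
# With "openssl req -x509" the certificate extensions come from
# x509_extensions; req_extensions only applies to CSRs. Without the
# x509_extensions line older OpenSSL releases emit a certificate with NO
# subjectAltName, which browsers then reject regardless of the CN.
x509_extensions=req_ext
req_extensions=req_ext
distinguished_name=dn
[dn]
CN=${SERVER_PUBLIC_IPV4}
O=${APP_NAME}
C=DE
[req_ext]
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
IP.1=${SERVER_PUBLIC_IPV4}
CFG

  # Create the key under a restrictive umask so it is never world-readable,
  # not even in the window between creation and the chmod below (with the
  # usual umask 022 openssl would first write it mode 0644).
  (
    umask 077
    openssl req -x509 -newkey rsa:2048 -days 825 -nodes \
      -keyout "$KEY" -out "$CERT" -config "$OSSL_CFG"
  )
  chgrp "$TLS_GROUP" "$CERT" "$KEY" || true
  chmod 640 "$KEY" "$CERT"
fi

install -d -m 0755 "$UI_SSL_DIR" "$WEBMAIL_SSL_DIR" "$MAIL_SSL_DIR"

# -n: if the link name already exists as a symlink to a directory, replace the
# link itself rather than creating a new link inside the directory it points to.
for link in "$UI_CERT" "$WEBMAIL_CERT" "$MAIL_CERT"; do
  ln -sfn "$CERT" "$link"
done
for link in "$UI_KEY" "$WEBMAIL_KEY" "$MAIL_KEY"; do
  ln -sfn "$KEY" "$link"
done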