68 lines
2.3 KiB
Bash
68 lines
2.3 KiB
Bash
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
source ./lib.sh
|
||
|
||
ACME_WEBROOT="/var/www/letsencrypt"
|
||
install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
|
||
|
||
CERTBOT_EXTRA=()
|
||
LE_STAGING="${LE_STAGING:-0}" # 1 = Let's Encrypt Staging aktivieren
|
||
[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
|
||
|
||
resolve_ok() {
|
||
local host="$1"
|
||
local pats=()
|
||
[[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
|
||
[[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
|
||
# Wenn gar nichts bekannt ist, lieber nicht blockieren:
|
||
[[ ${#pats[@]} -eq 0 ]] && return 0
|
||
getent ahosts "$host" | awk '{print $1}' | sort -u \
|
||
| grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
|
||
}
|
||
|
||
probe_http() {
|
||
local host="$1"
|
||
echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
|
||
curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
|
||
|| curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
|
||
}
|
||
|
||
issue() {
|
||
local host="$1"
|
||
echo "[i] Versuche LE für ${host} …"
|
||
resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher – skip ${host}"; return 0; }
|
||
|
||
if ! probe_http "$host"; then
|
||
echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
|
||
fi
|
||
|
||
# MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
|
||
EXTRA_ARGS=()
|
||
[[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)
|
||
|
||
certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
|
||
--non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
|
||
"${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
|
||
}
|
||
|
||
if [[ "$BASE_DOMAIN" != "example.com" ]]; then
|
||
issue "$UI_HOST"
|
||
issue "$WEBMAIL_HOST"
|
||
issue "$MAIL_HOSTNAME"
|
||
|
||
systemctl reload nginx || true
|
||
|
||
# TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
|
||
MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
|
||
if [[ -s "$MX_CERT" ]]; then
|
||
HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
|
||
| openssl pkey -pubin -outform DER \
|
||
| openssl dgst -sha256 | sed 's/^.*= //')"
|
||
TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
|
||
install -d -m 0755 /etc/mailwolt/dns
|
||
echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
|
||
echo "[TLSA] ${TLSA_LINE}"
|
||
fi
|
||
else
|
||
echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
|
||
fi |