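#!/usr/bin/env bash
# Provision a self-signed TLS key pair for the application and publish it to the
# UI, webmail and mail services through fixed symlink locations under /etc/ssl.
#
# Expects from lib.sh: log(), APP_USER, APP_NAME, SERVER_PUBLIC_IPV4.
# With `set -u` the script aborts if any of those variables is unset.
set -euo pipefail

source ./lib.sh

# The real key and certificate live here; every service path below is a
# symlink into this directory.
CONF_BASE="/etc/${APP_USER}"
CERT_DIR="${CONF_BASE}/ssl"

# Per-service link directories and the link names the services are configured with.
UI_SSL_DIR="/etc/ssl/ui"
WEBMAIL_SSL_DIR="/etc/ssl/webmail"
MAIL_SSL_DIR="/etc/ssl/mail"
UI_CERT="${UI_SSL_DIR}/fullchain.pem"
UI_KEY="${UI_SSL_DIR}/privkey.pem"
WEBMAIL_CERT="${WEBMAIL_SSL_DIR}/fullchain.pem"
WEBMAIL_KEY="${WEBMAIL_SSL_DIR}/privkey.pem"
MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"

# 0750 with no -o/-g: owned by the invoking user (root) and group root, so only
# root can traverse it.  NOTE(review): the per-file ACL and group changes below
# do not grant directory traversal; the service users can only reach the files
# through these symlinks if they open them as root — confirm for each service.
install -d -m 0750 "$CERT_DIR"
CERT="${CERT_DIR}/cert.pem"
KEY="${CERT_DIR}/key.pem"

# Generate a key pair only when either file is missing or empty.  An existing
# pair — even an expired one — is never overwritten.
if [[ ! -s "$CERT" || ! -s "$KEY" ]]; then
  log "Self-signed Zertifikat erzeugen …"

  # The value is interpolated verbatim into the OpenSSL config as CN and IP SAN;
  # reject anything that is not a dotted-quad before writing the file so the
  # failure is reported here rather than as an opaque openssl error.
  if [[ ! "$SERVER_PUBLIC_IPV4" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    echo "[!] SERVER_PUBLIC_IPV4 is not an IPv4 address: $SERVER_PUBLIC_IPV4" >&2
    exit 1
  fi

  OSSL_CFG="${CERT_DIR}/openssl.cnf"
  # `req -x509` applies the section named by x509_extensions to the self-signed
  # certificate; req_extensions only applies to CSRs.  Without x509_extensions
  # the SAN would be dropped and the certificate would not validate for the IP.
  cat > "$OSSL_CFG" <<CFG
[req]
default_bits=2048
prompt=no
default_md=sha256
req_extensions=req_ext
x509_extensions=req_ext
distinguished_name=dn
[dn]
CN=${SERVER_PUBLIC_IPV4}
O=${APP_NAME}
C=DE
[req_ext]
subjectAltName=@alt_names
[alt_names]
IP.1=${SERVER_PUBLIC_IPV4}
CFG

  # umask 077 in a subshell: openssl creates the key file with the process umask,
  # so without this the key is world-readable until the chmod below runs.
  (
    umask 077
    openssl req -x509 -newkey rsa:2048 -days 825 -nodes \
      -keyout "$KEY" -out "$CERT" -config "$OSSL_CFG"
  )

  # Initial ownership for the web front end; the key's group is finalised in the
  # mail section further down (postfix), so www-data only keeps the certificate.
  chgrp www-data "$CERT" "$KEY" || true
  chmod 640 "$KEY" "$CERT"
fi

# Publish the pair under the per-service names.  -n stops ln from descending
# into an existing link should a destination ever resolve to a directory.
install -d -m 0755 "$UI_SSL_DIR" "$WEBMAIL_SSL_DIR" "$MAIL_SSL_DIR"
for cert_link in "$UI_CERT" "$WEBMAIL_CERT" "$MAIL_CERT"; do
  ln -sfn "$CERT" "$cert_link"
done
for key_link in "$UI_KEY" "$WEBMAIL_KEY" "$MAIL_KEY"; do
  ln -sfn "$KEY" "$key_link"
done

# --- Mail certificates: permissions for Postfix & Dovecot --------------------
# IMPORTANT: set permissions on the *targets* (KEY/CERT in $CERT_DIR), not on
# the symlinks.
if [[ -f "$KEY" && -f "$CERT" ]]; then
  echo "[+] Setze Berechtigungen für Mail-Zertifikate …"
  # Key: readable by root and the postfix group only.  This replaces the
  # www-data group set above, so the UI must open the key as root.
  chgrp postfix "$KEY" || true
  chmod 640 "$KEY" || true
  # Dovecot additionally gets read access via an ACL.  A failure is reported
  # instead of hidden: a missing setfacl or dovecot user would otherwise leave
  # Dovecot without a key and no trace of why.
  if command -v setfacl >/dev/null 2>&1; then
    setfacl -m u:dovecot:r "$KEY" || echo "[!] setfacl for dovecot on $KEY failed" >&2
  else
    echo "[!] setfacl not found; dovecot has no read access to $KEY" >&2
  fi
  # The certificate is public and may be world-readable.
  chmod 644 "$CERT" || true
else
  echo "[!] Zertifikatsdateien fehlen: $KEY oder $CERT" >&2
fi

# Informational: where the mail links point.
echo "[i] Mail TLS: $MAIL_CERT -> $CERT ; $MAIL_KEY -> $KEY"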