#!/usr/bin/env bash
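set -euo pipefail

# Shared settings (SERVER_PUBLIC_IPV4, BASE_DOMAIN, MAIL_HOSTNAME, UI_HOST,
# WEBMAIL_HOST, optionally LE_EMAIL) are presumably defined in lib.sh.
# Locate it next to this script instead of relying on the caller's working
# directory, so the script also works when started via an absolute path.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${SCRIPT_DIR}/lib.sh"

# Directory certbot writes ACME HTTP-01 challenge files into (--webroot -w);
# the web server has to serve it under /.well-known/acme-challenge/.
ACME_WEBROOT="/var/www/letsencrypt"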
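#######################################
# Check whether a hostname currently resolves to this server's public IPv4.
# Globals:   SERVER_PUBLIC_IPV4 (read; must be set and non-empty)
# Arguments: $1 - hostname to resolve
# Returns:   0 if at least one resolved address equals SERVER_PUBLIC_IPV4
#            exactly, 1 otherwise (also for an unresolvable host)
#######################################
resolve_ok() {
  local host="$1"
  # Fail loudly instead of matching everything: an empty expected IP would
  # have turned the original substring grep into an always-true check.
  : "${SERVER_PUBLIC_IPV4:?SERVER_PUBLIC_IPV4 ist nicht gesetzt}"
  # Compare whole addresses, not substrings: a substring match would accept
  # 10.0.0.10 (or 110.0.0.1) for an expected 10.0.0.1. Using awk's exit
  # status also avoids grep -q closing the pipe early under pipefail.
  getent ahosts "$host" \
    | awk -v want="$SERVER_PUBLIC_IPV4" \
        '$1 == want { found = 1 } END { exit (found ? 0 : 1) }'
}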
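#######################################
# Request a Let's Encrypt certificate for one host via the webroot method.
# Hosts whose DNS does not (yet) point at this server are skipped; a failed
# certbot run is reported but does not abort the remaining hosts.
# Globals:   MAIL_HOSTNAME, BASE_DOMAIN, ACME_WEBROOT (read)
#            LE_EMAIL (read, optional; defaults to admin@BASE_DOMAIN)
# Arguments: $1 - hostname to issue a certificate for
# Outputs:   progress messages on stdout, failures on stderr
# Returns:   0 always (best effort)
#######################################
issue() {
  local host="$1"
  local -a extra_args=()
  local rc=0

  echo "[i] Versuche LE für ${host} …"
  if ! resolve_ok "$host"; then
    echo "[!] DNS zeigt (noch) nicht auf diese IP – überspringe: ${host}"
    return 0
  fi

  # Keep the key for the MX host so the published TLSA 3 1 1 record
  # (hash of the public key) stays valid across renewals.
  if [[ "$host" == "$MAIL_HOSTNAME" ]]; then
    extra_args+=(--reuse-key)
  fi

  # Best effort: do not stop the other hosts, but surface the failure
  # instead of hiding it behind a bare '|| true'. The ${arr[@]+...} form
  # keeps an empty array from tripping 'set -u' on bash < 4.4.
  certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
    --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
    ${extra_args[@]+"${extra_args[@]}"} || rc=$?
  if (( rc != 0 )); then
    echo "[!] certbot für ${host} fehlgeschlagen (Exit-Code ${rc}) – weiter." >&2
  fi
  return 0
}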
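# Main flow: issue certificates for the configured hosts, reload nginx and
# derive the DANE/TLSA record for the MX. The placeholder domain
# "example.com" marks an unconfigured installation and is skipped.
if [[ "$BASE_DOMAIN" != "example.com" ]]; then
  issue "$UI_HOST"
  issue "$WEBMAIL_HOST"
  issue "$MAIL_HOSTNAME"

  # Reload nginx (the symlink hook points at the new certificates)
  systemctl reload nginx || true

  # Generate the TLSA record for the MX right after the first issuance
  MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
  if [[ -s "$MX_CERT" ]]; then
    # 3 1 1 = DANE-EE, SubjectPublicKeyInfo, SHA-256; the key is kept
    # stable via --reuse-key in issue(), so this hash survives renewals.
    HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | sed 's/^.*= //')"
    # Never publish a record built from unexpected tool output: a SHA-256
    # digest is exactly 64 lowercase hex characters.
    if [[ "$HASH" =~ ^[0-9a-f]{64}$ ]]; then
      TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
      install -d -m 0755 /etc/mailwolt/dns
      printf '%s\n' "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
      printf '%s\n' "[TLSA] ${TLSA_LINE}"
    else
      echo "[!] TLSA-Hash für ${MAIL_HOSTNAME} ungültig – keine Datei geschrieben." >&2
    fi
  fi
else
  echo "[i] BASE_DOMAIN=example.com – LE-Ausstellung wird übersprungen."
fi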