commit 7b2a3a1c374b0a853b379f41561dcf2796c55986
author Matthias Andreas Benkard <code@mail.matthias.benkard.de> Mon Aug 16 10:57:25 2021 +0200
committer Matthias Andreas Benkard <code@mail.matthias.benkard.de> Mon Aug 16 10:57:25 2021 +0200
tree 28fe5b17bb86fa7f276e64c6981ab05401a84038
parent 8bb60d08ffa0baf1a0e81e705342d6f25dd8511c

git subrepo commit (merge) mailcow/src/mailcow-dockerized

subrepo: subdir:   "mailcow/src/mailcow-dockerized"
  merged:   "02ae5285"
upstream: origin:   "https://github.com/mailcow/mailcow-dockerized.git"
  branch:   "master"
  commit:   "649a5c01"
git-subrepo: version:  "0.4.3"
  origin:   "???"
  commit:   "???"
Change-Id: I870ad468fba026cc5abf3c5699ed1e12ff28b32b

mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/acme.sh

diff --git a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/acme.sh b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/acme.sh
index 5d5da1e..4f5cb80 100755
--- a/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/acme.sh
+++ b/mailcow/src/mailcow-dockerized/data/Dockerfiles/acme/acme.sh
@@ -155,6 +155,18 @@
   fi
   if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
     log_f "Generating missing Lets Encrypt account key..."
+    if [[ ! -z ${ACME_CONTACT} ]]; then
+      if ! verify_email "${ACME_CONTACT}"; then
+        log_f "Invalid email address, will not start registration!"
+        sleep 365d
+        exec $(readlink -f "$0")
+      else
+        ACME_CONTACT_PARAMETER="--contact mailto:${ACME_CONTACT}"
+        log_f "Valid email address, using ${ACME_CONTACT} for registration"
+      fi
+    else
+      ACME_CONTACT_PARAMETER=""
+    fi
     openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem
   else
     log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem"
@@ -207,22 +219,9 @@
   IPV6=$(get_ipv6)
   log_f "OK: ${IPV4}, ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}"
 
-  # Hard-fail on CAA errors for MAILCOW_HOSTNAME
-  MH_PARENT_DOMAIN=$(echo ${MAILCOW_HOSTNAME} | cut -d. -f2-)
-  MH_CAAS=( $(dig CAA ${MH_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
-  if [[ ! -z ${MH_CAAS} ]]; then
-    if [[ ${MH_CAAS[@]} =~ "letsencrypt.org" ]]; then
-      log_f "Validated CAA for parent domain ${MH_PARENT_DOMAIN}"
-    else
-      log_f "Skipping ACME validation: Lets Encrypt disallowed for ${MAILCOW_HOSTNAME} by CAA record, retrying in 1h..."
-      sleep 1h
-      exec $(readlink -f "$0")
-    fi
-  fi
-
   #########################################
   # IP and webroot challenge verification #
-  SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0" -Bs)
+  SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
   if [[ ! $? -eq 0 ]]; then
     log_f "Failed to read SQL domains, retrying in 1 minute..."
     sleep 1m
@@ -290,7 +289,7 @@
     VALIDATED_CERTIFICATES+=("${CERT_NAME}")
 
     # obtain server certificate if required
-    DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
+    ACME_CONTACT_PARAMETER=${ACME_CONTACT_PARAMETER} DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
     RETURN="$?"
     if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
       CERT_AMOUNT_CHANGED=1