blob: 4f5cb803557c0f2d37b9fb2cc736334e6a31ceb4 [file] [log] [blame]
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +01001#!/bin/bash
2set -o pipefail
3exec 5>&1
4
5# Do not attempt to write to slave
6if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
7 export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
8else
9 export REDIS_CMDLINE="redis-cli -h redis -p 6379"
10fi
11
12until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
13 echo "Waiting for Redis..."
14 sleep 2
15done
16
17source /srv/functions.sh
18# Thanks to https://github.com/cvmiller -> https://github.com/cvmiller/expand6
19source /srv/expand6.sh
20
21# Skipping IP check when we like to live dangerously
22if [[ "${SKIP_IP_CHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
23 SKIP_IP_CHECK=y
24fi
25
26# Skipping HTTP check when we like to live dangerously
27if [[ "${SKIP_HTTP_VERIFICATION}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
28 SKIP_HTTP_VERIFICATION=y
29fi
30
31# Request certificate for MAILCOW_HOSTNAME only
32if [[ "${ONLY_MAILCOW_HOSTNAME}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
33 ONLY_MAILCOW_HOSTNAME=y
34fi
35
36# Request individual certificate for every domain
37if [[ "${ENABLE_SSL_SNI}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
38 ENABLE_SSL_SNI=y
39fi
40
41if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
42 log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
43 sleep 365d
44 exec $(readlink -f "$0")
45fi
46
47log_f "Waiting for Docker API..."
48until ping dockerapi -c1 > /dev/null; do
49 sleep 1
50done
51log_f "Docker API OK"
52
53log_f "Waiting for Postfix..."
54until ping postfix -c1 > /dev/null; do
55 sleep 1
56done
57log_f "Postfix OK"
58
59log_f "Waiting for Dovecot..."
60until ping dovecot -c1 > /dev/null; do
61 sleep 1
62done
63log_f "Dovecot OK"
64
65ACME_BASE=/var/lib/acme
66SSL_EXAMPLE=/var/lib/ssl-example
67
68mkdir -p ${ACME_BASE}/acme
69
70# Migrate
71[[ -f ${ACME_BASE}/acme/private/privkey.pem ]] && mv ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/key.pem
72[[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/account.pem
73if [[ -f ${ACME_BASE}/acme/key.pem && -f ${ACME_BASE}/acme/cert.pem ]]; then
74 if verify_hash_match ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/key.pem; then
75 log_f "Migrating to SNI folder structure..."
76 CERT_DOMAIN=($(openssl x509 -noout -text -in ${ACME_BASE}/acme/cert.pem | grep "Subject:" | sed -e 's/\(Subject:\)\|\(CN = \)\|\(CN=\)//g' | sed -e 's/^[[:space:]]*//'))
77 CERT_DOMAINS=(${CERT_DOMAIN} $(openssl x509 -noout -text -in ${ACME_BASE}/acme/cert.pem | grep "DNS:" | sed -e 's/\(DNS:\)\|,//g' | sed "s/${CERT_DOMAIN}//" | sed -e 's/^[[:space:]]*//'))
78 mkdir -p ${ACME_BASE}/${CERT_DOMAIN}
79 mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/${CERT_DOMAIN}/cert.pem
80 # key is only copied, not moved, because it is used by all other requests too
81 cp ${ACME_BASE}/acme/key.pem ${ACME_BASE}/${CERT_DOMAIN}/key.pem
82 chmod 600 ${ACME_BASE}/${CERT_DOMAIN}/key.pem
83 echo -n ${CERT_DOMAINS[*]} > ${ACME_BASE}/${CERT_DOMAIN}/domains
84 mv ${ACME_BASE}/acme/acme.csr ${ACME_BASE}/${CERT_DOMAIN}/acme.csr
85 log_f "OK" no_date
86 fi
87fi
88
89[[ ! -f ${ACME_BASE}/dhparams.pem ]] && cp ${SSL_EXAMPLE}/dhparams.pem ${ACME_BASE}/dhparams.pem
90
91if [[ -f ${ACME_BASE}/cert.pem ]] && [[ -f ${ACME_BASE}/key.pem ]] && [[ $(stat -c%s ${ACME_BASE}/cert.pem) != 0 ]]; then
92 ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
93 if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* && ${ISSUER} != *"Fake LE Intermediate"* ]]; then
94 log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..."
95 sleep 3650d
96 exec $(readlink -f "$0")
97 fi
98else
99 if [[ -f ${ACME_BASE}/${MAILCOW_HOSTNAME}/cert.pem ]] && [[ -f ${ACME_BASE}/${MAILCOW_HOSTNAME}/key.pem ]] && verify_hash_match ${ACME_BASE}/${MAILCOW_HOSTNAME}/cert.pem ${ACME_BASE}/${MAILCOW_HOSTNAME}/key.pem; then
100 log_f "Restoring previous acme certificate and restarting script..."
101 cp ${ACME_BASE}/${MAILCOW_HOSTNAME}/cert.pem ${ACME_BASE}/cert.pem
102 cp ${ACME_BASE}/${MAILCOW_HOSTNAME}/key.pem ${ACME_BASE}/key.pem
103 # Restarting with env var set to trigger a restart,
104 exec env TRIGGER_RESTART=1 $(readlink -f "$0")
105 else
106 log_f "Restoring mailcow snake-oil certificates and restarting script..."
107 cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
108 cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
109 exec env TRIGGER_RESTART=1 $(readlink -f "$0")
110 fi
111fi
112
113chmod 600 ${ACME_BASE}/key.pem
114
115log_f "Waiting for database..."
116while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent > /dev/null; do
117 sleep 2
118done
119log_f "Database OK"
120
121log_f "Waiting for Nginx..."
122until $(curl --output /dev/null --silent --head --fail http://nginx:8081); do
123 sleep 2
124done
125log_f "Nginx OK"
126
127log_f "Waiting for resolver..."
128until dig letsencrypt.org +time=3 +tries=1 @unbound > /dev/null; do
129 sleep 2
130done
131log_f "Resolver OK"
132
133# Waiting for domain table
134log_f "Waiting for domain table..."
135while [[ -z ${DOMAIN_TABLE} ]]; do
136 curl --silent http://nginx/ >/dev/null 2>&1
137 DOMAIN_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
138 [[ -z ${DOMAIN_TABLE} ]] && sleep 10
139done
140log_f "OK" no_date
141
142log_f "Initializing, please wait..."
143
144while true; do
145 POSTFIX_CERT_SERIAL="$(echo | openssl s_client -connect postfix:25 -starttls smtp 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
146 DOVECOT_CERT_SERIAL="$(echo | openssl s_client -connect dovecot:143 -starttls imap 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
147 POSTFIX_CERT_SERIAL_NEW="$(echo | openssl s_client -connect postfix:25 -starttls smtp 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
148 DOVECOT_CERT_SERIAL_NEW="$(echo | openssl s_client -connect dovecot:143 -starttls imap 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
149 # Re-using previous acme-mailcow account and domain keys
150 if [[ ! -f ${ACME_BASE}/acme/key.pem ]]; then
151 log_f "Generating missing domain private rsa key..."
152 openssl genrsa 4096 > ${ACME_BASE}/acme/key.pem
153 else
154 log_f "Using existing domain rsa key ${ACME_BASE}/acme/key.pem"
155 fi
156 if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
157 log_f "Generating missing Lets Encrypt account key..."
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200158 if [[ ! -z ${ACME_CONTACT} ]]; then
159 if ! verify_email "${ACME_CONTACT}"; then
160 log_f "Invalid email address, will not start registration!"
161 sleep 365d
162 exec $(readlink -f "$0")
163 else
164 ACME_CONTACT_PARAMETER="--contact mailto:${ACME_CONTACT}"
165 log_f "Valid email address, using ${ACME_CONTACT} for registration"
166 fi
167 else
168 ACME_CONTACT_PARAMETER=""
169 fi
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100170 openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem
171 else
172 log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem"
173 fi
174
175 chmod 600 ${ACME_BASE}/acme/key.pem
176 chmod 600 ${ACME_BASE}/acme/account.pem
177
178 unset EXISTING_CERTS
179 declare -a EXISTING_CERTS
180 for cert_dir in ${ACME_BASE}/*/ ; do
181 if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
182 continue
183 fi
184 EXISTING_CERTS+=("$(basename ${cert_dir})")
185 done
186
187 # Cleaning up and init validation arrays
188 unset SQL_DOMAIN_ARR
189 unset VALIDATED_CONFIG_DOMAINS
190 unset ADDITIONAL_VALIDATED_SAN
191 unset ADDITIONAL_WC_ARR
192 unset ADDITIONAL_SAN_ARR
193 unset CERT_ERRORS
194 unset CERT_CHANGED
195 unset CERT_AMOUNT_CHANGED
196 unset VALIDATED_CERTIFICATES
197 CERT_ERRORS=0
198 CERT_CHANGED=0
199 CERT_AMOUNT_CHANGED=0
200 declare -a SQL_DOMAIN_ARR
201 declare -a VALIDATED_CONFIG_DOMAINS
202 declare -a ADDITIONAL_VALIDATED_SAN
203 declare -a ADDITIONAL_WC_ARR
204 declare -a ADDITIONAL_SAN_ARR
205 declare -a VALIDATED_CERTIFICATES
206 IFS=',' read -r -a TMP_ARR <<< "${ADDITIONAL_SAN}"
207 for i in "${TMP_ARR[@]}" ; do
208 if [[ "$i" =~ \.\*$ ]]; then
209 ADDITIONAL_WC_ARR+=(${i::-2})
210 else
211 ADDITIONAL_SAN_ARR+=($i)
212 fi
213 done
214 ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig')
215
216 # Start IP detection
217 log_f "Detecting IP addresses..."
218 IPV4=$(get_ipv4)
219 IPV6=$(get_ipv6)
220 log_f "OK: ${IPV4}, ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}"
221
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100222 #########################################
223 # IP and webroot challenge verification #
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200224 SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100225 if [[ ! $? -eq 0 ]]; then
226 log_f "Failed to read SQL domains, retrying in 1 minute..."
227 sleep 1m
228 exec $(readlink -f "$0")
229 fi
230 while read domains; do
231 if [[ -z "${domains}" ]]; then
232 # ignore empty lines
233 continue
234 fi
235 SQL_DOMAIN_ARR+=("${domains}")
236 done <<< "${SQL_DOMAINS}"
237
238 if [[ ${ONLY_MAILCOW_HOSTNAME} != "y" ]]; then
239 for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
240 unset VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
241 declare -a VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
242 for SUBDOMAIN in "${ADDITIONAL_WC_ARR[@]}"; do
243 if [[ "${SUBDOMAIN}.${SQL_DOMAIN}" != "${MAILCOW_HOSTNAME}" ]]; then
244 if check_domain "${SUBDOMAIN}.${SQL_DOMAIN}"; then
245 VALIDATED_CONFIG_DOMAINS_SUBDOMAINS+=("${SUBDOMAIN}.${SQL_DOMAIN}")
246 fi
247 fi
248 done
249 VALIDATED_CONFIG_DOMAINS+=("${VALIDATED_CONFIG_DOMAINS_SUBDOMAINS[*]}")
250 done
251 fi
252
253 if check_domain ${MAILCOW_HOSTNAME}; then
254 VALIDATED_MAILCOW_HOSTNAME="${MAILCOW_HOSTNAME}"
255 fi
256
257 if [[ ${ONLY_MAILCOW_HOSTNAME} != "y" ]]; then
258 for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
259 # Skip on CAA errors for SAN
260 SAN_PARENT_DOMAIN=$(echo ${SAN} | cut -d. -f2-)
261 SAN_CAAS=( $(dig CAA ${SAN_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
262 if [[ ! -z ${SAN_CAAS} ]]; then
263 if [[ ${SAN_CAAS[@]} =~ "letsencrypt.org" ]]; then
264 log_f "Validated CAA for parent domain ${SAN_PARENT_DOMAIN} of ${SAN}"
265 else
266 log_f "Skipping ACME validation for ${SAN}: Lets Encrypt disallowed for ${SAN} by CAA record"
267 continue
268 fi
269 fi
270 if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then
271 continue
272 fi
273 if check_domain ${SAN}; then
274 ADDITIONAL_VALIDATED_SAN+=("${SAN}")
275 fi
276 done
277 fi
278
279 # Unique domains for server certificate
280 if [[ ${ENABLE_SSL_SNI} == "y" ]]; then
281 # create certificate for server name and fqdn SANs only
282 SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
283 else
284 # create certificate for all domains, including all subdomains from other domains [*]
285 SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
286 fi
287 if [[ ! -z ${SERVER_SAN_VALIDATED[*]} ]]; then
288 CERT_NAME=${SERVER_SAN_VALIDATED[0]}
289 VALIDATED_CERTIFICATES+=("${CERT_NAME}")
290
291 # obtain server certificate if required
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200292 ACME_CONTACT_PARAMETER=${ACME_CONTACT_PARAMETER} DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100293 RETURN="$?"
294 if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
295 CERT_AMOUNT_CHANGED=1
296 CERT_CHANGED=1
297 elif [[ "$RETURN" == "1" ]]; then # 1 = cert renewed successfully
298 CERT_CHANGED=1
299 elif [[ "$RETURN" == "2" ]]; then # 2 = cert not due for renewal
300 :
301 else
302 CERT_ERRORS=1
303 fi
304 # copy hostname certificate to default/server certificate
305 # do not a key when cert is missing, this can lead to a mismatch of cert/key
306 if [[ -f ${ACME_BASE}/${CERT_NAME}/cert.pem ]]; then
307 cp ${ACME_BASE}/${CERT_NAME}/cert.pem ${ACME_BASE}/cert.pem
308 cp ${ACME_BASE}/${CERT_NAME}/key.pem ${ACME_BASE}/key.pem
309 fi
310 fi
311
312 # individual certificates for SNI [@]
313 if [[ ${ENABLE_SSL_SNI} == "y" ]]; then
314 for VALIDATED_DOMAINS in "${VALIDATED_CONFIG_DOMAINS[@]}"; do
315 VALIDATED_DOMAINS_ARR=(${VALIDATED_DOMAINS})
316
317 unset VALIDATED_DOMAINS_SORTED
318 declare -a VALIDATED_DOMAINS_SORTED
319 VALIDATED_DOMAINS_SORTED=(${VALIDATED_DOMAINS_ARR[0]} $(echo ${VALIDATED_DOMAINS_ARR[@]:1} | xargs -n1 | sort -u | xargs))
320
321 # remove all domain names that are already inside the server certificate (SERVER_SAN_VALIDATED)
322 for domain in "${SERVER_SAN_VALIDATED[@]}"; do
323 for i in "${!VALIDATED_DOMAINS_SORTED[@]}"; do
324 if [[ ${VALIDATED_DOMAINS_SORTED[i]} = $domain ]]; then
325 unset 'VALIDATED_DOMAINS_SORTED[i]'
326 fi
327 done
328 done
329
330 if [[ ! -z ${VALIDATED_DOMAINS_SORTED[*]} ]]; then
331 CERT_NAME=${VALIDATED_DOMAINS_SORTED[0]}
332 VALIDATED_CERTIFICATES+=("${CERT_NAME}")
333 # obtain certificate if required
334 DOMAINS=${VALIDATED_DOMAINS_SORTED[@]} /srv/obtain-certificate.sh rsa
335 RETURN="$?"
336 if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
337 CERT_AMOUNT_CHANGED=1
338 CERT_CHANGED=1
339 elif [[ "$RETURN" == "1" ]]; then # 1 = cert renewed successfully
340 CERT_CHANGED=1
341 elif [[ "$RETURN" == "2" ]]; then # 2 = cert not due for renewal
342 :
343 else
344 CERT_ERRORS=1
345 fi
346 fi
347 done
348 fi
349
350 if [[ -z ${VALIDATED_CERTIFICATES[*]} ]]; then
351 log_f "Cannot validate any hostnames, skipping Let's Encrypt for 1 hour."
352 log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
353 ${REDIS_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
354 sleep 1h
355 exec $(readlink -f "$0")
356 fi
357
358 # find orphaned certificates if no errors occurred
359 if [[ "${CERT_ERRORS}" == "0" ]]; then
360 for EXISTING_CERT in "${EXISTING_CERTS[@]}"; do
361 if [[ ! "`printf '_%s_\n' "${VALIDATED_CERTIFICATES[@]}"`" == *"_${EXISTING_CERT}_"* ]]; then
362 DATE=$(date +%Y-%m-%d_%H_%M_%S)
363 log_f "Found orphaned certificate: ${EXISTING_CERT} - archiving it at ${ACME_BASE}/backups/${EXISTING_CERT}/"
364 BACKUP_DIR=${ACME_BASE}/backups/${EXISTING_CERT}/${DATE}
365 # archive rsa cert and any other files
366 mkdir -p ${ACME_BASE}/backups/${EXISTING_CERT}
367 mv ${ACME_BASE}/${EXISTING_CERT} ${BACKUP_DIR}
368 CERT_CHANGED=1
369 CERT_AMOUNT_CHANGED=1
370 fi
371 done
372 fi
373
374 # reload on new or changed certificates
375 if [[ "${CERT_CHANGED}" == "1" ]]; then
376 rm -f "${ACME_BASE}/force_renew" 2> /dev/null
377 RELOAD_LOOP_C=1
378 while [[ "${POSTFIX_CERT_SERIAL}" == "${POSTFIX_CERT_SERIAL_NEW}" ]] || [[ "${DOVECOT_CERT_SERIAL}" == "${DOVECOT_CERT_SERIAL_NEW}" ]] || [[ ${#POSTFIX_CERT_SERIAL_NEW} -ne 36 ]] || [[ ${#DOVECOT_CERT_SERIAL_NEW} -ne 36 ]]; do
379 log_f "Reloading or restarting services... (${RELOAD_LOOP_C})"
380 RELOAD_LOOP_C=$((RELOAD_LOOP_C + 1))
381 CERT_AMOUNT_CHANGED=${CERT_AMOUNT_CHANGED} /srv/reload-configurations.sh
382 log_f "Waiting for containers to settle..."
383 sleep 10
384 until nc -z dovecot 143; do
385 sleep 1
386 done
387 until nc -z postfix 25; do
388 sleep 1
389 done
390 POSTFIX_CERT_SERIAL_NEW="$(echo | openssl s_client -connect postfix:25 -starttls smtp 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
391 DOVECOT_CERT_SERIAL_NEW="$(echo | openssl s_client -connect dovecot:143 -starttls imap 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
392 if [[ ${RELOAD_LOOP_C} -gt 3 ]]; then
393 log_f "Some services do return old end dates, something went wrong!"
394 ${REDIS_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
395 break;
396 fi
397 done
398 fi
399
400 case "$CERT_ERRORS" in
401 0) # all successful
402 if [[ "${CERT_CHANGED}" == "1" ]]; then
403 if [[ "${CERT_AMOUNT_CHANGED}" == "1" ]]; then
404 log_f "Certificates successfully requested and renewed where required, sleeping one day"
405 else
406 log_f "Certificates were successfully renewed where required, sleeping for another day."
407 fi
408 else
409 log_f "Certificates were successfully validated, no changes or renewals required, sleeping for another day."
410 fi
411 sleep 1d
412 ;;
413 *) # non-zero
414 log_f "Some errors occurred, retrying in 30 minutes..."
415 ${REDIS_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
416 sleep 30m
417 exec $(readlink -f "$0")
418 ;;
419 esac
420
421done