mailinabox/setup/ssl.sh

#!/bin/bash
#
# SSL Certificate
#
# Create a self-signed SSL certificate if one has not yet been created.
#
# The certificate is for PRIMARY_HOSTNAME specifically and is used for:
#
#  * IMAP
#  * SMTP submission (port 587) and opportunistic TLS (when on the receiving end)
#  * the DNSSEC DANE TLSA record for SMTP
#  * HTTPS (for PRIMARY_HOSTNAME only)
#
# When other domains besides PRIMARY_HOSTNAME are served over HTTPS,
# we generate a domain-specific self-signed certificate in the management
# daemon (web_update.py) as needed.

source setup/functions.sh # load our functions
source /etc/mailinabox.conf # load global vars

apt_install openssl

mkdir -p $STORAGE_ROOT/ssl
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
	# Generate a new private key if one doesn't already exist.
	# Set the umask so the key file is not world-readable.
	(umask 077; hide_output \
		openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
fi
if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
	# Generate a certificate signing request if one doesn't already exist.
	hide_output \
	openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
	  -sha256 -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PRIMARY_HOSTNAME"
fi
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
	# Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist.
	hide_output \
	openssl x509 -req -days 365 \
	  -in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
fi
move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:15:53 +00:00			`#!/bin/bash`
			`#`
			`# SSL Certificate`
			`#`
			`# Create a self-signed SSL certificate if one has not yet been created.`
			`#`
s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout 2014-06-30 13:15:36 +00:00			`# The certificate is for PRIMARY_HOSTNAME specifically and is used for:`
move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:15:53 +00:00			`#`
			`# * IMAP`
			`# * SMTP submission (port 587) and opportunistic TLS (when on the receiving end)`
			`# * the DNSSEC DANE TLSA record for SMTP`
s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout 2014-06-30 13:15:36 +00:00			`# * HTTPS (for PRIMARY_HOSTNAME only)`
move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:15:53 +00:00			`#`
s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout 2014-06-30 13:15:36 +00:00			`# When other domains besides PRIMARY_HOSTNAME are served over HTTPS,`
move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:15:53 +00:00			`# we generate a domain-specific self-signed certificate in the management`
			`# daemon (web_update.py) as needed.`

			`source setup/functions.sh # load our functions`
			`source /etc/mailinabox.conf # load global vars`

			`apt_install openssl`

			`mkdir -p $STORAGE_ROOT/ssl`
the SSL private key would be overwritten if ssl_certificate.pem file was deleted; maybe the cause of #98 2014-07-28 19:38:17 +00:00			`if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then`
move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:15:53 +00:00			`# Generate a new private key if one doesn't already exist.`
			`# Set the umask so the key file is not world-readable.`
hide lots of unnecessary and scary output during setup 2014-07-16 13:06:45 +00:00			`(umask 077; hide_output \`
			`openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)`
move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:15:53 +00:00			`fi`
			`if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then`
			`# Generate a certificate signing request if one doesn't already exist.`
hide lots of unnecessary and scary output during setup 2014-07-16 13:06:45 +00:00			`hide_output \`
move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:15:53 +00:00			`openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \`
when generating SSL CSRs, using SHA256 as SHA1 is being phased out, per @konklone 2014-08-23 21:49:33 +00:00			`-sha256 -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PRIMARY_HOSTNAME"`
move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:15:53 +00:00			`fi`
			`if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then`
			`# Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist.`
hide lots of unnecessary and scary output during setup 2014-07-16 13:06:45 +00:00			`hide_output \`
move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:15:53 +00:00			`openssl x509 -req -days 365 \`
			`-in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem`
			`fi`