2014-06-21 22:15:53 +00:00
|
|
|
#!/bin/bash
|
|
|
|
#
|
|
|
|
# SSL Certificate
|
2014-09-21 17:43:21 +00:00
|
|
|
# ---------------
|
2014-06-21 22:15:53 +00:00
|
|
|
#
|
|
|
|
# Create a self-signed SSL certificate if one has not yet been created.
|
|
|
|
#
|
2014-06-30 13:15:36 +00:00
|
|
|
# The certificate is for PRIMARY_HOSTNAME specifically and is used for:
|
2014-06-21 22:15:53 +00:00
|
|
|
#
|
|
|
|
# * IMAP
|
|
|
|
# * SMTP submission (port 587) and opportunistic TLS (when on the receiving end)
|
|
|
|
# * the DNSSEC DANE TLSA record for SMTP
|
2014-06-30 13:15:36 +00:00
|
|
|
# * HTTPS (for PRIMARY_HOSTNAME only)
|
2014-06-21 22:15:53 +00:00
|
|
|
#
|
2014-06-30 13:15:36 +00:00
|
|
|
# When other domains besides PRIMARY_HOSTNAME are served over HTTPS,
|
2014-06-21 22:15:53 +00:00
|
|
|
# we generate a domain-specific self-signed certificate in the management
|
|
|
|
# daemon (web_update.py) as needed.
|
|
|
|
|
|
|
|
source setup/functions.sh # load our functions
|
|
|
|
source /etc/mailinabox.conf # load global vars
|
|
|
|
|
|
|
|
apt_install openssl
|
|
|
|
|
|
|
|
mkdir -p $STORAGE_ROOT/ssl
|
2014-09-21 17:43:21 +00:00
|
|
|
# Generate a new private key if one doesn't already exist.
|
|
|
|
# Set the umask so the key file is not world-readable.
|
2014-07-28 19:38:17 +00:00
|
|
|
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
|
2014-07-16 13:06:45 +00:00
|
|
|
(umask 077; hide_output \
|
|
|
|
openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
|
2014-06-21 22:15:53 +00:00
|
|
|
fi
|
2014-09-21 17:43:21 +00:00
|
|
|
|
|
|
|
# Generate a certificate signing request if one doesn't already exist.
|
2014-06-21 22:15:53 +00:00
|
|
|
if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
|
2014-07-16 13:06:45 +00:00
|
|
|
hide_output \
|
2014-06-21 22:15:53 +00:00
|
|
|
openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
|
2014-08-23 21:49:33 +00:00
|
|
|
-sha256 -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PRIMARY_HOSTNAME"
|
2014-06-21 22:15:53 +00:00
|
|
|
fi
|
2014-09-21 17:43:21 +00:00
|
|
|
|
|
|
|
# Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist.
|
2014-06-21 22:15:53 +00:00
|
|
|
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
2014-07-16 13:06:45 +00:00
|
|
|
hide_output \
|
2014-06-21 22:15:53 +00:00
|
|
|
openssl x509 -req -days 365 \
|
|
|
|
-in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
|
|
|
|
fi
|
|
|
|
|
2014-09-26 22:01:38 +00:00
|
|
|
# For nginx and postfix, pre-generate some better DH bits. They seem to
|
|
|
|
# each rely on openssl's default of 1024 bits.
|
|
|
|
if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
|
|
|
|
openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
|
|
|
|
fi
|