dont save the CSR generated to make self-signed certificates for non-primary domains (it has no value and might be confusing)
This commit is contained in:
parent
a3e526e818
commit
3187053b3a
@ -36,7 +36,7 @@ def buy_ssl_certificate(api_key, domain, command, env):
# Where is the SSL cert stored?
# Where is the SSL cert stored?
ssl_key, ssl_certificate, ssl_csr_path = get_domain_ssl_files(domain, env)
ssl_key, ssl_certificate = get_domain_ssl_files(domain, env)
# Have we already created a cert for this domain?
# Have we already created a cert for this domain?
@ -249,7 +249,7 @@ def dns_get_dump():
@authorized_personnel_only
@authorized_personnel_only
def ssl_get_csr(domain):
def ssl_get_csr(domain):
from web_update import get_domain_ssl_files, create_csr
from web_update import get_domain_ssl_files, create_csr
ssl_key, ssl_certificate, csr_path = get_domain_ssl_files(domain, env)
ssl_key, ssl_certificate = get_domain_ssl_files(domain, env)
return create_csr(domain, ssl_key, env)
return create_csr(domain, ssl_key, env)
@app.route('/ssl/install', methods=['POST'])
@app.route('/ssl/install', methods=['POST'])
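Review bot: In ssl_get_csr the new line `ssl_key, ssl_certificate = get_domain_ssl_files(domain, env)` binds ssl_certificate and never uses it, since only ssl_key feeds create_csr on the next line; the conventional spelling is `ssl_key, _ = get_domain_ssl_files(domain, env)` so a reader does not look for a later use. The handler also carries no docstring, and its behaviour has changed: the CSR is now generated on every request instead of being read back from a saved file, so a one-liner such as `"""Return a freshly generated CSR for *domain* (nothing is written to STORAGE_ROOT, assuming create_csr itself persists nothing)."""` would record that. Whether env here is a module global or something else is not visible in the hunk.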
@ -458,7 +458,7 @@ def check_ssl_cert(domain, env):
if query_dns(domain, "A", None) not in (env['PUBLIC_IP'], None): return
if query_dns(domain, "A", None) not in (env['PUBLIC_IP'], None): return
# Where is the SSL stored?
# Where is the SSL stored?
ssl_key, ssl_certificate, ssl_csr_path = get_domain_ssl_files(domain, env)
ssl_key, ssl_certificate = get_domain_ssl_files(domain, env)
if not os.path.exists(ssl_certificate):
if not os.path.exists(ssl_certificate):
env['out'].print_error("The SSL certificate file for this domain is missing.")
env['out'].print_error("The SSL certificate file for this domain is missing.")
@ -707,7 +707,7 @@ if __name__ == "__main__":
domain = env['PRIMARY_HOSTNAME']
domain = env['PRIMARY_HOSTNAME']
if query_dns(domain, "A") != env['PUBLIC_IP']:
if query_dns(domain, "A") != env['PUBLIC_IP']:
sys.exit(1)
sys.exit(1)
ssl_key, ssl_certificate, ssl_csr_path = get_domain_ssl_files(domain, env)
ssl_key, ssl_certificate = get_domain_ssl_files(domain, env)
if not os.path.exists(ssl_certificate):
if not os.path.exists(ssl_certificate):
sys.exit(1)
sys.exit(1)
cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key)
cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key)
@ -2,7 +2,7 @@
# domains for which a mail account has been set up.
# domains for which a mail account has been set up.
########################################################################
########################################################################
import os, os.path, shutil, re, rtyaml
import os, os.path, shutil, re, tempfile, rtyaml
from mailconfig import get_mail_domains
from mailconfig import get_mail_domains
from dns_update import get_custom_dns_config, do_dns_update
from dns_update import get_custom_dns_config, do_dns_update
@ -75,11 +75,11 @@ def make_domain_config(domain, template, template_for_primaryhost, env):
root = get_web_root(domain, env)
root = get_web_root(domain, env)
# What private key and SSL certificate will we use for this domain?
# What private key and SSL certificate will we use for this domain?
ssl_key, ssl_certificate, csr_path = get_domain_ssl_files(domain, env)
ssl_key, ssl_certificate = get_domain_ssl_files(domain, env)
# For hostnames created after the initial setup, ensure we have an SSL certificate
# For hostnames created after the initial setup, ensure we have an SSL certificate
# available. Make a self-signed one now if one doesn't exist.
# available. Make a self-signed one now if one doesn't exist.
ensure_ssl_certificate_exists(domain, ssl_key, ssl_certificate, csr_path, env)
ensure_ssl_certificate_exists(domain, ssl_key, ssl_certificate, env)
# Put pieces together.
# Put pieces together.
nginx_conf_parts = re.split("\s*# ADDITIONAL DIRECTIVES HERE\s*", template)
nginx_conf_parts = re.split("\s*# ADDITIONAL DIRECTIVES HERE\s*", template)
@ -164,16 +164,9 @@ def get_domain_ssl_files(domain, env, allow_shared_cert=True):
if check_certificate(domain, ssl_certificate_primary, None)[0] == "OK":
if check_certificate(domain, ssl_certificate_primary, None)[0] == "OK":
ssl_certificate = ssl_certificate_primary
ssl_certificate = ssl_certificate_primary
# Where would the CSR go? As with the SSL cert itself, the CSR must be
return ssl_key, ssl_certificate
# different for each domain name.
if domain == env['PRIMARY_HOSTNAME']:
csr_path = os.path.join(env["STORAGE_ROOT"], 'ssl/ssl_cert_sign_req.csr')
else:
csr_path = os.path.join(env["STORAGE_ROOT"], 'ssl/%s/certificate_signing_request.csr' % safe_domain_name(domain))
return ssl_key, ssl_certificate, csr_path
def ensure_ssl_certificate_exists(domain, ssl_key, ssl_certificate, env):
def ensure_ssl_certificate_exists(domain, ssl_key, ssl_certificate, csr_path, env):
# For domains besides PRIMARY_HOSTNAME, generate a self-signed certificate if
# For domains besides PRIMARY_HOSTNAME, generate a self-signed certificate if
# a certificate doesn't already exist. See setup/mail.sh for documentation.
# a certificate doesn't already exist. See setup/mail.sh for documentation.
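Review bot: The return contract of get_domain_ssl_files shrinks from a 3-tuple to a 2-tuple at `return ssl_key, ssl_certificate`, and the function has no docstring stating what it returns; every in-tree caller is updated in this commit, but any other unpacking caller fails with a ValueError only when the line runs, not at import. A docstring such as `"""Return (private key path, certificate path) for *domain*; the primary host's certificate is substituted when check_certificate accepts it for this domain."""` would pin the new shape, with the allow_shared_cert gating stated only as far as the code above the hunk supports it. The removed branch was the only visible use of safe_domain_name in this hunk; if nothing else references it the helper can go too, but its definition is outside the hunk so I cannot confirm. get_domain_ssl_files begins before this hunk.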
@ -192,15 +185,16 @@ def ensure_ssl_certificate_exists(domain, ssl_key, ssl_certificate, csr_path, en
# Generate a new self-signed certificate using the same private key that we already have.
# Generate a new self-signed certificate using the same private key that we already have.
# Start with a CSR.
# Start with a CSR written to a temporary file.
with open(csr_path, "w") as f:
with tempfile.NamedTemporaryFile(mode="w") as csr_fp:
f.write(create_csr(domain, ssl_key, env))
csr_fp.write(create_csr(domain, ssl_key, env))
csr_fp.flush() # since we won't close until after running 'openssl x509', since close triggers delete.
# And then make the certificate.
# And then make the certificate.
shell("check_call", [
shell("check_call", [
"openssl", "x509", "-req",
"openssl", "x509", "-req",
"-days", "365",
"-days", "365",
"-in", csr_path,
"-in", csr_fp.name,
"-signkey", ssl_key,
"-signkey", ssl_key,
"-out", ssl_certificate])
"-out", ssl_certificate])
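Review bot: The trailing comment on `csr_fp.flush()` reads awkwardly; `csr_fp.flush()  # openssl reads the CSR by name before the with-block exits; closing the file would delete it` states the reason plainly. No `encoding=` is passed to NamedTemporaryFile, so the PEM text is written in the locale's default encoding; the CSR is ASCII so this works, but `tempfile.NamedTemporaryFile(mode="w", encoding="ascii")` removes the locale dependence. On the security side the move from a STORAGE_ROOT path to a temp file is sound: the file is created with owner-only permissions and holds only the public key and subject, while the private key is still read by openssl from `ssl_key` via `-signkey`, exactly as before. A side benefit worth a comment is that the context manager now removes the CSR even when `shell("check_call", ...)` raises. ensure_ssl_certificate_exists begins before this hunk.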
@ -225,7 +219,7 @@ def install_cert(domain, ssl_cert, ssl_chain, env):
# Do validation on the certificate before installing it.
# Do validation on the certificate before installing it.
from status_checks import check_certificate
from status_checks import check_certificate
ssl_key, ssl_certificate, ssl_csr_path = get_domain_ssl_files(domain, env, allow_shared_cert=False)
ssl_key, ssl_certificate = get_domain_ssl_files(domain, env, allow_shared_cert=False)
cert_status, cert_status_details = check_certificate(domain, fn, ssl_key)
cert_status, cert_status_details = check_certificate(domain, fn, ssl_key)
if cert_status != "OK":
if cert_status != "OK":
if cert_status == "SELF-SIGNED":
if cert_status == "SELF-SIGNED":
@ -258,7 +252,7 @@ def install_cert(domain, ssl_cert, ssl_chain, env):
def get_web_domains_info(env):
def get_web_domains_info(env):
def check_cert(domain):
def check_cert(domain):
from status_checks import check_certificate
from status_checks import check_certificate
ssl_key, ssl_certificate, ssl_csr_path = get_domain_ssl_files(domain, env)
ssl_key, ssl_certificate = get_domain_ssl_files(domain, env)
if not os.path.exists(ssl_certificate):
if not os.path.exists(ssl_certificate):
return ("danger", "No Certificate Installed")
return ("danger", "No Certificate Installed")
cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key)
cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key)