1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-22 02:17:26 +00:00

if the server certificate can be used for a non-primary domain, use it

This commit is contained in:
Joshua Tauberer 2014-07-09 16:38:42 +00:00
parent 6c70b10c15
commit 659b5c8aa3

View File

@ -96,18 +96,29 @@ def get_domain_ssl_files(domain, env):
# Don't allow the user to override the key for PRIMARY_HOSTNAME because # Don't allow the user to override the key for PRIMARY_HOSTNAME because
# that's what's in the main file. # that's what's in the main file.
ssl_key = os.path.join(env["STORAGE_ROOT"], 'ssl/ssl_private_key.pem') ssl_key = os.path.join(env["STORAGE_ROOT"], 'ssl/ssl_private_key.pem')
ssl_key_is_alt = False
alt_key = os.path.join(env["STORAGE_ROOT"], 'ssl/%s/private_key.pem' % safe_domain_name(domain)) alt_key = os.path.join(env["STORAGE_ROOT"], 'ssl/%s/private_key.pem' % safe_domain_name(domain))
if domain != env['PRIMARY_HOSTNAME'] and os.path.exists(alt_key): if domain != env['PRIMARY_HOSTNAME'] and os.path.exists(alt_key):
ssl_key = alt_key ssl_key = alt_key
ssl_key_is_alt = True
# What SSL certificate will we use? This has to be differnet for each # What SSL certificate will we use?
# domain name. For PRIMARY_HOSTNAME, use the one we generated at set-up ssl_certificate_primary = os.path.join(env["STORAGE_ROOT"], 'ssl/ssl_certificate.pem')
# time.
if domain == env['PRIMARY_HOSTNAME']: if domain == env['PRIMARY_HOSTNAME']:
ssl_certificate = os.path.join(env["STORAGE_ROOT"], 'ssl/ssl_certificate.pem') # For PRIMARY_HOSTNAME, use the one we generated at set-up time.
ssl_certificate = ssl_certificate_primary
else: else:
# For other domains, we'll probably use a certificate in a different path.
ssl_certificate = os.path.join(env["STORAGE_ROOT"], 'ssl/%s/ssl_certificate.pem' % safe_domain_name(domain)) ssl_certificate = os.path.join(env["STORAGE_ROOT"], 'ssl/%s/ssl_certificate.pem' % safe_domain_name(domain))
# But we can be smart and reuse the main SSL certificate if is has
# a Subject Alternative Name matching this domain. Don't do this if
# the user has uploaded a different private key for this domain.
if not ssl_key_is_alt:
from whats_next import check_certificate
if check_certificate(domain, ssl_certificate_primary, None) == "OK":
ssl_certificate = ssl_certificate_primary
# Where would the CSR go? As with the SSL cert itself, the CSR must be # Where would the CSR go? As with the SSL cert itself, the CSR must be
# different for each domain name. # different for each domain name.
if domain == env['PRIMARY_HOSTNAME']: if domain == env['PRIMARY_HOSTNAME']:
@ -118,12 +129,17 @@ def get_domain_ssl_files(domain, env):
return ssl_key, ssl_certificate, csr_path return ssl_key, ssl_certificate, csr_path
def ensure_ssl_certificate_exists(domain, ssl_key, ssl_certificate, csr_path, env): def ensure_ssl_certificate_exists(domain, ssl_key, ssl_certificate, csr_path, env):
# For domains besides PRIMARY_HOSTNAME, generate a self-signed certificate if one doesn't # For domains besides PRIMARY_HOSTNAME, generate a self-signed certificate if
# already exist. See setup/mail.sh for documentation. # a certificate doesn't already exist. See setup/mail.sh for documentation.
if domain == env['PRIMARY_HOSTNAME']: if domain == env['PRIMARY_HOSTNAME']:
return return
# Sanity check. Shouldn't happen. A non-primary domain might use this
# certificate (see above), but then the certificate should exist anyway.
if ssl_certificate == os.path.join(env["STORAGE_ROOT"], 'ssl/ssl_certificate.pem'):
return
if os.path.exists(ssl_certificate): if os.path.exists(ssl_certificate):
return return