Merge ae96f6f5e6 into d7244ed920

2026-04-02 21:37:23 +02:00 · 2022-08-27 16:12:15 +09:00
parent d7244ed920 ae96f6f5e6
commit 88f521d697
11 changed files with 270 additions and 37 deletions
--- a/setup/migrate.py
+++ b/setup/migrate.py
@@ -213,7 +213,7 @@ def run_migrations():
 	migration_id = None
 	if os.path.exists(migration_id_file):
 		with open(migration_id_file) as f:
-			migration_id = f.read().strip();
+			migration_id = f.read().strip()

 	if migration_id is None:
 		# Load the legacy location of the migration ID. We'll drop support
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@@ -39,6 +39,7 @@ apt_install openssl
 # Create a directory to store TLS-related things like "SSL" certificates.

 mkdir -p $STORAGE_ROOT/ssl
+mkdir -p $STORAGE_ROOT/ssl-backup  # creating a backup directory for ssl certs just to be safe

 # Generate a new private key.
 #
@@ -66,6 +67,13 @@ if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
 		openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
 fi

+# for Double TLSA scheme. More details here (https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html)
+if [ ! -f $STORAGE_ROOT/ssl/next_ssl_private_key.pem ]; then
+	# Set the umask so the key file is never world-readable.
+	(umask 077; hide_output \
+		openssl genrsa -out $STORAGE_ROOT/ssl/next_ssl_private_key.pem 2048)
+fi
+
 # Generate a self-signed SSL certificate because things like nginx, dovecot,
 # etc. won't even start without some certificate in place, and we need nginx
 # so we can offer the user a control panel to install a better certificate.