script to check the SSL certificate, with instructions for turning the self-signed certificate into a properly signed certificate
This commit is contained in:
Joshua Tauberer
parent
ea62c2419d
commit
a35fa12465
|
|
@ -0,0 +1,42 @@
|
|||
#!/bin/bash
|
||||
# Checks the status of the SSL certificate and tells the user
|
||||
# what to do next.
|
||||
|
||||
. /etc/mailinabox.conf
|
||||
|
||||
if openssl verify $STORAGE_ROOT/ssl/ssl_certificate.pem | grep "self signed" > /dev/null; then
|
||||
echo "Your SSL certificate has not yet been signed by a certificate authority (CA)."
|
||||
echo
|
||||
echo "Before you continue:"
|
||||
echo
|
||||
echo "* Your email on this Mail-in-a-Box should be working already."
|
||||
echo
|
||||
echo "Okay, go to https://store.sslmatrix.com/products.php?prod=1&yr=1 and begin the process of ordering a RapidSSL SSL certificate for \$9.95."
|
||||
# TODO: Say something about choosing a good password for SSLMatrix?
|
||||
echo
|
||||
#echo "They'll send you an email with instructions for getting your signed certificate. Remember that since Mail-in-a-Box uses Greylisting, that email may not arrive immediately. (You'll also get another Sales Receipt email, and if you pay by PayPal a third email containing a receipt from PayPal.)"
|
||||
echo "After completing your purchase, click My Dashboard, then click your order number. Copy the Configuration PIN to your clipboard, and then next to SSL Status click Configure SSL. Paste the PIN back in and enter the verification code from the image."
|
||||
echo
|
||||
echo "Copy the following certificate signing request (CSR), including the BEGIN and END lines, to your clipboard:"
|
||||
echo
|
||||
cat $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr
|
||||
echo
|
||||
echo "(It is safe to share your CSR. It contains only the public half of your secret SSL information.)"
|
||||
echo
|
||||
echo "Paste the CSR into the big box. Then click continue. Fill out the form. Pick an email address that you have set up an alias for so you can receive mail to that address. For Server Type, choose Other. Walk through the steps until you have gotten your SSL certificate."
|
||||
echo
|
||||
echo "Empty the contents of $STORAGE_ROOT/ssl/ssl_certificate.pem. Paste your SSL certificate into the file. Rapid SSL will also tell you to download an intermediate certificate. Download the Bundled CA Version (PEM) and paste it into $STORAGE_ROOT/ssl/ssl_certificate.pem *below* your certificate."
|
||||
echo
|
||||
echo "Then restart your machine to ensure that system services begin using the SSL certificate."
|
||||
|
||||
else
|
||||
# Certificate is not self-signed. In order to verify with openssl, we need to split out any
|
||||
# intermediary certificates in the chain from our certificate (at the top).
|
||||
|
||||
perl -n0777e '@x = /(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)(.*)/sg; print $x[1];' \
|
||||
< $STORAGE_ROOT/ssl/ssl_certificate.pem > /tmp/ssl_chain.pem
|
||||
|
||||
openssl verify -verbose -purpose sslserver -policy_check \
|
||||
-untrusted /tmp/ssl_chain.pem \
|
||||
$STORAGE_ROOT/ssl/ssl_certificate.pem
|
||||
fi
|
||||
Loading…
Reference in New Issue