Added key rollover code.

2026-03-06 16:07:22 +01:00 · 2020-11-04 20:25:25 +06:00
parent 94aab7c5e2
commit e6657d6ebe
6 changed files with 228 additions and 29 deletions
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@@ -19,7 +19,7 @@
 #
 # The Diffie-Hellman cipher bits are used for SMTP and HTTPS, when a
 # Diffie-Hellman cipher is selected during TLS negotiation. Diffie-Hellman
-# provides Perfect Forward Secrecy. 
+# provides Perfect Forward Secrecy.

 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
@@ -66,6 +66,13 @@ if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
 		openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
 fi

+# for Double TLSA scheme. More details here (https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html)
+if [ ! -f $STORAGE_ROOT/ssl/next_ssl_private_key.pem ]; then
+	# Set the umask so the key file is never world-readable.
+	(umask 077; hide_output \
+		openssl genrsa -out $STORAGE_ROOT/ssl/next_ssl_private_key.pem 2048)
+fi
+
 # Generate a self-signed SSL certificate because things like nginx, dovecot,
 # etc. won't even start without some certificate in place, and we need nginx
 # so we can offer the user a control panel to install a better certificate.