Merge remote-tracking branch 'upstream/master'

2025-04-21 03:02:09 +00:00 · 2018-07-20 10:11:48 -04:00 · 2018-07-20 10:11:48 -04:00 · f51201ce14
commit f51201ce14
parent 13ead63e1a 2f467556bd
6 changed files with 41 additions and 24 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,21 @@
 CHANGELOG
 =========

+In Development
+--------------
+
+System:
+
+* We now use EFF's `certbot` to provision TLS certificates (from Let's Encrypt) instead of our home-grown ACME library.
+
+Contacts/Calendar:
+
+* Fix for Mac OS X autoconfig of the calendar.
+
+Setup:
+
+* Installing Z-Push broke because of what looks like a change or problem in their git server HTTPS certificate. That's fixed.
+
 v0.27 (June 14, 2018)
 ---------------------

--- a/9
+++ b/9
@ -19,9 +19,12 @@ Vagrant.configure("2") do |config|
  config.vm.network "private_network", ip: "192.168.50.4"

  config.vm.provision :shell, :inline => <<-SH
-	# Set environment variables so that the setup script does
-	# not ask any questions during provisioning. We'll let the
-	# machine figure out its own public IP.
+  # Set environment variables so that the setup script does
+  # not ask any questions during provisioning. We'll let the
+  # machine figure out its own public IP.
+  #
+  # Please note: NONINTERACTIVE=1 mode means that you'll automatically agree
+  # to Let's Encrypt's ACME Subscriber Agreement.
    export NONINTERACTIVE=1
    export PUBLIC_IP=auto
    export PUBLIC_IPV6=auto
--- a/conf/ios-profile.xml
+++ b/conf/ios-profile.xml
@ -18,8 +18,6 @@
      <string>PRIMARY_HOSTNAME</string>
      <key>CalDAVPort</key>
      <real>443</real>
-      <key>CalDAVPrincipalURL</key>
-      <string>/cloud/remote.php/caldav/calendars/</string>
      <key>CalDAVUseSSL</key>
      <true/>
      <key>PayloadDescription</key>
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@ -142,17 +142,17 @@ def get_ssl_certificates(env):
 	return ret

 def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False, use_main_cert=True):
-	# I moved the system_certificate declaration here, since otherwise we get a 
-	# "local variable 'system_certificate' referenced before assignment" error in the 
-        # elif not allow_missing_cert block
-	ssl_private_key = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_private_key.pem'))
-	ssl_certificate = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_certificate.pem'))
-	system_certificate = {
-		"private-key": ssl_private_key,
-		"certificate": ssl_certificate,
-		"primary-domain": env['PRIMARY_HOSTNAME'],
-		"certificate_object": load_pem(load_cert_chain(ssl_certificate)[0]),
-	}
+	if use_main_cert or not allow_missing_cert:
+		# Get the system certificate info.
+		ssl_private_key = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_private_key.pem'))
+		ssl_certificate = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_certificate.pem'))
+		system_certificate = {
+			"private-key": ssl_private_key,
+			"certificate": ssl_certificate,
+			"primary-domain": env['PRIMARY_HOSTNAME'],
+			"certificate_object": load_pem(load_cert_chain(ssl_certificate)[0]),
+		}
+
 	if use_main_cert:
 		if domain == env['PRIMARY_HOSTNAME']:
 			# The primary domain must use the server certificate because
@ -226,7 +226,7 @@ def get_certificates_to_provision(env, limit_domains=None, show_valid_certs=True
 				# DNS is all good.

 				# Check for a good existing cert.
-				existing_cert = get_domain_ssl_files(domain, existing_certs, env, use_main_cert=False)
+				existing_cert = get_domain_ssl_files(domain, existing_certs, env, use_main_cert=False, allow_missing_cert=True)
 				if existing_cert:
 					existing_cert_check = check_certificate(domain, existing_cert['certificate'], existing_cert['private-key'],
 						warn_if_expiring_soon=14)
--- a/setup/start.sh
+++ b/setup/start.sh
@ -139,7 +139,8 @@ echo "Mail-in-a-Box uses Let's Encrypt to provision free certificates"
 echo "to enable HTTPS connections to your box. You'll now be asked to agree"
 echo "to Let's Encrypt's terms of service."
 echo
-certbot register --register-unsafely-without-email --config-dir $STORAGE_ROOT/ssl/lets_encrypt
+certbot register $([ "$NONINTERACTIVE" == 1 ] && echo "--agree-tos") \
+    --register-unsafely-without-email --config-dir $STORAGE_ROOT/ssl/lets_encrypt
 fi

 # Done.
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@ -23,6 +23,7 @@ phpenmod -v php7.0 imap

 # Copy Z-Push into place.
 VERSION=2.3.9
+TARGETHASH=60087b97e4b1c73db096e252cf893c75df556907
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 	needs_update=1 #NODOC
@ -31,13 +32,12 @@ elif [[ $VERSION != `cat /usr/local/lib/z-push/version` ]]; then
 	needs_update=1 #NODOC
 fi
 if [ $needs_update == 1 ]; then
+	wget_verify http://download.z-push.org/final/2.3/z-push-$VERSION.tar.gz $TARGETHASH /tmp/z-push.tar.gz
+
 	rm -rf /usr/local/lib/z-push
-
-	git_clone https://stash.z-hub.io/scm/zp/z-push.git $VERSION '' /tmp/z-push
-
-	mkdir /usr/local/lib/z-push
-	cp -r /tmp/z-push/src/* /usr/local/lib/z-push
-	rm -rf /tmp/z-push
+	tar -xzf /tmp/z-push.tar.gz -C /usr/local/lib/
+	rm /tmp/z-push.tar.gz
+	mv /usr/local/lib/z-push-$VERSION /usr/local/lib/z-push

 	rm -f /usr/sbin/z-push-{admin,top}
 	ln -s /usr/local/lib/z-push/z-push-admin.php /usr/sbin/z-push-admin