From 82844ca651fa31755878490eabca0d80e83f8bda Mon Sep 17 00:00:00 2001
From: Nils
Date: Sun, 15 Jul 2018 17:24:15 +0200
Subject: [PATCH 1/5] make certbot auto-agree to TOS if NONINTERACTIVE=1 env var is set (#1399)

---
 Vagrantfile | 9 ++++++---
 setup/start.sh | 3 ++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index b4bcb257..0161ae0d 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -19,9 +19,12 @@ Vagrant.configure("2") do |config|
 config.vm.network "private_network", ip: "192.168.50.4"
 
 config.vm.provision :shell, :inline => <<-SH
- # Set environment variables so that the setup script does
- # not ask any questions during provisioning. We'll let the
- # machine figure out its own public IP.
+ # Set environment variables so that the setup script does
+ # not ask any questions during provisioning. We'll let the
+ # machine figure out its own public IP.
+ #
+ # Please note: NONINTERACTIVE=1 mode means that you'll automatically agree
+ # to Let's Encrypt's ACME Subscriber Agreement.
 export NONINTERACTIVE=1
 export PUBLIC_IP=auto
 export PUBLIC_IPV6=auto
diff --git a/setup/start.sh b/setup/start.sh
index 86b34c8e..b13e80ca 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -139,7 +139,8 @@ echo "Mail-in-a-Box uses Let's Encrypt to provision free certificates"
 echo "to enable HTTPS connections to your box. You'll now be asked to agree"
 echo "to Let's Encrypt's terms of service."
 echo
-certbot register --register-unsafely-without-email --config-dir $STORAGE_ROOT/ssl/lets_encrypt
+certbot register $([ "$NONINTERACTIVE" == 1 ] && echo "--agree-tos") \
+ --register-unsafely-without-email --config-dir $STORAGE_ROOT/ssl/lets_encrypt
 fi
 
 # Done.
From b0b5d8e79238b5079cc4bb0a526e896e1d9b4921 Mon Sep 17 00:00:00 2001
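Review bot: The message printed just above the new `certbot register` line still promises a prompt (`echo "to enable HTTPS connections to your box. You'll now be asked to agree"`), but when NONINTERACTIVE=1 the added `$([ "$NONINTERACTIVE" == 1 ] && echo "--agree-tos")` passes `--agree-tos` and certbot never asks; the echo should say that in that mode the agreement is given on the operator's behalf. Burying that consent step inside an unquoted command substitution also makes it easy to miss for anyone auditing what an unattended install accepts; an explicit branch that sets a variable, with a comment naming the agreement, reads better and behaves the same. The `if` that the trailing `fi` closes starts outside the hunk.
```shell
echo "to Let's Encrypt's terms of service."
echo
# NONINTERACTIVE=1 accepts the Let's Encrypt subscriber agreement on the
# operator's behalf instead of prompting; keep this visible for audits of
# unattended installs.
AGREE_TOS=
if [ "$NONINTERACTIVE" == 1 ]; then
	AGREE_TOS=--agree-tos
fi
certbot register $AGREE_TOS --register-unsafely-without-email --config-dir $STORAGE_ROOT/ssl/lets_encrypt
```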
From: dev9
Date: Thu, 19 Jul 2018 08:17:38 -0700
Subject: [PATCH 2/5] Fix .mobileconfig so CalDAV calendar works on Mac OS X (#1402)

The previous CalDAVPrincipalURL "/cloud/remote.php/caldav/calendars/" causes an error in OS X. See: https://discourse.mailinabox.email/t/caldav-with-macos-10-12-2-does-not-work/1649 and other similar issues. The correct CalDAVPrincipalURL: https://discourse.mailinabox.email/t/caldav-with-macos-10-12-2-does-not-work/1649 but it turns out you can just leave the key/value out completely and OS X/iOS are able to auto discover the correct URL.
---
 conf/ios-profile.xml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/conf/ios-profile.xml b/conf/ios-profile.xml
index 983b260d..f2011a4e 100644
--- a/conf/ios-profile.xml
+++ b/conf/ios-profile.xml
@@ -18,8 +18,6 @@
 PRIMARY_HOSTNAME
 CalDAVPort
 443
- CalDAVPrincipalURL
- /cloud/remote.php/caldav/calendars/
 CalDAVUseSSL
 PayloadDescription
From 78d1c9be6e6aae8466289e41280f56deed40e12e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20Norman=20Hauk=C3=A5s?=
Date: Sun, 15 Jul 2018 00:17:43 +0200
Subject: [PATCH 3/5] failing z-push installation: replace git clone with wget_verify

git clone (which uses curl) underneath was failing. Curiously, the same git clone command would work on my macos host machine. From the screenshot it looks like curl was somehow not able to negotiate the connection. Might have been a missing CA certificate for Comodo, but I was not able to determine if that was the issue. fixes #1393 closes #1387 closes #1400
---
 setup/zpush.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/setup/zpush.sh b/setup/zpush.sh
index eac3a0a0..66bacbaf 100755
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -23,6 +23,7 @@ phpenmod -v php7.0 imap
 
 # Copy Z-Push into place.
 VERSION=2.3.9
+TARGETHASH=60087b97e4b1c73db096e252cf893c75df556907
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 needs_update=1 #NODOC
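Review bot: `TARGETHASH=60087b97e4b1c73db096e252cf893c75df556907` is introduced next to `VERSION=2.3.9` with nothing saying what it is a digest of, which algorithm produced it, or how it was obtained, and the download it guards (next hunk, plain `http://download.z-push.org/...`) has no TLS, so this pinned value is the only integrity control on the code that ends up in /usr/local/lib/z-push. Its 40 hex digits look like SHA-1 — confirm against what `wget_verify` actually computes — and a one-line comment should record that together with the coupling to VERSION, e.g. `# Checksum of z-push-$VERSION.tar.gz, checked by wget_verify after download; update together with VERSION.` Stating where the value came from (compared with a checksum published by the project rather than read off the downloaded file) is what lets the next reviewer trust the pin.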
@@ -31,13 +32,12 @@ elif [[ $VERSION != `cat /usr/local/lib/z-push/version` ]]; then
 needs_update=1 #NODOC
 fi
 if [ $needs_update == 1 ]; then
+ wget_verify http://download.z-push.org/final/2.3/z-push-$VERSION.tar.gz $TARGETHASH /tmp/z-push.tar.gz
+ rm -rf /usr/local/lib/z-push
 
-
- git_clone https://stash.z-hub.io/scm/zp/z-push.git $VERSION '' /tmp/z-push
-
- mkdir /usr/local/lib/z-push
- cp -r /tmp/z-push/src/* /usr/local/lib/z-push
- rm -rf /tmp/z-push
+ tar -xzf /tmp/z-push.tar.gz -C /usr/local/lib/
+ rm /tmp/z-push.tar.gz
+ mv /usr/local/lib/z-push-$VERSION /usr/local/lib/z-push
 
 rm -f /usr/sbin/z-push-{admin,top}
 ln -s /usr/local/lib/z-push/z-push-admin.php /usr/sbin/z-push-admin
From 15583ec10d423e5273897de95924e69227d8046c Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Thu, 19 Jul 2018 11:27:37 -0400
Subject: [PATCH 4/5] updated CHANGELOG

---
 CHANGELOG.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e4f2e02..3669a90a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,21 @@
 CHANGELOG
 =========
 
+In Development
+--------------
+
+System:
+
+* We now use EFF's `certbot` to provision TLS certificates (from Let's Encrypt) instead of our home-grown ACME library.
+
+Contacts/Calendar:
+
+* Fix for Mac OS X autoconfig of the calendar.
+
+Setup:
+
+* Installing Z-Push broke because of what looks like a change or problem in their git server HTTPS certificate. That's fixed.
+
 v0.27 (June 14, 2018)
 ---------------------
 
From 2f467556bdf7b6db58db16c211bf5c1122fee8d1 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Thu, 19 Jul 2018 11:40:49 -0400
Subject: [PATCH 5/5] new ssl cert provisioning broke if a domain doesnt yet have a cert, fixes #1392

---
 management/ssl_certificates.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index 200a3463..76b0f8fa 100755
--- a/management/ssl_certificates.py
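Review bot: In the new sequence `rm -rf /usr/local/lib/z-push` runs before `tar -xzf /tmp/z-push.tar.gz -C /usr/local/lib/` has succeeded, so a truncated or malformed archive — or one whose top-level directory is not `z-push-$VERSION`, which makes the following `mv` fail — leaves the box with the old install deleted and nothing in its place. Extracting straight into /usr/local/lib/ also means any other top-level entries the archive happens to carry land there rather than inside the Z-Push tree. Unpacking into scratch space and swapping the verified result in afterwards keeps a failed update from removing the working copy; whether the script aborts on the `test` depends on `set -e`, which is outside the hunk.
```shell
	wget_verify http://download.z-push.org/final/2.3/z-push-$VERSION.tar.gz $TARGETHASH /tmp/z-push.tar.gz
	# Unpack into scratch space first so a bad archive cannot leave
	# /usr/local/lib/z-push removed but not replaced.
	rm -rf /tmp/z-push
	mkdir -p /tmp/z-push
	tar -xzf /tmp/z-push.tar.gz -C /tmp/z-push
	test -d /tmp/z-push/z-push-$VERSION
	rm -rf /usr/local/lib/z-push
	mv /tmp/z-push/z-push-$VERSION /usr/local/lib/z-push
	rm -rf /tmp/z-push /tmp/z-push.tar.gz
	# … unchanged: z-push-admin / z-push-top symlinks …
```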
+++ b/management/ssl_certificates.py
@@ -142,7 +142,7 @@ def get_ssl_certificates(env):
 return ret
 
 def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False, use_main_cert=True):
- if use_main_cert:
+ if use_main_cert or not allow_missing_cert:
 # Get the system certificate info.
 ssl_private_key = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_private_key.pem'))
 ssl_certificate = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_certificate.pem'))
@@ -153,6 +153,7 @@ def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False
 "certificate_object": load_pem(load_cert_chain(ssl_certificate)[0]),
 }
 
+ if use_main_cert:
 if domain == env['PRIMARY_HOSTNAME']:
 # The primary domain must use the server certificate because
 # it is hard-coded in some service configuration files.
@@ -225,7 +226,7 @@ def get_certificates_to_provision(env, limit_domains=None, show_valid_certs=True
 # DNS is all good.
 
 # Check for a good existing cert.
- existing_cert = get_domain_ssl_files(domain, existing_certs, env, use_main_cert=False)
+ existing_cert = get_domain_ssl_files(domain, existing_certs, env, use_main_cert=False, allow_missing_cert=True)
 if existing_cert:
 existing_cert_check = check_certificate(domain, existing_cert['certificate'], existing_cert['private-key'],
 warn_if_expiring_soon=14)
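Review bot: The new guard `if use_main_cert or not allow_missing_cert:` in the first hunk encodes which later code reads `system_certificate`, but nothing next to it says so; the `if use_main_cert:` added in the second hunk is one consumer, and going by the parameter name the fallback return for a domain without its own certificate is presumably the other (it lies outside the hunk, as does the rest of `get_domain_ssl_files`). A comment on the condition would keep the two sides from drifting apart again, e.g. `# system_certificate is read below when the primary hostname is pinned to the main cert (use_main_cert) and as the fallback for a domain with no cert of its own (not allow_missing_cert); skip the PEM load when neither applies.` Note also that whenever the block runs it parses the chain eagerly via `load_pem(load_cert_chain(ssl_certificate)[0])`, even for a domain that turns out to have its own certificate; deferring that to the two return sites would save the file read, but that is optional.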
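Review bot: In the third hunk, adding `allow_missing_cert=True` changes what `existing_cert` means — a domain with no certificate of its own now comes back empty instead of (presumably) the system certificate fallback — so the `if existing_cert:` that follows now doubles as the "needs provisioning" test, and a reader of this call cannot see that without opening `get_domain_ssl_files`. Say it at the call site, e.g. `# allow_missing_cert=True: a domain without its own cert must come back empty, not as the system fallback cert, so that it is queued for provisioning.` The branch that handles the empty case continues outside the hunk.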