1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-22 02:17:26 +00:00
mailinabox/setup/check_certificate.sh

43 lines
2.6 KiB
Bash
Executable File

#!/bin/bash
# Checks the status of the SSL certificate and tells the user
# what to do next.
. /etc/mailinabox.conf
if openssl verify $STORAGE_ROOT/ssl/ssl_certificate.pem | grep "self signed" > /dev/null; then
echo "Your SSL certificate has not yet been signed by a certificate authority (CA)."
echo
echo "Before you continue:"
echo
echo "* Your email on this Mail-in-a-Box should be working already."
echo
echo "Okay, go to https://store.sslmatrix.com/products.php?prod=1&yr=1 and begin the process of ordering a RapidSSL SSL certificate for \$9.95."
# TODO: Say something about choosing a good password for SSLMatrix?
echo
#echo "They'll send you an email with instructions for getting your signed certificate. Remember that since Mail-in-a-Box uses Greylisting, that email may not arrive immediately. (You'll also get another Sales Receipt email, and if you pay by PayPal a third email containing a receipt from PayPal.)"
echo "After completing your purchase, click My Dashboard, then click your order number. Copy the Configuration PIN to your clipboard, and then next to SSL Status click Configure SSL. Paste the PIN back in and enter the verification code from the image."
echo
echo "Copy the following certificate signing request (CSR), including the BEGIN and END lines, to your clipboard:"
echo
cat $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr
echo
echo "(It is safe to share your CSR. It contains only the public half of your secret SSL information.)"
echo
echo "Paste the CSR into the big box. Then click continue. Fill out the form. Pick an email address that you have set up an alias for so you can receive mail to that address. For Server Type, choose Other. Walk through the steps until you have gotten your SSL certificate."
echo
echo "Empty the contents of $STORAGE_ROOT/ssl/ssl_certificate.pem. Paste your SSL certificate into the file. Rapid SSL will also tell you to download an intermediate certificate. Download the Bundled CA Version (PEM) and paste it into $STORAGE_ROOT/ssl/ssl_certificate.pem *below* your certificate."
echo
echo "Then restart your machine to ensure that system services begin using the SSL certificate."
else
# Certificate is not self-signed. In order to verify with openssl, we need to split out any
# intermediary certificates in the chain from our certificate (at the top).
perl -n0777e '@x = /(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)(.*)/sg; print $x[1];' \
< $STORAGE_ROOT/ssl/ssl_certificate.pem > /tmp/ssl_chain.pem
openssl verify -verbose -purpose sslserver -policy_check \
-untrusted /tmp/ssl_chain.pem \
$STORAGE_ROOT/ssl/ssl_certificate.pem
fi