			
		
		
		
	![bors-mailu[bot]](/assets/img/avatar_default.png) 6b5bb5fcd1
			
		
	
	6b5bb5fcd1
	
	
	
		
			
			3559: Fix #3531 (backport #3557) r=mergify[bot] a=mergify[bot] ## What type of PR? bug-fix ## What does this PR do? Ensure we have both RSA and ECDSA certs when using letsencrypt now that the default behaviour from certbot has changed. This is only important for new installs, not those renewing existing certs. ### Related issue(s) - closes #3531 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry is not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. <hr>This is an automatic backport of pull request #3557 done by [Mergify](https://mergify.com). Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
		
			
				
	
	
		
		
	
	
	
	
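#!/usr/bin/env python3
"""Obtain and renew the Let's Encrypt certificates with certbot.

Reads HOSTNAMES, POSTMASTER and DOMAIN from the environment. Once a day it
waits until the first hostname answers the ACME self-test URL with HTTP 204,
then runs certbot twice: once for the RSA certificate ("mailu") and once for
the ECDSA certificate ("mailu-ecdsa").
"""

import logging as log
import os
import requests
import sys
import subprocess
import time

log.basicConfig(stream=sys.stderr, level="WARNING")

# Upper bound, in seconds, for one self-test request. Without a timeout a
# peer that accepts the connection and never answers would block the renewal
# loop indefinitely.
PROBE_TIMEOUT = 10


def _configured_hostnames():
    """Return the HOSTNAMES entries as a comma-separated string.

    Entries are stripped, blank entries (e.g. from a trailing comma) are
    dropped, and duplicates are removed while keeping the configured order so
    that the certbot command line is the same on every start.
    """
    stripped = (host.strip() for host in os.environ['HOSTNAMES'].split(','))
    return ','.join(dict.fromkeys(name for name in stripped if name))


def _certbot_command(cert_name, key_type):
    """Build the certbot argv for one certificate lineage.

    The command is an argument list and is run without a shell, so the
    environment-derived values are passed to certbot as single arguments.
    The key type is always passed explicitly, one lineage per key type.
    """
    return [
        "certbot",
        "-n", "--agree-tos",  # non-interactive
        "-d", hostnames, "--expand", "--allow-subset-of-names",
        "-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
        "certonly", "--standalone",
        "--cert-name", cert_name,
        "--preferred-challenges", "http", "--http-01-port", "8008",
        "--keep-until-expiring",
        "--key-type", key_type,
        "--renew-with-new-domains",
        "--config-dir", "/certs/letsencrypt",
        "--post-hook", "/config.py",
    ]


def _wait_until_reachable():
    """Block until the ACME self-test URL on the first hostname returns 204."""
    while True:
        # Strip the entry the same way the certbot hostname list is built, so
        # "a.example, b.example" style values do not yield a malformed URL.
        hostname = os.environ['HOSTNAMES'].split(',')[0].strip()
        # Plain HTTP on purpose: this mirrors the path used by the HTTP-01
        # challenge. Only the status code of the response is used.
        target = f'http://{hostname}/.well-known/acme-challenge/testing'
        try:
            r = requests.get(target, timeout=PROBE_TIMEOUT)
        except Exception as e:
            # Best effort: any failure (DNS, refused, timeout, bad URL) is
            # logged and retried rather than ending the renewal loop.
            log.error(f"Exception while fetching {target}!", exc_info = e)
            time.sleep(15)
            continue
        if r.status_code == 204:
            return
        log.critical(f"Can't reach {target}!, please ensure it's fixed or change the TLS_FLAVOR.")
        time.sleep(5)


def _run_certbot(cert_name, argv):
    """Run one certbot command and log a non-zero exit status."""
    status = subprocess.call(argv)
    if status != 0:
        # A failed issuance or renewal would otherwise go unnoticed until the
        # certificate expires.
        log.error("certbot exited with status %s for certificate %s", status, cert_name)


hostnames = _configured_hostnames()

command = _certbot_command("mailu", "rsa")
command2 = _certbot_command("mailu-ecdsa", "ecdsa")

# Wait for nginx to start
time.sleep(5)

# Run certbot every day
while True:
    _wait_until_reachable()
    _run_certbot("mailu", command)
    _run_certbot("mailu-ecdsa", command2)
    time.sleep(86400)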