format certs for nginx

2025-11-01 10:37:49 +00:00 · 2021-08-09 22:51:23 +02:00
parent 98b903fe13
commit 24f9bf1064
3 changed files with 23 additions and 5 deletions
--- a/core/nginx/conf/tls.conf
+++ b/core/nginx/conf/tls.conf
@@ -3,6 +3,7 @@ ssl_certificate_key {{ TLS[1] }};
 {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
 ssl_certificate {{ TLS[2] }};
 ssl_certificate_key {{ TLS[3] }};
+ssl_trusted_certificate /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem;
 {% endif %}
 ssl_session_timeout 1d;
 ssl_session_tickets off;
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
@@ -26,11 +26,11 @@ cert_name = os.getenv("TLS_CERT_FILENAME", default="cert.pem")
 keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem")
 args["TLS"] = {
    "cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
-    "letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem",
-        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
+    "letsencrypt": ("/certs/letsencrypt/live/mailu/nginx-chain.pem",
+        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
    "mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
-    "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem",
-        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
+    "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/nginx-chain.pem",
+        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
    "notls": None
 }[args["TLS_FLAVOR"]]

--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -4,7 +4,6 @@ import os
 import time
 import subprocess

-
 command = [
    "certbot",
    "-n", "--agree-tos", # non-interactive
@@ -31,12 +30,30 @@ command2 = [
    "--post-hook", "/config.py"
 ]

+def format_for_nginx(fullchain, output):
+    """ nginx expects cert + intermediate
+    whereas letsencrypt provides ca + intermediate + cert
+    """
+    certs = []
+    with open(fullchain, 'r') as pem:
+        cert = ''
+        for line in pem:
+            cert += line
+            if '-----END CERTIFICATE-----' in line:
+                certs += [cert]
+                cert = ''
+    with open(output, 'w') as pem:
+        for cert in reversed(certs[1:]):
+            pem.write(cert)
+
 # Wait for nginx to start
 time.sleep(5)

 # Run certbot every hour
 while True:
    subprocess.call(command)
+    format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
    subprocess.call(command2)
+    format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
    time.sleep(3600)