mirror of
https://github.com/optim-enterprises-bv/Mailu.git
synced 2025-10-31 01:57:59 +00:00
Add ECC certs for modern clients
This commit is contained in:
Florent Daigniere
@@ -1,5 +1,9 @@
|
|||||||
ssl_certificate {{ TLS[0] }};
|
ssl_certificate {{ TLS[0] }};
|
||||||
ssl_certificate_key {{ TLS[1] }};
|
ssl_certificate_key {{ TLS[1] }};
|
||||||
|
{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt] %}
|
||||||
|
ssl_certificate {{ TLS[2] }};
|
||||||
|
ssl_certificate_key {{ TLS[3] }};
|
||||||
|
{% endif %}
|
||||||
ssl_session_timeout 1d;
|
ssl_session_timeout 1d;
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
ssl_dhparam /conf/dhparam.pem;
|
ssl_dhparam /conf/dhparam.pem;
|
||||||
|
|||||||
@@ -27,10 +27,10 @@ keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem")
|
|||||||
args["TLS"] = {
|
args["TLS"] = {
|
||||||
"cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
|
"cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
|
||||||
"letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
|
"letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
|
||||||
"/certs/letsencrypt/live/mailu/privkey.pem"),
|
"/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
|
||||||
"mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
|
"mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
|
||||||
"mail-letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
|
"mail-letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
|
||||||
"/certs/letsencrypt/live/mailu/privkey.pem"),
|
"/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
|
||||||
"notls": None
|
"notls": None
|
||||||
}[args["TLS_FLAVOR"]]
|
}[args["TLS_FLAVOR"]]
|
||||||
|
|
||||||
|
|||||||
@@ -14,7 +14,19 @@ command = [
|
|||||||
"--cert-name", "mailu",
|
"--cert-name", "mailu",
|
||||||
"--preferred-challenges", "http", "--http-01-port", "8008",
|
"--preferred-challenges", "http", "--http-01-port", "8008",
|
||||||
"--keep-until-expiring",
|
"--keep-until-expiring",
|
||||||
"--rsa-key-size", "3072",
|
"--config-dir", "/certs/letsencrypt",
|
||||||
|
"--post-hook", "/config.py"
|
||||||
|
]
|
||||||
|
command2 = [
|
||||||
|
"certbot",
|
||||||
|
"-n", "--agree-tos", # non-interactive
|
||||||
|
"-d", os.environ["HOSTNAMES"],
|
||||||
|
"-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
|
||||||
|
"certonly", "--standalone",
|
||||||
|
"--cert-name", "mailu-ecdsa",
|
||||||
|
"--preferred-challenges", "http", "--http-01-port", "8008",
|
||||||
|
"--keep-until-expiring",
|
||||||
|
"--key-type", "ecdsa",
|
||||||
"--config-dir", "/certs/letsencrypt",
|
"--config-dir", "/certs/letsencrypt",
|
||||||
"--post-hook", "/config.py"
|
"--post-hook", "/config.py"
|
||||||
]
|
]
|
||||||
@@ -25,5 +37,6 @@ time.sleep(5)
|
|||||||
# Run certbot every hour
|
# Run certbot every hour
|
||||||
while True:
|
while True:
|
||||||
subprocess.call(command)
|
subprocess.call(command)
|
||||||
|
subprocess.call(command2)
|
||||||
time.sleep(3600)
|
time.sleep(3600)
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user