From 4a052da289c36547fd7863d18e3ba23f8ea5dc78 Mon Sep 17 00:00:00 2001 From: Lasagne <57591331+schichtnudelauflauf@users.noreply.github.com> Date: Mon, 10 Jun 2024 12:33:02 +0200 Subject: [PATCH] Add switch to skip fetching certificates auto{config,discover} subdomains (#5838) * Add ACME_DONT_FETCH_CERTS_FOR_HTTP_SUBDOMAINS to acme.sh * Add ACME_DONT_FETCH_CERTS_FOR_HTTP_SUBDOMAINS to docker-compose.yml * Add ACME_DONT_FETCH_CERTS_FOR_HTTP_SUBDOMAINS to generate_config.sh * Add ACME_DONT_FETCH_CERTS_FOR_HTTP_SUBDOMAINS to update.sh * AUTODISCOVER_SAN instead of long string default on, default is fetching certs for auto{discover,conf} * AUTODISCOVER_SAN instead of long string also flipped * AUTODISCOVER_SAN instead of long string flipped default meaning * fix explanation for AUTODISCOVER_SAN * AUTODISCOVER_SAN instead of long string and flipped meaning of the bool * fix AUTODISCOVER_SAN explanation * Merge branch 'mailcow:staging' into staging * update.sh: corrected syntax for mailcow.conf insertion --- data/Dockerfiles/acme/acme.sh | 8 ++++++++ docker-compose.yml | 1 + generate_config.sh | 7 +++++++ update.sh | 13 +++++++++++++ 4 files changed, 29 insertions(+) diff --git a/data/Dockerfiles/acme/acme.sh b/data/Dockerfiles/acme/acme.sh index 1cd456a499..9d04d10cec 100755 --- a/data/Dockerfiles/acme/acme.sh +++ b/data/Dockerfiles/acme/acme.sh @@ -33,6 +33,10 @@ if [[ "${ONLY_MAILCOW_HOSTNAME}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then ONLY_MAILCOW_HOSTNAME=y fi +if [[ "${AUTODISCOVER_SAN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then + AUTODISCOVER_SAN=y +fi + # Request individual certificate for every domain if [[ "${ENABLE_SSL_SNI}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then ENABLE_SSL_SNI=y @@ -211,7 +215,11 @@ while true; do ADDITIONAL_SAN_ARR+=($i) fi done + + if [[ ${AUTODISCOVER_SAN} == "y" ]]; then + # Fetch certs for autoconfig and autodiscover subdomains ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig') + fi if [[ ${SKIP_IP_CHECK} != "y" ]]; then # Start IP detection diff --git a/docker-compose.yml b/docker-compose.yml index 230fd8505f..2d4de525c5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -411,6 +411,7 @@ services: - LOG_LINES=${LOG_LINES:-9999} - ACME_CONTACT=${ACME_CONTACT:-} - ADDITIONAL_SAN=${ADDITIONAL_SAN} + - AUTODISCOVER_SAN=${AUTODISCOVER_SAN:-y} - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} - DBNAME=${DBNAME} - DBUSER=${DBUSER} diff --git a/generate_config.sh b/generate_config.sh index 05d9ee2f10..f97ddd9a4e 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -336,6 +336,13 @@ MAILDIR_GC_TIME=7200 ADDITIONAL_SAN= +# Obtain certificates for autodiscover.* and autoconfig.* domains. +# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those. +# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs +# between services. So acme-mailcow obtains for maildomains and all web-things get handled +# in the reverse proxy. +AUTODISCOVER_SAN=y + # Additional server names for mailcow UI # # Specify alternative addresses for the mailcow UI to respond to diff --git a/update.sh b/update.sh index f1e31652cd..0c8f85fedc 100755 --- a/update.sh +++ b/update.sh @@ -450,6 +450,7 @@ CONFIG_ARRAY=( "SKIP_CLAMD" "SKIP_IP_CHECK" "ADDITIONAL_SAN" + "AUTODISCOVER_SAN" "DOVEADM_PORT" "IPV4_NETWORK" "IPV6_NETWORK" @@ -715,6 +716,18 @@ for option in ${CONFIG_ARRAY[@]}; do echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf fi + + elif [[ ${option} == "AUTODISCOVER_SAN" ]]; then + if ! grep -q ${option} mailcow.conf; then + echo "Adding new option \"${option}\" to mailcow.conf" + echo '# Obtain certificates for autodiscover.* and autoconfig.* domains.' >> mailcow.conf + echo '# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.' >> mailcow.conf + echo '# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs' >> mailcow.conf + echo '# between services. So acme-mailcow obtains for maildomains and all web-things get handled' >> mailcow.conf + echo '# in the reverse proxy.' >> mailcow.conf + echo 'AUTODISCOVER_SAN=y' >> mailcow.conf + fi + elif [[ ${option} == "ACME_CONTACT" ]]; then if ! grep -q ${option} mailcow.conf; then echo "Adding new option \"${option}\" to mailcow.conf"