move the SSL setup into its own bash script since it is used for much more than email now

67d31ed9 · Joshua Tauberer · 0ab43ef4 · 67d31ed9 · 67d31ed9 · 67d31ed9
Commit 67d31ed9 authored Jun 21, 2014 by Joshua Tauberer
Show whitespace changes
Inline Side-by-side

Showing with 48 additions and 29 deletions

dns_update.py management/dns_update.py +3 -4

mail.sh setup/mail.sh +1 -25

ssl.sh setup/ssl.sh +43 -0

start.sh setup/start.sh +1 -0

No files found.
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -132,7 +132,7 @@ def build_zone(domain, zonefile, env, with_ns=True):
 		records.append(("ns1", "A",   env["PUBLIC_IP"]))
 		records.append(("ns2", "A",   env["PUBLIC_IP"]))
-		# Add a TLSA record for SMTP.
+		# Add a DANE TLSA record for SMTP.
 		records.append(("_25._tcp", "TLSA", build_tlsa_record(env)))
 	def has_rec(qname, rtype):
@@ -179,9 +179,8 @@ def build_zone(domain, zonefile, env, with_ns=True):
 ########################################################################
 def build_tlsa_record(env):
-	# A TLSA record in DNS specifies that connections on a port, e.g.
+	# A DANE TLSA record in DNS specifies that connections on a port
-	# the SMTP port, must use TLS and the certificate must match a
+	# must use TLS and the certificate must match a particular certificate.
-	# particular certificate.
 	#
 	# Thanks to http://blog.huque.com/2012/10/dnssec-and-certificates.html
 	# for explaining all of this!

--- a/setup/mail.sh
+++ b/setup/mail.sh
@@ -18,8 +18,7 @@ source /etc/mailinabox.conf # load global vars
 apt_install \
 	postfix postgrey postfix-pcre \
-	dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3 \
+	dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3
-	openssl
 mkdir -p $STORAGE_ROOT/mail
@@ -244,29 +243,6 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
-# SSL CERTIFICATE
-mkdir -p $STORAGE_ROOT/ssl
-if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
-	# Generate a new private key if one doesn't already exist.
-	# Set the umask so the key file is not world-readable.
-	(umask 077; openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
-fi
-if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
-	# Generate a certificate signing request if one doesn't already exist.
-	openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
-	  -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
-fi
-if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
-	# Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist.
-	openssl x509 -req -days 365 \
-	  -in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
-fi
-echo
-echo "Your SSL certificate's fingerpint is:"
-openssl x509 -in /home/user-data/ssl/ssl_certificate.pem -noout -fingerprint
-echo
 # PERMISSIONS / RESTART SERVICES
 # Ensure configuration files are owned by dovecot and not world readable.

--- a/setup/ssl.sh
+++ b/setup/ssl.sh
+#!/bin/bash
+#
+# SSL Certificate
+#
+# Create a self-signed SSL certificate if one has not yet been created.
+#
+# The certificate is for PUBLIC_HOSTNAME specifically and is used for:
+#
+#  * IMAP
+#  * SMTP submission (port 587) and opportunistic TLS (when on the receiving end)
+#  * the DNSSEC DANE TLSA record for SMTP
+#  * HTTPS (for PUBLIC_HOSTNAME only)
+#
+# When other domains besides PUBLIC_HOSTNAME are served over HTTPS,
+# we generate a domain-specific self-signed certificate in the management
+# daemon (web_update.py) as needed.
+source setup/functions.sh # load our functions
+source /etc/mailinabox.conf # load global vars
+apt_install openssl
+mkdir -p $STORAGE_ROOT/ssl
+if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
+	# Generate a new private key if one doesn't already exist.
+	# Set the umask so the key file is not world-readable.
+	(umask 077; openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
+fi
+if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
+	# Generate a certificate signing request if one doesn't already exist.
+	openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
+	  -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
+fi
+if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
+	# Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist.
+	openssl x509 -req -days 365 \
+	  -in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
+fi
+echo
+echo "Your SSL certificate's fingerpint is:"
+openssl x509 -in /home/user-data/ssl/ssl_certificate.pem -noout -fingerprint
+echo
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -122,6 +122,7 @@ EOF
 # Start service configuration.
 . setup/system.sh
+. setup/ssl.sh
 . setup/dns.sh
 . setup/mail.sh
 . setup/dkim.sh