Commit ec73c171 authored by Joshua Tauberer's avatar Joshua Tauberer

when installing a ssl cert for the primary hostname, dns, postfix, and dovecot...

When installing an SSL certificate for the primary hostname, DNS (the DANE TLSA record), Postfix, and Dovecot all need to be updated/restarted, not just nginx.

see https://discourse.mailinabox.email/t/there-is-a-problem-with-the-ssl-certificate/144/4
parent f9acf0ad
...@@ -179,9 +179,8 @@ def check_primary_hostname_dns(domain, env, dns_domains, dns_zonefiles): ...@@ -179,9 +179,8 @@ def check_primary_hostname_dns(domain, env, dns_domains, dns_zonefiles):
elif tlsa25 is None: elif tlsa25 is None:
env['out'].print_error("""The DANE TLSA record for incoming mail is not set. This is optional.""") env['out'].print_error("""The DANE TLSA record for incoming mail is not set. This is optional.""")
else: else:
env['out'].print_error("""The DANE TLSA record for incoming mail (%s) is not correct. It is '%s' but it should be '%s'. Try running tools/dns_update to env['out'].print_error("""The DANE TLSA record for incoming mail (%s) is not correct. It is '%s' but it should be '%s'.
regenerate the record. It may take several hours for It may take several hours for public DNS to update after a change."""
public DNS to update after a change."""
% (tlsa_qname, tlsa25, tlsa25_expected)) % (tlsa_qname, tlsa25, tlsa25_expected))
# Check that the hostmaster@ email address exists. # Check that the hostmaster@ email address exists.
......
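Review bot: The rewritten message at L13–L14 drops the only remediation hint the old text carried ("Try running tools/dns_update to regenerate the record"), so an operator who sees a mismatched TLSA record is no longer told how to fix it; the commit makes the DNS update automatic when a certificate is installed for the primary hostname, but a record that is already stale still needs a manual step. I would keep a short pointer, e.g. add `Re-installing the certificate (or running tools/dns_update) regenerates the record.` before the propagation-delay sentence. check_primary_hostname_dns starts above the hunk and continues below it.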
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
import os, os.path, shutil, re, rtyaml import os, os.path, shutil, re, rtyaml
from mailconfig import get_mail_domains from mailconfig import get_mail_domains
from dns_update import get_custom_dns_config from dns_update import get_custom_dns_config, do_dns_update
from utils import shell, safe_domain_name, sort_domains from utils import shell, safe_domain_name, sort_domains
def get_web_domains(env): def get_web_domains(env):
...@@ -237,8 +237,21 @@ def install_cert(domain, ssl_cert, ssl_chain, env): ...@@ -237,8 +237,21 @@ def install_cert(domain, ssl_cert, ssl_chain, env):
os.makedirs(os.path.dirname(ssl_certificate), exist_ok=True) os.makedirs(os.path.dirname(ssl_certificate), exist_ok=True)
shutil.move(fn, ssl_certificate) shutil.move(fn, ssl_certificate)
ret = []
# When updating the cert for PRIMARY_HOSTNAME, also update DNS because it is
# used in the DANE TLSA record and restart postfix and dovecot which use
# that certificate.
if domain == env['PRIMARY_HOSTNAME']:
ret.append( do_dns_update(env) )
shell('check_call', ["/usr/sbin/service", "postfix", "restart"])
shell('check_call', ["/usr/sbin/service", "dovecot", "restart"])
ret.append("mail services restarted")
# Kick nginx so it sees the cert. # Kick nginx so it sees the cert.
return do_web_update(env, ok_status="") ret.append( do_web_update(env, ok_status="") )
return "\n".join(r for r in ret if r.strip() != "")
def get_web_domains_info(env): def get_web_domains_info(env):
def check_cert(domain): def check_cert(domain):
......
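Review bot: The restart sequence added at L33–L36 is not failure-tolerant: `shell('check_call', ...)` presumably mirrors subprocess.check_call and raises when `service postfix restart` exits non-zero, in which case Dovecot is never restarted and the nginx kick at L38 is skipped, so the certificate already moved into place at L27 is live in some daemons and not others, and the caller gets an exception instead of a status line saying which restart failed. Since the file is already on disk by then, I would restart each service independently, record a failure in `ret`, and carry on so nginx still reloads and the returned status names the broken service. A DANE-specific caveat belongs in the comment at L29–L31 as well: the TLSA record is republished before Postfix restarts, and remote resolvers may cache the old record for its TTL after the new certificate is served, so if the key (and therefore the hash the record carries, depending on the selector in use) changed there is a window in which DANE-validating senders reject the host; the usual mitigation is to publish both old and new TLSA records ahead of the switch, and a `# NOTE:` to that effect would save the next maintainer a surprise. install_cert begins above the hunk, and the body of do_dns_update is not visible here, so its return type (joined as a string at L39) is assumed.
```python
    if domain == env['PRIMARY_HOSTNAME']:
        ret.append( do_dns_update(env) )
        # Restart each mail daemon on its own so one failure does not leave
        # the other (and nginx, below) still serving the old certificate.
        for svc in ("postfix", "dovecot"):
            try:
                shell('check_call', ["/usr/sbin/service", svc, "restart"])
                ret.append("%s restarted" % svc)
            except Exception as e:  # narrow to CalledProcessError if shell() raises that
                ret.append("failed to restart %s: %s" % (svc, e))
    # … unchanged: nginx kick and return …
```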