From 24f9bf106440f98a757a368b01187e7ddc16d1f0 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Mon, 9 Aug 2021 22:51:23 +0200 Subject: [PATCH] format certs for nginx --- core/nginx/conf/tls.conf | 1 + core/nginx/config.py | 8 ++++---- core/nginx/letsencrypt.py | 19 ++++++++++++++++++- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/core/nginx/conf/tls.conf b/core/nginx/conf/tls.conf index 4372c5af..f663bfd2 100644 --- a/core/nginx/conf/tls.conf +++ b/core/nginx/conf/tls.conf @@ -3,6 +3,7 @@ ssl_certificate_key {{ TLS[1] }}; {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %} ssl_certificate {{ TLS[2] }}; ssl_certificate_key {{ TLS[3] }}; +ssl_trusted_certificate /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem; {% endif %} ssl_session_timeout 1d; ssl_session_tickets off; diff --git a/core/nginx/config.py b/core/nginx/config.py index 1b0f7235..9fa75877 100755 --- a/core/nginx/config.py +++ b/core/nginx/config.py 
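Review bot: The added `ssl_trusted_certificate` line pins verification to one root, DST Root CA X3, addressed by the per-certificate filename the image's ca-certificates package happens to use; nginx consults this file to verify OCSP responses when stapling is enabled (I assume `ssl_stapling` is set elsewhere in tls.conf, outside this hunk), and if the file is not present at that path the config fails to load at all. DST Root CA X3 is also the root Let's Encrypt is retiring, expiring at the end of September 2021, a few weeks after this commit, after which responses chained to it will no longer verify. Pointing at the distribution bundle instead, `ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;`, or at the ISRG Root X1 file once the chain is stripped down to leaf plus intermediate, removes the dependency on a single retiring root and on a package-specific filename. A one-line comment above the directive saying why it is needed at all (the stripped nginx-chain.pem no longer carries the root) would help the next reader.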
@@ -26,11 +26,11 @@ cert_name = os.getenv("TLS_CERT_FILENAME", default="cert.pem") keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem") args["TLS"] = { "cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name), - "letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem", - "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"), + "letsencrypt": ("/certs/letsencrypt/live/mailu/nginx-chain.pem", + "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"), "mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name), - "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem", - "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"), + "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/nginx-chain.pem", + "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"), "notls": None }[args["TLS_FLAVOR"]] diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py index 73659f7c..9a5ba18a 100755 --- a/core/nginx/letsencrypt.py +++ b/core/nginx/letsencrypt.py @@ -4,7 +4,6 @@ import os import time import subprocess - command = [ "certbot", "-n", "--agree-tos", # non-interactive 
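Review bot: The four replacement paths are spelled out identically for the 'letsencrypt' and 'mail-letsencrypt' entries, and the two nginx-chain.pem paths appear a third time as string literals in letsencrypt.py, so the next rename has to be kept in sync by hand in three places. Binding the tuple once above the dict, e.g. `letsencrypt_paths = ("/certs/letsencrypt/live/mailu/nginx-chain.pem", "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem")` and then `"letsencrypt": letsencrypt_paths, "mail-letsencrypt": letsencrypt_paths,`, keeps the two flavours from drifting. A short comment on the entry is also warranted, since nginx-chain.pem is not a file certbot writes: something like `# nginx-chain.pem is derived from certbot's fullchain.pem by letsencrypt.py; it only exists after the first successful issuance`.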
@@ -31,12 +30,30 @@ command2 = [ "--post-hook", "/config.py" ] +def format_for_nginx(fullchain, output): + """ nginx expects cert + intermediate + whereas letsencrypt provides ca + intermediate + cert + """ + certs = [] + with open(fullchain, 'r') as pem: + cert = '' + for line in pem: + cert += line + if '-----END CERTIFICATE-----' in line: + certs += [cert] + cert = '' + with open(output, 'w') as pem: + for cert in reversed(certs[1:]): + pem.write(cert) + # Wait for nginx to start time.sleep(5) # Run certbot every hour while True: subprocess.call(command) + format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem') subprocess.call(command2) + format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem') time.sleep(3600)
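Review bot: `for cert in reversed(certs[1:])` discards the first certificate of fullchain.pem and reverses the remainder, but certbot documents fullchain.pem as the server certificate first followed by the intermediates, so nginx-chain.pem ends up with no leaf and the issuers in root-first order; the docstring's "ca + intermediate + cert" ordering is the opposite of what certbot writes. If the aim is to drop the root that Let's Encrypt appends at the end of its default chain, keep the order and slice from the end, `certs[:-1]`, and only when there is more than one issuer present. The two `format_for_nginx(...)` calls also run unconditionally after a `subprocess.call` whose return code is ignored, so on a fresh deployment before certbot has issued anything `open(fullchain, 'r')` raises FileNotFoundError and the hourly loop dies, and `open(output, 'w')` truncates in place, so an nginx reload that lands mid-write sees a partial chain. Note too that `/config.py` is certbot's `--post-hook` (visible for command2 at the top of the hunk), which presumably renders and reloads nginx before this function has written the new chain, so that reload picks up the previous nginx-chain.pem. Below is the function rewritten to keep certificate order, skip a missing input, and swap the output in atomically.

```python
def format_for_nginx(fullchain, output):
    """Write fullchain minus its trailing root certificate to output.

    certbot's fullchain.pem is leaf first, then intermediates, then (for
    Let's Encrypt's default chain) a root; nginx wants leaf + intermediates
    in that order, so only the last entry is dropped and order is kept.
    """
    if not os.path.exists(fullchain):
        return  # certbot has not issued this certificate yet
    # … unchanged: split fullchain into `certs`, one PEM block per entry …
    chain = certs[:-1] if len(certs) > 2 else certs
    tmp = output + '.tmp'
    with open(tmp, 'w') as pem:
        pem.writelines(chain)
    os.replace(tmp, output)  # atomic swap: a reload never sees a partial file
```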