format certs for nginx

master
Florent Daigniere 3 years ago
parent 98b903fe13
commit 24f9bf1064

@ -3,6 +3,7 @@ ssl_certificate_key {{ TLS[1] }};
{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %} {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
ssl_certificate {{ TLS[2] }}; ssl_certificate {{ TLS[2] }};
ssl_certificate_key {{ TLS[3] }}; ssl_certificate_key {{ TLS[3] }};
ssl_trusted_certificate /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem;
{% endif %} {% endif %}
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_tickets off; ssl_session_tickets off;
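Review bot: The added `ssl_trusted_certificate /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem;` pins a single root from the system CA directory, and nginx only uses this file to verify OCSP responses when stapling is enabled, so it is correct exactly as long as Let's Encrypt's chain terminates at that root and the image's ca-certificates package keeps that file name. DST Root CA X3 expired at the end of September 2021 and Let's Encrypt's chains now end at ISRG Root X1; if this commit predates that rotation the path has since gone stale, and a hard-coded root fails quietly (verification warnings, or nginx refusing to start once the distro drops the file) rather than tracking the CA. Pointing at the system bundle, `ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;`, or at a file the certbot loop derives from certbot's chain.pem, follows the issuer without a config change. Whether `ssl_stapling` is actually on is outside this hunk; if it is not, a short comment saying the directive is there for stapling verification would stop the next reader from wondering why a single root is listed.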

@ -26,11 +26,11 @@ cert_name = os.getenv("TLS_CERT_FILENAME", default="cert.pem")
keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem") keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem")
args["TLS"] = { args["TLS"] = {
"cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name), "cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
"letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem", "letsencrypt": ("/certs/letsencrypt/live/mailu/nginx-chain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"), "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
"mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name), "mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
"mail-letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem", "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/nginx-chain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"), "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
"notls": None "notls": None
}[args["TLS_FLAVOR"]] }[args["TLS_FLAVOR"]]
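Review bot: The `letsencrypt` and `mail-letsencrypt` tuples are consumed positionally by the nginx template (TLS[1]..TLS[3] are visible in the template hunk), and indices 0 and 2 now name nginx-chain.pem, a derived file that the hourly certbot loop writes after each certbot run rather than a file certbot itself produces; nothing in the literal records either fact. Suggest a comment above the `"letsencrypt"` entry: `# (rsa chain, rsa key, ecdsa chain, ecdsa key); nginx-chain.pem is rebuilt from fullchain.pem by the certbot loop, so nginx only serves a renewed cert once that loop has run and nginx has been reloaded`. The `mail-letsencrypt` entry repeats the same four paths verbatim; binding the tuple once (`_le_paths = (...)`) and referencing it from both keys would keep the two flavors from drifting apart on the next path change.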

@ -4,7 +4,6 @@ import os
import time import time
import subprocess import subprocess
command = [ command = [
"certbot", "certbot",
"-n", "--agree-tos", # non-interactive "-n", "--agree-tos", # non-interactive
@ -31,12 +30,30 @@ command2 = [
"--post-hook", "/config.py" "--post-hook", "/config.py"
] ]
def format_for_nginx(fullchain, output):
""" nginx expects cert + intermediate
whereas letsencrypt provides ca + intermediate + cert
"""
certs = []
with open(fullchain, 'r') as pem:
cert = ''
for line in pem:
cert += line
if '-----END CERTIFICATE-----' in line:
certs += [cert]
cert = ''
with open(output, 'w') as pem:
for cert in reversed(certs[1:]):
pem.write(cert)
# Wait for nginx to start # Wait for nginx to start
time.sleep(5) time.sleep(5)
# Run certbot every hour # Run certbot every hour
while True: while True:
subprocess.call(command) subprocess.call(command)
format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
subprocess.call(command2) subprocess.call(command2)
format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
time.sleep(3600) time.sleep(3600)
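Review bot: `reversed(certs[1:])` in format_for_nginx discards the first certificate and reverses the rest, but certbot documents fullchain.pem as the server certificate first followed by the intermediates, so the generated nginx-chain.pem would hold only the intermediates (in reverse order) and nginx would reject it against privkey.pem. The docstring's premise that letsencrypt provides "ca + intermediate + cert" is what needs correcting: keep the file's order, and if the intent is to trim the trailing root/cross-sign entry that the default chain ends with, drop the last element rather than the first. Separately, a missing fullchain.pem (certbot failed, or nothing issued yet) raises from `open()` and escapes the `while True` loop, killing the renewal process for good, and the output is truncated in place so a reload during the write can read a half-written chain; an existence guard plus write-to-temp and `os.replace` (os is already imported per the hunk header context) covers both. Note also that `--post-hook /config.py` runs inside the certbot calls on the lines before each `format_for_nginx`, so whatever that hook does with the chain sees the previous nginx-chain.pem until the next hook run — if it regenerates config or reloads nginx, the formatting belongs inside the hook or the reload after the formatting.
```python
def format_for_nginx(fullchain, output):
    """ nginx expects the server certificate first, then the intermediate(s).
    certbot's fullchain.pem is already in that order; only a trailing
    root / cross-sign entry (if present) is trimmed.
    """
    if not os.path.exists(fullchain):
        return  # nothing issued (yet) or certbot failed: keep the previous output
    marker = '-----END CERTIFICATE-----\n'
    with open(fullchain, 'r') as pem:
        certs = [chunk + marker for chunk in pem.read().split(marker) if chunk.strip()]
    if len(certs) > 2:
        del certs[-1]  # leaf + intermediate(s) only; drop the appended root
    tmp = output + '.tmp'
    with open(tmp, 'w') as pem:
        pem.write(''.join(certs))
    os.replace(tmp, output)  # atomic: nginx never sees a partial file
```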
