Merge #2254

2254: Send ISRG_X1 on port 25, make DANE pin that r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Ensure we send ISRG_X1 in the handshake on port 25 (non-interactive, size doesn't really matter).

Update the DANE pin to reflect the change.

I am not sure whether we will need to add --preferred-chain= in the future; This may be the case when letsencrypt decides to use X2/the ECDSA chain

This needs to be tested on a letsencrypt account that isn't mine (I'm opted in for the alternate cert chains)

### Related issue(s)
- closes #2138

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

There's already a towncrier news for it

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>

core/admin/mailu/models.py

@@ -276,7 +276,7 @@ class Domain(Base):
         hostname = app.config['HOSTNAME']
         if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
             # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
-            return f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 0 30820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001'
+            return f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
 
     @property
     def dkim_key(self):

core/nginx/conf/nginx.conf

@@ -288,6 +288,10 @@ mail {
       listen 25;
       listen [::]:25;
       {% if TLS and not TLS_ERROR %}
+      {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
+      ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
+      ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/fullchain.pem;
+      {% endif %}
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
       ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
       ssl_prefer_server_ciphers on;

core/nginx/config.py

@@ -34,6 +34,22 @@ args["TLS"] = {
     "notls": None
 }[args["TLS_FLAVOR"]]
 
+def format_for_nginx(fullchain, output):
+    """ We may want to strip ISRG Root X1 out """
+    if not os.path.exists(fullchain):
+        return
+    split = '-----END CERTIFICATE-----\n'
+    with open(fullchain, 'r') as pem:
+        certs = [f'{cert}{split}' for cert in pem.read().split(split) if cert]
+    if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN'):
+        del certs[-1]
+    with open(output, 'w') as pem:
+        pem.write(''.join(certs))
+
+if args['TLS_FLAVOR'] in ['letsencrypt', 'mail-letsencrypt']:
+    format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
+    format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
+
 if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"]):
     print("Missing cert or key file, disabling TLS")
     args["TLS_ERROR"] = "yes"

core/nginx/letsencrypt.py

@@ -32,28 +32,11 @@ command2 = [
     "--post-hook", "/config.py"
 ]
 
-def format_for_nginx(fullchain, output):
-    """ We may want to strip ISRG Root X1 out
-    """
-    certs = []
-    with open(fullchain, 'r') as pem:
-        cert = ''
-        for line in pem:
-            cert += line
-            if '-----END CERTIFICATE-----' in line:
-                certs += [cert]
-                cert = ''
-    with open(output, 'w') as pem:
-        for cert in certs[:-1] if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN', default="False") else certs:
-            pem.write(cert)
-
 # Wait for nginx to start
 time.sleep(5)
 
 # Run certbot every day
 while True:
     subprocess.call(command)
-    format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
     subprocess.call(command2)
-    format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
     time.sleep(86400)