Add ECC certs for modern clients

master
Florent Daigniere 3 years ago
parent cb68cb312b
commit f05cc99dc0

@ -1,5 +1,9 @@
ssl_certificate {{ TLS[0] }}; ssl_certificate {{ TLS[0] }};
ssl_certificate_key {{ TLS[1] }}; ssl_certificate_key {{ TLS[1] }};
{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt] %}
ssl_certificate {{ TLS[2] }};
ssl_certificate_key {{ TLS[3] }};
{% endif %}
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_tickets off; ssl_session_tickets off;
ssl_dhparam /conf/dhparam.pem; ssl_dhparam /conf/dhparam.pem;

@ -27,10 +27,10 @@ keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem")
args["TLS"] = { args["TLS"] = {
"cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name), "cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
"letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem", "letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem"), "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
"mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name), "mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
"mail-letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem", "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem"), "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
"notls": None "notls": None
}[args["TLS_FLAVOR"]] }[args["TLS_FLAVOR"]]

@ -14,7 +14,19 @@ command = [
"--cert-name", "mailu", "--cert-name", "mailu",
"--preferred-challenges", "http", "--http-01-port", "8008", "--preferred-challenges", "http", "--http-01-port", "8008",
"--keep-until-expiring", "--keep-until-expiring",
"--rsa-key-size", "3072", "--config-dir", "/certs/letsencrypt",
"--post-hook", "/config.py"
]
command2 = [
"certbot",
"-n", "--agree-tos", # non-interactive
"-d", os.environ["HOSTNAMES"],
"-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
"certonly", "--standalone",
"--cert-name", "mailu-ecdsa",
"--preferred-challenges", "http", "--http-01-port", "8008",
"--keep-until-expiring",
"--key-type", "ecdsa",
"--config-dir", "/certs/letsencrypt", "--config-dir", "/certs/letsencrypt",
"--post-hook", "/config.py" "--post-hook", "/config.py"
] ]
@ -25,5 +37,6 @@ time.sleep(5)
# Run certbot every hour # Run certbot every hour
while True: while True:
subprocess.call(command) subprocess.call(command)
subprocess.call(command2)
time.sleep(3600) time.sleep(3600)

Loading…
Cancel
Save