Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
#!/bin/bash
#####################################################################################
# #
# Syntax: fixcerts DOMAIN #
# #
# Use: Extend Letsencrypt SSl certificates for commonly grouped services such as #
# Apache,Postfix,Dovecot using Certbot. Useful for keeping all client #
# applications referencing the same virtual domain name, such as auto-config #
# email clients on phones, i.e. mailuser@mydomain.TLD smtp.mydomain.TLD #
# imaps.mydomain.TLD instead of mailuser@mydomain.TLD mail.ISPmaildomain.TLD #
# Also useful when sending mail through services like Gmail that will #
# validate sender through a negotiated TLS encrypted connection. #
# #
# Ex: sh fixcerts myhosteddomain.com #
# #
# Prerequisites: #
# - A Letsencrypt certificate for the DOMAIN must already exist #
# - A seperate certificate each for Dovecot and Postfix were previously generated #
# - All new host names to add MUST already exist in DNS at least as a CNAME #
# - Edit the Dovecot/Postfix conf to use the alternate certificate #
# - Set the variable wr_file to a directory that certbot can read and write from #
# - Set the dom_cert=,dv_cert=,pf_cert=,dv_file=, and pf_file= variables #
# #
# In my case, I ran: #
# certbot certonly -webroot /usr/local/ispconfig/interface/acme -d dc.hrst.xyz #
# certbot certonly -webroot /usr/local/ispconfig/interface/acme -d pf.hrst.xyz #
# to create the separate Dovecot and Postscript certificates, then edited and #
# ran the script to extend those certificate, once per hosted domain #
# #
# If you use only one alternate certifcate for both mail services, set both dv_file #
# and pf_file to the same file name and set one of _cert files="" and #
# use the other. If you don't wish to add to a particular certificate, set the #
# variable ="", such as dom_cert #
# TODO: Pre-validate desired additions as already existing in DNS #
# Generate SRV Records and add to DNS to autoconfig clients #
# #
# Author: tad.hasse@gmail.com #
# #
#####################################################################################
#bail out on error
set -e
# Hostnames to add to the main domain certificate
dom_cert="webmail"
# Hostnames to add to the Dovecot domain certificate
dv_cert="pop3s imap"
# Hostnames to add to the Postfix domain certificate
pf_cert="mail smtp smtps"
# Name of the certificate file that handles Dovecot
dv_file="dc.hrst.xyz"
# Name of the certificate file that handles Postfix
pf_file="pf.hrst.xyz"
# Writeable webroot for certbot (I use ISPConfig,
wr_file="/usr/local/ispconfig/interface/acme"
new_cert=""
nanobot=""
affected_services=""
if [ -z "$1" ] # Is parameter #1 zero length?
then
echo "-No DOMAIN specified" # Or no parameter passed.
exit 1
fi
#live_check='/etc/letsencrypt/live/'$1
if [[ ! -d '/etc/letsencrypt/live/'$1 ]]; then
echo "- DOMAIN certificate for \"$1\" not found -"
exit 1
fi
if [[ ! -d '/etc/letsencrypt/live/'${dv_file} ]]; then
echo "- Dovecot/postoffice certificate" ${dv_file}" for \"$1\" not found -"
exit 1
fi
if [[ ! -d '/etc/letsencrypt/live/'${pf_file} ]]; then
echo "- Postfix/mail certificate" ${pf_file}" for \"$1\" not found -"
exit 1
fi
# Have certbot generate its current certificate list for use as input
certbot certificates >~/certfile
# Extend base domain certificate which typically only contains the domain.TLD and www.domain.TLD
if [[ ! -z "${dom_cert}" ]]; then
echo
new_cert=$(echo $dom_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
echo "Adding" ${new_cert} " to "$1
nanobot=$(grep -A1 "Certificate Name: "$1 certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed 's/ / -d /g')
doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
${doit_cert}
affected_services=${affected_services}+"A"
else
echo "Domain Certificate unaffected"
fi
# Extend the Dovecot certificate
if [[ ! -z "${dv_cert}" ]]; then
echo
new_cert=$(echo $dv_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
echo "Adding" ${new_cert} " to "${dv_file}
nanobot=$(grep -A1 "Certificate Name: "${dv_file} certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed 's/ / -d /g')
doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
${doit_cert}
affected_services=${affected_services}+"D"
else
echo "Dovecot Certificate unaffected"
fi
# Extend the Postscript certificate
if [[ ! -z "{$pf_cert}" ]]; then
echo
new_cert=$(echo $pf_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
echo "Adding" ${new_cert} " to " ${pf_file}
nanobot=$(grep -A1 "Certificate Name: "${pf_file} certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed 's/ / -d /g')
doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
${doit_cert}
affected_services=${affected_services}+"P"
else
echo "Postfix Certificate unaffected"
fi
if [[ $affected_services == *"A"* ]]; then
echo "Remember to restart the httpd service"
fi
if [[ $affected_services == *"D"* ]]; then
echo "Remember to restart the dovecot/postoffice service"
fi
if [[ $affected_services == *"P"* ]]; then
echo "Remember to restart the postfix/sendmail service"
fi
echo
echo
echo "Add the following SRV records to DNS for client setup for "$1
if [[ $affected_services == *"D"* ]]; then
echo "_imaps._tcp."$1 "SRV 3600 4 60 993 imaps"
echo "_pop3s._tcp."$1 "SRV 3600 6 60 995 pop3s"
echo "_imap._tcp."$1 " SRV 3600 8 60 143 imap"
fi
if [[ $affected_services == *"P"* ]]; then
echo "_smtps._tcp."$1 "SRV 3600 8 60 465 smtps"
echo "_smtp._tcp."$1 " SRV 3600 10 60 587 smtp"
fi