docker-mailserver/target
Brennan Kinney 1b1877f025
refactor: letsencrypt implicit location discovery (#2525)
* chore: Extract letsencrypt logic into methods

This allows other scripts to share the functionality to discover the correct letsencrypt folder from the 3 possible locations (where specific order is important).

As these methods should now return a string value, the `return 1` after a panic is now dropped.

* chore: Update comments

The todo is resolved with this PR, `_setup_ssl` will be called by both cert conditional statements with purpose for each better documented to maintainers at the start of the logic block.

* refactor: Defer most logic to helper/ssl.sh

The loop is no longer required, extraction is delegated to `_setup_ssl` now.

For the change event prevention, we retrieve the relevant FQDN via the new helper method, beyond that it's just indentation diff.

`check-for-changes.sh` adjusted to allow locally scoped var declarations by wrapping a function. Presently no loop control flow is needed so this seems fine. Made it clear that `CHANGED` is local and `CHKSUM_FILE` is not.

Panic scope doesn't require `SSL_TYPE` for context, it's clearly`letsencrypt`.

* fix: Correctly match wildcard results

Now that the service configs are properly updated, when the services restart they will return a cert with the SAN `DNS:*.example.test`,  which is valid for `mail.example.test`, however the test function did not properly account for this in the regexp query.

Resolved by truncating the left-most DNS label from FQDN and adding a third check to match a returned wildcard DNS result.

Extracted out the common logic to create the regexp query and renamed the methods to communicate more clearly that they check the FQDN is supported, not necessarily explicitly listed by the cert.

* tests(letsencrypt): Enable remaining tests

These will now pass. Adjusted comments accordingly.

Added an additional test on a fake FQDN that should still be valid to a wildcard cert (SNI validation in a proper setup would reject the connection afterwards).

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2022-04-18 22:52:50 +12:00
..
amavis/conf.d Improve fail2ban docs and fix a typo (#2126) 2021-08-13 10:30:39 +02:00
bin firewall: replace iptables with nftables (#2505) 2022-04-05 15:13:59 +02:00
docker-configomat@4155504854 Updated submodule target/docker-configomat 2020-10-11 19:41:53 +02:00
dovecot refactoring: split helper functions into smaller scripts (#2420) 2022-02-21 11:56:57 +01:00
fail2ban firewall: replace iptables with nftables (#2505) 2022-04-05 15:13:59 +02:00
fetchmail Implement fetchmail (#260) (#271) 2016-08-21 22:13:13 +02:00
logwatch Add logwatch maillog.conf file to support /var/log/mail/ (#2112) 2021-08-11 11:31:00 +02:00
opendkim Fixed KeyTable refile in opendkim.conf https://serverfault.com/a/861701/377751 (#2249) 2021-10-16 19:04:51 +02:00
opendmarc [opendmarc] Skip dmarc checks for email sent over authenticated sockets 2017-09-11 17:02:47 -07:00
postfix chore: Remove invalid config in Postfix master.cf (#2272) 2021-11-01 14:03:56 +13:00
postgrey housekeeping 2020-11-06 14:04:23 +01:00
postsrsd formatting files according to standard (#1619) 2020-09-24 14:54:21 +02:00
scripts refactor: letsencrypt implicit location discovery (#2525) 2022-04-18 22:52:50 +12:00
shared init tests cases ffdhe4096 2020-04-26 22:23:51 +02:00
supervisor reverted stopwaitsecs for postfix (#2137) 2021-08-17 15:39:30 +02:00