
Propagate Let's encrypt certificate to mail server
Open, High · Public

Description

Draft script to propagate it:

1#!/bin/sh
2
3# -------------------------------------------------------------
4# Propagate a Let's encrypt certificate to the mail server
5# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6# Project: Nasqueron
7# Created: 2016-05-21
8# License: Trivial work, not eligible to copyright
9# Dependencies: OpenSSL
10# -------------------------------------------------------------
11
12# -------------------------------------------------------------
13# Configuration
14# -------------------------------------------------------------
15
16# Relevant paths
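# Relevant paths
LETSENCRYPT_CERT_FOLDER=/data/letsencrypt/etc/live/mail.nasqueron.org-0001
MAILSERVER_CERT_FOLDER=/var/lib/lxc/mailserver/rootfs/etc/ssl/certs
# NOTE(review): /tmp is world-writable, so any local user can pre-create or
# symlink the hash file before this script writes it; a root-owned state
# directory would be safer for a file that gates certificate deployment.
HASH_FOLDER=/tmp

# To identify a unique certificate, we record the SHA-256 digest of cert.pem
# in a hash file whose name is derived from the certificate folder path.
# Only the hex digest is kept: openssl prefixes its output with the input
# name ("SHA256(path)= ..." or "(stdin)= ..."), which must not end up in a
# file name or in the recorded value.
#
# Digest of the current certificate; empty if cert.pem cannot be read.
ACTUAL_HASH=$(openssl dgst -sha256 < "$LETSENCRYPT_CERT_FOLDER/cert.pem" | sed 's/^.*= //')

# No spaces around '=': "HASH_FILE = ..." would try to run a command named
# HASH_FILE and leave the variable unset. The folder *path* (not the folder
# itself, which openssl cannot hash) is digested to build the file name.
HASH_FILE=$HASH_FOLDER/hash-cert-$(printf '%s' "$LETSENCRYPT_CERT_FOLDER" | openssl dgst -sha256 | sed 's/^.*= //')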
25
26# -------------------------------------------------------------
27# Helper methods
28# -------------------------------------------------------------
29
30# Determines if we should propagate a new certificate
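# Determines if we should propagate a new certificate.
# Reads HASH_FILE (via is_cert_hash_changed).
# Returns 0 (true) when no hash has been recorded yet, i.e. the first run,
# or when the certificate digest differs from the recorded one; 1 otherwise.
should_propagate() {
  if [ ! -f "$HASH_FILE" ]; then
    # First run: nothing is recorded yet, so the certificate must be
    # installed. Returning 1 here would mean the hash file is never
    # written and the script never propagates anything.
    return 0
  elif is_cert_hash_changed; then
    return 0
  else
    return 1
  fi
}

# Determines if the certificate has been modified, based on last recorded hash.
# Reads ACTUAL_HASH and HASH_FILE (HASH_FILE must exist).
# Returns 0 (true) when the current digest differs from the recorded one,
# 1 when they are identical.
is_cert_hash_changed() {
  EXPECTED_HASH=$(cat "$HASH_FILE")

  if [ "$ACTUAL_HASH" = "$EXPECTED_HASH" ]; then
    return 1
  else
    return 0
  fi
}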
51
52# Saves the new certificate hash
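# Saves the new certificate hash so the next run can detect a renewal.
# Reads ACTUAL_HASH; writes it to HASH_FILE, replacing any previous value.
# printf with a quoted argument keeps the value byte-for-byte (echo would
# word-split, glob and may interpret a leading '-' as an option).
save_certificate_hash() {
  printf '%s\n' "$ACTUAL_HASH" > "$HASH_FILE"
}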
56
57# -------------------------------------------------------------
58# Procedural code
59# -------------------------------------------------------------
60
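# Refuse to continue without a digest: an unreadable cert.pem would otherwise
# be recorded as an empty hash and mask every later renewal.
if [ -z "$ACTUAL_HASH" ]; then
  printf 'Cannot read %s/cert.pem\n' "$LETSENCRYPT_CERT_FOLDER" >&2
  exit 1
fi

# Dry run for now: the cp commands are only echoed. Drop the leading "echo"
# to perform the copy. The hash is recorded only when both copies succeed,
# so a failed copy is retried on the next run instead of being forgotten.
# NOTE(review): mailserver.key is a private key; confirm the destination
# file mode restricts it to the mail server when the copy goes live.
if should_propagate; then
  echo cp "$LETSENCRYPT_CERT_FOLDER/fullchain.pem" "$MAILSERVER_CERT_FOLDER/mailserver.crt" \
    && echo cp "$LETSENCRYPT_CERT_FOLDER/privkey.pem" "$MAILSERVER_CERT_FOLDER/mailserver.key" \
    && save_certificate_hash
fi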