ยง2024-11-01
#! /bin/bash
OURNAME=13_install_ssl_certs.sh
echo -e "\n-- Executing ${ORANGE}${OURNAME}${NC} subscript --"
#### SSL CERTS ####
# Install acme.sh
# NOTE: the version 3.0.7 has a bug with Nginx certs, so version is pinned to 3.0.6
ACME_VERSION="3.0.6"
wget https://raw.githubusercontent.com/acmesh-official/acme.sh/${ACME_VERSION}/acme.sh
ACME_VERSION="3.0.6"
# --auto-upgrade 0 disable auto-upgrade
sh acme.sh --install --auto-upgrade 0
# test run on alexlai@hc4Noble.yushei.net
# $ sh acme.sh --install --auto-upgrade 0
# [Fri Nov 1 06:57:48 PM CST 2024] It is recommended to install socat first.
# [Fri Nov 1 06:57:48 PM CST 2024] We use socat for standalone server if you use standalone mode.
# [Fri Nov 1 06:57:48 PM CST 2024] If you don't use standalone mode, just ignore this warning.
# [Fri Nov 1 06:57:48 PM CST 2024] Installing to /home/alexlai/.acme.sh
# [Fri Nov 1 06:57:48 PM CST 2024] Installed to /home/alexlai/.acme.sh/acme.sh
# [Fri Nov 1 06:57:48 PM CST 2024] Installing alias to '/home/alexlai/.bashrc'
# [Fri Nov 1 06:57:48 PM CST 2024] OK, Close and reopen your terminal to start using acme.sh
# [Fri Nov 1 06:57:48 PM CST 2024] Installing cron job
# no crontab for alexlai
# no crontab for alexlai
# [Fri Nov 1 06:57:48 PM CST 2024] Good, bash is found, so change the shebang to use bash as preferred.
# [Fri Nov 1 06:57:49 PM CST 2024] OK
# $ ls -al ~/.acme.sh/
# total 232
# drwx------ 2 alexlai alexlai 79 Nov 1 18:57 .
# drwxr-x--- 22 alexlai alexlai 4096 Nov 1 18:57 ..
# -rw-rw-r-- 1 alexlai alexlai 159 Nov 1 18:57 account.conf
# -rwxrwxr-x 1 alexlai alexlai 220762 Nov 1 18:57 acme.sh
# -rw-rw-r-- 1 alexlai alexlai 94 Nov 1 18:57 acme.sh.env
# -rw-rw-r-- 1 alexlai alexlai 1306 Nov 1 18:57 http.header
# and `. "/home/alexlai/.acme.sh/acme.sh.env"` added into ~/.bashrc
#
# $ cat /home/alexlai/.acme.sh/acme.sh.env
# export LE_WORKING_DIR="/home/alexlai/.acme.sh"
# alias acme.sh="/home/alexlai/.acme.sh/acme.sh"
# alias: This is a shell built-in command that allows you to create shortcuts for longer commands
#
rm -rf acme.sh
# -- create /etc/wildduck/tls.toml -------------------------------------------------------------
# WildDuck TLS config
echo 'cert="/etc/wildduck/certs/fullchain.pem"
key="/etc/wildduck/certs/privkey.pem"' > /etc/wildduck/tls.toml
sed -i -e "s/key=/#key=/g;s/cert=/#cert=/g" /etc/zone-mta/interfaces/feeder.toml
echo '# @include "../../wildduck/tls.toml"' >> /etc/zone-mta/interfaces/feeder.toml
# vanity script as first run should not restart anything
echo '#!/bin/bash
echo "OK"' > /usr/local/bin/reload-services.sh
chmod +x /usr/local/bin/reload-services.sh
~/.acme.sh/acme.sh --issue --nginx --server letsencrypt \
-d "$HOSTNAME" \
--key-file /etc/wildduck/certs/privkey.pem \
--fullchain-file /etc/wildduck/certs/fullchain.pem \
--reloadcmd "/usr/local/bin/reload-services.sh" \
--force || echo "Warning: Failed to generate certificates, using self-signed certs"
# Update site config, make sure ssl is enabled
echo "server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name $HOSTNAME;
ssl_certificate /etc/wildduck/certs/fullchain.pem;
ssl_certificate_key /etc/wildduck/certs/privkey.pem;
# special config for EventSource to disable gzip
location /api/events {
proxy_http_version 1.1;
gzip off;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header HOST \$http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;
}
# special config for uploads
location /webmail/send {
client_max_body_size 15M;
proxy_http_version 1.1;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header HOST \$http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;
}
location / {
proxy_http_version 1.1;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header HOST \$http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;
}
}" > "/etc/nginx/sites-available/$HOSTNAME"
#See issue https://github.com/nodemailer/wildduck/issues/83
$SYSTEMCTL_PATH start nginx
$SYSTEMCTL_PATH reload nginx