Exim multi cert#249
Conversation
This script will query the vexim database.domains table and try to create/renew certificates for all domains Certbot will listen on the IP resolved by DNS and the ACME server will use the same IP for validating
This script will query the vexim database.domains table and try to create/renew certificates for all domains Certbot will listen on the IP resolved by DNS and the ACME server will use the same IP for validating
* some minor bugfixes and cleanup * write config file for dovecot for all domains if DOVECOT_SSL= is set properly
create certificate with all domains in the SAN field as fallback
|
Nice work! So, it's mainly for the user that they can use their own domain name for all mail-related services which is great. And if you are concerned about SNI-support in other mail servers (for incoming mail) you still ca use the default hostname in the mx-entry of the DNS. I think it's a very nice feature for vexim. I didn't go through the code yet. It's probably for debian systems, I will see if I can get this working under FreeBSD. |
merge master
|
the script 'mon-certificates' makes sure that all certificates in the database are getting generated by certbot. just tin case you are lazy and wouldn't do it manually. |
There was a problem hiding this comment.
I tried running the script locally and it failed. Maybe that's because I wasn't running it as root.
I got a bunch of lines like this in the output:
dig: '.admin' is not a legal name (empty label) # in other lines
.adminwas replaced with my TLD's.
Also I had a bunch of other comments, see below.
Also, there's currently no place in our distribution dedicated to scripts like this, so I'm reluctant to merge this in. Maybe a better place for it would be in the Wiki, at least for now?
| # set this if a config file for dovecot should be created | ||
| # this will also reload dovecot | ||
| # will be used only if the dovecot binary is executable |
There was a problem hiding this comment.
This says "dovecot", but obviously Exim is meant here.
| NGINX_PASS="proxy_pass http://mail1;" | ||
| # a file where additional parameters for proxy configurations will be | ||
| NGINX_PROXYPARAMS="include /etc/nginx/proxy_params;" |
There was a problem hiding this comment.
NGINX_PROXY_PASS and NGINX_PROXY_PARAMS would look nicer
| SUBDOMAIN_LIST_WWW="vexim" | ||
|
|
||
| # if you want to use a dedicated DNS resolver put it here | ||
| DNSSERVER="ns1.runout.at" |
There was a problem hiding this comment.
Do you really want to leave your own DNS server as example?
| # If you're behind a nat or you have some kind of port forwarding | ||
| # you can set a global IP for certbot here. | ||
| # certbot will listen on this IP but the ACME server will use the IP from DNS | ||
| DOMAIN_IP_OVERRIDE="" |
There was a problem hiding this comment.
Options that are optional should probably be commented out?
| # type of IP address should be used "AAAA" or "A" | ||
| DNSTYPE="AAAA" |
There was a problem hiding this comment.
This lacks an explanation about what record we are talking about here.
| fi | ||
|
|
||
| if [ ! -z "${EXIM_SSL}" ] && [ -x "${EXIM_BIN}" ]; then | ||
| mv -f ${EXIM_SSL} ${DOVECOT_SSL}.1 2>/dev/null |
There was a problem hiding this comment.
Apparent copy-paste error here.
| @@ -0,0 +1,288 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
/bin/sh would be more portable.
|
thx for the feedback. The script is running on my server daily. I'll check if I have made changes and report back. This would be the interesting part for a merge: docs/debian-conf.d/main/00_vexim_listmacrosdefs Maybe I should have made separate PRs for the monitoring scripts. |
|
The macros change also seems quite specific to your server. First, because it's probably Debian-specific, but also because it uses |
support for multiple ssl-certificates
#246