From 4df53ce24797a7da70a5d7d4f7457e69f6eaf56e Mon Sep 17 00:00:00 2001
From: Balakrishnan Balasubramanian
Date: Mon, 1 Apr 2024 18:09:36 -0400
Subject: [PATCH] Improve cert_copy script to work better for the first time
---
 deploy_configs/README.md | 11 ++++++-----
 deploy_configs/mail4one_cert_copy.sh | 22 +++++++++++++++-------
 2 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/deploy_configs/README.md b/deploy_configs/README.md
index a121b2a..a209272 100644
--- a/deploy_configs/README.md
+++ b/deploy_configs/README.md
@@ -81,15 +81,16 @@ systemctl status mail4one
 Above command should fail as the TLS certificates don't exist yet.
 
 ## Setup TLS certificates
-Install [certbot](https://certbot.eff.org/) and run below command. Follow instructions to create TLS certificates. Usually you want certificate for domain name like `mail.example.com`
+Install [certbot](https://certbot.eff.org/) and run below command. Follow instructions to create TLS certificates. Usually you want certificate for domain name like `mail.mydomain.com`
 
 ```sh
 sudo certbot certonly
-sudo cp /etc/letsencrypt/live/mail.example.com/{fullchain,privkey}.pem /var/lib/mail4one/certs/
-sudo chown mail4one:mail4one /var/lib/mail4one/certs/{fullchain,privkey}.pem
-# Edit mail4one_cert_copy.sh to update your domain name
+# **Edit** mail4one_cert_copy.sh to update your domain name
 sudo cp mail4one_cert_copy.sh /etc/letsencrypt/renewal-hooks/deploy/
 sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/mail4one_cert_copy.sh
+
+ # This will create and copy the certificates to the right path with correct permissions and ownership
+sudo certbot certonly -d mail.mydomain.com --run-deploy-hooks --dry-run
 ```
 ## Restart service and check logs
 ```sh
@@ -109,6 +110,6 @@ python3 -m http.server 25
 In local machine or a browser
 You should see file listing a, b, c. Repeat for port 465, 995 to make sure firewall rules and dns is working
 ```sh
-curl http://mail.example.com:25
+curl http://mail.mydomain.com:25
 ```
 If not working, refer to VPS settings and OS firewall settings.
diff --git a/deploy_configs/mail4one_cert_copy.sh b/deploy_configs/mail4one_cert_copy.sh
index bd44084..b1283fc 100755
--- a/deploy_configs/mail4one_cert_copy.sh
+++ b/deploy_configs/mail4one_cert_copy.sh
@@ -7,13 +7,21 @@
 # This file is supposed to be copied to /etc/letsencrypt/renewal-hooks/deploy/
 # Change the mail domain to the one on MX record
 
+set -eu
+
 if [ "$RENEWED_DOMAINS" = "mail.mydomain.com" ]
 then
- mkdir -p /var/lib/mail4one/certs
- chmod 750 /var/lib/mail4one/certs
- chown mail4one:mail4one /var/lib/mail4one/certs
- cp "$RENEWED_LINEAGE/fullchain.pem" /var/lib/mail4one/certs/
- cp "$RENEWED_LINEAGE/privkey.pem" /var/lib/mail4one/certs/
- systemctl restart mail4one.service
- echo "$(date) Renewed and deployed certificates for mail4one" >> /var/log/mail4one-cert-renew.log
+ app=mail4one
+ appuser=$app
+ certpath="/var/lib/$app/certs"
+
+ mkdir -p "$certpath"
+ chmod 750 "$certpath"
+
+ chown $appuser:$appuser "$certpath"
+ install -o "$appuser" -g "$appuser" -m 444 "$RENEWED_LINEAGE/fullchain.pem" -t "$certpath"
+ install -o "$appuser" -g "$appuser" -m 400 "$RENEWED_LINEAGE/privkey.pem" -t "$certpath"
+
+ systemctl restart $app.service
+ echo "$(date) Renewed and deployed certificates for $app" >> /var/log/cert-renew.log
 fi
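Review bot: The two `install` calls write fullchain.pem and then privkey.pem straight into `$certpath`, so with the new `set -eu` a failure on the second call exits the hook after the chain has already been replaced but before the key is, and before the `systemctl restart`; the directory is then left holding a new chain next to the old key, which the service would presumably pick up on its next restart. Staging both files in a temporary directory under `$certpath` and moving them into place only after both installs succeeded keeps the pair consistent on a partial failure; the rewrite of those two lines is sketched below. As a smaller point, `chown $appuser:$appuser "$certpath"` and `systemctl restart $app.service` leave the variables unquoted while the `install` lines quote them; `chown "$appuser:$appuser" "$certpath"` and `systemctl restart "$app.service"` would make the hunk consistent. The `if … fi` block is complete within the hunk; the shebang and earlier comments of the script are outside it.
```shell
    # Stage both files, then move them into place together so a failure
    # part-way through never leaves a new chain next to the old key.
    staging=$(mktemp -d -p "$certpath")
    install -o "$appuser" -g "$appuser" -m 444 "$RENEWED_LINEAGE/fullchain.pem" -t "$staging"
    install -o "$appuser" -g "$appuser" -m 400 "$RENEWED_LINEAGE/privkey.pem" -t "$staging"
    mv -f -t "$certpath" "$staging/fullchain.pem" "$staging/privkey.pem"
    rmdir "$staging"
    # … unchanged: systemctl restart and the log line …
```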