wildduck/setup/13_install_ssl_certs.sh

#! /bin/bash

OURNAME=13_install_ssl_certs.sh

echo -e "\n-- Executing ${ORANGE}${OURNAME}${NC} subscript --"

#### SSL CERTS ####

# Install acme.sh
# NOTE: the version 3.0.7 has a bug with Nginx certs, so version is pinned to 3.0.6
ACME_VERSION="3.0.6"
wget https://raw.githubusercontent.com/acmesh-official/acme.sh/${ACME_VERSION}/acme.sh
sh acme.sh --install --auto-upgrade 0
rm -rf acme.sh

# WildDuck TLS config
echo 'cert="/etc/wildduck/certs/fullchain.pem"
key="/etc/wildduck/certs/privkey.pem"' > /etc/wildduck/tls.toml

sed -i -e "s/key=/#key=/g;s/cert=/#cert=/g" /etc/zone-mta/interfaces/feeder.toml
echo '# @include "../../wildduck/tls.toml"' >> /etc/zone-mta/interfaces/feeder.toml

# vanity script as first run should not restart anything
echo '#!/bin/bash
echo "OK"' > /usr/local/bin/reload-services.sh
chmod +x /usr/local/bin/reload-services.sh

~/.acme.sh/acme.sh --issue --nginx --server letsencrypt \
    -d "$HOSTNAME" \
    --key-file       /etc/wildduck/certs/privkey.pem  \
    --fullchain-file /etc/wildduck/certs/fullchain.pem \
    --reloadcmd     "/usr/local/bin/reload-services.sh" \
    --force || echo "Warning: Failed to generate certificates, using self-signed certs"

# Update site config, make sure ssl is enabled
echo "server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name $HOSTNAME;

    ssl_certificate /etc/wildduck/certs/fullchain.pem;
    ssl_certificate_key /etc/wildduck/certs/privkey.pem;

    # special config for EventSource to disable gzip
    location /api/events {
        proxy_http_version 1.1;
        gzip off;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header HOST \$http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }

    # special config for uploads
    location /webmail/send {
        client_max_body_size 15M;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header HOST \$http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }

    location / {
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header HOST \$http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }
}" > "/etc/nginx/sites-available/$HOSTNAME"

#See issue https://github.com/nodemailer/wildduck/issues/83
$SYSTEMCTL_PATH start nginx
$SYSTEMCTL_PATH reload nginx
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`#! /bin/bash`

			`OURNAME=13_install_ssl_certs.sh`

			`echo -e "\n-- Executing ${ORANGE}${OURNAME}${NC} subscript --"`

			`#### SSL CERTS ####`

Pin acme.sh in setup script 2023-08-24 16:18:18 +08:00			`# Install acme.sh`
			`# NOTE: the version 3.0.7 has a bug with Nginx certs, so version is pinned to 3.0.6`
			`ACME_VERSION="3.0.6"`
Updated install script 2023-08-31 20:25:41 +08:00			`wget https://raw.githubusercontent.com/acmesh-official/acme.sh/${ACME_VERSION}/acme.sh`
			`sh acme.sh --install --auto-upgrade 0`
			`rm -rf acme.sh`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00
Pin acme.sh in setup script 2023-08-24 16:18:18 +08:00			`# WildDuck TLS config`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`echo 'cert="/etc/wildduck/certs/fullchain.pem"`
			`key="/etc/wildduck/certs/privkey.pem"' > /etc/wildduck/tls.toml`

			`sed -i -e "s/key=/#key=/g;s/cert=/#cert=/g" /etc/zone-mta/interfaces/feeder.toml`
			`echo '# @include "../../wildduck/tls.toml"' >> /etc/zone-mta/interfaces/feeder.toml`

			`# vanity script as first run should not restart anything`
			`echo '#!/bin/bash`
			`echo "OK"' > /usr/local/bin/reload-services.sh`
			`chmod +x /usr/local/bin/reload-services.sh`

updated acme conf 2021-07-05 23:09:41 +08:00			`~/.acme.sh/acme.sh --issue --nginx --server letsencrypt \`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`-d "$HOSTNAME" \`
			`--key-file /etc/wildduck/certs/privkey.pem \`
			`--fullchain-file /etc/wildduck/certs/fullchain.pem \`
			`--reloadcmd "/usr/local/bin/reload-services.sh" \`
			`--force \|\| echo "Warning: Failed to generate certificates, using self-signed certs"`

			`# Update site config, make sure ssl is enabled`
			`echo "server {`
			`listen 80;`
			`listen [::]:80;`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

			`server_name $HOSTNAME;`

			`ssl_certificate /etc/wildduck/certs/fullchain.pem;`
			`ssl_certificate_key /etc/wildduck/certs/privkey.pem;`

updated nginx setup 2019-02-23 08:01:00 +08:00			`# special config for EventSource to disable gzip`
			`location /api/events {`
			`proxy_http_version 1.1;`
			`gzip off;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header HOST \$http_host;`
			`proxy_set_header X-NginX-Proxy true;`
			`proxy_pass http://127.0.0.1:3000;`
			`proxy_redirect off;`
			`}`

			`# special config for uploads`
			`location /webmail/send {`
			`client_max_body_size 15M;`
			`proxy_http_version 1.1;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header HOST \$http_host;`
			`proxy_set_header X-NginX-Proxy true;`
			`proxy_pass http://127.0.0.1:3000;`
			`proxy_redirect off;`
			`}`

Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`location / {`
updated nginx setup 2019-02-23 08:01:00 +08:00			`proxy_http_version 1.1;`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header HOST \$http_host;`
			`proxy_set_header X-NginX-Proxy true;`
			`proxy_pass http://127.0.0.1:3000;`
			`proxy_redirect off;`
			`}`
			`}" > "/etc/nginx/sites-available/$HOSTNAME"`

			`#See issue https://github.com/nodemailer/wildduck/issues/83`
			`$SYSTEMCTL_PATH start nginx`
			`$SYSTEMCTL_PATH reload nginx`