From cd7bc5f6bc6bfa3006e0465741bac3a5cee6ba0c Mon Sep 17 00:00:00 2001
From: Jack Twilley
Date: Mon, 29 Aug 2016 04:46:16 -0700
Subject: [PATCH] Minor tweaks to letsencrypt configuration. (#288)
The letsencrypt-auto client creates cert.pem, chain.pem, fullchain.pem, and privkey.pem in its default settings. The simp_le client creates cert.pem, fullchain.pem, and key.pem in its default settings. A check for either privkey.pem or key.pem was added. The chain.pem file was only used by the letsencrypt code for the creation of combined.pem, which is not used by either postfix or dovecot. The code to create a combined.pem file for letsencrypt was removed, as was the corresponding test.
---
 target/start-mailserver.sh | 30 +++++++++++++++++-------------
 test/tests.bats | 5 -----
 2 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index fdbaab2a..f70ab9e8 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -121,23 +121,27 @@ case $SSL_TYPE in "letsencrypt" ) # letsencrypt folders and files mounted in /etc/letsencrypt if [ -e "/etc/letsencrypt/live/$(hostname)/cert.pem" ] \ - && [ -e "/etc/letsencrypt/live/$(hostname)/chain.pem" ] \ - && [ -e "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ] \ - && [ -e "/etc/letsencrypt/live/$(hostname)/privkey.pem" ]; then - echo "Adding $(hostname) SSL certificate" - # create combined.pem from (cert|chain|privkey).pem with eol after each .pem - sed -e '$a\' -s /etc/letsencrypt/live/$(hostname)/{cert,chain,privkey}.pem > /etc/letsencrypt/live/$(hostname)/combined.pem + && [ -e "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ]; then + KEY="" + if [ -e "/etc/letsencrypt/live/$(hostname)/privkey.pem" ]; then + KEY="/etc/letsencrypt/live/$(hostname)/privkey.pem" + elif [ -e "/etc/letsencrypt/live/$(hostname)/key.pem" ]; then + KEY="/etc/letsencrypt/live/$(hostname)/key.pem" + fi + if [ -n "$KEY" ]; then + echo "Adding $(hostname) SSL certificate" - # Postfix configuration - sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/fullchain.pem/g' /etc/postfix/main.cf - sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/privkey.pem/g' /etc/postfix/main.cf + # Postfix configuration + sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/fullchain.pem/g' /etc/postfix/main.cf + sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/privkey.pem/g' /etc/postfix/main.cf - # Dovecot configuration - sed -i -e 's/ssl_cert = <\/etc\/dovecot\/dovecot\.pem/ssl_cert = <\/etc\/letsencrypt\/live\/'$(hostname)'\/fullchain\.pem/g' /etc/dovecot/conf.d/10-ssl.conf - sed -i -e 's/ssl_key = 
<\/etc\/dovecot\/private\/dovecot\.pem/ssl_key = <\/etc\/letsencrypt\/live\/'$(hostname)'\/privkey\.pem/g' /etc/dovecot/conf.d/10-ssl.conf + # Dovecot configuration + sed -i -e 's/ssl_cert = <\/etc\/dovecot\/dovecot\.pem/ssl_cert = <\/etc\/letsencrypt\/live\/'$(hostname)'\/fullchain\.pem/g' /etc/dovecot/conf.d/10-ssl.conf + sed -i -e 's/ssl_key = <\/etc\/dovecot\/private\/dovecot\.pem/ssl_key = <\/etc\/letsencrypt\/live\/'$(hostname)'\/privkey\.pem/g' /etc/dovecot/conf.d/10-ssl.conf - echo "SSL configured with 'letsencrypt' certificates" + echo "SSL configured with 'letsencrypt' certificates" + fi fi ;; diff --git a/test/tests.bats b/test/tests.bats index 97db1775..8be8f894 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -428,11 +428,6 @@ [ "$output" -eq 2 ] } -@test "checking ssl: letsencrypt combined.pem generated correctly" { - run docker exec mail_pop3 ls -1 /etc/letsencrypt/live/mail.my-domain.com/combined.pem - [ "$status" -eq 0 ] -} - @test "checking ssl: letsencrypt cert works correctly" { run docker exec mail_pop3 /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'" [ "$status" -eq 0 ]
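Review bot: The new `KEY` variable is assigned but never used: both added key-file `sed` lines (the Postfix `smtpd_tls_key_file` one and the Dovecot `ssl_key` one) still hard-code `privkey.pem`, so a simp_le layout that only has `key.pem` passes the new check, prints "Adding … SSL certificate", and then points Postfix and Dovecot at a file that does not exist. Whether the daemons then refuse TLS or keep serving the defaults depends on their error handling, which the hunk does not show, but either way the commit's stated goal of supporting `key.pem` is not met. Substitute the variable, using a delimiter that does not clash with the slashes in the path: `sed -i -r "s#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key#smtpd_tls_key_file=$KEY#g" /etc/postfix/main.cf` and `sed -i -e "s#ssl_key = </etc/dovecot/private/dovecot\.pem#ssl_key = <$KEY#g" /etc/dovecot/conf.d/10-ssl.conf`. It would also help to add an `else` on the `[ -n "$KEY" ]` test that logs that no key file was found, since the script otherwise continues without any message, presumably leaving the snakeoil defaults in place. The enclosing `case $SSL_TYPE in` statement begins before and ends after this hunk.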