From 989f6912819f0644a7780eead32031239b15cbaf Mon Sep 17 00:00:00 2001 From: Michael Sprauer Date: Tue, 30 Jun 2020 22:34:26 +0200 Subject: [PATCH 1/6] fix tests with space in path --- test/mail_dhparams_manual_not_one_dir.bats | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/mail_dhparams_manual_not_one_dir.bats b/test/mail_dhparams_manual_not_one_dir.bats index ae98ccff..36e2f926 100644 --- a/test/mail_dhparams_manual_not_one_dir.bats +++ b/test/mail_dhparams_manual_not_one_dir.bats @@ -22,7 +22,7 @@ function teardown() { function setup_file() { # copy the custom DHE params in local config - cp `pwd`/test/test-files/ssl/custom-dhe-params.pem `pwd`/test/config/dhparams.pem + cp "`pwd`/test/test-files/ssl/custom-dhe-params.pem" "`pwd`/test/config/dhparams.pem" docker run -d --name mail_manual_dhparams_not_one_dir \ -v "`pwd`/test/config":/tmp/docker-mailserver \ @@ -35,7 +35,7 @@ function setup_file() { function teardown_file() { # remove custom dhe file - rm `pwd`/test/config/dhparams.pem + rm "`pwd`/test/config/dhparams.pem" docker rm -f mail_manual_dhparams_not_one_dir } From 32c732e276b2637cdda1fd1cc8b5ba318a765687 Mon Sep 17 00:00:00 2001 From: Michael Sprauer Date: Tue, 30 Jun 2020 22:43:22 +0200 Subject: [PATCH 2/6] certificates from acme.json Will extract certificates from acme.json as written by traefik for usage in dovecot and postfix. Also watches acme.json for changes. For this to work the file has to be mounted/present at `/etc/letsencrypt/acme.json` --- target/check-for-changes.sh | 8 ++- target/helper_functions.sh | 68 ++++++++++++------- target/start-mailserver.sh | 4 +- test/config/letsencrypt/acme-changed.json | 31 +++++++++ test/config/letsencrypt/acme.json | 31 +++++++++ test/config/letsencrypt/changed/cert.pem | 18 +++++ test/config/letsencrypt/changed/fullchain.pem | 36 ++++++++++ test/config/letsencrypt/changed/key.pem | 27 ++++++++ test/mail_ssl_letsencrypt.bats | 51 ++++++++++++++ 9 files changed, 247 insertions(+), 27 deletions(-) create mode 100644 test/config/letsencrypt/acme-changed.json create mode 100644 test/config/letsencrypt/acme.json create mode 100644 test/config/letsencrypt/changed/cert.pem create mode 100644 test/config/letsencrypt/changed/fullchain.pem create mode 100644 test/config/letsencrypt/changed/key.pem diff --git a/target/check-for-changes.sh b/target/check-for-changes.sh index 804d7070..da3e0607 100755 --- a/target/check-for-changes.sh +++ b/target/check-for-changes.sh @@ -1,5 +1,7 @@ #!/bin/bash +. /usr/local/bin/helper_functions.sh + # create date for log output log_date=$(date +"%Y-%m-%d %H:%M:%S ") echo "${log_date} Start check-for-changes script." @@ -32,7 +34,7 @@ echo "${log_date} Using postmaster address ${PM_ADDRESS}" # Create an array of files to monitor, must be the same as in start-mailserver.sh declare -a cf_files=() -for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf; do +for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf /etc/letsencrypt/acme.json; do [ -f "$file" ] && cf_files+=("$file") done @@ -61,6 +63,10 @@ if [[ $chksum == *"FAIL"* ]]; then ( flock -e 200 + if [[ $chksum == *"/etc/letsencrypt/acme.json: FAILED"* ]]; then + (extractCertsFromAcmeJson "$HOSTNAME" || extractCertsFromAcmeJson "$DOMAINNAME") + fi + #regen postix aliases. echo "root: ${PM_ADDRESS}" > /etc/aliases if [ -f /tmp/docker-mailserver/postfix-aliases.cf ]; then diff --git a/target/helper_functions.sh b/target/helper_functions.sh index 207daef1..24a13829 100644 --- a/target/helper_functions.sh +++ b/target/helper_functions.sh @@ -2,36 +2,54 @@ # expects mask prefix length and the digit function _mask_ip_digit() { - if [[ $1 -ge 8 ]]; then - MASK=255 - else - if [[ $1 -le 0 ]]; then - MASK=0 - else - VALUES=('0' '128' '192' '224' '240' '248' '252' '254' '255') - MASK=${VALUES[$1]} - fi - fi - echo $(( $2 & $MASK )) + if [[ $1 -ge 8 ]]; then + MASK=255 + else + if [[ $1 -le 0 ]]; then + MASK=0 + else + VALUES=('0' '128' '192' '224' '240' '248' '252' '254' '255') + MASK=${VALUES[$1]} + fi + fi + echo $(($2 & $MASK)) } # transforms a specific ip with CIDR suffix like 1.2.3.4/16 # to subnet with cidr suffix like 1.2.0.0/16 function _sanitize_ipv4_to_subnet_cidr() { - IP=${1%%/*} - PREFIX_LENGTH=${1#*/} + IP=${1%%/*} + PREFIX_LENGTH=${1#*/} - # split IP by . into digits - DIGITS=(${IP//./ }) + # split IP by . into digits + DIGITS=(${IP//./ }) - # mask digits according to prefix length - MASKED_DIGITS=() - DIGIT_PREFIX_LENGTH="$PREFIX_LENGTH" - for DIGIT in "${DIGITS[@]}" ; do - MASKED_DIGITS+=( $(_mask_ip_digit $DIGIT_PREFIX_LENGTH $DIGIT) ) - DIGIT_PREFIX_LENGTH=$(( $DIGIT_PREFIX_LENGTH - 8 )) - done + # mask digits according to prefix length + MASKED_DIGITS=() + DIGIT_PREFIX_LENGTH="$PREFIX_LENGTH" + for DIGIT in "${DIGITS[@]}"; do + MASKED_DIGITS+=($(_mask_ip_digit $DIGIT_PREFIX_LENGTH $DIGIT)) + DIGIT_PREFIX_LENGTH=$(($DIGIT_PREFIX_LENGTH - 8)) + done - # output masked ip plus prefix length - echo ${MASKED_DIGITS[0]}.${MASKED_DIGITS[1]}.${MASKED_DIGITS[2]}.${MASKED_DIGITS[3]}/$PREFIX_LENGTH -} \ No newline at end of file + # output masked ip plus prefix length + echo ${MASKED_DIGITS[0]}.${MASKED_DIGITS[1]}.${MASKED_DIGITS[2]}.${MASKED_DIGITS[3]}/$PREFIX_LENGTH +} + +# extracts certificates from acme.json and returns 0 if found +function extractCertsFromAcmeJson() { + WHAT=$1 + # sorry for the code-golf :( + KEY=$(cat /etc/letsencrypt/acme.json | python -c "import sys,json,itertools; print map(lambda c: c[\"key\"] if (c[\"domain\"][\"main\"]==\"$WHAT\" or \"$WHAT\" in c[\"domain\"][\"sans\"]) else \"\", list(itertools.chain.from_iterable(map(lambda x: x[\"Certificates\"], json.load(sys.stdin).values()))))[0]") + CERT=$(cat /etc/letsencrypt/acme.json | python -c "import sys,json,itertools; print map(lambda c: c[\"certificate\"] if (c[\"domain\"][\"main\"]==\"$WHAT\" or \"$WHAT\" in c[\"domain\"][\"sans\"]) else \"\", list(itertools.chain.from_iterable(map(lambda x: x[\"Certificates\"], json.load(sys.stdin).values()))))[0]") + + if [[ -n "${KEY}${CERT}" ]]; then + mkdir -p /etc/letsencrypt/live/"$HOSTNAME"/ + echo $KEY | base64 -d >/etc/letsencrypt/live/"$HOSTNAME"/key.pem || exit 1 + echo $CERT | base64 -d >/etc/letsencrypt/live/"$HOSTNAME"/fullchain.pem || exit 1 + echo "Cert found in /etc/letsencrypt/acme.json for $WHAT" + return 0 + else + return 1 + fi +} diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 7f56923e..932b00b1 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -505,7 +505,7 @@ function _setup_chksum_file() { pushd /tmp/docker-mailserver declare -a cf_files=() - for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf; do + for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf /etc/letsencrypt/acme.json; do [ -f "$file" ] && cf_files+=("$file") done @@ -1048,6 +1048,8 @@ function _setup_ssl() { local LETSENCRYPT_DOMAIN="" local LETSENCRYPT_KEY="" + [[ -f /etc/letsencrypt/acme.json ]] && (extractCertsFromAcmeJson "$HOSTNAME" || extractCertsFromAcmeJson "$DOMAINNAME") + # first determine the letsencrypt domain by checking both the full hostname or just the domainname if a SAN is used in the cert if [ -e "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem" ]; then LETSENCRYPT_DOMAIN=$HOSTNAME diff --git a/test/config/letsencrypt/acme-changed.json b/test/config/letsencrypt/acme-changed.json new file mode 100644 index 00000000..0e05482a --- /dev/null +++ b/test/config/letsencrypt/acme-changed.json @@ -0,0 +1,31 @@ +{ + "le": { + "Account": { + "Email": "acme@admin.com", + "Registration": { + "body": { + "status": "valid", + "contact": [ + "mailto:acme@admin.com" + ] + }, + "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/0123456789" + }, + "PrivateKey": "YES", + "KeyType": "4096" + }, + "Certificates": [ + { + "domain": { + "main": "mail.my-domain.com", + "sans": [ + "mail2.my-domain.com" + ] + }, + "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1RENDQWN5Z0F3SUJBZ0lKQU4vKzNMTVF2bnYxTUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3TmpJNU1qQTFOVEl4V2hjTk1qQXdPREk0TWpBMU5USXhXakFXTVJRdwpFZ1lEVlFRRERBdGxlR0Z0Y0d4bExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DCmdnRUJBTDVVTmc3eWJyWG9DSW5teFErZjM4KytzTEVjZ0c2UDBYK2ZhSDExQnc0N1Z0K21mMXZsdEloN29qTzgKRGVYcUZ4c0dMM1MvWXF5dVhYMFRHSU9oL2Nzam52djFHRUwxVXgwWUNzeUZrdmZsYjhOdVNLVzUyVDBkblVxRgpaRndsZHlrQ3dIblF4bXdZWnhuWmpWRjJZT3IvS21HWnZPNWR4U1RzL3FEdVUwY3AzRkQ0ejJDQkVMTG16aXh2CmZPMkxnazFZbi9IOW1OTE5TS1FhaVNlQ3hJZDVDek5JbG1VSWZuTDB0dWMzbjJmTmlnanVQS09WMkgvN05WVFQKVHJpdVAzODRieDlXVExmWDI5Y24rSG80aEtCYXEydDFXbXoranNXaTFneWExS3JMQU00enpRSEkrdTZyMytqUwozUHNSVnMxY3N5TzJOQ1hxVm8vYnhxZTM4K3NDQXdFQUFhTTVNRGN3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFCkJBTUNCZUF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdJR0NDc0dBUVVGQndNQk1BMEdDU3FHU0liM0RRRUIKQ3dVQUE0SUJBUUFrbUhIVGFaOGhpU3RvQS9YWWpHWGtIVDVEQmpqT2hSbTNtbWRDRit4aGJVY2ovZnJ3QlluMAphcEFHZk5TR3ErUEpUZ1Zkc1pVQUMrc09meFJtZTNGalU1Z0Fla2VJRGpPUU1kMVZiZG1jSVd0bkorVHR6OTRGClFtNVY3RGY4a1ZrY3FFNlV2dlh5WDNZRUZqMi9md2I0aHh5eWwvZkFXbDVhY1dUTE5BMm1PS20vZk1oS2V6K2gKM1ZHaEtRNVpHUzBRdCtMZWEzbzdMV3M1ZEg1TGhTdnMzRmU5UFNkZHhhME5idHI0c2ZnZk9JUUpnbzJtQ3ZjaAp1NXpGcTdudkRxZHNtZFp3WU1JY2lucFBXSmdFb1FMSldVL2dXTDJZYSs1a0oxMzdzbVBjWVg3akRTeUJIbGtRCm9BWU9CNjVZbm9XeFZ1UXRLcUhXNmY4bnFEMW53RUJuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5ekNDQWQrZ0F3SUJBZ0lKQVAvNDFhc0srSTNCTUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3TmpJNU1qQTFOVEl4V2hjTk1qQXdPREk0TWpBMU5USXhXakFTTVJBdwpEZ1lEVlFRRERBZDBaWE4wTFdOaE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCmt6bE9GM1E4d3Q2RzhNOENnKy9VQURsa2JPVW5CbGJDd2xSbnFTcnZyWDdCUmMzN1IxWStLenNNbUdna1BrdkUKY3padVdiT1FVOGdoblFKd1NIVC9BSzFnNWpNYzdtWkxTa0UrdVZNb3I0KzRWZ3Q0a0t2Zmt0emNDSk9mby9xTApYVjJlUFJnVmxIaitwZWlscUhNTThQMDNWUHg2a3E3b1pFMXBCbGg0UXlMejdEWWNQNkFEM0JxL0hTTTVobXZQCmlIYkNIeTZ5ZitRc3VCcWFXQ2VjMXlnYzlHUG55RFhRb0RSQXdsY0EwYVZTU29zYzZIZVZRb0RCUFR6WlVyaU0KcmlxUEszWVQ0TEdFSDZuVHgzUlV0anVHOFpkR3pwZ3V3OS95MHRjY3Q3NzdXTEZJZXVCUWttWmlNRzNYZWl2dQpUYmZIQ2JxSkNPNTNmc2JLMENyekVRSURBUUFCbzFBd1RqQWRCZ05WSFE0RUZnUVV4bzZOWFJpMzlReEpuWlpECnZieGNvK20yVTdZd0h3WURWUjBqQkJnd0ZvQVV4bzZOWFJpMzlReEpuWlpEdmJ4Y28rbTJVN1l3REFZRFZSMFQKQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBT0JLTUcyYWFaK2YyR2F6ZHRxNytJbFJNM1lGdgppbkY1dWFaM2JxQytwS0RiMXdaSkx6V2dIVmdOU0dYZXRIUEthOVFweVFxRWUvYllNSzdhdkpvLy9GbWhnMCszClN3STJnOUJvSVBCZDRqSUJZNDFoL3pyeVRZNFBMeC9OcWFwV1I0LzNuRFBKM1NTTUhaNEpnUDhHVFhsem1GNmoKNFVnd1JyTEZRZDBaWllORFJvOGJaZVVFcVg3MGswRXFZOVF4QmpKZ1V6VnlXWWpQKy9TZVhBQkp5UHY3bHpSTgpudktqM0Y5MWVOZnFmOFkrV2RkdkI4am4zTFhvazRTaUZ6eEVTZkozblZPZ3dwOFNQaGhUU2hiWFFhajQ4Rng4Cm82VEdNOXV0UHROOXFJTnd2cXlySzRsVXdLajZZTHlUa1YxMG9WZ3RKWWh5eUhWVmw3SmhjOFVJTXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==", + "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdmxRMkR2SnV0ZWdJaWViRkQ1L2Z6NzZ3c1J5QWJvL1JmNTlvZlhVSERqdFczNlovClcrVzBpSHVpTTd3TjVlb1hHd1l2ZEw5aXJLNWRmUk1ZZzZIOXl5T2UrL1VZUXZWVEhSZ0t6SVdTOStWdncyNUkKcGJuWlBSMmRTb1ZrWENWM0tRTEFlZERHYkJobkdkbU5VWFpnNnY4cVlabTg3bDNGSk96K29PNVRSeW5jVVBqUApZSUVRc3ViT0xHOTg3WXVDVFZpZjhmMlkwczFJcEJxSko0TEVoM2tMTTBpV1pRaCtjdlMyNXplZlo4MktDTzQ4Cm81WFlmL3MxVk5OT3VLNC9memh2SDFaTXQ5ZmIxeWY0ZWppRW9GcXJhM1ZhYlA2T3hhTFdESnJVcXNzQXpqUE4KQWNqNjdxdmY2TkxjK3hGV3pWeXpJN1kwSmVwV2o5dkdwN2Z6NndJREFRQUJBb0lCQVFDdWZoNGhqZm9hSStUUQpLUlk1d09VOFhTTTQvVnh5QU1DZE5OUmpVTXRyTE5QMHIzek1EOGgzNklGSTFQd1k4WWpGYWVKUU1yYVFnanVMCjA5b0J0SjR0Z3piYTRGV2g3YkNKVitWdXBIZWRkbWdFMERNaVhVVGhWeWxCalJINXVRK0tOYytvM3ROTGZ3UG4KR3lFSXNuTWdmMWVucTM4Zk9qRG9MYTgwYzhzOXpYaEh0Wng5SlF6RFViUXIrRE5UUzBSTFA1Mk1JL3BYR0MrZwpUMjI1c1ZWMzl1cVFGY2NIRUNhY0xEYlllNUVoelJpMlBOQTk4Zkh0Ty9sQVA5amp2UWlNY2NyMEtqanpFSGxTCmxvRnMxL3kvdkNBby9rVGhxaEtMLzBUM3FkaUcrWU5zbmUrVGh5Mnh4NVczN1lNR0l0ZTlmKzV5bVRtYitsZ2IKZlU2L2kydGhBb0dCQVBPNlVydDUwaDN2SjJtLytNRkNrb2tjYTE5NWs5c1lPMVJNa1RZSFBaNW40K25UdTMybwpSREt1L0t3T2dseTljcDAwUW44WEljRGk3TXV0OE1LN1JHdjFXeVpWbGJYMStMMzFGVCtjL045NnJIQmE1U0hJCm5oZFRMQkxQVG1iNk9PUFNXWEVIbDAwdnNsdEFsdXRJcnVmanpvd0V0Z3B0T2hZTzhhNjA4aWh2QW9HQkFNZnAKa2l1LzBibDdjUWdZZmdmSWZ5YzJpTU9aU0RseVRFRThxZmhWa1NWNFg3bDNycXk3eUNQNEc1MXBaQ1dWcDl6WQo4UzNtYmlDM3hYVjZpTzVQeGVoS1ZmdnFySXF6MnpaWDhTRjFhMUwzekRGQ3BFNkdmUHB5Uk1uK01hLy84b3haCmRwdGV6WlRCMVJtUDd6UndIVGJrSXhjU3NuYkVUOWNuZDc1ck9OSkZBb0dCQU0wQm0xZFFONW13TU5HMWhQSmkKSWNtc212QTYzbEE2eUtTMnBxbndXemNqb2NScnNWZ1hzZzJEdk1xb2hhU21RWUxUazE4OVFNbnkxa1RZY1J3SwowcG1RVG5Rbkp2OWYvek1ndEJmRzM3akdnY2NiM1lHV01zdmh6TCtobWd2cVN2SHVYQWRENEZNdlhIRi9HYktjCmQycGI1cjlGc3kyQUJJekxVeVNsMU02SEFvR0FCQUxneHZYelhGaG92VFBZbTRsZlc4Y1JXWE5pNnB3cmdZZVoKRlgyS0N3bHVTa2RuZnRuSnUwY0lMdEZsakFlRHRiKzRueVluZ1lxT2NMd0RzVnh5YVNYTXNlQlVrL2ZsNXlJKwptV0JFeGdabzEzZ3gyYzJEQm5keWYrY1UwaVk5bEtsYTR1VTFGTTRLMjVkeXdrZVpubmRYYU9nY0lwdnZ5aTVsCmpiR1RFMDBDZ1lBVCtVTm9tcDhKbW01YXFDME1kc050OW13T0tMVnRDazFZei9YODVQbVNpU1p4eG11cThVNXUKYThvYUovTm1tTXBZc1JHOXB5NW1JZ0RXSDFicnlPWlA3YVB0T0lWWnBZSDc3cU1ySjR2RmJ6MkphQTFiMWlySgoyMkhkajFYRDdMdjJ1cXQ3UVVsYU5RY3VrSkZJSE94WVJOWUNobEpuSUVmMmU3MGpkbEN4TGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=", + "Store": "default" + } + ] + } +} diff --git a/test/config/letsencrypt/acme.json b/test/config/letsencrypt/acme.json new file mode 100644 index 00000000..244d058a --- /dev/null +++ b/test/config/letsencrypt/acme.json @@ -0,0 +1,31 @@ +{ + "le": { + "Account": { + "Email": "acme@admin.com", + "Registration": { + "body": { + "status": "valid", + "contact": [ + "mailto:acme@admin.com" + ] + }, + "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/0123456789" + }, + "PrivateKey": "YES", + "KeyType": "4096" + }, + "Certificates": [ + { + "domain": { + "main": "mail.my-domain.com", + "sans": [ + "mail2.my-domain.com" + ] + }, + "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZHVENDQkFHZ0F3SUJBZ0lTQTUwamo2QS9pbEV4TWxhNDFQd1NlanlCTUEwR0NTcUdTSWIzRFFFQkN3VUEKTUVveEN6QUpCZ05WQkFZVEFsVlRNUll3RkFZRFZRUUtFdzFNWlhRbmN5QkZibU55ZVhCME1TTXdJUVlEVlFRRApFeHBNWlhRbmN5QkZibU55ZVhCMElFRjFkR2h2Y21sMGVTQllNekFlRncweE5qQTBNVGt4T1RBMU1EQmFGdzB4Ck5qQTNNVGd4T1RBMU1EQmFNQlV4RXpBUkJnTlZCQU1UQ21sbWRYTnBieTVqYjIwd2dnRWlNQTBHQ1NxR1NJYjMKRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDY0NsZitQZWUxRUl0ZG5qYWdPVVF1d0E0U0xMaUtDZjVUKzJFYwpCUG53TUdLdERiL1RCV2M4S0VIUUd4WUNkdGFtRmNpVCtPWFVsSkdqUEdFbmE0REFLQU5pNW5qbXErVFFGYjdKCmlwQTdwZlE0ZnAvMk9xRzNlNlN3TnZXdXJKbEhJaWdpTGUxbGJjKzdydC81aG9uN0p3bjI2MHgvWGFQSFhSa1UKQWl5NUZTRFZlWG5uQ0w1UU91NXNybkhyZFRsV3BFbno5V1V2WUNqM0RNUjM4Z3hvam5tcGo0OGFNUlJ0ckJBTwpObHhUOVRzc0hvS3ZEWEkxYkViZWIydHBtQy8ra1JQdXNJdWtpdWNjM0ZvOVIvc0hYakZrRDdtSzJVTWIwVUxFCkJHMkQ0d3dFSU5VU0czQjN3c3UwZXl3QWxrcFgxVWNGemRGVHRzalU3VjJhMDZqQkFnTUJBQUdqZ2dJc01JSUMKS0RBT0JnTlZIUThCQWY4RUJBTUNCYUF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQwpNQXdHQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZPS3FSbktUZDJhZFdEK1NuZFNaVkZQc0xWSmtNQjhHCkExVWRJd1FZTUJhQUZLaEthbU1FZmQyNjV0RTV0NlpGWmUvenFPeWhNSEFHQ0NzR0FRVUZCd0VCQkdRd1lqQXYKQmdnckJnRUZCUWN3QVlZamFIUjBjRG92TDI5amMzQXVhVzUwTFhnekxteGxkSE5sYm1OeWVYQjBMbTl5Wnk4dwpMd1lJS3dZQkJRVUhNQUtHSTJoMGRIQTZMeTlqWlhKMExtbHVkQzE0TXk1c1pYUnpaVzVqY25sd2RDNXZjbWN2Ck1EWUdBMVVkRVFRdk1DMkNDbWxtZFhOcGJ5NWpiMjJDRDIxaGFXd3VhV1oxYzJsdkxtTnZiWUlPZDNkM0xtbG0KZFhOcGJ5NWpiMjB3Z2Y0R0ExVWRJQVNCOWpDQjh6QUlCZ1puZ1F3QkFnRXdnZVlHQ3lzR0FRUUJndDhUQVFFQgpNSUhXTUNZR0NDc0dBUVVGQndJQkZocG9kSFJ3T2k4dlkzQnpMbXhsZEhObGJtTnllWEIwTG05eVp6Q0Jxd1lJCkt3WUJCUVVIQWdJd2daNE1nWnRVYUdseklFTmxjblJwWm1sallYUmxJRzFoZVNCdmJteDVJR0psSUhKbGJHbGwKWkNCMWNHOXVJR0o1SUZKbGJIbHBibWNnVUdGeWRHbGxjeUJoYm1RZ2IyNXNlU0JwYmlCaFkyTnZjbVJoYm1ObApJSGRwZEdnZ2RHaGxJRU5sY25ScFptbGpZWFJsSUZCdmJHbGplU0JtYjNWdVpDQmhkQ0JvZEhSd2N6b3ZMMnhsCmRITmxibU55ZVhCMExtOXlaeTl5WlhCdmMybDBiM0o1THpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWd6ZjkKRFZDZFZ0S3ZsbUdlVDJwdUhVNVVMZjN0L0pENk5MM29jdUJNc0RRUE9IeGE2a2t5ZDZ4cWRCQWVsTlNmRVl2KwpCVmZRcDZXb3gySUdyd2ZxcXZOTnpQR1RITHhTcEs5NEdrMGVlZzdZaGN4am9Pcnl2NEZnb3dRT2F4NUowT1NTCldJZEFGVnlrUHM4N1dLeUhOWThXMXpsZS9ZZTl5alM2YmpIZGpxbk9pRy83cURRL0REWUduN0lMSEFIbVVaWXkKMVFRMEVkZmZOa0xwa21DblRub3RnQlVwcW1EdDdwTU5aUnVZRlRRcTYzMWloZTdqUlhqU2tnV1M3dFRmVVQxNQpTZXNVSW8xTmJqQ0ptQmNlRmQyYy9zcmdWbGJXYzJMWHQ3UWY1eXhXSnloVDE2ci9NN29rMGJ0SDI1RDVhemsyClRLZG5xL1FGaEhXVlpVcjNoZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVrakNDQTNxZ0F3SUJBZ0lRQ2dGQlFnQUFBVk9GYzJvTGhleW5DREFOQmdrcWhraUc5dzBCQVFzRkFEQS8KTVNRd0lnWURWUVFLRXh0RWFXZHBkR0ZzSUZOcFoyNWhkSFZ5WlNCVWNuVnpkQ0JEYnk0eEZ6QVZCZ05WQkFNVApEa1JUVkNCU2IyOTBJRU5CSUZnek1CNFhEVEUyTURNeE56RTJOREEwTmxvWERUSXhNRE14TnpFMk5EQTBObG93ClNqRUxNQWtHQTFVRUJoTUNWVk14RmpBVUJnTlZCQW9URFV4bGRDZHpJRVZ1WTNKNWNIUXhJekFoQmdOVkJBTVQKR2t4bGRDZHpJRVZ1WTNKNWNIUWdRWFYwYUc5eWFYUjVJRmd6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQwpBUThBTUlJQkNnS0NBUUVBbk5NTThGcmxMa2UzY2wwM2c3Tm9ZekRxMXpVbUdTWGh2YjQxOFhDU0w3ZTRTMEVGCnE2bWVOUWhZN0xFcXhHaUhDNlBqZGVUbTg2ZGljYnA1Z1dBZjE1R2FuL1BRZUdkeHlHa09sWkhQL3VhWjZXQTgKU014K3lrMTNFaVNkUnh0YTY3bnNIamNBSEp5c2U2Y0Y2czVLNjcxQjVUYVl1Y3Y5YlR5V2FOOGpLa0tRRElaMApaOGgvcFpxNFVtRVVFejlsNllLSHk5djZEbGIyaG9uemhUK1hocSt3M0JydmF3MlZGbjNFSzZCbHNwa0VObldBCmE2eEs4eHVRU1hndm9wWlBLaUFsS1FUR2RNRFFNYzJQTVRpVkZycW9NN2hEOGJFZnd6Qi9vbmt4RXowdE52amoKL1BJemFyazVNY1d2eEkwTkhXUVdNNnI2aENtMjFBdkEySDNEa3dJREFRQUJvNElCZlRDQ0FYa3dFZ1lEVlIwVApBUUgvQkFnd0JnRUIvd0lCQURBT0JnTlZIUThCQWY4RUJBTUNBWVl3ZndZSUt3WUJCUVVIQVFFRWN6QnhNRElHCkNDc0dBUVVGQnpBQmhpWm9kSFJ3T2k4dmFYTnlaeTUwY25WemRHbGtMbTlqYzNBdWFXUmxiblJ5ZFhOMExtTnYKYlRBN0JnZ3JCZ0VGQlFjd0FvWXZhSFIwY0RvdkwyRndjSE11YVdSbGJuUnlkWE4wTG1OdmJTOXliMjkwY3k5awpjM1J5YjI5MFkyRjRNeTV3TjJNd0h3WURWUjBqQkJnd0ZvQVV4S2V4cEhzc2NmcmI0VXVRZGYvRUZXQ0ZpUkF3ClZBWURWUjBnQkUwd1N6QUlCZ1puZ1F3QkFnRXdQd1lMS3dZQkJBR0MzeE1CQVFFd01EQXVCZ2dyQmdFRkJRY0MKQVJZaWFIUjBjRG92TDJOd2N5NXliMjkwTFhneExteGxkSE5sYm1OeWVYQjBMbTl5WnpBOEJnTlZIUjhFTlRBegpNREdnTDZBdGhpdG9kSFJ3T2k4dlkzSnNMbWxrWlc1MGNuVnpkQzVqYjIwdlJGTlVVazlQVkVOQldETkRVa3d1ClkzSnNNQjBHQTFVZERnUVdCQlNvU21wakJIM2R1dWJST2JlbVJXWHY4Nmpzb1RBTkJna3Foa2lHOXcwQkFRc0YKQUFPQ0FRRUEzVFBYRWZOaldEamRHQlg3Q1ZXK2RsYTVjRWlsYVVjbmU4SWtDSkx4V2g5S0VpazNKSFJSSEdKbwp1TTJWY0dmbDk2UzhUaWhSelp2b3JvZWQ2dGk2V3FFQm10enczV29kYXRnK1Z5T2VwaDRFWXByLzF3WEt0eDgvCndBcEl2SlN3dG1WaTRNRlU1YU1xclNERTZlYTczTWoydGNNeW81ak1kNmptZVdVSEs4c28vam9XVW9IT1Vnd3UKWDRQbzFRWXorM2RzemtEcU1wNGZrbHhCd1hSc1cxMEtYelBNVForc09QQXZleXhpbmRtamtXOGxHeStRc1JsRwpQZlorRzZaNmg3bWplbTBZK2lXbGtZY1Y0UElXTDFpd0JpOHNhQ2JHUzVqTjJwOE0rWCtRN1VOS0VrUk9iM042CktPcWtxbTU3VEgySDNlREpBa1NuaDYvRE5GdTBRZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=", + "key": "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRQ2NDbGYrUGVlMUVJdGQKbmphZ09VUXV3QTRTTExpS0NmNVQrMkVjQlBud01HS3REYi9UQldjOEtFSFFHeFlDZHRhbUZjaVQrT1hVbEpHagpQR0VuYTREQUtBTmk1bmptcStUUUZiN0ppcEE3cGZRNGZwLzJPcUczZTZTd052V3VySmxISWlnaUxlMWxiYys3CnJ0LzVob243SnduMjYweC9YYVBIWFJrVUFpeTVGU0RWZVhubkNMNVFPdTVzcm5IcmRUbFdwRW56OVdVdllDajMKRE1SMzhneG9qbm1wajQ4YU1SUnRyQkFPTmx4VDlUc3NIb0t2RFhJMWJFYmViMnRwbUMvK2tSUHVzSXVraXVjYwozRm85Ui9zSFhqRmtEN21LMlVNYjBVTEVCRzJENHd3RUlOVVNHM0Izd3N1MGV5d0Fsa3BYMVVjRnpkRlR0c2pVCjdWMmEwNmpCQWdNQkFBRUNnZ0VBTStjQTQ5RmxqQVdIeGNrRmRILzMzUEVHL1NhZzcxRnBwamVjVW55WlFqcGwKNkJnRnNVUS8xWE95aUcwcUFnSFRYZ1VxNVlWSnRVOEJybUU4RTZlZmVNc1diVVFwL05nNlVMaWE4R0RGbndHUgpYV1ZKQWRiNHlaWTM3bUVwa1VOWjdKNUE2VFdMbkV4Tlo2bEFXTGhXbHhLaUx0NlBZR0llUXdjRmUzRkp2UG4wCkdVU0ZZWFlMSnE5bElpclF2bDZsVnpsanBQNnF2RlFFcWE0ZGdXcUJPckMyL2pMNGFtS0s3MU4yM3NGbnowc1EKVXFqUDcyYzdOcis0eE1PaHNHZXRWMW1ZZ1BxQW9SNVczWFpScURQZVo2ZjBGSjdMNXhHNjlZSmVvN01yWGhLbApOOWtMaGJHUi9GSDNJSGRvN3RSYjJvR21IRExOSmY5ei9tQkVlclNXMFFLQmdRRFBIQ2M1OXRDd21GMVVWNGVWCmZoUm9xNFF5cDh3RjJJdEpUTWQxMkxKT1g2N2VOSnk2djkzQWh1YVBnS3Ava1JNdWw1WmpMOTBVVjFJU2wvbHoKZVl6Z3JlTXR0Q3RSaFp4VVN2Qm82dzMyTlNhY29pS2Nab2p5VGR5WlB1T2VBRzJSeE5IaCtuK05aN05qSVd2Rwo3eGxXOUhYUU9QaTh4bEhwRGZEcys3RWdYUUtCZ1FEQTRBSmxvcjIyZEV4R3VET0xsTzBldCtUVmhFcnFYRlNaCkN0Um13c0wrWFRlU0t5bmdaY3l1MVlueW9OT0E5dkd5T2syNkFXK1dWOU45VTZyd1ZzOENWY3plZTVlS1BaSk4KeFFaalVvK2ZlcDN4SUZ2QnBnbmFkZnJvZHhqRDhYTXBIY2IwSS9aUklDWktxSVZ2OXErRnpFWHFFK0hzZkQzQgprQmZaOEdaenRRS0JnRVZTZHc2L3ZqcGR4Vjlsck13czEwZnhvTjRUckFhSTVKWTBUTTcxS1RseWJXV1MxcUxyCmRaM3JpV0NmQUhLU2JJazcwK3AvS3RDVUtiUnZpZDlNNEFxVUtXWXkyQTBCVzhJYkV6MEs4REZvdVBQVWtTRW8KY000cG9aenBuK1pTM2xuY055UWNaSFZBTUpzTnBMV0Jja25ZcVZaNHUwajBXSlpaUkRzT1E4dEJBb0dCQUsycApCSDkraUZJL1pHNUliQ0RCZHI2eDFOaHF4UWsvR095elU0c3kwVjgxajFPTWlhZ0NBTWxxZTBwNmcvVWFZNFNWCittWC81UGo1R3ZNODRpeUQvTitkWVZqdzd3RUpiekdXdEttNUxKZnJUMHBNV0ZHRHJsdUUzdVZ3Vmx3V2lobjcKTmFlY3VhdFJ4eWh4azdPNzZVNFBIdVFrQXNkckZpK3lEY2V0TEpJQkFvR0JBSkhVTXR0S1E5L3NjNkVZZ2R5bQp1OGhNaS9XR3J0NWVPT0FKMTdsWTUzZVJaTGNpN3MxbWZzV0lGOWIwTjUwaUU2MFNhRkFEUWlNUkFVdGtKWE5JCmE1NXFkcGFsVkhzQUU0V3doN25sS0xrYURFYXJ0eDVYMXFTVEZ3NGZUTXlLTk92ZWlnZ1EvaTlMWnBGeHN6MjIKM1YrN2pQSmFDTnlQYm1PZXZYR2hCRWpyCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=", + "Store": "default" + } + ] + } +} diff --git a/test/config/letsencrypt/changed/cert.pem b/test/config/letsencrypt/changed/cert.pem new file mode 100644 index 00000000..aecb192c --- /dev/null +++ b/test/config/letsencrypt/changed/cert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5DCCAcygAwIBAgIJAN/+3LMQvnv1MA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV +BAMMB3Rlc3QtY2EwHhcNMjAwNjI5MjA1NTIxWhcNMjAwODI4MjA1NTIxWjAWMRQw +EgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAL5UNg7ybrXoCInmxQ+f38++sLEcgG6P0X+faH11Bw47Vt+mf1vltIh7ojO8 +DeXqFxsGL3S/YqyuXX0TGIOh/csjnvv1GEL1Ux0YCsyFkvflb8NuSKW52T0dnUqF +ZFwldykCwHnQxmwYZxnZjVF2YOr/KmGZvO5dxSTs/qDuU0cp3FD4z2CBELLmzixv +fO2Lgk1Yn/H9mNLNSKQaiSeCxId5CzNIlmUIfnL0tuc3n2fNigjuPKOV2H/7NVTT +TriuP384bx9WTLfX29cn+Ho4hKBaq2t1Wmz+jsWi1gya1KrLAM4zzQHI+u6r3+jS +3PsRVs1csyO2NCXqVo/bxqe38+sCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8E +BAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEB +CwUAA4IBAQAkmHHTaZ8hiStoA/XYjGXkHT5DBjjOhRm3mmdCF+xhbUcj/frwBYn0 +apAGfNSGq+PJTgVdsZUAC+sOfxRme3FjU5gAekeIDjOQMd1VbdmcIWtnJ+Ttz94F +Qm5V7Df8kVkcqE6UvvXyX3YEFj2/fwb4hxyyl/fAWl5acWTLNA2mOKm/fMhKez+h +3VGhKQ5ZGS0Qt+Lea3o7LWs5dH5LhSvs3Fe9PSddxa0Nbtr4sfgfOIQJgo2mCvch +u5zFq7nvDqdsmdZwYMIcinpPWJgEoQLJWU/gWL2Ya+5kJ137smPcYX7jDSyBHlkQ +oAYOB65YnoWxVuQtKqHW6f8nqD1nwEBn +-----END CERTIFICATE----- diff --git a/test/config/letsencrypt/changed/fullchain.pem b/test/config/letsencrypt/changed/fullchain.pem new file mode 100644 index 00000000..ee19d130 --- /dev/null +++ b/test/config/letsencrypt/changed/fullchain.pem @@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIC5DCCAcygAwIBAgIJAN/+3LMQvnv1MA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV +BAMMB3Rlc3QtY2EwHhcNMjAwNjI5MjA1NTIxWhcNMjAwODI4MjA1NTIxWjAWMRQw +EgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAL5UNg7ybrXoCInmxQ+f38++sLEcgG6P0X+faH11Bw47Vt+mf1vltIh7ojO8 +DeXqFxsGL3S/YqyuXX0TGIOh/csjnvv1GEL1Ux0YCsyFkvflb8NuSKW52T0dnUqF +ZFwldykCwHnQxmwYZxnZjVF2YOr/KmGZvO5dxSTs/qDuU0cp3FD4z2CBELLmzixv +fO2Lgk1Yn/H9mNLNSKQaiSeCxId5CzNIlmUIfnL0tuc3n2fNigjuPKOV2H/7NVTT +TriuP384bx9WTLfX29cn+Ho4hKBaq2t1Wmz+jsWi1gya1KrLAM4zzQHI+u6r3+jS +3PsRVs1csyO2NCXqVo/bxqe38+sCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8E +BAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEB +CwUAA4IBAQAkmHHTaZ8hiStoA/XYjGXkHT5DBjjOhRm3mmdCF+xhbUcj/frwBYn0 +apAGfNSGq+PJTgVdsZUAC+sOfxRme3FjU5gAekeIDjOQMd1VbdmcIWtnJ+Ttz94F +Qm5V7Df8kVkcqE6UvvXyX3YEFj2/fwb4hxyyl/fAWl5acWTLNA2mOKm/fMhKez+h +3VGhKQ5ZGS0Qt+Lea3o7LWs5dH5LhSvs3Fe9PSddxa0Nbtr4sfgfOIQJgo2mCvch +u5zFq7nvDqdsmdZwYMIcinpPWJgEoQLJWU/gWL2Ya+5kJ137smPcYX7jDSyBHlkQ +oAYOB65YnoWxVuQtKqHW6f8nqD1nwEBn +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC9zCCAd+gAwIBAgIJAP/41asK+I3BMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV +BAMMB3Rlc3QtY2EwHhcNMjAwNjI5MjA1NTIxWhcNMjAwODI4MjA1NTIxWjASMRAw +DgYDVQQDDAd0ZXN0LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +kzlOF3Q8wt6G8M8Cg+/UADlkbOUnBlbCwlRnqSrvrX7BRc37R1Y+KzsMmGgkPkvE +czZuWbOQU8ghnQJwSHT/AK1g5jMc7mZLSkE+uVMor4+4Vgt4kKvfktzcCJOfo/qL +XV2ePRgVlHj+peilqHMM8P03VPx6kq7oZE1pBlh4QyLz7DYcP6AD3Bq/HSM5hmvP +iHbCHy6yf+QsuBqaWCec1ygc9GPnyDXQoDRAwlcA0aVSSosc6HeVQoDBPTzZUriM +riqPK3YT4LGEH6nTx3RUtjuG8ZdGzpguw9/y0tcct777WLFIeuBQkmZiMG3Xeivu +TbfHCbqJCO53fsbK0CrzEQIDAQABo1AwTjAdBgNVHQ4EFgQUxo6NXRi39QxJnZZD +vbxco+m2U7YwHwYDVR0jBBgwFoAUxo6NXRi39QxJnZZDvbxco+m2U7YwDAYDVR0T +BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOBKMG2aaZ+f2Gazdtq7+IlRM3YFv +inF5uaZ3bqC+pKDb1wZJLzWgHVgNSGXetHPKa9QpyQqEe/bYMK7avJo//Fmhg0+3 +SwI2g9BoIPBd4jIBY41h/zryTY4PLx/NqapWR4/3nDPJ3SSMHZ4JgP8GTXlzmF6j +4UgwRrLFQd0ZZYNDRo8bZeUEqX70k0EqY9QxBjJgUzVyWYjP+/SeXABJyPv7lzRN +nvKj3F91eNfqf8Y+WddvB8jn3LXok4SiFzxESfJ3nVOgwp8SPhhTShbXQaj48Fx8 +o6TGM9utPtN9qINwvqyrK4lUwKj6YLyTkV10oVgtJYhyyHVVl7Jhc8UIMw== +-----END CERTIFICATE----- diff --git a/test/config/letsencrypt/changed/key.pem b/test/config/letsencrypt/changed/key.pem new file mode 100644 index 00000000..727fcf31 --- /dev/null +++ b/test/config/letsencrypt/changed/key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvlQ2DvJutegIiebFD5/fz76wsRyAbo/Rf59ofXUHDjtW36Z/ +W+W0iHuiM7wN5eoXGwYvdL9irK5dfRMYg6H9yyOe+/UYQvVTHRgKzIWS9+Vvw25I +pbnZPR2dSoVkXCV3KQLAedDGbBhnGdmNUXZg6v8qYZm87l3FJOz+oO5TRyncUPjP +YIEQsubOLG987YuCTVif8f2Y0s1IpBqJJ4LEh3kLM0iWZQh+cvS25zefZ82KCO48 +o5XYf/s1VNNOuK4/fzhvH1ZMt9fb1yf4ejiEoFqra3VabP6OxaLWDJrUqssAzjPN +Acj67qvf6NLc+xFWzVyzI7Y0JepWj9vGp7fz6wIDAQABAoIBAQCufh4hjfoaI+TQ +KRY5wOU8XSM4/VxyAMCdNNRjUMtrLNP0r3zMD8h36IFI1PwY8YjFaeJQMraQgjuL +09oBtJ4tgzba4FWh7bCJV+VupHeddmgE0DMiXUThVylBjRH5uQ+KNc+o3tNLfwPn +GyEIsnMgf1enq38fOjDoLa80c8s9zXhHtZx9JQzDUbQr+DNTS0RLP52MI/pXGC+g +T225sVV39uqQFccHECacLDbYe5EhzRi2PNA98fHtO/lAP9jjvQiMccr0KjjzEHlS +loFs1/y/vCAo/kThqhKL/0T3qdiG+YNsne+Thy2xx5W37YMGIte9f+5ymTmb+lgb +fU6/i2thAoGBAPO6Urt50h3vJ2m/+MFCkokca195k9sYO1RMkTYHPZ5n4+nTu32o +RDKu/KwOgly9cp00Qn8XIcDi7Mut8MK7RGv1WyZVlbX1+L31FT+c/N96rHBa5SHI +nhdTLBLPTmb6OOPSWXEHl00vsltAlutIrufjzowEtgptOhYO8a608ihvAoGBAMfp +kiu/0bl7cQgYfgfIfyc2iMOZSDlyTEE8qfhVkSV4X7l3rqy7yCP4G51pZCWVp9zY +8S3mbiC3xXV6iO5PxehKVfvqrIqz2zZX8SF1a1L3zDFCpE6GfPpyRMn+Ma//8oxZ +dptezZTB1RmP7zRwHTbkIxcSsnbET9cnd75rONJFAoGBAM0Bm1dQN5mwMNG1hPJi +IcmsmvA63lA6yKS2pqnwWzcjocRrsVgXsg2DvMqohaSmQYLTk189QMny1kTYcRwK +0pmQTnQnJv9f/zMgtBfG37jGgccb3YGWMsvhzL+hmgvqSvHuXAdD4FMvXHF/GbKc +d2pb5r9Fsy2ABIzLUySl1M6HAoGABALgxvXzXFhovTPYm4lfW8cRWXNi6pwrgYeZ +FX2KCwluSkdnftnJu0cILtFljAeDtb+4nyYngYqOcLwDsVxyaSXMseBUk/fl5yI+ +mWBExgZo13gx2c2DBndyf+cU0iY9lKla4uU1FM4K25dywkeZnndXaOgcIpvvyi5l +jbGTE00CgYAT+UNomp8Jmm5aqC0MdsNt9mwOKLVtCk1Yz/X85PmSiSZxxmuq8U5u +a8oaJ/NmmMpYsRG9py5mIgDWH1bryOZP7aPtOIVZpYH77qMrJ4vFbz2JaA1b1irJ +22Hdj1XD7Lv2uqt7QUlaNQcukJFIHOxYRNYChlJnIEf2e70jdlCxLg== +-----END RSA PRIVATE KEY----- diff --git a/test/mail_ssl_letsencrypt.bats b/test/mail_ssl_letsencrypt.bats index 01c7a742..1f67d45d 100644 --- a/test/mail_ssl_letsencrypt.bats +++ b/test/mail_ssl_letsencrypt.bats @@ -26,11 +26,24 @@ function setup_file() { -e SSL_TYPE=letsencrypt \ -h mail.my-domain.com -t ${NAME} wait_for_finished_setup_in_container mail_lets_hostname + + cp "`pwd`/test/config/letsencrypt/acme.json" "`pwd`/test/config/acme.json" + docker run -d --name mail_lets_acme_json \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/config/acme.json":/etc/letsencrypt/acme.json:ro \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e DMS_DEBUG=0 \ + -e SSL_TYPE=letsencrypt \ + -h mail.my-domain.com -t ${NAME} + + wait_for_finished_setup_in_container mail_lets_acme_json } function teardown_file() { docker rm -f mail_lets_domain docker rm -f mail_lets_hostname + docker rm -f mail_lets_acme_json + rm "`pwd`/test/config/acme.json" } # this test must come first to reliably identify when to run setup_file @@ -78,6 +91,44 @@ function teardown_file() { assert_success } +# +# acme.json updates +# + +@test "checking changedetector: server is ready" { + run docker exec mail_lets_acme_json /bin/bash -c "ps aux | grep '/bin/bash /usr/local/bin/check-for-changes.sh'" + assert_success +} + +@test "can extract certs from acme.json" { + run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/key.pem" + assert_output "$(cat "`pwd`/test/config/letsencrypt/mail.my-domain.com/privkey.pem")" + assert_success + + run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/fullchain.pem" + assert_output "$(cat "`pwd`/test/config/letsencrypt/mail.my-domain.com/fullchain.pem")" + assert_success +} + +@test "can detect changes" { + cp "`pwd`/test/config/letsencrypt/acme-changed.json" "`pwd`/test/config/acme.json" + sleep 11 + run docker exec mail_lets_acme_json /bin/bash -c "supervisorctl tail changedetector" + assert_output --partial "Cert found in /etc/letsencrypt/acme.json for mail.my-domain.com" + assert_output --partial "postfix: stopped" + assert_output --partial "postfix: started" + assert_output --partial "Update checksum" + + run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/key.pem" + assert_output "$(cat "`pwd`/test/config/letsencrypt/changed/key.pem")" + assert_success + + run docker exec mail_lets_acme_json /bin/bash -c "cat /etc/letsencrypt/live/mail.my-domain.com/fullchain.pem" + assert_output "$(cat "`pwd`/test/config/letsencrypt/changed/fullchain.pem")" + assert_success +} + + # this test is only there to reliably mark the end for the teardown_file @test "last" { skip 'Finished testing of letsencrypt SSL' From 3a3cec6a8ffb80c430bb4819fef3d1943b3cbc30 Mon Sep 17 00:00:00 2001 From: Michael Sprauer Date: Tue, 7 Jul 2020 21:26:53 +0200 Subject: [PATCH 3/6] trigger reload if cert change /etc/letsencrypt/live/$HOSTNAME/key.pem and /etc/letsencrypt/live/$HOSTNAME/fullchain.pem are watched and will trigger a reload if changed --- target/check-for-changes.sh | 2 +- target/start-mailserver.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/target/check-for-changes.sh b/target/check-for-changes.sh index da3e0607..e72243d0 100755 --- a/target/check-for-changes.sh +++ b/target/check-for-changes.sh @@ -34,7 +34,7 @@ echo "${log_date} Using postmaster address ${PM_ADDRESS}" # Create an array of files to monitor, must be the same as in start-mailserver.sh declare -a cf_files=() -for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf /etc/letsencrypt/acme.json; do +for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf /etc/letsencrypt/acme.json "/etc/letsencrypt/live/$HOSTNAME/key.pem" "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem"; do [ -f "$file" ] && cf_files+=("$file") done diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 932b00b1..e674361c 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -505,7 +505,7 @@ function _setup_chksum_file() { pushd /tmp/docker-mailserver declare -a cf_files=() - for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf /etc/letsencrypt/acme.json; do + for file in postfix-accounts.cf postfix-virtual.cf postfix-aliases.cf dovecot-quotas.cf /etc/letsencrypt/acme.json "/etc/letsencrypt/live/$HOSTNAME/key.pem" "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem"; do [ -f "$file" ] && cf_files+=("$file") done From d61a8cd9c034192caa026015a652ca12c7131916 Mon Sep 17 00:00:00 2001 From: Michael Sprauer Date: Tue, 7 Jul 2020 21:30:40 +0200 Subject: [PATCH 4/6] letsencrypt & traefik wildcard support set SSL_DOMAIN=*.example.com to extract a wildcard certificate from traefiks acme.json store --- target/check-for-changes.sh | 6 +++++- test/config/dovecot-lmtp/conf.d/10-auth.conf | 4 ++-- test/config/dovecot-lmtp/conf.d/10-ssl.conf | 2 +- test/config/dovecot-lmtp/conf.d/15-lda.conf | 4 ++-- test/config/dovecot-lmtp/conf.d/90-quota.conf | 4 ++-- test/config/dovecot-lmtp/local.conf | 1 + test/config/letsencrypt/acme-changed.json | 6 ++---- test/config/user-patches/user-patches.sh | 0 test/mail_ssl_letsencrypt.bats | 3 ++- 9 files changed, 17 insertions(+), 13 deletions(-) mode change 100644 => 100755 test/config/user-patches/user-patches.sh diff --git a/target/check-for-changes.sh b/target/check-for-changes.sh index e72243d0..40793d47 100755 --- a/target/check-for-changes.sh +++ b/target/check-for-changes.sh @@ -64,7 +64,11 @@ if [[ $chksum == *"FAIL"* ]]; then flock -e 200 if [[ $chksum == *"/etc/letsencrypt/acme.json: FAILED"* ]]; then - (extractCertsFromAcmeJson "$HOSTNAME" || extractCertsFromAcmeJson "$DOMAINNAME") + for certdomain in $SSL_DOMAIN $HOSTNAME $DOMAINNAME; do + if extractCertsFromAcmeJson "$certdomain"; then + break + fi + done fi #regen postix aliases. diff --git a/test/config/dovecot-lmtp/conf.d/10-auth.conf b/test/config/dovecot-lmtp/conf.d/10-auth.conf index fd51326d..8f88d178 100644 --- a/test/config/dovecot-lmtp/conf.d/10-auth.conf +++ b/test/config/dovecot-lmtp/conf.d/10-auth.conf @@ -7,7 +7,7 @@ # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. # See also ssl=required setting. -#disable_plaintext_auth = yes +disable_plaintext_auth = no # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. @@ -121,7 +121,7 @@ auth_mechanisms = plain login #!include auth-system.conf.ext #!include auth-sql.conf.ext -######!include auth-ldap.conf.ext +#######!include auth-ldap.conf.ext !include auth-passwdfile.inc #!include auth-checkpassword.conf.ext #!include auth-vpopmail.conf.ext diff --git a/test/config/dovecot-lmtp/conf.d/10-ssl.conf b/test/config/dovecot-lmtp/conf.d/10-ssl.conf index f4d5884f..cacdcfea 100644 --- a/test/config/dovecot-lmtp/conf.d/10-ssl.conf +++ b/test/config/dovecot-lmtp/conf.d/10-ssl.conf @@ -3,7 +3,7 @@ ## # SSL/TLS support: yes, no, required. -ssl = required +ssl = yes # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but diff --git a/test/config/dovecot-lmtp/conf.d/15-lda.conf b/test/config/dovecot-lmtp/conf.d/15-lda.conf index 5f060985..3cbd4528 100644 --- a/test/config/dovecot-lmtp/conf.d/15-lda.conf +++ b/test/config/dovecot-lmtp/conf.d/15-lda.conf @@ -4,11 +4,11 @@ # Address to use when sending rejection mails. # Default is postmaster@. %d expands to recipient domain. -postmaster_address = postmaster@domain.com +postmaster_address = postmaster@my-domain.com # Hostname to use in various parts of sent mails (e.g. in Message-Id) and # in LMTP replies. Default is the system's real hostname@domain. -#hostname = +hostname = mail.my-domain.com # If user is over quota, return with temporary failure instead of # bouncing the mail. diff --git a/test/config/dovecot-lmtp/conf.d/90-quota.conf b/test/config/dovecot-lmtp/conf.d/90-quota.conf index db1f7188..9db935fb 100644 --- a/test/config/dovecot-lmtp/conf.d/90-quota.conf +++ b/test/config/dovecot-lmtp/conf.d/90-quota.conf @@ -15,7 +15,7 @@ # to give additional 100 MB when saving to Trash: plugin { - #quota_rule = *:storage=1G + #quota_rule = *:storage=0 #quota_rule2 = Trash:storage=+100M # LDA/LMTP allows saving the last mail to bring user from under quota to @@ -75,6 +75,6 @@ plugin { plugin { #quota = dict:user::proxy::quota #quota2 = dict:domain:%d:proxy::quota_domain - #quota_rule = *:storage=102400 + #quota_rule = *:storage=0 #quota2_rule = *:storage=1048576 } diff --git a/test/config/dovecot-lmtp/local.conf b/test/config/dovecot-lmtp/local.conf index 35279f28..47e76619 100644 --- a/test/config/dovecot-lmtp/local.conf +++ b/test/config/dovecot-lmtp/local.conf @@ -1 +1,2 @@ mail_max_userip_connections = 69 +recipient_delimiter = ~ diff --git a/test/config/letsencrypt/acme-changed.json b/test/config/letsencrypt/acme-changed.json index 0e05482a..a48ca25f 100644 --- a/test/config/letsencrypt/acme-changed.json +++ b/test/config/letsencrypt/acme-changed.json @@ -17,10 +17,8 @@ "Certificates": [ { "domain": { - "main": "mail.my-domain.com", - "sans": [ - "mail2.my-domain.com" - ] + "main": "example.com", + "sans": ["*.example.com"] }, "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1RENDQWN5Z0F3SUJBZ0lKQU4vKzNMTVF2bnYxTUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3TmpJNU1qQTFOVEl4V2hjTk1qQXdPREk0TWpBMU5USXhXakFXTVJRdwpFZ1lEVlFRRERBdGxlR0Z0Y0d4bExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DCmdnRUJBTDVVTmc3eWJyWG9DSW5teFErZjM4KytzTEVjZ0c2UDBYK2ZhSDExQnc0N1Z0K21mMXZsdEloN29qTzgKRGVYcUZ4c0dMM1MvWXF5dVhYMFRHSU9oL2Nzam52djFHRUwxVXgwWUNzeUZrdmZsYjhOdVNLVzUyVDBkblVxRgpaRndsZHlrQ3dIblF4bXdZWnhuWmpWRjJZT3IvS21HWnZPNWR4U1RzL3FEdVUwY3AzRkQ0ejJDQkVMTG16aXh2CmZPMkxnazFZbi9IOW1OTE5TS1FhaVNlQ3hJZDVDek5JbG1VSWZuTDB0dWMzbjJmTmlnanVQS09WMkgvN05WVFQKVHJpdVAzODRieDlXVExmWDI5Y24rSG80aEtCYXEydDFXbXoranNXaTFneWExS3JMQU00enpRSEkrdTZyMytqUwozUHNSVnMxY3N5TzJOQ1hxVm8vYnhxZTM4K3NDQXdFQUFhTTVNRGN3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFCkJBTUNCZUF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdJR0NDc0dBUVVGQndNQk1BMEdDU3FHU0liM0RRRUIKQ3dVQUE0SUJBUUFrbUhIVGFaOGhpU3RvQS9YWWpHWGtIVDVEQmpqT2hSbTNtbWRDRit4aGJVY2ovZnJ3QlluMAphcEFHZk5TR3ErUEpUZ1Zkc1pVQUMrc09meFJtZTNGalU1Z0Fla2VJRGpPUU1kMVZiZG1jSVd0bkorVHR6OTRGClFtNVY3RGY4a1ZrY3FFNlV2dlh5WDNZRUZqMi9md2I0aHh5eWwvZkFXbDVhY1dUTE5BMm1PS20vZk1oS2V6K2gKM1ZHaEtRNVpHUzBRdCtMZWEzbzdMV3M1ZEg1TGhTdnMzRmU5UFNkZHhhME5idHI0c2ZnZk9JUUpnbzJtQ3ZjaAp1NXpGcTdudkRxZHNtZFp3WU1JY2lucFBXSmdFb1FMSldVL2dXTDJZYSs1a0oxMzdzbVBjWVg3akRTeUJIbGtRCm9BWU9CNjVZbm9XeFZ1UXRLcUhXNmY4bnFEMW53RUJuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5ekNDQWQrZ0F3SUJBZ0lKQVAvNDFhc0srSTNCTUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3TmpJNU1qQTFOVEl4V2hjTk1qQXdPREk0TWpBMU5USXhXakFTTVJBdwpEZ1lEVlFRRERBZDBaWE4wTFdOaE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCmt6bE9GM1E4d3Q2RzhNOENnKy9VQURsa2JPVW5CbGJDd2xSbnFTcnZyWDdCUmMzN1IxWStLenNNbUdna1BrdkUKY3padVdiT1FVOGdoblFKd1NIVC9BSzFnNWpNYzdtWkxTa0UrdVZNb3I0KzRWZ3Q0a0t2Zmt0emNDSk9mby9xTApYVjJlUFJnVmxIaitwZWlscUhNTThQMDNWUHg2a3E3b1pFMXBCbGg0UXlMejdEWWNQNkFEM0JxL0hTTTVobXZQCmlIYkNIeTZ5ZitRc3VCcWFXQ2VjMXlnYzlHUG55RFhRb0RSQXdsY0EwYVZTU29zYzZIZVZRb0RCUFR6WlVyaU0KcmlxUEszWVQ0TEdFSDZuVHgzUlV0anVHOFpkR3pwZ3V3OS95MHRjY3Q3NzdXTEZJZXVCUWttWmlNRzNYZWl2dQpUYmZIQ2JxSkNPNTNmc2JLMENyekVRSURBUUFCbzFBd1RqQWRCZ05WSFE0RUZnUVV4bzZOWFJpMzlReEpuWlpECnZieGNvK20yVTdZd0h3WURWUjBqQkJnd0ZvQVV4bzZOWFJpMzlReEpuWlpEdmJ4Y28rbTJVN1l3REFZRFZSMFQKQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBT0JLTUcyYWFaK2YyR2F6ZHRxNytJbFJNM1lGdgppbkY1dWFaM2JxQytwS0RiMXdaSkx6V2dIVmdOU0dYZXRIUEthOVFweVFxRWUvYllNSzdhdkpvLy9GbWhnMCszClN3STJnOUJvSVBCZDRqSUJZNDFoL3pyeVRZNFBMeC9OcWFwV1I0LzNuRFBKM1NTTUhaNEpnUDhHVFhsem1GNmoKNFVnd1JyTEZRZDBaWllORFJvOGJaZVVFcVg3MGswRXFZOVF4QmpKZ1V6VnlXWWpQKy9TZVhBQkp5UHY3bHpSTgpudktqM0Y5MWVOZnFmOFkrV2RkdkI4am4zTFhvazRTaUZ6eEVTZkozblZPZ3dwOFNQaGhUU2hiWFFhajQ4Rng4Cm82VEdNOXV0UHROOXFJTnd2cXlySzRsVXdLajZZTHlUa1YxMG9WZ3RKWWh5eUhWVmw3SmhjOFVJTXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==", "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdmxRMkR2SnV0ZWdJaWViRkQ1L2Z6NzZ3c1J5QWJvL1JmNTlvZlhVSERqdFczNlovClcrVzBpSHVpTTd3TjVlb1hHd1l2ZEw5aXJLNWRmUk1ZZzZIOXl5T2UrL1VZUXZWVEhSZ0t6SVdTOStWdncyNUkKcGJuWlBSMmRTb1ZrWENWM0tRTEFlZERHYkJobkdkbU5VWFpnNnY4cVlabTg3bDNGSk96K29PNVRSeW5jVVBqUApZSUVRc3ViT0xHOTg3WXVDVFZpZjhmMlkwczFJcEJxSko0TEVoM2tMTTBpV1pRaCtjdlMyNXplZlo4MktDTzQ4Cm81WFlmL3MxVk5OT3VLNC9memh2SDFaTXQ5ZmIxeWY0ZWppRW9GcXJhM1ZhYlA2T3hhTFdESnJVcXNzQXpqUE4KQWNqNjdxdmY2TkxjK3hGV3pWeXpJN1kwSmVwV2o5dkdwN2Z6NndJREFRQUJBb0lCQVFDdWZoNGhqZm9hSStUUQpLUlk1d09VOFhTTTQvVnh5QU1DZE5OUmpVTXRyTE5QMHIzek1EOGgzNklGSTFQd1k4WWpGYWVKUU1yYVFnanVMCjA5b0J0SjR0Z3piYTRGV2g3YkNKVitWdXBIZWRkbWdFMERNaVhVVGhWeWxCalJINXVRK0tOYytvM3ROTGZ3UG4KR3lFSXNuTWdmMWVucTM4Zk9qRG9MYTgwYzhzOXpYaEh0Wng5SlF6RFViUXIrRE5UUzBSTFA1Mk1JL3BYR0MrZwpUMjI1c1ZWMzl1cVFGY2NIRUNhY0xEYlllNUVoelJpMlBOQTk4Zkh0Ty9sQVA5amp2UWlNY2NyMEtqanpFSGxTCmxvRnMxL3kvdkNBby9rVGhxaEtMLzBUM3FkaUcrWU5zbmUrVGh5Mnh4NVczN1lNR0l0ZTlmKzV5bVRtYitsZ2IKZlU2L2kydGhBb0dCQVBPNlVydDUwaDN2SjJtLytNRkNrb2tjYTE5NWs5c1lPMVJNa1RZSFBaNW40K25UdTMybwpSREt1L0t3T2dseTljcDAwUW44WEljRGk3TXV0OE1LN1JHdjFXeVpWbGJYMStMMzFGVCtjL045NnJIQmE1U0hJCm5oZFRMQkxQVG1iNk9PUFNXWEVIbDAwdnNsdEFsdXRJcnVmanpvd0V0Z3B0T2hZTzhhNjA4aWh2QW9HQkFNZnAKa2l1LzBibDdjUWdZZmdmSWZ5YzJpTU9aU0RseVRFRThxZmhWa1NWNFg3bDNycXk3eUNQNEc1MXBaQ1dWcDl6WQo4UzNtYmlDM3hYVjZpTzVQeGVoS1ZmdnFySXF6MnpaWDhTRjFhMUwzekRGQ3BFNkdmUHB5Uk1uK01hLy84b3haCmRwdGV6WlRCMVJtUDd6UndIVGJrSXhjU3NuYkVUOWNuZDc1ck9OSkZBb0dCQU0wQm0xZFFONW13TU5HMWhQSmkKSWNtc212QTYzbEE2eUtTMnBxbndXemNqb2NScnNWZ1hzZzJEdk1xb2hhU21RWUxUazE4OVFNbnkxa1RZY1J3SwowcG1RVG5Rbkp2OWYvek1ndEJmRzM3akdnY2NiM1lHV01zdmh6TCtobWd2cVN2SHVYQWRENEZNdlhIRi9HYktjCmQycGI1cjlGc3kyQUJJekxVeVNsMU02SEFvR0FCQUxneHZYelhGaG92VFBZbTRsZlc4Y1JXWE5pNnB3cmdZZVoKRlgyS0N3bHVTa2RuZnRuSnUwY0lMdEZsakFlRHRiKzRueVluZ1lxT2NMd0RzVnh5YVNYTXNlQlVrL2ZsNXlJKwptV0JFeGdabzEzZ3gyYzJEQm5keWYrY1UwaVk5bEtsYTR1VTFGTTRLMjVkeXdrZVpubmRYYU9nY0lwdnZ5aTVsCmpiR1RFMDBDZ1lBVCtVTm9tcDhKbW01YXFDME1kc050OW13T0tMVnRDazFZei9YODVQbVNpU1p4eG11cThVNXUKYThvYUovTm1tTXBZc1JHOXB5NW1JZ0RXSDFicnlPWlA3YVB0T0lWWnBZSDc3cU1ySjR2RmJ6MkphQTFiMWlySgoyMkhkajFYRDdMdjJ1cXQ3UVVsYU5RY3VrSkZJSE94WVJOWUNobEpuSUVmMmU3MGpkbEN4TGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=", diff --git a/test/config/user-patches/user-patches.sh b/test/config/user-patches/user-patches.sh old mode 100644 new mode 100755 diff --git a/test/mail_ssl_letsencrypt.bats b/test/mail_ssl_letsencrypt.bats index 1f67d45d..8acfdb3a 100644 --- a/test/mail_ssl_letsencrypt.bats +++ b/test/mail_ssl_letsencrypt.bats @@ -34,6 +34,7 @@ function setup_file() { -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ -e DMS_DEBUG=0 \ -e SSL_TYPE=letsencrypt \ + -e "SSL_DOMAIN=*.example.com" \ -h mail.my-domain.com -t ${NAME} wait_for_finished_setup_in_container mail_lets_acme_json @@ -114,7 +115,7 @@ function teardown_file() { cp "`pwd`/test/config/letsencrypt/acme-changed.json" "`pwd`/test/config/acme.json" sleep 11 run docker exec mail_lets_acme_json /bin/bash -c "supervisorctl tail changedetector" - assert_output --partial "Cert found in /etc/letsencrypt/acme.json for mail.my-domain.com" + assert_output --partial "Cert found in /etc/letsencrypt/acme.json for *.example.com" assert_output --partial "postfix: stopped" assert_output --partial "postfix: started" assert_output --partial "Update checksum" From 119dbd664c6887ca1a0242ebc2ea606983aae203 Mon Sep 17 00:00:00 2001 From: Michael Sprauer Date: Tue, 14 Jul 2020 15:23:36 +0200 Subject: [PATCH 5/6] revert nonsens changes --- test/config/dovecot-lmtp/conf.d/10-auth.conf | 12 ++++++------ test/config/dovecot-lmtp/conf.d/10-ssl.conf | 2 +- test/config/dovecot-lmtp/conf.d/15-lda.conf | 6 +++--- test/config/dovecot-lmtp/conf.d/90-quota.conf | 4 ++-- test/config/dovecot-lmtp/local.conf | 1 - 5 files changed, 12 insertions(+), 13 deletions(-) diff --git a/test/config/dovecot-lmtp/conf.d/10-auth.conf b/test/config/dovecot-lmtp/conf.d/10-auth.conf index 8f88d178..19526cd6 100644 --- a/test/config/dovecot-lmtp/conf.d/10-auth.conf +++ b/test/config/dovecot-lmtp/conf.d/10-auth.conf @@ -7,7 +7,7 @@ # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. # See also ssl=required setting. -disable_plaintext_auth = no +#disable_plaintext_auth = yes # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. @@ -30,7 +30,7 @@ disable_plaintext_auth = no # Default realm/domain to use if none was specified. This is used for both # SASL realms and appending @domain to username in plaintext logins. -#auth_default_realm = +#auth_default_realm = # List of allowed characters in username. If the user-given username contains # a character not listed in here, the login automatically fails. This is just @@ -73,7 +73,7 @@ disable_plaintext_auth = no # Kerberos keytab to use for the GSSAPI mechanism. Will use the system # default (usually /etc/krb5.keytab) if not specified. You may need to change # the auth service to run as root to be able to read this file. -#auth_krb5_keytab = +#auth_krb5_keytab = # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and # ntlm_auth helper. @@ -88,9 +88,9 @@ disable_plaintext_auth = no # Require a valid SSL client certificate or the authentication fails. #auth_ssl_require_client_cert = no -# Take the username from client's SSL certificate, using +# Take the username from client's SSL certificate, using # X509_NAME_get_text_by_NID() which returns the subject's DN's -# CommonName. +# CommonName. #auth_ssl_username_from_cert = no # Space separated list of wanted authentication mechanisms: @@ -121,7 +121,7 @@ auth_mechanisms = plain login #!include auth-system.conf.ext #!include auth-sql.conf.ext -#######!include auth-ldap.conf.ext +######!include auth-ldap.conf.ext !include auth-passwdfile.inc #!include auth-checkpassword.conf.ext #!include auth-vpopmail.conf.ext diff --git a/test/config/dovecot-lmtp/conf.d/10-ssl.conf b/test/config/dovecot-lmtp/conf.d/10-ssl.conf index cacdcfea..f4d5884f 100644 --- a/test/config/dovecot-lmtp/conf.d/10-ssl.conf +++ b/test/config/dovecot-lmtp/conf.d/10-ssl.conf @@ -3,7 +3,7 @@ ## # SSL/TLS support: yes, no, required. -ssl = yes +ssl = required # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but diff --git a/test/config/dovecot-lmtp/conf.d/15-lda.conf b/test/config/dovecot-lmtp/conf.d/15-lda.conf index 3cbd4528..69892e3c 100644 --- a/test/config/dovecot-lmtp/conf.d/15-lda.conf +++ b/test/config/dovecot-lmtp/conf.d/15-lda.conf @@ -4,11 +4,11 @@ # Address to use when sending rejection mails. # Default is postmaster@. %d expands to recipient domain. -postmaster_address = postmaster@my-domain.com +postmaster_address = postmaster@domain.com # Hostname to use in various parts of sent mails (e.g. in Message-Id) and # in LMTP replies. Default is the system's real hostname@domain. -hostname = mail.my-domain.com +#hostname = # If user is over quota, return with temporary failure instead of # bouncing the mail. @@ -32,7 +32,7 @@ hostname = mail.my-domain.com #recipient_delimiter = + # Header where the original recipient address (SMTP's RCPT TO: address) is taken -# from if not available elsewhere. With dovecot-lda -a parameter overrides this. +# from if not available elsewhere. With dovecot-lda -a parameter overrides this. # A commonly used header for this is X-Original-To. #lda_original_recipient_header = diff --git a/test/config/dovecot-lmtp/conf.d/90-quota.conf b/test/config/dovecot-lmtp/conf.d/90-quota.conf index 9db935fb..db1f7188 100644 --- a/test/config/dovecot-lmtp/conf.d/90-quota.conf +++ b/test/config/dovecot-lmtp/conf.d/90-quota.conf @@ -15,7 +15,7 @@ # to give additional 100 MB when saving to Trash: plugin { - #quota_rule = *:storage=0 + #quota_rule = *:storage=1G #quota_rule2 = Trash:storage=+100M # LDA/LMTP allows saving the last mail to bring user from under quota to @@ -75,6 +75,6 @@ plugin { plugin { #quota = dict:user::proxy::quota #quota2 = dict:domain:%d:proxy::quota_domain - #quota_rule = *:storage=0 + #quota_rule = *:storage=102400 #quota2_rule = *:storage=1048576 } diff --git a/test/config/dovecot-lmtp/local.conf b/test/config/dovecot-lmtp/local.conf index 47e76619..35279f28 100644 --- a/test/config/dovecot-lmtp/local.conf +++ b/test/config/dovecot-lmtp/local.conf @@ -1,2 +1 @@ mail_max_userip_connections = 69 -recipient_delimiter = ~ From ffac79bc8ec780b880d2fbde110f940cae7b5cba Mon Sep 17 00:00:00 2001 From: Michael Sprauer Date: Wed, 15 Jul 2020 09:23:34 +0200 Subject: [PATCH 6/6] Trigger