§2024-11-01

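#! /bin/bash
#
# 13_install_ssl_certs.sh — install a pinned acme.sh, issue a Let's Encrypt
# certificate for $HOSTNAME through the nginx plugin, and point WildDuck,
# ZoneMTA and the nginx site config at the resulting key/fullchain pair.
#
# Expected from the calling installer: HOSTNAME (required), ORANGE/NC colour
# escapes (optional) and SYSTEMCTL_PATH (falls back to "systemctl").

OURNAME=13_install_ssl_certs.sh

echo -e "\n-- Executing ${ORANGE}${OURNAME}${NC} subscript --"

# Print a diagnostic on stderr and abort this subscript.
die() {
  printf '%s: %s\n' "$OURNAME" "$*" >&2
  exit 1
}

# HOSTNAME is used as the certificate name and the nginx server_name; an empty
# value would issue nothing useful and write the site file to ".../sites-available/".
: "${HOSTNAME:?HOSTNAME must be set before running $OURNAME}"
SYSTEMCTL_PATH="${SYSTEMCTL_PATH:-systemctl}"

#### SSL CERTS ####

# Install acme.sh
# NOTE: the version 3.0.7 has a bug with Nginx certs, so version is pinned to 3.0.6
ACME_VERSION="3.0.6"
ACME_URL="https://raw.githubusercontent.com/acmesh-official/acme.sh/${ACME_VERSION}/acme.sh"
# Optional: export ACME_SHA256=<sha256 of acme.sh at this tag> to verify the
# download before it is executed — a git tag pin alone is not immutable.
ACME_SHA256="${ACME_SHA256:-}"

# The script is executed right after download, so a failed or truncated fetch
# must stop here rather than be silently run by `sh` below.
wget -O acme.sh "$ACME_URL" || die "failed to download $ACME_URL"
[[ -s acme.sh ]] || die "downloaded acme.sh is empty"
if [[ -n "$ACME_SHA256" ]]; then
  printf '%s  acme.sh\n' "$ACME_SHA256" | sha256sum -c - >/dev/null \
    || die "acme.sh checksum mismatch; refusing to execute it"
fi

# --auto-upgrade 0 disable auto-upgrade
sh acme.sh --install --auto-upgrade 0 || die "acme.sh --install failed"

# test run on alexlai@hc4Noble.yushei.net
# $ sh acme.sh --install --auto-upgrade 0
# [Fri Nov  1 06:57:48 PM CST 2024] It is recommended to install socat first.
# [Fri Nov  1 06:57:48 PM CST 2024] We use socat for standalone server if you use standalone mode.
# [Fri Nov  1 06:57:48 PM CST 2024] If you don't use standalone mode, just ignore this warning.
# [Fri Nov  1 06:57:48 PM CST 2024] Installing to /home/alexlai/.acme.sh
# [Fri Nov  1 06:57:48 PM CST 2024] Installed to /home/alexlai/.acme.sh/acme.sh
# [Fri Nov  1 06:57:48 PM CST 2024] Installing alias to '/home/alexlai/.bashrc'
# [Fri Nov  1 06:57:48 PM CST 2024] OK, Close and reopen your terminal to start using acme.sh
# [Fri Nov  1 06:57:48 PM CST 2024] Installing cron job
# no crontab for alexlai
# no crontab for alexlai
# [Fri Nov  1 06:57:48 PM CST 2024] Good, bash is found, so change the shebang to use bash as preferred.
# [Fri Nov  1 06:57:49 PM CST 2024] OK
# $ ls -al ~/.acme.sh/
# total 232
# drwx------  2 alexlai alexlai     79 Nov  1 18:57 .
# drwxr-x--- 22 alexlai alexlai   4096 Nov  1 18:57 ..
# -rw-rw-r--  1 alexlai alexlai    159 Nov  1 18:57 account.conf
# -rwxrwxr-x  1 alexlai alexlai 220762 Nov  1 18:57 acme.sh
# -rw-rw-r--  1 alexlai alexlai     94 Nov  1 18:57 acme.sh.env
# -rw-rw-r--  1 alexlai alexlai   1306 Nov  1 18:57 http.header
# and `. "/home/alexlai/.acme.sh/acme.sh.env"` added into ~/.bashrc
#
# $  cat /home/alexlai/.acme.sh/acme.sh.env
# export LE_WORKING_DIR="/home/alexlai/.acme.sh"
# alias acme.sh="/home/alexlai/.acme.sh/acme.sh"
# alias: This is a shell built-in command that allows you to create shortcuts for longer commands
#

# Only the downloaded installer is removed; the installed copy lives in ~/.acme.sh.
rm -f -- acme.sh

CERT_DIR=/etc/wildduck/certs
mkdir -p "$CERT_DIR"

# -- create /etc/wildduck/tls.toml -------------------------------------------------------------
# WildDuck TLS config
cat > /etc/wildduck/tls.toml <<'EOF'
cert="/etc/wildduck/certs/fullchain.pem"
key="/etc/wildduck/certs/privkey.pem"
EOF

# ZoneMTA feeder: comment out its own key=/cert= lines and include the shared
# WildDuck TLS file instead (the "# @include" form is the config loader's
# include directive). The sed is not idempotent on re-runs (it would produce
# "##key="), so the include line at least is only appended once.
FEEDER_TOML=/etc/zone-mta/interfaces/feeder.toml
[[ -f "$FEEDER_TOML" ]] || die "$FEEDER_TOML not found; was ZoneMTA installed by an earlier subscript?"
sed -i -e "s/key=/#key=/g;s/cert=/#cert=/g" "$FEEDER_TOML"
grep -qF '@include "../../wildduck/tls.toml"' "$FEEDER_TOML" \
  || echo '# @include "../../wildduck/tls.toml"' >> "$FEEDER_TOML"

# vanity script as first run should not restart anything
cat > /usr/local/bin/reload-services.sh <<'EOF'
#!/bin/bash
echo "OK"
EOF
chmod +x /usr/local/bin/reload-services.sh

# Issue the certificate. --force re-issues even if acme.sh considers the
# current one fresh, so this subscript can be re-run.
if ! ~/.acme.sh/acme.sh --issue --nginx --server letsencrypt \
    -d "$HOSTNAME" \
    --key-file       "$CERT_DIR/privkey.pem"  \
    --fullchain-file "$CERT_DIR/fullchain.pem" \
    --reloadcmd     "/usr/local/bin/reload-services.sh" \
    --force; then
  echo "Warning: Failed to generate certificates, using self-signed certs" >&2
  # The fallback relies on a self-signed pair already being present at these
  # paths (presumably from an earlier subscript); without one, nginx below
  # will refuse to start on the ssl_certificate directives.
  [[ -s "$CERT_DIR/fullchain.pem" && -s "$CERT_DIR/privkey.pem" ]] \
    || echo "Warning: no certificate files found in $CERT_DIR; nginx will fail to start" >&2
fi

# Update site config, make sure ssl is enabled
# NOTE(review): the site also answers plain HTTP on :80 with no redirect to
# HTTPS — confirm that is intended for this deployment.
# $HOSTNAME is expanded here; the escaped \$... names are nginx variables.
NGINX_SITE="/etc/nginx/sites-available/$HOSTNAME"
cat > "$NGINX_SITE" <<EOF
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name $HOSTNAME;

    ssl_certificate /etc/wildduck/certs/fullchain.pem;
    ssl_certificate_key /etc/wildduck/certs/privkey.pem;

    # special config for EventSource to disable gzip
    location /api/events {
        proxy_http_version 1.1;
        gzip off;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header HOST \$http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }

    # special config for uploads
    location /webmail/send {
        client_max_body_size 15M;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header HOST \$http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }

    location / {
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header HOST \$http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }
}
EOF

#See issue https://github.com/nodemailer/wildduck/issues/83
# SYSTEMCTL_PATH is left unquoted on purpose: callers may set it to a command
# with arguments, not just a binary path.
# shellcheck disable=SC2086
$SYSTEMCTL_PATH start nginx || echo "Warning: '$SYSTEMCTL_PATH start nginx' failed" >&2
# shellcheck disable=SC2086
$SYSTEMCTL_PATH reload nginx || echo "Warning: '$SYSTEMCTL_PATH reload nginx' failed" >&2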