Version bump and Let's Encrypt support if no SSL cert is provided via…

… mdata

copy/opt/core/var/mdata-setup/includes/31-dovecot.sh

@@ -1,21 +1,8 @@
 #!/bin/bash
-# Configure dovecot ssl certificates
-
-mdata-get mbox_ssl > /opt/local/etc/dovecot/ssl/dovecot.pem
-chmod 400 /opt/local/etc/dovecot/ssl/dovecot.pem
-
-if mdata-get mbox_ssl 1>/dev/null 2>&1; then
-	cat > /opt/local/etc/dovecot/conf.d/core-ssl.conf <<EOF
-ssl = required
-disable_plaintext_auth = yes
-ssl_cert = </opt/local/etc/dovecot/ssl/dovecot.pem
-ssl_key = </opt/local/etc/dovecot/ssl/dovecot.pem
-EOF
-fi
+# Configure dovecot trusted proxies
 
 if mdata-get trusted_proxies 1>/dev/null 2>&1; then
 	cat > /opt/local/etc/dovecot/conf.d/core-proxy-trusted.conf <<EOF
 login_trusted_networks = $(mdata-get trusted_proxies)
 EOF
-
 fi

copy/opt/local/etc/dovecot/conf.d/core-ssl.conf

@@ -0,0 +1,4 @@
+ssl = required
+disable_plaintext_auth = yes
+ssl_cert = </opt/local/etc/dovecot/ssl/dovecot.crt
+ssl_key = </opt/local/etc/dovecot/ssl/dovecot.key

copy/var/zoneinit/includes/41-ssl.sh

@@ -0,0 +1,49 @@
+# This script will try to manage the ssl certificates for us, we support
+# own ssl certificates, let's encrypt and selfsigned fallbacks for dev
+# usage
+
+ssl() {
+	local ssl_home=${1}
+	local mdata_var=${2}
+	local filename=${3}
+	local service=${4-${filename}}
+
+	mkdir -p "${ssl_home}"
+
+	if mdata-get ${mdata_var} 1>/dev/null 2>&1; then
+		(
+		umask 0027
+		mdata-get ${mdata_var} > "${ssl_home}/${filename}.pem"
+		# Split files for ${filename} usage
+		openssl pkey -in "${ssl_home}/${filename}.pem" -out "${ssl_home}/${filename}.key"
+		openssl crl2pkcs7 -nocrl -certfile "${ssl_home}/${filename}.pem" | \
+			openssl pkcs7 -print_certs -out "${ssl_home}/${filename}.crt"
+		)
+	else
+		# Try to generate let's encrypt ssl certificate for the hostname
+		if /opt/core/bin/ssl-letsencrypt.sh 1>/dev/null; then
+			local le_home='/opt/local/etc/letsencrypt/'
+			local le_live="${le_home}live/$(hostname)/"
+			# Workaround to copy correct files for ssl_home
+			(
+			umask 0027
+			cat ${le_live}fullchain.pem > ${ssl_home}/${filename}.crt
+			cat ${le_live}privkey.pem   > ${ssl_home}/${filename}.key
+			)
+			# Update renew-hook.sh
+			grep -q '^#!/usr/bin/env bash' || echo '#!/usr/bin/env bash' > ${le_home}renew-hook.sh
+			echo "cat ${le_live}fullchain.pem > ${ssl_home}/${filename}.crt" >> ${le_home}renew-hook.sh
+			echo "cat ${le_live}privkey.pem   > ${ssl_home}/${filename}.key" >> ${le_home}renew-hook.sh
+			echo "svcadm restart ${service}" >> ${le_home}renew-hook.sh
+		else
+			# Fallback to selfsigned ssl certificates
+			/opt/core/bin/ssl-selfsigned.sh -d ${ssl_home} -f ${filename}
+		fi
+	fi
+}
+
+# Request and manage SSL certificates
+ssl /opt/local/etc/dovecot/ssl mbox_ssl dovecot
+
+# Fix permissions
+chgrp dovecot /opt/local/etc/dovecot/ssl/dovecot.*

manifest

@@ -1,8 +1,8 @@
 name="core-mbox"
 organization="SkyLime"
 brand="Instance"
-version="16.4.0"
+version="16.4.1"
 description="core.io Mailbox Server"
 homepage="https://github.com/skylime/mi-core-mbox"
 users="root admin"
-base="1bb910cb-4c32-43b0-8037-212e15953848"
+base="1963511a-19d8-4646-90b4-09ecfad1d3ac"

manifest.json

@@ -1,11 +1,11 @@
 {
 	"name":         "core-mbox",
-	"version":      "16.4.0",
+	"version":      "16.4.1",
 	"description":  "core.io Mailbox Server",
 	"organization": "SkyLime",
 	"brand":        "Instance",
 	"homepage":     "https://github.com/skylime/mi-core-mbox",
-	"base":         "1bb910cb-4c32-43b0-8037-212e15953848",
+	"base":         "1963511a-19d8-4646-90b4-09ecfad1d3ac",
 	"customer_metadata": {
 		"root_authorized_keys": {"type": "text", "description": "SSH public key(s) for the root user"},
 		"syslog_host":          {"type": "text", "description": "syslog server IP address and port seperated by colon"},