redis cert
52
sync_mail_certs.sh
Normal file → Executable file
52
sync_mail_certs.sh
Normal file → Executable file
@@ -1,27 +1,45 @@
|
||||
#!/bin/bash
|
||||
|
||||
# --- CONFIGURATION ---
|
||||
# 1. The path you found in Step 1
|
||||
SOURCE_DIR="/local-zfs/subvol-100-disk-0/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.poppyglen.cc"
|
||||
ENV_FILE="/root/secrets/redis.env"
|
||||
if [ -f "$ENV_FILE" ]; then
|
||||
export $(grep -v '^#' "$ENV_FILE" | xargs)
|
||||
export REDISCLI_AUTH="$REDIS_PASSWORD"
|
||||
else
|
||||
echo "ERROR: Secret file $ENV_FILE not found."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# 2. The destination (Your Mailserver Config Mount)
|
||||
# We use the existing 'mp3' location (/rpool/mail/config) so the container sees it automatically
|
||||
REDIS_HOST="192.168.0.120"
|
||||
REDIS_PORT="6379"
|
||||
REDIS_DB="2"
|
||||
DEST_DIR="/local-zfs/mail/config/ssl"
|
||||
DOMAIN="mail.poppyglen.cc"
|
||||
|
||||
# Key paths in Redis
|
||||
CERT_KEY="caddy/certificates/acme-v02.api.letsencrypt.org-directory/$DOMAIN/$DOMAIN.crt"
|
||||
PRIV_KEY="caddy/certificates/acme-v02.api.letsencrypt.org-directory/$DOMAIN/$DOMAIN.key"
|
||||
|
||||
# --- SYNC LOGIC ---
|
||||
mkdir -p "$DEST_DIR"
|
||||
|
||||
# Copy the cert and key
|
||||
# We rename them to standard names for simplicity
|
||||
cp "$SOURCE_DIR/mail.poppyglen.cc.crt" "$DEST_DIR/cert.pem"
|
||||
cp "$SOURCE_DIR/mail.poppyglen.cc.key" "$DEST_DIR/key.pem"
|
||||
echo "Fetching and decoding certs from Redis..."
|
||||
|
||||
# --- PERMISSION FIX (CRITICAL) ---
|
||||
# We make them readable by 'Unknown' users so the Container can read them.
|
||||
# 644 allows Owner(RW), Group(R), Everyone(R)
|
||||
chmod 644 "$DEST_DIR/cert.pem"
|
||||
chmod 644 "$DEST_DIR/key.pem"
|
||||
|
||||
# Reload the Mail Container to apply (Optional, usually not needed if hot-loading)
|
||||
# pct exec 124 -- supervisorctl restart postfix
|
||||
# Logic:
|
||||
# 1. Get raw JSON from Redis
|
||||
# 2. Use jq to get the "value" field
|
||||
# 3. Use base64 -d to turn that string back into a PEM file
|
||||
redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" -n "$REDIS_DB" --raw GET "$CERT_KEY" | jq -r '.value' | base64 -d > "$DEST_DIR/cert.pem"
|
||||
redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" -n "$REDIS_DB" --raw GET "$PRIV_KEY" | jq -r '.value' | base64 -d > "$DEST_DIR/key.pem"
|
||||
|
||||
# --- VERIFICATION ---
|
||||
if openssl x509 -in "$DEST_DIR/cert.pem" -noout > /dev/null 2>&1; then
|
||||
echo "Success! Certificate is valid."
|
||||
chmod 644 "$DEST_DIR/cert.pem" "$DEST_DIR/key.pem"
|
||||
|
||||
# Reload Mail Services
|
||||
# pct exec 124 -- postfix reload
|
||||
# pct exec 124 -- dovecot reload
|
||||
else
|
||||
echo "ERROR: Extraction failed. The resulting cert.pem is not a valid certificate."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
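Review bot: The private key is left world-readable — the verification branch runs `chmod 644 "$DEST_DIR/cert.pem" "$DEST_DIR/key.pem"` on key.pem (and the earlier `chmod 644 "$DEST_DIR/key.pem"` does the same if it survives on the new side), so any local account or container user on the host can read the mail server's TLS key. The two `redis-cli | jq | base64 -d > "$DEST_DIR/..."` pipelines also open and truncate the live cert.pem/key.pem before anything has been validated, and without `set -o pipefail` a Redis miss or a `jq` error still exits 0, so a failed fetch leaves an empty key file in place; the check afterwards only inspects cert.pem, never the key. Decoding into `mktemp` files under a restrictive `umask`, verifying both with `openssl x509` and `openssl pkey`, then moving them into place with the key at 640 (owned by the group the mail container runs as) closes both gaps; the `export $(grep -v '^#' "$ENV_FILE" | xargs)` line is also unquoted and will word-split any value containing spaces, so `set -a; . "$ENV_FILE"; set +a` is the safer way to load the secret file.
```shell
set -o pipefail
umask 077   # temp files stay owner-only while being written
tmp_cert=$(mktemp "$DEST_DIR/.cert.XXXXXX") || exit 1
tmp_key=$(mktemp "$DEST_DIR/.key.XXXXXX") || exit 1
trap 'rm -f -- "$tmp_cert" "$tmp_key"' EXIT

redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" -n "$REDIS_DB" --raw GET "$CERT_KEY" \
  | jq -r '.value' | base64 -d > "$tmp_cert" \
  || { echo "ERROR: could not fetch/decode $CERT_KEY" >&2; exit 1; }
redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" -n "$REDIS_DB" --raw GET "$PRIV_KEY" \
  | jq -r '.value' | base64 -d > "$tmp_key" \
  || { echo "ERROR: could not fetch/decode $PRIV_KEY" >&2; exit 1; }

# --- VERIFICATION --- (both files, before anything touches the live paths)
if openssl x509 -in "$tmp_cert" -noout >/dev/null 2>&1 \
   && openssl pkey -in "$tmp_key" -noout >/dev/null 2>&1; then
  chmod 644 "$tmp_cert"
  chmod 640 "$tmp_key"   # TODO: chown to the mail container's group; key must never be world-readable
  mv -f -- "$tmp_cert" "$DEST_DIR/cert.pem"
  mv -f -- "$tmp_key" "$DEST_DIR/key.pem"
  echo "Success! Certificate is valid."
  # … unchanged: commented-out reload hooks …
else
  echo "ERROR: Extraction failed. The resulting cert.pem is not a valid certificate." >&2
  exit 1
fi
```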