
Commit abd6fe8

Merge pull request #7124 from mailcow/fix/7112
[ACME] Fix wildcard certificate conflict with MAILCOW_HOSTNAME
2 parents 5f8382e + 1da8d1c commit abd6fe8


2 files changed

+23
-3
lines changed


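--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -308,13 +308,33 @@ while true; do
 done
 fi
 
+# Check if MAILCOW_HOSTNAME is covered by a wildcard in ADDITIONAL_SAN
+MAILCOW_HOSTNAME_COVERED=0
+if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} && ! -z ${ADDITIONAL_SAN} ]]; then
+# Extract parent domain from MAILCOW_HOSTNAME (e.g., mail.example.com -> example.com)
+MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)
+# Check if ADDITIONAL_SAN contains a wildcard for this parent domain
+if [[ "${ADDITIONAL_SAN}" == *"*.${MAILCOW_PARENT_DOMAIN}"* ]]; then
+log_f "MAILCOW_HOSTNAME '${VALIDATED_MAILCOW_HOSTNAME}' is covered by wildcard '*.${MAILCOW_PARENT_DOMAIN}' - skipping explicit hostname"
+MAILCOW_HOSTNAME_COVERED=1
+fi
+fi
+
 # Unique domains for server certificate
 if [[ ${ENABLE_SSL_SNI} == "y" ]]; then
 # create certificate for server name and fqdn SANs only
-SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
+if [[ ${MAILCOW_HOSTNAME_COVERED} == "1" ]]; then
+SERVER_SAN_VALIDATED=($(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
+else
+SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
+fi
 else
 # create certificate for all domains, including all subdomains from other domains [*]
-SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
+if [[ ${MAILCOW_HOSTNAME_COVERED} == "1" ]]; then
+SERVER_SAN_VALIDATED=($(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
+else
+SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
+fi
 fi
 if [[ ! -z ${SERVER_SAN_VALIDATED[*]} ]]; then
 CERT_NAME=${SERVER_SAN_VALIDATED[0]}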
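Review bot: The wildcard test on the new line 317 is a substring match, so `*.example.com` is "found" inside an ADDITIONAL_SAN entry such as `*.example.community` or `*.notexample.com` that does not actually cover MAILCOW_HOSTNAME, and the hostname is then silently dropped from the server certificate. Compare whole entries instead, splitting ADDITIONAL_SAN on its separator (assumed to be the comma, as elsewhere in this file) and testing each one for equality with `*.${MAILCOW_PARENT_DOMAIN}`. The check also reads the raw ADDITIONAL_SAN rather than ADDITIONAL_VALIDATED_SAN; if validation can reject the wildcard entry (cannot be confirmed from this hunk), the hostname is dropped while the wildcard never reaches the request, which is worth guarding against in the same loop. Note too that with the hostname dropped, CERT_NAME on line 340 becomes the first sorted SAN, so the certificate name can change between runs — confirm downstream consumers tolerate that.
```shell
# Check if MAILCOW_HOSTNAME is covered by a wildcard in ADDITIONAL_SAN
MAILCOW_HOSTNAME_COVERED=0
if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} && ! -z ${ADDITIONAL_SAN} ]]; then
  # Extract parent domain from MAILCOW_HOSTNAME (e.g., mail.example.com -> example.com)
  MAILCOW_PARENT_DOMAIN=${VALIDATED_MAILCOW_HOSTNAME#*.}
  # Compare whole entries: "*.example.community" must not count as cover for mail.example.com
  for SAN_ENTRY in ${ADDITIONAL_SAN//,/ }; do
    if [[ "${SAN_ENTRY}" == "*.${MAILCOW_PARENT_DOMAIN}" ]]; then
      log_f "MAILCOW_HOSTNAME '${VALIDATED_MAILCOW_HOSTNAME}' is covered by wildcard '*.${MAILCOW_PARENT_DOMAIN}' - skipping explicit hostname"
      MAILCOW_HOSTNAME_COVERED=1
      break
    fi
  done
fi
# … unchanged: SERVER_SAN_VALIDATED selection …
```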

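--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -465,7 +465,7 @@ services:
 condition: service_started
 unbound-mailcow:
 condition: service_healthy
-image: ghcr.io/mailcow/acme:1.96
+image: ghcr.io/mailcow/acme:1.97
 dns:
 - ${IPV4_NETWORK:-172.22.1}.254
 environment: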
