chris/mailcow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add '{push-mailcow-cert.sh}'

Browse Source 
Add script that pushes newly renewed ssl certificate to Mailcow VM staging area.  Uses '{deploy-staged-cert.sh}' to push new cert.
This commit is contained in:
Christopher Berger
2026-05-28 02:18:40 +00:00
parent d78ac7ac26
commit f891004943
1 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
push-mailcow-cert.sh
+48
View File
@@ -0,0 +1,48 @@
#!/usr/bin/env bash
#
# push-mailcow-cert.sh (runs on Nginx Proxy Manager host)
# Pushes the npm-5 (mail.wittenberger.us) cert to the mailcow VM when it changes.
#
# Requires: an SSH key for a dedicated push user on the mailcow VM (see notes).
set -euo pipefail
# ---- CONFIG ---------------------------------------------------------------
NPM_CERT_DIR="/etc/nginx/letsencrypt/live/npm-5" # mail.wittenberger.us cert
MAILCOW_HOST="<redacted>" # ssh host/alias or IP of mailcow VM
MAILCOW_SSH_USER="certsync" # dedicated low-priv user on mailcow VM
SSH_KEY="/root/.ssh/mailcow_certsync" # private key for that user
REMOTE_STAGING="/home/certsync/incoming" # staging dir on mailcow VM
# ---------------------------------------------------------------------------
SRC_CERT="${NPM_CERT_DIR}/fullchain.pem"
SRC_KEY="${NPM_CERT_DIR}/privkey.pem"
log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*"; }
[[ -r "${SRC_CERT}" ]] || { log "ERROR: cert not readable: ${SRC_CERT}"; exit 1; }
[[ -r "${SRC_KEY}" ]] || { log "ERROR: key not readable: ${SRC_KEY}"; exit 1; }
# Track last-pushed fingerprint locally so it only pushes on change.
STATE_FILE="/var/lib/mailcow-cert-push/last_fp"
mkdir -p "$(dirname "${STATE_FILE}")"
new_fp=$(openssl x509 -noout -fingerprint -sha256 -in "${SRC_CERT}")
cur_fp=""
[[ -r "${STATE_FILE}" ]] && cur_fp=$(cat "${STATE_FILE}")
if [[ "${new_fp}" == "${cur_fp}" ]]; then
log "Cert unchanged; nothing to push."
exit 0
fi
log "Cert changed — pushing to ${MAILCOW_HOST}."
# rsync both files into the staging dir. Trailing dot files copied with perms.
rsync -azL --chmod=F600 \
-e "ssh -i ${SSH_KEY} -o StrictHostKeyChecking=accept-new" \
"${SRC_CERT}" "${SRC_KEY}" \
"${MAILCOW_SSH_USER}@${MAILCOW_HOST}:${REMOTE_STAGING}/"
echo "${new_fp}" > "${STATE_FILE}"
log "Push complete."