#!/bin/sh # based on doc/mkcert.sh # if ssl disabled then lets just exit doveconf ssl 2>/dev/null | grep -q 'yes' || exit 0 # Generates a self-signed certificate. OPENSSL=${OPENSSL-openssl} SSLDIR=${SSLDIR-/etc/ssl/dovecot} OPENSSLCONFIG=${OPENSSLCONFIG-/etc/dovecot/dovecot-openssl.cnf} CERTDIR=$SSLDIR KEYDIR=$SSLDIR # parse cert and key file from dovecot.conf (1.2) for upgraders dovecot_conf=/etc/dovecot/dovecot.conf ssl_cert_file= ssl_key_file= if [ -r "$dovecot_conf" ]; then ssl_cert_file=$(awk -F'[[:space:]]*=[[:space:]]*' '/^ssl_cert_file/ { print $2}' $dovecot_conf) ssl_key_file=$(awk -F'[[:space:]]*=[[:space:]]*' '/^ssl_key_file/ { print $2}' $dovecot_conf) fi # check if we have ssl_cert and/or key (for dovecot-2.0+) # try expand the cert/key itself and if found, lets just keep it [ -n "$(doveconf -x ssl_cert 2>/dev/null)" ] && exit 0 [ -n "$(doveconf -x ssl_key 2>/dev/null)" ] && exit 0 [ -z "$ssl_cert_file" ] && ssl_cert_file=$(doveconf ssl_cert | sed 's/.*= <//') [ -z "$ssl_key_file" ] && ssl_key_file=$(doveconf ssl_key | sed 's/.*= <//') CERTFILE=${ssl_cert_file:-$CERTDIR/server.pem} KEYFILE=${ssl_key_file:-$KEYDIR/server.key} if [ -e "$CERTFILE" ]; then echo "Keeping existing $CERTFILE" exit 0 fi if [ -e "$KEYFILE" ]; then echo "Keeping existing $KEYFILE" exit 0 fi if [ ! -c /dev/urandom ] && [ ! -c /dev/random ]; then echo "No /dev/urandom or /dev/random so ssl cert not created" exit 1 fi $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2 chmod 0600 $KEYFILE echo $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2