iankelling.org Git - distro-setup/blob - mail-cert-cron

   1 #!/bin/bash
   2 # I, Ian Kelling, follow the GNU license recommendations at
   3 # https://www.gnu.org/licenses/license-recommendations.en.html. They
   4 # recommend that small programs, < 300 lines, be licensed under the
   5 # Apache License 2.0. This file contains or is part of one or more small
   6 # programs. If a small program grows beyond 300 lines, I plan to switch
   7 # its license to GPL.
   8
   9 # Copyright 2024 Ian Kelling
  10
  11 # Licensed under the Apache License, Version 2.0 (the "License");
  12 # you may not use this file except in compliance with the License.
  13 # You may obtain a copy of the License at
  14
  15 #     http://www.apache.org/licenses/LICENSE-2.0
  16
  17 # Unless required by applicable law or agreed to in writing, software
  18 # distributed under the License is distributed on an "AS IS" BASIS,
  19 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  20 # See the License for the specific language governing permissions and
  21 # limitations under the License.
  22
  23 set -eE -o pipefail
  24 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
  25
  26 [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
  27
  28 interactive=false
  29 case $1 in
  30   # For first run, accept host key. Note, known_hosts is saved in /p.
  31   -1)
  32     opt=(-e 'ssh -oStrictHostKeyChecking=no')
  33     shift
  34     ;;
  35   -i)
  36     interactive=true
  37     shift
  38     ;;
  39 esac
  40
  41 f=/a/bin/bash_unpublished/source-state
  42 if [[ -e $f ]]; then
  43   # shellcheck source=/a/bin/bash_unpublished/source-state
  44   source $f
  45 fi
  46
  47 try() {
  48   local ret=0
  49   "$@" || ret=$?
  50   if $interactive && (( ret >=1 )); then
  51     echo "$0: ERROR: exit $ret on: $*"
  52   fi
  53 }
  54
  55 # note: when certificate is expired, you will get this in /var/log/mail.log when k-9 mail tries to fetch:
  56 # imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=redacted, lip=10.8.0.4, TLS handshaking: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46, session=<EsdzzmAWosNKXpza
  57
  58 case $HOSTNAME in
  59   $MAIL_HOST|bk)
  60     # ||: is to allow for temporary connection issues.
  61     try rsync "${opt[@]}" -ogtL --chown=root:Debian-exim --chmod=640 \
  62           root@li.iankelling.org:/etc/letsencrypt/live/mail.iankelling.org/{fullchain.pem,privkey.pem} /etc/exim4
  63     if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then
  64       echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
  65       exit 1
  66     fi
  67     ;;&
  68 esac
  69
  70 # note: exim spec, 5.3 command line option -bd says that all files except
  71 # .include "are reread each time they are used."
  72
  73
  74 exit 0