#!/bin/sh # based on doc/mkcert.sh # if ssl disabled then lets just exit doveconf ssl 2>/dev/null | grep -Eq '(yes|required)' || exit 0 # Generates a self-signed certificate. OPENSSL=${OPENSSL-openssl} SSLDIR=${SSLDIR-/etc/ssl/dovecot} OPENSSLCONFIG=${OPENSSLCONFIG-/etc/dovecot/dovecot-openssl.cnf} CERTDIR=$SSLDIR KEYDIR=$SSLDIR # check if we have ssl_cert and/or key (for dovecot-2.0+) # try expand the cert/key itself and if found, lets just keep it [ -n "$(doveconf -x ssl_cert 2>/dev/null)" ] && exit 0 [ -n "$(doveconf -x ssl_key 2>/dev/null)" ] && exit 0 ssl_cert_file=$(doveconf ssl_cert | sed 's/.*= <//') ssl_key_file=$(doveconf ssl_key | sed 's/.*= <//') CERTFILE=${ssl_cert_file:-$CERTDIR/server.pem} KEYFILE=${ssl_key_file:-$KEYDIR/server.key} if [ -e "$CERTFILE" ]; then echo "Keeping existing $CERTFILE" exit 0 fi if [ -e "$KEYFILE" ]; then echo "Keeping existing $KEYFILE" exit 0 fi if [ ! -c /dev/urandom ] && [ ! -c /dev/random ]; then echo "No /dev/urandom or /dev/random so ssl cert not created" exit 1 fi $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2 chmod 0600 $KEYFILE echo $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2