diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2015-12-20 14:13:08 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-12-20 14:13:13 +0100 |
| commit | da2572ddb144086034eba1989ae909763e95c680 (patch) | |
| tree | d3374338793592412ca1b10fb4fc20068a392c4e | |
| parent | 01e59771866559cc13a58800282617d04cb286a6 (diff) | |
Use the Let's Encrypt CA for our public certs.
30 files changed, 402 insertions, 427 deletions
diff --git a/certs/dovecot/00cacert.org_class3.crt b/certs/dovecot/00cacert.org_class3.crt deleted file mode 100644 index 087ca0e..0000000 --- a/certs/dovecot/00cacert.org_class3.crt +++ /dev/null @@ -1,42 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ig== ------END CERTIFICATE----- diff --git a/certs/dovecot/00lets-encrypt-x1-cross-signed.pem b/certs/dovecot/00lets-encrypt-x1-cross-signed.pem new file mode 100644 index 0000000..8a92a0b --- /dev/null +++ b/certs/dovecot/00lets-encrypt-x1-cross-signed.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw +PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB +BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg +PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG +dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1 +gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4 +4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud +EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy +BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j +b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv +ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ +MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH +AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw +MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM +LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3 +pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd +v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd +ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW +ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk +6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj +f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk= +-----END CERTIFICATE----- diff --git a/certs/gencerts.sh b/certs/gencerts.sh index e129733..047bba1 100755 --- a/certs/gencerts.sh +++ b/certs/gencerts.sh @@ -1,54 +1,51 @@ #!/bin/sh set -ue PATH=/usr/bin:/bin if [ -n "${GNUPGBIN:-}" ]; then GPG="$GNUPGBIN" elif [ -x /usr/bin/gpg2 ]; then GPG=/usr/bin/gpg2 else GPG=gpg fi GPG_OPTS='--no-auto-check-trustdb --batch --no-verbose --yes' usage() { echo "Usage: $0 /path/to/certs.asc" >&2 exit 1 } x509fpr() { - local msg="$1" host cert h t + local msg="$1" host cert h spki host="${msg%%,*}"; host="${msg%% *}" cert="$DIR/${host%%:*}.pem" + spki=$(openssl x509 -noout -pubkey<"$cert" | openssl pkey -pubin -outform DER | openssl dgst -sha1 | sed -nr 's/^[^=]+=\s*//p') [ "$typ" = mdwn ] && { echo; echo " $msg"; echo; } || echo " $msg" - for t in X.509 PKey; do - for h in sha1 sha256; do - [ "$t" = PKey ] && echo -n "$t $h" || echo -n "$t $h" - for i in $(seq 1 $((7 - ${#h}))); do echo -n ' '; done - if [ "$t" = PKey ]; then - openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -"$h" -c - else - openssl x509 -noout -fingerprint -"$h" - fi <"$cert" | sed -nr 's/^[^=]+=\s*//p' - done + echo "${indent}X.509: https://crt.sh/?spkisha1=${spki}&iCAID=7395" + echo "${indent}SPKI:" + for h in sha1 sha256; do + echo -n " $h" | tr '[a-z]' '[A-Z]' + for i in $(seq 1 $((7 - ${#h}))); do echo -n ' '; done + openssl x509 -noout -pubkey<"$cert" | openssl pkey -pubin -outform DER | openssl dgst -"$h" -c | sed -nr 's/^[^=]+=\s*//p' done | sed -r "s/(\S+)(.*)/$indent\1\U\2/" } sshfpr() { local msg="$1" host t h fpr host="${msg%%,*}"; host="${msg%% *}"; host="${host#*@}" [ "$typ" = mdwn ] && { echo; echo " $msg"; echo; } || echo " $msg" [ "${host#*:}" != 22 ] || host="${host%%:*}" for h in MD5 SHA256; do ssh-keygen -E "$h" -f "$DIR/../ssh_known_hosts" -lF "${host#*@}" done | sed -nr 's/^[^ #]+\s+//p' | sed -r 's/^(\S+)\s+(MD5|SHA256):/\1 \2 /' | while read t h fpr; do echo -n "$indent$t" for i in $(seq 1 $((7 - ${#h}))); do echo -n ' '; done echo "$h:$fpr" done } allfpr() { local typ="$1" @@ -81,80 +78,84 @@ allfpr() { [ $# -eq 1 ] || usage asc="$1" asc2=$(mktemp --tmpdir) src=$(mktemp --tmpdir) src2=$(mktemp --tmpdir) mdwn="${asc%.asc}.mdwn" mdwn2=$(mktemp --tmpdir) DIR="$(dirname "$0")/public" VCS_BROWSER='https://git.fripost.org/fripost-ansible' trap 'rm -f "$src" "$src2" "$asc2" "$mdwn2"' EXIT if [ -s "$asc" ]; then "$GPG" $GPG_OPTS --logger-file=/dev/null --output="$src" -- "$asc" fi # Generate ASCII file to be clearsigned cat >"$src2" << EOF -The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all -X.509 certificates Fripost uses on its publicly available services. Please -consider any mismatch as a man-in-the-middle attack, and let us know -immediately! -- admin@fripost.org +The following is an up-to date list of SHA-1 and SHA-256 fingerprints of +all SPKI (Subject Public Key Info) of each X.509 certificate Fripost +uses on its publicly available services. Please consider any mismatch +as a man-in-the-middle attack, and let us know immediately! -- +admin@fripost.org + + +These certificates are all issued by the Let's Encrypt Certificate +Authority, and are submitted to Certificate Transparency logs. You can +view all issued Let's Encrypt certificates at crt.sh: + https://crt.sh/?Identity=%25fripost.org&iCAID=7395 -All our X.509 certificates are available in PEM format under +Our X.509 certificates are also available in PEM format at: $VCS_BROWSER/tree/certs/public , Git repository from which this fingerprint list was generated, at commit ID $(git --no-pager --git-dir="$DIR/../../.git" --work-tree="$DIR" log -1 --pretty=format:'%h from %aD' -- "$DIR"). EOF allfpr asc >>"$src2" # Generate markdown file cat >"$mdwn2" << EOF # Certificates at Fripost -The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all -X.509 certificates Fripost uses on its publicly available services. Please -consider any mismatch as a man-in-the-middle attack, and let us know -immediately! (See also the [[signed version of this page|certs.asc]].) +The following is an up-to date list of SHA-1 and SHA-256 fingerprints of +all SPKI (Subject Public Key Info) of each X.509 certificate Fripost +uses on its publicly available services. Please consider any mismatch +as a man-in-the-middle attack, and let us know immediately! (See also +the [[signed version of this page|certs.asc]].) -- [[admin@fripost.org|mailto:admin@fripost.org]] -All our X.509 certificates are available in PEM format under our +These certificates are all issued by the [[Let's Encrypt Certificate +Authority|https://letsencrypt.org]], and are submitted to [[Certificate +Transparency logs|https://www.certificate-transparency.org]]. +You can view all issued Let's Encrypt certificates at +[[crt.sh|https://crt.sh/?Identity=%25fripost.org&iCAID=7395]]. +Our X.509 certificates are also available in PEM format under our [[Git repository|$VCS_BROWSER/tree/certs/public]], from which this fingerprint list was [[generated|$VCS_BROWSER/tree/certs/gencerts.sh]], at $(git --no-pager --git-dir="$DIR/../../.git" --work-tree="$DIR" log -1 --pretty=format:"[[Commit ID %h from %aD|$VCS_BROWSER/tree/certs/public?id=%H]]" -- "$DIR"). EOF allfpr mdwn >>"$mdwn2" -tee -a "$src2" >> "$mdwn2" << EOF - - -If your SSL/TLS-capable client is able to validate the public key -fingerprint of the remote peer certificate, then you should probably use -this (the above values prefixed with "PKey") instead of the fingerprint -of the certificate instead (the above values prefixed with "X.509"), -since the former typically doesn't change upon certificate renewal. -EOF echo >>"$src2" if diff -u --label "a/${asc%.asc}" --label "b/${asc%.asc}" -- "$src" "$src2" && diff -q -- "$mdwn" "$mdwn2" >/dev/null; then echo 'The fingerprint list is up to date.' else "$GPG" $GPG_OPTS --output="$asc2" --clearsign -- "$src2" cp -f "$asc2" "$asc" cp -f "$mdwn2" "$mdwn" echo ================================ echo "The fingerprint lists ($asc and $mdwn) have been updated!" echo '/!\ You should now push the changes to the wiki. /!\' fi diff --git a/certs/public/fripost.org.pem b/certs/public/fripost.org.pem index 21e7834..6138e4d 100644 --- a/certs/public/fripost.org.pem +++ b/certs/public/fripost.org.pem @@ -1,34 +1,35 @@ -----BEGIN CERTIFICATE----- -MIIF6jCCBNKgAwIBAgISESF11XzOHj81ZogVBVzxjIZRMA0GCSqGSIb3DQEBBQUA -MFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS0wKwYD -VQQDEyRHbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gRzIwHhcNMTQw -MjE0MTY1MTEzWhcNMTYwMzE2MTY1MTEzWjBGMQswCQYDVQQGEwJTRTEhMB8GA1UE -CxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQDDAtmcmlwb3N0Lm9y -ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKmwUaNJT9sQMyZ6ST5O -ohafJdfx+cKPpn3zHUg+bXbwa0L/UgOLqWuwz49zKPcIu3ZdP7t6LqM5jyiXqaIS -blAudNAFkqi3oEEHn7Qi4pTkE5Gq/X5Cw/uwjTBv7KPcnNg3lPkpw44XgohFMHTd -WLSEScVeR9gKTZKe9ev0R8XeUK55K+VNVYDoi4u/4XsPD53wGJSoOP9Ph9fWHIkc -FhXzPGSWVErlPUucs0Yd94umR3Ws7OQuWTNwwT+2vzeeer5qsW/Xj41gQquviAbj -7FIRjjxO0ONC+iIlor0TJzsKIaHVvNfCXCfDsRQFz8voOrnGn5lwtugBI4WmLm35 -aLPV2sNzs8QoHdd9ZgXTu4h7SyYkbZwSCsjeo+W1ggoA5q85Krk6XzsR5G5Ay4ao -NiYSt/GKo6AgIHywCaPiK8Gsv+E0LPMSy79zmNo1K/LErlnknkd7/m01lhO8ION4 -4aLwEwAimbbn5Q19VT7KSMO6GjDTme5lzizIF9S3Qns6PXRacak3KNVo31qPPNmQ -VeBiFe6nonpCSDKc2+CFmmpVKqNT1fTsolrb0/ZNn/GrY/GPy2jEEW9vVUvhToNz -tWTrRzspROWCxKZrKBmPCi3VSxjcWisoTjN1pshdX9q3j0wV7gNPUxpHiKWbaQN6 -aUKcdem7KUJN28wPbYM9x0mVAgMBAAGjggG/MIIBuzAOBgNVHQ8BAf8EBAMCBaAw -SQYDVR0gBEIwQDA+BgZngQwBAgEwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cu -Z2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wKAYDVR0RBCEwH4ILZnJpcG9zdC5v -cmeCEG1haWwuZnJpcG9zdC5vcmcwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEF -BQcDAQYIKwYBBQUHAwIwPwYDVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NybC5nbG9i -YWxzaWduLmNvbS9ncy9nc2RvbWFpbnZhbGcyLmNybDCBiAYIKwYBBQUHAQEEfDB6 -MEEGCCsGAQUFBzAChjVodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2Vy -dC9nc2RvbWFpbnZhbGcyLmNydDA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AyLmds -b2JhbHNpZ24uY29tL2dzZG9tYWludmFsZzIwHQYDVR0OBBYEFEkxhnTOMo28i3Yh -yH9oLEL+HNjJMB8GA1UdIwQYMBaAFJat+rBbuYNkKnbCHIpp2kLc/v0oMA0GCSqG -SIb3DQEBBQUAA4IBAQBWzbngCosmPDWYEys4jRqkeAiIPZDXXMCschXEt5WuAiBb -Ztve1aS9Lc8BGXyusZCrMbJ00ZzBXIyoCGmq6BxKd27EruQlb7bmcnGLyTCaGseg -E24L6nuaojTfH5phFtQl3kbkFYPo1Vcc0/T3vMKD6vpBkUhWdl2YwWpog/59eXsJ -SsyQ5ZTG0hehLEBSLc6tO3PpM588KMK7CYVixitYgjcLTNomd4xdNRF2I9ayRw2R -/vU8AmjNZww2cCQO/GeMqZMqzKTNVwPejHx14wx8X8z4DS6n/wU3U1N6WwpWQMqW -R0gEBOX9hpLqu9PQuFC3ipmcpek7ZjtOg6+SiLZ6 +MIIGHTCCBQWgAwIBAgISAVNRrmK0qo/HwaqLbfEeSVcJMA0GCSqGSIb3DQEBCwUA +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMDgxOTM1MDBaFw0x +NjAzMDcxOTM1MDBaMBYxFDASBgNVBAMTC2ZyaXBvc3Qub3JnMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEA40NtrjEbAPdCAliRNgd+6DgwGDGe0eOwyIWu +nhwWQ3qOz+6zmSVqW4KhbPW5ISipA82SKw97Gu9g6nSRWTHMkry4SzSpis99eQ7x +QA8TpLm+g9MzH8CJKs3ea8N2Xqc6EqpnaNmCSo07+0oki2r5LRAwANChLOFuRvRI +Mg4bckDcJ5WGR7n+E8NllZI9ntjeFk9uqNcnXkCU1j5kCG9P5MdRm3mgSHCCZN2o +3JcBFx2Na6QWLRiCHA0JY2xi/MNewdk2LRAYHxT/4HHXNCJ0zBKYNZYDbAVLIOhd +5Nb8ZrgNwG+Tz3gdgeCM3P2FEVNaufOh8YgxzCXigbogVLDqzTdVOi1I7ERUCOsG +jh8kN+Nbte1hHLPFuVCQNhiaIaKFM+IYUaMWPoLxN9knHWcVUMwdwuKg9lLVnGvF +nV+SZcqtekIZ4L6Ekw/tQtjxEKpm7AWYIgYCt+K6XAs4nzjFpAvGbgzqZE3jWtjg +twpkc+UsPL9YNwwJwMnwGZfLeM3lDeJo7U1OYOf0MV65H5JRM0wduqvpnCm8Ft0i +7OhEzOi7/wBtWU0TnyZNYz6wOZ0nMAvqjHDJ+NmE4nWoBQHY+hDD1x+pAtKNy2jn +nfjd6N2ToUEdfIBiNOT37uinMwDq3Y+BCK0hUEyOCE8MKx82v2aysgc2sLHNKlsO +zBScg0UCAwEAAaOCAi8wggIrMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr +BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUHZY9GB30 +kxEIRKVLzdyDVL4FPycwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEw +cAYIKwYBBQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDEu +bGV0c2VuY3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgx +LmxldHNlbmNyeXB0Lm9yZy8wOQYDVR0RBDIwMIILZnJpcG9zdC5vcmeCD3d3dy5m +cmlwb3N0Lm9yZ4IQd2lraS5mcmlwb3N0Lm9yZzCB/gYDVR0gBIH2MIHzMAgGBmeB +DAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMu +bGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNh +dGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFu +ZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5 +IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0G +CSqGSIb3DQEBCwUAA4IBAQADhIMJYMH9neqNP8pnYUn5XYfZorIRB1n3hbE6s849 +KuBcdAwmbgLXkL67r5cQRUCmLkV+KRu8XOrBHQtYOxzt1ANEWs4lRgZdz3UFUnXT +/9bzY4DZey+DOmOE0qG9oZD4AZTguFcnkDC4adHrmzdMf3Me3zF5hAJR1N2fEpKk +vBjnJRKA/90/5U6VMHUiBkor4hMwzfuUCZdgNKvVeGhDWVUr0OLOnW+b8MnmLz87 +LvxR5DgqyxlKqq6CqsGzzLs6qdFqAiZjB7cF2s7e/Wi3nVDFr8Qb1TlxdlkQ15ka +xbvhxUD0YHOsO+hGiwbo6gAeFrzP3uxTTzhrtHnZgOVZ -----END CERTIFICATE----- diff --git a/certs/public/git.fripost.org.pem b/certs/public/git.fripost.org.pem index 5360ec3..65fd6f3 100644 --- a/certs/public/git.fripost.org.pem +++ b/certs/public/git.fripost.org.pem @@ -1,32 +1,35 @@ -----BEGIN CERTIFICATE----- -MIIFgDCCA2igAwIBAgIJAPfN6C7lrvYQMA0GCSqGSIb3DQEBDQUAME0xEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQwwCgYDVQQLDANXV1cxGDAW -BgNVBAMMD2dpdC5mcmlwb3N0Lm9yZzAeFw0xNTA1MzAxNTM5MzdaFw0yNTA1Mjcx -NTM5MzdaME0xEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQww -CgYDVQQLDANXV1cxGDAWBgNVBAMMD2dpdC5mcmlwb3N0Lm9yZzCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBALrzJ7lrPSoRqktTezi2Kd1X57JntjUhGzWJ -lH4gwQeJK0IVm1N8qP7pxJ6PCDd4wPGWzXwegT/hZH28GGVbUFVCu6v6ACmm4+bQ -PJYzPCavZ7xdI8KnH5K/rNr29lqst9YTXcQTgN52/LtsMnk1K6yl+I96Zq7gSOxg -C4nFNgykwGGhopc8HbxXo/5f40immkRcF41AOVy8Pb4enUCSO47ou0zV2BmD/DIq -TdImYzom13Bhc4l8hcd2LQuD+NZvmGq4Oq0Sz4Xwqm9wHgUIiBT4cw2fGBi8hKio -OJ4Z8j3d7CHmbbXJDYF4heIWycuJDNjNooSDs/rIsqSgiIaGXOShHA0N2sQl06by -vFKQ0a1vSioq1WaorEeIRbb+qSTtEPHeZe8K4tpgiV1xjsbwceKirB5a1kXACV8z -OklGlYmUX3WiHCIbHA23qngUsmIcpWd59S6pGwUYOqbPnQHBrvA2EnmrqnR8FpNE -1NXE8MY1OJGSIHZdMBzrMW4oHTXKf9FVyBVLF7HQHbhOqiY2nUM+oUxc9lDjGASM -pxNH8YrQ+fEs0x3TX0RM8rtMSbMdLJnn01eUx226vj2lEucjTnmVkzIuoijDTWnO -pvNGz88+hNI+aaaD7Zskzw14qEFDocI3xPN5vf4XuEBrAKJI88N1YMqjpalRrNu5 -GpOPZW9tAgMBAAGjYzBhMEEGA1UdEQQ6MDiBEWFkbWluQGZyaXBvc3Qub3Jngg9n -aXQuZnJpcG9zdC5vcmeCEmdpdHdlYi5mcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAA -MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQ0FAAOCAgEAIj1HrruLLYdNpMWr -HtfG94VEiPSGoy6Fh+u89iBHyYw1NVmWqNP8dKard4DG1TZYmHCEu4z/g86ryLDG -3A5h3d4DnLFbnMy2H+4eYA97h/+5MRvYTzA0CFJIEwDFyziFi4GZGLgavRTLlj/L -7JyjO2p0v0yR9ifkbCpV72Wuyu0lffNuaJ4+6Y1wxL0WP5toT2p6SRyk/Jx7NX/7 -xvEI/8nlohnkKbv8ubwS7ZpmF57IO3FfRVKIqOeo5aUQUvydePlyGG0Iuu0uR6q6 -OEcMnIfLGtETyDj4vo97FM/hzyVdzd4vniET15wwO7SZ6+U12s/ofYTEzN8kCrxO -C9WguSQlhvM6c02CV7neOL6PEogeGpNchkJwwUpMYF3OpGWg/epP209WVGflnHmg -hVZzoxDNJ9MuR72okR62X+rpn4oqO92dvSWnAEmStOpUo0i5nlMprNsd3FLg8uVC -D2DyyaefBVEqYGTLQertr4SRR5hOduz/ltbmnuESY+G327lNma4jl4kwpyAP13sl -JrfN/WTsYKBTsP1Aroe+MlwRxMNIyUUi9DUe+ZJNyAUELXM4LMCsu+6BvScarQIJ -H0lpqPZw+4XkbdkK4SdH9WwmpkzcFhIQBkWtYJe1/S7LuBlDqQmIZP3qDYuR36Vo -FeM2vPhQnlbj2qQomaMM+j6y5cU= +MIIGAjCCBOqgAwIBAgISAYNlFOqyNr6JG6VCrfsp/5VCMA0GCSqGSIb3DQEBCwUA +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMDgxOTMyMDBaFw0x +NjAzMDcxOTMyMDBaMBoxGDAWBgNVBAMTD2dpdC5mcmlwb3N0Lm9yZzCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKZhfyFvQMwMR4fRPBDKsyIkSe7M5wnx +4IZ0yoJLEU0xq84K+SRQ1l/d2nrnoXQ4QKZj1/Ld9tF0nv3OrmDVvoIjalVCNn2g +/XBW0e41KdHybhim3hYYB5WajEswGQB8UUgUrCtLoVFhzv9YfrPLVEgMl94GFm0B +Ju+hasccQrpqD9G5Zzy39VNXaubORUrGXAhpv3yxzaT+WPcvu4kSOqTNcIchujNg +oIuzp8wtBFSoRfU138tZpLAu+5XK73klb50sDu1/PsL6XnfjDgSGhdhEpkKrf5tS +3dItAWvJLm9iLAdfLYRye3bgnGkTTiFr6HXiWEbFEb+SccrPtu7nSQEOwjQAIgM+ +eyDuBQE8/z9TN4xutCQOnR4FMysfGUt+Qfd7IZ35Sh1NKcUzN2LHNw1oY06wOMyh +OYqKztIn/rLjOy+O6sphjy5mn2T4CzQHsqwvXbBHMqnx2uGOLJs2bAbWPfTkmggv +20lfvnao/L73/RdG9oXqMCErPgVekh90RdpI5BpiPU5cgoNnSgGc6bw3O31CItgT +dugAzP7mmHdq+1vEgF4Bu6QgBve+UTmJNw5oPTxDW/kDMcmKryz0mJTIv+8EOQLM +OolWDwKE/v0bF7hY62PVKupb5Whky3k80uUYyh+jD9OMUDvfROvAqmd1CdtpJLhF +XXxdjG2JonSfAgMBAAGjggIQMIICDDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw +FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLlf +KgMvKLcbf4VlquCyXqJeRuMoMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/z +qOyhMHAGCCsGAQUFBwEBBGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50 +LXgxLmxldHNlbmNyeXB0Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0Lmlu +dC14MS5sZXRzZW5jcnlwdC5vcmcvMBoGA1UdEQQTMBGCD2dpdC5mcmlwb3N0Lm9y +ZzCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI +KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC +AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g +YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0 +aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5 +cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAmjjh+ymazFdma +4j/fVcAPxmUJSUl7dqG+lohv2uSwnjz/SEMtiOLcpoySOJZAN/tjz5VWvgA+/xeL +EhmFs5P4FuxvhOX4LJgLgAKL3tEoIvantGi8nPCQh1UBYgvQ3Q5B2svehNWezQva +qJ0jxsXN8o2BtBq4oC0m7e7UDu7o1YXxZEspPkK6wCAsB7m8fAdPHPA7AyimfqTj +lPztlpkJsZCGa5lplpi6EvS6wzFkZuWQYHaxqb9L0dN9SVu4YwshEBoKdUMIxSeM +hD6Dq0ebWLYRWg2AHHnF1xtbfUqQLw1kqbdgcl3vcsoDPt5nDkStMIVcd20nR1W6 +KGZ8K+jB -----END CERTIFICATE----- diff --git a/certs/public/imap.fripost.org.pem b/certs/public/imap.fripost.org.pem index a639fa8..1896b4a 100644 --- a/certs/public/imap.fripost.org.pem +++ b/certs/public/imap.fripost.org.pem @@ -1,29 +1,35 @@ -----BEGIN CERTIFICATE----- -MIIE8jCCAtqgAwIBAgIDAly4MA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NB -Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV -BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTUwMjI0MTI0MzA5WhcNMTcwMjIz -MTI0MzA5WjAbMRkwFwYDVQQDExBpbWFwLmZyaXBvc3Qub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Y2yv7YbJzrmNYBFRnDtUM4Rpxg5wKAPxd2B -3PfMDJ9CLmp3uRsZ/EgO0QsWa/7BE4OymbUD69OKK2tb5bNpDbFKPT2K7SlWaAcK -VVkUhFgKgqrGuifdQlOJw/IlUPZj9u3sfk2rE5D1KcxBqVfGEWJm0pvxrOm3Ki2g -ZjJFrsKonAaXV5STPt7KHMk+UuCVpNRCLckbQ3kZBop8Ds8uOFHUf6dKSSnAFN68 -NY6l5OwFbTqie+6hhsR1b/k+/vyDxOrm9wwGV8fYfdfPzYdv7wzGLJw0YOyVFwmb -BWDOFps4AVxnu5WC1oUKjLI7ClYY5Bsgl/M295vaYssqLs0DoQIDAQABo4IBBDCC -AQAwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwNAYDVR0lBC0wKwYIKwYB -BQUHAwIGCCsGAQUFBwMBBglghkgBhvhCBAEGCisGAQQBgjcKAwMwMwYIKwYBBQUH -AQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5jYWNlcnQub3JnLzA4BgNV -HR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNhY2VydC5vcmcvY2xhc3MzLXJldm9r -ZS5jcmwwOwYDVR0RBDQwMoIQaW1hcC5mcmlwb3N0Lm9yZ6AeBggrBgEFBQcIBaAS -DBBpbWFwLmZyaXBvc3Qub3JnMA0GCSqGSIb3DQEBDQUAA4ICAQBd+VPou5v0FvKn -kIh/VYj6ifSIqmmD9BC26/IwKc0T6gYG/jSnqdp7uDIXLGLcBymTHu8Jur11aOZ2 -7PQcF3urZiJRca5NCF0TzVM06i9wm4tZNPBu5f/2Wpez6Tlh8oDsHvfNCLMNEgxJ -wS4WgST0wq8yXTyJcnKG85lY1BxZzk6JTogZZEqxOjk7W2DxdILFYIQlFT7mFsX+ -Cgru6mP0VpO+tRhMHaBt5gV3gimrTovqNOW0DOKy9TSWU0WgJ+R9ehqxlAh0AIL8 -aa/eTOHCZ99Ad3AE+eFx59LLabSRz0fNxfKojN/KWG+EPwMkE3r/FoVgcXc4/1Gx -D6KAtACqyAgGONaTSkjRnZsvlQmKpcdNvPRV6Xt8tJNlqnCOdSNKqFQkNWQW3eXx -cHKbOl77m/cflT7vAIz5nv+LLiWuwSLRzxnLTy03iOIXBiIpnGvLSbGV06ocSQjW -OUB4dCIFn1a6LjmExoOo5uqSrsKSUoit47D7PpumE0P2pLD7+iNYpvHhuQh9Galf -6UIeO8POiZR1kso0XqfyYWGcmrOa4SWLPXRK1dRlz12XVtAN5B+JWGUmsixAFu+l -RxGL9eLvFWjd/KiuZUNRcoge80Hf1RrHDuu5GUWjlKmxu1QzS+Kpdib1fQx1ukt8 -iwWMTlTVy6DNy4OillMconIZ2Rx9wg== +MIIGFzCCBP+gAwIBAgISAeKF61Exi1Bd4jXjTumceSXeMA0GCSqGSIb3DQEBCwUA +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMDgxOTU5MDBaFw0x +NjAzMDcxOTU5MDBaMBsxGTAXBgNVBAMTEGltYXAuZnJpcG9zdC5vcmcwggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDZaLXYYngW1ioTzfNRtmUeFh9Kopdi +1qfcpRdPwTndRJRfWNC8eA66gDsypYAHc2TlKW86H5ktSpl4ZxmeXTPvK1Ajfe5u +MkOwIHrjHCqKtXXYq4VX0bPCBNSAtT6X1/unBebEoMl/SX6R6m78lEc2020bW7vT +ATMbdGN0AKW3C+zyfOAK2uMILEaFL/0wQRwXJZD8vYk8XH6h3p2Sb9Zb7X5xb0kf +QoDom6AV6gNYnFGsxZkTGcAZVfia2gjM2gl7b/QW8FH4ENazrYqyMs7wMAOvYLfJ +WybxgwqEiVIG8+p/uYIKfqZaLabBXa++JgEx1CkxqsTqXAw2ruYGNZ46V0YiUxnk +Huyoq6eRR+gnzN7TUVx7bbeBCoKcin/r33TSJj6rc7l7YrzelO7LpLDV67gKxhjE +y76BILtscipL2SV/MsRR4mjn3Lm74Al90DHgfsXYlPvzrOdpDqwhpv96LKo6lop0 +hz0PQMQrYWYu43wfPAZOZtBH5Mdc/8NapnA6cnzWhCxtWKFK+bO6FItUgDGxET36 +WZUClrRpCLHk+nOn9buPWddr3JbEasvTdgIDKWF1D4hqKxNK1+myo7fQE6999nEO +jrpiN5bhr1HUOWmSOnEcPm3zUskDk133koQ/CpfUMzg8jZpXSsYpVRov+oUZofcU +zkPdVExs8rz7MwIDAQABo4ICJDCCAiAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW +MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQG +WiAaUhAefQy9IZ0tP8BZqxPF5DAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv +86jsoTBwBggrBgEFBQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmlu +dC14MS5sZXRzZW5jcnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5p +bnQteDEubGV0c2VuY3J5cHQub3JnLzAuBgNVHREEJzAlghBpbWFwLmZyaXBvc3Qu +b3JnghFzaWV2ZS5mcmlwb3N0Lm9yZzCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB +5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2Vu +Y3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5 +IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5 +IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5k +IGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3 +DQEBCwUAA4IBAQAS2kt6KFeNkudjNucQcxQv9qx2skPil5Sh1YqeJF76tkVH0nno +0JofNwz97Kzn73VKYCBMiL7VsbK2mOskfl2kl+G9vlY+S5ElQM0zZQMT6XgDKJs7 +a2hVADdca4GAldu9KGjHxiERX6I2tfZ59CH3/OXpHbhT+IE8HqOLpT7Dsl9n6IKA +QlCuDIjEYSPq6f+ob7asivKNZJIUIWpzzEjudRCbEvijS6Nae4O79sS0UUpqqPws +17iXYORZJ+hvPglCZK6z9zinZaTPoAHE2UhaJN7fqPF3opvmjiSZkDFFFvA41lkt +gLrdsIE8QxR3riA2fBtMjuEdUmcc5HUNRVW/ -----END CERTIFICATE----- diff --git a/certs/public/lists.fripost.org.pem b/certs/public/lists.fripost.org.pem index 7182fe5..7e04b9a 100644 --- a/certs/public/lists.fripost.org.pem +++ b/certs/public/lists.fripost.org.pem @@ -1,32 +1,35 @@ -----BEGIN CERTIFICATE----- -MIIFcjCCA1qgAwIBAgIJAKA4tp7v9dDAMA0GCSqGSIb3DQEBDQUAME8xEDAOBgNV -BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQwwCgYDVQQLDANXV1cxGjAY -BgNVBAMMEWxpc3RzLmZyaXBvc3Qub3JnMB4XDTE1MDUxMzAxMDUyN1oXDTI1MDUx -MDAxMDUyN1owTzEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2VydHMx -DDAKBgNVBAsMA1dXVzEaMBgGA1UEAwwRbGlzdHMuZnJpcG9zdC5vcmcwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCxzcjPc7tIddB33YfHGUZmhP3mO6Fl -k8pJL7nVJgyrnMr832BDyhUrmNGqZc/ZXkY+4QcCv600AsOTqi/e+pCQ2bvddIy4 -7I2jk1qwV1g44bJ4169804uaPROmb0D86RE1XF+3EkIIjyEAReBX9vRNULnbYMlk -YOrBLy+E89/9huZyhCJO475kq/4AaUqmGc0PR1SSUUpJdAjyCiOAHHZAYtgqBuOA -2tl6uhZvu+OLbwFY+bitXe0pJJdk9cs/U8c/3X7WqUp1ek9WRPwMfasro5r5EGct -+ZQw4k1jT3jvNji4pVLqis+WzcOGaMIEPyANPmIsPXr6h89FrBLVf3ccr7V9Qrox -Px2NCyCfeodrSF+RZjeprCJ9+fpksTJYz02qEbBrslj65TlPMjl1E/JQ1n2H47F1 -8tEAJ0JMmSlvx+WKNMLRKr4cw5M8aqaOunQpTYr+O7UzGspaYwuTn5hFxIrGDJqx -e4TUByBRNiiX4tTYzvuPvPlnEhOcRz9mVPGMzMInlmM+1K4eIQenQeqvMeEcIk5c -NibnODQBqA4e6XmUPyh73y8cz0u3s+EBz+vg8m0785VlB/HHVxanJx6J9R4zWi2K -H0MXvVAFI8Om4sA1eg25EogTmPZQp6N1xsEQIl5bt1yiv0XJUdSdzpY6hho160u7 -hge7KyBZoUX/mQIDAQABo1EwTzAvBgNVHREEKDAmgRFhZG1pbkBmcmlwb3N0Lm9y -Z4IRbGlzdHMuZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC -AqQwDQYJKoZIhvcNAQENBQADggIBAKZHb3C/tIft8PzvR/K4c8CKWOMT1afizz/K -VVlYGG6JHAjGCveIt61oD+entbxLGjUNqPbq0JLlocEeI1BXT3ikMTmhCmjuB5XQ -+it34Xang3KNe7jDJOc7Z+GXYY+lqYA3qDKXIOXi20zziVmy9MAyEwuqRLdGziO4 -u+yYHHwHaK+2qgiMIP/wCcLlF2uPsOz0A+3/rLvVQiQURfHLL97a1sY3VNuYPuMA -EXhUouyfibcBHRVfFANSj2QSDpbD5ms9xoDbmO6qp0Kw5408M2KwF1EaZtSTVRQS -tyKCJ+7olziAXeQs/I0WENjxSF9tKSW10VWzXk1zJaR95BkiXNaICHyB0zRIXeYU -DRzlhgWuxhWwf7mfCr5Uzjn/AMQcS0ba104bFRsieag3SX1KnU9PyQdqXc28jfo7 -2IdGj2qIeYY+I6sGfyD5rXx2W5+t+cf8of0stlq4bag7DFbrN9RsSMCpwrbCrpMy -BO60QmcYRrkKNL04t+723DWQv5joekaKQB4Wy7fZldhd17Kit3Ds/R3Nc64znVfh -KRn6QYzHOdYkf1MBMeS91qaGQTDndKFjZlayO7IqSusNEoDLp6f1knl+WU3+qwoa -CkEH6MjpRmjtu7dGudQPly/XkgpnDMRR8B8o2cNHpKQNYwAyE9bVPRIdnx738Vjo -l3P0GZ75 +MIIGBjCCBO6gAwIBAgISAUJ3fVQbiEbMMnke9mXi7hwwMA0GCSqGSIb3DQEBCwUA +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMDgxODEzMDBaFw0x +NjAzMDcxODEzMDBaMBwxGjAYBgNVBAMTEWxpc3RzLmZyaXBvc3Qub3JnMIICIjAN +BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxy2uS+XBKPzAqj72knb7BOxowvWc +vtXzCWtU0QBxkcjwPIuXT5tO3/VWOTV3TZZD4rLX1W9hHk+YB7sC+a9SG8FnNnp6 +L02NIfZf+PmI2FSimA+8E9aA5tmh1zYs4vyT3cre4TUceOfmqa7umsmkRA7pMNzo +Q3EtYduS2r9mr7CRivjkufggJu/gOXGpt2bZ2vlYdA8PqkWxQvNERqjRMaBQd8hJ +bhzUEmfHdGDMN3f3BpylBYdmRKpj5gc1mEwUgThYJUuar8TU7SuJZVf0VKUcsrhQ +jYcUb7afnPErIh410gEoOZpmprLVgGEyCRj9l9crez0d1zzun40E0DDDlIGMYcOB +BwRotVQZnbxGm9h3enOrXdDHw97FGfoI2DhG/51N6Nesem9WaBa6bXO0XsUf8jw2 +sqpaJWd6W3ZyjpnLRwSOPzDWlQgcCx/AVxUC6N8qQMZFEnhaZP95gnQ/n5VPtCO5 +XbgNEvZuBj/95yyDQA4dozRBJ8ELKpW+7aYeSh75KTidjthHPijzCMHkI3xK5csJ +XnKAhTEenw9lfcBHvx/eogQghktDdBYa3sjQQOoyQj+33DR5HzKKsJAMsKXRKDBI +/tolHSxJtYwoFNTNOFJ3aq/gPWZqgqm3yctAIyq5oHraaJAOzBkV09NzUFdI5Dw0 +UC6YmZZtmtKoWVsCAwEAAaOCAhIwggIOMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE +FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +R9kLB3gXJ0EiHvp7BNKA6bGL4AYwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl +7/Oo7KEwcAYIKwYBBQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5p +bnQteDEubGV0c2VuY3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQu +aW50LXgxLmxldHNlbmNyeXB0Lm9yZy8wHAYDVR0RBBUwE4IRbGlzdHMuZnJpcG9z +dC5vcmcwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW +MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB +BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1 +cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp +dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl +bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAB2LfUsTB +hLYAAsRpsHiGvJunfsiFUA4lWWAXD4fQ2LND60uv3yK7H+EKJRCZmkgTty5tIOHe +C9Yb8oyjE6g9Irg7viPgab+Ago+ILi+TbP2VwjKO1ggmvpLmFLxA7hGG6e8MOJx2 +9TufciFTouIKUznmWGNXVPEOMvDjrZYrzngaYP9LC1jHa94hyAGBOCSeLGotzdPo +RLzvROggglmWo8gLG6qjJD5m4QSaUG90OMyd6WUftEd+6iUb/vc6/1QjHnxyozEQ +sQovX2l5LL9HKPvoQzZbvxdPt7fzufI152izY3A9UfMfgb56XoD6NP9MHt9HlX0C +aNpaKPrfsIApHg== -----END CERTIFICATE----- diff --git a/certs/public/mail.fripost.org.pem b/certs/public/mail.fripost.org.pem index 21e7834..8d64f50 100644 --- a/certs/public/mail.fripost.org.pem +++ b/certs/public/mail.fripost.org.pem @@ -1,34 +1,35 @@ -----BEGIN CERTIFICATE----- -MIIF6jCCBNKgAwIBAgISESF11XzOHj81ZogVBVzxjIZRMA0GCSqGSIb3DQEBBQUA -MFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS0wKwYD -VQQDEyRHbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gRzIwHhcNMTQw -MjE0MTY1MTEzWhcNMTYwMzE2MTY1MTEzWjBGMQswCQYDVQQGEwJTRTEhMB8GA1UE -CxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQDDAtmcmlwb3N0Lm9y -ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKmwUaNJT9sQMyZ6ST5O -ohafJdfx+cKPpn3zHUg+bXbwa0L/UgOLqWuwz49zKPcIu3ZdP7t6LqM5jyiXqaIS -blAudNAFkqi3oEEHn7Qi4pTkE5Gq/X5Cw/uwjTBv7KPcnNg3lPkpw44XgohFMHTd -WLSEScVeR9gKTZKe9ev0R8XeUK55K+VNVYDoi4u/4XsPD53wGJSoOP9Ph9fWHIkc -FhXzPGSWVErlPUucs0Yd94umR3Ws7OQuWTNwwT+2vzeeer5qsW/Xj41gQquviAbj -7FIRjjxO0ONC+iIlor0TJzsKIaHVvNfCXCfDsRQFz8voOrnGn5lwtugBI4WmLm35 -aLPV2sNzs8QoHdd9ZgXTu4h7SyYkbZwSCsjeo+W1ggoA5q85Krk6XzsR5G5Ay4ao -NiYSt/GKo6AgIHywCaPiK8Gsv+E0LPMSy79zmNo1K/LErlnknkd7/m01lhO8ION4 -4aLwEwAimbbn5Q19VT7KSMO6GjDTme5lzizIF9S3Qns6PXRacak3KNVo31qPPNmQ -VeBiFe6nonpCSDKc2+CFmmpVKqNT1fTsolrb0/ZNn/GrY/GPy2jEEW9vVUvhToNz -tWTrRzspROWCxKZrKBmPCi3VSxjcWisoTjN1pshdX9q3j0wV7gNPUxpHiKWbaQN6 -aUKcdem7KUJN28wPbYM9x0mVAgMBAAGjggG/MIIBuzAOBgNVHQ8BAf8EBAMCBaAw -SQYDVR0gBEIwQDA+BgZngQwBAgEwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cu -Z2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wKAYDVR0RBCEwH4ILZnJpcG9zdC5v -cmeCEG1haWwuZnJpcG9zdC5vcmcwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEF -BQcDAQYIKwYBBQUHAwIwPwYDVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NybC5nbG9i -YWxzaWduLmNvbS9ncy9nc2RvbWFpbnZhbGcyLmNybDCBiAYIKwYBBQUHAQEEfDB6 -MEEGCCsGAQUFBzAChjVodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2Vy -dC9nc2RvbWFpbnZhbGcyLmNydDA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AyLmds -b2JhbHNpZ24uY29tL2dzZG9tYWludmFsZzIwHQYDVR0OBBYEFEkxhnTOMo28i3Yh -yH9oLEL+HNjJMB8GA1UdIwQYMBaAFJat+rBbuYNkKnbCHIpp2kLc/v0oMA0GCSqG -SIb3DQEBBQUAA4IBAQBWzbngCosmPDWYEys4jRqkeAiIPZDXXMCschXEt5WuAiBb -Ztve1aS9Lc8BGXyusZCrMbJ00ZzBXIyoCGmq6BxKd27EruQlb7bmcnGLyTCaGseg -E24L6nuaojTfH5phFtQl3kbkFYPo1Vcc0/T3vMKD6vpBkUhWdl2YwWpog/59eXsJ -SsyQ5ZTG0hehLEBSLc6tO3PpM588KMK7CYVixitYgjcLTNomd4xdNRF2I9ayRw2R -/vU8AmjNZww2cCQO/GeMqZMqzKTNVwPejHx14wx8X8z4DS6n/wU3U1N6WwpWQMqW -R0gEBOX9hpLqu9PQuFC3ipmcpek7ZjtOg6+SiLZ6 +MIIGGTCCBQGgAwIBAgISAc9Od/F2ZI9NBTwVRRs9P5QGMA0GCSqGSIb3DQEBCwUA +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMDgxOTQ2MDBaFw0x +NjAzMDcxOTQ2MDBaMBsxGTAXBgNVBAMTEG1haWwuZnJpcG9zdC5vcmcwggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAW/LL+h8Iqhv+6MhmqNCEmXBb822T +C+uVIGS2wY4sWMl2A7wkldmG7huERI0ornL2R2ypnEV9Rlv8YdnBfnuDGRKNr3DE +JBgVZFfel3XDlne4U/oQFpFJFi7DkCpU+tpAsadt6TmiLgW3PsQRwDiCuEpfGKmo +f53QRkHxIVVfrR84hGK8beqQkSn5cb5e0XaAof5s9I/IlU9WcIlSLzZsWLE3WAO9 +QO1goyDrBCeTvMUIC3lkFlSIyJL4m0dyPM9RoELpAOX0i2YQ+Vz8sW5n/6xPrBGU +piNTaQKa1gX4fleu/6ZEdIzRC7y1vX352wED/cPRC3hLc4kEnUqj+4UzxZup4xe/ +zITxLqa7DArOnj9o9qNCOaLy9zBE6RgJMR42Wv4R53O5GTQHkcU6UtZrSbuxdK6j +9+3HwfLOwGEbb3dE8RSt1RNvz9cu1EqFGPSfsiGor1v3fiuL7OK/+5+WdxF4myKv +xui5fmU8KyoDebLs+59CcBNHTcR94eyiSTTDvPgZUIzQaA75wWjwc2S/Eli7Znc/ +bW5PMZhJzqdmORvgg4ryZUl8Vz+KyeGBK+Z5BdEAlsQcOZyax+Ixlc6Ek90Fy71y +c7lxRbs73FbMIEBKaIceMmEp7jRjqZHZYwGQLyD98XdSCRHFryU8gkdjTKcnZNJp +9EFpyOXCpaVS8wIDAQABo4ICJjCCAiIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW +MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSm +OAr5ZZ5/QM3nckd78yr33xB0STAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv +86jsoTBwBggrBgEFBQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmlu +dC14MS5sZXRzZW5jcnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5p +bnQteDEubGV0c2VuY3J5cHQub3JnLzAwBgNVHREEKTAnghBtYWlsLmZyaXBvc3Qu +b3JnghN3ZWJtYWlsLmZyaXBvc3Qub3JnMIH+BgNVHSAEgfYwgfMwCAYGZ4EMAQIB +MIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRz +ZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0ZSBt +YXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRpZXMgYW5kIG9u +bHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91 +bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9yeS8wDQYJKoZI +hvcNAQELBQADggEBAH0J8G1vhKLfTPsE0CNXzKNRk8BtL9zjoAPacX4B3L35UMzU +WiiJyFueX8haqtU9SfI27fvEml9hhpTUkCkcybMOlmhtMbdRsjqLdskT6LIPMmy1 +Zaw1KzVhyKQ9n+GJKqLWjiPjL/n68SbBofG5ECRbs3xunwk1rjpaKfLQgwqYQWhl +5hPZoqvtX9FgkYSOQm3do9LbXwotP8O4IV5934Usg6Z1u7PBApVXGnC2XyLNC6d3 +M/hUhNzzSgiJcgi6jysjtSbhV2zxd3vXCyzQpwGE/O9Guk94xmPG2abQmK87rYDi +4H0Uk1JSUA9QI5N28cBCgbFbggqb4XcF9TjXTY8= -----END CERTIFICATE----- diff --git a/certs/public/mx1.fripost.org.pem b/certs/public/mx1.fripost.org.pem index 4125fe6..9077133 100644 --- a/certs/public/mx1.fripost.org.pem +++ b/certs/public/mx1.fripost.org.pem @@ -1,17 +1,35 @@ -----BEGIN CERTIFICATE----- -MIICzDCCAbSgAwIBAgIJAPMB7FTIynrtMA0GCSqGSIb3DQEBBQUAMB4xHDAaBgNV -BAMTE2VsZWZhbnQuZnJpcG9zdC5vcmcwHhcNMTQwNjEyMDMzNjA1WhcNMjQwNjA5 -MDMzNjA1WjAeMRwwGgYDVQQDExNlbGVmYW50LmZyaXBvc3Qub3JnMIIBIjANBgkq -hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAujhus+DICT/d8icmD2nXeOAv/g8BFIoC -vNMJVloT8P+sivFsEi1+WL+4af30N/ic3Sr5gEzU0i85XGf59USdCP+3oB6gwg3y -59LAvLZGM3b0uD8YfV/OctCruSkb1BNgKnrEvavuKZxyo0lU6KbCymGyJZXlXxHL -+fmhNvF7dBpGzCtaylSjc7j59TfNHr5jM/itcNQZaxAujJUGg2yxfMNXUBnMxYOY -LReMpUUacJUUFtBhlTG3ny/Jrga8TxlsvVtEl4yZilpqVJa+BF5G3ex8kaLyYOD/ -frNZxmVoEV/tvqNDtpXGKbpVUVp2HOg+FkJq/d8wa7w0w0akNnpoZwIDAQABow0w -CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQCqPS6LLs5gzKvFcAOMnkpH -3+iVEWEpv8UlSb6QIyWVkr5DtyP2N9I6AaDKq2qiwKg1hWanPFvmrkKImXnYm/GJ -ehMLdkjE3Y6rZZL9iU91KJLu35jeoWVjDjm+Xsjt9JvHELQtDnTxROLv70hL2H7l -Xu+8xh9iYMrHDYLYu2/3obg2jAAmvkLQ37IEyBFpyCRbtLEaxmRKhOx+q0VUH/e5 -vSAf4EE8cr4AbEzBWWE83SyEJfc65aM97l2U1DmM0KBQfhxD+JTbrEqy7KjA3Ppe -phCLfLo+igYKAnPqz0kvgIAz4DLKFBW+XN45sZz45ZqfQZKsA+v+XMJ1V7qo9qBV +MIIGAjCCBOqgAwIBAgISARXQ7SpFB4qRwSLt1oUKpDElMA0GCSqGSIb3DQEBCwUA +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMTYwMDIzMDBaFw0x +NjAzMTUwMDIzMDBaMBoxGDAWBgNVBAMTD214MS5mcmlwb3N0Lm9yZzCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKlhAZFY51Mns5A0IyBXGwxS5tdYQaue +WU/PobCkl0hwMxPB1OzSYa71etMkFiTOsgspxWQ624T7MHM3JhSdOJUpMBJKNwaz +dsC4sWT7eRTNiLpmM8PypXnJqJ7kvMzLUZiqRM3vfjJ/znOAb1B+zWIiyVCFFk6j +4X5Ue6zfUROFGVxbIpK7lgpNYI0Ia9IXyX13iqRCvDlcmRdCtz4UpxTaLz6fOyfa +5S52ABgu9aqjI5eVInTSL0zjPXpn3jzW23z+lffCIxx765iXFJdEuWbzlFnE6SZN +yvA6zDDfJ+g0D1Pas964nzm0JWGAwQozg5qZFF99Zwxa3PC8nBh7ih+D1j7HPsA0 +93CvU7PITKnDNOdI6i+h+AJQ+wxsb0RtQ88QT/BdAGcD/WpSXn6MG/GBtE6AtSNv +cd2me4jOAbQHShSQ49/iRTvUmP8jcxW1+CDoYhY+2nBO8MkrNciIK6j8HwptSpbl +ZDp9GxyrXBXE4YWM1bFIAEBv9u+MrREt9Np/+hCPuaFW0Gx/Dcga47Tcfsm1v4Ub +NAuciQLEz/CCBAIIfikykDq15Y9Y1WhOmlv5lGN/0dQGqDlXYs7ZGBmbiTv9AYug +Sawqay8q1MquoIoVPTXP0/5KIdQrx3ioFkZF3fxbGi6iTzwtqcsiKX+82dMW+3PY +/6L3nrlYwncNAgMBAAGjggIQMIICDDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw +FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKXT +6Tt9ylkLkl3fyPVtgKlD5q8eMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/z +qOyhMHAGCCsGAQUFBwEBBGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50 +LXgxLmxldHNlbmNyeXB0Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0Lmlu +dC14MS5sZXRzZW5jcnlwdC5vcmcvMBoGA1UdEQQTMBGCD214MS5mcmlwb3N0Lm9y +ZzCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI +KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC +AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g +YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0 +aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5 +cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBz9jeaYmoqxSx4 +mf4w6HcKt14vE2tVXuBLcx4BPmK6E7dfUFWw1td9y+252n13BsspKZA2QYDLb6rN +0F/p0x0JF5AGAijdFyqsEl3N/IJC2bcpt8eyxc+B3phl7Qzl1HnzO/1Y7BNOiGca +xJ+0dPIGhkhSjzbAj1f3YJyofFcQhHx/r+tOy55O6pxlVRjXLBd1ZtCLRGVGdO2g +Ecjc+YrYlsiimoHQpizNih1PHzuY/XyHJJeeNGgRPJMYrKrCCiOp/iJUAvOxzCTF +r27HVf+ZVkFikYllNB0IJB/tNlxj4cOkAXRwLZtN2a7gELTQm9XG5APErq15JK06 +Du+Xy8Mq -----END CERTIFICATE----- diff --git a/certs/public/mx2.fripost.org.pem b/certs/public/mx2.fripost.org.pem index c0e3920..c743fa5 100644 --- a/certs/public/mx2.fripost.org.pem +++ b/certs/public/mx2.fripost.org.pem @@ -1,18 +1,35 @@ -----BEGIN CERTIFICATE----- -MIIC0DCCAbigAwIBAgIJANBAvGQBHfhIMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV -BAMTFWVsZWZhbnQuc3ZlbnNrYS5ndS5zZTAeFw0xNDAyMTgxOTU3MDJaFw0yNDAy -MTYxOTU3MDJaMCAxHjAcBgNVBAMTFWVsZWZhbnQuc3ZlbnNrYS5ndS5zZTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO1CRtPMLU5p93Jpo/FAdrai555D -sWsv9gOBFEPVsGrryHFP7woMN3HBuF4D567MhKod9eEXIuwrHV0tSgUQ5RoKgC48 -MvC6WfBTdYIpSpyWQIMV+90rO4fgGk1KmKiVCPVDWb1XL9IhVxqNs9KOWxUyYT7d -hgx+Okc1Wg5SzjA3f6n8gy0R3gcPmQ4+h8Y1qHgIt52eU6umgE1WX6dGvRJ6KANk -5IohMfJV8wu2/HRqcnwFcrGgmovWgOlBStPRNq581jh8QWuYnewTCYqjkn9Ny4v7 -xYBIYNDzTCf/8ML4LkpAgo9+vn4to71HbHt6mpJv3Ct48h0HlGAs7XNtui8CAwEA -AaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEACjbr0H6cyuZbcvZM -Lo7G/P7QtHOPFepLN7AT0UzUiNlVBansz5lRAXje//pHS6tgQkJM2wub5vN9BmBL -7ZF3Mbm/5WQSGzR+W/Q8t3gfm51Op5niY67Pm9NIn3j8PKF2MQ9t8tVvdtJ4bvpM -6PsCxS+tFyhoe1U4+Cv0ouKwUvB+QbfQ/TUIYzGhZ7JllRWaOCcAXszCMoIWMV0X -RTYsgqtB9dKJYyak6hMkXpIlL+4GwM3ZBa1YNc/Th5In96sjjcd2PAVfg+Xt7pXL -3VvGm4W9OirooG+ntEKX1ZoT9pxDlcWy2J7GHsrTn+XLWCmynTBwj5jQ7BAlFvEg -SswV6g== +MIIGAjCCBOqgAwIBAgISAUBmsGd9DcCLwDznhjjca/3/MA0GCSqGSIb3DQEBCwUA +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMTYwMDEwMDBaFw0x +NjAzMTUwMDEwMDBaMBoxGDAWBgNVBAMTD214Mi5mcmlwb3N0Lm9yZzCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBALQbPWAwWT9JwMkJ4V+O9lnlvhH+Mbj9 +OpJNy+Aeghevn9eKYNRhouHjqEvS9AfGAkykynnl0xaePg0koF1Eo7/J85HkZrxk +khikZTYcXRvQxmD6zpU33DS5CH2Jcf2PR1lYrbTTn5emJ8WiUmY0jh941dr5IVKx +xtdDXpb1fx/4vwJnsuZJfeJ1hVaOqBx0sOHz6pTdKYh3EG5H5uMaW1QQFsi3u6fq +krwPYk2MS0+jOLgVBb2hDDSJS43rHpIJ37mHWhrB1uX0O1qSuMtefD9jQUQ8h2m4 +kiFwIilMG/89qkCkUfPuh/h7B7I3+aC7ItHWygPEcU16bYKUG8/5Yo8zsMJIu4N3 +DzC/DcoGDwoPsqjp0UMz84E0Mpup9eywIMdR101cR84GSCJnaPUYwz3kBQ3ep6ms +fM3KijMEC/5tvlx+5QeZzCp2sqoZeqHdr+wDKx/RhtJKk6pmHIC4BwxEhl0hkVxO +M+rMHwpUhVYTFC00/3OO/uVO3k6+b5F0WS0SY7jBpaXVb8SMuQ8q8+yoZ5M/pFrI +YCIJyIHEDGR3N3kN6QLGcIHjqchbehOENj0xTxjgdEU7LPIb3ikeudppRLmYXzaD +a+ucAozbljBHv7LjyDICaLtaC29lTkWgZA7tCcE2DwxK+FxgDlqUyucTBCz+ajjx +1VZXhzoJZFczAgMBAAGjggIQMIICDDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw +FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBAM +Y9xCJ+RcfJU9bEr7qoSjmrsHMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/z +qOyhMHAGCCsGAQUFBwEBBGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50 +LXgxLmxldHNlbmNyeXB0Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0Lmlu +dC14MS5sZXRzZW5jcnlwdC5vcmcvMBoGA1UdEQQTMBGCD214Mi5mcmlwb3N0Lm9y +ZzCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI +KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC +AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g +YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0 +aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5 +cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBs4Iq51S5xR94h +SzKhlt7fdCgP1YdjWB1kjWTC9xL7Iii22E4n3YipH96wKHBMxnS3cZsCLHZ8VdHe +KXr1kTw4AH7Jx+KCzj2ztjD/z6t6wb1IZZTpHFMJKZVf67Y+Bb9W/mpQww1Yq8IU +x+90BDLE9OiNGjPe/a7uTrCi/FJ8ESCHcX+0yiDXMDP/1Kdy0XPUle+gAqJUUM1R +09O8f3hwwIhVXcP0DA8UR0un5/usFttereY9OQX46iK4ckrfAhvNpjqqfMVzW1nu +H0XPnh3lr4k8L/jJeK8tNa3QVnVxPGV5ZDotqQrZKG47nEZgNcXPxxe6otjneZXR +LQFrwFiZ -----END CERTIFICATE----- diff --git a/certs/public/smtp.fripost.org.pem b/certs/public/smtp.fripost.org.pem index 2f97708..81a1325 100644 --- a/certs/public/smtp.fripost.org.pem +++ b/certs/public/smtp.fripost.org.pem @@ -1,31 +1,35 @@ -----BEGIN CERTIFICATE----- -MIIFUjCCAzoCCQCy2XbMAN1DeTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJT -RTEQMA4GA1UECgwHRnJpcG9zdDENMAsGA1UECwwEU01UUDEZMBcGA1UEAwwQc210 -cC5mcmlwb3N0Lm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcw -HhcNMTQwNDA3MjMyMzMwWhcNMjQwNDA0MjMyMzMwWjBrMQswCQYDVQQGEwJTRTEQ -MA4GA1UECgwHRnJpcG9zdDENMAsGA1UECwwEU01UUDEZMBcGA1UEAwwQc210cC5m -cmlwb3N0Lm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcwggIi -MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/TboO8u6v8rVtrkI8kDZ4mdxM -5uyIPR2HODYIdMSj2YHmLohzITyysFNLpAVHOATnRkqLxhmX2zZ+Eu3uCE/kOfdR -fVNEvnSksFSCFXjqx666k7ABtyNHOVqali2HO62JDs837EPEOnF5oVapIUExse29 -POfBDGf18ArDGgd2Tl2DLDiojZYHh1pOsFhKcsks3OOdE109BG6C9S9ZlFBz0PW/ -s9ESEicP9KsqTpIRyd8OU3x8S0p+MDudu5NJjRG+Vlk6uJ2ApC68EowuIx/h7zbp -GEBG71GWb3OjlahOsf/EfKf/vHgkK8+CUWW1FGlvznoeS8R/fgUxRTh6+NXiSJGU -5Eq/wez/hYnotQWBExb42tUBcZbFh6FtD1FU7QNYwALHjV0aSx6leIgkGGWeUgJc -7o8OtDUX5QiY0Xe0s3g6qLFMGgXsfUA4IWjmOknFUA5CtJhDT5uMQLO/jF0tvugi -wTaBxpIjYDATfA1JeEB7+cfh9Jw5Q5XmydLUoLdT7Nut8e2NjYyN9izguPBf+Rzk -gUJZFeB+CEV62lMNWWENqgunjVXicolQ4WdWETYQWzUvVyFvR1RWVkOVw+1Wt6zU -Vbb3t1b2avnzvp4j92pTImJUgTLLRI5QE3bzD9MMDQSH6s7/dBltGIJeepDHB07H -yleUc/j6IdbfH5dfNwIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQAFcW7ZYxsSuv3u -EbCa8NQ+HjecVHD8Spz4ofBZ9R0uON2VI++dz1mBdZE3udoxBt/Nj3U/YnlVToal -W/dYGusuKQFIATiB9MFXUDl1gfKaqcyrCZUxGpi1OXOa27WPbiRiQMnBYNkD1p3D -cz28XGQ78DswRER4eFn+76pOjqFxkxEe0Ww1oPvu+in23OWgTVTWP/6Opp6Y/epN -XkbHKiH9OXe2StYnlXD7P89w07fXaBNfDT5vLC9PDgYJk7wN76AaqwK/ZKFithSx -oT60db1n+fhaMC2U1R64L2clLpSrZ3lvXRplcsdII/06d+ysJn7hLV9IUca9AMoP -Px2KIyHgp5U6VtFF6UOLBl9+BUd0zzArSh9CJnXG88+CplGN51Fv2dPqzdno1XSg -ShbJ1onYonLbDaPG4i0LD3KyIX6ep5eU+KZZtcHwTbzKAQ/ySu5nqx2DAJbalJmj -9qz/zfOuZMJGDuN+iHCnqyxGoC/hB20IreGHfGS4XmJDkZ3zzqjJjBV32XeZ3Sx6 -odMnwO4mLjyb1Az/C/rwCrVG3nrZQhmD/H+juJVI/cinocJtQoPPq3zPx+GxQUxe -smR7bY7EMaTt+9EelIGmp65jEGrr+OVhZ3NudwWQyC242SMiOq+JpVRuefp+mtAN -UGGTaC4MdXJIwWZTakrnhkgTp4uqrA== +MIIGBDCCBOygAwIBAgISAT/ZlANJISFHRihAoZ7zCz9AMA0GCSqGSIb3DQEBCwUA +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMTYwMDU3MDBaFw0x +NjAzMTUwMDU3MDBaMBsxGTAXBgNVBAMTEHNtdHAuZnJpcG9zdC5vcmcwggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4wO2IiiPCn9SEc7DRhayWqme2Ef31 +/lO2aFamTnUykDxmuKt8QSVbhN9LQ4dcH1n8CLc7pZvQD12bVu8B+ds50sjKlwEr +rH/0NsQOOdR5zEhMdRZG8f75Nbvyz0NjMRClAXhc3aJKNJ2qcPOx66IbPbvrk+lf +lCtQoIblMN/r4UhYMxHMqsZeFBAdI+6ns2pgyR9FOu9zDsTde1a7v2yzQLp1ewjj +gj0XK0RLJZ8nsRmiOz9UrquYrHnBQkeOF5OK+T45wQdRCSjnmK4jP9nRbIIwLdUQ +CLRB2Ji8uV8rtPTgFns8Dyx3/dFxgWVzXJwh6EodaWnCO0V8xTODjHMWiQQOobf1 +iEeo6krPq3v19j40c6p+EDLdRRqM/wNtAXS9lfoIDxv/z8Aa4gJpjJhnmkatStaD +ldwOOPgf0/vtB/QoQJi4J5mLWkeZFl+HJPWrKJGtSCSi/9vndCL7FIbMk5B2d9rD +IKs2xn3Et1DPV1zpI2vNcky/mebq+Cb2qDNlC5WEDrCIiiUhEJHjd4gdtF/Q6gom +X8VmH7XigiNE4aVGuWgD9r7iZBFp4hCTw/iczZK9aMi6N6ZeTzLs0YAeR339J2ei +yDV5aZd/BOepkDb9UYzBCBrU7uAOdCX69YA/FTNHXVYhYqWd14/bJnWKlUckd1D9 +5ioBZfdYQEHOyQIDAQABo4ICETCCAg0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW +MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQn +lA9Ej2gB1YNUZIYC5AnMWifuyTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv +86jsoTBwBggrBgEFBQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmlu +dC14MS5sZXRzZW5jcnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5p +bnQteDEubGV0c2VuY3J5cHQub3JnLzAbBgNVHREEFDASghBzbXRwLmZyaXBvc3Qu +b3JnMIH+BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAm +BggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUF +BwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBv +biBieSBSZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRo +IHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5j +cnlwdC5vcmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAEvepC7eMCHI +2yHZx3lSg8KJluZxsW0XlCL6BDupcMKxXQ2DAvhd/d+pnxKQVQ+40Y4NUZGTz1w/ +tZA9lKQn14aQ6o31UKuRSm+FB7zCeLBm3uqxevk8NOcrt1kxvdjul5xYv6t5tLpZ +Dqk0sM+Lg1/qgTj1IuEQ4rc0RUqoCr2WG0HOW0a8tqWOBDKZDja8r82AhjgT7c21 +2Iz2ItsavlgsW6Gx8OX0gRmoaS3AQ+8dcg99uhajkd5ixkJF09zuqa5Rd87sAjmN +fmqU/Ok3VUZr1DSrnBc2lt+vhCB8Sn9FcS6BDO3eGy4P8Gy6fES51Bb9MgB6bXOr +TB5QdMpaRG8= -----END CERTIFICATE----- diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index dc0b5bf..114388e 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -1,32 +1,32 @@ ## ## SSL settings ## # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = required # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem +ssl_cert = </etc/dovecot/ssl/imap.fripost.org.chained.pem ssl_key = </etc/dovecot/ssl/imap.fripost.org.key # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) #ssl_ca = # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes # Directory and/or file for trusted SSL CA certificates. These are used only # when Dovecot needs to act as an SSL client (e.g. imapc backend). The # directory is usually /etc/ssl/certs in Debian-based systems and the file is # /etc/pki/tls/cert.pem in RedHat-based systems. diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml index ec1aaac..c9686c9 100644 --- a/roles/IMAP/tasks/imap.yml +++ b/roles/IMAP/tasks/imap.yml @@ -59,104 +59,91 @@ owner=root group=root mode=0644 with_items: - all - flagged - recent - unseen - name: Create directory /home/mail/spamspool file: path=/home/mail/spamspool state=directory owner=vmail group=vmail mode=0700 - name: Create directory /etc/dovecot/ssl file: path=/etc/dovecot/ssl state=directory owner=root group=root mode=0755 -- name: Generate a private key and a X.509 certificate for Dovecot - command: genkeypair.sh x509 - --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem - --privkey=/etc/dovecot/ssl/imap.fripost.org.key - --ou=IMAP --cn=imap.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Dovecot - tags: - - genkey - name: Fetch Dovecot's X.509 certificate # Ensure we don't fetch private data sudo: False fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem dest=certs/public/ fail_on_missing=yes flat=yes tags: - genkey - name: Configure Dovecot copy: src=etc/dovecot/{{ item }} dest=/etc/dovecot/{{ item }} owner=root group=root mode=0644 - register: r2 + register: r1 with_items: - conf.d/10-auth.conf - conf.d/10-logging.conf - conf.d/10-mail.conf - conf.d/10-master.conf - conf.d/10-ssl.conf - conf.d/15-mailboxes.conf - conf.d/20-imap.conf - conf.d/20-lmtp.conf - conf.d/90-plugin.conf - conf.d/90-sieve.conf - conf.d/auth-ldap.conf.ext - dovecot-ldap.conf.ext - dovecot-ldap-userdb.conf.ext notify: - Restart Dovecot - name: Tell Dovecot we have a remote IMAP proxy # XXX: we should have an automatic lookup here lineinfile: dest=/etc/dovecot/dovecot.conf regexp='^(\s*#)?\s*login_trusted_networks\s*=' line='login_trusted_networks = 171.25.193.76/32' state=present create=yes owner=root group=root mode=0644 - register: r3 + register: r2 when: "'IMAP' in group_names and 'webmail' not in group_names" notify: - Restart Dovecot - name: Start Dovecot service: name=dovecot state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Install 'dovecot_stats_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/dovecot_stats_ dest=/etc/munin/plugins/dovecot_stats_fripost.org owner=root group=root state=link force=yes tags: - munin - munin-node notify: - Restart munin-node - name: Install 'dovecot_logins' and 'dovecot_who' Munin plugin file: src=/usr/local/share/munin/plugins/{{ item }} dest=/etc/munin/plugins/{{ item }} owner=root group=root state=link force=yes diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index efcebef..caba881 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -58,42 +58,42 @@ smtp_data_done_timeout = 1200s # Anonymize the (authenticated) sender; pass the mail to the antivirus header_checks = pcre:$config_directory/anonymize_sender.pcre #content_filter = amavisfeed:unix:public/amavisfeed-antivirus # TLS {% if 'out' in group_names %} smtp_tls_security_level = none smtp_bind_address = 127.0.0.1 {% else %} smtp_tls_security_level = encrypt smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy smtp_tls_fingerprint_digest = sha256 {% endif %} smtpd_tls_security_level = encrypt -smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.pem -smtpd_tls_key_file = /etc/postfix/ssl/private/smtp.fripost.org.key +smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.chained.pem +smtpd_tls_key_file = /etc/postfix/ssl/smtp.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes # SASL smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_exceptions_networks = $mynetworks smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = unix:private/dovecot-auth strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml index da6923b..1b820e3 100644 --- a/roles/MX/tasks/main.yml +++ b/roles/MX/tasks/main.yml @@ -65,41 +65,41 @@ owner=root group=root mode=0644 notify: - Reload Postfix - name: Copy reserved-alias.pl copy: src=usr/local/bin/reserved-alias.pl dest=/usr/local/bin/reserved-alias.pl owner=root group=root mode=0755 - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data sudo: False # `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file` - fetch: src=/etc/ssl/certs/ssl-cert-snakeoil.pem + fetch: src=/etc/postfix/ssl/mx.fripost.org.pem dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pem fail_on_missing=yes flat=yes tags: - genkey - name: Install 'postfix_mailqueue_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_mailqueue_ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }} owner=root group=root state=link force=yes tags: - munin - munin-node notify: - Restart munin-node - name: Install 'postfix_stats_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_stats_ diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index b9f7c09..0259538 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -76,42 +76,42 @@ smtp_send_xforward_command = yes smtp_destination_recipient_limit = 1000 reserved-alias_destination_recipient_limit = 1 # Tolerate occasional high latency smtp_data_done_timeout = 1200s {% if 'out' in group_names %} smtp_tls_security_level = none smtp_bind_address = 127.0.0.1 {% else %} smtp_tls_security_level = encrypt smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy smtp_tls_fingerprint_digest = sha256 {% endif %} smtpd_tls_security_level = may smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem -smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_cert_file = /etc/postfix/ssl/mx.fripost.org.chained.pem +smtpd_tls_key_file = /etc/postfix/ssl/mx.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem smtpd_tls_CApath = /etc/ssl/certs/ smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix # http://www.howtoforge.com/block_spam_at_mta_level_postfix strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes # UCE control invalid_hostname_reject_code = 554 multi_recipient_bounce_reject_code = 554 non_fqdn_reject_code = 554 relay_domains_reject_code = 554 unknown_address_reject_code = 554 diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default new file mode 100644 index 0000000..6df1615 --- /dev/null +++ b/roles/common-web/files/etc/nginx/sites-available/default @@ -0,0 +1,11 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log info; + + # serve ACME challenges on all virtual hosts + # /!\ need to be served individually for each explicit virtual host as well! + include snippets/acme-challenge.conf; +} diff --git a/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf b/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf new file mode 100644 index 0000000..b2a856a --- /dev/null +++ b/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf @@ -0,0 +1,4 @@ +location /.well-known/acme-challenge/ { + alias /var/www/acme-challenge/; + default_type application/jose+json; +} diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml index c44e3a5..fb6bb2d 100644 --- a/roles/common-web/tasks/main.yml +++ b/roles/common-web/tasks/main.yml @@ -1,41 +1,42 @@ - name: Install Nginx apt: pkg=nginx - name: Limit Nginx logging lineinfile: "dest=/etc/logrotate.d/nginx create=yes regexp='^\\s*rotate\\s' line='\trotate 1'" tags: - logrotate -- name: Copy fastcgi parameters and SSL configuration snippets +- name: Copy fastcgi parameters, acme-challenge and SSL configuration snippets copy: src=etc/nginx/snippets/{{ item }} dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0644 register: r1 with_items: - fastcgi.conf - fastcgi-php.conf - fastcgi-php-ssl.conf - ssl.conf + - acme-challenge.conf notify: - Restart Nginx - name: Copy /etc/nginx/sites-available/default copy: src=etc/nginx/sites-available/default dest=/etc/nginx/sites-available/default owner=root group=root mode=0644 register: r2 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/default file: src=../sites-available/default dest=/etc/nginx/sites-enabled/default owner=root group=root state=link force=yes register: r3 notify: - Restart Nginx diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index a852c4d..07047c7 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -35,20 +35,23 @@ - name: Restart Postfix service: name=postfix state=restarted - name: Reload Postfix service: name=postfix state=reloaded - name: Restart stunnel service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted - name: Restart bacula-fd service: name=bacula-fd state=restarted - name: Update certificate command: update-ca-certificates - name: Restart munin-node service: name=munin-node state=restarted - name: Restart freshclam service: name=clamav-freshclam state=restarted + +- name: Install LetsEncrypt's ACME client + apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 470a6b2..955493a 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -28,40 +28,43 @@ command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem tags: genkey - include: logging.yml tags=logging - include: ntp.yml tags=ntp - include: mail.yml tags=mail,postfix - include: bacula.yml tags=bacula-fd,bacula - include: munin-node.yml tags=munin-node,munin - name: Install common packages apt: pkg={{ item }} with_items: - ca-certificates - etckeeper - ethtool - git - htop - molly-guard - rsync - screen - telnet-ssl + # for letencrypt + - liblwp-protocol-https-perl + - socat # XXX: this is a workaround the CAcert root CAs not being present in # Jessie. In stretch, we would merely install the 'ca-cacert' package. - name: Create directory /usr/local/share/ca-certificates/CAcert file: path=/usr/local/share/ca-certificates/CAcert state=directory owner=root group=root mode=0755 tags: - certs - name: Copy CAcert root CAs copy: src=certs/CAcert/{{ item }} dest=/usr/local/share/ca-certificates/CAcert/{{ item }} owner=root group=root mode=0644 with_items: - root.crt - class3.crt tags: diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git index 67776de..afb5fca 100644 --- a/roles/git/files/etc/nginx/sites-available/git +++ b/roles/git/files/etc/nginx/sites-available/git @@ -1,74 +1,45 @@ server { listen 80; listen [::]:80; server_name git.fripost.org; + include snippets/acme-challenge.conf; + access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; - location ^~ /static/ { - alias /usr/share/cgit/; - expires 30d; - } - - # Bypass the CGI to return static files stored on disk. Try first repo with - # a trailing '.git', then without. - location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" { - root /var/lib/gitolite/repositories; - try_files /$1.git/objects/$2 /$1/objects/$2 =404; - expires 30d; - gzip off; - # TODO honor git-daemon-export-ok - } - - # disallow push over HTTP/HTTPS - location ~* "^/[^/]+/git-receive-pack$" { return 403; } - - location ~* "^/[^/]+/(?:HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$" { - gzip off; - include uwsgi_params; - uwsgi_modifier1 9; - uwsgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories; - uwsgi_pass unix:/run/uwsgi/app/git-http-backend/socket; - } - - - # send all other URLs to cgit location / { - gzip off; - include uwsgi_params; - uwsgi_modifier1 9; - uwsgi_pass unix:/run/uwsgi/app/cgit/socket; + return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name git.fripost.org; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; + ssl_certificate /etc/nginx/ssl/git.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; location ^~ /static/ { alias /usr/share/cgit/; expires 30d; } # Bypass the CGI to return static files stored on disk. Try first repo with # a trailing '.git', then without. location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" { root /var/lib/gitolite/repositories; try_files /$1.git/objects/$2 /$1/objects/$2 =404; expires 30d; gzip off; # TODO honor git-daemon-export-ok } diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml index 27e0554..7237aa9 100644 --- a/roles/git/tasks/cgit.yml +++ b/roles/git/tasks/cgit.yml @@ -55,67 +55,53 @@ - cgit - git-http-backend notify: - Restart uWSGI - name: Start uWSGI service: name=nginx state=started when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed) - meta: flush_handlers - name: Add 'cgit' & 'www-data' to the group 'gitolite' user: name={{ item }} groups=gitolite append=yes with_items: # for the cgit interface - cgit # for pulls over HTTP/HTTPS - www-data -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/git.fripost.org.pem - --privkey=/etc/nginx/ssl/git.fripost.org.key - --ou=WWW --cn=git.fripost.org --dns=git.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Nginx - tags: - - genkey - - name: Copy /etc/nginx/sites-available/git copy: src=etc/nginx/sites-available/git dest=/etc/nginx/sites-available/git owner=root group=root mode=0644 - register: r2 + register: r1 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/git file: src=../sites-available/git dest=/etc/nginx/sites-enabled/git owner=root group=root state=link force=yes - register: r3 + register: r2 notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data sudo: False fetch: src=/etc/nginx/ssl/git.fripost.org.pem dest=certs/public/ fail_on_missing=yes flat=yes tags: - genkey diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa index ea0424f..5e469fa 100644 --- a/roles/lists/files/etc/nginx/sites-available/sympa +++ b/roles/lists/files/etc/nginx/sites-available/sympa @@ -1,44 +1,48 @@ server { listen 80; listen [::]:80; server_name lists.fripost.org; + include snippets/acme-challenge.conf; + access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; - return 302 https://$host$request_uri; + location / { + return 301 https://$host$request_uri; + } } server { listen 443; listen [::]:443; server_name lists.fripost.org; access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem; + ssl_certificate /etc/nginx/ssl/lists.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key; location = / { return 302 /sympa$args; } location ^~ /static-sympa/ { alias /var/lib/sympa/static_content/; expires 30d; } location ^~ /sympa { fastcgi_split_path_info ^(/sympa)(.*)$; include snippets/fastcgi.conf; fastcgi_pass unix:/run/wwsympa.socket; gzip off; } location ~* ^/([^/]+)/?$ { diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml index 4501d39..21e769a 100644 --- a/roles/lists/tasks/nginx.yml +++ b/roles/lists/tasks/nginx.yml @@ -1,50 +1,36 @@ - name: Install Nginx apt: pkg=nginx -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/lists.fripost.org.pem - --privkey=/etc/nginx/ssl/lists.fripost.org.key - --ou=WWW --cn=lists.fripost.org --dns=lists.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Nginx - tags: - - genkey - - name: Copy /etc/nginx/sites-available/sympa copy: src=etc/nginx/sites-available/sympa dest=/etc/nginx/sites-available/sympa owner=root group=root mode=0644 - register: r2 + register: r1 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/sympa file: src=../sites-available/sympa dest=/etc/nginx/sites-enabled/sympa owner=root group=root state=link - register: r3 + register: r2 notify: - Restart Nginx - name: Start nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data sudo: False fetch: src=/etc/nginx/ssl/lists.fripost.org.pem dest=certs/public/ fail_on_missing=yes flat=yes tags: - genkey diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index 1297834..df10be9 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -1,39 +1,46 @@ server { listen 80; listen [::]:80; - server_name mail.fripost.org; + server_name mail.fripost.org; + server_name webmail.fripost.org; + + include snippets/acme-challenge.conf; access_log /var/log/nginx/roundcube.access.log; error_log /var/log/nginx/roundcube.error.log info; - return 301 https://$host$request_uri; + location / { + return 301 https://$host$request_uri; + } } server { listen 443; listen [::]:443; - server_name mail.fripost.org; + server_name mail.fripost.org; + server_name webmail.fripost.org; + root /var/lib/roundcube; include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/mail.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key; location = /favicon.ico { root /usr/share/roundcube/skins/default/images; log_not_found off; access_log off; expires max; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Deny all attempts to access hidden files, or files under hidden diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index ed6a3b4..3eaf766 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -86,67 +86,53 @@ owner=root group=root mode=0644 with_items: - classic - larry - name: Configure Roundcube plugins copy: src=etc/roundcube/plugins/{{ item }}/config.inc.php dest=/etc/roundcube/plugins/{{ item }}/config.inc.php owner=root group=root mode=0644 with_items: - additional_message_headers - jqueryui - managesieve - password - name: Start php5-fpm service: name=php5-fpm state=started -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/mail.fripost.org.pem - --privkey=/etc/nginx/ssl/mail.fripost.org.key - --ou=WWW --cn=mail.fripost.org --dns=mail.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Nginx - tags: - - genkey - - name: Copy /etc/nginx/sites-available/roundcube copy: src=etc/nginx/sites-available/roundcube dest=/etc/nginx/sites-available/roundcube owner=root group=root mode=0644 - register: r2 + register: r1 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/roundcube file: src=../sites-available/roundcube dest=/etc/nginx/sites-enabled/roundcube owner=root group=root state=link force=yes - register: r3 + register: r2 notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data sudo: False fetch: src=/etc/nginx/ssl/mail.fripost.org.pem dest=certs/public/ fail_on_missing=yes flat=yes tags: - genkey diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website index 3e32158..2519286 100644 --- a/roles/wiki/files/etc/nginx/sites-available/website +++ b/roles/wiki/files/etc/nginx/sites-available/website @@ -1,46 +1,51 @@ server { listen 80; listen [::]:80; server_name fripost.org; server_name www.fripost.org; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log info; + include snippets/acme-challenge.conf; - return 301 https://fripost.org$request_uri; + access_log /var/log/nginx/www.access.log; + error_log /var/log/nginx/www.error.log info; + + location / { + return 301 https://$host$request_uri; + } } server { listen 443; listen [::]:443; - server_name fripost.org; + server_name fripost.org; + server_name www.fripost.org; include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log info; + access_log /var/log/nginx/www.access.log; + error_log /var/log/nginx/www.error.log info; location / { try_files $uri $uri/ =404; index index.html; root /var/lib/ikiwiki/public_html/fripost-wiki/website; } location /static/ { alias /var/lib/ikiwiki/public_html/fripost-wiki/static/; expires 30d; } location /material/ { alias /var/www/fripost.org/material/; expires 30d; } location /minutes/ { alias /var/www/fripost.org/minutes/; expires 30d; } location /.well-known/autoconfig/ { alias /var/www/fripost.org/autoconfig/; diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki index 3777b87..2855e07 100644 --- a/roles/wiki/files/etc/nginx/sites-available/wiki +++ b/roles/wiki/files/etc/nginx/sites-available/wiki @@ -1,38 +1,34 @@ server { listen 80; listen [::]:80; server_name wiki.fripost.org; + include snippets/acme-challenge.conf; + access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } - try_files $uri $uri/ =404; - index index.html; - root /var/lib/ikiwiki/public_html/fripost-wiki; - } - - location = /ikiwiki.cgi { - return 302 https://$host$request_uri; + return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name wiki.fripost.org; include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } try_files $uri $uri/ =404; diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml index 22a5831..763f99a 100644 --- a/roles/wiki/tasks/main.yml +++ b/roles/wiki/tasks/main.yml @@ -48,85 +48,71 @@ # ## Add ikiwiki's key to gitolite # sudo ln -s /var/lib/ikiwiki/wiki.fripost.org /var/lib/gitolite/repositories/fripost-wiki.git/hooks/post-update # $ /usr/bin/sudo -u ikiwiki git clone ssh://gitolite@localhost/fripost-wiki.git - name: Configure ikiwiki copy: src=var/lib/ikiwiki/fripost-wiki.setup dest=/var/lib/ikiwiki/fripost-wiki.setup owner=root group=root mode=0644 notify: - Refresh ikiwiki - name: Add fripost-wiki to /etc/ikiwiki/wikilist lineinfile: dest=/etc/ikiwiki/wikilist "line=ikiwiki /var/lib/ikiwiki/fripost-wiki.setup" owner=root group=root mode=0644 - meta: flush_handlers -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/fripost.org.pem - --privkey=/etc/nginx/ssl/fripost.org.key - --ou=WWW --cn=fripost.org --dns=fripost.org --dns=wiki.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Nginx - tags: - - genkey - - name: Copy /etc/nginx/sites-available/{wiki,website} copy: src=etc/nginx/sites-available/{{ item }} dest=/etc/nginx/sites-available/{{ item }} owner=root group=root mode=0644 - register: r2 + register: r1 with_items: - website - wiki notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/{wiki,website} file: src=../sites-available/{{ item }} dest=/etc/nginx/sites-enabled/{{ item }} owner=root group=root state=link force=yes - register: r3 + register: r2 with_items: - website - wiki notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data sudo: False - fetch: src=/etc/nginx/ssl/fripost.org.pem - dest=certs/public/ + fetch: src=/etc/nginx/ssl/www.fripost.org.pem + dest=certs/public/fripost.org.pem fail_on_missing=yes flat=yes tags: - genkey - name: Create directory /var/www/fripost.org/autoconfig/mail file: path=/var/www/fripost.org/autoconfig/mail state=directory owner=root group=root mode=0755 - name: Copy /var/www/fripost.org/autoconfig/mail/config-v1.1.xml copy: src=var/www/fripost.org/autoconfig/mail/config-v1.1.xml dest=/var/www/fripost.org/autoconfig/mail/config-v1.1.xml owner=root group=root mode=0644 |