summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--certs/dovecot/00cacert.org_class3.crt42
-rw-r--r--certs/dovecot/00lets-encrypt-x1-cross-signed.pem27
-rwxr-xr-xcerts/gencerts.sh61
-rw-r--r--certs/public/fripost.org.pem65
-rw-r--r--certs/public/git.fripost.org.pem63
-rw-r--r--certs/public/imap.fripost.org.pem60
-rw-r--r--certs/public/lists.fripost.org.pem63
-rw-r--r--certs/public/mail.fripost.org.pem65
-rw-r--r--certs/public/mx1.fripost.org.pem48
-rw-r--r--certs/public/mx2.fripost.org.pem49
-rw-r--r--certs/public/smtp.fripost.org.pem62
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf2
-rw-r--r--roles/IMAP/tasks/imap.yml19
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j24
-rw-r--r--roles/MX/tasks/main.yml2
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j24
-rw-r--r--roles/common-web/files/etc/nginx/sites-available/default11
-rw-r--r--roles/common-web/files/etc/nginx/snippets/acme-challenge.conf4
-rw-r--r--roles/common-web/tasks/main.yml3
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/main.yml3
-rw-r--r--roles/git/files/etc/nginx/sites-available/git37
-rw-r--r--roles/git/tasks/cgit.yml20
-rw-r--r--roles/lists/files/etc/nginx/sites-available/sympa8
-rw-r--r--roles/lists/tasks/nginx.yml20
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube13
-rw-r--r--roles/webmail/tasks/roundcube.yml20
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/website17
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/wiki10
-rw-r--r--roles/wiki/tasks/main.yml24
30 files changed, 402 insertions, 427 deletions
diff --git a/certs/dovecot/00cacert.org_class3.crt b/certs/dovecot/00cacert.org_class3.crt
deleted file mode 100644
index 087ca0e..0000000
--- a/certs/dovecot/00cacert.org_class3.crt
+++ /dev/null
@@ -1,42 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
-b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
-Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
-dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
-MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
-Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
-iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
-aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
-jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
-pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
-FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
-XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
-oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
-R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
-rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
-LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
-BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
-gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
-BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
-A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
-c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
-AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
-BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
-MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
-Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
-ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
-b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
-QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
-7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
-Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
-D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
-VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
-lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
-Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
-hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
-0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
-ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
-d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
-4GGSt/M3mMS+lqO3ig==
------END CERTIFICATE-----
diff --git a/certs/dovecot/00lets-encrypt-x1-cross-signed.pem b/certs/dovecot/00lets-encrypt-x1-cross-signed.pem
new file mode 100644
index 0000000..8a92a0b
--- /dev/null
+++ b/certs/dovecot/00lets-encrypt-x1-cross-signed.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB
+BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg
+PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG
+dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1
+gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4
+4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud
+EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy
+BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j
+b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv
+ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ
+MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH
+AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw
+MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM
+LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3
+pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd
+v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd
+ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW
+ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk
+6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj
+f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=
+-----END CERTIFICATE-----
diff --git a/certs/gencerts.sh b/certs/gencerts.sh
index e129733..047bba1 100755
--- a/certs/gencerts.sh
+++ b/certs/gencerts.sh
@@ -18,20 +18,17 @@ usage() {
}
x509fpr() {
- local msg="$1" host cert h t
+ local msg="$1" host cert h spki
host="${msg%%,*}"; host="${msg%% *}"
cert="$DIR/${host%%:*}.pem"
+ spki=$(openssl x509 -noout -pubkey<"$cert" | openssl pkey -pubin -outform DER | openssl dgst -sha1 | sed -nr 's/^[^=]+=\s*//p')
[ "$typ" = mdwn ] && { echo; echo " $msg"; echo; } || echo " $msg"
- for t in X.509 PKey; do
- for h in sha1 sha256; do
- [ "$t" = PKey ] && echo -n "$t $h" || echo -n "$t $h"
- for i in $(seq 1 $((7 - ${#h}))); do echo -n ' '; done
- if [ "$t" = PKey ]; then
- openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -"$h" -c
- else
- openssl x509 -noout -fingerprint -"$h"
- fi <"$cert" | sed -nr 's/^[^=]+=\s*//p'
- done
+ echo "${indent}X.509: https://crt.sh/?spkisha1=${spki}&iCAID=7395"
+ echo "${indent}SPKI:"
+ for h in sha1 sha256; do
+ echo -n " $h" | tr '[a-z]' '[A-Z]'
+ for i in $(seq 1 $((7 - ${#h}))); do echo -n ' '; done
+ openssl x509 -noout -pubkey<"$cert" | openssl pkey -pubin -outform DER | openssl dgst -"$h" -c | sed -nr 's/^[^=]+=\s*//p'
done | sed -r "s/(\S+)(.*)/$indent\1\U\2/"
}
@@ -98,13 +95,20 @@ fi
# Generate ASCII file to be clearsigned
cat >"$src2" << EOF
-The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all
-X.509 certificates Fripost uses on its publicly available services. Please
-consider any mismatch as a man-in-the-middle attack, and let us know
-immediately! -- admin@fripost.org
+The following is an up-to date list of SHA-1 and SHA-256 fingerprints of
+all SPKI (Subject Public Key Info) of each X.509 certificate Fripost
+uses on its publicly available services. Please consider any mismatch
+as a man-in-the-middle attack, and let us know immediately! --
+admin@fripost.org
+
+
+These certificates are all issued by the Let's Encrypt Certificate
+Authority, and are submitted to Certificate Transparency logs. You can
+view all issued Let's Encrypt certificates at crt.sh:
+ https://crt.sh/?Identity=%25fripost.org&iCAID=7395
-All our X.509 certificates are available in PEM format under
+Our X.509 certificates are also available in PEM format at:
$VCS_BROWSER/tree/certs/public ,
@@ -120,14 +124,20 @@ allfpr asc >>"$src2"
cat >"$mdwn2" << EOF
# Certificates at Fripost
-The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all
-X.509 certificates Fripost uses on its publicly available services. Please
-consider any mismatch as a man-in-the-middle attack, and let us know
-immediately! (See also the [[signed version of this page|certs.asc]].)
+The following is an up-to date list of SHA-1 and SHA-256 fingerprints of
+all SPKI (Subject Public Key Info) of each X.509 certificate Fripost
+uses on its publicly available services. Please consider any mismatch
+as a man-in-the-middle attack, and let us know immediately! (See also
+the [[signed version of this page|certs.asc]].)
-- [[admin@fripost.org|mailto:admin@fripost.org]]
-All our X.509 certificates are available in PEM format under our
+These certificates are all issued by the [[Let's Encrypt Certificate
+Authority|https://letsencrypt.org]], and are submitted to [[Certificate
+Transparency logs|https://www.certificate-transparency.org]].
+You can view all issued Let's Encrypt certificates at
+[[crt.sh|https://crt.sh/?Identity=%25fripost.org&iCAID=7395]].
+Our X.509 certificates are also available in PEM format under our
[[Git repository|$VCS_BROWSER/tree/certs/public]],
from which this fingerprint list was [[generated|$VCS_BROWSER/tree/certs/gencerts.sh]], at
$(git --no-pager --git-dir="$DIR/../../.git" --work-tree="$DIR" log -1 --pretty=format:"[[Commit ID %h from %aD|$VCS_BROWSER/tree/certs/public?id=%H]]" -- "$DIR").
@@ -135,15 +145,6 @@ $(git --no-pager --git-dir="$DIR/../../.git" --work-tree="$DIR" log -1 --pretty=
EOF
allfpr mdwn >>"$mdwn2"
-tee -a "$src2" >> "$mdwn2" << EOF
-
-
-If your SSL/TLS-capable client is able to validate the public key
-fingerprint of the remote peer certificate, then you should probably use
-this (the above values prefixed with "PKey") instead of the fingerprint
-of the certificate instead (the above values prefixed with "X.509"),
-since the former typically doesn't change upon certificate renewal.
-EOF
echo >>"$src2"
diff --git a/certs/public/fripost.org.pem b/certs/public/fripost.org.pem
index 21e7834..6138e4d 100644
--- a/certs/public/fripost.org.pem
+++ b/certs/public/fripost.org.pem
@@ -1,34 +1,35 @@
-----BEGIN CERTIFICATE-----
-MIIF6jCCBNKgAwIBAgISESF11XzOHj81ZogVBVzxjIZRMA0GCSqGSIb3DQEBBQUA
-MFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS0wKwYD
-VQQDEyRHbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gRzIwHhcNMTQw
-MjE0MTY1MTEzWhcNMTYwMzE2MTY1MTEzWjBGMQswCQYDVQQGEwJTRTEhMB8GA1UE
-CxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQDDAtmcmlwb3N0Lm9y
-ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKmwUaNJT9sQMyZ6ST5O
-ohafJdfx+cKPpn3zHUg+bXbwa0L/UgOLqWuwz49zKPcIu3ZdP7t6LqM5jyiXqaIS
-blAudNAFkqi3oEEHn7Qi4pTkE5Gq/X5Cw/uwjTBv7KPcnNg3lPkpw44XgohFMHTd
-WLSEScVeR9gKTZKe9ev0R8XeUK55K+VNVYDoi4u/4XsPD53wGJSoOP9Ph9fWHIkc
-FhXzPGSWVErlPUucs0Yd94umR3Ws7OQuWTNwwT+2vzeeer5qsW/Xj41gQquviAbj
-7FIRjjxO0ONC+iIlor0TJzsKIaHVvNfCXCfDsRQFz8voOrnGn5lwtugBI4WmLm35
-aLPV2sNzs8QoHdd9ZgXTu4h7SyYkbZwSCsjeo+W1ggoA5q85Krk6XzsR5G5Ay4ao
-NiYSt/GKo6AgIHywCaPiK8Gsv+E0LPMSy79zmNo1K/LErlnknkd7/m01lhO8ION4
-4aLwEwAimbbn5Q19VT7KSMO6GjDTme5lzizIF9S3Qns6PXRacak3KNVo31qPPNmQ
-VeBiFe6nonpCSDKc2+CFmmpVKqNT1fTsolrb0/ZNn/GrY/GPy2jEEW9vVUvhToNz
-tWTrRzspROWCxKZrKBmPCi3VSxjcWisoTjN1pshdX9q3j0wV7gNPUxpHiKWbaQN6
-aUKcdem7KUJN28wPbYM9x0mVAgMBAAGjggG/MIIBuzAOBgNVHQ8BAf8EBAMCBaAw
-SQYDVR0gBEIwQDA+BgZngQwBAgEwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cu
-Z2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wKAYDVR0RBCEwH4ILZnJpcG9zdC5v
-cmeCEG1haWwuZnJpcG9zdC5vcmcwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEF
-BQcDAQYIKwYBBQUHAwIwPwYDVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NybC5nbG9i
-YWxzaWduLmNvbS9ncy9nc2RvbWFpbnZhbGcyLmNybDCBiAYIKwYBBQUHAQEEfDB6
-MEEGCCsGAQUFBzAChjVodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2Vy
-dC9nc2RvbWFpbnZhbGcyLmNydDA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AyLmds
-b2JhbHNpZ24uY29tL2dzZG9tYWludmFsZzIwHQYDVR0OBBYEFEkxhnTOMo28i3Yh
-yH9oLEL+HNjJMB8GA1UdIwQYMBaAFJat+rBbuYNkKnbCHIpp2kLc/v0oMA0GCSqG
-SIb3DQEBBQUAA4IBAQBWzbngCosmPDWYEys4jRqkeAiIPZDXXMCschXEt5WuAiBb
-Ztve1aS9Lc8BGXyusZCrMbJ00ZzBXIyoCGmq6BxKd27EruQlb7bmcnGLyTCaGseg
-E24L6nuaojTfH5phFtQl3kbkFYPo1Vcc0/T3vMKD6vpBkUhWdl2YwWpog/59eXsJ
-SsyQ5ZTG0hehLEBSLc6tO3PpM588KMK7CYVixitYgjcLTNomd4xdNRF2I9ayRw2R
-/vU8AmjNZww2cCQO/GeMqZMqzKTNVwPejHx14wx8X8z4DS6n/wU3U1N6WwpWQMqW
-R0gEBOX9hpLqu9PQuFC3ipmcpek7ZjtOg6+SiLZ6
+MIIGHTCCBQWgAwIBAgISAVNRrmK0qo/HwaqLbfEeSVcJMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMDgxOTM1MDBaFw0x
+NjAzMDcxOTM1MDBaMBYxFDASBgNVBAMTC2ZyaXBvc3Qub3JnMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA40NtrjEbAPdCAliRNgd+6DgwGDGe0eOwyIWu
+nhwWQ3qOz+6zmSVqW4KhbPW5ISipA82SKw97Gu9g6nSRWTHMkry4SzSpis99eQ7x
+QA8TpLm+g9MzH8CJKs3ea8N2Xqc6EqpnaNmCSo07+0oki2r5LRAwANChLOFuRvRI
+Mg4bckDcJ5WGR7n+E8NllZI9ntjeFk9uqNcnXkCU1j5kCG9P5MdRm3mgSHCCZN2o
+3JcBFx2Na6QWLRiCHA0JY2xi/MNewdk2LRAYHxT/4HHXNCJ0zBKYNZYDbAVLIOhd
+5Nb8ZrgNwG+Tz3gdgeCM3P2FEVNaufOh8YgxzCXigbogVLDqzTdVOi1I7ERUCOsG
+jh8kN+Nbte1hHLPFuVCQNhiaIaKFM+IYUaMWPoLxN9knHWcVUMwdwuKg9lLVnGvF
+nV+SZcqtekIZ4L6Ekw/tQtjxEKpm7AWYIgYCt+K6XAs4nzjFpAvGbgzqZE3jWtjg
+twpkc+UsPL9YNwwJwMnwGZfLeM3lDeJo7U1OYOf0MV65H5JRM0wduqvpnCm8Ft0i
+7OhEzOi7/wBtWU0TnyZNYz6wOZ0nMAvqjHDJ+NmE4nWoBQHY+hDD1x+pAtKNy2jn
+nfjd6N2ToUEdfIBiNOT37uinMwDq3Y+BCK0hUEyOCE8MKx82v2aysgc2sLHNKlsO
+zBScg0UCAwEAAaOCAi8wggIrMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr
+BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUHZY9GB30
+kxEIRKVLzdyDVL4FPycwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEw
+cAYIKwYBBQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDEu
+bGV0c2VuY3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgx
+LmxldHNlbmNyeXB0Lm9yZy8wOQYDVR0RBDIwMIILZnJpcG9zdC5vcmeCD3d3dy5m
+cmlwb3N0Lm9yZ4IQd2lraS5mcmlwb3N0Lm9yZzCB/gYDVR0gBIH2MIHzMAgGBmeB
+DAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMu
+bGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNh
+dGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFu
+ZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5
+IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0G
+CSqGSIb3DQEBCwUAA4IBAQADhIMJYMH9neqNP8pnYUn5XYfZorIRB1n3hbE6s849
+KuBcdAwmbgLXkL67r5cQRUCmLkV+KRu8XOrBHQtYOxzt1ANEWs4lRgZdz3UFUnXT
+/9bzY4DZey+DOmOE0qG9oZD4AZTguFcnkDC4adHrmzdMf3Me3zF5hAJR1N2fEpKk
+vBjnJRKA/90/5U6VMHUiBkor4hMwzfuUCZdgNKvVeGhDWVUr0OLOnW+b8MnmLz87
+LvxR5DgqyxlKqq6CqsGzzLs6qdFqAiZjB7cF2s7e/Wi3nVDFr8Qb1TlxdlkQ15ka
+xbvhxUD0YHOsO+hGiwbo6gAeFrzP3uxTTzhrtHnZgOVZ
-----END CERTIFICATE-----
diff --git a/certs/public/git.fripost.org.pem b/certs/public/git.fripost.org.pem
index 5360ec3..65fd6f3 100644
--- a/certs/public/git.fripost.org.pem
+++ b/certs/public/git.fripost.org.pem
@@ -1,32 +1,35 @@
-----BEGIN CERTIFICATE-----
-MIIFgDCCA2igAwIBAgIJAPfN6C7lrvYQMA0GCSqGSIb3DQEBDQUAME0xEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQwwCgYDVQQLDANXV1cxGDAW
-BgNVBAMMD2dpdC5mcmlwb3N0Lm9yZzAeFw0xNTA1MzAxNTM5MzdaFw0yNTA1Mjcx
-NTM5MzdaME0xEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQww
-CgYDVQQLDANXV1cxGDAWBgNVBAMMD2dpdC5mcmlwb3N0Lm9yZzCCAiIwDQYJKoZI
-hvcNAQEBBQADggIPADCCAgoCggIBALrzJ7lrPSoRqktTezi2Kd1X57JntjUhGzWJ
-lH4gwQeJK0IVm1N8qP7pxJ6PCDd4wPGWzXwegT/hZH28GGVbUFVCu6v6ACmm4+bQ
-PJYzPCavZ7xdI8KnH5K/rNr29lqst9YTXcQTgN52/LtsMnk1K6yl+I96Zq7gSOxg
-C4nFNgykwGGhopc8HbxXo/5f40immkRcF41AOVy8Pb4enUCSO47ou0zV2BmD/DIq
-TdImYzom13Bhc4l8hcd2LQuD+NZvmGq4Oq0Sz4Xwqm9wHgUIiBT4cw2fGBi8hKio
-OJ4Z8j3d7CHmbbXJDYF4heIWycuJDNjNooSDs/rIsqSgiIaGXOShHA0N2sQl06by
-vFKQ0a1vSioq1WaorEeIRbb+qSTtEPHeZe8K4tpgiV1xjsbwceKirB5a1kXACV8z
-OklGlYmUX3WiHCIbHA23qngUsmIcpWd59S6pGwUYOqbPnQHBrvA2EnmrqnR8FpNE
-1NXE8MY1OJGSIHZdMBzrMW4oHTXKf9FVyBVLF7HQHbhOqiY2nUM+oUxc9lDjGASM
-pxNH8YrQ+fEs0x3TX0RM8rtMSbMdLJnn01eUx226vj2lEucjTnmVkzIuoijDTWnO
-pvNGz88+hNI+aaaD7Zskzw14qEFDocI3xPN5vf4XuEBrAKJI88N1YMqjpalRrNu5
-GpOPZW9tAgMBAAGjYzBhMEEGA1UdEQQ6MDiBEWFkbWluQGZyaXBvc3Qub3Jngg9n
-aXQuZnJpcG9zdC5vcmeCEmdpdHdlYi5mcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAA
-MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQ0FAAOCAgEAIj1HrruLLYdNpMWr
-HtfG94VEiPSGoy6Fh+u89iBHyYw1NVmWqNP8dKard4DG1TZYmHCEu4z/g86ryLDG
-3A5h3d4DnLFbnMy2H+4eYA97h/+5MRvYTzA0CFJIEwDFyziFi4GZGLgavRTLlj/L
-7JyjO2p0v0yR9ifkbCpV72Wuyu0lffNuaJ4+6Y1wxL0WP5toT2p6SRyk/Jx7NX/7
-xvEI/8nlohnkKbv8ubwS7ZpmF57IO3FfRVKIqOeo5aUQUvydePlyGG0Iuu0uR6q6
-OEcMnIfLGtETyDj4vo97FM/hzyVdzd4vniET15wwO7SZ6+U12s/ofYTEzN8kCrxO
-C9WguSQlhvM6c02CV7neOL6PEogeGpNchkJwwUpMYF3OpGWg/epP209WVGflnHmg
-hVZzoxDNJ9MuR72okR62X+rpn4oqO92dvSWnAEmStOpUo0i5nlMprNsd3FLg8uVC
-D2DyyaefBVEqYGTLQertr4SRR5hOduz/ltbmnuESY+G327lNma4jl4kwpyAP13sl
-JrfN/WTsYKBTsP1Aroe+MlwRxMNIyUUi9DUe+ZJNyAUELXM4LMCsu+6BvScarQIJ
-H0lpqPZw+4XkbdkK4SdH9WwmpkzcFhIQBkWtYJe1/S7LuBlDqQmIZP3qDYuR36Vo
-FeM2vPhQnlbj2qQomaMM+j6y5cU=
+MIIGAjCCBOqgAwIBAgISAYNlFOqyNr6JG6VCrfsp/5VCMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMDgxOTMyMDBaFw0x
+NjAzMDcxOTMyMDBaMBoxGDAWBgNVBAMTD2dpdC5mcmlwb3N0Lm9yZzCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKZhfyFvQMwMR4fRPBDKsyIkSe7M5wnx
+4IZ0yoJLEU0xq84K+SRQ1l/d2nrnoXQ4QKZj1/Ld9tF0nv3OrmDVvoIjalVCNn2g
+/XBW0e41KdHybhim3hYYB5WajEswGQB8UUgUrCtLoVFhzv9YfrPLVEgMl94GFm0B
+Ju+hasccQrpqD9G5Zzy39VNXaubORUrGXAhpv3yxzaT+WPcvu4kSOqTNcIchujNg
+oIuzp8wtBFSoRfU138tZpLAu+5XK73klb50sDu1/PsL6XnfjDgSGhdhEpkKrf5tS
+3dItAWvJLm9iLAdfLYRye3bgnGkTTiFr6HXiWEbFEb+SccrPtu7nSQEOwjQAIgM+
+eyDuBQE8/z9TN4xutCQOnR4FMysfGUt+Qfd7IZ35Sh1NKcUzN2LHNw1oY06wOMyh
+OYqKztIn/rLjOy+O6sphjy5mn2T4CzQHsqwvXbBHMqnx2uGOLJs2bAbWPfTkmggv
+20lfvnao/L73/RdG9oXqMCErPgVekh90RdpI5BpiPU5cgoNnSgGc6bw3O31CItgT
+dugAzP7mmHdq+1vEgF4Bu6QgBve+UTmJNw5oPTxDW/kDMcmKryz0mJTIv+8EOQLM
+OolWDwKE/v0bF7hY62PVKupb5Whky3k80uUYyh+jD9OMUDvfROvAqmd1CdtpJLhF
+XXxdjG2JonSfAgMBAAGjggIQMIICDDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLlf
+KgMvKLcbf4VlquCyXqJeRuMoMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/z
+qOyhMHAGCCsGAQUFBwEBBGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50
+LXgxLmxldHNlbmNyeXB0Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0Lmlu
+dC14MS5sZXRzZW5jcnlwdC5vcmcvMBoGA1UdEQQTMBGCD2dpdC5mcmlwb3N0Lm9y
+ZzCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI
+KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC
+AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g
+YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0
+aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5
+cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAmjjh+ymazFdma
+4j/fVcAPxmUJSUl7dqG+lohv2uSwnjz/SEMtiOLcpoySOJZAN/tjz5VWvgA+/xeL
+EhmFs5P4FuxvhOX4LJgLgAKL3tEoIvantGi8nPCQh1UBYgvQ3Q5B2svehNWezQva
+qJ0jxsXN8o2BtBq4oC0m7e7UDu7o1YXxZEspPkK6wCAsB7m8fAdPHPA7AyimfqTj
+lPztlpkJsZCGa5lplpi6EvS6wzFkZuWQYHaxqb9L0dN9SVu4YwshEBoKdUMIxSeM
+hD6Dq0ebWLYRWg2AHHnF1xtbfUqQLw1kqbdgcl3vcsoDPt5nDkStMIVcd20nR1W6
+KGZ8K+jB
-----END CERTIFICATE-----
diff --git a/certs/public/imap.fripost.org.pem b/certs/public/imap.fripost.org.pem
index a639fa8..1896b4a 100644
--- a/certs/public/imap.fripost.org.pem
+++ b/certs/public/imap.fripost.org.pem
@@ -1,29 +1,35 @@
-----BEGIN CERTIFICATE-----
-MIIE8jCCAtqgAwIBAgIDAly4MA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NB
-Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
-BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTUwMjI0MTI0MzA5WhcNMTcwMjIz
-MTI0MzA5WjAbMRkwFwYDVQQDExBpbWFwLmZyaXBvc3Qub3JnMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Y2yv7YbJzrmNYBFRnDtUM4Rpxg5wKAPxd2B
-3PfMDJ9CLmp3uRsZ/EgO0QsWa/7BE4OymbUD69OKK2tb5bNpDbFKPT2K7SlWaAcK
-VVkUhFgKgqrGuifdQlOJw/IlUPZj9u3sfk2rE5D1KcxBqVfGEWJm0pvxrOm3Ki2g
-ZjJFrsKonAaXV5STPt7KHMk+UuCVpNRCLckbQ3kZBop8Ds8uOFHUf6dKSSnAFN68
-NY6l5OwFbTqie+6hhsR1b/k+/vyDxOrm9wwGV8fYfdfPzYdv7wzGLJw0YOyVFwmb
-BWDOFps4AVxnu5WC1oUKjLI7ClYY5Bsgl/M295vaYssqLs0DoQIDAQABo4IBBDCC
-AQAwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwNAYDVR0lBC0wKwYIKwYB
-BQUHAwIGCCsGAQUFBwMBBglghkgBhvhCBAEGCisGAQQBgjcKAwMwMwYIKwYBBQUH
-AQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5jYWNlcnQub3JnLzA4BgNV
-HR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNhY2VydC5vcmcvY2xhc3MzLXJldm9r
-ZS5jcmwwOwYDVR0RBDQwMoIQaW1hcC5mcmlwb3N0Lm9yZ6AeBggrBgEFBQcIBaAS
-DBBpbWFwLmZyaXBvc3Qub3JnMA0GCSqGSIb3DQEBDQUAA4ICAQBd+VPou5v0FvKn
-kIh/VYj6ifSIqmmD9BC26/IwKc0T6gYG/jSnqdp7uDIXLGLcBymTHu8Jur11aOZ2
-7PQcF3urZiJRca5NCF0TzVM06i9wm4tZNPBu5f/2Wpez6Tlh8oDsHvfNCLMNEgxJ
-wS4WgST0wq8yXTyJcnKG85lY1BxZzk6JTogZZEqxOjk7W2DxdILFYIQlFT7mFsX+
-Cgru6mP0VpO+tRhMHaBt5gV3gimrTovqNOW0DOKy9TSWU0WgJ+R9ehqxlAh0AIL8
-aa/eTOHCZ99Ad3AE+eFx59LLabSRz0fNxfKojN/KWG+EPwMkE3r/FoVgcXc4/1Gx
-D6KAtACqyAgGONaTSkjRnZsvlQmKpcdNvPRV6Xt8tJNlqnCOdSNKqFQkNWQW3eXx
-cHKbOl77m/cflT7vAIz5nv+LLiWuwSLRzxnLTy03iOIXBiIpnGvLSbGV06ocSQjW
-OUB4dCIFn1a6LjmExoOo5uqSrsKSUoit47D7PpumE0P2pLD7+iNYpvHhuQh9Galf
-6UIeO8POiZR1kso0XqfyYWGcmrOa4SWLPXRK1dRlz12XVtAN5B+JWGUmsixAFu+l
-RxGL9eLvFWjd/KiuZUNRcoge80Hf1RrHDuu5GUWjlKmxu1QzS+Kpdib1fQx1ukt8
-iwWMTlTVy6DNy4OillMconIZ2Rx9wg==
+MIIGFzCCBP+gAwIBAgISAeKF61Exi1Bd4jXjTumceSXeMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMDgxOTU5MDBaFw0x
+NjAzMDcxOTU5MDBaMBsxGTAXBgNVBAMTEGltYXAuZnJpcG9zdC5vcmcwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDZaLXYYngW1ioTzfNRtmUeFh9Kopdi
+1qfcpRdPwTndRJRfWNC8eA66gDsypYAHc2TlKW86H5ktSpl4ZxmeXTPvK1Ajfe5u
+MkOwIHrjHCqKtXXYq4VX0bPCBNSAtT6X1/unBebEoMl/SX6R6m78lEc2020bW7vT
+ATMbdGN0AKW3C+zyfOAK2uMILEaFL/0wQRwXJZD8vYk8XH6h3p2Sb9Zb7X5xb0kf
+QoDom6AV6gNYnFGsxZkTGcAZVfia2gjM2gl7b/QW8FH4ENazrYqyMs7wMAOvYLfJ
+WybxgwqEiVIG8+p/uYIKfqZaLabBXa++JgEx1CkxqsTqXAw2ruYGNZ46V0YiUxnk
+Huyoq6eRR+gnzN7TUVx7bbeBCoKcin/r33TSJj6rc7l7YrzelO7LpLDV67gKxhjE
+y76BILtscipL2SV/MsRR4mjn3Lm74Al90DHgfsXYlPvzrOdpDqwhpv96LKo6lop0
+hz0PQMQrYWYu43wfPAZOZtBH5Mdc/8NapnA6cnzWhCxtWKFK+bO6FItUgDGxET36
+WZUClrRpCLHk+nOn9buPWddr3JbEasvTdgIDKWF1D4hqKxNK1+myo7fQE6999nEO
+jrpiN5bhr1HUOWmSOnEcPm3zUskDk133koQ/CpfUMzg8jZpXSsYpVRov+oUZofcU
+zkPdVExs8rz7MwIDAQABo4ICJDCCAiAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
+MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQG
+WiAaUhAefQy9IZ0tP8BZqxPF5DAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv
+86jsoTBwBggrBgEFBQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmlu
+dC14MS5sZXRzZW5jcnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5p
+bnQteDEubGV0c2VuY3J5cHQub3JnLzAuBgNVHREEJzAlghBpbWFwLmZyaXBvc3Qu
+b3JnghFzaWV2ZS5mcmlwb3N0Lm9yZzCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB
+5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2Vu
+Y3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5
+IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5
+IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5k
+IGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3
+DQEBCwUAA4IBAQAS2kt6KFeNkudjNucQcxQv9qx2skPil5Sh1YqeJF76tkVH0nno
+0JofNwz97Kzn73VKYCBMiL7VsbK2mOskfl2kl+G9vlY+S5ElQM0zZQMT6XgDKJs7
+a2hVADdca4GAldu9KGjHxiERX6I2tfZ59CH3/OXpHbhT+IE8HqOLpT7Dsl9n6IKA
+QlCuDIjEYSPq6f+ob7asivKNZJIUIWpzzEjudRCbEvijS6Nae4O79sS0UUpqqPws
+17iXYORZJ+hvPglCZK6z9zinZaTPoAHE2UhaJN7fqPF3opvmjiSZkDFFFvA41lkt
+gLrdsIE8QxR3riA2fBtMjuEdUmcc5HUNRVW/
-----END CERTIFICATE-----
diff --git a/certs/public/lists.fripost.org.pem b/certs/public/lists.fripost.org.pem
index 7182fe5..7e04b9a 100644
--- a/certs/public/lists.fripost.org.pem
+++ b/certs/public/lists.fripost.org.pem
@@ -1,32 +1,35 @@
-----BEGIN CERTIFICATE-----
-MIIFcjCCA1qgAwIBAgIJAKA4tp7v9dDAMA0GCSqGSIb3DQEBDQUAME8xEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQwwCgYDVQQLDANXV1cxGjAY
-BgNVBAMMEWxpc3RzLmZyaXBvc3Qub3JnMB4XDTE1MDUxMzAxMDUyN1oXDTI1MDUx
-MDAxMDUyN1owTzEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2VydHMx
-DDAKBgNVBAsMA1dXVzEaMBgGA1UEAwwRbGlzdHMuZnJpcG9zdC5vcmcwggIiMA0G
-CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCxzcjPc7tIddB33YfHGUZmhP3mO6Fl
-k8pJL7nVJgyrnMr832BDyhUrmNGqZc/ZXkY+4QcCv600AsOTqi/e+pCQ2bvddIy4
-7I2jk1qwV1g44bJ4169804uaPROmb0D86RE1XF+3EkIIjyEAReBX9vRNULnbYMlk
-YOrBLy+E89/9huZyhCJO475kq/4AaUqmGc0PR1SSUUpJdAjyCiOAHHZAYtgqBuOA
-2tl6uhZvu+OLbwFY+bitXe0pJJdk9cs/U8c/3X7WqUp1ek9WRPwMfasro5r5EGct
-+ZQw4k1jT3jvNji4pVLqis+WzcOGaMIEPyANPmIsPXr6h89FrBLVf3ccr7V9Qrox
-Px2NCyCfeodrSF+RZjeprCJ9+fpksTJYz02qEbBrslj65TlPMjl1E/JQ1n2H47F1
-8tEAJ0JMmSlvx+WKNMLRKr4cw5M8aqaOunQpTYr+O7UzGspaYwuTn5hFxIrGDJqx
-e4TUByBRNiiX4tTYzvuPvPlnEhOcRz9mVPGMzMInlmM+1K4eIQenQeqvMeEcIk5c
-NibnODQBqA4e6XmUPyh73y8cz0u3s+EBz+vg8m0785VlB/HHVxanJx6J9R4zWi2K
-H0MXvVAFI8Om4sA1eg25EogTmPZQp6N1xsEQIl5bt1yiv0XJUdSdzpY6hho160u7
-hge7KyBZoUX/mQIDAQABo1EwTzAvBgNVHREEKDAmgRFhZG1pbkBmcmlwb3N0Lm9y
-Z4IRbGlzdHMuZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC
-AqQwDQYJKoZIhvcNAQENBQADggIBAKZHb3C/tIft8PzvR/K4c8CKWOMT1afizz/K
-VVlYGG6JHAjGCveIt61oD+entbxLGjUNqPbq0JLlocEeI1BXT3ikMTmhCmjuB5XQ
-+it34Xang3KNe7jDJOc7Z+GXYY+lqYA3qDKXIOXi20zziVmy9MAyEwuqRLdGziO4
-u+yYHHwHaK+2qgiMIP/wCcLlF2uPsOz0A+3/rLvVQiQURfHLL97a1sY3VNuYPuMA
-EXhUouyfibcBHRVfFANSj2QSDpbD5ms9xoDbmO6qp0Kw5408M2KwF1EaZtSTVRQS
-tyKCJ+7olziAXeQs/I0WENjxSF9tKSW10VWzXk1zJaR95BkiXNaICHyB0zRIXeYU
-DRzlhgWuxhWwf7mfCr5Uzjn/AMQcS0ba104bFRsieag3SX1KnU9PyQdqXc28jfo7
-2IdGj2qIeYY+I6sGfyD5rXx2W5+t+cf8of0stlq4bag7DFbrN9RsSMCpwrbCrpMy
-BO60QmcYRrkKNL04t+723DWQv5joekaKQB4Wy7fZldhd17Kit3Ds/R3Nc64znVfh
-KRn6QYzHOdYkf1MBMeS91qaGQTDndKFjZlayO7IqSusNEoDLp6f1knl+WU3+qwoa
-CkEH6MjpRmjtu7dGudQPly/XkgpnDMRR8B8o2cNHpKQNYwAyE9bVPRIdnx738Vjo
-l3P0GZ75
+MIIGBjCCBO6gAwIBAgISAUJ3fVQbiEbMMnke9mXi7hwwMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMDgxODEzMDBaFw0x
+NjAzMDcxODEzMDBaMBwxGjAYBgNVBAMTEWxpc3RzLmZyaXBvc3Qub3JnMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxy2uS+XBKPzAqj72knb7BOxowvWc
+vtXzCWtU0QBxkcjwPIuXT5tO3/VWOTV3TZZD4rLX1W9hHk+YB7sC+a9SG8FnNnp6
+L02NIfZf+PmI2FSimA+8E9aA5tmh1zYs4vyT3cre4TUceOfmqa7umsmkRA7pMNzo
+Q3EtYduS2r9mr7CRivjkufggJu/gOXGpt2bZ2vlYdA8PqkWxQvNERqjRMaBQd8hJ
+bhzUEmfHdGDMN3f3BpylBYdmRKpj5gc1mEwUgThYJUuar8TU7SuJZVf0VKUcsrhQ
+jYcUb7afnPErIh410gEoOZpmprLVgGEyCRj9l9crez0d1zzun40E0DDDlIGMYcOB
+BwRotVQZnbxGm9h3enOrXdDHw97FGfoI2DhG/51N6Nesem9WaBa6bXO0XsUf8jw2
+sqpaJWd6W3ZyjpnLRwSOPzDWlQgcCx/AVxUC6N8qQMZFEnhaZP95gnQ/n5VPtCO5
+XbgNEvZuBj/95yyDQA4dozRBJ8ELKpW+7aYeSh75KTidjthHPijzCMHkI3xK5csJ
+XnKAhTEenw9lfcBHvx/eogQghktDdBYa3sjQQOoyQj+33DR5HzKKsJAMsKXRKDBI
+/tolHSxJtYwoFNTNOFJ3aq/gPWZqgqm3yctAIyq5oHraaJAOzBkV09NzUFdI5Dw0
+UC6YmZZtmtKoWVsCAwEAAaOCAhIwggIOMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
+FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+R9kLB3gXJ0EiHvp7BNKA6bGL4AYwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl
+7/Oo7KEwcAYIKwYBBQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5p
+bnQteDEubGV0c2VuY3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQu
+aW50LXgxLmxldHNlbmNyeXB0Lm9yZy8wHAYDVR0RBBUwE4IRbGlzdHMuZnJpcG9z
+dC5vcmcwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW
+MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB
+BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1
+cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp
+dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl
+bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAB2LfUsTB
+hLYAAsRpsHiGvJunfsiFUA4lWWAXD4fQ2LND60uv3yK7H+EKJRCZmkgTty5tIOHe
+C9Yb8oyjE6g9Irg7viPgab+Ago+ILi+TbP2VwjKO1ggmvpLmFLxA7hGG6e8MOJx2
+9TufciFTouIKUznmWGNXVPEOMvDjrZYrzngaYP9LC1jHa94hyAGBOCSeLGotzdPo
+RLzvROggglmWo8gLG6qjJD5m4QSaUG90OMyd6WUftEd+6iUb/vc6/1QjHnxyozEQ
+sQovX2l5LL9HKPvoQzZbvxdPt7fzufI152izY3A9UfMfgb56XoD6NP9MHt9HlX0C
+aNpaKPrfsIApHg==
-----END CERTIFICATE-----
diff --git a/certs/public/mail.fripost.org.pem b/certs/public/mail.fripost.org.pem
index 21e7834..8d64f50 100644
--- a/certs/public/mail.fripost.org.pem
+++ b/certs/public/mail.fripost.org.pem
@@ -1,34 +1,35 @@
-----BEGIN CERTIFICATE-----
-MIIF6jCCBNKgAwIBAgISESF11XzOHj81ZogVBVzxjIZRMA0GCSqGSIb3DQEBBQUA
-MFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS0wKwYD
-VQQDEyRHbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gRzIwHhcNMTQw
-MjE0MTY1MTEzWhcNMTYwMzE2MTY1MTEzWjBGMQswCQYDVQQGEwJTRTEhMB8GA1UE
-CxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQDDAtmcmlwb3N0Lm9y
-ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKmwUaNJT9sQMyZ6ST5O
-ohafJdfx+cKPpn3zHUg+bXbwa0L/UgOLqWuwz49zKPcIu3ZdP7t6LqM5jyiXqaIS
-blAudNAFkqi3oEEHn7Qi4pTkE5Gq/X5Cw/uwjTBv7KPcnNg3lPkpw44XgohFMHTd
-WLSEScVeR9gKTZKe9ev0R8XeUK55K+VNVYDoi4u/4XsPD53wGJSoOP9Ph9fWHIkc
-FhXzPGSWVErlPUucs0Yd94umR3Ws7OQuWTNwwT+2vzeeer5qsW/Xj41gQquviAbj
-7FIRjjxO0ONC+iIlor0TJzsKIaHVvNfCXCfDsRQFz8voOrnGn5lwtugBI4WmLm35
-aLPV2sNzs8QoHdd9ZgXTu4h7SyYkbZwSCsjeo+W1ggoA5q85Krk6XzsR5G5Ay4ao
-NiYSt/GKo6AgIHywCaPiK8Gsv+E0LPMSy79zmNo1K/LErlnknkd7/m01lhO8ION4
-4aLwEwAimbbn5Q19VT7KSMO6GjDTme5lzizIF9S3Qns6PXRacak3KNVo31qPPNmQ
-VeBiFe6nonpCSDKc2+CFmmpVKqNT1fTsolrb0/ZNn/GrY/GPy2jEEW9vVUvhToNz
-tWTrRzspROWCxKZrKBmPCi3VSxjcWisoTjN1pshdX9q3j0wV7gNPUxpHiKWbaQN6
-aUKcdem7KUJN28wPbYM9x0mVAgMBAAGjggG/MIIBuzAOBgNVHQ8BAf8EBAMCBaAw
-SQYDVR0gBEIwQDA+BgZngQwBAgEwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cu
-Z2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wKAYDVR0RBCEwH4ILZnJpcG9zdC5v
-cmeCEG1haWwuZnJpcG9zdC5vcmcwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEF
-BQcDAQYIKwYBBQUHAwIwPwYDVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NybC5nbG9i
-YWxzaWduLmNvbS9ncy9nc2RvbWFpbnZhbGcyLmNybDCBiAYIKwYBBQUHAQEEfDB6
-MEEGCCsGAQUFBzAChjVodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2Vy
-dC9nc2RvbWFpbnZhbGcyLmNydDA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AyLmds
-b2JhbHNpZ24uY29tL2dzZG9tYWludmFsZzIwHQYDVR0OBBYEFEkxhnTOMo28i3Yh
-yH9oLEL+HNjJMB8GA1UdIwQYMBaAFJat+rBbuYNkKnbCHIpp2kLc/v0oMA0GCSqG
-SIb3DQEBBQUAA4IBAQBWzbngCosmPDWYEys4jRqkeAiIPZDXXMCschXEt5WuAiBb
-Ztve1aS9Lc8BGXyusZCrMbJ00ZzBXIyoCGmq6BxKd27EruQlb7bmcnGLyTCaGseg
-E24L6nuaojTfH5phFtQl3kbkFYPo1Vcc0/T3vMKD6vpBkUhWdl2YwWpog/59eXsJ
-SsyQ5ZTG0hehLEBSLc6tO3PpM588KMK7CYVixitYgjcLTNomd4xdNRF2I9ayRw2R
-/vU8AmjNZww2cCQO/GeMqZMqzKTNVwPejHx14wx8X8z4DS6n/wU3U1N6WwpWQMqW
-R0gEBOX9hpLqu9PQuFC3ipmcpek7ZjtOg6+SiLZ6
+MIIGGTCCBQGgAwIBAgISAc9Od/F2ZI9NBTwVRRs9P5QGMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMDgxOTQ2MDBaFw0x
+NjAzMDcxOTQ2MDBaMBsxGTAXBgNVBAMTEG1haWwuZnJpcG9zdC5vcmcwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAW/LL+h8Iqhv+6MhmqNCEmXBb822T
+C+uVIGS2wY4sWMl2A7wkldmG7huERI0ornL2R2ypnEV9Rlv8YdnBfnuDGRKNr3DE
+JBgVZFfel3XDlne4U/oQFpFJFi7DkCpU+tpAsadt6TmiLgW3PsQRwDiCuEpfGKmo
+f53QRkHxIVVfrR84hGK8beqQkSn5cb5e0XaAof5s9I/IlU9WcIlSLzZsWLE3WAO9
+QO1goyDrBCeTvMUIC3lkFlSIyJL4m0dyPM9RoELpAOX0i2YQ+Vz8sW5n/6xPrBGU
+piNTaQKa1gX4fleu/6ZEdIzRC7y1vX352wED/cPRC3hLc4kEnUqj+4UzxZup4xe/
+zITxLqa7DArOnj9o9qNCOaLy9zBE6RgJMR42Wv4R53O5GTQHkcU6UtZrSbuxdK6j
+9+3HwfLOwGEbb3dE8RSt1RNvz9cu1EqFGPSfsiGor1v3fiuL7OK/+5+WdxF4myKv
+xui5fmU8KyoDebLs+59CcBNHTcR94eyiSTTDvPgZUIzQaA75wWjwc2S/Eli7Znc/
+bW5PMZhJzqdmORvgg4ryZUl8Vz+KyeGBK+Z5BdEAlsQcOZyax+Ixlc6Ek90Fy71y
+c7lxRbs73FbMIEBKaIceMmEp7jRjqZHZYwGQLyD98XdSCRHFryU8gkdjTKcnZNJp
+9EFpyOXCpaVS8wIDAQABo4ICJjCCAiIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
+MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSm
+OAr5ZZ5/QM3nckd78yr33xB0STAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv
+86jsoTBwBggrBgEFBQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmlu
+dC14MS5sZXRzZW5jcnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5p
+bnQteDEubGV0c2VuY3J5cHQub3JnLzAwBgNVHREEKTAnghBtYWlsLmZyaXBvc3Qu
+b3JnghN3ZWJtYWlsLmZyaXBvc3Qub3JnMIH+BgNVHSAEgfYwgfMwCAYGZ4EMAQIB
+MIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRz
+ZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0ZSBt
+YXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRpZXMgYW5kIG9u
+bHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91
+bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9yeS8wDQYJKoZI
+hvcNAQELBQADggEBAH0J8G1vhKLfTPsE0CNXzKNRk8BtL9zjoAPacX4B3L35UMzU
+WiiJyFueX8haqtU9SfI27fvEml9hhpTUkCkcybMOlmhtMbdRsjqLdskT6LIPMmy1
+Zaw1KzVhyKQ9n+GJKqLWjiPjL/n68SbBofG5ECRbs3xunwk1rjpaKfLQgwqYQWhl
+5hPZoqvtX9FgkYSOQm3do9LbXwotP8O4IV5934Usg6Z1u7PBApVXGnC2XyLNC6d3
+M/hUhNzzSgiJcgi6jysjtSbhV2zxd3vXCyzQpwGE/O9Guk94xmPG2abQmK87rYDi
+4H0Uk1JSUA9QI5N28cBCgbFbggqb4XcF9TjXTY8=
-----END CERTIFICATE-----
diff --git a/certs/public/mx1.fripost.org.pem b/certs/public/mx1.fripost.org.pem
index 4125fe6..9077133 100644
--- a/certs/public/mx1.fripost.org.pem
+++ b/certs/public/mx1.fripost.org.pem
@@ -1,17 +1,35 @@
-----BEGIN CERTIFICATE-----
-MIICzDCCAbSgAwIBAgIJAPMB7FTIynrtMA0GCSqGSIb3DQEBBQUAMB4xHDAaBgNV
-BAMTE2VsZWZhbnQuZnJpcG9zdC5vcmcwHhcNMTQwNjEyMDMzNjA1WhcNMjQwNjA5
-MDMzNjA1WjAeMRwwGgYDVQQDExNlbGVmYW50LmZyaXBvc3Qub3JnMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAujhus+DICT/d8icmD2nXeOAv/g8BFIoC
-vNMJVloT8P+sivFsEi1+WL+4af30N/ic3Sr5gEzU0i85XGf59USdCP+3oB6gwg3y
-59LAvLZGM3b0uD8YfV/OctCruSkb1BNgKnrEvavuKZxyo0lU6KbCymGyJZXlXxHL
-+fmhNvF7dBpGzCtaylSjc7j59TfNHr5jM/itcNQZaxAujJUGg2yxfMNXUBnMxYOY
-LReMpUUacJUUFtBhlTG3ny/Jrga8TxlsvVtEl4yZilpqVJa+BF5G3ex8kaLyYOD/
-frNZxmVoEV/tvqNDtpXGKbpVUVp2HOg+FkJq/d8wa7w0w0akNnpoZwIDAQABow0w
-CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQCqPS6LLs5gzKvFcAOMnkpH
-3+iVEWEpv8UlSb6QIyWVkr5DtyP2N9I6AaDKq2qiwKg1hWanPFvmrkKImXnYm/GJ
-ehMLdkjE3Y6rZZL9iU91KJLu35jeoWVjDjm+Xsjt9JvHELQtDnTxROLv70hL2H7l
-Xu+8xh9iYMrHDYLYu2/3obg2jAAmvkLQ37IEyBFpyCRbtLEaxmRKhOx+q0VUH/e5
-vSAf4EE8cr4AbEzBWWE83SyEJfc65aM97l2U1DmM0KBQfhxD+JTbrEqy7KjA3Ppe
-phCLfLo+igYKAnPqz0kvgIAz4DLKFBW+XN45sZz45ZqfQZKsA+v+XMJ1V7qo9qBV
+MIIGAjCCBOqgAwIBAgISARXQ7SpFB4qRwSLt1oUKpDElMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMTYwMDIzMDBaFw0x
+NjAzMTUwMDIzMDBaMBoxGDAWBgNVBAMTD214MS5mcmlwb3N0Lm9yZzCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKlhAZFY51Mns5A0IyBXGwxS5tdYQaue
+WU/PobCkl0hwMxPB1OzSYa71etMkFiTOsgspxWQ624T7MHM3JhSdOJUpMBJKNwaz
+dsC4sWT7eRTNiLpmM8PypXnJqJ7kvMzLUZiqRM3vfjJ/znOAb1B+zWIiyVCFFk6j
+4X5Ue6zfUROFGVxbIpK7lgpNYI0Ia9IXyX13iqRCvDlcmRdCtz4UpxTaLz6fOyfa
+5S52ABgu9aqjI5eVInTSL0zjPXpn3jzW23z+lffCIxx765iXFJdEuWbzlFnE6SZN
+yvA6zDDfJ+g0D1Pas964nzm0JWGAwQozg5qZFF99Zwxa3PC8nBh7ih+D1j7HPsA0
+93CvU7PITKnDNOdI6i+h+AJQ+wxsb0RtQ88QT/BdAGcD/WpSXn6MG/GBtE6AtSNv
+cd2me4jOAbQHShSQ49/iRTvUmP8jcxW1+CDoYhY+2nBO8MkrNciIK6j8HwptSpbl
+ZDp9GxyrXBXE4YWM1bFIAEBv9u+MrREt9Np/+hCPuaFW0Gx/Dcga47Tcfsm1v4Ub
+NAuciQLEz/CCBAIIfikykDq15Y9Y1WhOmlv5lGN/0dQGqDlXYs7ZGBmbiTv9AYug
+Sawqay8q1MquoIoVPTXP0/5KIdQrx3ioFkZF3fxbGi6iTzwtqcsiKX+82dMW+3PY
+/6L3nrlYwncNAgMBAAGjggIQMIICDDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKXT
+6Tt9ylkLkl3fyPVtgKlD5q8eMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/z
+qOyhMHAGCCsGAQUFBwEBBGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50
+LXgxLmxldHNlbmNyeXB0Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0Lmlu
+dC14MS5sZXRzZW5jcnlwdC5vcmcvMBoGA1UdEQQTMBGCD214MS5mcmlwb3N0Lm9y
+ZzCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI
+KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC
+AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g
+YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0
+aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5
+cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBz9jeaYmoqxSx4
+mf4w6HcKt14vE2tVXuBLcx4BPmK6E7dfUFWw1td9y+252n13BsspKZA2QYDLb6rN
+0F/p0x0JF5AGAijdFyqsEl3N/IJC2bcpt8eyxc+B3phl7Qzl1HnzO/1Y7BNOiGca
+xJ+0dPIGhkhSjzbAj1f3YJyofFcQhHx/r+tOy55O6pxlVRjXLBd1ZtCLRGVGdO2g
+Ecjc+YrYlsiimoHQpizNih1PHzuY/XyHJJeeNGgRPJMYrKrCCiOp/iJUAvOxzCTF
+r27HVf+ZVkFikYllNB0IJB/tNlxj4cOkAXRwLZtN2a7gELTQm9XG5APErq15JK06
+Du+Xy8Mq
-----END CERTIFICATE-----
diff --git a/certs/public/mx2.fripost.org.pem b/certs/public/mx2.fripost.org.pem
index c0e3920..c743fa5 100644
--- a/certs/public/mx2.fripost.org.pem
+++ b/certs/public/mx2.fripost.org.pem
@@ -1,18 +1,35 @@
-----BEGIN CERTIFICATE-----
-MIIC0DCCAbigAwIBAgIJANBAvGQBHfhIMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV
-BAMTFWVsZWZhbnQuc3ZlbnNrYS5ndS5zZTAeFw0xNDAyMTgxOTU3MDJaFw0yNDAy
-MTYxOTU3MDJaMCAxHjAcBgNVBAMTFWVsZWZhbnQuc3ZlbnNrYS5ndS5zZTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO1CRtPMLU5p93Jpo/FAdrai555D
-sWsv9gOBFEPVsGrryHFP7woMN3HBuF4D567MhKod9eEXIuwrHV0tSgUQ5RoKgC48
-MvC6WfBTdYIpSpyWQIMV+90rO4fgGk1KmKiVCPVDWb1XL9IhVxqNs9KOWxUyYT7d
-hgx+Okc1Wg5SzjA3f6n8gy0R3gcPmQ4+h8Y1qHgIt52eU6umgE1WX6dGvRJ6KANk
-5IohMfJV8wu2/HRqcnwFcrGgmovWgOlBStPRNq581jh8QWuYnewTCYqjkn9Ny4v7
-xYBIYNDzTCf/8ML4LkpAgo9+vn4to71HbHt6mpJv3Ct48h0HlGAs7XNtui8CAwEA
-AaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEACjbr0H6cyuZbcvZM
-Lo7G/P7QtHOPFepLN7AT0UzUiNlVBansz5lRAXje//pHS6tgQkJM2wub5vN9BmBL
-7ZF3Mbm/5WQSGzR+W/Q8t3gfm51Op5niY67Pm9NIn3j8PKF2MQ9t8tVvdtJ4bvpM
-6PsCxS+tFyhoe1U4+Cv0ouKwUvB+QbfQ/TUIYzGhZ7JllRWaOCcAXszCMoIWMV0X
-RTYsgqtB9dKJYyak6hMkXpIlL+4GwM3ZBa1YNc/Th5In96sjjcd2PAVfg+Xt7pXL
-3VvGm4W9OirooG+ntEKX1ZoT9pxDlcWy2J7GHsrTn+XLWCmynTBwj5jQ7BAlFvEg
-SswV6g==
+MIIGAjCCBOqgAwIBAgISAUBmsGd9DcCLwDznhjjca/3/MA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMTYwMDEwMDBaFw0x
+NjAzMTUwMDEwMDBaMBoxGDAWBgNVBAMTD214Mi5mcmlwb3N0Lm9yZzCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBALQbPWAwWT9JwMkJ4V+O9lnlvhH+Mbj9
+OpJNy+Aeghevn9eKYNRhouHjqEvS9AfGAkykynnl0xaePg0koF1Eo7/J85HkZrxk
+khikZTYcXRvQxmD6zpU33DS5CH2Jcf2PR1lYrbTTn5emJ8WiUmY0jh941dr5IVKx
+xtdDXpb1fx/4vwJnsuZJfeJ1hVaOqBx0sOHz6pTdKYh3EG5H5uMaW1QQFsi3u6fq
+krwPYk2MS0+jOLgVBb2hDDSJS43rHpIJ37mHWhrB1uX0O1qSuMtefD9jQUQ8h2m4
+kiFwIilMG/89qkCkUfPuh/h7B7I3+aC7ItHWygPEcU16bYKUG8/5Yo8zsMJIu4N3
+DzC/DcoGDwoPsqjp0UMz84E0Mpup9eywIMdR101cR84GSCJnaPUYwz3kBQ3ep6ms
+fM3KijMEC/5tvlx+5QeZzCp2sqoZeqHdr+wDKx/RhtJKk6pmHIC4BwxEhl0hkVxO
+M+rMHwpUhVYTFC00/3OO/uVO3k6+b5F0WS0SY7jBpaXVb8SMuQ8q8+yoZ5M/pFrI
+YCIJyIHEDGR3N3kN6QLGcIHjqchbehOENj0xTxjgdEU7LPIb3ikeudppRLmYXzaD
+a+ucAozbljBHv7LjyDICaLtaC29lTkWgZA7tCcE2DwxK+FxgDlqUyucTBCz+ajjx
+1VZXhzoJZFczAgMBAAGjggIQMIICDDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBAM
+Y9xCJ+RcfJU9bEr7qoSjmrsHMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/z
+qOyhMHAGCCsGAQUFBwEBBGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50
+LXgxLmxldHNlbmNyeXB0Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0Lmlu
+dC14MS5sZXRzZW5jcnlwdC5vcmcvMBoGA1UdEQQTMBGCD214Mi5mcmlwb3N0Lm9y
+ZzCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI
+KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC
+AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g
+YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0
+aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5
+cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBs4Iq51S5xR94h
+SzKhlt7fdCgP1YdjWB1kjWTC9xL7Iii22E4n3YipH96wKHBMxnS3cZsCLHZ8VdHe
+KXr1kTw4AH7Jx+KCzj2ztjD/z6t6wb1IZZTpHFMJKZVf67Y+Bb9W/mpQww1Yq8IU
+x+90BDLE9OiNGjPe/a7uTrCi/FJ8ESCHcX+0yiDXMDP/1Kdy0XPUle+gAqJUUM1R
+09O8f3hwwIhVXcP0DA8UR0un5/usFttereY9OQX46iK4ckrfAhvNpjqqfMVzW1nu
+H0XPnh3lr4k8L/jJeK8tNa3QVnVxPGV5ZDotqQrZKG47nEZgNcXPxxe6otjneZXR
+LQFrwFiZ
-----END CERTIFICATE-----
diff --git a/certs/public/smtp.fripost.org.pem b/certs/public/smtp.fripost.org.pem
index 2f97708..81a1325 100644
--- a/certs/public/smtp.fripost.org.pem
+++ b/certs/public/smtp.fripost.org.pem
@@ -1,31 +1,35 @@
-----BEGIN CERTIFICATE-----
-MIIFUjCCAzoCCQCy2XbMAN1DeTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJT
-RTEQMA4GA1UECgwHRnJpcG9zdDENMAsGA1UECwwEU01UUDEZMBcGA1UEAwwQc210
-cC5mcmlwb3N0Lm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcw
-HhcNMTQwNDA3MjMyMzMwWhcNMjQwNDA0MjMyMzMwWjBrMQswCQYDVQQGEwJTRTEQ
-MA4GA1UECgwHRnJpcG9zdDENMAsGA1UECwwEU01UUDEZMBcGA1UEAwwQc210cC5m
-cmlwb3N0Lm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZnJpcG9zdC5vcmcwggIi
-MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/TboO8u6v8rVtrkI8kDZ4mdxM
-5uyIPR2HODYIdMSj2YHmLohzITyysFNLpAVHOATnRkqLxhmX2zZ+Eu3uCE/kOfdR
-fVNEvnSksFSCFXjqx666k7ABtyNHOVqali2HO62JDs837EPEOnF5oVapIUExse29
-POfBDGf18ArDGgd2Tl2DLDiojZYHh1pOsFhKcsks3OOdE109BG6C9S9ZlFBz0PW/
-s9ESEicP9KsqTpIRyd8OU3x8S0p+MDudu5NJjRG+Vlk6uJ2ApC68EowuIx/h7zbp
-GEBG71GWb3OjlahOsf/EfKf/vHgkK8+CUWW1FGlvznoeS8R/fgUxRTh6+NXiSJGU
-5Eq/wez/hYnotQWBExb42tUBcZbFh6FtD1FU7QNYwALHjV0aSx6leIgkGGWeUgJc
-7o8OtDUX5QiY0Xe0s3g6qLFMGgXsfUA4IWjmOknFUA5CtJhDT5uMQLO/jF0tvugi
-wTaBxpIjYDATfA1JeEB7+cfh9Jw5Q5XmydLUoLdT7Nut8e2NjYyN9izguPBf+Rzk
-gUJZFeB+CEV62lMNWWENqgunjVXicolQ4WdWETYQWzUvVyFvR1RWVkOVw+1Wt6zU
-Vbb3t1b2avnzvp4j92pTImJUgTLLRI5QE3bzD9MMDQSH6s7/dBltGIJeepDHB07H
-yleUc/j6IdbfH5dfNwIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQAFcW7ZYxsSuv3u
-EbCa8NQ+HjecVHD8Spz4ofBZ9R0uON2VI++dz1mBdZE3udoxBt/Nj3U/YnlVToal
-W/dYGusuKQFIATiB9MFXUDl1gfKaqcyrCZUxGpi1OXOa27WPbiRiQMnBYNkD1p3D
-cz28XGQ78DswRER4eFn+76pOjqFxkxEe0Ww1oPvu+in23OWgTVTWP/6Opp6Y/epN
-XkbHKiH9OXe2StYnlXD7P89w07fXaBNfDT5vLC9PDgYJk7wN76AaqwK/ZKFithSx
-oT60db1n+fhaMC2U1R64L2clLpSrZ3lvXRplcsdII/06d+ysJn7hLV9IUca9AMoP
-Px2KIyHgp5U6VtFF6UOLBl9+BUd0zzArSh9CJnXG88+CplGN51Fv2dPqzdno1XSg
-ShbJ1onYonLbDaPG4i0LD3KyIX6ep5eU+KZZtcHwTbzKAQ/ySu5nqx2DAJbalJmj
-9qz/zfOuZMJGDuN+iHCnqyxGoC/hB20IreGHfGS4XmJDkZ3zzqjJjBV32XeZ3Sx6
-odMnwO4mLjyb1Az/C/rwCrVG3nrZQhmD/H+juJVI/cinocJtQoPPq3zPx+GxQUxe
-smR7bY7EMaTt+9EelIGmp65jEGrr+OVhZ3NudwWQyC242SMiOq+JpVRuefp+mtAN
-UGGTaC4MdXJIwWZTakrnhkgTp4uqrA==
+MIIGBDCCBOygAwIBAgISAT/ZlANJISFHRihAoZ7zCz9AMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMTYwMDU3MDBaFw0x
+NjAzMTUwMDU3MDBaMBsxGTAXBgNVBAMTEHNtdHAuZnJpcG9zdC5vcmcwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4wO2IiiPCn9SEc7DRhayWqme2Ef31
+/lO2aFamTnUykDxmuKt8QSVbhN9LQ4dcH1n8CLc7pZvQD12bVu8B+ds50sjKlwEr
+rH/0NsQOOdR5zEhMdRZG8f75Nbvyz0NjMRClAXhc3aJKNJ2qcPOx66IbPbvrk+lf
+lCtQoIblMN/r4UhYMxHMqsZeFBAdI+6ns2pgyR9FOu9zDsTde1a7v2yzQLp1ewjj
+gj0XK0RLJZ8nsRmiOz9UrquYrHnBQkeOF5OK+T45wQdRCSjnmK4jP9nRbIIwLdUQ
+CLRB2Ji8uV8rtPTgFns8Dyx3/dFxgWVzXJwh6EodaWnCO0V8xTODjHMWiQQOobf1
+iEeo6krPq3v19j40c6p+EDLdRRqM/wNtAXS9lfoIDxv/z8Aa4gJpjJhnmkatStaD
+ldwOOPgf0/vtB/QoQJi4J5mLWkeZFl+HJPWrKJGtSCSi/9vndCL7FIbMk5B2d9rD
+IKs2xn3Et1DPV1zpI2vNcky/mebq+Cb2qDNlC5WEDrCIiiUhEJHjd4gdtF/Q6gom
+X8VmH7XigiNE4aVGuWgD9r7iZBFp4hCTw/iczZK9aMi6N6ZeTzLs0YAeR339J2ei
+yDV5aZd/BOepkDb9UYzBCBrU7uAOdCX69YA/FTNHXVYhYqWd14/bJnWKlUckd1D9
+5ioBZfdYQEHOyQIDAQABo4ICETCCAg0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
+MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQn
+lA9Ej2gB1YNUZIYC5AnMWifuyTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv
+86jsoTBwBggrBgEFBQcBAQRkMGIwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmlu
+dC14MS5sZXRzZW5jcnlwdC5vcmcvMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5p
+bnQteDEubGV0c2VuY3J5cHQub3JnLzAbBgNVHREEFDASghBzbXRwLmZyaXBvc3Qu
+b3JnMIH+BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAm
+BggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUF
+BwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBv
+biBieSBSZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRo
+IHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5j
+cnlwdC5vcmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAEvepC7eMCHI
+2yHZx3lSg8KJluZxsW0XlCL6BDupcMKxXQ2DAvhd/d+pnxKQVQ+40Y4NUZGTz1w/
+tZA9lKQn14aQ6o31UKuRSm+FB7zCeLBm3uqxevk8NOcrt1kxvdjul5xYv6t5tLpZ
+Dqk0sM+Lg1/qgTj1IuEQ4rc0RUqoCr2WG0HOW0a8tqWOBDKZDja8r82AhjgT7c21
+2Iz2ItsavlgsW6Gx8OX0gRmoaS3AQ+8dcg99uhajkd5ixkJF09zuqa5Rd87sAjmN
+fmqU/Ok3VUZr1DSrnBc2lt+vhCB8Sn9FcS6BDO3eGy4P8Gy6fES51Bb9MgB6bXOr
+TB5QdMpaRG8=
-----END CERTIFICATE-----
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index dc0b5bf..114388e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -9,7 +9,7 @@ ssl = required
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem
+ssl_cert = </etc/dovecot/ssl/imap.fripost.org.chained.pem
ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
# If key file is password protected, give the password here. Alternatively
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index ec1aaac..c9686c9 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -76,19 +76,6 @@
owner=root group=root
mode=0755
-- name: Generate a private key and a X.509 certificate for Dovecot
- command: genkeypair.sh x509
- --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
- --privkey=/etc/dovecot/ssl/imap.fripost.org.key
- --ou=IMAP --cn=imap.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Dovecot
- tags:
- - genkey
- name: Fetch Dovecot's X.509 certificate
# Ensure we don't fetch private data
@@ -105,7 +92,7 @@
dest=/etc/dovecot/{{ item }}
owner=root group=root
mode=0644
- register: r2
+ register: r1
with_items:
- conf.d/10-auth.conf
- conf.d/10-logging.conf
@@ -132,14 +119,14 @@
create=yes
owner=root group=root
mode=0644
- register: r3
+ register: r2
when: "'IMAP' in group_names and 'webmail' not in group_names"
notify:
- Restart Dovecot
- name: Start Dovecot
service: name=dovecot state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index efcebef..caba881 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -75,8 +75,8 @@ smtp_tls_fingerprint_digest = sha256
{% endif %}
smtpd_tls_security_level = encrypt
-smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.pem
-smtpd_tls_key_file = /etc/postfix/ssl/private/smtp.fripost.org.key
+smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.chained.pem
+smtpd_tls_key_file = /etc/postfix/ssl/smtp.fripost.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index da6923b..1b820e3 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -82,7 +82,7 @@
# Ensure we don't fetch private data
sudo: False
# `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
- fetch: src=/etc/ssl/certs/ssl-cert-snakeoil.pem
+ fetch: src=/etc/postfix/ssl/mx.fripost.org.pem
dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pem
fail_on_missing=yes
flat=yes
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index b9f7c09..0259538 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -93,8 +93,8 @@ smtp_tls_fingerprint_digest = sha256
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_cert_file = /etc/postfix/ssl/mx.fripost.org.chained.pem
+smtpd_tls_key_file = /etc/postfix/ssl/mx.fripost.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default
new file mode 100644
index 0000000..6df1615
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/sites-available/default
@@ -0,0 +1,11 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ # serve ACME challenges on all virtual hosts
+ # /!\ need to be served individually for each explicit virtual host as well!
+ include snippets/acme-challenge.conf;
+}
diff --git a/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf b/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf
new file mode 100644
index 0000000..b2a856a
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge/ {
+ alias /var/www/acme-challenge/;
+ default_type application/jose+json;
+}
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index c44e3a5..fb6bb2d 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -8,7 +8,7 @@
tags:
- logrotate
-- name: Copy fastcgi parameters and SSL configuration snippets
+- name: Copy fastcgi parameters, acme-challenge and SSL configuration snippets
copy: src=etc/nginx/snippets/{{ item }}
dest=/etc/nginx/snippets/{{ item }}
owner=root group=root
@@ -19,6 +19,7 @@
- fastcgi-php.conf
- fastcgi-php-ssl.conf
- ssl.conf
+ - acme-challenge.conf
notify:
- Restart Nginx
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index a852c4d..07047c7 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -52,3 +52,6 @@
- name: Restart freshclam
service: name=clamav-freshclam state=restarted
+
+- name: Install LetsEncrypt's ACME client
+ apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 470a6b2..955493a 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -45,6 +45,9 @@
- rsync
- screen
- telnet-ssl
+ # for letencrypt
+ - liblwp-protocol-https-perl
+ - socat
# XXX: this is a workaround the CAcert root CAs not being present in
# Jessie. In stretch, we would merely install the 'ca-cacert' package.
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index 67776de..afb5fca 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -4,42 +4,13 @@ server {
server_name git.fripost.org;
+ include snippets/acme-challenge.conf;
+
access_log /var/log/nginx/git.access.log;
error_log /var/log/nginx/git.error.log info;
- location ^~ /static/ {
- alias /usr/share/cgit/;
- expires 30d;
- }
-
- # Bypass the CGI to return static files stored on disk. Try first repo with
- # a trailing '.git', then without.
- location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" {
- root /var/lib/gitolite/repositories;
- try_files /$1.git/objects/$2 /$1/objects/$2 =404;
- expires 30d;
- gzip off;
- # TODO honor git-daemon-export-ok
- }
-
- # disallow push over HTTP/HTTPS
- location ~* "^/[^/]+/git-receive-pack$" { return 403; }
-
- location ~* "^/[^/]+/(?:HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$" {
- gzip off;
- include uwsgi_params;
- uwsgi_modifier1 9;
- uwsgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
- uwsgi_pass unix:/run/uwsgi/app/git-http-backend/socket;
- }
-
-
- # send all other URLs to cgit
location / {
- gzip off;
- include uwsgi_params;
- uwsgi_modifier1 9;
- uwsgi_pass unix:/run/uwsgi/app/cgit/socket;
+ return 301 https://$host$request_uri;
}
}
@@ -51,7 +22,7 @@ server {
server_name git.fripost.org;
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/git.fripost.org.pem;
+ ssl_certificate /etc/nginx/ssl/git.fripost.org.chained.pem;
ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
access_log /var/log/nginx/git.access.log;
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
index 27e0554..7237aa9 100644
--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
@@ -72,26 +72,12 @@
- www-data
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/git.fripost.org.pem
- --privkey=/etc/nginx/ssl/git.fripost.org.key
- --ou=WWW --cn=git.fripost.org --dns=git.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
-
- name: Copy /etc/nginx/sites-available/git
copy: src=etc/nginx/sites-available/git
dest=/etc/nginx/sites-available/git
owner=root group=root
mode=0644
- register: r2
+ register: r1
notify:
- Restart Nginx
@@ -100,13 +86,13 @@
dest=/etc/nginx/sites-enabled/git
owner=root group=root
state=link force=yes
- register: r3
+ register: r2
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index ea0424f..5e469fa 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -4,10 +4,14 @@ server {
server_name lists.fripost.org;
+ include snippets/acme-challenge.conf;
+
access_log /var/log/nginx/lists.access.log;
error_log /var/log/nginx/lists.error.log info;
- return 302 https://$host$request_uri;
+ location / {
+ return 301 https://$host$request_uri;
+ }
}
@@ -21,7 +25,7 @@ server {
error_log /var/log/nginx/lists.error.log info;
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem;
+ ssl_certificate /etc/nginx/ssl/lists.fripost.org.chained.pem;
ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
location = / {
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index 4501d39..21e769a 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -1,26 +1,12 @@
- name: Install Nginx
apt: pkg=nginx
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/lists.fripost.org.pem
- --privkey=/etc/nginx/ssl/lists.fripost.org.key
- --ou=WWW --cn=lists.fripost.org --dns=lists.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
-
- name: Copy /etc/nginx/sites-available/sympa
copy: src=etc/nginx/sites-available/sympa
dest=/etc/nginx/sites-available/sympa
owner=root group=root
mode=0644
- register: r2
+ register: r1
notify:
- Restart Nginx
@@ -29,13 +15,13 @@
dest=/etc/nginx/sites-enabled/sympa
owner=root group=root
state=link
- register: r3
+ register: r2
notify:
- Restart Nginx
- name: Start nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 1297834..df10be9 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -3,12 +3,17 @@ server {
listen 80;
listen [::]:80;
- server_name mail.fripost.org;
+ server_name mail.fripost.org;
+ server_name webmail.fripost.org;
+
+ include snippets/acme-challenge.conf;
access_log /var/log/nginx/roundcube.access.log;
error_log /var/log/nginx/roundcube.error.log info;
- return 301 https://$host$request_uri;
+ location / {
+ return 301 https://$host$request_uri;
+ }
}
@@ -16,7 +21,9 @@ server {
listen 443;
listen [::]:443;
- server_name mail.fripost.org;
+ server_name mail.fripost.org;
+ server_name webmail.fripost.org;
+
root /var/lib/roundcube;
include snippets/ssl.conf;
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index ed6a3b4..3eaf766 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -103,26 +103,12 @@
- name: Start php5-fpm
service: name=php5-fpm state=started
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/mail.fripost.org.pem
- --privkey=/etc/nginx/ssl/mail.fripost.org.key
- --ou=WWW --cn=mail.fripost.org --dns=mail.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
-
- name: Copy /etc/nginx/sites-available/roundcube
copy: src=etc/nginx/sites-available/roundcube
dest=/etc/nginx/sites-available/roundcube
owner=root group=root
mode=0644
- register: r2
+ register: r1
notify:
- Restart Nginx
@@ -131,13 +117,13 @@
dest=/etc/nginx/sites-enabled/roundcube
owner=root group=root
state=link force=yes
- register: r3
+ register: r2
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 3e32158..2519286 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -5,10 +5,14 @@ server {
server_name fripost.org;
server_name www.fripost.org;
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log info;
+ include snippets/acme-challenge.conf;
- return 301 https://fripost.org$request_uri;
+ access_log /var/log/nginx/www.access.log;
+ error_log /var/log/nginx/www.error.log info;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
}
@@ -16,14 +20,15 @@ server {
listen 443;
listen [::]:443;
- server_name fripost.org;
+ server_name fripost.org;
+ server_name www.fripost.org;
include snippets/ssl.conf;
ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem;
ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log info;
+ access_log /var/log/nginx/www.access.log;
+ error_log /var/log/nginx/www.error.log info;
location / {
try_files $uri $uri/ =404;
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index 3777b87..2855e07 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -4,18 +4,14 @@ server {
server_name wiki.fripost.org;
+ include snippets/acme-challenge.conf;
+
access_log /var/log/nginx/wiki.access.log;
error_log /var/log/nginx/wiki.error.log info;
location / {
location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; }
- try_files $uri $uri/ =404;
- index index.html;
- root /var/lib/ikiwiki/public_html/fripost-wiki;
- }
-
- location = /ikiwiki.cgi {
- return 302 https://$host$request_uri;
+ return 301 https://$host$request_uri;
}
}
diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml
index 22a5831..763f99a 100644
--- a/roles/wiki/tasks/main.yml
+++ b/roles/wiki/tasks/main.yml
@@ -65,26 +65,12 @@
- meta: flush_handlers
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/fripost.org.pem
- --privkey=/etc/nginx/ssl/fripost.org.key
- --ou=WWW --cn=fripost.org --dns=fripost.org --dns=wiki.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
-
- name: Copy /etc/nginx/sites-available/{wiki,website}
copy: src=etc/nginx/sites-available/{{ item }}
dest=/etc/nginx/sites-available/{{ item }}
owner=root group=root
mode=0644
- register: r2
+ register: r1
with_items:
- website
- wiki
@@ -96,7 +82,7 @@
dest=/etc/nginx/sites-enabled/{{ item }}
owner=root group=root
state=link force=yes
- register: r3
+ register: r2
with_items:
- website
- wiki
@@ -105,15 +91,15 @@
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
- name: Fetch Nginx's X.509 certificate
# Ensure we don't fetch private data
sudo: False
- fetch: src=/etc/nginx/ssl/fripost.org.pem
- dest=certs/public/
+ fetch: src=/etc/nginx/ssl/www.fripost.org.pem
+ dest=certs/public/fripost.org.pem
fail_on_missing=yes
flat=yes
tags: