mailcow-dockerized
mobileconfig not signed
Hi there,
is it possible to sign the mobileconfig.php for preventing the "not signed" issue ?
-matthias
That was originally part of #972, but removed before merging. The implementation there was a bit dangerous because it used the same private key as the TLS services.
Nobody ever picked up on it because signing isn't really required, but feel free to submit another pull request that obtains a separate Let's Encrypt certificate and uses that for signing.
OK, I think this is a valuable feature and I would like to implement it. Can you briefly explain the necessary steps to properly implement it?
My thoughts:
- define this feature as optional
- implement a subdomain for delivering the mobileconfig.php over its own cert, maybe mobilconfig.${MAILCOW_HOST}
- update documentation (DNS, nginx conf and necessary env vars)
- something else ... ?
This would really be great :) +1
@MatthiasHertel, sounds good. Add an environment variable with the subdomain name to be used. If it is not set, no certificate should be requested and no mobileconfig should be signed.
Since the certificate is separate from the one for the mailcow domains, you don't need to modify the acme container entrypoint. Instead, obtain the certificate from within the PHP script (using a PHP acme client like https://github.com/kelunik/acme-client) the first time a mobileconfig is generated or if the previous certificate has expired.
Regarding the signing: maybe @feldsam can provide his code if he still has it. It used to be part of #972, but he squashed all commits into one before merging, which means that the history is lost.
Hello, in my PR the signing used proc_open and called openssl on the command line, which @andryyy didn't like; he recommended doing it via the PHP openssl lib, so my code is useless for this community.
@feldsam, could you still push your code to a Git repository? It's not that difficult to just replace that proc_open with a library call. Everything else -- like preparing the data and attaching the signature to the plist -- is still the same.
Hello, here is the whole file (latest version):
https://github.com/FELDSAM-INC/mailcow-dockerized/blob/feldhost-rc/data/web/mobileconfig.php
and here is the commit (I don't know if something changed in that code block after this commit): https://github.com/FELDSAM-INC/mailcow-dockerized/commit/325ea9184c03ca78cd0a46f30b03b4198f48beb1
That should provide a good starting point for @MatthiasHertel. Thanks, @feldsam. I guess the needed PHP function is openssl_pkcs7_sign.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hi, I too would like to know the plans for this feature, alternatively is someone using their own workaround?
Thanks
Hi all, here is my version, which uses Let's Encrypt SSL. Small change in docker compose and in the acme docker-entrypoint to generate a password-protected key. Core developers don't like mounting the ssl directory inside the PHP container and propose generating separate keys for this purpose, but nobody did it and I use my version. Since my last PR I refactored proc_open to use native PHP ssl functions.
Probably better would be mounting just key.secure.pem and cert.pem instead of the whole ssl dir.
@mkuron, look at this commit and if you like it I can open a PR.
https://github.com/FELDSAM-INC/mailcow-dockerized/commit/a7a8fc5082c02c822fb7724a86ae85818e40ddd9
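As an added illustration of the library-call approach discussed above (this is not mailcow's mobileconfig.php and not @feldsam's code), the sketch below signs the profile with openssl_pkcs7_sign using a separate certificate and a passphrase-protected key, then converts the S/MIME output into the DER-encoded PKCS#7 that profile installers expect. The MOBILECONFIG_* environment variable names and the sample plist are assumptions.

```php
<?php
// Added example, not part of mailcow. The env var names below are hypothetical.
function sign_mobileconfig(string $plist, string $certPath, string $keyPath, string $keyPass): string
{
    $cert = openssl_x509_read(file_get_contents($certPath));
    // The key file is only usable together with the passphrase, so a mounted key alone is not enough.
    $key = openssl_pkey_get_private(file_get_contents($keyPath), $keyPass);
    if ($cert === false || $key === false) {
        throw new RuntimeException('cannot load signing certificate or key: ' . openssl_error_string());
    }

    $in  = tempnam(sys_get_temp_dir(), 'mc-in-');
    $out = tempnam(sys_get_temp_dir(), 'mc-out-');
    file_put_contents($in, $plist);

    // No PKCS7_DETACHED: the plist is embedded in the signedData structure, which is what
    // the profile installer requires. PKCS7_BINARY keeps the XML bytes untouched.
    $ok = openssl_pkcs7_sign($in, $out, $cert, $key, [], PKCS7_BINARY | PKCS7_NOATTR);
    $smime = $ok ? file_get_contents($out) : false;
    unlink($in);
    unlink($out);
    if ($smime === false) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }

    // openssl_pkcs7_sign writes an S/MIME message (MIME headers, blank line, base64 body);
    // the raw DER PKCS#7 the profile needs is the decoded body.
    $parts = preg_split("/\r?\n\r?\n/", $smime, 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('unexpected S/MIME output');
    }
    $der = base64_decode(preg_replace('/\s+/', '', $parts[1]), true);
    if ($der === false) {
        throw new RuntimeException('unexpected S/MIME output');
    }
    return $der;
}

// Constructed minimal profile standing in for the XML mobileconfig.php builds.
$plist = '<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
       . '<key>PayloadType</key><string>Configuration</string></dict></plist>';

$der = sign_mobileconfig(
    $plist,
    getenv('MOBILECONFIG_CERT'),      // assumed: PEM certificate for the signing subdomain
    getenv('MOBILECONFIG_KEY'),       // assumed: passphrase-protected PEM key
    getenv('MOBILECONFIG_KEY_PASS')   // assumed: the passphrase
);
header('Content-Type: application/x-apple-aspen-config');
header('Content-Disposition: attachment; filename="mailcow.mobileconfig"');
echo $der;
```

If the signing certificate's chain is not already trusted by the device, pass the intermediate certificate file as the last argument of openssl_pkcs7_sign so it is included in the signature.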
@DerLinkman I think this is working
Any update?