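#!/usr/bin/env bash
# Generate TLS certificates for Mailu mail server.
# Signs a server certificate with the shared infrastructure CA found in ../ca
# (ca-cert.pem / ca-key.pem) and writes the result next to this script.
#
# Outputs (all in the script directory):
#   mailu-key.pem   server private key (mode 600, created owner-only)
#   mailu-cert.pem  server certificate signed by the shared CA (mode 644)
#   ca-cert.pem     copy of the CA certificate for Mailu clients
#   mailu.csr       signing request (kept for inspection)
#   san.cnf         OpenSSL config with subject and SANs (kept for inspection)
#
# Environment overrides:
#   MAILU_CERT_DAYS  certificate lifetime in days (default 1095 = 3 years)
#   MAILU_KEY_BITS   RSA key size in bits (default 4096)
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
readonly CA_DIR="$SCRIPT_DIR/../ca"
readonly MAILU_DIR="$SCRIPT_DIR"
readonly CERT_DAYS="${MAILU_CERT_DAYS:-1095}"
readonly KEY_BITS="${MAILU_KEY_BITS:-4096}"

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Verify prerequisites: openssl on PATH and a usable CA cert/key pair.
# Globals: CA_DIR (read)
#######################################
check_prerequisites() {
  command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"
  if [[ ! -f "$CA_DIR/ca-cert.pem" || ! -f "$CA_DIR/ca-key.pem" ]]; then
    die "CA certificates not found. Please run generate-certificates.sh first."
  fi
  [[ -r "$CA_DIR/ca-key.pem" ]] || die "CA key $CA_DIR/ca-key.pem is not readable"
}

#######################################
# Remove artifacts of a previous run so a partial failure can never leave a
# stale certificate next to a freshly generated key.
# Globals: MAILU_DIR (read)
#######################################
cleanup_old() {
  echo "Cleaning up old certificates..."
  rm -f -- "$MAILU_DIR/mailu-cert.pem" "$MAILU_DIR/mailu-key.pem" \
    "$MAILU_DIR/mailu.csr" "$MAILU_DIR/san.cnf"
}

#######################################
# Write the OpenSSL request/extension config (subject, key usage, SANs).
# The subject lives only here; the CSR is generated from this file so the
# DN is not duplicated in a -subj argument.
# Globals: MAILU_DIR (read)
# Outputs: $MAILU_DIR/san.cnf
#######################################
write_san_config() {
  # NOTE(review): DNS.6 = *.bakewise.ai lets this key/cert be accepted for
  # any host under the domain, not only the mail front-end. Narrow it if the
  # certificate is meant for Mailu alone.
  cat > "$MAILU_DIR/san.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = California
L = SanFrancisco
O = BakeryIA
OU = Mail
CN = mail.bakewise.ai
[v3_req]
keyUsage = keyEncipherment, dataEncipherment, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = mail.bakewise.ai
DNS.2 = mailu-front.bakery-ia.svc.cluster.local
DNS.3 = mailu-front.bakery-ia
DNS.4 = mailu-front
DNS.5 = localhost
DNS.6 = *.bakewise.ai
IP.1 = 127.0.0.1
EOF
}

#######################################
# Generate the server private key, CSR and CA-signed certificate, and copy
# the CA certificate for clients.
# Globals: MAILU_DIR, CA_DIR, KEY_BITS, CERT_DAYS (read)
# Outputs: mailu-key.pem, mailu.csr, mailu-cert.pem, ca-cert.pem in MAILU_DIR
#######################################
generate_certificates() {
  echo "Generating Mailu server certificates..."
  write_san_config

  # Generate the private key under umask 077 so the file is owner-only from
  # the moment it is created; the chmod afterwards is then belt-and-braces
  # rather than the only thing closing a world-readable window.
  (
    umask 077
    openssl genrsa -out "$MAILU_DIR/mailu-key.pem" "$KEY_BITS"
  )
  chmod 600 "$MAILU_DIR/mailu-key.pem"

  # Create the CSR; with prompt = no the subject is taken from
  # [req_distinguished_name] in san.cnf.
  openssl req -new -key "$MAILU_DIR/mailu-key.pem" \
    -config "$MAILU_DIR/san.cnf" \
    -out "$MAILU_DIR/mailu.csr"

  # Sign with the shared CA. Extensions are passed via -extfile because
  # `x509 -req` does not carry extensions over from the CSR on its own.
  # -CAcreateserial writes/updates ca-cert.srl next to the CA cert.
  openssl x509 -req -in "$MAILU_DIR/mailu.csr" \
    -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
    -out "$MAILU_DIR/mailu-cert.pem" -days "$CERT_DAYS" \
    -extensions v3_req -extfile "$MAILU_DIR/san.cnf"
  chmod 644 "$MAILU_DIR/mailu-cert.pem"

  # Copy CA cert for Mailu clients
  cp -- "$CA_DIR/ca-cert.pem" "$MAILU_DIR/ca-cert.pem"
  echo "✓ Mailu certificates generated"
  echo ""
}

#######################################
# Print the certificate summary and verify it chains to the shared CA.
# Globals: MAILU_DIR, CA_DIR (read)
# Returns: non-zero (aborting under set -e) if verification fails
#######################################
verify_certificates() {
  echo "Verifying certificates..."
  echo "Mailu certificate details:"
  openssl x509 -in "$MAILU_DIR/mailu-cert.pem" -noout -subject -issuer -dates
  openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$MAILU_DIR/mailu-cert.pem"
  echo ""
}

main() {
  echo "Generating TLS certificates for Mailu..."
  echo "Directory: $MAILU_DIR"
  echo ""
  check_prerequisites
  cleanup_old
  generate_certificates
  verify_certificates
  echo "===================="
  echo "✓ Mailu certificates generated successfully!"
  echo ""
  echo "Generated files:"
  echo " - $MAILU_DIR/mailu-cert.pem (Server certificate)"
  echo " - $MAILU_DIR/mailu-key.pem (Server private key)"
  echo " - $MAILU_DIR/ca-cert.pem (CA certificate for clients)"
  echo ""
  echo "Next steps:"
  echo " 1. Create Kubernetes secret: mailu-tls-secret"
  echo " 2. Mount in mailu-front deployment"
  echo ""
}

main "$@"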