sakis-tech/npm-cert-export

Nginx Proxy Manager Certificate Export to Mailcow

This shell script exports a certificate from Nginx Proxy Manager for use with the mailcow mail server.

How does it work

This script has to be added to crontab and executed on the machine to which the certificate needs to be copied.

It was developed for use with the mailcow mail server, but you can actually run it with any application that runs behind Nginx Proxy Manager (NPM).

The script logs in over SSH to the machine where NPM is running, then finds the appropriate certificate file for your domain.

If the local certificate is already outdated, it is replaced with the new one from NPM.

Usage

  1. Clone the repository and make the script executable
cd /opt
git clone https://github.com/sakis-tech/npm-cert-export.git
cd npm-cert-export
chmod +x sync_certs.sh
  2. Edit the script
# Nginx Proxy Manager Settings

# 1. Enter the user and host where NPM is running
NPM_HOST_URL='root@192.168.1.100'

# 2. Set the paths on the remote NPM host to its files, as they are set in the Docker ENV for NPM
NPM_DATA='/docker/nginx-proxy-manager/data'
NPM_LE='/docker/nginx-proxy-manager/letsencrypt'

# 3. Set your target machine settings here: domain name, and paths to the certificate and private key
# Target Host
TARGET_HOST='mail.eg23.ru'
TARGET_CRT_PATH='/opt/mailcow-dockerized/data/assets/ssl/cert.pem'
TARGET_KEY_PATH='/opt/mailcow-dockerized/data/assets/ssl/key.pem'

# 4. Here you can set additional commands to run after the certificate is renewed. By default it tries to restart certain mailcow containers, but you can put whatever you need here.
after_cmd() {
  postfix_c=$(docker ps -qaf name=postfix-mailcow)
  dovecot_c=$(docker ps -qaf name=dovecot-mailcow)
  nginx_c=$(docker ps -qaf name=nginx-mailcow)
  docker restart ${postfix_c} ${dovecot_c} ${nginx_c}
}
  3. Make sure to add your local user's public SSH key from the target machine to authorized_keys on the remote machine where NPM is running. Here are brief instructions on how to do this, if you are a little confused by that.

  4. After you run the script and check that everything is OK, you can add it to crontab

crontab -e
# Add 
0 * * * * /opt/npm-cert-export/sync_certs.sh > /opt/npm-cert-export/sync_certs.log
  5. Don't forget to disable the certificate renewal process on the mailcow server.
# cat mailcow.conf | grep SKIP_LE
SKIP_LETS_ENCRYPT=y
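
An added example, not taken from sync_certs.sh: one way to implement the replace-if-outdated step so that the private key is installed with mode 600, each file is swapped in by an atomic rename, and after_cmd runs only when something actually changed. It assumes "outdated" means the fetched file differs byte-for-byte from the installed one; install_if_changed and sync_pair are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example, not part of sync_certs.sh. Assumption: a local file counts as
# outdated when it differs byte-for-byte from the copy fetched from NPM.

# install_if_changed SRC DST MODE   (hypothetical helper)
# Returns 0 if DST was replaced, 1 if already identical, 2 on error.
install_if_changed() {
  local src="$1" dst="$2" mode="$3" tmp
  [ -s "$src" ] || return 2            # never install a missing or empty file
  cmp -s "$src" "$dst" && return 1     # identical: leave DST untouched
  # Temp file in DST's directory so the final mv is an atomic rename.
  # mktemp creates it with mode 0600, so the key is never world-readable.
  tmp=$(mktemp "$(dirname "$dst")/.certsync.XXXXXX") || return 2
  if cat "$src" > "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dst"; then
    return 0
  fi
  rm -f "$tmp"
  return 2
}

# sync_pair NEW_CRT NEW_KEY DST_CRT DST_KEY [HOOK]   (hypothetical helper)
# Returns 0 if anything was replaced (HOOK has run), 1 if nothing changed,
# 2 on error. HOOK would be after_cmd in the README's configuration.
sync_pair() {
  local changed=0 rc=0
  install_if_changed "$2" "$4" 600 || rc=$?   # private key: owner only
  [ "$rc" -eq 2 ] && return 2
  [ "$rc" -eq 0 ] && changed=1
  rc=0
  install_if_changed "$1" "$3" 644 || rc=$?   # certificate is public data
  [ "$rc" -eq 2 ] && return 2
  [ "$rc" -eq 0 ] && changed=1
  [ "$changed" -eq 1 ] || return 1
  if [ -n "${5:-}" ]; then "$5" || return 2; fi
  return 0
}
```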

Cloudflare TLSA Record Management Script

This script automates the management of TLSA records on Cloudflare for a given domain. It is designed to update or add TLSA records based on the SHA-512 hash of a certificate.

Prerequisites

  • jq: Command-line JSON processor. Ensure it is installed on your system.

     sudo apt-get update
     sudo apt-get install jq

Configuration

  • Cloudflare Authentication:

    • Set the cloudflare_token variable in the script with your Cloudflare API token.
  • Domain Configuration:

    • Set the zone and dnsrecord variables to your specific domain and DNS record.

Usage

  1. Make the script executable:

    chmod +x cloudflare_tlsa_mailcow.sh
  2. Run the script:

    ./cloudflare_tlsa_mailcow.sh
  3. After you run the script and check that everything is OK, you can add it to crontab

crontab -e
# Add 
0 * * * * /opt/npm-cert-export/cloudflare_tlsa_mailcow.sh > /opt/npm-cert-export/cloudflare_tlsa_mailcow.log
