Skip mta-sts certificate request when MTA-STS is not active for a domain#7315
Open
DRKMDMZ wants to merge 1 commit into
Open
Skip mta-sts certificate request when MTA-STS is not active for a domain#7315DRKMDMZ wants to merge 1 commit into
DRKMDMZ wants to merge 1 commit into
Conversation
Previously the ACME container always requested a certificate for the mta-sts.<domain> subdomain of every active domain when AUTODISCOVER_SAN was enabled, regardless of whether MTA-STS was actually configured or active for that domain. Now the mta-sts subdomain certificate is only requested if an active MTA-STS policy (active = 1) exists for the domain in the mta_sts table. This mirrors the existing behaviour already used for alias domains. Additionally, a tooltip was added to the "active" checkbox in the domain MTA-STS settings to clarify that unchecking it also prevents the ACME certificate request for the mta-sts subdomain. - data/Dockerfiles/acme/acme.sh: gate mta-sts SAN on active mta_sts entry - data/web/templates/edit/domain.twig: add tooltip to active checkbox - data/web/lang/lang.en-gb.json / lang.de-de.json: new mta_sts_active_info - docker-compose.yml: bump acme image tag 1.97 -> 1.98
7 tasks
Author
|
We need this urgently! LE is limiting renews because of too many invalid requests of mta-sts.xxxx.xx |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Contribution Guidelines
What does this PR include?
Short Description
When MTA-STS is not active for a domain (the "active" checkbox is unchecked, or no MTA-STS policy exists), the ACME container will no longer request a certificate for the
mta-sts.<domain>subdomain.Previously,
mta-stswas added unconditionally to the additional SAN list for every active domain whenAUTODISCOVER_SAN=y, so ACME tried to obtain a certificate formta-sts.<domain>even when MTA-STS was never configured or explicitly disabled. This caused unnecessary certificate requests and log noise/failures for themta-stssubdomain.The ACME script now checks the
mta_ststable for an active entry (active = 1) for the domain before adding themta-stssubdomain, mirroring the logic already used for alias domains directly below it. A tooltip was added to the "active" checkbox in the domain MTA-STS settings to make this behaviour transparent to admins.Affected Containers
Did you run tests?
What did you tested?
bash -n acme.sh) and JSON validation of both changed language files.What were the final results? (Awaited, got)
mta-sts.<domain>as before - got exactly that.MTA-STS is not enabled for <domain> - skipping mta-sts subdomain certificate.Closes #6859