certbot_zimbra.sh

#!/bin/bash

# Copyright (c) 2023 Lorenzo Milesi <maxxer@yetopen.com>, Jernej Jakob <jernej.jakob@gmail.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

readonly progname="certbot_zimbra.sh"
readonly version="1.0.2"
readonly github_url="https://github.com/YetOpen/certbot-zimbra"
readonly copyright="Copyright (c) 2023 Lorenzo Milesi <maxxer@yetopen.com>, Jernej Jakob <jernej.jakob@gmail.com>"
# paths
readonly zmpath=~zimbra
readonly zmwebroot="$zmpath/data/nginx/html"
readonly le_conf_path="/etc/letsencrypt"
readonly le_conf_renewal_path="$le_conf_path/renewal"
readonly le_live_path="$le_conf_path/live" # the domain will be appended to this path
readonly temppath="/run/$progname"
# other options
readonly zmprov_opts="-l" # use ldap (faster)
# used to extract the CA for the certificates
readonly ca_certificates_file="/etc/ssl/certs/ca-certificates.crt"
readonly pki_ca_bundle_file="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
# Do NOT modify anything after this line.
webroot=""
certpath=""
le_bin=""
le_params=()
le_agree_tos=false
le_noniact=false
le_override_key_type_rsa=true
extra_domains=()
no_nginx=false
deploy_only=false
new_cert=false
services=all
patch_only=false
restart_zimbra=true
prompt_confirm=false
detect_public_hostnames=true
skip_port_check=false
port=""
quiet=false
readonly min_certbot_version="0.19.0"
detected_certbot_version=""
locked=false
platform=""
detected_zimbra_version=""

# set up a trap on exit
exitfunc(){
	e="$?"
	if (( e != 0 )) && ! "$quiet"; then
		printf '\nAn error seems to have occurred. Please read the output above for clues and try to rectify the situation.\nIf you believe this is an error with the script, please file an issue at %s . Exiting.\n' "$github_url" >&2
	fi

	# close fd used for locking
	exec 200>&-
	if "$locked"; then
		rm "$temppath/$progname.lck"
	fi

	exit "$e"
}
trap exitfunc EXIT

## functions begin ##

check_user () {
	if (( EUID != 0 )); then
		printf 'Error: This script must be run as root.\n' >&2
		exit 1
	fi
}

make_temp() {
	! mkdir --mode=750 -p "$temppath" && printf 'Error: Cannot create temporary directory "%s".\n' "$temppath" >&2 && exit 1
	chown root:zimbra "$temppath"
}

get_lock(){
	exec 200> "$temppath/$progname.lck"
	if ! flock -n 200; then
		printf 'Error: cannot get exclusive lock. Another instance of this script may be running.\nIf you are sure there is no other instance of this script running (check with "ps afx") you can remove "%s" and try again.\n' "$temppath/$progname.lck" >&2
		exit 1
	fi
	locked=true
	readonly locked
}

prompt(){
	while read -rp "$1 " yn; do
		case "$yn" in
			[Yy]* ) return 0;;
			[Nn]* ) return 1;;
			* ) printf 'Please answer yes or no.\n' >&2 ;;
		esac
	done
}

check_depends_ca() {
	# Debian/Ubuntu provided by ca-certificates
	[[ -r "$ca_certificates_file" ]] && return
	# RHEL/CentOS provided by pki-base
	[[ -r "$pki_ca_bundle_file" ]] && return

	cat >&2 <<-'EOF'
		Error: Installed CA certificates not found or files not readable. Please check if you have installed:
		Debian/Ubuntu: ca-certificates (if you do, you might have to run "update-ca-certificates")
		RHEL/CentOS: pki-base (if you do, you might have to run "update-ca-trust")
	EOF
	exit 1
}

check_depends() {
	# check for dependencies
	! "$quiet" && printf 'Checking for dependencies...\n' >&2

	# do not check for lsof or ss here as we'll do that later
	for name in sudo openssl grep sort head sed chmod chown cat cp awk "$zmpath/bin/zmhostname" "$zmpath/bin/zmcertmgr" "$zmpath/bin/zmcontrol" "$zmpath/bin/zmprov" "$zmpath/libexec/get_plat_tag.sh"; do
		if ! hash "$name" 2>/dev/null; then
			printf 'Error: "%s" not found or executable\n' "$name" >&2
			exit 1
		fi
	done
}

# greater than or equal to (>=) semver comparison
# pure bash solution thanks to geirha at #bash:irc.libera.chat
version_ge() {
	local a b
	IFS=. read -ra a <<< "$1"
	IFS=. read -ra b <<< "$2"
	(( a[0] > b[0] || (a[0] == b[0] && (a[1] > b[1] || a[1] == b[1] && a[2] >= b[2])) ))
}

bootstrap() {
	check_user
	make_temp
	get_lock

	check_depends
	check_depends_ca

	# Detect OS and Zimbra version

	# use Zimbra's get_plat_tag.sh to find OS and version (this is only for display and not used elsewhere in the script)
	# returns $OS$ver for 32-bit or $OS$ver_64 for 64-bit, where OS is the os name (UBUNTU,DEBIAN,RHEL,CentOS,F,FC,SLES,openSUSE,UCS,MANDRIVA,SOLARIS,MACOSx)
	platform="$("$zmpath/libexec/get_plat_tag.sh")"
	readonly platform

	detected_zimbra_version="$(sudo -in -u zimbra -- '$HOME/bin/zmcontrol' -v | grep -Po '(\d+).(\d+).(\d+)' | head -n 1)"
	readonly detected_zimbra_version
	[[ -z "$detected_zimbra_version" ]] && printf 'Error: Unable to detect Zimbra version.\n' >&2 && exit 1
	! "$quiet" && printf 'Detected Zimbra %s on %s\n' "$detected_zimbra_version" "$platform" >&2

	get_domain

	return 0
}

check_zimbra_proxy() {
	# must be run after get_domain
	[[ -z "$domain" ]] && printf 'Unexpected error (check_zimbra_proxy domain not set).\n' >&2 && exit 1

	! "$quiet" && printf 'Checking zimbra-proxy is running and enabled\n' >&2

	# TODO: check if path to zmproxyctl is different on <8.7
	if ! sudo -in -u zimbra -- '$HOME/bin/zmproxyctl' status > /dev/null; then
		printf 'Error: zimbra-proxy is not running.\n' >&2
		exit 1
	fi
	if ! sudo -in -u zimbra -- '$HOME/bin/zmprov' $zmprov_opts gs "$domain" zimbraReverseProxyHttpEnabled | grep -q TRUE; then
		printf 'Error: http reverse proxy not enabled (zimbraReverseProxyHttpEnabled: FALSE).\n' >&2
		exit 1
	fi

	if [[ -z "$port" ]]; then
		! "$quiet" && printf 'Detecting port from zimbraMailProxyPort\n' >&2
		port="$(sudo -in -u zimbra -- '$HOME/bin/zmprov' $zmprov_opts gs "$domain" zimbraMailProxyPort | sed -n "s/zimbraMailProxyPort: //p")"
		[[ -z "$port" ]] && printf 'Error: zimbraMailProxyPort not found.\n' >&2 && exit 1
	else
		! "$quiet" && printf 'Skipping port detection from zimbraMailProxyPort due to --port override\n' >&2
	fi

	if [[ "$port" != "80" ]] && ! "$quiet"; then
		printf 'WARNING: non-standard zimbraMailProxyPort %s. This needs to be 80 from the internet for ACME HTTP-01 to work. If you have NAT set up to do the translation this is likely fine. If not, your Zimbra proxy is misconfigured and Certbot will fail.\n' "$port" >&2
		if "$prompt_confirm"; then
			prompt "Proceed?"
			(( $? == 1 )) && printf 'Cannot continue.\n' >&2 && exit 0
		else
			printf 'WARNING: Prompt disabled, proceeding anyway.\n' >&2
		fi
	fi
}

# Check if process is listening on port $1 (optionally with name $2 and/or user $3) or return an error
check_port () {
	if "$skip_port_check"; then
		! "$quiet" && printf 'Skipping port check\n' >&2
		return 0
	fi

	[[ -z "$1" ]] && printf 'Unexpected error: check_port empty $1 (port).\n' >&2 && exit 1

	! "$quiet" && printf 'Checking if process is listening on port %s\n' "$1 ${2:+"with name \"$2\" "}${3:+"user \"$3\""}" >&2

	# check with lsof if available, or fall back to ss
	declare -a check_bin
	declare grep_filter=
	if hash lsof 2>/dev/null; then
		check_bin=("lsof" "-i" ":$1" "-s" "TCP:LISTEN" "-a" "-n")
		grep_filter="$2.*$3"
	elif hash ss 2>/dev/null; then
		check_bin=("ss" "-lptn" "sport" "eq" ":$1")
		# ss doesn't return process user, so don't use it for count
		grep_filter="$2"
	else
		printf 'Error: Neither "lsof" nor "ss" were found in PATH. Unable to continue.\n' >&2
		exit 1
	fi

	# return false if count of matched processes is 0
	# optionally $2 and $3 are process name and process user
	(( "$("${check_bin[@]}" | grep -c "$grep_filter")" == 0 )) && return 1

	return 0
}


# Patch Zimbra proxy nginx and restart it if successful
# zimbra-proxy must be running (checked with check_zimbra_proxy) or zmproxyctl restart will fail
# returns true if patch was applied or was already present, exits script if encountered an error
patch_nginx() {
	[[ ! -d "$zmpath/conf/nginx/includes" ]] && printf 'Error: "%s" not found.\n' "$zmpath/conf/nginx/includes" >&2 && exit 1

	# Don't patch if patch is already applied
	if grep -r -q 'acme-challenge' "$zmpath/conf/nginx/templates"; then
		! "$quiet" && printf 'Nginx templates already patched.\n' >&2
	else
		[[ -z $webroot ]] && printf 'Unexpected error: patch_nginx WEBROOT not set.\n' >&2 && exit 1

		# make a backup of Zimbra's original templates
		set -e
		local bkdate="$(date +'%Y%m%d_%H%M%S')"
		! "$quiet" && printf 'Making a backup of nginx templates in "%s"\n' "$zmpath/conf/nginx/templates.$bkdate" >&2
		cp -a "$zmpath/conf/nginx/templates" "$zmpath/conf/nginx/templates.$bkdate"
		set +e

		# do patch
		! "$quiet" && printf 'Patching nginx templates... ' >&2
		e=0
		for file in http.default https.default http https ; do
			# Find the } that matches the first { after the server directive and add our location block before it,
			# ignoring all curly braces and anything else between them. If there are multiple server blocks
			# it adds the directives to all of them. It breaks in special cases of one-liner server blocks (rare)
			# and unbalanced curly brace count (missing braces aka broken formatting).
			# Exits 0 (success) if at least 1 substitution was made, 1 (failure) if 0 substitutions were made.
			awk -v webroot="$webroot" -v progname="$progname" -f - "$zmpath/conf/nginx/templates.$bkdate/nginx.conf.web.$file.template" > "$zmpath/conf/nginx/templates/nginx.conf.web.$file.template" <<-'EOF'
				function count(s, t) {
					i=1; n=0
					while (j = index(substr(s, i), t)) {
						i += j
						n++
					}
					return n
				}
				BEGIN {e = 1}
				/^[[:blank:]]*#/ {print; next}
				/^[[:blank:]]*server[[:space:]{]*$/ { found = 1 }
				/\{/ && found {
				  b += count($0, "{")
				  if (first == 0) first = NR
				}
				/\}/ && found { b -= count($0, "}") }
				{
				  if (found && b == 0 && first != 0) {
				    sub(/\}[^}]*$/, "\n    # patched by " progname "\n    location ^~ /.well-known/acme-challenge {\n        root " webroot ";\n    }\n&")
				    found = 0
				    first = 0
				    e = 0
				  }
				  print
				}
				END {exit e}
			EOF
			e="$?"
			(( e != 0 )) && break
		done

		if (( e != 0 )); then
			! "$quiet" && printf 'Error!\nRestoring old templates... ' >&2
			if ! cp -a "$zmpath/conf/nginx/templates.$bkdate/"* "$zmpath/conf/nginx/templates/"; then
				! "$quiet" && printf 'Error restoring templates!\n' >&2
			else
				! "$quiet" && printf 'Success.\n' >&2
			fi
			! "$quiet" && printf 'Error patching nginx templates.\n' >&2
			exit 1
		else
			! "$quiet" && printf 'Success.\n' >&2
		fi

		unset bkdate
	fi

	# Don't restart if includes show nginx has already been restarted
	if grep -r -q 'acme-challenge' "$zmpath/conf/nginx/includes"; then
		! "$quiet" && printf 'Nginx includes already patched, skipping zmproxy restart.\n' >&2
	else
		if "$prompt_confirm"; then
			prompt "Restart zmproxy?"
			(( $? == 1 )) && printf 'Cannot continue.\n' >&2 && exit 0
		fi

		! "$quiet" && printf 'Running zmproxyctl restart.\n' >&2
		# reload nginx config
		sudo -in -u zimbra -- '$HOME/bin/zmproxyctl' restart 200>&-; e="$?"
		if (( e != 0 )); then
			printf 'Error restarting zmproxy ("zmproxyctl restart" exit status %s).\n' "$e" >&2
			exit 1
		else
			! "$quiet" && printf 'Success.\n' >&2
		fi
	fi

	return 0
}

# detect additional public service hostnames from configured domains' zimbraPublicServiceHostname
find_additional_public_hostnames() {
	# If already set, leave them alone
	[[ "${extra_domains[*]}" ]] && return

	# If it has been requested NOT to perform the search
	if ! "$detect_public_hostnames"; then
		! "$quiet" && printf 'Skipping additional public service hostname detection\n' >&2
		return
	fi

	! "$quiet" && printf 'Detecting additional public service hostnames...\n' >&2

	readarray -t extra_domains < <(sudo -in -u zimbra -- '$HOME/bin/zmprov' $zmprov_opts gad \
		| awk '{printf "gd %s zimbraPublicServiceHostname zimbraVirtualHostname\n", $0}' \
		| sudo -in -u zimbra -- '$HOME/bin/zmprov' $zmprov_opts - \
		| awk -v domain="$domain" '/zimbraPublicServiceHostname:|zimbraVirtualHostname:/ {if ($2 != domain && $2 != "") {print $2}}' \
		| sort -u
	)

	if ! "$quiet"; then
		if [[ "${extra_domains[*]}" ]]; then
			printf 'Got %s domain names to use as certificate SANs: %s\n' "${#extra_domains[@]}" "${extra_domains[*]}" >&2
			if "$prompt_confirm"; then
				prompt "Include these in the certificate?"
				(( $? == 1 )) && unset extra_domains
			fi
		else
			printf 'No additional domain names found.\n' >&2
		fi
	fi

	return 0
}

get_domain () {
	# If we got no domain from command line try using Zimbra hostname
	if [[ -z "$domain" ]]; then
		! "$quiet" && printf 'Using zmhostname to detect domain name.\n' >&2
		domain="$("$zmpath/bin/zmhostname")"
	fi

	[[ -z "$domain" ]] && printf 'Error: No hostname found! Please run with -d/--hostname or check why zmhostname is not working.\n' >&2 && exit 1

	! "$quiet" && printf 'Using domain name %s (as certificate DN)\n' "$domain" >&2

	if "$prompt_confirm"; then
		prompt "Is this correct?"
		(( $? == 1 )) && printf 'Error: Please manually specify your hostname with "--hostname your.host.name".\n' >&2 && exit 0
	fi

	return 0
}

find_certbot () {
	# check for executable certbot-auto / certbot / letsencrypt
	# TODO: remove dead certbot-auto
	le_bin="$(command -v certbot letsencrypt certbot-auto 2>/dev/null | head -n 1)"
	[[ -z "$le_bin" ]] && printf 'Error: No letsencrypt/certbot binary found in PATH.\n' >&2 && exit 1

	! "$quiet" && printf 'Detecting Certbot version...\n' >&2

	# get Certbot version
	detected_certbot_version="$("$le_bin" --quiet --version 2>&1 | grep -oP '^certbot \K(\d+).(\d+).(\d+)$')"
	local certbot_version_exit="${PIPESTATUS[0]}"
	if (( certbot_version_exit != 0 )); then
		printf 'Error: "%s" exit status %s.\n' "$le_bin --quiet --version" "$certbot_version_exit" >&2
		exit 1
	fi

	if [[ -z "$detected_certbot_version" ]]; then
		printf 'Error: unable to parse Certbot version.\n' >&2
		exit 1
	fi

	! "$quiet" && printf 'Detected Certbot %s\n' "$detected_certbot_version" >&2

	if ! version_ge "$detected_certbot_version" "$min_certbot_version"; then
		printf 'Error: Certbot is too old, please upgrade to Certbot >=%s.\n' "$min_certbot_version" >&2
		exit 1
	fi

	return 0
}

# perform the ACME request
request_cert() {
	[[ -z "$webroot" ]] && printf 'Unexpected error: check_webroot webroot not set.\n' >&2 && exit 1

	# <8.7 didn't have nginx webroot
	if ! [[ -d "$webroot" ]]; then
		if "$prompt_confirm"; then
			prompt "Webroot $webroot doesn't exist, create it?"
			(( $? == 1 )) && printf 'Cannot proceed.\n' >&2 && exit 0
		fi
		! "$quiet" && printf 'Creating webroot %s\n' "$webroot" >&2
		set -e
		mkdir -p "$webroot"
		set +e
	fi

	if "$prompt_confirm"; then
		prompt "We will now run Certbot to request the certificate. Proceed?"
		(( $? == 1 )) && printf 'Unable to proceed.\n' >&2 && exit 0
	fi

	#TODO: dry-run

	"$le_noniact" && le_params+=("--non-interactive")
	"$quiet" && le_params+=("--quiet")
	"$le_agree_tos" && le_params+=("--agree-tos")

	version_ge "$detected_certbot_version" "2.0.0" &&
		"$le_override_key_type_rsa" &&
		le_params+=("--key-type" "rsa" "--rsa-key-size" "4096")

	le_params+=("--webroot" "-w" "$webroot" "--cert-name" "$domain" "-d" "$domain")
	for d in "${extra_domains[@]}"; do
		[[ -z "$d" ]] && continue
		le_params+=("-d" "$d")
	done

	! "$quiet" && printf 'Running %s\n' "$le_bin certonly ${le_params[*]}" >&2
	"$quiet" && exec > /dev/null
	"$quiet" && exec 2>/dev/null
	# Request our cert
	"$le_bin" certonly "${le_params[@]}"
	e="$?"
	"$quiet" && exec > /dev/stdout
	"$quiet" && exec 2> /dev/stderr
	(( e != 0 )) && printf 'Error: "%s" exit status %s. Cannot proceed.\n' "$le_bin" "$e" >&2 && exit 1
	return 0
}

# adds pre and deploy hooks to the Certbot certificate configuration
add_certbot_hooks() {
        if "$prompt_confirm" && ! prompt "Do you wish to add pre and deploy hooks to Certbot certificate configuration? (unless you manually wish to do so, answer yes)"; then
		printf 'Please manually add Certbot hooks as described in the README.\n' >&2
		return
        fi

	declare -i e=0
	progpath="$(command -v "$progname" 2>/dev/null)"

	if [[ -z "$progpath" ]]; then
		printf 'Error: could not find "%s" in PATH!\n' "$progname" >&2
		e=1
	else
		! "$quiet" && printf 'Adding pre and deploy hooks to Certbot certificate configuration\n' >&2

		if version_ge "$detected_certbot_version" "2.3.0"; then
			# Certbot >=2.3.0 has "reconfigure"
			local le_reconfigure_params=("--cert-name" "$domain" "--pre-hook" "$progpath -p" "--deploy-hook" "$progpath -d")
			"$quiet" && le_reconfigure_params+=("--quiet")
			"$le_noniact" && le_reconfigure_params+=("--non-interactive")

			! "$le_noniact" && ! "$quiet" && printf 'WARNING: Certbot will ask if you want to test run the deploy hook, answer D "(D)o not run"!\n' >&2
			! "$quiet" && printf 'WARNING: Certbot will test run the pre_hook, it will fail, this is normal. There is no way to disable testing the pre_hook.' >&2
			! "$quiet" && printf 'Running "%s"\n' "$le_bin reconfigure ${le_reconfigure_params[*]}" >&2
			"$le_bin" reconfigure "${le_reconfigure_params[@]}"
			e="$?"
		else
			# manually change hooks in Certbot renewal config file
			! "$quiet" && printf 'Certbot does not have reconfigure, manually editing renewal config file...\n'

			# make backup of conf file
			local le_domain_conf="$le_conf_renewal_path/$domain.conf"
			local le_domain_conf_temp="$temppath/$domain.conf"

			if ! cp --preserve=all "$le_domain_conf" "$le_domain_conf_temp"; then
				printf 'Error: cannot read "%s"!\n' "$le_domain_conf" >&2
				e=1
			fi

			if ! cp -f --preserve=all --backup=numbered "$le_domain_conf" "$le_domain_conf"; then
				printf 'Error: cannot write to "%s"!\n' "$le_conf_renewal_path" >&2
				e=1
			fi

			if (( e == 0 )); then
				# awk program works if [renewalparams] does or doesn't already exist
				# (it would be very odd if they didn't!)
				# Certbot stores --deploy-hook as "renew_hook" in the config file
				# https://github.com/certbot/certbot/issues/5935
				awk -v progname="$progname" -v progpath="$progpath" -f - "$le_domain_conf" > "$le_domain_conf_temp" <<- 'EOF'
					function print_hooks() {
					        print "pre_hook =", progpath, "-p"
					        print "renew_hook =", progpath, "-d"
					}
					BEGIN {e=1}
					/^(pre|renew)_hook.*/ {next}
					{print}
					/^\[renewalparams\]$/ {
						print "# hooks modified by", progname
					        print_hooks()
					        e=0
					}
					END {
					        if (e) {
							print "# renewalparams added by", progname
					                print "[renewalparams]"
					                print_hooks()
					        }
					}
				EOF
				e="$?"
				if (( e != 0 )); then
					printf 'Error: awk exit %s!\n' "$e" >&2
				else
					if ! cp -f --preserve=all "$le_domain_conf_temp" "$le_domain_conf"; then
						printf 'Error: cannot write to "%s"!\n' "$le_domain_conf" >&2
						e+=1
					fi
				fi
			fi
		fi
	fi

	if (( e != 0 )); then
		printf 'Error while adding hooks to Certbot certificate renewal configuration! Please do so manually as described in the README.\n' >&2
	fi
}

# copies stuff ready for Zimbra deployment and test them
prepare_cert() {
	! "$quiet" && printf 'Preparing certificates for deployment.\n' >&2

	[[ -z "$domain" ]] && printf 'Unexpected error (prepare_cert domain not set).\n' >&2 && exit 1

	# when run as --deploy-hook, check if any of RENEWED_DOMAINS match Zimbra's domain.
	# RENEWED_DOMAINS and RENEWED_LINEAGE are passed by Certbot as env vars to --deploy-hook
	if [[ -n "$RENEWED_DOMAINS" ]]; then
		# we were run as --deploy-hook
		set -f
		for renewed_domain in $RENEWED_DOMAINS; do
			[[ "$renewed_domain" == "$domain" ]] && certpath="$RENEWED_LINEAGE"
		done
		set +f
		# exit gracefully if no matching domains were found. We must be running for some other cert, not ours.
		if [[ -z "$certpath" ]]; then
			! "$quiet" && printf 'Detected --deploy-hook but no matching domain name found. Nothing to do.\n' >&2
			exit 0
		else
			! "$quiet" && printf 'Detected --deploy-hook and matching domain name found\n' >&2
		fi
	else
		# we were run standalone
		certpath="$le_live_path/$domain"
	fi

	# Make Zimbra accessible files
	# save old umask
	oldumask="$(umask -p)"
	# make files u=rwx g=rx o=
	umask 0027

	# exit on error
	set -e

	tmpcerts="$(mktemp -d --tmpdir="$temppath" certs-XXXXXXXX)"

	cp "$certpath"/{privkey.pem,cert.pem} "$tmpcerts/"

	# Create the "patched" chain suitable for Zimbra

	# find the first valid chain by iterating through chain.pem one certificate at a time
	local chaincerts="$(cat "$certpath/chain.pem")"
	local chaincert="${chaincerts%%END CERTIFICATE*}END CERTIFICATE-----"
	local issuerhash=
	local issuercn=

	while [[ "$chaincert" != "${chaincert##*BEGIN CERTIFICATE}" ]]; do
		if printf '%s\n' "$chaincert" | openssl verify >/dev/null 2>&1; then
			issuerhash="$(printf '%s' "${chaincert}" | openssl x509 -noout -issuer_hash)"
			issuercn="$(printf '%s' "${chaincert}" | openssl x509 -noout -issuer -nameopt sep_multiline,utf8 | grep -oP '\sCN=\K.*')"
			break
		else
			# get next cert
			chaincerts="${chaincerts##"$chaincert"}"
			chaincert="${chaincerts%%END CERTIFICATE*}END CERTIFICATE-----"
		fi
	done

	unset chaincerts chaincert

	if [[ -z "$issuerhash" ]]; then
		printf 'Error: No valid chain found in "%s"!\n' "$certpath/chain.pem" >&2
		exit 1
	fi

	if [[ -r "$ca_certificates_file" ]]; then
	        # Debian/Ubuntu
		# use the issuer_hash of the LE chain cert to find the root CA in /etc/ssl/certs
		cat "/etc/ssl/certs/$issuerhash.0" >> "$tmpcerts/zimbra_chain.pem"
	elif [[ -r "$pki_ca_bundle_file" ]]; then
		# RHEL/CentOS
		# extract CA by CN in tls-ca-bundle.pem

		# if we can't find the issuer CN in the bundle file, it may have spaces removed, hopefully we'll find it without spaces
		grep -q "^# $issuercn\$" "$pki_ca_bundle_file" || issuercn="${issuercn//' '}"
		# the following awk script extracts the CA cert from the bundle or exits 1 if not found
		if ! awk -v issuercn="$issuercn" -f - "$pki_ca_bundle_file" >> "$tmpcerts/zimbra_chain.pem" <<-'EOF'
			BEGIN {e=1}
			$0 ~ "^# " issuercn "$" {e=0; next}
			(!e){
				print
				if ($0 ~ /END CERTIFICATE/){exit e}
			}
			END {exit e}
			EOF
			then
				printf 'Error: Cannot find "%s" in "%s".\n' "$issuercn" "$pki_ca_bundle_file"
				exit 1
		fi
	else
		# we shouldn't be here
		printf 'Error in prepare_cert: cannot find installed CA certificates (check_depends_ca should have caught this).\n' >&2
		exit 1
	fi

	cat "$certpath/chain.pem" >> "$tmpcerts/zimbra_chain.pem"

	$oldumask
	unset oldumask

	# set permissions so that Zimbra can read the certs
	chown -R root:zimbra "$tmpcerts"
	chmod 550 "$tmpcerts"
	chmod 440 "$tmpcerts"/*

	! "$quiet" && printf 'Testing with zmcertmgr.\n' >&2

	# redirect stdout to /dev/null if quiet
	"$quiet" && exec > /dev/null
	"$quiet" && exec 2>/dev/null

	# Test cert. 8.6 and below must use root
	if version_ge "$detected_zimbra_version" "8.7"; then
		sudo -in -u zimbra -- '$HOME/bin/zmcertmgr' verifycrt comm "$tmpcerts"/privkey.pem "$tmpcerts"/cert.pem "$tmpcerts"/zimbra_chain.pem
	else
		"$zmpath/bin/zmcertmgr" verifycrt comm "$tmpcerts/privkey.pem" "$tmpcerts/cert.pem" "$tmpcerts/zimbra_chain.pem"
	fi

	# undo quiet
	"$quiet" && exec > /dev/stdout
	"$quiet" && exec 2> /dev/stderr

	# undo set -e
	set +e

	return 0
}

# deploys certificate and restarts Zimbra. ASSUMES prepare_certificate has been called already
deploy_cert() {
	if "$prompt_confirm"; then
		prompt "Deploy certificates to Zimbra? This may restart some services."
		(( $? == 1 )) && printf 'Cannot proceed.\n' >&2 && exit 0
	fi

	# exit on error
	set -e
	! "$quiet" && printf 'Deploying certificates.\n' >&2

	# Backup old stuff
	cp -a "$zmpath/ssl/zimbra" "$zmpath/ssl/zimbra.$(date +'%Y%m%d_%H%M%S')"

	# copy privkey
	cp -a "$tmpcerts/privkey.pem" "$zmpath/ssl/zimbra/commercial/commercial.key"

	"$quiet" && exec > /dev/null
	"$quiet" && exec 2>/dev/null
	# this is it, deploy the cert.
	if version_ge "$detected_zimbra_version" "8.7"; then
		sudo -in -u zimbra -- '$HOME/bin/zmcertmgr' deploycrt comm "$tmpcerts"/cert.pem "$tmpcerts"/zimbra_chain.pem -deploy "$services"
	else
		"$zmpath/bin/zmcertmgr" deploycrt comm "$tmpcerts/cert.pem" "$tmpcerts/zimbra_chain.pem"
	fi
	"$quiet" && exec > /dev/stdout
	"$quiet" && exec 2> /dev/stderr

	! "$quiet" && printf 'Removing temporary files in "%s"\n' "$tmpcerts" >&2
	# this is kind of sketchy
	[[ -n "$tmpcerts" ]] && rm -r "$tmpcerts"
	unset tmpcerts

	set +e

	if "$restart_zimbra"; then
		if "$prompt_confirm"; then
			prompt "Restart Zimbra?"
			(( $? == 1 )) && printf 'Cannot proceed.\n' >&2 && exit 0
		fi

		! "$quiet" && printf 'Restarting Zimbra.\n' >&2

		"$quiet" && exec > /dev/null
		"$quiet" && exec 2> /dev/null
		# Finally apply cert!
		sudo -in -u zimbra -- '$HOME/bin/zmcontrol' restart 200>&-
		# FIXME And hope that everything started fine! :)
		"$quiet" && exec > /dev/stdout
		"$quiet" && exec 2> /dev/stderr
	fi

	return 0
}

usage () {
	cat >&2 <<-EOF
		Usage: $progname [ -d | -n | -p ] [options]...
		  This script automates installing, renewing and deploying ACME certificates to Zimbra. It's a wrapper around Certbot and Zimbra tools.

		Options:
		  Only one option at a time can be supplied. Options cannot be chained.

		Mode selection:
		  -p | --patch-only:  does only nginx patching. Useful to be called before renew, in case nginx templates have been overwritten by an upgrade.
		  -n | --new:  performs a request for a new certificate ("certonly"). Can be used to update the domains in an existing certificate.
		  -d | --deploy-only:  Just deploys certificates. Will detect if it's being run from Certbot renew_hook or --deploy-hook and only deploy if env variable RENEWED_DOMAINS matches the hostname. If run standalone, assumes valid certificates are in $le_live_path.

		Global options:
		  -c | --prompt-confirm:  ask for confirmation.
		  -q | --quiet:  Do not output anything except errors. Useful for scripts. Implies -N/--noninteractive.
		  -H | --hostname <my.host.name>:  hostname being requested. If not passed it's automatically detected using "zmhostname". Used as Zimbra server name in zmprov, CN and name for certificate.

		Port check (--patch-only and --new):
		  -j | --no-port-check:  disable port check.
		  -P | --port <port>:  port the web server to use for the ACME HTTP-01 challenge is listening on. Is detected from zimbraMailProxyPort if not set. Mandatory with -x/--no-nginx unless -j/--no-port-check is set.

		Nginx options (--patch-only and --new):
		  -w | --webroot "/path/to/www":  path to the webroot of alternate webserver. Valid only with -x/--no-nginx.
		  -x | --no-nginx:  Alternate webserver mode. Don't check and patch zimbra-proxy's nginx. Must also specify -P/--port and -w/--webroot.

		Options for -n|--new:
		  -a | --agree-tos:  agree with the Terms of Service of the ACME server (avoids prompt)
		  -L | --letsencrypt-params "--extra-le-parameter":  Additional parameter to pass to Certbot. Must be repeated for each parameter and argument, e.g. -L "--preferred-chain" -L "ISRG Root X1"
		  -N | --noninteractive:  Pass --non-interactive to Certbot.
		  --no-override-key-type-rsa:  if Certbot >=v2.0.0 has been detected, do not override ECDSA to RSA with "--key-type rsa" (use this to get the default ECDSA key type, Zimbra does NOT support it!)
		  -e | --extra-domain <extra.domain.tld>:  additional domain names being requested. Can be used multiple times. Implies -u/--no-public-hostname-detection.
		  -u | --no-public-hostname-detection:  do not detect additional hostnames from domain zimbraPublicServiceHostname and zimbraVirtualHostname.

		Deploy options:
		  -s | --services <service_names>:  comma-separated list of services to be used for a certificate. Passed to 'zmcertmgr'. Valid services are 'all' or any of: ldap,mailboxd,mta,proxy,imapd. Default: 'all'
		  -z | --no-zimbra-restart:  do not restart Zimbra after a certificate deployment
	EOF
}

print_version(){
	cat >&2 <<-EOF
		$progname $version

		Report bugs at: $github_url

		$copyright

		This program is free software: you can redistribute it and/or modify
		it under the terms of the GNU General Public License as published by
		the Free Software Foundation, either version 3 of the License, or
		(at your option) any later version.

		This program is distributed in the hope that it will be useful,
		but WITHOUT ANY WARRANTY; without even the implied warranty of
		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
		GNU General Public License for more details.

		You should have received a copy of the GNU General Public License
		along with this program.  If not, see <http://www.gnu.org/licenses/>.
	EOF
}
## functions end ##

# main flow


# parameters parsing http://stackoverflow.com/a/14203146/738852
while (( $# > 0 )); do
	case "$1" in
		# flow-modifying parameters
		-d|--deploy-only)
			deploy_only=true
			;;
		-n|--new)
			new_cert=true
			;;
		-p|--patch-only)
			patch_only=true
			;;
		# optional parameters
		# Certbot
		-a|--agree-tos)
			le_agree_tos=true
			;;
		-L|--letsencrypt-params)
			[[ -z "$2" ]] && printf 'Error: missing --letsencrypt-params argument\n' >&2 && exit 1
			le_params+=("$2")
			shift
			;;
		-N|--noninteractive)
			le_noniact=true
			;;
		--no-override-key-type-rsa)
			le_override_key_type_rsa=false
			;;
		# domain
		-e|--extra-domain)
			[[ -z "$2" ]] && printf 'Error: missing --extra-domain argument\n' >&2 && exit 1
			extra_domains+=("$2")
			detect_public_hostnames=false
			shift
			;;
		-H|--hostname)
			[[ -z "$2" ]] && printf 'Error: missing --hostname argument\n' >&2 && exit 1
			domain="$2"
			detect_public_hostnames=false
			shift
			;;
		-u|--no-public-hostname-detection)
			detect_public_hostnames=false
			;;
		# port check
		-j|--no-port-check)
			skip_port_check=true
			;;
		-P|--port)
			[[ -z "$2" ]] && printf 'Error: missing --port argument\n' >&2 && exit 1
			port="$2"
			shift
			;;
		# nginx
		-w|--webroot)
			[[ -z "$2" ]] && printf 'Error: missing --webroot argument\n' >&2 && exit 1
			webroot="$2"
			shift
			;;
		-x|--no-nginx)
			no_nginx=true
			;;
		# zimbra
		-s|--services)
			[[ -z "$2" ]] && printf 'Error: missing --services argument\n' >&2 && exit 1
			services="$2"
			shift
			;;
		-z|--no-zimbra-restart)
			restart_zimbra=false
			;;
		# other
		-c|--prompt-confirm)
			prompt_confirm=true
			;;
		-q|--quiet)
			quiet=true
			le_noniact=true
			;;
		-h|--help)
			usage
			exit 0
			;;
		-V|--version)
			print_version
			exit 0
			;;
		*)
			printf 'Unknown option: "%s". Try --help for usage.\n' "$1" >&2
			exit 1
			;;
	esac
	shift
done

readonly deploy_only new_cert patch_only le_agree_tos le_noniact le_override_key_type_rsa detect_public_hostnames skip_port_check no_nginx services restart_zimbra prompt_confirm quiet

# exit if an invalid option combination was passed
"$quiet" && "$prompt_confirm" && printf 'Incompatible option combination: --quiet --prompt-confirm\n' >&2 && exit 1
"$le_noniact" && "$prompt_confirm" && printf 'Incompatible option combination: --noninteractive --prompt-confirm\n' >&2 && exit 1

"$deploy_only" && { "$patch_only" ||
		"$le_agree_tos" || [[ -n "${le_params[*]}" ]] || "$le_noniact" || ! "$le_override_key_type_rsa" ||
		[[ -n "${extra_domains[*]}" ]] ||
		"$no_nginx" || [[ -n "$webroot" ]] || [[ -n "$port" ]] || "$skip_port_check"
	} && cat >&2 <<-'EOF' &&
		Incompatible option combination:
		--deploy-only
		& [
		  --patch-only |
		  --agree-tos | --letsencrypt-params | --noninteractive | --no-override-key-type-rsa |
		  --extra-domain |
		  --no-nginx | --webroot | --port | --no-port-check
		]
		EOF
	exit 1
"$new_cert" && "$deploy_only" && printf 'Incompatible option combination: --new --deploy-only\n' >&2 && exit 1
"$patch_only" && { "$new_cert" || "$no_nginx" ||
		"$le_agree_tos" || [[ -n "${le_params[*]}" ]] || "$le_noniact" || ! "$le_override_key_type_rsa" ||
		[[ -n "${extra_domains[*]}" ]] ||
		[[ "$services" != "all" ]] || ! "$restart_zimbra"
	} && cat >&2 <<-'EOF' &&
		Incompatible option combination:
		--patch-only
		& [
		  --new | --no-nginx |
		  --agree-tos | --letsencrypt-params | --noninteractive | --no-override-key-type-rsa |
		  --extra-domain |
		  --services | --no-zimbra-restart
		]
		EOF
	exit 1
! { "$deploy_only" || "$new_cert" || "$patch_only"; } && printf 'Nothing to do. Please specify one of: -d | -n | -p\n' >&2 && exit 1

"$no_nginx" && [[ -z "$webroot" || ( -z "$port" && ! "$skip_port_check" ) ]] && printf 'Error: --no-nginx requires --webroot and --port or --no-port-check.\n' >&2 && exit 1
! "$no_nginx" && [[ -n "$webroot" ]] && printf 'Error: -w/--webroot cannot be used in zimbra-proxy mode. Please use -x/--no-nginx (alternate webserver mode).\n' >&2 && exit 1
"$skip_port_check" && [[ -n "$port" ]] && printf 'Error: -j/--no-port-check cannot be used with -P/--port.\n' >&2 && exit 1

! "$quiet" && printf '%s\n' "$progname v$version - $github_url" >&2

## actions
bootstrap

if ! "$deploy_only"; then
	if "$no_nginx"; then
		! check_port "$port" && printf 'Error: port check failed. A web server to use for the HTTP-01 ACME challenge must be listening on the port specified with --port.\n' >&2 \
				&& exit 1
	else
		webroot="$zmwebroot"
		readonly webroot

		check_zimbra_proxy
		! check_port "$port" nginx zimbra && printf 'Error: port check failed. If you have overridden the port with --port, a web server to use for the HTTP-01 ACME challenge must be listening on it.\n' >&2 && exit 1
		patch_nginx
	fi

	"$patch_only" && exit 0

	find_additional_public_hostnames
	find_certbot
	request_cert
	add_certbot_hooks
fi

prepare_cert
deploy_cert

exit 0