authorAlexandre Alouit <alexandre.alouit@gmail.com>2015-12-04 09:47:54 +0100
committerAlexandre Alouit <alexandre.alouit@gmail.com>2015-12-04 09:47:54 +0100
commit599d73b54549d808e3d05c3a98c4729d942edd5f (patch)
tree6a35115fa53dc553196510b32caf3e24f2af155f
parent876dc671ef09e855eea7714c519977462e90f30c (diff)
bugfix & improvements
prevent apache with conf.d directory instead of conf-available; create challenge directory (prevent Let’s Encrypt from creating files with bad permissions); use ISPConfig debug function; use fullchain for apache
-rw-r--r--README.md6
-rw-r--r--_todo3
-rw-r--r--cli.ini3
-rw-r--r--cli.ini.patch11
-rw-r--r--install.php27
-rwxr-xr-xsrc/server/plugins-available/apache2_plugin.inc.php24
-rwxr-xr-xsrc/server/plugins-available/nginx_plugin.inc.php17
7 files changed, 62 insertions, 29 deletions
diff --git a/README.md b/README.md
index 80e78e6..006421d 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,8 @@ php -q install.php
After install, a new checkbox will be available in editing website, just check it.
+Adjust server in ```/etc/letsencrypt/cli.ini```if isn't ``https://acme-v01.api.letsencrypt.org/directory```
+
## MANUAL INSTALLATION
@@ -31,11 +33,9 @@ After install, a new checkbox will be available in editing website, just check i
cd ISPConfig-letsencrypt
```
-- patch or create Let's Encrypt configuration
+- create Let's Encrypt configuration
```
cp ./cli.ini /etc/letsencrypt/cli.ini
- or
-patch /etc/letsencrypt/cli.ini < ./cli.ini.patch
```
- patch ISPConfig (merge all files from ./src to /usr/local/ispconfig)
diff --git a/_todo b/_todo
index 45341e3..8be3573 100644
--- a/_todo
+++ b/_todo
@@ -1,7 +1,8 @@
check dns entry is correct before request to Let's Encrypt (apache and nginx plugin)
check dns MX entry is correct before request to Let's Encrypt (apache and nginx plugin)
check if we already have a symlink and if he's valid (apache and nginx plugin)
-force ssl field to on when use Let's Encrypt (api access)
+force ssl field to on when use Let's Encrypt (api access?)
disable ssl tab when use Let's Encrypt (webgui)
check dns entry is correct and MX domain
check if is a symlink and is correct (if target is same)
+disable ssl & letsencrypt fields in database if we have error (and show notification?)
diff --git a/cli.ini b/cli.ini
index 6eab855..a54d846 100644
--- a/cli.ini
+++ b/cli.ini
@@ -6,7 +6,7 @@
rsa-key-size = 4096
# Always use the staging/testing server
-server = https://acme-staging.api.letsencrypt.org/directory
+#server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
# email = foo@example.com
@@ -27,3 +27,4 @@ text = True
agree-dev-preview = True
agree-tos = True
authenticator = webroot
+server https://acme-v01.api.letsencrypt.org/directory
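Review bot: The added `server https://acme-v01.api.letsencrypt.org/directory` line has no `=` separator, unlike every other key in this file (`agree-tos = True` two lines above). Whether the client's config parser accepts a whitespace-separated key is not visible here; if it does not, the line is silently ignored and the client falls back to its built-in default instead of the server the README now tells users to adjust. Write it as `server = https://acme-v01.api.letsencrypt.org/directory`, and consider placing it next to the commented-out staging `server` line in the first hunk so the two alternatives sit together.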
diff --git a/cli.ini.patch b/cli.ini.patch
deleted file mode 100644
index e038f5c..0000000
--- a/cli.ini.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- cli.ini 2015-11-06 20:21:09.332000000 +0100
-+++ cli.ini 2015-11-06 20:21:27.380000000 +0100
-@@ -22,3 +22,8 @@
- # path to the public_html / webroot folder being served by your web server.
- # authenticator = webroot
- # webroot-path = /usr/share/nginx/html
-+
-+text = True
-+agree-dev-preview = True
-+agree-tos = True
-+authenticator = webroot
diff --git a/install.php b/install.php
index 4fac9d8..c1417c7 100644
--- a/install.php
+++ b/install.php
@@ -84,13 +84,14 @@ if(!is_file("/root/.local/share/letsencrypt/bin/letsencrypt-renewer")) {
exit;
}
-if(!is_file("/etc/letsencrypt/cli.ini")) {
- echo "Let's Encrypt configuration file don't exist, create it.\n";
- exec("cp ./cli.ini /etc/letsencrypt/cli.ini");
-} else {
- echo "Let's Encrypt configuration file exist, patch it.\n";
- exec("patch /etc/letsencrypt/cli.ini < ./cli.ini.patch");
+if(is_file("/etc/letsencrypt/cli.ini")) {
+ echo "Let's Encrypt configuration file exist, backup up and remove.\n";
+ exec("cp /etc/letsencrypt/cli.ini " . $backup_dir . date("Ymdhis") . "-letsencrypt.cli.ini");
+ exec("rm /etc/letsencrypt/cli.ini");
+
}
+echo "Copy Let's Encrypt configuration.\n";
+exec("cp ./cli.ini /etc/letsencrypt/cli.ini");
if(!$buffer = mysql_connect($clientdb_host, $clientdb_user, $clientdb_password)) {
echo "ERROR: There was a problem with the MySQL connection.\n";
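Review bot: The backup name built on the `exec("cp /etc/letsencrypt/cli.ini " . $backup_dir . date("Ymdhis") ...)` line uses `h` (12-hour clock), so two runs twelve hours apart produce the same filename and the second `cp` silently overwrites the first backup; `date("YmdHis")` gives a unique, sortable stamp. Neither `exec` call checks its return status, so a failed copy is followed by the unconditional `rm` on the next line and the user's existing configuration is lost; check the result before removing, e.g. `if(!copy("/etc/letsencrypt/cli.ini", $backup)) { echo "ERROR: backup failed.\n"; exit; }` followed by `unlink(...)`, which also avoids shelling out. `$backup_dir` is defined outside this hunk, so I cannot see whether it ends in a slash or is shell-safe; if it stays in a shell command, wrap the whole target path in `escapeshellarg()`.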
@@ -102,10 +103,18 @@ mysql_db_query($conf['db_database'], "ALTER TABLE `web_domain` ADD `ssl_letsencr
if(is_file("/etc/apache2/apache2.conf")) {
echo "Configure Apache and reload it.\n";
- if(is_file("/etc/apache2/conf-available/letsencrypt.conf")) {
- exec("rm /etc/apache2/conf-available/letsencrypt.conf");
+ if(is_dir("/etc/apache2/conf-available")) {
+ if(is_file("/etc/apache2/conf-available/letsencrypt.conf")) {
+ exec("rm /etc/apache2/conf-available/letsencrypt.conf");
+ }
+ exec("cp ./apache.letsencrypt.conf /etc/apache2/conf-available/letsencrypt.conf");
+ }
+ if(is_dir("/etc/apache2/conf.d")) {
+ if(is_file("/etc/apache2/conf.d/letsencrypt.conf")) {
+ exec("rm /etc/apache2/conf.d/letsencrypt.conf");
+ }
+ exec("cp ./apache.letsencrypt.conf /etc/apache2/conf.d/letsencrypt.conf");
}
- exec("cp ./apache.letsencrypt.conf /etc/apache2/conf-available/letsencrypt.conf");
exec("a2enmod headers");
exec("a2enconf letsencrypt");
exec("service apache2 reload");
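Review bot: `exec("a2enconf letsencrypt")` on the context line after the new `conf.d` branch still runs unconditionally, but `a2enconf` and the `conf-enabled` mechanism belong to the `conf-available` layout; on a `conf.d`-only install the command fails (silently, since `exec` output and status are discarded), and on a system where both directories exist the file is installed twice and may be included twice. Move `exec("a2enconf letsencrypt");` inside the `is_dir("/etc/apache2/conf-available")` branch and make the `conf.d` branch an `elseif`, so exactly one location is configured. The enclosing `if(is_file("/etc/apache2/apache2.conf"))` block closes outside the hunk.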
diff --git a/src/server/plugins-available/apache2_plugin.inc.php b/src/server/plugins-available/apache2_plugin.inc.php
index 1b28759..66486b8 100755
--- a/src/server/plugins-available/apache2_plugin.inc.php
+++ b/src/server/plugins-available/apache2_plugin.inc.php
@@ -952,20 +952,38 @@ class apache2_plugin {
//* Generate Let's Encrypt SSL certificat
if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y') {
+ $data['new']['ssl_domain'] = $domain;
+ $vhost_data['ssl_domain'] = $domain;
+
//* be sure to have good domain
$lddomain = (string) "$domain";
if($data['new']['subdomain'] == "www" OR $data['new']['subdomain'] == "*") {
$lddomain .= (string) " --domains www." . $domain;
}
- $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/cert.pem";
+ $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/fullchain.pem";
$key_tmp_file = "/etc/letsencrypt/live/".$domain."/privkey.pem";
$webroot = $data['new']['document_root']."/web";
//* check if we have already a Let's Encrypt cert
if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) {
- $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);
- exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot --text --agree-tos");
+ $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);
+
+ if(is_dir($webroot . "/.well-known/")) {
+ $app->log("Remove old challenge directory", LOGLEVEL_DEBUG);
+ $this->_exec("rm -rf " . $webroot . "/.well-known/");
+ }
+
+ $app->log("Create challenge directory", LOGLEVEL_DEBUG);
+ $app->system->mkdirpath($webroot . "/.well-known/");
+ $app->system->chown($webroot . "/.well-known/", $data['new']['system_user']);
+ $app->system->chgrp($webroot . "/.well-known/", $data['new']['system_group']);
+ $app->system->mkdirpath($webroot . "/.well-known/acme-challenge");
+ $app->system->chown($webroot . "/.well-known/acme-challenge/", $data['new']['system_user']);
+ $app->system->chgrp($webroot . "/.well-known/acme-challenge/", $data['new']['system_group']);
+ $app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s");
+
+ $this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot");
};
//* check is been correctly created
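Review bot: `$this->_exec("rm -rf " . $webroot . "/.well-known/")` recursively deletes the whole `.well-known` directory inside the customer's document root as root, not just the `acme-challenge` subdirectory the client needs, so anything else the site owner keeps there is lost on every issuance; `$webroot` is also interpolated into the shell command unquoted, as are `$domain` and `$lddomain` in the `letsencrypt auth` command, and the same block appears in the nginx_plugin hunk. Limit the cleanup to `$webroot . "/.well-known/acme-challenge"`, and because the parent directory is owned by the site user, check `is_link()` before recursing (or remove with PHP's own `unlink`/`rmdir`) so a symlink placed there cannot redirect the delete; pass shell arguments through `escapeshellarg()`. `$app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s")` passes a symbolic mode, which PHP's native `chmod()` does not accept, so confirm the ISPConfig helper translates it; otherwise the setgid bit is never applied and the "bad permission" problem the commit message describes persists. The enclosing `if($data['new']['ssl'] == 'y' ...)` block continues outside the hunk.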
diff --git a/src/server/plugins-available/nginx_plugin.inc.php b/src/server/plugins-available/nginx_plugin.inc.php
index 6c2aaa3..fb2329a 100755
--- a/src/server/plugins-available/nginx_plugin.inc.php
+++ b/src/server/plugins-available/nginx_plugin.inc.php
@@ -1127,7 +1127,22 @@ class nginx_plugin {
//* check if we have already a Let's Encrypt cert
if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) {
$app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);
- exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot --text --agree-tos");
+
+ if(is_dir($webroot . "/.well-known/")) {
+ $app->log("Remove old challenge directory", LOGLEVEL_DEBUG);
+ $this->_exec("rm -rf " . $webroot . "/.well-known/");
+ }
+
+ $app->log("Create challenge directory", LOGLEVEL_DEBUG);
+ $app->system->mkdirpath($webroot . "/.well-known/");
+ $app->system->chown($webroot . "/.well-known/", $$data['new']['system_user']);
+ $app->system->chgrp($webroot . "/.well-known/", $data['new']['system_group']);
+ $app->system->mkdirpath($webroot . "/.well-known/acme-challenge");
+ $app->system->chown($webroot . "/.well-known/acme-challenge/", $data['new']['system_user']);
+ $app->system->chgrp($webroot . "/.well-known/acme-challenge/", $data['new']['system_group']);
+ $app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s");
+
+ $this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot");
};
//* check is been correctly created
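Review bot: `$app->system->chown($webroot . "/.well-known/", $$data['new']['system_user'])` has a doubled sigil; in PHP `$$data[...]` is a variable-variable lookup through the array `$data`, which yields an undefined value (likely with an "Array to string conversion" notice), so the top-level `.well-known` directory is chowned to an empty owner or the helper fails, rather than to the site user — the apache2_plugin hunk has the correct form. Change it to `$app->system->chown($webroot . "/.well-known/", $data['new']['system_user']);`. The enclosing `if(!file_exists($crt_tmp_file) ...)` block and its surrounding function continue outside the hunk.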