diff options
| author | Alexandre Alouit <alexandre.alouit@gmail.com> | 2015-12-04 09:47:54 +0100 |
|---|---|---|
| committer | Alexandre Alouit <alexandre.alouit@gmail.com> | 2015-12-04 09:47:54 +0100 |
| commit | 599d73b54549d808e3d05c3a98c4729d942edd5f (patch) | |
| tree | 6a35115fa53dc553196510b32caf3e24f2af155f | |
| parent | 876dc671ef09e855eea7714c519977462e90f30c (diff) | |
bugfix & improvements
prevent apache with conf.d directory instead conf-available
create challenge directory (prevent Let’s Encrypt create file with bad
permission)
use debug ispconfig function
use fullchain for apache
| -rw-r--r-- | README.md | 6 | ||||
| -rw-r--r-- | _todo | 3 | ||||
| -rw-r--r-- | cli.ini | 3 | ||||
| -rw-r--r-- | cli.ini.patch | 11 | ||||
| -rw-r--r-- | install.php | 21 | ||||
| -rwxr-xr-x | src/server/plugins-available/apache2_plugin.inc.php | 22 | ||||
| -rwxr-xr-x | src/server/plugins-available/nginx_plugin.inc.php | 17 |
7 files changed, 58 insertions, 25 deletions
@@ -21,6 +21,8 @@ php -q install.php After install, a new checkbox will be available in editing website, just check it. +Adjust server in ```/etc/letsencrypt/cli.ini```if isn't ``https://acme-v01.api.letsencrypt.org/directory``` + ## MANUAL INSTALLATION @@ -31,11 +33,9 @@ After install, a new checkbox will be available in editing website, just check i cd ISPConfig-letsencrypt ``` -- patch or create Let's Encrypt configuration +- create Let's Encrypt configuration ``` cp ./cli.ini /etc/letsencrypt/cli.ini - or -patch /etc/letsencrypt/cli.ini < ./cli.ini.patch ``` - patch ISPConfig (merge all files from ./src to /usr/local/ispconfig) @@ -1,7 +1,8 @@ check dns entry is correct before request to Let's Encrypt (apache and nginx plugin) check dns MX entry is correct before request to Let's Encrypt (apache and nginx plugin) check if we already have a symlink and if he's valid (apache and nginx plugin) -force ssl field to on when use Let's Encrypt (api access) +force ssl field to on when use Let's Encrypt (api access?) disable ssl tab when use Let's Encrypt (webgui) check dns entry is correct and MX domain check if is a symlink and is correct (if target is same) +disable ssl & letsencrypt fields in database if we have error (and show notification?) @@ -6,7 +6,7 @@ rsa-key-size = 4096 # Always use the staging/testing server -server = https://acme-staging.api.letsencrypt.org/directory +#server = https://acme-staging.api.letsencrypt.org/directory # Uncomment and update to register with the specified e-mail address # email = foo@example.com @@ -27,3 +27,4 @@ text = True agree-dev-preview = True agree-tos = True authenticator = webroot +server https://acme-v01.api.letsencrypt.org/directory diff --git a/cli.ini.patch b/cli.ini.patch deleted file mode 100644 index e038f5c..0000000 --- a/cli.ini.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- cli.ini 2015-11-06 20:21:09.332000000 +0100 -+++ cli.ini 2015-11-06 20:21:27.380000000 +0100 -@@ -22,3 +22,8 @@ - # path to the public_html / webroot folder being served by your web server. - # authenticator = webroot - # webroot-path = /usr/share/nginx/html -+ -+text = True -+agree-dev-preview = True -+agree-tos = True -+authenticator = webroot diff --git a/install.php b/install.php index 4fac9d8..c1417c7 100644 --- a/install.php +++ b/install.php @@ -84,13 +84,14 @@ if(!is_file("/root/.local/share/letsencrypt/bin/letsencrypt-renewer")) { exit; } -if(!is_file("/etc/letsencrypt/cli.ini")) { - echo "Let's Encrypt configuration file don't exist, create it.\n"; - exec("cp ./cli.ini /etc/letsencrypt/cli.ini"); -} else { - echo "Let's Encrypt configuration file exist, patch it.\n"; - exec("patch /etc/letsencrypt/cli.ini < ./cli.ini.patch"); +if(is_file("/etc/letsencrypt/cli.ini")) { + echo "Let's Encrypt configuration file exist, backup up and remove.\n"; + exec("cp /etc/letsencrypt/cli.ini " . $backup_dir . date("Ymdhis") . "-letsencrypt.cli.ini"); + exec("rm /etc/letsencrypt/cli.ini"); + } +echo "Copy Let's Encrypt configuration.\n"; +exec("cp ./cli.ini /etc/letsencrypt/cli.ini"); if(!$buffer = mysql_connect($clientdb_host, $clientdb_user, $clientdb_password)) { echo "ERROR: There was a problem with the MySQL connection.\n"; @@ -102,10 +103,18 @@ mysql_db_query($conf['db_database'], "ALTER TABLE `web_domain` ADD `ssl_letsencr if(is_file("/etc/apache2/apache2.conf")) { echo "Configure Apache and reload it.\n"; + if(is_dir("/etc/apache2/conf-available")) { if(is_file("/etc/apache2/conf-available/letsencrypt.conf")) { exec("rm /etc/apache2/conf-available/letsencrypt.conf"); } exec("cp ./apache.letsencrypt.conf /etc/apache2/conf-available/letsencrypt.conf"); + } + if(is_dir("/etc/apache2/conf.d")) { + if(is_file("/etc/apache2/conf.d/letsencrypt.conf")) { + exec("rm /etc/apache2/conf.d/letsencrypt.conf"); + } + exec("cp ./apache.letsencrypt.conf /etc/apache2/conf.d/letsencrypt.conf"); + } exec("a2enmod headers"); exec("a2enconf letsencrypt"); exec("service apache2 reload"); diff --git a/src/server/plugins-available/apache2_plugin.inc.php b/src/server/plugins-available/apache2_plugin.inc.php index 1b28759..66486b8 100755 --- a/src/server/plugins-available/apache2_plugin.inc.php +++ b/src/server/plugins-available/apache2_plugin.inc.php @@ -952,20 +952,38 @@ class apache2_plugin { //* Generate Let's Encrypt SSL certificat if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y') { + $data['new']['ssl_domain'] = $domain; + $vhost_data['ssl_domain'] = $domain; + //* be sure to have good domain $lddomain = (string) "$domain"; if($data['new']['subdomain'] == "www" OR $data['new']['subdomain'] == "*") { $lddomain .= (string) " --domains www." . $domain; } - $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/cert.pem"; + $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/fullchain.pem"; $key_tmp_file = "/etc/letsencrypt/live/".$domain."/privkey.pem"; $webroot = $data['new']['document_root']."/web"; //* check if we have already a Let's Encrypt cert if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) { $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG); - exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot --text --agree-tos"); + + if(is_dir($webroot . "/.well-known/")) { + $app->log("Remove old challenge directory", LOGLEVEL_DEBUG); + $this->_exec("rm -rf " . $webroot . "/.well-known/"); + } + + $app->log("Create challenge directory", LOGLEVEL_DEBUG); + $app->system->mkdirpath($webroot . "/.well-known/"); + $app->system->chown($webroot . "/.well-known/", $data['new']['system_user']); + $app->system->chgrp($webroot . "/.well-known/", $data['new']['system_group']); + $app->system->mkdirpath($webroot . "/.well-known/acme-challenge"); + $app->system->chown($webroot . "/.well-known/acme-challenge/", $data['new']['system_user']); + $app->system->chgrp($webroot . "/.well-known/acme-challenge/", $data['new']['system_group']); + $app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s"); + + $this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot"); }; //* check is been correctly created diff --git a/src/server/plugins-available/nginx_plugin.inc.php b/src/server/plugins-available/nginx_plugin.inc.php index 6c2aaa3..fb2329a 100755 --- a/src/server/plugins-available/nginx_plugin.inc.php +++ b/src/server/plugins-available/nginx_plugin.inc.php @@ -1127,7 +1127,22 @@ class nginx_plugin { //* check if we have already a Let's Encrypt cert if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) { $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG); - exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot --text --agree-tos"); + + if(is_dir($webroot . "/.well-known/")) { + $app->log("Remove old challenge directory", LOGLEVEL_DEBUG); + $this->_exec("rm -rf " . $webroot . "/.well-known/"); + } + + $app->log("Create challenge directory", LOGLEVEL_DEBUG); + $app->system->mkdirpath($webroot . "/.well-known/"); + $app->system->chown($webroot . "/.well-known/", $$data['new']['system_user']); + $app->system->chgrp($webroot . "/.well-known/", $data['new']['system_group']); + $app->system->mkdirpath($webroot . "/.well-known/acme-challenge"); + $app->system->chown($webroot . "/.well-known/acme-challenge/", $data['new']['system_user']); + $app->system->chgrp($webroot . "/.well-known/acme-challenge/", $data['new']['system_group']); + $app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s"); + + $this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot"); }; //* check is been correctly created |