From 599d73b54549d808e3d05c3a98c4729d942edd5f Mon Sep 17 00:00:00 2001
From: Alexandre Alouit
Date: Fri, 4 Dec 2015 09:47:54 +0100
Subject: bugfix & improvements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
prevent apache with conf.d directory instead conf-available create challenge directory (prevent Let’s Encrypt create file with bad permission) use debug ispconfig function use fullchain for apache
---
 README.md | 6 ++---
 _todo | 3 ++-
 cli.ini | 3 ++-
 cli.ini.patch | 11 ---------
 install.php | 27 ++++++++++++++--------
 .../plugins-available/apache2_plugin.inc.php | 24 ++++++++++++++++---
 src/server/plugins-available/nginx_plugin.inc.php | 17 +++++++++++++-
 7 files changed, 62 insertions(+), 29 deletions(-)
 delete mode 100644 cli.ini.patch
diff --git a/README.md b/README.md
index 80e78e6..006421d 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,8 @@ php -q install.php
 After install, a new checkbox will be available in editing website, just check it.
+Adjust server in ```/etc/letsencrypt/cli.ini```if isn't ``https://acme-v01.api.letsencrypt.org/directory```
+
 ## MANUAL INSTALLATION
@@ -31,11 +33,9 @@ After install, a new checkbox will be available in editing website, just check i
 cd ISPConfig-letsencrypt
 ```
-- patch or create Let's Encrypt configuration
+- create Let's Encrypt configuration
 ```
 cp ./cli.ini /etc/letsencrypt/cli.ini
- or
-patch /etc/letsencrypt/cli.ini < ./cli.ini.patch
 ```
 - patch ISPConfig (merge all files from ./src to /usr/local/ispconfig)
diff --git a/_todo b/_todo
index 45341e3..8be3573 100644
--- a/_todo
+++ b/_todo
@@ -1,7 +1,8 @@
 check dns entry is correct before request to Let's Encrypt (apache and nginx plugin)
 check dns MX entry is correct before request to Let's Encrypt (apache and nginx plugin)
 check if we already have a symlink and if he's valid (apache and nginx plugin)
-force ssl field to on when use Let's Encrypt (api access)
+force ssl field to on when use Let's Encrypt (api access?)
 disable ssl tab when use Let's Encrypt (webgui)
 check dns entry is correct and MX domain
 check if is a symlink and is correct (if target is same)
+disable ssl & letsencrypt fields in database if we have error (and show notification?)
diff --git a/cli.ini b/cli.ini
index 6eab855..a54d846 100644
--- a/cli.ini
+++ b/cli.ini
@@ -6,7 +6,7 @@ rsa-key-size = 4096
 # Always use the staging/testing server
-server = https://acme-staging.api.letsencrypt.org/directory
+#server = https://acme-staging.api.letsencrypt.org/directory
 # Uncomment and update to register with the specified e-mail address
 # email = foo@example.com
@@ -27,3 +27,4 @@ text = True
 agree-dev-preview = True
 agree-tos = True
 authenticator = webroot
+server https://acme-v01.api.letsencrypt.org/directory
diff --git a/cli.ini.patch b/cli.ini.patch
deleted file mode 100644
index e038f5c..0000000
--- a/cli.ini.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- cli.ini 2015-11-06 20:21:09.332000000 +0100
-+++ cli.ini 2015-11-06 20:21:27.380000000 +0100
-@@ -22,3 +22,8 @@
- # path to the public_html / webroot folder being served by your web server.
- # authenticator = webroot
- # webroot-path = /usr/share/nginx/html
-+
-+text = True
-+agree-dev-preview = True
-+agree-tos = True
-+authenticator = webroot
diff --git a/install.php b/install.php
index 4fac9d8..c1417c7 100644
--- a/install.php
+++ b/install.php
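Review bot: The appended `server https://acme-v01.api.letsencrypt.org/directory` is the only key in the file written without `=`; every other entry uses the `key = value` form, and while the client's config parser may tolerate a bare space as separator, a reader (and any stricter parser) will not. Write it as `server = https://acme-v01.api.letsencrypt.org/directory`, and place it where the first cli.ini hunk leaves the commented-out staging line (`#server = ...`) rather than at the end of the file, so the active and inactive `server` entries sit together under the "Always use the staging/testing server" comment, which then also needs updating to describe the production endpoint.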
@@ -84,13 +84,14 @@ if(!is_file("/root/.local/share/letsencrypt/bin/letsencrypt-renewer")) {
 exit;
 }
-if(!is_file("/etc/letsencrypt/cli.ini")) {
- echo "Let's Encrypt configuration file don't exist, create it.\n";
- exec("cp ./cli.ini /etc/letsencrypt/cli.ini");
-} else {
- echo "Let's Encrypt configuration file exist, patch it.\n";
- exec("patch /etc/letsencrypt/cli.ini < ./cli.ini.patch");
+if(is_file("/etc/letsencrypt/cli.ini")) {
+ echo "Let's Encrypt configuration file exist, backup up and remove.\n";
+ exec("cp /etc/letsencrypt/cli.ini " . $backup_dir . date("Ymdhis") . "-letsencrypt.cli.ini");
+ exec("rm /etc/letsencrypt/cli.ini");
+ }
+echo "Copy Let's Encrypt configuration.\n";
+exec("cp ./cli.ini /etc/letsencrypt/cli.ini");
 if(!$buffer = mysql_connect($clientdb_host, $clientdb_user, $clientdb_password)) {
 echo "ERROR: There was a problem with the MySQL connection.\n";
@@ -102,10 +103,18 @@ mysql_db_query($conf['db_database'], "ALTER TABLE `web_domain` ADD `ssl_letsencr
 if(is_file("/etc/apache2/apache2.conf")) {
 echo "Configure Apache and reload it.\n";
- if(is_file("/etc/apache2/conf-available/letsencrypt.conf")) {
- exec("rm /etc/apache2/conf-available/letsencrypt.conf");
+ if(is_dir("/etc/apache2/conf-available")) {
+ if(is_file("/etc/apache2/conf-available/letsencrypt.conf")) {
+ exec("rm /etc/apache2/conf-available/letsencrypt.conf");
+ }
+ exec("cp ./apache.letsencrypt.conf /etc/apache2/conf-available/letsencrypt.conf");
+ }
+ if(is_dir("/etc/apache2/conf.d")) {
+ if(is_file("/etc/apache2/conf.d/letsencrypt.conf")) {
+ exec("rm /etc/apache2/conf.d/letsencrypt.conf");
+ }
+ exec("cp ./apache.letsencrypt.conf /etc/apache2/conf.d/letsencrypt.conf");
 }
- exec("cp ./apache.letsencrypt.conf /etc/apache2/conf-available/letsencrypt.conf");
 exec("a2enmod headers");
 exec("a2enconf letsencrypt");
 exec("service apache2 reload");
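Review bot: `exec("cp /etc/letsencrypt/cli.ini " . $backup_dir . date("Ymdhis") . "-letsencrypt.cli.ini")` splices `$backup_dir` (defined outside this hunk) into a shell string unquoted and discards the exit status, and `Ymdhis` uses the 12-hour `h`, so two runs twelve hours apart produce the same backup name and the second silently overwrites the first; `date("YmdHis")` together with PHP's own `copy()`/`unlink()`, each followed by `or die("...")`, removes both the shell and the silent-failure path. The added `exec("rm /etc/letsencrypt/cli.ini")` becomes unnecessary once `copy()` overwrites the target in place. The added `\t}` closes the new `if`, but the old `else` block's closing brace does not appear as a removed line in this hunk, so if it is still in the file the result is an unbalanced brace — worth a `php -l install.php` before merging. The message `"Let's Encrypt configuration file exist, backup up and remove.\n"` should read `"Let's Encrypt configuration file exists, backing it up and removing it.\n"`.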
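Review bot: The two `is_dir` branches are independent, so on a host where both `/etc/apache2/conf-available` and `/etc/apache2/conf.d` exist (not unusual after an in-place Apache 2.2 to 2.4 upgrade) the snippet is installed in both places, while `exec("a2enconf letsencrypt")` runs unconditionally even though that tool belongs only to the conf-available layout. Turning the second branch into `} elseif(is_dir("/etc/apache2/conf.d")) {` and moving `exec("a2enconf letsencrypt");` inside the conf-available branch yields exactly one copy and one enable step. The `exec()` return values are still ignored throughout, so a failed copy is followed by a reload of an unchanged server with no diagnostic; checking them and echoing an error would match the `"ERROR: ..."` handling the MySQL connection gets in the previous hunk.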
diff --git a/src/server/plugins-available/apache2_plugin.inc.php b/src/server/plugins-available/apache2_plugin.inc.php
index 1b28759..66486b8 100755
--- a/src/server/plugins-available/apache2_plugin.inc.php
+++ b/src/server/plugins-available/apache2_plugin.inc.php
@@ -952,20 +952,38 @@ class apache2_plugin {
 //* Generate Let's Encrypt SSL certificat
 if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y') {
+ $data['new']['ssl_domain'] = $domain;
+ $vhost_data['ssl_domain'] = $domain;
+
 //* be sure to have good domain
 $lddomain = (string) "$domain";
 if($data['new']['subdomain'] == "www" OR $data['new']['subdomain'] == "*") {
 $lddomain .= (string) " --domains www." . $domain;
 }
- $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/cert.pem";
+ $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/fullchain.pem";
 $key_tmp_file = "/etc/letsencrypt/live/".$domain."/privkey.pem";
 $webroot = $data['new']['document_root']."/web";
 //* check if we have already a Let's Encrypt cert
 if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) {
- $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);
- exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot --text --agree-tos");
+ $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);
+
+ if(is_dir($webroot . "/.well-known/")) {
+ $app->log("Remove old challenge directory", LOGLEVEL_DEBUG);
+ $this->_exec("rm -rf " . $webroot . "/.well-known/");
+ }
+
+ $app->log("Create challenge directory", LOGLEVEL_DEBUG);
+ $app->system->mkdirpath($webroot . "/.well-known/");
+ $app->system->chown($webroot . "/.well-known/", $data['new']['system_user']);
+ $app->system->chgrp($webroot . "/.well-known/", $data['new']['system_group']);
+ $app->system->mkdirpath($webroot . "/.well-known/acme-challenge");
+ $app->system->chown($webroot . "/.well-known/acme-challenge/", $data['new']['system_user']);
+ $app->system->chgrp($webroot . "/.well-known/acme-challenge/", $data['new']['system_group']);
+ $app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s");
+
+ $this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot");
 };
 //* check is been correctly created
diff --git a/src/server/plugins-available/nginx_plugin.inc.php b/src/server/plugins-available/nginx_plugin.inc.php
index 6c2aaa3..fb2329a 100755
--- a/src/server/plugins-available/nginx_plugin.inc.php
+++ b/src/server/plugins-available/nginx_plugin.inc.php
@@ -1127,7 +1127,22 @@ class nginx_plugin {
 //* check if we have already a Let's Encrypt cert
 if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) {
 $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);
- exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot --text --agree-tos");
+
+ if(is_dir($webroot . "/.well-known/")) {
+ $app->log("Remove old challenge directory", LOGLEVEL_DEBUG);
+ $this->_exec("rm -rf " . $webroot . "/.well-known/");
+ }
+
+ $app->log("Create challenge directory", LOGLEVEL_DEBUG);
+ $app->system->mkdirpath($webroot . "/.well-known/");
+ $app->system->chown($webroot . "/.well-known/", $$data['new']['system_user']);
+ $app->system->chgrp($webroot . "/.well-known/", $data['new']['system_group']);
+ $app->system->mkdirpath($webroot . "/.well-known/acme-challenge");
+ $app->system->chown($webroot . "/.well-known/acme-challenge/", $data['new']['system_user']);
+ $app->system->chgrp($webroot . "/.well-known/acme-challenge/", $data['new']['system_group']);
+ $app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s");
+
+ $this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot");
 };
 //* check is been correctly created
-- 
cgit v1.2.3
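Review bot: `$app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s")` passes a symbolic mode, but if that wrapper forwards `$mode` to PHP's `chmod()` as its name suggests, the string is coerced to integer 0 and the challenge directory ends up with mode 0000, which the web server cannot serve; PHP's `chmod()` only takes a numeric mode, so use an octal literal such as `02755` (setgid plus the usual directory bits). The preceding `is_dir($webroot . "/.well-known/")` check follows symlinks, and the chown below hands that directory to the site's system user, so on a later run `rm -rf` executes with the server process's privileges against whatever a symlink placed there resolves to — behaviour of `rm -rf` on a symlink with a trailing slash is implementation-dependent, so refuse up front with `if(is_link($webroot . "/.well-known")) { $app->log("...", LOGLEVEL_WARN); return; }` or `unlink()` the link instead. `$webroot` is also interpolated unescaped into both shell commands; wrapping it in `escapeshellarg()` costs nothing. All three points apply verbatim to the nginx_plugin hunk below. The enclosing method starts and ends outside this hunk.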
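Review bot: `$app->system->chown($webroot . "/.well-known/", $$data['new']['system_user']);` has a doubled sigil, which PHP parses as a variable-variable rather than a lookup in the `$data` array, so the `.well-known/` directory is chowned to whatever that stray dereference yields (in all likelihood an empty value) instead of the site's system user, leaving it owned by the process that created it. The line should read `$app->system->chown($webroot . "/.well-known/", $data['new']['system_user']);`, matching the `chgrp` call directly below it and the same line in the apache2_plugin hunk. The enclosing method starts and ends outside this hunk.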