
Commit 1fa2dfb

author
Marius Burkard
committed
Merge branch 'ahrasis-develop-patch-37037' into 'develop'
Update installer_base.lib.php to overwrite self-signed certificate with LE SSL... See merge request ispconfig/ispconfig3!1371
2 parents db69e52 + b1f0c20 commit 1fa2dfb


1 file changed

+50
-24
lines changed


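--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -2899,8 +2899,13 @@ public function make_ispconfig_ssl_cert() {
 $ip_address_match = true;
 }
 
+// Get subject and issuer of ispserver.crt to check if it is self-signed cert
+if (file_exists($ssl_crt_file)) {
+$crt_subject = exec("openssl x509 -in ".escapeshellarg($ssl_crt_file)." -inform PEM -noout -subject");
+$crt_issuer = exec("openssl x509 -in ".escapeshellarg($ssl_crt_file)." -inform PEM -noout -issuer");
+}
 
-if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {
+if ((@file_exists($ssl_crt_file) && ($crt_subject == $crt_issuer)) || (!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {
 
 // This script is needed earlier to check and open http port 80 or standalone might fail
 // Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install
@@ -2970,6 +2975,14 @@ public function make_ispconfig_ssl_cert() {
 
 $issued_successfully = false;
 
+// Backup existing ispserver ssl files
+if(file_exists($ssl_crt_file) || is_link($ssl_crt_file))
+rename($ssl_crt_file, $ssl_crt_file.'-temporary.bak');
+if(file_exists($ssl_key_file) || is_link($ssl_key_file))
+rename($ssl_key_file, $ssl_key_file.'-temporary.bak');
+if(file_exists($ssl_pem_file) || is_link($ssl_pem_file))
+rename($ssl_pem_file, $ssl_pem_file.'-temporary.bak');
+
 // Attempt to use Neilpang acme.sh first, as it is now the preferred LE client
 if (is_executable($acme)) {
 
@@ -2986,18 +2999,6 @@ public function make_ispconfig_ssl_cert() {
 if($ret == 0 || ($ret == 2 && file_exists($check_acme_file))) {
 // acme.sh returns with 2 on issue for already existing certificate
 
-
-// Backup existing ispserver ssl files
-if(file_exists($ssl_crt_file) || is_link($ssl_crt_file)) {
-rename($ssl_crt_file, $ssl_crt_file . '-' . $date->format('YmdHis') . '.bak');
-}
-if(file_exists($ssl_key_file) || is_link($ssl_key_file)) {
-rename($ssl_key_file, $ssl_key_file . '-' . $date->format('YmdHis') . '.bak');
-}
-if(file_exists($ssl_pem_file) || is_link($ssl_pem_file)) {
-rename($ssl_pem_file, $ssl_pem_file . '-' . $date->format('YmdHis') . '.bak');
-}
-
 $check_acme_file = $ssl_crt_file;
 
 // Define LE certs name and path, then install them
@@ -3006,8 +3007,26 @@ public function make_ispconfig_ssl_cert() {
 $acme_chain = "--fullchain-file " . escapeshellarg($ssl_crt_file);
 exec("$acme --install-cert -d " . escapeshellarg($hostname) . " $acme_key $acme_chain");
 $issued_successfully = true;
+
+// Make temporary backup of self-signed certs permanent
+if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
+rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file.'-'.$date->format('YmdHis').'.bak');
+if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
+rename($ssl_key_file.'-temporary.bak', $ssl_key_file.'-'.$date->format('YmdHis').'.bak');
+if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
+rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file.'-'.$date->format('YmdHis').'.bak');
+
 } else {
 swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');
+
+// Restore temporary backup of self-signed certs
+if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
+rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
+if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
+rename($ssl_key_file.'-temporary.bak', $ssl_key_file);
+if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
+rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file);
+
 }
 // Else, we attempt to use the official LE certbot client certbot
 } else {
@@ -3039,24 +3058,31 @@ public function make_ispconfig_ssl_cert() {
 if($ret == 0) {
 // certbot returns with 0 on issue for already existing certificate
 
-// Backup existing ispserver ssl files
-if(file_exists($ssl_crt_file) || is_link($ssl_crt_file)) {
-rename($ssl_crt_file, $ssl_crt_file . '-' . $date->format('YmdHis') . '.bak');
-}
-if(file_exists($ssl_key_file) || is_link($ssl_key_file)) {
-rename($ssl_key_file, $ssl_key_file . '-' . $date->format('YmdHis') . '.bak');
-}
-if(file_exists($ssl_pem_file) || is_link($ssl_pem_file)) {
-rename($ssl_pem_file, $ssl_pem_file . '-' . $date->format('YmdHis') . '.bak');
-}
-
 $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
 symlink($acme_cert_dir . '/fullchain.pem', $ssl_crt_file);
 symlink($acme_cert_dir . '/privkey.pem', $ssl_key_file);
 
 $issued_successfully = true;
+
+// Make temporary backup of self-signed certs permanent
+if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
+rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file.'-'.$date->format('YmdHis').'.bak');
+if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
+rename($ssl_key_file.'-temporary.bak', $ssl_key_file.'-'.$date->format('YmdHis').'.bak');
+if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
+rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file.'-'.$date->format('YmdHis').'.bak');
+
 } else {
 swriteln('Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt');
+
+// Restore temporary backup of self-signed certs
+if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
+rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
+if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
+rename($ssl_key_file.'-temporary.bak', $ssl_key_file);
+if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
+rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file);
+
 }
 } else {
 swriteln('Did not find any valid acme client (acme.sh or certbot)');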
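Review bot: The `-temporary.bak` renames added at new lines 2978-2984 run before the client is selected, but the final `} else { swriteln('Did not find any valid acme client (acme.sh or certbot)'); }` branch at 3087-3088 never restores them, so on a host with neither acme.sh nor certbot the live `$ssl_crt_file`/`$ssl_key_file`/`$ssl_pem_file` paths are left empty and the originals stranded under `-temporary.bak`; either repeat the restore block from 3079-3084 in that branch (below) or move the backup inside the two client branches. In the new condition at 2908, `$crt_subject == $crt_issuer` is also true when both `exec()` calls produced nothing (both empty or `false`, e.g. no `openssl` binary on PATH), which would misclassify a CA-issued certificate as self-signed and trigger a re-issue; guard it with `$crt_subject !== false && $crt_subject !== '' && $crt_subject === $crt_issuer`, or read the fields with `openssl_x509_parse()` instead of shelling out. Because `&&` binds tighter than `||`, that same condition parses as `(self-signed) || (changed && $ip_address_match == true)`, so the self-signed case now bypasses the IP-match gate that previously guarded every issuance attempt — if that is not intended, wrap both alternatives in one pair of parentheses before `&& $ip_address_match == true`. The promote and restore blocks appear four times (3011-3017, 3022-3028, 3067-3073, 3078-3084) and would read better as two small private helpers taking the file list. `make_ispconfig_ssl_cert()` begins and ends outside these hunks.
```php
} else {
    swriteln('Did not find any valid acme client (acme.sh or certbot)');

    // Restore temporary backup of self-signed certs so the live paths are never left empty
    if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
        rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
    if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
        rename($ssl_key_file.'-temporary.bak', $ssl_key_file);
    if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
        rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file);
```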
