|
1 | 1 | <?php |
2 | 2 |
|
3 | 3 | /* |
4 | | -Copyright (c) 2007-2010, Till Brehm, projektfarm Gmbh |
| 4 | +Copyright (c) 2007-2019, Till Brehm, projektfarm GmbH |
5 | 5 | All rights reserved. |
6 | 6 |
|
7 | 7 | Redistribution and use in source and binary forms, with or without modification, |
@@ -2672,34 +2672,254 @@ public function configure_apps_vhost() { |
2672 | 2672 | if(!@is_link($vhost_conf_enabled_dir.'/000-apps.vhost')) { |
2673 | 2673 | symlink($vhost_conf_dir.'/apps.vhost', $vhost_conf_enabled_dir.'/000-apps.vhost'); |
2674 | 2674 | } |
| 2675 | + } |
| 2676 | + } |
2675 | 2677 |
|
| 2678 | + private function curl_request($url, $use_ipv6 = false) { |
| 2679 | + $set_headers = [ |
| 2680 | + 'Connection: Close', |
| 2681 | + 'User-Agent: ISPConfig/3', |
| 2682 | + 'Accept: */*' |
| 2683 | + ]; |
| 2684 | + |
| 2685 | + $ch = curl_init($url); |
| 2686 | + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); |
| 2687 | + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); |
| 2688 | + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); |
| 2689 | + curl_setopt($ch, CURLOPT_FORBID_REUSE, 1); |
| 2690 | + curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); |
| 2691 | + curl_setopt($ch, CURLOPT_HTTPHEADER, $set_headers); |
| 2692 | + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); |
| 2693 | + curl_setopt($ch, CURLOPT_MAXREDIRS, 5); |
| 2694 | + |
| 2695 | + if($use_ipv6) { |
| 2696 | + if(defined('CURLOPT_IPRESOLVE') && defined('CURL_IPRESOLVE_V6')) { |
| 2697 | + curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6); |
| 2698 | + } |
| 2699 | + } else { |
| 2700 | + if(defined('CURLOPT_IPRESOLVE') && defined('CURL_IPRESOLVE_V4')) { |
| 2701 | + curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4); |
| 2702 | + } |
2676 | 2703 | } |
| 2704 | + |
| 2705 | + $response = curl_exec($ch); |
| 2706 | + curl_close($ch); |
| 2707 | + |
| 2708 | + return $response; |
2677 | 2709 | } |
2678 | 2710 |
|
2679 | 2711 | public function make_ispconfig_ssl_cert() { |
2680 | | - global $conf,$autoinstall; |
| 2712 | + global $conf, $autoinstall; |
2681 | 2713 |
|
2682 | | - $install_dir = $conf['ispconfig_install_dir']; |
| 2714 | + //* Get hostname from user entry or shell command */ |
| 2715 | + if($conf['hostname'] !== 'localhost' && $conf['hostname'] !== '') { |
| 2716 | + $hostname = $conf['hostname']; |
| 2717 | + } else { |
| 2718 | + $hostname = exec('hostname -f'); |
| 2719 | + } |
| 2720 | + |
| 2721 | + // Check dns a record exist and its ip equal to server public ip |
| 2722 | + $svr_ip4 = $this->curl_request('https://ispconfig.org/remoteip.php', false); |
| 2723 | + $svr_ip6 = $this->curl_request('https://ispconfig.org/remoteip.php', true); |
| 2724 | + |
| 2725 | + if(function_exists('idn_to_ascii')) { |
| 2726 | + if(defined('IDNA_NONTRANSITIONAL_TO_ASCII') && defined('INTL_IDNA_VARIANT_UTS46') && constant('IDNA_NONTRANSITIONAL_TO_ASCII')) { |
| 2727 | + $hostname = idn_to_ascii($hostname, IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46); |
| 2728 | + } else { |
| 2729 | + $hostname = idn_to_ascii($hostname); |
| 2730 | + } |
| 2731 | + } |
| 2732 | + $dns_ips = array(); |
| 2733 | + if (checkdnsrr($hostname, 'A')) { |
| 2734 | + $dnsa=dns_get_record($hostname, DNS_A); |
| 2735 | + if($dnsa) { |
| 2736 | + foreach ($dnsa as $rec) { |
| 2737 | + $dns_ips[] = $rec['ip']; |
| 2738 | + } |
| 2739 | + } |
| 2740 | + } |
| 2741 | + if (checkdnsrr($hostname, 'AAAA')) { |
| 2742 | + $dnsaaaa=dns_get_record($hostname, DNS_AAAA); |
| 2743 | + if($dnsaaaa) { |
| 2744 | + foreach ($dnsaaaa as $rec) { |
| 2745 | + $dns_ips[] = $rec['ip']; |
| 2746 | + } |
| 2747 | + } |
| 2748 | + } |
| 2749 | + |
| 2750 | + // Request for certs if no LE SSL folder for server fqdn exist |
| 2751 | + $le_live_dir = '/etc/letsencrypt/live/' . $hostname; |
| 2752 | + if (!@is_dir($le_live_dir) && ( |
| 2753 | + ($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)) |
| 2754 | + )) { |
| 2755 | + |
| 2756 | + // This script is needed earlier to check and open http port 80 or standalone might fail |
| 2757 | + // Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install |
| 2758 | + if(file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_pre_hook.sh')) { |
| 2759 | + symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); |
| 2760 | + } |
| 2761 | + if(file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_post_hook.sh')) { |
| 2762 | + symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); |
| 2763 | + } |
| 2764 | + if(file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_renew_hook.sh')) { |
| 2765 | + symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); |
| 2766 | + } |
| 2767 | + chown('/usr/local/bin/letsencrypt_pre_hook.sh', 'root'); |
| 2768 | + chown('/usr/local/bin/letsencrypt_post_hook.sh', 'root'); |
| 2769 | + chown('/usr/local/bin/letsencrypt_renew_hook.sh', 'root'); |
| 2770 | + chmod('/usr/local/bin/letsencrypt_pre_hook.sh', 0700); |
| 2771 | + chmod('/usr/local/bin/letsencrypt_post_hook.sh', 0700); |
| 2772 | + chmod('/usr/local/bin/letsencrypt_renew_hook.sh', 0700); |
2683 | 2773 |
|
2684 | | - $ssl_crt_file = $install_dir.'/interface/ssl/ispserver.crt'; |
2685 | | - $ssl_csr_file = $install_dir.'/interface/ssl/ispserver.csr'; |
2686 | | - $ssl_key_file = $install_dir.'/interface/ssl/ispserver.key'; |
| 2774 | + // Check http port 80 status as it cannot be determined at post hook stage |
| 2775 | + $port80_status=exec('true &>/dev/null </dev/tcp/127.0.0.1/80 && echo open || echo close'); |
| 2776 | + |
| 2777 | + // Set pre-, post- and renew hook |
| 2778 | + $pre_hook = "--pre-hook \"letsencrypt_pre_hook.sh\""; |
| 2779 | + $renew_hook = " --renew-hook \"letsencrypt_renew_hook.sh\""; |
| 2780 | + if($port80_status == 'close') { |
| 2781 | + $post_hook = " --post-hook \"letsencrypt_post_hook.sh\""; |
| 2782 | + $hook = $pre_hook . $post_hook . $renew_hook; |
| 2783 | + } else { |
| 2784 | + $hook = $pre_hook . $renew_hook; |
| 2785 | + } |
| 2786 | + |
| 2787 | + // Get the default LE client name and version |
| 2788 | + $le_client = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot')); |
| 2789 | + $le_client = reset($le_client); |
| 2790 | + |
| 2791 | + // Check for Neilpang acme.sh as well |
| 2792 | + $acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh')); |
| 2793 | + $acme = reset($acme); |
| 2794 | + |
| 2795 | + // Attempt to use Neilpang acme.sh first, as it is now the preferred LE client |
| 2796 | + if (is_executable($acme)) { |
| 2797 | + |
| 2798 | + if($conf['nginx']['installed'] == true) { |
| 2799 | + exec("$acme --issue --nginx -d $hostname $renew_hook"); |
| 2800 | + } elseif($conf['apache']['installed'] == true) { |
| 2801 | + exec("$acme --issue --apache -d $hostname $renew_hook"); |
| 2802 | + } |
| 2803 | + // Else, it is not webserver, so we use standalone |
| 2804 | + else { |
| 2805 | + exec("$acme --issue --standalone -d $hostname $hook"); |
| 2806 | + } |
2687 | 2807 |
|
2688 | | - if(!@is_dir($install_dir.'/interface/ssl')) mkdir($install_dir.'/interface/ssl', 0755, true); |
| 2808 | + // Define LE certs name and path, then install them |
| 2809 | + if (!@is_dir($le_live_dir)) mkdir($le_live_dir, 0755, true); |
| 2810 | + $acme_cert = "--cert-file $le_live_dir/cert.pem"; |
| 2811 | + $acme_key = "--key-file $le_live_dir/privkey.pem"; |
| 2812 | + $acme_ca = "--ca-file $le_live_dir/chain.pem"; |
| 2813 | + $acme_chain = "--fullchain-file $le_live_dir/fullchain.pem"; |
| 2814 | + exec("$acme --install-cert -d $hostname $acme_cert $acme_key $acme_ca $acme_chain"); |
| 2815 | + |
| 2816 | + // Else, we attempt to use the official LE certbot client certbot |
| 2817 | + } else { |
| 2818 | + |
| 2819 | + // But only if it is otherwise available |
| 2820 | + if(is_executable($le_client)) { |
| 2821 | + |
| 2822 | + // Get its version info due to be used for webroot arguement issues |
| 2823 | + $le_info = exec($le_client . ' --version 2>&1', $ret, $val); |
| 2824 | + if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) { |
| 2825 | + $le_version = $matches[2]; |
| 2826 | + } |
| 2827 | + |
| 2828 | + // Define certbot commands |
| 2829 | + $acme_version = '--server https://acme-v0' . (($le_version >=0.22) ? '2' : '1') . '.api.letsencrypt.org/directory'; |
| 2830 | + $certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096'; |
| 2831 | + |
| 2832 | + // If this is a webserver |
| 2833 | + if($conf['nginx']['installed'] == true) |
| 2834 | + exec("$le_client $certonly $acme_version --nginx --email postmaster@$hostname $renew_hook"); |
| 2835 | + elseif($conf['apache']['installed'] == true) |
| 2836 | + exec("$le_client $certonly $acme_version --apache --email postmaster@$hostname $renew_hook"); |
| 2837 | + // Else, it is not webserver, so we use standalone |
| 2838 | + else |
| 2839 | + exec("$le_client $certonly $acme_version --standalone --email postmaster@$hostname -d $hostname $hook"); |
| 2840 | + } |
| 2841 | + } |
| 2842 | + } |
| 2843 | + |
| 2844 | + //* Define and check ISPConfig SSL folder */ |
| 2845 | + $ssl_dir = $conf['ispconfig_install_dir'].'/interface/ssl'; |
| 2846 | + if(!@is_dir($ssl_dir)) mkdir($ssl_dir, 0755, true); |
| 2847 | + |
| 2848 | + $ssl_crt_file = $ssl_dir.'/ispserver.crt'; |
| 2849 | + $ssl_csr_file = $ssl_dir.'/ispserver.csr'; |
| 2850 | + $ssl_key_file = $ssl_dir.'/ispserver.key'; |
| 2851 | + $ssl_pem_file = $ssl_dir.'/ispserver.pem'; |
| 2852 | + |
| 2853 | + $date = new DateTime(); |
| 2854 | + |
| 2855 | + // If the LE SSL certs for this hostname exists |
| 2856 | + if (is_dir($le_live_dir) && in_array($svr_ip, $dns_ips)) { |
| 2857 | + |
| 2858 | + // Backup existing ispserver ssl files |
| 2859 | + if (file_exists($ssl_crt_file)) rename($ssl_crt_file, $ssl_crt_file . '-' .$date->format('YmdHis') . '.bak'); |
| 2860 | + if (file_exists($ssl_key_file)) rename($ssl_key_file, $ssl_key_file . '-' .$date->format('YmdHis') . '.bak'); |
| 2861 | + if (file_exists($ssl_pem_file)) rename($ssl_pem_file, $ssl_pem_file . '-' .$date->format('YmdHis') . '.bak'); |
| 2862 | + |
| 2863 | + // Create symlink to LE fullchain and key for ISPConfig |
| 2864 | + symlink($le_live_dir.'/fullchain.pem', $ssl_crt_file); |
| 2865 | + symlink($le_live_dir.'/privkey.pem', $ssl_key_file); |
2689 | 2866 |
|
2690 | | - $ssl_pw = substr(md5(mt_rand()), 0, 6); |
2691 | | - exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096"); |
2692 | | - if(AUTOINSTALL){ |
2693 | | - exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -subj '/C=".escapeshellcmd($autoinstall['ssl_cert_country'])."/ST=".escapeshellcmd($autoinstall['ssl_cert_state'])."/L=".escapeshellcmd($autoinstall['ssl_cert_locality'])."/O=".escapeshellcmd($autoinstall['ssl_cert_organisation'])."/OU=".escapeshellcmd($autoinstall['ssl_cert_organisation_unit'])."/CN=".escapeshellcmd($autoinstall['ssl_cert_common_name'])."' -key $ssl_key_file -out $ssl_csr_file"); |
2694 | 2867 | } else { |
2695 | | - exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -out $ssl_csr_file"); |
| 2868 | + |
| 2869 | + // We can still use the old self-signed method |
| 2870 | + $ssl_pw = substr(md5(mt_rand()), 0, 6); |
| 2871 | + exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096"); |
| 2872 | + if(AUTOINSTALL){ |
| 2873 | + exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -subj '/C=".escapeshellcmd($autoinstall['ssl_cert_country'])."/ST=".escapeshellcmd($autoinstall['ssl_cert_state'])."/L=".escapeshellcmd($autoinstall['ssl_cert_locality'])."/O=".escapeshellcmd($autoinstall['ssl_cert_organisation'])."/OU=".escapeshellcmd($autoinstall['ssl_cert_organisation_unit'])."/CN=".escapeshellcmd($autoinstall['ssl_cert_common_name'])."' -key $ssl_key_file -out $ssl_csr_file"); |
| 2874 | + } else { |
| 2875 | + exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -out $ssl_csr_file"); |
| 2876 | + } |
| 2877 | + exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 3650"); |
| 2878 | + exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure"); |
| 2879 | + rename($ssl_key_file, $ssl_key_file.'.secure'); |
| 2880 | + rename($ssl_key_file.'.insecure', $ssl_key_file); |
2696 | 2881 | } |
2697 | | - exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 3650"); |
2698 | | - exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure"); |
2699 | | - rename($ssl_key_file, $ssl_key_file.'.secure'); |
2700 | | - rename($ssl_key_file.'.insecure', $ssl_key_file); |
2701 | 2882 |
|
2702 | | - exec('chown -R root:root /usr/local/ispconfig/interface/ssl'); |
| 2883 | + // Build ispserver.pem file and chmod it |
| 2884 | + exec("cat $ssl_key_file $ssl_crt_file > $ssl_pem_file; chmod 600 $ssl_pem_file"); |
| 2885 | + |
| 2886 | + // Extend LE SSL certs to postfix |
| 2887 | + if ($conf['postfix']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig LE SSL certs to postfix?', array('y', 'n'), 'y')) == 'y') { |
| 2888 | + |
| 2889 | + // Define folder, file(s) |
| 2890 | + $cf = $conf['postfix']; |
| 2891 | + $postfix_dir = $cf['config_dir']; |
| 2892 | + if(!is_dir($postfix_dir)) $this->error("The postfix configuration directory '$postfix_dir' does not exist."); |
| 2893 | + $smtpd_crt = $postfix_dir.'/smtpd.cert'; |
| 2894 | + $smtpd_key = $postfix_dir.'/smtpd.key'; |
| 2895 | + |
| 2896 | + // Backup existing postfix ssl files |
| 2897 | + if (file_exists($smtpd_crt)) rename($smtpd_crt, $smtpd_crt . '-' .$date->format('YmdHis') . '.bak'); |
| 2898 | + if (file_exists($smtpd_key)) rename($smtpd_key, $smtpd_key . '-' .$date->format('YmdHis') . '.bak'); |
| 2899 | + |
| 2900 | + // Create symlink to ISPConfig SSL files |
| 2901 | + symlink($ssl_crt_file, $smtpd_crt); |
| 2902 | + symlink($ssl_key_file, $smtpd_key); |
| 2903 | + } |
| 2904 | + |
| 2905 | + // Extend LE SSL certs to pureftpd |
| 2906 | + if ($conf['pureftpd']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig LE SSL certs to pureftpd? Creating dhparam file takes some times.', array('y', 'n'), 'y')) == 'y') { |
| 2907 | + |
| 2908 | + // Define folder, file(s) |
| 2909 | + $pureftpd_dir = '/etc/ssl/private'; |
| 2910 | + if(!is_dir($pureftpd_dir)) mkdir($pureftpd_dir, 0755, true); |
| 2911 | + $pureftpd_pem = $pureftpd_dir.'/pure-ftpd.pem'; |
| 2912 | + |
| 2913 | + // Backup existing pureftpd ssl files |
| 2914 | + if (file_exists($pureftpd_pem)) rename($pureftpd_pem, $pureftpd_pem . '-' .$date->format('YmdHis') . '.bak'); |
| 2915 | + |
| 2916 | + // Create symlink to ISPConfig SSL files |
| 2917 | + symlink($ssl_pem_file, $pureftpd_pem); |
| 2918 | + if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem")) |
| 2919 | + exec("cd $pureftpd_dir; openssl dhparam -out dhparam2048.pem 2048; ln -sf dhparam2048.pem pure-ftpd-dhparams.pem"); |
| 2920 | + } |
| 2921 | + |
| 2922 | + exec("chown -R root:root $ssl_dir"); |
2703 | 2923 |
|
2704 | 2924 | } |
2705 | 2925 |
|
@@ -3122,6 +3342,20 @@ public function install_ispconfig() { |
3122 | 3342 | if(!is_link('/usr/local/bin/ispconfig_update_from_dev.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update_from_dev.sh'); |
3123 | 3343 | if(!is_link('/usr/local/bin/ispconfig_update.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update.sh'); |
3124 | 3344 |
|
| 3345 | + // Make executable then unlink and symlink letsencrypt pre, post and renew hook scripts |
| 3346 | + chown($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 'root'); |
| 3347 | + chown($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 'root'); |
| 3348 | + chown($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 'root'); |
| 3349 | + chmod($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 0700); |
| 3350 | + chmod($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 0700); |
| 3351 | + chmod($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 0700); |
| 3352 | + if(is_link('/usr/local/bin/letsencrypt_pre_hook.sh')) unlink('/usr/local/bin/letsencrypt_pre_hook.sh'); |
| 3353 | + if(is_link('/usr/local/bin/letsencrypt_post_hook.sh')) unlink('/usr/local/bin/letsencrypt_post_hook.sh'); |
| 3354 | + if(is_link('/usr/local/bin/letsencrypt_renew_hook.sh')) unlink('/usr/local/bin/letsencrypt_renew_hook.sh'); |
| 3355 | + symlink($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); |
| 3356 | + symlink($install_dir.'/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); |
| 3357 | + symlink($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); |
| 3358 | + |
3125 | 3359 | //* Make the logs readable for the ispconfig user |
3126 | 3360 | if(@is_file('/var/log/mail.log')) exec('chmod +r /var/log/mail.log'); |
3127 | 3361 | if(@is_file('/var/log/mail.warn')) exec('chmod +r /var/log/mail.warn'); |
@@ -3462,5 +3696,3 @@ protected function insert_db_credentials($tContents) { |
3462 | 3696 | } |
3463 | 3697 |
|
3464 | 3698 | } |
3465 | | - |
3466 | | -?> |
|
0 commit comments