
Commit 45c429e

author
Marius Burkard
committed
- adding domain check prior to requesting Letsencrypt cert, implements #4466
1 parent d0e3363 commit 45c429e

2 files changed

+44
-6
lines changed

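--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -1185,8 +1185,8 @@ function update($event_name, $data) {
 || $this->update_letsencrypt == true
 )) {
 // default values
-$temp_domains = array();
-$lddomain = $domain;
+$temp_domains = array($domain);
+$lddomain = '';
 $subdomains = null;
 $aliasdomains = null;
 $sub_prefixes = array();
@@ -1218,6 +1218,25 @@ function update($event_name, $data) {
 
 // prevent duplicate
 $temp_domains = array_unique($temp_domains);
+
+// check if domains are reachable to avoid letsencrypt verification errors
+$le_rnd_file = uniqid('le-') . '.txt';
+$le_rnd_hash = md5(uniqid('le-', true));
+file_put_contents('/usr/local/ispconfig/interface/acme/.well-known/acme-challenge/' . $le_rnd_file, $le_rnd_hash);
+
+$le_domains = array();
+foreach($temp_domains as $temp_domain) {
+$le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file));
+if($le_hash_check == $le_rnd_hash) {
+$le_domains[] = $temp_domain;
+$app->log("Verified domain " . $temp_domain . " should be reachable for letsencrypt.", LOGLEVEL_DEBUG);
+} else {
+$app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN);
+}
+}
+$temp_domains = $le_domains;
+unset($le_domains);
+@unlink('/usr/local/ispconfig/interface/acme/.well-known/acme-challenge/' . $le_rnd_file);
 
 // generate cli format
 foreach($temp_domains as $temp_domain) {
@@ -1243,7 +1262,7 @@ function update($event_name, $data) {
 $letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt'));
 $letsencrypt = reset($letsencrypt);
 if(is_executable($letsencrypt)) {
-$success = $this->_exec($letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain --domains $lddomain --webroot-path /usr/local/ispconfig/interface/acme");
+$success = $this->_exec($letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain $lddomain --webroot-path /usr/local/ispconfig/interface/acme");
 }
 if(!$success) {
 // error issuing cert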
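Review bot: The reachability probe in the second hunk calls `file_get_contents('http://' . $temp_domain . ...)` with no stream context, so each customer-controlled hostname is fetched with PHP's default socket timeout (typically 60s) and with `follow_location` enabled; a domain whose DNS points at a black-holed or slow host stalls this server-side plugin run for a minute per domain, and a redirect is followed wherever the customer's host sends it. Bound the probe with `$le_ctx = stream_context_create(array('http' => array('timeout' => 5, 'follow_location' => 0)));` and pass it as `file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file, false, $le_ctx)`. Separately, when no domain verifies, `$temp_domains = $le_domains;` leaves the list empty and the third hunk still runs certbot with an empty `$lddomain` (no `--domains` at all), where previously the primary `$domain` was always passed; a guard such as `if(empty($temp_domains)) { $app->log("No domain reachable for letsencrypt, skipping request.", LOGLEVEL_WARN); }` before the certbot call would make that failure explicit. Note also that the check resolves the name from the server itself, so split-horizon DNS or /etc/hosts entries can pass here while the ACME validator fails, which is presumably acceptable but worth a comment. The enclosing update() starts before and ends after these hunks.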

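--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -1254,8 +1254,8 @@ function update($event_name, $data) {
 || $this->update_letsencrypt == true
 )) {
 // default values
-$temp_domains = array();
-$lddomain = $domain;
+$temp_domains = array($domain);
+$lddomain = '';
 $subdomains = null;
 $aliasdomains = null;
 $sub_prefixes = array();
@@ -1292,6 +1292,25 @@ function update($event_name, $data) {
 // prevent duplicate
 $temp_domains = array_unique($temp_domains);
 
+// check if domains are reachable to avoid letsencrypt verification errors
+$le_rnd_file = uniqid('le-') . '.txt';
+$le_rnd_hash = md5(uniqid('le-', true));
+file_put_contents('/usr/local/ispconfig/interface/acme/.well-known/acme-challenge/' . $le_rnd_file, $le_rnd_hash);
+
+$le_domains = array();
+foreach($temp_domains as $temp_domain) {
+$le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file));
+if($le_hash_check == $le_rnd_hash) {
+$le_domains[] = $temp_domain;
+$app->log("Verified domain " . $temp_domain . " should be reachable for letsencrypt.", LOGLEVEL_DEBUG);
+} else {
+$app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN);
+}
+}
+$temp_domains = $le_domains;
+unset($le_domains);
+@unlink('/usr/local/ispconfig/interface/acme/.well-known/acme-challenge/' . $le_rnd_file);
+
 // generate cli format
 foreach($temp_domains as $temp_domain) {
 $lddomain .= (string) " --domains " . $temp_domain;
@@ -1317,7 +1336,7 @@ function update($event_name, $data) {
 $letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt'));
 $letsencrypt = reset($letsencrypt);
 if(is_executable($letsencrypt)) {
-$success = $this->_exec($letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain --domains $lddomain --webroot-path /usr/local/ispconfig/interface/acme");
+$success = $this->_exec($letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain $lddomain --webroot-path /usr/local/ispconfig/interface/acme");
 }
 if(!$success) {
 // error issuing cert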
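Review bot: The return value of `file_put_contents(...acme-challenge/' . $le_rnd_file, $le_rnd_hash)` in the second hunk is never checked, so if the webroot directory is missing or not writable the token is never served, every domain fails the comparison, and all of them are silently dropped from the request with only per-domain "Could not verify" warnings that point at the wrong cause. Check it explicitly, e.g. `if(file_put_contents(...) === false) { $app->log("Could not write letsencrypt probe file, skipping reachability check.", LOGLEVEL_WARN); }` and fall back to the unfiltered list in that case. The hash comparison `$le_hash_check == $le_rnd_hash` should also be `===` — both sides are strings and loose comparison of hex digests is a known PHP footgun when both happen to look numeric. This 19-line probe is byte-identical to the one added to apache2_plugin.inc.php in the same commit; a shared helper would keep the two from drifting. The enclosing update() starts before and ends after these hunks.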
