Merge branch '5743-improve-ssl-error-messages-on-install-update' into 'develop'

Till Brehm · Till Brehm · commit 5f31eb1e9096 · 2020-09-18T12:54:22.000+02:00
Resolve "Improve SSL error messages on install / update"

Closes #5743

See merge request ispconfig/ispconfig3!1181
diff --git a/install/install.php b/install/install.php
@@ -574,6 +574,8 @@
 if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
     if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
         $inst->make_ispconfig_ssl_cert();
+} else {
+	swriteln('Certificate exists. Not creating a new one.');
 }
 
 if($conf['services']['web'] == true) {
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
@@ -2822,6 +2822,8 @@ public function make_ispconfig_ssl_cert() {
 
 		// Request for certs if no LE SSL folder for server fqdn exist
 
+		swriteln('Checking / creating certificate for ' . $hostname);
+
 		$acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
 		$check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
 		if(!@is_dir($acme_cert_dir)) {
@@ -2832,6 +2834,13 @@ public function make_ispconfig_ssl_cert() {
 				$check_acme_file = $acme_cert_dir . '/cert.pem';
 			}
 		}
+
+		swriteln('Using certificate path ' . $acme_cert_dir);
+		if(!(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
+			swriteln('Server\'s public ip(s) (' . $svr_ip4 . ($svr_ip6 ? ', ' . $svr_ip6 : '') . ') not found in A/AAAA records for ' . $hostname . ': ' . implode(', ', $dns_ips));
+		}
+
+
 		if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && (($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
 
 			// This script is needed earlier to check and open http port 80 or standalone might fail
@@ -2881,8 +2890,10 @@ public function make_ispconfig_ssl_cert() {
 
 			// first of all create the acme vhosts if not existing
 			if($conf['nginx']['installed'] == true) {
+				swriteln('Using nginx for certificate validation');
 				$this->make_acme_vhost($hostname, 'nginx');
 			} elseif($conf['apache']['installed'] == true) {
+				swriteln('Using apache for certificate validation');
 				if($this->is_update == false && @is_link($vhost_conf_enabled_dir.'/000-ispconfig.conf')) {
 					$restore_conf_symlink = true;
 					unlink($vhost_conf_enabled_dir.'/000-ispconfig.conf');
@@ -2909,6 +2920,7 @@ public function make_ispconfig_ssl_cert() {
 				if($ret == 0 || ($ret == 2 && file_exists($check_acme_file))) {
 					// acme.sh returns with 2 on issue for already existing certificate
 
+
 					// Backup existing ispserver ssl files
 					if(file_exists($ssl_crt_file) || is_link($ssl_crt_file)) {
 						rename($ssl_crt_file, $ssl_crt_file . '-' . $date->format('YmdHis') . '.bak');
@@ -2926,6 +2938,8 @@ public function make_ispconfig_ssl_cert() {
 					$acme_chain = "--fullchain-file " . escapeshellarg($ssl_crt_file);
 					exec("$acme --install-cert -d $hostname $acme_key $acme_chain");
 					$issued_successfully = true;
+				} else {
+					swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');
 				}
 			// Else, we attempt to use the official LE certbot client certbot
 			} else {
@@ -2969,7 +2983,11 @@ public function make_ispconfig_ssl_cert() {
 						}
 
 						$issued_successfully = true;
+					} else {
+						swriteln('Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt');
 					}
+				} else {
+					swriteln('Did not find any valid acme client (acme.sh or certbot)');
 				}
 			}
 
@@ -2985,6 +3003,12 @@ public function make_ispconfig_ssl_cert() {
 
 		// If the LE SSL certs for this hostname exists
 		if(!is_dir($acme_cert_dir) || !file_exists($check_acme_file) || !$issued_successfully) {
+			if(!$issued_successfully) {
+				swriteln('Could not issue letsencrypt certificate, falling back to self-signed.');
+			} else {
+				swriteln('Issuing certificate seems to have succeeded but ' . $check_acme_file . ' seems to be missing. Falling back to self-signed.');
+			}
+
 			// We can still use the old self-signed method
 			$ssl_pw = substr(md5(mt_rand()), 0, 6);
 			exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096");
diff --git a/install/update.php b/install/update.php
@@ -30,30 +30,30 @@
 
 /*
 	ISPConfig 3 updater.
-	
+
 	-------------------------------------------------------------------------------------
 	- Interactive update
 	-------------------------------------------------------------------------------------
 	run:
-	
+
 	php update.php
-	
+
 	-------------------------------------------------------------------------------------
 	- Noninteractive (autoupdate) mode
 	-------------------------------------------------------------------------------------
-	
+
 	The autoupdate mode can read the updater questions from a .ini style file or from
-	a php config file. Examples for both file types are in the docs folder. 
+	a php config file. Examples for both file types are in the docs folder.
 	See autoinstall.ini.sample and autoinstall.conf_sample.php.
-	
+
 	run:
-	
+
 	php update.php --autoinstall=autoinstall.ini
-	
+
 	or
-	
+
 	php update.php --autoinstall=autoinstall.conf.php
-	
+
 */
 
 error_reporting(E_ALL|E_STRICT);
@@ -263,7 +263,7 @@
 	do {
 		$tmp_mysql_server_host = $inst->free_query('MySQL master server hostname', $conf['mysql']['master_host'],'mysql_master_hostname');
 		$tmp_mysql_server_port = $inst->free_query('MySQL master server port', $conf['mysql']['master_port'],'mysql_master_port');
-		$tmp_mysql_server_admin_user = $inst->free_query('MySQL master server root username', $conf['mysql']['master_admin_user'],'mysql_master_root_user');	 
+		$tmp_mysql_server_admin_user = $inst->free_query('MySQL master server root username', $conf['mysql']['master_admin_user'],'mysql_master_root_user');
 		$tmp_mysql_server_admin_password = $inst->free_query('MySQL master server root password', $conf['mysql']['master_admin_password'],'mysql_master_root_password');
 		$tmp_mysql_server_database = $inst->free_query('MySQL master server database name', $conf['mysql']['master_database'],'mysql_master_database');
 
@@ -474,7 +474,7 @@
 				$inst->configure_apps_vhost();
 			} else swriteln('Skipping config of Apps vhost');
 		}
-	
+
 		//* Configure Jailkit
 		if($inst->reconfigure_app('Jailkit', $reconfigure_services_answer)) {
 			swriteln('Configuring Jailkit');
@@ -540,6 +540,8 @@
 if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
     if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
         $inst->make_ispconfig_ssl_cert();
+} else {
+	swriteln('Certificate exists. Not creating a new one.');
 }
 
 $inst->install_ispconfig();

Original file line number	Diff line number	Diff line change
`@@ -574,6 +574,8 @@`
`574`	`574`	`if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {`
`575`	`575`	`if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')`
`576`	`576`	`$inst->make_ispconfig_ssl_cert();`
	`577`	`+} else {`
	`578`	`+ swriteln('Certificate exists. Not creating a new one.');`
`577`	`579`	`}`
`578`	`580`
`579`	`581`	`if($conf['services']['web'] == true) {`