feat: add automatic garbage collection for Let's Encrypt certificates.

When enabled (enabled by default for new installs) ISPConfig will automatically remove certbot/acme.sh issued certificates that do not get used anymore.

You can specify a list of domains that should never be automatically deleted. If you use certbot/acme.sh on your server outside ISPConfig you should list all these domains in the denylist otherwise ISPConfig will automatically remove the certificates.

Fixes #5226

Author: d--j

install/tpl/server.ini.master

@@ -142,6 +142,8 @@ vhost_proxy_protocol_enabled=n
 vhost_proxy_protocol_protocols=ipv4
 vhost_proxy_protocol_http_port=880
 vhost_proxy_protocol_https_port=8443
+le_auto_cleanup=y
+le_auto_cleanup_denylist=[server_name]
 
 [dns]
 bind_user=root

interface/web/admin/form/server_config.tform.php

@@ -574,15 +574,6 @@
 			'default' => '2048',
 			'value' => array('1024' => 'weak (1024)', '2048' => 'normal (2048)', '4096' => 'strong (4096)')
 		),
-        'relayhost_password' => array(
-            'datatype' => 'VARCHAR',
-            'formtype' => 'TEXT',
-            'default' => '',
-            'value' => '',
-            'width' => '40',
-            'maxlength' => '255'
-        ),
-
 		'pop3_imap_daemon' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'SELECT',
@@ -1642,6 +1633,20 @@
 			'width' => '40',
 			'maxlength' => '255'
 		),
+		'le_auto_cleanup' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'CHECKBOX',
+			'default' => 'y',
+			'value' => array(0 => 'n', 1 => 'y')
+		),
+		'le_auto_cleanup_denylist' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'TEXT',
+			'default' => '[server_name]',
+			'value' => '',
+			'width' => '40',
+			'maxlength' => '255'
+		),
 		//#################################
 		// END Datatable fields
 		//#################################

interface/web/admin/lib/lang/en_server_config.lng

@@ -370,3 +370,6 @@ $wb['sysbackup_copies_txt'] = 'Number of ISPConfig backups';
 $wb['sysbackup_copies_error_empty'] = 'Number of ISPConfig backups must not be empty';
 $wb['sysbackup_copies_error_regex'] = 'Number of ISPConfig backups must be a number between 1 and 3';
 $wb['sysbackup_copies_note_txt'] = '(0 = off)';
+$wb['le_auto_cleanup_txt'] = 'Automatically purge unused Let\'s Encrypt certificates';
+$wb['le_auto_cleanup_denylist_txt'] = 'Comma seperated list of domains that should never be purged.';
+$wb['le_auto_cleanup_denylist_note_txt'] = 'Placeholders:';

interface/web/admin/templates/server_config_web_edit.htm

@@ -248,6 +248,17 @@ <h4 class="panel-title">
 					<label class="col-sm-3 control-label"><tmpl_var name="skip_le_check_txt"></label>
 					<div class="col-sm-9"><tmpl_var name="skip_le_check"></div>
 				</div>
+                <div class="form-group">
+                    <label class="col-sm-3 control-label"><tmpl_var name="le_auto_cleanup_txt"></label>
+                    <div class="col-sm-9"><tmpl_var name="le_auto_cleanup"></div>
+                </div>
+                <div class="form-group">
+                    <label for="le_auto_cleanup_denylist" class="col-sm-3 control-label">{tmpl_var name='le_auto_cleanup_denylist_txt'}</label>
+                    <div class="col-sm-9">
+                        <input type="text" name="CA_path" id="le_auto_cleanup_denylist" value="{tmpl_var name='le_auto_cleanup_denylist'}" class="form-control" />
+                        <br>{tmpl_var name='le_auto_cleanup_denylist_note_txt'} <a href="javascript:void(0);" class="addPlaceholder">[server_name]</a>
+                    </div>
+                </div>
 	  <!-- End content -->
 	  </div>
 	</div>

server/cli/modules/letsencrypt.inc.php

@@ -0,0 +1,95 @@
+<?php
+
+/*
+Copyright (c) 2024, Daniel Jagszent
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class letsencrypt_cli extends cli
+{
+
+	function __construct()
+	{
+		$cmd_opt                                = [];
+		$cmd_opt['letsencrypt']                 = 'showHelp';
+		$cmd_opt['letsencrypt:list']            = 'list';
+		$cmd_opt['letsencrypt:cleanup-expired'] = 'cleanupExpired';
+		$this->addCmdOpt($cmd_opt);
+	}
+
+	public function list($arg)
+	{
+		global $app;
+		$app->uses('letsencrypt');
+		$certificates = $app->letsencrypt->get_certificate_list();
+		foreach ($certificates as $certificate) {
+			print_r($certificate);
+		}
+	}
+
+	public function cleanupExpired($arg)
+	{
+		global $app;
+		$app->uses('letsencrypt');
+		$removals     = 0;
+		$hasErrors    = false;
+		$certificates = $app->letsencrypt->get_certificate_list();
+		foreach ($certificates as $certificate) {
+			if (! $certificate['is_valid']) {
+				$this->swriteln("Removing ".join(', ', $certificate['domains'])." expired certificate...");
+				if ($app->letsencrypt->remove_certificate($certificate)) {
+					$removals += 1;
+				} else {
+					$this->swriteln("Could not remove ".print_r($certificate, true));
+					$hasErrors = true;
+				}
+			}
+		}
+		if ($removals) {
+			$this->swriteln("Removed $removals expired certificates");
+		} else {
+			$this->swriteln("No certificates were removed");
+		}
+		if ($hasErrors) {
+			exit(1);
+		}
+	}
+
+	public function showHelp($arg)
+	{
+		global $conf;
+
+		$this->swriteln("---------------------------------");
+		$this->swriteln("- Available commandline option -");
+		$this->swriteln("---------------------------------");
+		$this->swriteln("ispc letsencrypt list - lists all known certificates");
+		$this->swriteln("ispc letsencrypt cleanup-expired - Cleanup all expired certificates.");
+		$this->swriteln("---------------------------------");
+		$this->swriteln();
+	}
+
+}
+

server/lib/classes/cron.d/800-letsencrypt_cleanup.inc.php

@@ -0,0 +1,142 @@
+<?php
+
+/*
+Copyright (c) 2024, Daniel Jagszent
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class cronjob_letsencrypt_cleanup extends cronjob
+{
+
+	// job schedule
+	protected $_schedule = '@weekly';
+
+	private $denylist = [];
+
+	protected function onBeforeRun()
+	{
+		global $app, $conf;
+		$app->uses('letsencrypt,ini_parser,getconf');
+
+		$server_db_record = $app->db->queryOneRecord("SELECT * FROM server WHERE server_id = ?", $conf['server_id']);
+		if (! $server_db_record || ! $server_db_record['web_server']) {
+			if ($conf['log_priority'] <= LOGLEVEL_DEBUG) {
+				print 'Webserver not active, not running Let\'s Encrypt cleanup.'."\n";
+			}
+
+			return false;
+		}
+
+		$server_config = $app->getconf->get_server_config($conf['server_id'], 'server');
+		if (($server_config['migration_mode'] ?? 'n') != 'y') {
+			if ($conf['log_priority'] <= LOGLEVEL_DEBUG) {
+				print 'Migration mode active, not running Let\'s Encrypt cleanup.'."\n";
+			}
+
+			return false;
+		}
+
+		if (! $app->letsencrypt->get_acme_script() && ! $app->letsencrypt->get_certbot_script()) {
+			if ($conf['log_priority'] <= LOGLEVEL_DEBUG) {
+				print 'No Let\'s Encrypt client found, not running Let\'s Encrypt cleanup.'."\n";
+			}
+
+			return false;
+		}
+
+		$web_config      = $app->getconf->get_server_config($conf['server_id'], 'web');
+		$le_auto_cleanup = $web_config['le_auto_cleanup'] ?? 'n';
+		if ($le_auto_cleanup == 'n') {
+			return false;
+		}
+		$this->denylist = array_filter(array_map(function ($domain) use ($server_db_record) {
+			$domain = trim($domain);
+			if ($domain == '[server_name]') {
+				return $server_db_record['server_name'];
+			}
+
+			return $domain;
+		}, explode(',', $web_config['le_auto_cleanup_denylist'] ?? '')));
+
+		return parent::onBeforeRun();
+	}
+
+
+	public function onRunJob()
+	{
+		global $app, $conf;
+		$used_serials       = [];
+		$active_ssl_records = $app->db->queryAllRecords(
+			"SELECT * FROM web_domain WHERE active = 'y' AND ssl_letsencrypt = 'y' AND `ssl` = 'y' AND document_root IS NOT NULL AND server_id = ?",
+			$conf['server_id']
+		);
+		foreach ($active_ssl_records as $active_ssl_record) {
+			$cert_paths = $app->letsencrypt->get_website_certificate_paths(['new' => $active_ssl_record]);
+			if (is_readable($cert_paths['crt'])) {
+				$info = $app->letsencrypt->extract_x509($cert_paths['crt']);
+				if ($info) {
+					$used_serials[] = $info['serialNumber'];
+					if ($conf['log_priority'] <= LOGLEVEL_DEBUG) {
+						print 'mark serial number '.$info['serialNumber'].' as used from '.$cert_paths['crt']."\n";
+					}
+				} else {
+					if ($conf['log_priority'] <= LOGLEVEL_DEBUG) {
+						print 'cannot extract x509 information from '.$cert_paths['crt']."\n";
+					}
+				}
+			} else {
+				if ($conf['log_priority'] <= LOGLEVEL_DEBUG) {
+					print $cert_paths['crt'].' is not readable'."\n";
+				}
+			}
+		}
+
+		$certificates = $app->letsencrypt->get_certificate_list();
+		foreach ($certificates as $certificate) {
+			if (in_array($certificate['serialNumber'], $used_serials)) {
+				if ($conf['log_priority'] <= LOGLEVEL_DEBUG) {
+					print 'Skip '.$certificate['id'] . ' because it still gets used by ISPConfig' . "\n";
+				}
+				continue;
+			}
+			foreach ($this->denylist as $domain) {
+				if (in_array($domain, $certificate['domains'])) {
+					if ($conf['log_priority'] <= LOGLEVEL_DEBUG) {
+						print 'Skip '.$certificate['id'] . ' because it is on denylist' . "\n";
+					}
+					continue 2;
+				}
+			}
+			if ($app->letsencrypt->remove_certificate($certificate)) {
+				print 'Removed unused certificate '.$certificate['id']."\n";
+			} else {
+				print 'Error removing certificate '.$certificate['id']."\n";
+			}
+		}
+
+		parent::onRunJob();
+	}
+}