set umask before calling acme.sh

jnorell · jnorell · commit 83246e6892f2 · 2021-01-29T10:02:25.000-07:00
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
@@ -3023,6 +3023,9 @@ public function make_ispconfig_ssl_cert() {
 
 				swriteln('acme.sh is installed, overriding certificate path to use ' . $acme_cert_dir);
 
+				# acme.sh does not set umask, resulting in incorrect permissions (ispconfig issue #6015)
+				$old_umask = umask(0022);
+
 				$out = null;
 				$ret = null;
 				if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
@@ -3044,6 +3047,7 @@ public function make_ispconfig_ssl_cert() {
 					$acme_chain = "--fullchain-file " . escapeshellarg($ssl_crt_file);
 					exec("$acme --install-cert -d " . escapeshellarg($hostname) . " $acme_key $acme_chain");
 					$issued_successfully = true;
+					umask($old_umask);
 
 					// Make temporary backup of self-signed certs permanent
 					if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
@@ -3056,6 +3060,8 @@ public function make_ispconfig_ssl_cert() {
 				} else {
 					swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');
 
+					umask($old_umask);
+
 					// Restore temporary backup of self-signed certs
 					if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
 						rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
diff --git a/server/lib/classes/letsencrypt.inc.php b/server/lib/classes/letsencrypt.inc.php
@@ -399,11 +399,13 @@ public function request_certificates($data, $server_type = 'apache') {
 		$this->certbot_use_certcommand = false;
 		$letsencrypt_cmd = '';
 		$allow_return_codes = null;
+		$old_umask = umask(0022);  # work around acme.sh permission bug, see #6015
 		if($use_acme) {
 			$letsencrypt_cmd = $this->get_acme_command($temp_domains, $key_file, $bundle_file, $crt_file, $server_type);
 			$allow_return_codes = array(2);
 		} else {
 			$letsencrypt_cmd = $this->get_certbot_command($temp_domains);
+			umask($old_umask);
 		}
 
 		$success = false;
@@ -420,6 +422,7 @@ public function request_certificates($data, $server_type = 'apache') {
 		}
 
 		if($use_acme === true) {
+			umask($old_umask);
 			if(!$success) {
 				$app->log('Let\'s Encrypt SSL Cert for: ' . $domain . ' could not be issued.', LOGLEVEL_WARN);
 				$app->log($letsencrypt_cmd, LOGLEVEL_WARN);
