Merge branch 'develop' of git.ispconfig.org:ispconfig/ispconfig3 into develop

Author: Till Brehm

install/install.php

@@ -536,7 +536,16 @@
 	$inst->configure_fail2ban();
 }
 
+// create acme vhost
+if($conf['nginx']['installed'] == true) {
+	$inst->make_acme_vhost('nginx'); // we need this config file but we don't want nginx to be restarted at this point
+}
+if($conf['apache']['installed'] == true) {
+	$inst->make_acme_vhost('apache'); // we need this config file but we don't want apache to be restarted at this point
+}
+
 //** Configure ISPConfig :-)
+$issue_tried = false;
 $install_ispconfig_interface_default = ($conf['mysql']['master_slave_setup'] == 'y')?'n':'y';
 if($install_mode == 'standard' || strtolower($inst->simple_query('Install ISPConfig Web Interface', array('y', 'n'), $install_ispconfig_interface_default,'install_ispconfig_web_interface')) == 'y') {
 	swriteln('Installing ISPConfig');
@@ -563,6 +572,7 @@
 
 	if(strtolower($inst->simple_query('Do you want a secure (SSL) connection to the ISPConfig web interface', array('y', 'n'), 'y','ispconfig_use_ssl')) == 'y') {
 		$inst->make_ispconfig_ssl_cert();
+		$issue_tried = true;
 	}
 	$inst->install_ispconfig_interface = true;
 
@@ -572,8 +582,9 @@
 
 // Create SSL certs for non-webserver(s)?
 if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
-    if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
+    if(!$issue_tried && strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y') {
         $inst->make_ispconfig_ssl_cert();
+	}
 } else {
 	swriteln('Certificate exists. Not creating a new one.');
 }

install/lib/installer_base.lib.php

@@ -1169,6 +1169,9 @@ public function configure_postfix($options = '') {
 		    $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content)));
 		}
 
+		// Remove comment lines, these would give fatal errors when passed to postconf.
+		$postconf_commands = array_filter($postconf_commands, function($line) { return preg_match('/^[^#]/', $line); });
+
 		//* These postconf commands will be executed on installation only
 		if($this->is_update == false) {
 			$postconf_commands = array_merge($postconf_commands, array(
@@ -2550,7 +2553,7 @@ public function configure_apps_vhost() {
 			}
 
 			// comment out the listen directive if port is 80 or 443
-			if($conf['web']['apps_vhost_ip'] == 80 or $conf['web']['apps_vhost_ip'] == 443) {
+			if($conf['web']['apps_vhost_port'] == 80 or $conf['web']['apps_vhost_port'] == 443) {
 				$tpl->setVar('vhost_port_listen','#');
 			} else {
 				$tpl->setVar('vhost_port_listen','');
@@ -2718,9 +2721,15 @@ private function curl_request($url, $use_ipv6 = false) {
 		return $response;
 	}
 
-	private function make_acme_vhost($server_name, $server = 'apache') {
+	public function make_acme_vhost($server = 'apache') {
 		global $conf;
 
+		if($conf['hostname'] !== 'localhost' && $conf['hostname'] !== '') {
+			$server_name = $conf['hostname'];
+		} else {
+			$server_name = exec('hostname -f');
+		}
+
 		$use_template = 'apache_acme.conf.master';
 		$use_symlink = '999-acme.conf';
 		$use_name = 'acme.conf';
@@ -2756,14 +2765,6 @@ private function make_acme_vhost($server_name, $server = 'apache') {
 		if(!@is_link($vhost_conf_enabled_dir.'' . $use_symlink)) {
 			symlink($vhost_conf_dir.'/' . $use_name, $vhost_conf_enabled_dir.'/' . $use_symlink);
 		}
-
-		if($conf[$server]['installed'] == true && $conf[$server]['init_script'] != '') {
-			if($this->is_update) {
-				system($this->getinitcommand($conf[$server]['init_script'], 'force-reload').' &> /dev/null || ' . $this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
-			} else {
-				system($this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
-			}
-		}
 	}
 
 	public function make_ispconfig_ssl_cert() {
@@ -2834,12 +2835,18 @@ public function make_ispconfig_ssl_cert() {
 		}
 
 		swriteln('Using certificate path ' . $acme_cert_dir);
+		$ip_address_match = false;
 		if(!(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
 			swriteln('Server\'s public ip(s) (' . $svr_ip4 . ($svr_ip6 ? ', ' . $svr_ip6 : '') . ') not found in A/AAAA records for ' . $hostname . ': ' . implode(', ', $dns_ips));
+			if(strtolower($inst->simple_query('Ignore DNS check and continue to request certificate?', array('y', 'n') , 'n','ignore_hostname_dns')) == 'y') {
+				$ip_address_match = true;
+			}
+		} else {
+			$ip_address_match = true;
 		}
 
 
-		if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && (($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
+		if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {
 
 			// This script is needed earlier to check and open http port 80 or standalone might fail
 			// Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install
@@ -2889,15 +2896,22 @@ public function make_ispconfig_ssl_cert() {
 			// first of all create the acme vhosts if not existing
 			if($conf['nginx']['installed'] == true) {
 				swriteln('Using nginx for certificate validation');
-				$this->make_acme_vhost($hostname, 'nginx');
+				$server = 'nginx';
 			} elseif($conf['apache']['installed'] == true) {
 				swriteln('Using apache for certificate validation');
 				if($this->is_update == false && @is_link($vhost_conf_enabled_dir.'/000-ispconfig.conf')) {
 					$restore_conf_symlink = true;
 					unlink($vhost_conf_enabled_dir.'/000-ispconfig.conf');
 				}
+				$server = 'apache';
+			}
 
-				$this->make_acme_vhost($hostname, 'apache');
+			if($conf[$server]['installed'] == true && $conf[$server]['init_script'] != '') {
+				if($this->is_update) {
+					system($this->getinitcommand($conf[$server]['init_script'], 'force-reload').' &> /dev/null || ' . $this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
+				} else {
+					system($this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
+				}
 			}
 
 			$issued_successfully = false;
@@ -2930,6 +2944,8 @@ public function make_ispconfig_ssl_cert() {
 						rename($ssl_pem_file, $ssl_pem_file . '-' . $date->format('YmdHis') . '.bak');
 					}
 
+					$check_acme_file = $ssl_crt_file;
+
 					// Define LE certs name and path, then install them
 					//$acme_cert = "--cert-file $acme_cert_dir/cert.pem";
 					$acme_key = "--key-file " . escapeshellarg($ssl_key_file);
@@ -2994,9 +3010,11 @@ public function make_ispconfig_ssl_cert() {
 					symlink($vhost_conf_dir.'/ispconfig.conf', $vhost_conf_enabled_dir.'/000-ispconfig.conf');
 				}
 			}
-		} elseif(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips))) {
-			// the directory already exists so we have to assume that it was created previously
-			$issued_successfully = true;
+		} else {
+			if($ip_address_match) {
+				// the directory already exists so we have to assume that it was created previously
+				$issued_successfully = true;
+			}
 		}
 
 		// If the LE SSL certs for this hostname exists

install/tpl/apache_acme.conf.master

@@ -1,11 +1,13 @@
-	Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
-
-	<Directory /usr/local/ispconfig/interface/acme>
-		AllowOverride None
+Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
+<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
 		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
 		Require all granted
 		<tmpl_else>
-		Order allow,deny
-		Allow from all
+        Order allow,deny
+        Allow from all
 		</tmpl_if>
-	</Directory>
+        <IfModule mpm_itk_module>
+           AssignUserId ispconfig ispconfig
+        </IfModule>
+</Directory>
+

install/tpl/apache_apps.vhost.master

@@ -122,3 +122,9 @@
 {/tmpl_if}
 
 </VirtualHost>
+
+<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
+<IfModule mod_ssl.c>
+  <tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000)
+</IfModule>
+</tmpl_if>

install/tpl/apache_ispconfig.conf.master

@@ -132,19 +132,6 @@ CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -s access.log -t \"%Y%m
 
 Alias /awstats-icon "/usr/share/awstats/icon"
 
-Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
-<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
-		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
-		Require all granted
-		<tmpl_else>
-        Order allow,deny
-        Allow from all
-		</tmpl_if>
-        <IfModule mpm_itk_module>
-           AssignUserId ispconfig ispconfig
-        </IfModule>
-</Directory>
-
 NameVirtualHost *:80
 NameVirtualHost *:443
 <tmpl_loop name="ip_adresses">

install/tpl/debian6_dovecot2.conf.master

@@ -11,7 +11,6 @@ ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 ssl_prefer_server_ciphers = no
-auth_verbose = yes
 mail_max_userip_connections = 100
 mail_plugins = quota
 passdb {

install/tpl/debian_dovecot2.conf.master

@@ -10,7 +10,6 @@ ssl_key = </etc/postfix/smtpd.key
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 ssl_prefer_server_ciphers = no
-auth_verbose = yes
 mail_max_userip_connections = 100
 mail_plugins = $mail_plugins quota
 passdb {

install/tpl/fedora_dovecot2.conf.master

@@ -9,7 +9,6 @@ ssl_key = </etc/postfix/smtpd.key
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 ssl_prefer_server_ciphers = no
-auth_verbose = yes
 mail_plugins = quota
 passdb {
   args = /etc/dovecot-sql.conf

install/tpl/mysql-virtual_mailboxes.cf.master

@@ -2,4 +2,4 @@ user = {mysql_server_ispconfig_user}
 password = {mysql_server_ispconfig_password}
 dbname = {mysql_server_database}
 hosts = {mysql_server_ip}
-query = select CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') from mail_user where login = '%s' and postfix = 'y' and disabledeliver = 'n' and server_id = {server_id}
+query = select CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') from mail_user where email = '%s' and postfix = 'y' and disabledeliver = 'n' and server_id = {server_id}

install/tpl/nginx_apps.vhost.master

@@ -1,5 +1,5 @@
 server {
-        listen {apps_vhost_port} {ssl_on};
+        listen {apps_vhost_ip}{apps_vhost_port} {ssl_on};
         listen [::]:{apps_vhost_port} {ssl_on} ipv6only=on;
 
         {ssl_comment}ssl_protocols TLSv1.2;
@@ -99,7 +99,7 @@ server {
                        fastcgi_param   REDIRECT_STATUS         200;
                        # To access phpMyAdmin, the default user (like www-data on Debian/Ubuntu) must be used
                        {use_tcp}fastcgi_pass 127.0.0.1:9000;
-                       {use_socket}fastcgi_pass unix:/var/run/php5-fpm.sock;
+                       {use_socket}fastcgi_pass unix:{fpm_socket};
                        fastcgi_index index.php;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        fastcgi_buffer_size 128k;
@@ -149,7 +149,7 @@ server {
                        fastcgi_param   REDIRECT_STATUS         200;
                        # To access SquirrelMail, the default user (like www-data on Debian/Ubuntu) must be used
                        {use_tcp}fastcgi_pass 127.0.0.1:9000;
-                       {use_socket}fastcgi_pass unix:/var/run/php5-fpm.sock;
+                       {use_socket}fastcgi_pass unix:{fpm_socket};
                        fastcgi_index index.php;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        fastcgi_buffer_size 128k;