|
30 | 30 |
|
31 | 31 | class letsencrypt { |
32 | 32 |
|
33 | | - /** |
| 33 | + /** |
34 | 34 | * Construct for this class |
35 | 35 | * |
36 | 36 | * @return system |
@@ -373,13 +373,38 @@ public function request_certificates($data, $server_type = 'apache') { |
373 | 373 | if((isset($web_config['skip_le_check']) && $web_config['skip_le_check'] == 'y') || (isset($server_config['migration_mode']) && $server_config['migration_mode'] == 'y')) { |
374 | 374 | $le_domains[] = $temp_domain; |
375 | 375 | } else { |
376 | | - $le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file)); |
377 | | - if($le_hash_check == $le_rnd_hash) { |
378 | | - $le_domains[] = $temp_domain; |
379 | | - $app->log("Verified domain " . $temp_domain . " should be reachable for letsencrypt.", LOGLEVEL_DEBUG); |
| 376 | + //check caa-record |
| 377 | + $caa_check = false; |
| 378 | + $caa_domain = $temp_domain; |
| 379 | + $count = substr_count($caa_domain, '.'); |
| 380 | + if($count === 2) { |
| 381 | + if(strlen(explode('.', $caa_domain)[1]) > 3) { |
| 382 | + $caa_domain = explode('.', $caa_domain, 2)[1]; |
| 383 | + } |
| 384 | + } else if($count > 2) { |
| 385 | + $caa_domain = get_domain(explode('.', $caa_domain, 2)[1]); |
| 386 | + } |
| 387 | + $caa_records = @dns_get_record($caa_domain, DNS_CAA); // requieres PHP 7.0.16, 7.1.2 |
| 388 | + if(is_array($caa_records) && !empty($caa_records)) { |
| 389 | + foreach ($records as $record) { |
| 390 | + if($record['value'] == 'letsencrypt.org') $caa_check = true; |
| 391 | + } |
| 392 | + } else { |
| 393 | + $caa_check = true; |
| 394 | + } |
| 395 | + |
| 396 | + if($caa_check === true) { |
| 397 | + $le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file)); |
| 398 | + if($le_hash_check == $le_rnd_hash) { |
| 399 | + $le_domains[] = $temp_domain; |
| 400 | + $app->log("Verified domain " . $temp_domain . " should be reachable for letsencrypt.", LOGLEVEL_DEBUG); |
| 401 | + } else { |
| 402 | + $app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN); |
| 403 | + } |
380 | 404 | } else { |
381 | | - $app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN); |
| 405 | + $app->log("Incomplete CAA-Records for " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN); |
382 | 406 | } |
| 407 | + |
383 | 408 | } |
384 | 409 | } |
385 | 410 | $temp_domains = $le_domains; |
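Review bot: The CAA loop at new line 389 iterates `$records`, which is never assigned in this block — the lookup result is stored in `$caa_records` on the line above — so whenever a domain actually has CAA records the foreach runs over an undefined variable, `$caa_check` stays false and the domain is dropped with the "Incomplete CAA-Records" warning; only domains with no CAA records at all can pass. The line should read `foreach ($caa_records as $record) {`. Matching on `$record['value']` alone also ignores the record's tag, so a CAA record that is not an issue/issuewild authorization (an iodef entry, for instance) would be treated as authorizing; checking `$record['tag']` against `issue`/`issuewild` before accepting the value would make the check agree with how the CA evaluates CAA. Deriving the lookup name from the number of dots (new lines 379–386) is a heuristic rather than the RFC 8659 walk up the parent chain, so a comment such as `// advisory pre-check only; the CA's own CAA evaluation is authoritative` would help the next maintainer. The enclosing request_certificates() starts and ends outside this hunk.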
|