LE: fix hooks (were broken for rpm-based OSes) & make them compatible with ECDSA certificates #6563

d--j · d--j · commit 9e9681e93a44 · 2025-03-06T14:19:18.000+01:00
diff --git a/server/scripts/letsencrypt_post_hook.sh b/server/scripts/letsencrypt_post_hook.sh
@@ -1,14 +1,7 @@
 #!/bin/bash
 
-### BEGIN INIT INFO
-# Provides: LETSENCRYPT POST HOOK SCRIPT
-# Required-Start:  $local_fs $network
-# Required-Stop:  $local_fs
-# Default-Start:  2 3 4 5
-# Default-Stop:  0 1 6
 # Short-Description: LETSENCRYPT POST HOOK SCRIPT
 # Description:  To force close http port 80 if it is by default closed, to be used by letsencrypt client standlone command
-### END INIT INFO
 
 ## If you need a custom hook file, create a file with the same name in
 ## /usr/local/ispconfig/server/conf-custom/scripts/
@@ -17,44 +10,35 @@
 ##
 ## Eg. you can override the ispc_letsencrypt_firewall_disable() function then 'return 124'
 ## to customize the firewall setup.
-if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh" ] ; then
-        . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh
-        ret=$?
-        if [ $ret != 124 ]; then exit $ret; fi
+if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh" ]; then
+  . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh
+  ret=$?
+  if [ $ret != 124 ]; then exit $ret; fi
 fi
 
 declare -F ispc_letsencrypt_firewall_disable &>/dev/null || ispc_letsencrypt_firewall_disable() {
-        # delete 'ispc-letsencrypt' chain
-        iptables -D INPUT -p tcp --dport 80 -j ispc-letsencrypt
-        iptables -F ispc-letsencrypt
-        iptables -X ispc-letsencrypt
+  # delete 'ispc-letsencrypt' chain
+  iptables -D INPUT -p tcp --dport 80 -j ispc-letsencrypt
+  iptables -F ispc-letsencrypt
+  iptables -X ispc-letsencrypt
 }
 
 ispc_letsencrypt_firewall_disable
 
-
 # For RHEL, Centos or derivatives
-if which yum &> /dev/null 2>&1 ; then
-    # Check if web server software is installed, start it if any
-    if [ rpm -q nginx ]; then service nginx start
-    elif [ rpm -q httpd ]; then service httpd start
-#    # If using firewalld
-#    elif [ rpm -q firewalld ] && [ `firewall-cmd --state` = running ]; then
-#        firewall-cmd --zone=public --permanent --remove-service=http
-#        firewall-cmd --reload
-#    # If using UFW
-#    elif [ rpm -q ufw ]; then ufw --force enable && ufw deny http
-    fi
+if which yum &>/dev/null 2>&1; then
+  # Check if web server software is installed, start it if any
+  if rpm -q nginx; then
+    service nginx start
+  elif rpm -q httpd; then
+    service httpd start
+  fi
 # For Debian, Ubuntu or derivatives
-elif apt-get -v >/dev/null 2>&1 ; then
-    # Check if web server software is installed, stop it if any
-    if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx start
-    elif [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 start
-#    # If using UFW
-#    elif [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then ufw --force enable && ufw deny http
-    fi
-## Try iptables as a final attempt
-#else
-#    iptables -D INPUT  -p tcp  --dport 80    -j ACCEPT
-#    service iptables save
+elif apt-get -v >/dev/null 2>&1; then
+  # Check if web server software is installed, stop it if any
+  if [ "$(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then
+    service nginx start
+  elif [ "$(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then
+    service apache2 start
+  fi
 fi
diff --git a/server/scripts/letsencrypt_pre_hook.sh b/server/scripts/letsencrypt_pre_hook.sh
@@ -1,14 +1,7 @@
 #!/bin/bash
 
-### BEGIN INIT INFO
-# Provides: LETSENCRYPT PRE HOOK SCRIPT
-# Required-Start:  $local_fs $network
-# Required-Stop:  $local_fs
-# Default-Start:  2 3 4 5
-# Default-Stop:  0 1 6
 # Short-Description: LETSENCRYPT PRE HOOK SCRIPT
 # Description:  To force open http port 80 to be used by letsencrypt client standlone command
-### END INIT INFO
 
 ## If you need a custom hook file, create a file with the same name in
 ## /usr/local/ispconfig/server/conf-custom/scripts/
@@ -17,45 +10,30 @@
 ##
 ## Eg. you can override the ispc_letsencrypt_firewall_enable() function then 'return 124'
 ## to customize the firewall setup.
-if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh" ] ; then
-	. /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh
-	ret=$?
-	if [ $ret != 124 ]; then exit $ret; fi
+if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh" ]; then
+  . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh
+  ret=$?
+  if [ $ret != 124 ]; then exit $ret; fi
 fi
 
 declare -F ispc_letsencrypt_firewall_enable &>/dev/null || ispc_letsencrypt_firewall_enable() {
-	# create 'ispc-letsencrypt' chain with ACCEPT policy and send port 80 there
-	iptables -N ispc-letsencrypt
-	iptables -I ispc-letsencrypt -p tcp --dport 80 -j ACCEPT
-	iptables -A ispc-letsencrypt -j RETURN
-	iptables -I INPUT -p tcp --dport 80 -j ispc-letsencrypt
+  # create 'ispc-letsencrypt' chain with ACCEPT policy and send port 80 there
+  iptables -N ispc-letsencrypt
+  iptables -I ispc-letsencrypt -p tcp --dport 80 -j ACCEPT
+  iptables -A ispc-letsencrypt -j RETURN
+  iptables -I INPUT -p tcp --dport 80 -j ispc-letsencrypt
 }
 
 ispc_letsencrypt_firewall_enable
 
 # For RHEL, Centos or derivatives
-if which yum &> /dev/null 2>&1 ; then
-    # Check if web server software is installed, stop it if any
-    if [ rpm -q nginx ]; then service nginx stop; fi
-    if [ rpm -q httpd ]; then service httpd stop; fi
-#    # If using firewalld
-#    if [ rpm -q firewalld ] && [ `firewall-cmd --state` = running ]; then
-#        firewall-cmd --zone=public --permanent --add-service=http
-#        firewall-cmd --reload
-#    fi
-#    # If using UFW
-#    if [ rpm -q ufw ]; then ufw --force enable && ufw allow http; fi
-
+if which yum &>/dev/null 2>&1; then
+  # Check if web server software is installed, stop it if any
+  if rpm -q nginx; then service nginx stop; fi
+  if rpm -q httpd; then service httpd stop; fi
 # For Debian, Ubuntu or derivatives
-elif apt-get -v >/dev/null 2>&1 ; then
-    # Check if web server software is installed, stop it if any
-    if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx stop; fi
-    if [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 stop; fi
-#    # If using UFW
-#    if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then ufw --force enable && ufw allow http; fi
-    
-## Try iptables as a final attempt
-#else
-#    iptables -I INPUT  -p tcp  --dport 80    -j ACCEPT
-#    service iptables save
+elif apt-get -v >/dev/null 2>&1; then
+  # Check if web server software is installed, stop it if any
+  if [ "$(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then service nginx stop; fi
+  if [ "$(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then service apache2 stop; fi
 fi
diff --git a/server/scripts/letsencrypt_renew_hook.sh b/server/scripts/letsencrypt_renew_hook.sh
@@ -1,59 +1,77 @@
 #!/bin/bash
 
-### BEGIN INIT INFO
-# Provides: LETSENCRYPT RENEW HOOK SCRIPT
-# Required-Start:  $local_fs $network
-# Required-Stop:  $local_fs
-# Default-Start:  2 3 4 5
-# Default-Stop:  0 1 6
 # Short-Description: LETSENCRYPT RENEW HOOK SCRIPT
 # Description:  Taken from LE4ISPC code. To be used to update ispserver.pem automatically after ISPConfig LE SSL certs are renewed and to reload / restart important ISPConfig server services
-### END INIT INFO
 
 ## If you need a custom hook file, create a file with the same name in
 ## /usr/local/ispconfig/server/conf-custom/scripts/
 ##
 ## End the file with 'return 124' to signal that this script should not terminate.
-if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ] ; then
-        . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh
-        ret=$?
-        if [ $ret != 124 ]; then exit $ret; fi
+if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ]; then
+  . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh
+  ret=$?
+  if [ $ret != 124 ]; then exit $ret; fi
 fi
 
 hostname=$(hostname -f)
-if [ -d "/usr/local/ispconfig/server/scripts/${hostname}" ] ; then
-	lelive="/usr/local/ispconfig/server/scripts/${hostname}" ;
-elif [ -d "/root/.acme.sh/${hostname}" ] ; then
-	lelive="/root/.acme.sh/${hostname}" ;
-else
-	lelive="/etc/letsencrypt/live/${hostname}" ;
+
+# If you want to manually execute letsencrypt_renew_hook.sh, call it with the SUCCESS environment variable set.
+# E.g. like this: "SUCCESS=1 letsencrypt_renew_hook.sh"
+# Then we assume that the certificate is there and do the post-processing.
+SUCCESS=${SUCCESS:-}
+
+# acme.sh defines/exports the environment variables
+# CERT_PATH, CERT_KEY_PATH, CA_CERT_PATH, CERT_FULLCHAIN_PATH and Le_Domain (main cert domain)
+# for all hooks
+if [ -f "$CERT_KEY_PATH" ] && [[ "${Le_Domain:-}" == "$hostname" ]]; then
+  SUCCESS=acme.sh
+  echo "$(/bin/date)" "Reconfigure and reload services after $hostname certificate issuing/renewal via acme.sh" >>/var/log/ispconfig/ispconfig.log
+# certbot defines/exports the environment variables
+# RENEWED_DOMAINS (all cert domains space separated) and RENEWED_LINEAGE (directory in /etc/letsencrypt/live)
+# for the renew/deploy hook
+elif [ -d "$RENEWED_LINEAGE" ] && [[ "$RENEWED_DOMAINS " == "$hostname "* ]]; then
+  SUCCESS=certbot
+  echo "$(/bin/date)" "Reconfigure and reload services after $hostname certificate issuing/renewal via certbot" >>/var/log/ispconfig/ispconfig.log
 fi
 
-if [ -d "$lelive" ]; then
-    cd /usr/local/ispconfig/interface/ssl; ibak=ispserver.*.bak; ipem=ispserver.pem; icrt=ispserver.crt; ikey=ispserver.key
-    if ls $ibak 1> /dev/null 2>&1; then rm $ibak; fi
-    if [ -e "$ipem" ]; then mv $ipem $ipem-$(date +"%y%m%d%H%M%S").bak; cat $ikey $icrt > $ipem; chmod 600 $ipem; fi
-    pureftpdpem=/etc/ssl/private/pure-ftpd.pem; if [ -e "$pureftpdpem" ]; then chmod 600 $pureftpdpem; fi
-    # For Red Hat, Centos or derivatives
-    if which yum &> /dev/null 2>&1 ; then
-        if ( rpm -q pure-ftpd ); then service pure-ftpd restart; fi
-        if ( rpm -q monit ); then service monit restart; fi
-        if ( rpm -q postfix ); then service postfix restart; fi
-        if ( rpm -q dovecot ); then service dovecot restart; fi
-        if ( rpm -q mysql-server ); then service mysqld restart; fi
-        if ( rpm -q mariadb-server ); then service mariadb restart; fi
-        if ( rpm -q MariaDB-server ); then service mysql restart; fi
-        if ( rpm -q nginx ); then service nginx restart; fi
-        if ( rpm -q httpd ); then service httpd restart; fi
-    # For Debian, Ubuntu or derivatives
-    elif apt-get -v >/dev/null 2>&1 ; then
-        if [ $(dpkg-query -W -f='${Status}' pure-ftpd-mysql 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service pure-ftpd-mysql restart; fi
-        if [ $(dpkg-query -W -f='${Status}' monit 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service monit restart; fi
-        if [ $(dpkg-query -W -f='${Status}' postfix 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service postfix restart; fi
-        if [ $(dpkg-query -W -f='${Status}' dovecot-imapd 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service dovecot restart; fi
-        if [ $(dpkg-query -W -f='${Status}' mysql 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service mysql restart; fi
-        if [ $(dpkg-query -W -f='${Status}' mariadb 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service mysql restart; fi
-        if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx restart; fi
-        if [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 restart; fi
+if [ -n "$SUCCESS" ]; then
+  if cd /usr/local/ispconfig/interface/ssl; then
+    ipem=ispserver.pem
+    icrt=ispserver.crt
+    ikey=ispserver.key
+    if ls ispserver.*.bak &>/dev/null; then
+      rm ispserver.*.bak
     fi
-else echo `/bin/date` "Your Lets Encrypt SSL certs path for your ISPConfig server FQDN is missing.$line" >> /var/log/ispconfig/ispconfig.log; fi
+    if [ -e "$ipem" ]; then
+      mv $ipem "$ipem-$(date +"%y%m%d%H%M%S").bak"
+      cat $ikey $icrt >$ipem
+      chmod 600 $ipem
+    fi
+  fi
+  pureftpdpem=/etc/ssl/private/pure-ftpd.pem
+  if [ -e "$pureftpdpem" ]; then chmod 600 $pureftpdpem; fi
+  # For Red Hat, Centos or derivatives
+  if which yum &>/dev/null 2>&1; then
+    if rpm -q pure-ftpd; then service pure-ftpd restart; fi
+    if rpm -q monit; then service monit restart; fi
+    if rpm -q postfix; then service postfix restart; fi
+    if rpm -q dovecot; then service dovecot restart; fi
+    if rpm -q mysql-server; then service mysqld restart; fi
+    if rpm -q mariadb-server; then service mariadb restart; fi
+    if rpm -q MariaDB-server; then service mysql restart; fi
+    if rpm -q nginx; then service nginx restart; fi
+    if rpm -q httpd; then service httpd restart; fi
+  # For Debian, Ubuntu or derivatives
+  elif apt-get -v >/dev/null 2>&1; then
+    if [ "$(dpkg-query -W -f='${Status}' pure-ftpd-mysql 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then service pure-ftpd-mysql restart; fi
+    if [ "$(dpkg-query -W -f='${Status}' monit 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then service monit restart; fi
+    if [ "$(dpkg-query -W -f='${Status}' postfix 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then service postfix restart; fi
+    if [ "$(dpkg-query -W -f='${Status}' dovecot-imapd 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then service dovecot restart; fi
+    if [ "$(dpkg-query -W -f='${Status}' mysql 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then service mysql restart; fi
+    if [ "$(dpkg-query -W -f='${Status}' mariadb 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then service mysql restart; fi
+    if [ "$(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then service nginx restart; fi
+    if [ "$(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed")" -eq 1 ]; then service apache2 restart; fi
+  fi
+else
+  echo "$(/bin/date)" "Your Lets Encrypt SSL certs path for your ISPConfig server FQDN is missing." >>/var/log/ispconfig/ispconfig.log
+fi
