

ahrasisMarius Burkard
authored andcommitted
Update installer_base.lib.php to overwrite a self-signed certificate with LE SSL certs when possible. A temporary backup is made and restored if the LE SSL certs fail to be issued; it is made permanent once the LE SSL certs are successfully issued. Resolves https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5919
1 parent 810ed16 commit b1f0c20


1 file changed

+50
-24
lines changed


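--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -2871,8 +2871,13 @@ public function make_ispconfig_ssl_cert() {
 $ip_address_match = true;
 }
 
+// Get subject and issuer of ispserver.crt to check if it is self-signed cert
+if (file_exists($ssl_crt_file)) {
+$crt_subject = exec("openssl x509 -in ".escapeshellarg($ssl_crt_file)." -inform PEM -noout -subject");
+$crt_issuer = exec("openssl x509 -in ".escapeshellarg($ssl_crt_file)." -inform PEM -noout -issuer");
+}
 
-if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {
+if ((@file_exists($ssl_crt_file) && ($crt_subject == $crt_issuer)) || (!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {
 
 // This script is needed earlier to check and open http port 80 or standalone might fail
 // Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install
@@ -2942,6 +2947,14 @@ public function make_ispconfig_ssl_cert() {
 
 $issued_successfully = false;
 
+// Backup existing ispserver ssl files
+if(file_exists($ssl_crt_file) || is_link($ssl_crt_file))
+rename($ssl_crt_file, $ssl_crt_file.'-temporary.bak');
+if(file_exists($ssl_key_file) || is_link($ssl_key_file))
+rename($ssl_key_file, $ssl_key_file.'-temporary.bak');
+if(file_exists($ssl_pem_file) || is_link($ssl_pem_file))
+rename($ssl_pem_file, $ssl_pem_file.'-temporary.bak');
+
 // Attempt to use Neilpang acme.sh first, as it is now the preferred LE client
 if (is_executable($acme)) {
 
@@ -2958,18 +2971,6 @@ public function make_ispconfig_ssl_cert() {
 if($ret == 0 || ($ret == 2 && file_exists($check_acme_file))) {
 // acme.sh returns with 2 on issue for already existing certificate
 
-
-// Backup existing ispserver ssl files
-if(file_exists($ssl_crt_file) || is_link($ssl_crt_file)) {
-rename($ssl_crt_file, $ssl_crt_file . '-' . $date->format('YmdHis') . '.bak');
-}
-if(file_exists($ssl_key_file) || is_link($ssl_key_file)) {
-rename($ssl_key_file, $ssl_key_file . '-' . $date->format('YmdHis') . '.bak');
-}
-if(file_exists($ssl_pem_file) || is_link($ssl_pem_file)) {
-rename($ssl_pem_file, $ssl_pem_file . '-' . $date->format('YmdHis') . '.bak');
-}
-
 $check_acme_file = $ssl_crt_file;
 
 // Define LE certs name and path, then install them
@@ -2978,8 +2979,26 @@ public function make_ispconfig_ssl_cert() {
 $acme_chain = "--fullchain-file " . escapeshellarg($ssl_crt_file);
 exec("$acme --install-cert -d " . escapeshellarg($hostname) . " $acme_key $acme_chain");
 $issued_successfully = true;
+
+// Make temporary backup of self-signed certs permanent
+if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
+rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file.'-'.$date->format('YmdHis').'.bak');
+if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
+rename($ssl_key_file.'-temporary.bak', $ssl_key_file.'-'.$date->format('YmdHis').'.bak');
+if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
+rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file.'-'.$date->format('YmdHis').'.bak');
+
 } else {
 swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');
+
+// Restore temporary backup of self-signed certs
+if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
+rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
+if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
+rename($ssl_key_file.'-temporary.bak', $ssl_key_file);
+if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
+rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file);
+
 }
 // Else, we attempt to use the official LE certbot client certbot
 } else {
@@ -3011,24 +3030,31 @@ public function make_ispconfig_ssl_cert() {
 if($ret == 0) {
 // certbot returns with 0 on issue for already existing certificate
 
-// Backup existing ispserver ssl files
-if(file_exists($ssl_crt_file) || is_link($ssl_crt_file)) {
-rename($ssl_crt_file, $ssl_crt_file . '-' . $date->format('YmdHis') . '.bak');
-}
-if(file_exists($ssl_key_file) || is_link($ssl_key_file)) {
-rename($ssl_key_file, $ssl_key_file . '-' . $date->format('YmdHis') . '.bak');
-}
-if(file_exists($ssl_pem_file) || is_link($ssl_pem_file)) {
-rename($ssl_pem_file, $ssl_pem_file . '-' . $date->format('YmdHis') . '.bak');
-}
-
 $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
 symlink($acme_cert_dir . '/fullchain.pem', $ssl_crt_file);
 symlink($acme_cert_dir . '/privkey.pem', $ssl_key_file);
 
 $issued_successfully = true;
+
+// Make temporary backup of self-signed certs permanent
+if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
+rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file.'-'.$date->format('YmdHis').'.bak');
+if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
+rename($ssl_key_file.'-temporary.bak', $ssl_key_file.'-'.$date->format('YmdHis').'.bak');
+if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
+rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file.'-'.$date->format('YmdHis').'.bak');
+
 } else {
 swriteln('Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt');
+
+// Restore temporary backup of self-signed certs
+if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
+rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
+if(file_exists($ssl_key_file.'-temporary.bak') || is_link($ssl_key_file.'-temporary.bak'))
+rename($ssl_key_file.'-temporary.bak', $ssl_key_file);
+if(file_exists($ssl_pem_file.'-temporary.bak') || is_link($ssl_pem_file.'-temporary.bak'))
+rename($ssl_pem_file.'-temporary.bak', $ssl_pem_file);
+
 }
 } else {
 swriteln('Did not find any valid acme client (acme.sh or certbot)');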
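Review bot: The temporary backup taken before any client is selected (`rename($ssl_crt_file, $ssl_crt_file.'-temporary.bak')` and the key/pem equivalents) is only restored inside the acme.sh and certbot failure branches, so the final `else` that prints `'Did not find any valid acme client (acme.sh or certbot)'` leaves ispserver.crt and ispserver.key renamed away and the host with no serving certificate at all, unless code after this hunk (make_ispconfig_ssl_cert continues past it) regenerates one when `$issued_successfully` is false. Restoring in that branch too, or hoisting a single restore keyed on `$issued_successfully` after the whole client block, closes the gap; the else-branch version is sketched below. Separately, the new condition parses as `A || (B && C)` because `&&` binds tighter than `||`, so a self-signed certificate now triggers issuance even when `$ip_address_match` is false; if the IP gate is meant to cover both cases, parenthesize it as `if (((@file_exists($ssl_crt_file) && $crt_subject == $crt_issuer) || (...)) && $ip_address_match == true) {`. Note also that `exec()` yields an empty string when openssl cannot parse the file, so `$crt_subject == $crt_issuer` becomes `'' == ''` and an unreadable or malformed certificate is treated as self-signed — acceptable if re-issuance is the intended fallback, but worth stating in the comment above the check.
```php
} else {
swriteln('Did not find any valid acme client (acme.sh or certbot)');
// No client ran, but the pre-issuance files were already moved aside above:
// put them back, otherwise ispserver.crt/.key are left missing.
foreach ([$ssl_crt_file, $ssl_key_file, $ssl_pem_file] as $ssl_file) {
if (file_exists($ssl_file.'-temporary.bak') || is_link($ssl_file.'-temporary.bak'))
rename($ssl_file.'-temporary.bak', $ssl_file);
}
```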