Merge branch '6176-don-t-use-password-protected-keys-for-self-signed-certificates' into 'develop'

Resolve "Don't use password-protected keys for self-signed certificates"

Closes #6176

See merge request ispconfig/ispconfig3!1486

Author: Marius Burkard

.gitlab-ci.yml

@@ -3,6 +3,7 @@ stages:
   - syntax
   - syntax_diff
   - test
+  - build
 
 #
 ### Stage syntax
@@ -63,3 +64,21 @@ test:install:
     - apt-get --yes install curl
     - curl --insecure https://127.0.0.1:8080/login/
     - ps xaf
+
+
+build:package:
+    stage: build
+    image: edbizarro/gitlab-ci-pipeline-php:7.2
+    only:
+        refs:
+            - /^\d+\.\d+\.\d+$/
+    except:
+        - branches
+        - merge_requests
+        - schedules
+        - pushes
+    script:
+        - echo "Building release."
+        
+    when: manual
+    allow_failure: false

install/lib/installer_base.lib.php

@@ -3147,17 +3147,11 @@ public function make_ispconfig_ssl_cert() {
 			}
 
 			// We can still use the old self-signed method
-			$ssl_pw = substr(md5(mt_rand()), 0, 6);
-			exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096");
+			$openssl_cmd = 'openssl req -nodes -newkey rsa:4096 -x509 -days 3650 -keyout ' . escapeshellarg($ssl_key_file) . ' -out ' . escapeshellarg($ssl_crt_file);
 			if(AUTOINSTALL){
-				exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -subj '/C=".escapeshellcmd($autoinstall['ssl_cert_country'])."/ST=".escapeshellcmd($autoinstall['ssl_cert_state'])."/L=".escapeshellcmd($autoinstall['ssl_cert_locality'])."/O=".escapeshellcmd($autoinstall['ssl_cert_organisation'])."/OU=".escapeshellcmd($autoinstall['ssl_cert_organisation_unit'])."/CN=".escapeshellcmd($autoinstall['ssl_cert_common_name'])."' -key $ssl_key_file -out $ssl_csr_file");
-			} else {
-				exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -out $ssl_csr_file");
+				$openssl_cmd .= ' -subj ' . escapeshellarg('/C=' . $autoinstall['ssl_cert_country'] . '/ST=' . $autoinstall['ssl_cert_state'] . '/L=' . $autoinstall['ssl_cert_locality'] . '/O=' . $autoinstall['ssl_cert_organisation'] . '/OU=' . $autoinstall['ssl_cert_organisation_unit'] . '/CN=' . $autoinstall['ssl_cert_common_name']);
 			}
-			exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 3650");
-			exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure");
-			rename($ssl_key_file, $ssl_key_file.'.secure');
-			rename($ssl_key_file.'.insecure', $ssl_key_file);
+			exec($openssl_cmd);
 		}
 
 		// Build ispserver.pem file and chmod it