refactor Let's encrypt issuing and introduce ECC cert handling #5226 #6563

Author: d--j

install/tpl/server.ini.master

@@ -142,6 +142,7 @@ vhost_proxy_protocol_enabled=n
 vhost_proxy_protocol_protocols=ipv4
 vhost_proxy_protocol_http_port=880
 vhost_proxy_protocol_https_port=8443
+le_signature_type=ECDSA
 le_auto_cleanup=y
 le_auto_cleanup_denylist=[server_name]
 

interface/lib/classes/validate_domain.inc.php

@@ -278,5 +278,30 @@ function _wildcard_limit() {
 		return true; // admin may always add wildcard domain
 	}
 
+	/**
+	 * Validates that input is a comma separated list of domain globs.
+	 */
+	function domain_glob_list($field_name, $field_value, $validator) {
+		global $app;
+		$allowempty = $validator['allowempty'] ?: 'n';
+		$exceptions = $validator['exceptions'] ?: [];
+		if (!$field_value) {
+			if ($allowempty == 'y') {
+				return '';
+			}
+			return $this->get_error($validator['errmsg']);
+		}
+		$parts = explode(',', $field_value);
+		foreach ($parts as $part) {
+			$part = trim($part);
+			if (in_array($part, $exceptions, true)) {
+				continue;
+			}
+			if (!preg_match("/^[a-z0-9*._-]+$/i", $part) || !filter_var($part, FILTER_VALIDATE_DOMAIN)) {
+				return $this->get_error($validator['errmsg']);
+			}
+		}
+		return '';
+	}
 
 }

interface/web/admin/form/server_config.tform.php

@@ -1633,13 +1633,29 @@
 			'width' => '40',
 			'maxlength' => '255'
 		),
+		'le_signature_type' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'SELECT',
+			'default' => 'ECDSA',
+			'value' => array('RSA' => 'RSA (RSA encryption with SHA-256)', 'ECDSA' => 'ECDSA (Elliptic Curve Digital Signature Algorithm)')
+		),
 		'le_auto_cleanup' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'CHECKBOX',
 			'default' => 'y',
 			'value' => array(0 => 'n', 1 => 'y')
 		),
 		'le_auto_cleanup_denylist' => array(
+			'validators' => array(
+				array (
+					'type' => 'CUSTOM',
+					'class' => 'validate_domain',
+					'function' => 'domain_glob_list',
+					'allowempty' => 'y',
+					'exceptions' => array('[server_name]'),
+					'errmsg'=> 'le_auto_cleanup_denylist_error_custom'
+				),
+			),
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
 			'default' => '[server_name]',

interface/web/admin/lib/lang/en_server_config.lng

@@ -370,6 +370,8 @@ $wb['sysbackup_copies_txt'] = 'Number of ISPConfig backups';
 $wb['sysbackup_copies_error_empty'] = 'Number of ISPConfig backups must not be empty';
 $wb['sysbackup_copies_error_regex'] = 'Number of ISPConfig backups must be a number between 1 and 3';
 $wb['sysbackup_copies_note_txt'] = '(0 = off)';
+$wb['le_signature_type_txt'] = 'Certificate signature type';
 $wb['le_auto_cleanup_txt'] = 'Automatically purge unused Let\'s Encrypt certificates';
-$wb['le_auto_cleanup_denylist_txt'] = 'Comma seperated list of domains that should never be purged.';
-$wb['le_auto_cleanup_denylist_note_txt'] = 'Placeholders:';
+$wb['le_auto_cleanup_denylist_txt'] = 'Domains that should never be purged';
+$wb['le_auto_cleanup_denylist_note_txt'] = 'Comma separated list of domain globs that should not be purged. <br>E.g. <code>mail.*, externally-managed.example.com</code> <br>Placeholders:';
+$wb['le_auto_cleanup_denylist_error_custom'] = 'Invalid list of domain globs';

interface/web/admin/templates/server_config_web_edit.htm

@@ -248,14 +248,21 @@ <h4 class="panel-title">
 					<label class="col-sm-3 control-label"><tmpl_var name="skip_le_check_txt"></label>
 					<div class="col-sm-9"><tmpl_var name="skip_le_check"></div>
 				</div>
+
+				<div class="form-group">
+                    <label class="col-sm-3 control-label">{tmpl_var name='le_signature_type_txt'}</label>
+                    <div class="col-sm-9"><select name="le_signature_type" id="le_signature_type" class="form-control">
+                        {tmpl_var name='le_signature_type'}
+                    </select></div>
+				</div>
                 <div class="form-group">
                     <label class="col-sm-3 control-label"><tmpl_var name="le_auto_cleanup_txt"></label>
                     <div class="col-sm-9"><tmpl_var name="le_auto_cleanup"></div>
                 </div>
                 <div class="form-group">
                     <label for="le_auto_cleanup_denylist" class="col-sm-3 control-label">{tmpl_var name='le_auto_cleanup_denylist_txt'}</label>
                     <div class="col-sm-9">
-                        <input type="text" name="CA_path" id="le_auto_cleanup_denylist" value="{tmpl_var name='le_auto_cleanup_denylist'}" class="form-control" />
+                        <input type="text" name="le_auto_cleanup_denylist" id="le_auto_cleanup_denylist" value="{tmpl_var name='le_auto_cleanup_denylist'}" class="form-control" />
                         <br>{tmpl_var name='le_auto_cleanup_denylist_note_txt'} <a href="javascript:void(0);" class="addPlaceholder">[server_name]</a>
                     </div>
                 </div>

server/cli/modules/letsencrypt.inc.php

@@ -28,68 +28,211 @@
 EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
-class letsencrypt_cli extends cli
-{
-
-	function __construct()
-	{
-		$cmd_opt                                = [];
-		$cmd_opt['letsencrypt']                 = 'showHelp';
-		$cmd_opt['letsencrypt:list']            = 'list';
+class letsencrypt_cli extends cli {
+
+	function __construct() {
+		$cmd_opt = [];
+		$cmd_opt['letsencrypt'] = 'showHelp';
+		$cmd_opt['letsencrypt:list'] = 'listCertificates';
+		$cmd_opt['letsencrypt:info'] = 'outputCertificate';
 		$cmd_opt['letsencrypt:cleanup-expired'] = 'cleanupExpired';
 		$this->addCmdOpt($cmd_opt);
 	}
 
-	public function list($arg)
-	{
+	public function listCertificates($arg) {
 		global $app;
 		$app->uses('letsencrypt');
-		$certificates = $app->letsencrypt->get_certificate_list();
-		foreach ($certificates as $certificate) {
-			print_r($certificate);
+		$certificates = $this->getCertificates();
+		if(empty($certificates)) {
+			return;
+		}
+		$table = [['type', 'id', 'valid info', 'serial', 'domains']];
+		$ansi_reset = "\033[0m";
+		$bold_red = "\033[1m\033[31m";
+		$bold_green = "\033[1m\033[32m";
+		foreach($certificates as $certificate) {
+			$valid = ($certificate['is_valid'] ? ($bold_green . 'yes' . $ansi_reset) : ($bold_red . 'no ' . $ansi_reset)) . ' ' . $this->getValidInfo($certificate);
+			$table[] = [
+				$certificate['signature_type'],
+				$certificate['id'],
+				$valid,
+				$certificate['serial_number'],
+				$this->getList($certificate['domains']),
+			];
 		}
+		$this->outputTable($table, ['variable_columns' => '1,4', 'expand' => true]);
 	}
 
-	public function cleanupExpired($arg)
-	{
+	public function outputCertificate($args) {
 		global $app;
+		if(empty($args)) {
+
+		}
+		if(empty($args)) {
+			$this->swriteln('error: ID of the certificate is missing');
+			$this->showHelp($args);
+			exit(1);
+		}
 		$app->uses('letsencrypt');
-		$removals     = 0;
-		$hasErrors    = false;
-		$certificates = $app->letsencrypt->get_certificate_list();
-		foreach ($certificates as $certificate) {
-			if (! $certificate['is_valid']) {
-				$this->swriteln("Removing ".join(', ', $certificate['domains'])." expired certificate...");
-				if ($app->letsencrypt->remove_certificate($certificate)) {
-					$removals += 1;
-				} else {
-					$this->swriteln("Could not remove ".print_r($certificate, true));
-					$hasErrors = true;
+		$certificates = $this->getCertificates();
+		if(empty($certificates)) {
+			return;
+		}
+		foreach($args as $id) {
+			$certificate = false;
+			foreach($certificates as $c) {
+				if($c['id'] == $id) {
+					$certificate = $c;
+					break;
 				}
 			}
+			if($certificate) {
+				$ansi_reset = "\033[0m";
+				$bold_red = "\033[1m\033[31m";
+				$bold_green = "\033[1m\033[32m";
+				$bold_yellow = "\033[1m\033[33m";
+				$gray = "\033[38;5;7m";
+				$valid = ($certificate['is_valid'] ? ($bold_green . 'yes' . $ansi_reset) : ($bold_red . 'no ' . $ansi_reset)) . ' ' . $this->getValidInfo($certificate);
+				$table = [
+					['key', 'value'],
+					['id', $certificate['id']],
+					['serial', $certificate['serial_number']],
+					['type', $certificate['signature_type']],
+					['valid', $valid . "\n" . $gray . 'from ' . $ansi_reset . $certificate['valid_from']->format('Y-m-d H:i:s') . "\n" . $gray . 'to   ' . $ansi_reset . $certificate['valid_to']->format('Y-m-d H:i:s')],
+					['revokation', $certificate['is_revoked'] === null ? ($bold_yellow . 'not checked' . $ansi_reset) : $certificate['is_revoked'] ? ($bold_red . 'REVOKED' . $ansi_reset) : ($bold_green . 'not revoked' . $ansi_reset)],
+					['domains', $this->getList($certificate['domains'])],
+					['subject', $this->getAssocArray($certificate['subject'])],
+					['issuer', $this->getAssocArray($certificate['issuer'])],
+					['source', $certificate['source']],
+					['conf', $certificate['conf']],
+					['files', $this->getAssocArray($certificate['cert_paths'])],
+				];
+				$this->outputTable($table, ['min_lengths' => [10], 'variable_columns' => '1', 'expand' => true]);
+			} else {
+				$this->swriteln("\n" . 'Certificate not found: ' . $id . "\n");
+			}
 		}
-		if ($removals) {
-			$this->swriteln("Removed $removals expired certificates");
-		} else {
-			$this->swriteln("No certificates were removed");
+
+	}
+
+	public function cleanupExpired($arg) {
+		global $app;
+		$app->uses('letsencrypt');
+		$removals = 0;
+		$hasErrors = false;
+		$certificates = $this->getCertificates();
+		if(empty($certificates)) {
+			return;
+		}
+		$certificates_to_remove = [];
+		foreach($certificates as $certificate) {
+			if(!$certificate['is_valid']) {
+				$certificates_to_remove[] = $certificate;
+			}
+		}
+		if(empty($certificates_to_remove)) {
+			$this->swriteln('No expired certificates found');
+			return;
 		}
-		if ($hasErrors) {
+		$ansi_reset = "\033[0m";
+		$bold_red = "\033[1m\033[31m";
+		$table = [['type', 'id', 'valid info', 'serial', 'domains']];
+		foreach($certificates_to_remove as $certificate) {
+			$valid = $this->getValidInfo($certificate);
+			$table[] = [
+				$certificate['signature_type'],
+				$certificate['id'],
+				$valid,
+				$certificate['serial_number'],
+				$this->getList($certificate['domains']),
+			];
+		}
+		$this->outputTable($table, ['variable_columns' => '1,4', 'expand' => true]);
+		$this->swriteln('');
+		if($this->simple_query($bold_red . 'Do you want to delete the certificates?' . $ansi_reset, ['yes', 'no'], 'no') == 'no') {
+			$this->swriteln('No certificates were removed');
+			return;
+		}
+		foreach($certificates_to_remove as $certificate) {
+			$this->swriteln('Removing expired certificate ' . $certificate['id']);
+			if($app->letsencrypt->remove_certificate($certificate)) {
+				$removals += 1;
+			} else {
+				$this->swriteln("Could not remove " . print_r($certificate, true));
+				$hasErrors = true;
+			}
+		}
+		$this->swriteln('Removed ' . $removals . ' expired certificates');
+		if($hasErrors) {
 			exit(1);
 		}
 	}
 
-	public function showHelp($arg)
-	{
+	public function showHelp($arg) {
 		global $conf;
 
 		$this->swriteln("---------------------------------");
-		$this->swriteln("- Available commandline option -");
+		$this->swriteln("- Available commandline options -");
 		$this->swriteln("---------------------------------");
 		$this->swriteln("ispc letsencrypt list - lists all known certificates");
+		$this->swriteln("ispc letsencrypt info <id> - outputs all information of one certificate");
 		$this->swriteln("ispc letsencrypt cleanup-expired - Cleanup all expired certificates.");
 		$this->swriteln("---------------------------------");
 		$this->swriteln();
 	}
 
+
+	private function getList($array) {
+		return join("\n", array_map(function($line) {
+			$ansi_reset = "\033[0m";
+			$gray = "\033[38;5;7m";
+			return $gray . '• ' . $ansi_reset . $line;
+		}, $array));
+	}
+
+	private function getAssocArray($array) {
+		return join("\n", array_map(function($key, $value) {
+			$ansi_reset = "\033[0m";
+			$gray = "\033[38;5;7m";
+			return $gray . $key . '=' . $ansi_reset . $value;
+		}, array_keys($array), array_values($array)));
+	}
+
+	private function getValidInfo($certificate) {
+		$ansi_reset = "\033[0m";
+		$bold_red = "\033[1m\033[31m";
+		$bold_green = "\033[1m\033[32m";
+		$bold_yellow = "\033[1m\033[33m";
+		$gray = "\033[38;5;7m";
+		$now = new DateTime('now');
+		$diff = $now->diff($certificate['valid_to'])->format('%r%a');
+		if($diff > 0) {
+			if($diff <= 7) {
+				$info = $bold_yellow . $diff . ' day' . ($diff > 1 ? 's' : '') . ' valid' . $ansi_reset;
+			} else {
+				$info = $bold_green . $diff . ' days valid' . $ansi_reset;
+			}
+		} else {
+			$diff = abs($diff);
+			$info = $bold_red . $diff . ' day' . ($diff != 1 ? 's' : '') . ' expired' . $ansi_reset;
+		}
+		// $info .= $gray . $certificate['valid_to']->format('Y-m-d H:i:s') . $ansi_reset;
+		if($certificate['is_revoked'] === null) {
+			$info .= $gray . ' (no OCSP)' . $ansi_reset;
+		} elseif($certificate['is_revoked']) {
+			$info .= $bold_red . ' REVOKED' . $ansi_reset;
+		}
+		return $info;
+	}
+
+	private function getCertificates() {
+		global $app;
+		$this->swriteln('Getting all certificates…');
+		$certificates = $app->letsencrypt->get_certificate_list();
+		if(empty($certificates)) {
+			$this->swriteln('No certificates found');
+		}
+		return $certificates;
+	}
 }