Merge branch 'patch-3' into 'stable-3.1'

Allow creating LE SSL certs during ISPConfig 3.1 stable install or update

See merge request ispconfig/ispconfig3!911

Author: Till Brehm

install/install.php

@@ -576,6 +576,12 @@
 	$inst->install_ispconfig_interface = false;
 }
 
+// Create SSL certs for non-webserver(s)?
+if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
+    if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
+        $inst->make_ispconfig_ssl_cert();
+}
+
 $inst->install_ispconfig();
 
 //* Configure DBServer

install/lib/installer_base.lib.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
-Copyright (c) 2007-2010, Till Brehm, projektfarm Gmbh
+Copyright (c) 2007-2019, Till Brehm, projektfarm GmbH
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,
@@ -2684,34 +2684,254 @@ public function configure_apps_vhost() {
 			if(!@is_link($vhost_conf_enabled_dir.'/000-apps.vhost')) {
 				symlink($vhost_conf_dir.'/apps.vhost', $vhost_conf_enabled_dir.'/000-apps.vhost');
 			}
+		}
+	}
 
+	private function curl_request($url, $use_ipv6 = false) {
+		$set_headers = [
+			'Connection: Close',
+			'User-Agent: ISPConfig/3',
+			'Accept: */*'
+		];
+
+		$ch = curl_init($url);
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+        curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
+        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
+        curl_setopt($ch, CURLOPT_HTTPHEADER, $set_headers);
+		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+		curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
+
+		if($use_ipv6) {
+			if(defined('CURLOPT_IPRESOLVE') && defined('CURL_IPRESOLVE_V6')) {
+				curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6);
+			}
+		} else {
+			if(defined('CURLOPT_IPRESOLVE') && defined('CURL_IPRESOLVE_V4')) {
+				curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+			}
 		}
+
+		$response = curl_exec($ch);
+		curl_close($ch);
+
+		return $response;
 	}
 
 	public function make_ispconfig_ssl_cert() {
-		global $conf,$autoinstall;
+		global $conf, $autoinstall;
 
-		$install_dir = $conf['ispconfig_install_dir'];
+		//* Get hostname from user entry or shell command */
+		if($conf['hostname'] !== 'localhost' && $conf['hostname'] !== '') {
+			$hostname = $conf['hostname'];
+		} else {
+			$hostname = exec('hostname -f');
+		}
+
+		// Check dns a record exist and its ip equal to server public ip
+		$svr_ip4 = $this->curl_request('https://ispconfig.org/remoteip.php', false);
+		$svr_ip6 = $this->curl_request('https://ispconfig.org/remoteip.php', true);
+
+		if(function_exists('idn_to_ascii')) {
+			if(defined('IDNA_NONTRANSITIONAL_TO_ASCII') && defined('INTL_IDNA_VARIANT_UTS46') && constant('IDNA_NONTRANSITIONAL_TO_ASCII')) {
+				$hostname = idn_to_ascii($hostname, IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46);
+			} else {
+				$hostname = idn_to_ascii($hostname);
+			}
+		}
+		$dns_ips = array();
+		if (checkdnsrr($hostname, 'A')) {
+			$dnsa=dns_get_record($hostname, DNS_A);
+			if($dnsa) {
+				foreach ($dnsa as $rec) {
+					$dns_ips[] = $rec['ip'];
+				}
+			}
+		}
+		if (checkdnsrr($hostname, 'AAAA')) {
+			$dnsaaaa=dns_get_record($hostname, DNS_AAAA);
+			if($dnsaaaa) {
+				foreach ($dnsaaaa as $rec) {
+					$dns_ips[] = $rec['ip'];
+				}
+			}
+		}
+
+		// Request for certs if no LE SSL folder for server fqdn exist
+		$le_live_dir = '/etc/letsencrypt/live/' . $hostname;
+		if (!@is_dir($le_live_dir) && (
+				($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips))
+			)) {
+
+			// This script is needed earlier to check and open http port 80 or standalone might fail
+			// Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install
+			if(file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_pre_hook.sh')) {
+				symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh');
+			}
+			if(file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_post_hook.sh')) {
+				symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh');
+			}
+			if(file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_renew_hook.sh')) {
+				symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh');
+			}
+			chown('/usr/local/bin/letsencrypt_pre_hook.sh', 'root');
+			chown('/usr/local/bin/letsencrypt_post_hook.sh', 'root');
+			chown('/usr/local/bin/letsencrypt_renew_hook.sh', 'root');
+			chmod('/usr/local/bin/letsencrypt_pre_hook.sh', 0700);
+			chmod('/usr/local/bin/letsencrypt_post_hook.sh', 0700);
+			chmod('/usr/local/bin/letsencrypt_renew_hook.sh', 0700);
 
-		$ssl_crt_file = $install_dir.'/interface/ssl/ispserver.crt';
-		$ssl_csr_file = $install_dir.'/interface/ssl/ispserver.csr';
-		$ssl_key_file = $install_dir.'/interface/ssl/ispserver.key';
+			// Check http port 80 status as it cannot be determined at post hook stage
+			$port80_status=exec('true &>/dev/null </dev/tcp/127.0.0.1/80 && echo open || echo close');
+
+			// Set pre-, post- and renew hook
+			$pre_hook = "--pre-hook \"letsencrypt_pre_hook.sh\"";
+			$renew_hook = "  --renew-hook \"letsencrypt_renew_hook.sh\"";
+			if($port80_status == 'close') {
+				$post_hook = " --post-hook \"letsencrypt_post_hook.sh\"";
+				$hook = $pre_hook . $post_hook . $renew_hook;
+			} else {
+				$hook = $pre_hook . $renew_hook;
+			}
+
+			// Get the default LE client name and version
+			$le_client = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot'));
+			$le_client = reset($le_client);
+
+			// Check for Neilpang acme.sh as well
+			$acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
+			$acme = reset($acme);
+
+			// Attempt to use Neilpang acme.sh first, as it is now the preferred LE client
+			if (is_executable($acme)) {
+
+				if($conf['nginx']['installed'] == true) {
+					exec("$acme --issue --nginx -d $hostname $renew_hook");
+				} elseif($conf['apache']['installed'] == true) {
+					exec("$acme --issue --apache -d $hostname $renew_hook");
+				}
+				// Else, it is not webserver, so we use standalone
+				else {
+					exec("$acme --issue --standalone -d $hostname $hook");
+				}
 
-		if(!@is_dir($install_dir.'/interface/ssl')) mkdir($install_dir.'/interface/ssl', 0755, true);
+				// Define LE certs name and path, then install them
+				if (!@is_dir($le_live_dir)) mkdir($le_live_dir, 0755, true);
+				$acme_cert = "--cert-file $le_live_dir/cert.pem";
+				$acme_key = "--key-file $le_live_dir/privkey.pem";
+				$acme_ca = "--ca-file $le_live_dir/chain.pem";
+				$acme_chain = "--fullchain-file $le_live_dir/fullchain.pem";
+				exec("$acme --install-cert -d $hostname $acme_cert $acme_key $acme_ca $acme_chain");
+
+			// Else, we attempt to use the official LE certbot client certbot
+			} else {
+
+				//  But only if it is otherwise available
+				if(is_executable($le_client)) {
+
+					// Get its version info due to be used for webroot arguement issues
+					$le_info = exec($le_client . ' --version  2>&1', $ret, $val);
+					if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) {
+						$le_version = $matches[2];
+					}
+
+					// Define certbot commands
+					$acme_version = '--server https://acme-v0' . (($le_version >=0.22) ? '2' : '1') . '.api.letsencrypt.org/directory';
+					$certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096';
+
+					// If this is a webserver
+					if($conf['nginx']['installed'] == true)
+						exec("$le_client $certonly $acme_version --nginx --email postmaster@$hostname $renew_hook");
+					elseif($conf['apache']['installed'] == true)
+						exec("$le_client $certonly $acme_version --apache --email postmaster@$hostname $renew_hook");
+					// Else, it is not webserver, so we use standalone
+					else
+						exec("$le_client $certonly $acme_version --standalone --email postmaster@$hostname -d $hostname $hook");
+				}
+			}
+		}
+
+		//* Define and check ISPConfig SSL folder */
+		$ssl_dir = $conf['ispconfig_install_dir'].'/interface/ssl';
+		if(!@is_dir($ssl_dir)) mkdir($ssl_dir, 0755, true);
+
+		$ssl_crt_file = $ssl_dir.'/ispserver.crt';
+		$ssl_csr_file = $ssl_dir.'/ispserver.csr';
+		$ssl_key_file = $ssl_dir.'/ispserver.key';
+		$ssl_pem_file = $ssl_dir.'/ispserver.pem';
+
+		$date = new DateTime();
+
+		// If the LE SSL certs for this hostname exists
+		if (is_dir($le_live_dir) && in_array($svr_ip, $dns_ips)) {
+
+			// Backup existing ispserver ssl files
+			if (file_exists($ssl_crt_file)) rename($ssl_crt_file, $ssl_crt_file . '-' .$date->format('YmdHis') . '.bak');
+			if (file_exists($ssl_key_file)) rename($ssl_key_file, $ssl_key_file . '-' .$date->format('YmdHis') . '.bak');
+			if (file_exists($ssl_pem_file)) rename($ssl_pem_file, $ssl_pem_file . '-' .$date->format('YmdHis') . '.bak');
+
+			// Create symlink to LE fullchain and key for ISPConfig
+			symlink($le_live_dir.'/fullchain.pem', $ssl_crt_file);
+			symlink($le_live_dir.'/privkey.pem', $ssl_key_file);
 
-		$ssl_pw = substr(md5(mt_rand()), 0, 6);
-		exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096");
-		if(AUTOINSTALL){
-			exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -subj '/C=".escapeshellcmd($autoinstall['ssl_cert_country'])."/ST=".escapeshellcmd($autoinstall['ssl_cert_state'])."/L=".escapeshellcmd($autoinstall['ssl_cert_locality'])."/O=".escapeshellcmd($autoinstall['ssl_cert_organisation'])."/OU=".escapeshellcmd($autoinstall['ssl_cert_organisation_unit'])."/CN=".escapeshellcmd($autoinstall['ssl_cert_common_name'])."' -key $ssl_key_file -out $ssl_csr_file");
 		} else {
-			exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -out $ssl_csr_file");
+
+			// We can still use the old self-signed method
+			$ssl_pw = substr(md5(mt_rand()), 0, 6);
+			exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096");
+			if(AUTOINSTALL){
+				exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -subj '/C=".escapeshellcmd($autoinstall['ssl_cert_country'])."/ST=".escapeshellcmd($autoinstall['ssl_cert_state'])."/L=".escapeshellcmd($autoinstall['ssl_cert_locality'])."/O=".escapeshellcmd($autoinstall['ssl_cert_organisation'])."/OU=".escapeshellcmd($autoinstall['ssl_cert_organisation_unit'])."/CN=".escapeshellcmd($autoinstall['ssl_cert_common_name'])."' -key $ssl_key_file -out $ssl_csr_file");
+			} else {
+				exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -out $ssl_csr_file");
+			}
+			exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 3650");
+			exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure");
+			rename($ssl_key_file, $ssl_key_file.'.secure');
+			rename($ssl_key_file.'.insecure', $ssl_key_file);
 		}
-		exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 3650");
-		exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure");
-		rename($ssl_key_file, $ssl_key_file.'.secure');
-		rename($ssl_key_file.'.insecure', $ssl_key_file);
 
-		exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
+		// Build ispserver.pem file and chmod it
+		exec("cat $ssl_key_file $ssl_crt_file > $ssl_pem_file; chmod 600 $ssl_pem_file");
+
+		// Extend LE SSL certs to postfix
+		if ($conf['postfix']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig LE SSL certs to postfix?', array('y', 'n'), 'y')) == 'y') {
+
+			// Define folder, file(s)
+			$cf = $conf['postfix'];
+			$postfix_dir = $cf['config_dir'];
+			if(!is_dir($postfix_dir)) $this->error("The postfix configuration directory '$postfix_dir' does not exist.");
+			$smtpd_crt = $postfix_dir.'/smtpd.cert';
+			$smtpd_key = $postfix_dir.'/smtpd.key';
+
+			// Backup existing postfix ssl files
+			if (file_exists($smtpd_crt)) rename($smtpd_crt, $smtpd_crt . '-' .$date->format('YmdHis') . '.bak');
+			if (file_exists($smtpd_key)) rename($smtpd_key, $smtpd_key . '-' .$date->format('YmdHis') . '.bak');
+
+			// Create symlink to ISPConfig SSL files
+			symlink($ssl_crt_file, $smtpd_crt);
+			symlink($ssl_key_file, $smtpd_key);
+		}
+
+		// Extend LE SSL certs to pureftpd
+		if ($conf['pureftpd']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig LE SSL certs to pureftpd? Creating dhparam file takes some times.', array('y', 'n'), 'y')) == 'y') {
+
+			// Define folder, file(s)
+			$pureftpd_dir = '/etc/ssl/private';
+			if(!is_dir($pureftpd_dir)) mkdir($pureftpd_dir, 0755, true);
+			$pureftpd_pem = $pureftpd_dir.'/pure-ftpd.pem';
+
+			// Backup existing pureftpd ssl files
+			if (file_exists($pureftpd_pem)) rename($pureftpd_pem, $pureftpd_pem . '-' .$date->format('YmdHis') . '.bak');
+
+			// Create symlink to ISPConfig SSL files
+			symlink($ssl_pem_file, $pureftpd_pem);
+			if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem"))
+				exec("cd $pureftpd_dir; openssl dhparam -out dhparam2048.pem 2048; ln -sf dhparam2048.pem pure-ftpd-dhparams.pem");
+		}
+
+		exec("chown -R root:root $ssl_dir");
 
 	}
 
@@ -3134,6 +3354,20 @@ public function install_ispconfig() {
 		if(!is_link('/usr/local/bin/ispconfig_update_from_dev.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update_from_dev.sh');
 		if(!is_link('/usr/local/bin/ispconfig_update.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update.sh');
 
+		// Make executable then unlink and symlink letsencrypt pre, post and renew hook scripts
+		chown($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 'root');
+		chown($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 'root');
+		chown($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 'root');
+		chmod($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 0700);
+		chmod($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 0700);
+		chmod($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 0700);
+		if(is_link('/usr/local/bin/letsencrypt_pre_hook.sh')) unlink('/usr/local/bin/letsencrypt_pre_hook.sh');
+		if(is_link('/usr/local/bin/letsencrypt_post_hook.sh')) unlink('/usr/local/bin/letsencrypt_post_hook.sh');
+		if(is_link('/usr/local/bin/letsencrypt_renew_hook.sh')) unlink('/usr/local/bin/letsencrypt_renew_hook.sh');
+		symlink($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh');
+		symlink($install_dir.'/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh');
+		symlink($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh');
+
 		//* Make the logs readable for the ispconfig user
 		if(@is_file('/var/log/mail.log')) exec('chmod +r /var/log/mail.log');
 		if(@is_file('/var/log/mail.warn')) exec('chmod +r /var/log/mail.warn');
@@ -3474,5 +3708,3 @@ protected function insert_db_credentials($tContents) {
 	}
 
 }
-
-?>

install/uninstall.php

@@ -88,6 +88,9 @@
 	exec('rm -rf /usr/local/ispconfig');
 
 	// Delete various other files
+	@unlink("/usr/local/bin/letsencrypt_post_hook.sh");
+	@unlink("/usr/local/bin/letsencrypt_pre_hook.sh");
+	@unlink("/usr/local/bin/letsencrypt_renew_hook.sh");
 	@unlink("/usr/local/bin/ispconfig_update.sh");
 	@unlink("/usr/local/bin/ispconfig_update_from_svn.sh");
 	@unlink("/var/spool/mail/ispconfig");

install/update.php

@@ -536,6 +536,12 @@
 	}
 }
 
+// Create SSL certs for non-webserver(s)?
+if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
+    if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
+        $inst->make_ispconfig_ssl_cert();
+}
+
 $inst->install_ispconfig();
 
 // Cleanup

server/scripts/letsencrypt_post_hook.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+### BEGIN INIT INFO
+# Provides: LETSENCRYPT POST HOOK SCRIPT
+# Required-Start:  $local_fs $network
+# Required-Stop:  $local_fs
+# Default-Start:  2 3 4 5
+# Default-Stop:  0 1 6
+# Short-Description: LETSENCRYPT POST HOOK SCRIPT
+# Description:  To force close http port 80 if it is by default closed, to be used by letsencrypt client standlone command
+### END INIT INFO
+
+## If you need a custom hook file, create a file with the same name in
+## /usr/local/ispconfig/server/conf-custom/scripts/
+if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh" ]] ; then
+	. /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh && exit 0 || exit 1;
+fi
+
+# You can add support to other firewall
+
+# For RHEL, Centos or derivatives
+if which yum &> /dev/null 2>&1 ; then
+    # Check if web server software is installed, start it if any
+    if [ rpm -q nginx ]; then service nginx start
+    elif [ rpm -q httpd ]; then service httpd start
+    # If using firewalld
+    elif [ rpm -q firewalld ] && [ `firewall-cmd --state` = running ]; then
+        firewall-cmd --zone=public --permanent --remove-service=http
+        firewall-cmd --reload
+    # If using UFW
+    else; if [ rpm -q ufw ]; then ufw --force enable && ufw deny http; fi
+    fi
+# For Debian, Ubuntu or derivatives
+elif apt-get -v >/dev/null 2>&1 ; then
+    # Check if web server software is installed, stop it if any
+    if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx start
+    elif [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 start
+    # If using UFW
+    else; if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then ufw --force enable && ufw deny http; fi
+    fi
+# Try iptables as a final attempt
+else
+    iptables -D INPUT  -p tcp  --dport 80    -j ACCEPT
+    service iptables save
+fi