Merge branch 'bugfix/6061_Improve-certbot-primary-domain-selection' into 'develop'

Marius Burkard · Marius Burkard · commit da4135860b9c · 2021-03-10T06:57:42.000Z
Add --cert-name option to certbot calls to set primary domain instead of --expand

Closes #6061

See merge request ispconfig/ispconfig3!1418
diff --git a/server/lib/classes/letsencrypt.inc.php b/server/lib/classes/letsencrypt.inc.php
@@ -137,6 +137,7 @@ public function get_certbot_command($domains) {
 			return false;
 		}
 
+		$primary_domain = $domains[0];
 		$matches = array();
 		$ret = null;
 		$val = 0;
@@ -151,18 +152,22 @@ public function get_certbot_command($domains) {
 			$acme_version = 'https://acme-v01.api.letsencrypt.org/directory';
 		}
 		if (version_compare($letsencrypt_version, '0.30', '>=')) {
-			$app->log("LE version is " . $letsencrypt_version . ", so using certificates command", LOGLEVEL_DEBUG);
+			$app->log("LE version is " . $letsencrypt_version . ", so using certificates command and --cert-name instead of --expand", LOGLEVEL_DEBUG);
 			$this->certbot_use_certcommand = true;
 			$webroot_map = array();
 			for($i = 0; $i < count($domains); $i++) {
 				$webroot_map[$domains[$i]] = '/usr/local/ispconfig/interface/acme';
 			}
 			$webroot_args = "--webroot-map " . escapeshellarg(str_replace(array("\r", "\n"), '', json_encode($webroot_map)));
+			// --cert-name might be working with earlier versions of certbot, but there is no exact version documented
+			// So for safety reasons we add it to the 0.30 version check as it is documented to work as expected in this version
+			$cert_selection_command = "--cert-name $primary_domain";
 		} else {
 			$webroot_args = "$cmd --webroot-path /usr/local/ispconfig/interface/acme";
+			$cert_selection_command = "--expand";
 		}
 
-		$cmd = $letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server $acme_version --rsa-key-size 4096 --email postmaster@$domain $webroot_args";
+		$cmd = $letsencrypt . " certonly -n --text --agree-tos $cert_selection_command --authenticator webroot --server $acme_version --rsa-key-size 4096 --email webmaster@$primary_domain $webroot_args";
 
 		return $cmd;
 	}

Original file line number	Diff line number	Diff line change
`@@ -137,6 +137,7 @@ public function get_certbot_command($domains) {`
`137`	`137`	`return false;`
`138`	`138`	`}`
`139`	`139`
	`140`	`+ $primary_domain = $domains[0];`
`140`	`141`	`$matches = array();`
`141`	`142`	`$ret = null;`
`142`	`143`	`$val = 0;`
`@@ -151,18 +152,22 @@ public function get_certbot_command($domains) {`
`151`	`152`	`$acme_version = 'https://acme-v01.api.letsencrypt.org/directory';`
`152`	`153`	`}`
`153`	`154`	`if (version_compare($letsencrypt_version, '0.30', '>=')) {`
`154`		`- $app->log("LE version is " . $letsencrypt_version . ", so using certificates command", LOGLEVEL_DEBUG);`
	`155`	`+ $app->log("LE version is " . $letsencrypt_version . ", so using certificates command and --cert-name instead of --expand", LOGLEVEL_DEBUG);`
`155`	`156`	`$this->certbot_use_certcommand = true;`
`156`	`157`	`$webroot_map = array();`
`157`	`158`	`for($i = 0; $i < count($domains); $i++) {`
`158`	`159`	`$webroot_map[$domains[$i]] = '/usr/local/ispconfig/interface/acme';`
`159`	`160`	`}`
`160`	`161`	`$webroot_args = "--webroot-map " . escapeshellarg(str_replace(array("\r", "\n"), '', json_encode($webroot_map)));`
	`162`	`+ // --cert-name might be working with earlier versions of certbot, but there is no exact version documented`
	`163`	`+ // So for safety reasons we add it to the 0.30 version check as it is documented to work as expected in this version`
	`164`	`+ $cert_selection_command = "--cert-name $primary_domain";`
`161`	`165`	`} else {`
`162`	`166`	`$webroot_args = "$cmd --webroot-path /usr/local/ispconfig/interface/acme";`
	`167`	`+ $cert_selection_command = "--expand";`
`163`	`168`	`}`
`164`	`169`
`165`		`- $cmd = $letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server $acme_version --rsa-key-size 4096 --email postmaster@$domain $webroot_args";`
	`170`	`+ $cmd = $letsencrypt . " certonly -n --text --agree-tos $cert_selection_command --authenticator webroot --server $acme_version --rsa-key-size 4096 --email webmaster@$primary_domain $webroot_args";`
`166`	`171`
`167`	`172`	`return $cmd;`
`168`	`173`	`}`