- Do not try to issue a certificate a second time

Marius Burkard · Marius Burkard · commit ebcab3571c5e · 2020-09-24T14:59:28.000+02:00
diff --git a/install/install.php b/install/install.php
@@ -537,6 +537,7 @@
 }
 
 //** Configure ISPConfig :-)
+$issue_tried = false;
 $install_ispconfig_interface_default = ($conf['mysql']['master_slave_setup'] == 'y')?'n':'y';
 if($install_mode == 'standard' || strtolower($inst->simple_query('Install ISPConfig Web Interface', array('y', 'n'), $install_ispconfig_interface_default,'install_ispconfig_web_interface')) == 'y') {
 	swriteln('Installing ISPConfig');
@@ -563,6 +564,7 @@
 
 	if(strtolower($inst->simple_query('Do you want a secure (SSL) connection to the ISPConfig web interface', array('y', 'n'), 'y','ispconfig_use_ssl')) == 'y') {
 		$inst->make_ispconfig_ssl_cert();
+		$issue_tried = true;
 	}
 	$inst->install_ispconfig_interface = true;
 
@@ -572,8 +574,9 @@
 
 // Create SSL certs for non-webserver(s)?
 if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
-    if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
+    if(!$issue_tried && strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y') {
         $inst->make_ispconfig_ssl_cert();
+	}
 } else {
 	swriteln('Certificate exists. Not creating a new one.');
 }
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
@@ -2838,12 +2838,18 @@ public function make_ispconfig_ssl_cert() {
 		}
 
 		swriteln('Using certificate path ' . $acme_cert_dir);
+		$ip_address_match = false;
 		if(!(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
 			swriteln('Server\'s public ip(s) (' . $svr_ip4 . ($svr_ip6 ? ', ' . $svr_ip6 : '') . ') not found in A/AAAA records for ' . $hostname . ': ' . implode(', ', $dns_ips));
+			if(strtolower($inst->simple_query('Ignore DNS check and continue to request certificate?', array('y', 'n') , 'n','ignore_hostname_dns')) == 'y') {
+				$ip_address_match = true;
+			}
+		} else {
+			$ip_address_match = true;
 		}
 
 
-		if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && (($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
+		if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {
 
 			// This script is needed earlier to check and open http port 80 or standalone might fail
 			// Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install
@@ -3002,7 +3008,7 @@ public function make_ispconfig_ssl_cert() {
 			if($conf['apache']['installed'] == true) {
 				$this->make_acme_vhost($hostname, 'apache', false); // we need this config file but we don't want apache to be restarted at this point
 			}
-			if(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips))) {
+			if($ip_address_match) {
 				// the directory already exists so we have to assume that it was created previously
 				$issued_successfully = true;
 			}
diff --git a/install/update.php b/install/update.php
@@ -519,6 +519,7 @@
 //** Configure ISPConfig
 swriteln('Updating ISPConfig');
 
+$issue_tried = false;
 if ($inst->install_ispconfig_interface) {
 	//** Customise the port ISPConfig runs on
 	$ispconfig_port_number = get_ispconfig_port_number();
@@ -533,13 +534,15 @@
 	// $ispconfig_ssl_default = (is_ispconfig_ssl_enabled() == true)?'y':'n';
 	if(strtolower($inst->simple_query('Create new ISPConfig SSL certificate', array('yes', 'no'), 'no','create_new_ispconfig_ssl_cert')) == 'yes') {
 		$inst->make_ispconfig_ssl_cert();
+		$issue_tried = true;
 	}
 }
 
 // Create SSL certs for non-webserver(s)?
 if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
-    if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
+    if(!$issue_tried && strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y') {
         $inst->make_ispconfig_ssl_cert();
+	}
 } else {
 	swriteln('Certificate exists. Not creating a new one.');
 }

Original file line number	Diff line number	Diff line change
`@@ -2838,12 +2838,18 @@ public function make_ispconfig_ssl_cert() {`
`2838`	`2838`	`}`
`2839`	`2839`
`2840`	`2840`	`swriteln('Using certificate path ' . $acme_cert_dir);`
	`2841`	`+ $ip_address_match = false;`
`2841`	`2842`	`if(!(($svr_ip4 && in_array($svr_ip4, $dns_ips)) \|\| ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {`
`2842`	`2843`	`swriteln('Server\'s public ip(s) (' . $svr_ip4 . ($svr_ip6 ? ', ' . $svr_ip6 : '') . ') not found in A/AAAA records for ' . $hostname . ': ' . implode(', ', $dns_ips));`
	`2844`	`+ if(strtolower($inst->simple_query('Ignore DNS check and continue to request certificate?', array('y', 'n') , 'n','ignore_hostname_dns')) == 'y') {`
	`2845`	`+ $ip_address_match = true;`
	`2846`	`+ }`
	`2847`	`+ } else {`
	`2848`	`+ $ip_address_match = true;`
`2843`	`2849`	`}`
`2844`	`2850`
`2845`	`2851`
`2846`		`- if ((!@is_dir($acme_cert_dir) \|\| !@file_exists($check_acme_file) \|\| !@file_exists($ssl_crt_file) \|\| md5_file($check_acme_file) != md5_file($ssl_crt_file)) && (($svr_ip4 && in_array($svr_ip4, $dns_ips)) \|\| ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {`
	`2852`	`+ if ((!@is_dir($acme_cert_dir) \|\| !@file_exists($check_acme_file) \|\| !@file_exists($ssl_crt_file) \|\| md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {`
`2847`	`2853`
`2848`	`2854`	`// This script is needed earlier to check and open http port 80 or standalone might fail`
`2849`	`2855`	`// Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install`
`@@ -3002,7 +3008,7 @@ public function make_ispconfig_ssl_cert() {`
`3002`	`3008`	`if($conf['apache']['installed'] == true) {`
`3003`	`3009`	`$this->make_acme_vhost($hostname, 'apache', false); // we need this config file but we don't want apache to be restarted at this point`
`3004`	`3010`	`}`
`3005`		`- if(($svr_ip4 && in_array($svr_ip4, $dns_ips)) \|\| ($svr_ip6 && in_array($svr_ip6, $dns_ips))) {`
	`3011`	`+ if($ip_address_match) {`
`3006`	`3012`	`// the directory already exists so we have to assume that it was created previously`
`3007`	`3013`	`$issued_successfully = true;`
`3008`	`3014`	`}`