Merge branch '5767-installer-does-not-issue-le-certificate' into 'develop'

Till Brehm · Till Brehm · commit f01582320ccd · 2020-09-24T15:30:27.000+02:00
Resolve "Installer does not issue LE certificate"

Closes #5767

See merge request ispconfig/ispconfig3!1213
diff --git a/install/install.php b/install/install.php
@@ -545,6 +545,7 @@
 }
 
 //** Configure ISPConfig :-)
+$issue_tried = false;
 $install_ispconfig_interface_default = ($conf['mysql']['master_slave_setup'] == 'y')?'n':'y';
 if($install_mode == 'standard' || strtolower($inst->simple_query('Install ISPConfig Web Interface', array('y', 'n'), $install_ispconfig_interface_default,'install_ispconfig_web_interface')) == 'y') {
 	swriteln('Installing ISPConfig');
@@ -571,6 +572,7 @@
 
 	if(strtolower($inst->simple_query('Do you want a secure (SSL) connection to the ISPConfig web interface', array('y', 'n'), 'y','ispconfig_use_ssl')) == 'y') {
 		$inst->make_ispconfig_ssl_cert();
+		$issue_tried = true;
 	}
 	$inst->install_ispconfig_interface = true;
 
@@ -580,7 +582,7 @@
 
 // Create SSL certs for non-webserver(s)?
 if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
-    if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y') {
+    if(!$issue_tried && strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y') {
         $inst->make_ispconfig_ssl_cert();
 	}
 } else {
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
@@ -2835,12 +2835,18 @@ public function make_ispconfig_ssl_cert() {
 		}
 
 		swriteln('Using certificate path ' . $acme_cert_dir);
+		$ip_address_match = false;
 		if(!(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
 			swriteln('Server\'s public ip(s) (' . $svr_ip4 . ($svr_ip6 ? ', ' . $svr_ip6 : '') . ') not found in A/AAAA records for ' . $hostname . ': ' . implode(', ', $dns_ips));
+			if(strtolower($inst->simple_query('Ignore DNS check and continue to request certificate?', array('y', 'n') , 'n','ignore_hostname_dns')) == 'y') {
+				$ip_address_match = true;
+			}
+		} else {
+			$ip_address_match = true;
 		}
 
 
-		if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && (($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
+		if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {
 
 			// This script is needed earlier to check and open http port 80 or standalone might fail
 			// Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install
@@ -3003,7 +3009,7 @@ public function make_ispconfig_ssl_cert() {
 				}
 			}
 		} else {
-			if(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips))) {
+			if($ip_address_match) {
 				// the directory already exists so we have to assume that it was created previously
 				$issued_successfully = true;
 			}
diff --git a/install/update.php b/install/update.php
@@ -519,6 +519,7 @@
 //** Configure ISPConfig
 swriteln('Updating ISPConfig');
 
+$issue_tried = false;
 // create acme vhost
 if($conf['nginx']['installed'] == true) {
 	$inst->make_acme_vhost('nginx'); // we need this config file but we don't want nginx to be restarted at this point
@@ -541,13 +542,15 @@
 	// $ispconfig_ssl_default = (is_ispconfig_ssl_enabled() == true)?'y':'n';
 	if(strtolower($inst->simple_query('Create new ISPConfig SSL certificate', array('yes', 'no'), 'no','create_new_ispconfig_ssl_cert')) == 'yes') {
 		$inst->make_ispconfig_ssl_cert();
+		$issue_tried = true;
 	}
 }
 
 // Create SSL certs for non-webserver(s)?
 if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
-    if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
+    if(!$issue_tried && strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y') {
         $inst->make_ispconfig_ssl_cert();
+	}
 } else {
 	swriteln('Certificate exists. Not creating a new one.');
 }

Original file line number	Diff line number	Diff line change
`@@ -545,6 +545,7 @@`
`545`	`545`	`}`
`546`	`546`
`547`	`547`	`//** Configure ISPConfig :-)`
	`548`	`+$issue_tried = false;`
`548`	`549`	`$install_ispconfig_interface_default = ($conf['mysql']['master_slave_setup'] == 'y')?'n':'y';`
`549`	`550`	`if($install_mode == 'standard' \|\| strtolower($inst->simple_query('Install ISPConfig Web Interface', array('y', 'n'), $install_ispconfig_interface_default,'install_ispconfig_web_interface')) == 'y') {`
`550`	`551`	`swriteln('Installing ISPConfig');`
`@@ -571,6 +572,7 @@`
`571`	`572`
`572`	`573`	`if(strtolower($inst->simple_query('Do you want a secure (SSL) connection to the ISPConfig web interface', array('y', 'n'), 'y','ispconfig_use_ssl')) == 'y') {`
`573`	`574`	`$inst->make_ispconfig_ssl_cert();`
	`575`	`+ $issue_tried = true;`
`574`	`576`	`}`
`575`	`577`	`$inst->install_ispconfig_interface = true;`
`576`	`578`
`@@ -580,7 +582,7 @@`
`580`	`582`
`581`	`583`	`// Create SSL certs for non-webserver(s)?`
`582`	`584`	`if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {`
`583`		`- if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y') {`
	`585`	`+ if(!$issue_tried && strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y') {`
`584`	`586`	`$inst->make_ispconfig_ssl_cert();`
`585`	`587`	`}`
`586`	`588`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -2835,12 +2835,18 @@ public function make_ispconfig_ssl_cert() {`
`2835`	`2835`	`}`
`2836`	`2836`
`2837`	`2837`	`swriteln('Using certificate path ' . $acme_cert_dir);`
	`2838`	`+ $ip_address_match = false;`
`2838`	`2839`	`if(!(($svr_ip4 && in_array($svr_ip4, $dns_ips)) \|\| ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {`
`2839`	`2840`	`swriteln('Server\'s public ip(s) (' . $svr_ip4 . ($svr_ip6 ? ', ' . $svr_ip6 : '') . ') not found in A/AAAA records for ' . $hostname . ': ' . implode(', ', $dns_ips));`
	`2841`	`+ if(strtolower($inst->simple_query('Ignore DNS check and continue to request certificate?', array('y', 'n') , 'n','ignore_hostname_dns')) == 'y') {`
	`2842`	`+ $ip_address_match = true;`
	`2843`	`+ }`
	`2844`	`+ } else {`
	`2845`	`+ $ip_address_match = true;`
`2840`	`2846`	`}`
`2841`	`2847`
`2842`	`2848`
`2843`		`- if ((!@is_dir($acme_cert_dir) \|\| !@file_exists($check_acme_file) \|\| !@file_exists($ssl_crt_file) \|\| md5_file($check_acme_file) != md5_file($ssl_crt_file)) && (($svr_ip4 && in_array($svr_ip4, $dns_ips)) \|\| ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {`
	`2849`	`+ if ((!@is_dir($acme_cert_dir) \|\| !@file_exists($check_acme_file) \|\| !@file_exists($ssl_crt_file) \|\| md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {`
`2844`	`2850`
`2845`	`2851`	`// This script is needed earlier to check and open http port 80 or standalone might fail`
`2846`	`2852`	`// Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install`
`@@ -3003,7 +3009,7 @@ public function make_ispconfig_ssl_cert() {`
`3003`	`3009`	`}`
`3004`	`3010`	`}`
`3005`	`3011`	`} else {`
`3006`		`- if(($svr_ip4 && in_array($svr_ip4, $dns_ips)) \|\| ($svr_ip6 && in_array($svr_ip6, $dns_ips))) {`
	`3012`	`+ if($ip_address_match) {`
`3007`	`3013`	`// the directory already exists so we have to assume that it was created previously`
`3008`	`3014`	`$issued_successfully = true;`
`3009`	`3015`	`}`