Vesta SSL Certificate Management

Author: Serghey Rodin

bin/v-change-sys-vesta-ssl

@@ -0,0 +1,77 @@
+#!/bin/bash
+# info: change vesta ssl certificate
+# options: SSL_DIR [RESTART]
+#
+# The function changes vesta SSL certificate and the key.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+domain='certificate'
+ssl_dir=$1
+restart=$2
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/func/domain.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'SSL_DIR [RESTART]'
+is_format_valid 'ssl_dir'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking new certificate
+certificate=$(cat $ssl_dir/$domain.crt |grep -n END)
+certificate_count=$(echo "$certificate" |wc -l)
+if [ "$certificate_count" -gt 1 ]; then
+    crt_end=$(echo "$certificate" |head -n1 |cut -f 1 -d :)
+    crt_lines=$(wc -l $ssl_dir/$domain.crt |cut -f1 -d ' ')
+    pem_begin=$((crt_lines - crt_end))
+    mv $ssl_dir/$domain.crt $ssl_dir/$domain.crt_full
+    head -n $crt_end $ssl_dir/$domain.crt_full > $ssl_dir/$domain.crt
+    tail -n $pem_begin $ssl_dir/$domain.crt_full > $ssl_dir/$domain.ca
+    is_web_domain_cert_valid
+    mv -f $ssl_dir/$domain.crt_full $ssl_dir/$domain.crt
+    rm -f $ssl_dir/$domain.ca
+else
+    is_web_domain_cert_valid
+fi
+
+# Moving old certificate
+mv $VESTA/ssl/certificate.crt $VESTA/ssl/certificate.crt.back
+mv $VESTA/ssl/certificate.key $VESTA/ssl/certificate.key.back
+
+# Adding new certificate
+cp -f $ssl_dir/certificate.crt $VESTA/ssl/certificate.crt
+cp -f $ssl_dir/certificate.key $VESTA/ssl/certificate.key
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Restarting web server
+if [ "$restart" != 'no' ]; then
+    kill -HUP $(cat /var/run/vesta-nginx.pid)
+    $BIN/v-restart-mail
+    if [ ! -z "$IMAP_SYSTEM" ]; then
+        v-restart-service "$IMAP_SYSTEM"
+    fi
+fi
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit

bin/v-list-sys-vesta-ssl

@@ -0,0 +1,130 @@
+#!/bin/bash
+# info: list vesta ssl certificate
+# options: [FORMAT]
+#
+# The function of obtaining vesta ssl files.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+format=${1-shell}
+
+# Includes
+source $VESTA/func/main.sh
+
+# JSON list function
+json_list() {
+    echo '{'
+    echo -e "\t\"VESTA\": {"
+    echo "        \"CRT\": \"$crt\","
+    echo "        \"KEY\": \"$key\","
+    echo "        \"CA\": \"$ca\","
+    echo "        \"SUBJECT\": \"$subj\","
+    echo "        \"ALIASES\": \"$alt_dns\","
+    echo "        \"NOT_BEFORE\": \"$before\","
+    echo "        \"NOT_AFTER\": \"$after\","
+    echo "        \"SIGNATURE\": \"$signature\","
+    echo "        \"PUB_KEY\": \"$pub_key\","
+    echo "        \"ISSUER\": \"$issuer\""
+    echo -e "\t}\n}"
+}
+
+# SHELL list function
+shell_list() {
+    if [ ! -z "$crt" ]; then
+        echo -e "$crt"
+    fi
+    if [ ! -z "$key" ]; then
+        echo -e "\n$key"
+    fi
+    if [ ! -z "$crt" ]; then
+        echo
+        echo
+        echo "SUBJECT:        $subj"
+        if [ ! -z "$alt_dns" ]; then
+            echo "ALIASES:        ${alt_dns//,/ }"
+        fi
+        echo "VALID FROM:     $before"
+        echo "VALID TIL:      $after"
+        echo "SIGNATURE:      $signature"
+        echo "PUB_KEY:        $pub_key"
+        echo "ISSUER:         $issuer"
+    fi
+}
+
+# PLAIN list function
+plain_list() {
+    if [ ! -z "$crt" ]; then
+        echo -e "$crt"
+    fi
+    if [ ! -z "$key" ]; then
+        echo -e "\n$key"
+    fi
+    if [ ! -z "$ca" ]; then
+        echo -e "\n$ca"
+    fi
+    if [ ! -z "$crt" ]; then
+        echo "$subj"
+        echo "${alt_dns//,/ }"
+        echo "$before"
+        echo "$after"
+        echo "$signature"
+        echo "$pub_key"
+        echo "$issuer"
+    fi
+
+}
+
+# CSV list function
+csv_list() {
+    echo -n "CRT,KEY,CA,SUBJECT,ALIASES,NOT_BEFORE,NOT_AFTER,SIGNATURE,"
+    echo "PUB_KEY,ISSUER"
+    echo -n "\"$crt\",\"$key\",\"$ca\",\"$subj\",\"${alt_dns//,/ }\","
+    echo "\"$before\",\"$after\",\"$signature\",\"$pub_key\",\"$issuer\""
+}
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Parsing SSL certificate
+crt=$(cat $VESTA/ssl/certificate.crt |sed ':a;N;$!ba;s/\n/\\n/g')
+key=$(cat $VESTA/ssl/certificate.crt |sed ':a;N;$!ba;s/\n/\\n/g')
+
+# Parsing SSL certificate details without CA
+info=$(openssl x509 -text -in $VESTA/ssl/certificate.crt)
+subj=$(echo "$info" |grep Subject: |cut -f 2 -d =)
+before=$(echo "$info" |grep Before: |sed -e "s/.*Before: //")
+after=$(echo "$info" |grep "After :" |sed -e "s/.*After : //")
+signature=$(echo "$info" |grep "Algorithm:" |head -n1 )
+signature=$(echo "$signature"| sed -e "s/.*Algorithm: //")
+pub_key=$(echo "$info" |grep Public-Key: |cut -f2 -d \( | tr -d \))
+issuer=$(echo "$info" |grep Issuer: |sed -e "s/.*Issuer: //")
+alt_dns=$(echo "$info" |grep DNS |sed -e 's/DNS:/\n/g' |tr -d ',')
+alt_dns=$(echo "$alt_dns" |tr -d ' ' |sed -e "/^$/d")
+alt_dns=$(echo "$alt_dns" |sed -e ':a;N;$!ba;s/\n/,/g')
+
+# Listing data
+case $format in
+    json)   json_list ;;
+    plain)  plain_list ;;
+    csv)    csv_list ;;
+    shell)  shell_list ;;
+esac
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+exit

web/edit/server/index.php

@@ -78,6 +78,21 @@
     }
 }
 
+// List ssl certificate info
+exec (VESTA_CMD."v-list-sys-vesta-ssl json", $output, $return_var);
+$ssl_str = json_decode(implode('', $output), true);
+unset($output);
+$v_ssl_crt = $ssl_str['VESTA']['CRT'];
+$v_ssl_key = $ssl_str['VESTA']['KEY'];
+$v_ssl_ca = $ssl_str['VESTA']['CA'];
+$v_ssl_subject = $ssl_str['VESTA']['SUBJECT'];
+$v_ssl_aliases = $ssl_str['VESTA']['ALIASES'];
+$v_ssl_not_before = $ssl_str['VESTA']['NOT_BEFORE'];
+$v_ssl_not_after = $ssl_str['VESTA']['NOT_AFTER'];
+$v_ssl_signature = $ssl_str['VESTA']['SIGNATURE'];
+$v_ssl_pub_key = $ssl_str['VESTA']['PUB_KEY'];
+$v_ssl_issuer = $ssl_str['VESTA']['ISSUER'];
+
 // Check POST request
 if (!empty($_POST['save'])) {
 
@@ -178,7 +193,6 @@
         }
     }
 
-
     // Update webmail url
     if (empty($_SESSION['error_msg'])) {
         if ($_POST['v_mail_url'] != $_SESSION['MAIL_URL']) {
@@ -231,7 +245,6 @@
         }
     }
 
-
     // Change backup gzip level
     if (empty($_SESSION['error_msg'])) {
         if ($_POST['v_backup_gzip'] != $v_backup_gzip ) {
@@ -323,7 +336,6 @@
         }
     }
 
-
     // Delete remote backup host
     if (empty($_SESSION['error_msg'])) {
         if ((empty($_POST['v_backup_host'])) && (!empty($v_backup_host))) {
@@ -340,6 +352,49 @@
         }
     }
 
+    // Update SSL certificate
+    if ((!empty($_POST['v_ssl_crt'])) && (empty($_SESSION['error_msg']))) {
+        if (($v_ssl_crt != str_replace("\r\n", "\n",  $_POST['v_ssl_crt'])) || ($v_ssl_key != str_replace("\r\n", "\n",  $_POST['v_ssl_key']))) {
+            exec ('mktemp -d', $mktemp_output, $return_var);
+            $tmpdir = $mktemp_output[0];
+
+            // Certificate
+            if (!empty($_POST['v_ssl_crt'])) {
+                $fp = fopen($tmpdir."/certificate.crt", 'w');
+                fwrite($fp, str_replace("\r\n", "\n",  $_POST['v_ssl_crt']));
+                fwrite($fp, "\n");
+                fclose($fp);
+            }
+
+            // Key
+            if (!empty($_POST['v_ssl_key'])) {
+                $fp = fopen($tmpdir."/certificate.key", 'w');
+                fwrite($fp, str_replace("\r\n", "\n", $_POST['v_ssl_key']));
+                fwrite($fp, "\n");
+                fclose($fp);
+            }
+
+            exec (VESTA_CMD."v-change-sys-vesta-ssl ".$tmpdir, $output, $return_var);
+            check_return_code($return_var,$output);
+            unset($output);
+
+            // List ssl certificate info
+            exec (VESTA_CMD."v-list-sys-vesta-ssl json", $output, $return_var);
+            $ssl_str = json_decode(implode('', $output), true);
+            unset($output);
+            $v_ssl_crt = $ssl_str['VESTA']['CRT'];
+            $v_ssl_key = $ssl_str['VESTA']['KEY'];
+            $v_ssl_ca = $ssl_str['VESTA']['CA'];
+            $v_ssl_subject = $ssl_str['VESTA']['SUBJECT'];
+            $v_ssl_aliases = $ssl_str['VESTA']['ALIASES'];
+            $v_ssl_not_before = $ssl_str['VESTA']['NOT_BEFORE'];
+            $v_ssl_not_after = $ssl_str['VESTA']['NOT_AFTER'];
+            $v_ssl_signature = $ssl_str['VESTA']['SIGNATURE'];
+            $v_ssl_pub_key = $ssl_str['VESTA']['PUB_KEY'];
+            $v_ssl_issuer = $ssl_str['VESTA']['ISSUER'];
+        }
+    }
+
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
         $_SESSION['ok_msg'] = __('Changes has been saved.');
@@ -375,7 +430,6 @@
         }
     }
 
-
     // activating filemanager licence
     if (empty($_SESSION['error_msg'])) {
         if($_SESSION['FILEMANAGER_KEY'] != $_POST['v_filemanager_licence'] && $_POST['v_filemanager'] == 'yes'){
@@ -410,11 +464,14 @@
 // Check system configuration
 exec (VESTA_CMD . "v-list-sys-config json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
+unset($output);
+
 $sys_arr = $data['config'];
 foreach ($sys_arr as $key => $value) {
     $_SESSION[$key] = $value;
 }
 
+
 // Render page
 render_page($user, $TAB, 'edit_server');