- Merged https://github.com/alexalouit/ISPConfig-letsencrypt.git

Marius Cramer

2015-12-08 018c55dd71b17a2db9dc2d5cd21cb44a4963dda5

 server/plugins-available/apache2_plugin.inc.php

@@ -148,6 +148,7 @@

        [ req ]
        default_bits           = 2048
      default_md             = sha256
        default_keyfile        = keyfile.pem
        distinguished_name     = req_distinguished_name
        attributes             = req_attributes
@@ -171,30 +172,34 @@

         $rand_file = escapeshellcmd($rand_file);
         $key_file = escapeshellcmd($key_file);
         $openssl_cmd_key_file = $key_file;
         if(substr($domain, 0, 2) == '*.' && strpos($key_file, '/ssl/\*.') !== false) $key_file = str_replace('/ssl/\*.', '/ssl/*.', $key_file); // wildcard certificate
         $key_file2 = escapeshellcmd($key_file2);
         $openssl_cmd_key_file2 = $key_file2;
         if(substr($domain, 0, 2) == '*.' && strpos($key_file2, '/ssl/\*.') !== false) $key_file2 = str_replace('/ssl/\*.', '/ssl/*.', $key_file2); // wildcard certificate
         $ssl_days = 3650;
         $csr_file = escapeshellcmd($csr_file);
         $openssl_cmd_csr_file = $csr_file;
         if(substr($domain, 0, 2) == '*.' && strpos($csr_file, '/ssl/\*.') !== false) $csr_file = str_replace('/ssl/\*.', '/ssl/*.', $csr_file); // wildcard certificate
         $config_file = escapeshellcmd($ssl_cnf_file);
         $crt_file = escapeshellcmd($crt_file);
         $openssl_cmd_crt_file = $crt_file;
         if(substr($domain, 0, 2) == '*.' && strpos($crt_file, '/ssl/\*.') !== false) $crt_file = str_replace('/ssl/\*.', '/ssl/*.', $crt_file); // wildcard certificate

         if(is_file($ssl_cnf_file) && !is_link($ssl_cnf_file)) {

            exec("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $key_file 2048");
            exec("openssl req -new -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -out $csr_file -days $ssl_days -config $config_file");
            exec("openssl rsa -passin pass:$ssl_password -in $key_file -out $key_file2");
            exec("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $openssl_cmd_key_file 2048");
            exec("openssl req -new -sha256 -passin pass:$ssl_password -passout pass:$ssl_password -key $openssl_cmd_key_file -out $openssl_cmd_csr_file -days $ssl_days -config $config_file");
            exec("openssl rsa -passin pass:$ssl_password -in $openssl_cmd_key_file -out $openssl_cmd_key_file2");

            if(file_exists($web_config['CA_path'].'/openssl.cnf'))
            {
               exec("openssl ca -batch -out $crt_file -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -in $csr_file");
               exec("openssl ca -batch -out $openssl_cmd_crt_file -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -in $openssl_cmd_csr_file");
               $app->log("Creating CA-signed SSL Cert for: $domain", LOGLEVEL_DEBUG);
               if (filesize($crt_file)==0 || !file_exists($crt_file)) $app->log("CA-Certificate signing failed.  openssl ca -out $crt_file -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -in $csr_file", LOGLEVEL_ERROR);
               if (filesize($crt_file)==0 || !file_exists($crt_file)) $app->log("CA-Certificate signing failed.  openssl ca -out $openssl_cmd_crt_file -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -in $openssl_cmd_csr_file", LOGLEVEL_ERROR);
            };
            if (@filesize($crt_file)==0 || !file_exists($crt_file)){
               exec("openssl req -x509 -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -in $csr_file -out $crt_file -days $ssl_days -config $config_file ");
               exec("openssl req -x509 -passin pass:$ssl_password -passout pass:$ssl_password -key $openssl_cmd_key_file -in $openssl_cmd_csr_file -out $openssl_cmd_crt_file -days $ssl_days -config $config_file ");
               $app->log("Creating self-signed SSL Cert for: $domain", LOGLEVEL_DEBUG);
            };

@@ -273,7 +278,7 @@
         $bundle_file = $ssl_dir.'/'.$domain.'.bundle';
         if(file_exists($web_config['CA_path'].'/openssl.cnf') && !is_link($web_config['CA_path'].'/openssl.cnf'))
         {
            exec("openssl ca -batch -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -revoke $crt_file");
            exec("openssl ca -batch -config ".$web_config['CA_path']."/openssl.cnf -passin pass:".$web_config['CA_pass']." -revoke ".escapeshellcmd($crt_file));
            $app->log("Revoking CA-signed SSL Cert for: $domain", LOGLEVEL_DEBUG);
         };
         $app->system->unlink($csr_file);
@@ -344,8 +349,9 @@
         if($data['new']['type'] == 'vhost' || $data['new']['type'] == 'vhostsubdomain') $app->log('document_root not set', LOGLEVEL_WARN);
         return 0;
      }
      if($data['new']['system_user'] == 'root' or $data['new']['system_group'] == 'root') {
         $app->log('Websites cannot be owned by the root user or group.', LOGLEVEL_WARN);
      if($app->system->is_allowed_user($data['new']['system_user'], $app->system->is_user($data['new']['system_user']), true) == false
         || $app->system->is_allowed_group($data['new']['system_group'], $app->system->is_group($data['new']['system_group']), true) == false) {
         $app->log('Websites cannot be owned by the root user or group. User: '.$data['new']['system_user'].' Group: '.$data['new']['system_group'], LOGLEVEL_WARN);
         return 0;
      }
      if(trim($data['new']['domain']) == '') {
@@ -461,6 +467,9 @@
               $app->system->rename($data['new']['document_root'], $data['new']['document_root'].'_bak_'.date('Y_m_d_H_i_s'));
               $app->log('Renaming existing directory in new docroot location. mv '.$data['new']['document_root'].' '.$data['new']['document_root'].'_bak_'.date('Y_m_d_H_i_s'), LOGLEVEL_DEBUG);
            }
				
            //* Unmount the old log directory bfore we move the log dir
            exec('umount '.escapeshellcmd($old_dir.'/log'));

            //* Create new base directory, if it does not exist yet
            if(!is_dir($new_dir)) $app->system->mkdirpath($new_dir);
@@ -486,13 +495,27 @@
         if($apache_chrooted) $this->_exec('chroot '.escapeshellcmd($web_config['website_basedir']).' '.$command);

         //* Change the log mount
         /*
         $fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.'    none    bind';
         $app->system->removeLine('/etc/fstab', $fstab_line);
         $fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.'    none    bind,nobootwait';
         $app->system->removeLine('/etc/fstab', $fstab_line);
         $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.'    none    bind,nobootwait,_netdev    0 0';
         $app->system->replaceLine('/etc/fstab', $fstab_line, $fstab_line, 1, 1);

         $fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.'    none    bind,nobootwait';
         $app->system->removeLine('/etc/fstab', $fstab_line);
         */
			
         $fstab_line_old = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.'    none    bind';
			
         if($web_config['network_filesystem'] == 'y') {
            $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.'    none    bind,nobootwait,_netdev    0 0';
            $app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1);
         } else {
            $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.'    none    bind,nobootwait    0 0';
            $app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1);
         }
			
         exec('mount --bind '.escapeshellarg('/var/log/ispconfig/httpd/'.$data['new']['domain']).' '.escapeshellarg($data['new']['document_root'].'/'.$log_folder));
			
      }

      //print_r($data);
@@ -710,7 +733,7 @@
            $app->system->chmod($data['new']['document_root'].'/ssl', 0755);

            // make tmp directory writable for Apache and the website users
            $app->system->chmod($data['new']['document_root'].'/tmp', 0777);
            $app->system->chmod($data['new']['document_root'].'/tmp', 0770);

            // Set Log directory to 755 to make the logs accessible by the FTP user
            if(realpath($data['new']['document_root'].'/'.$log_folder . '/error.log') == '/var/log/ispconfig/httpd/'.$data['new']['domain'].'/error.log') {
@@ -770,7 +793,7 @@
            $app->system->chmod($data['new']['document_root'].'/cgi-bin', 0755);

            // make temp directory writable for Apache and the website users
            $app->system->chmod($data['new']['document_root'].'/tmp', 0777);
            $app->system->chmod($data['new']['document_root'].'/tmp', 0770);

            // Set Log directory to 755 to make the logs accessible by the FTP user
            if(realpath($data['new']['document_root'].'/'.$log_folder . '/error.log') == '/var/log/ispconfig/httpd/'.$data['new']['domain'].'/error.log') {
@@ -926,6 +949,92 @@
         $app->log('SSL Disabled. '.$domain,LOGLEVEL_DEBUG);
      }
      */

      //* Generate Let's Encrypt SSL certificat
      if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y') {
         $data['new']['ssl_domain'] = $domain;
         $vhost_data['ssl_domain'] = $domain;

         //* be sure to have good domain
         $lddomain = (string) "$domain";
         if($data['new']['subdomain'] == "www" OR $data['new']['subdomain'] == "*") {
            $lddomain .= (string) " --domains www." . $domain;
         }

            $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/cert.pem";
            $key_tmp_file = "/etc/letsencrypt/live/".$domain."/privkey.pem";
            $bundle_tmp_file = "/etc/letsencrypt/live/".$domain."/chain.pem";
            $webroot = $data['new']['document_root']."/web";

            //* check if we have already a Let's Encrypt cert
            if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) {
               $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);

               if(is_dir($webroot . "/.well-known/")) {
                  $app->log("Remove old challenge directory", LOGLEVEL_DEBUG);
                  $this->_exec("rm -rf " . $webroot . "/.well-known/");
               }

               $app->log("Create challenge directory", LOGLEVEL_DEBUG);
               $app->system->mkdirpath($webroot . "/.well-known/");
               $app->system->chown($webroot . "/.well-known/", $data['new']['system_user']);
               $app->system->chgrp($webroot . "/.well-known/", $data['new']['system_group']);
               $app->system->mkdirpath($webroot . "/.well-known/acme-challenge");
               $app->system->chown($webroot . "/.well-known/acme-challenge/", $data['new']['system_user']);
               $app->system->chgrp($webroot . "/.well-known/acme-challenge/", $data['new']['system_group']);
               $app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s");

               $this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot");
            };

            //* check is been correctly created
            if(file_exists($crt_tmp_file) OR file_exists($key_tmp_file)) {
               $date = date("YmdHis");
               if(is_file($key_file)) {
                  $app->system->copy($key_file, $key_file.'.old'.$date);
                  $app->system->chmod($key_file.'.old.'.$date, 0400);
                  $app->system->unlink($key_file);
               }

               if ($web_config["website_symlinks_rel"] == 'y') {
                  $this->create_relative_link(escapeshellcmd($key_tmp_file), escapeshellcmd($key_file));
               } else {
                  exec("ln -s ".escapeshellcmd($key_tmp_file)." ".escapeshellcmd($key_file));
               }

               if(is_file($crt_file)) {
                  $app->system->copy($crt_file, $crt_file.'.old.'.$date);
                  $app->system->chmod($crt_file.'.old.'.$date, 0400);
                  $app->system->unlink($crt_file);
               }

               if($web_config["website_symlinks_rel"] == 'y') {
                  $this->create_relative_link(escapeshellcmd($crt_tmp_file), escapeshellcmd($crt_file));
               } else {
                  exec("ln -s ".escapeshellcmd($crt_tmp_file)." ".escapeshellcmd($crt_file));
               }

               if(is_file($bundle_file)) {
                  $app->system->copy($bundle_file, $bundle_file.'.old.'.$date);
                  $app->system->chmod($bundle_file.'.old.'.$date, 0400);
                  $app->system->unlink($bundle_file);
               }

               if($web_config["website_symlinks_rel"] == 'y') {
                  $this->create_relative_link(escapeshellcmd($bundle_tmp_file), escapeshellcmd($bundle_file));
               } else {
                  exec("ln -s ".escapeshellcmd($bundle_tmp_file)." ".escapeshellcmd($bundle_file));
               }

               /* we don't need to store it.
               /* Update the DB of the (local) Server */
               $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '$ssl_cert', ssl_key = '$ssl_key' WHERE domain = '".$data['new']['domain']."'");
               $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = '".$data['new']['domain']."'");
               /* Update also the master-DB of the Server-Farm */
               $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '$ssl_cert', ssl_key = '$ssl_key' WHERE domain = '".$data['new']['domain']."'");
               $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = '".$data['new']['domain']."'");
            }
         };

      if(@is_file($bundle_file)) $vhost_data['has_bundle_cert'] = 1;

@@ -1205,18 +1314,15 @@

      } else {
         //remove the php fastgi starter script if available
         $fastcgi_starter_script = $fastcgi_config['fastcgi_starter_script'].($data['old']['type'] == 'vhostsubdomain' ? '_web' . $data['old']['domain_id'] : '');
         if ($data['old']['php'] == 'fast-cgi') {
            $fastcgi_starter_path = str_replace('[system_user]', $data['old']['system_user'], $fastcgi_config['fastcgi_starter_path']);
            $fastcgi_starter_path = str_replace('[client_id]', $client_id, $fastcgi_starter_path);
            if($data['old']['type'] == 'vhost') {
               if (is_dir($fastcgi_starter_path)) {
                  exec('rm -rf '.$fastcgi_starter_path);
               }
               if(is_file($fastcgi_starter_script)) @unlink($fastcgi_starter_script);
               if (is_dir($fastcgi_starter_path)) @rmdir($fastcgi_starter_path);
            } else {
               $fcgi_starter_script = $fastcgi_starter_path.$fastcgi_config['fastcgi_starter_script'].'_web' . $data['old']['domain_id'];
               if (file_exists($fcgi_starter_script)) {
                  exec('rm -f '.$fcgi_starter_script);
               }
               if(is_file($fastcgi_starter_script)) @unlink($fastcgi_starter_script);
            }
         }
      }
@@ -1254,8 +1360,11 @@
      $pool_name = 'web'.$data['new']['domain_id'];
      $socket_dir = escapeshellcmd($web_config['php_fpm_socket_dir']);
      if(substr($socket_dir, -1) != '/') $socket_dir .= '/';

      if($data['new']['php_fpm_use_socket'] == 'y'){
		
      $apache_modules = $app->system->getapachemodules();
		
      // Use sockets, but not with apache 2.4 on centos (mod_proxy_fcgi) as socket support is buggy in that version
      if($data['new']['php_fpm_use_socket'] == 'y' && in_array('fastcgi_module',$apache_modules)){
         $use_tcp = 0;
         $use_socket = 1;
      } else {
@@ -1472,7 +1581,7 @@
      if(!is_dir($data['new']['document_root'].'/' . $web_folder . '/stats')) $app->system->mkdir($data['new']['document_root'].'/' . $web_folder . '/stats');
      $ht_file = "AuthType Basic\nAuthName \"Members Only\"\nAuthUserFile ".$data['new']['document_root']."/web/stats/.htpasswd_stats\nrequire valid-user";
      $app->system->file_put_contents($data['new']['document_root'].'/' . $web_folder . '/stats/.htaccess', $ht_file);
      $app->system->chmod($data['new']['document_root'].'/' . $web_folder . '/stats/.htaccess', 0751);
      $app->system->chmod($data['new']['document_root'].'/' . $web_folder . '/stats/.htaccess', 0755);
      unset($ht_file);
      //}

@@ -1482,7 +1591,7 @@
            $app->system->web_folder_protection($data['new']['document_root'], false);
            $app->system->file_put_contents($data['new']['document_root'].'/web/stats/.htpasswd_stats', $htp_file);
            $app->system->web_folder_protection($data['new']['document_root'], true);
            $app->system->chmod($data['new']['document_root'].'/web/stats/.htpasswd_stats', 0751);
            $app->system->chmod($data['new']['document_root'].'/web/stats/.htpasswd_stats', 0755);
            unset($htp_file);
         }
      }
@@ -2641,7 +2750,10 @@
      $tpl->newTemplate('php_fpm_pool.conf.master');
      $tpl->setVar('apache_version', $app->system->getapacheversion());
      
      if($data['new']['php_fpm_use_socket'] == 'y'){
      $apache_modules = $app->system->getapachemodules();
		
      // Use sockets, but not with apache 2.4 on centos (mod_proxy_fcgi) as socket support is buggy in that version
      if($data['new']['php_fpm_use_socket'] == 'y' && in_array('fastcgi_module',$apache_modules)){
         $use_tcp = 0;
         $use_socket = 1;
         if(!is_dir($socket_dir)) $app->system->mkdirpath($socket_dir);