- wildcard domains not supported by letsencrypt, yet

Marius Cramer

2015-12-08 46230badbe21f7c4337fef7369defd6f2372a5cf

 server/plugins-available/nginx_plugin.inc.php

@@ -475,7 +475,8 @@
            }
            
            //* Unmount the old log directory bfore we move the log dir
            exec('umount '.escapeshellcmd($old_dir.'/log'));
            //exec('fuser -km '.escapeshellcmd($old_dir.'/log'));
            exec('umount '.escapeshellcmd($data['old']['document_root'].'/log'));

            //* Create new base directory, if it does not exist yet
            if(!is_dir($new_dir)) $app->system->mkdirpath($new_dir);
@@ -557,6 +558,7 @@
         $app->system->removeLine('/etc/fstab', $fstab_line);

         //* Unmount log directory
         //exec('fuser -km '.escapeshellarg($data['old']['document_root'].'/'.$old_log_folder));
         exec('umount '.escapeshellarg($data['old']['document_root'].'/'.$old_log_folder));
      }

@@ -570,7 +572,8 @@
         $app->system->chmod($data['new']['document_root'].'/'.$log_folder, 0755);
         exec('mount --bind '.escapeshellarg('/var/log/ispconfig/httpd/'.$data['new']['domain']).' '.escapeshellarg($data['new']['document_root'].'/'.$log_folder));
         //* add mountpoint to fstab
         $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.'    none    bind,nobootwait,_netdev    0 0';
         $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.'    none    bind,nobootwait';
         $fstab_line .= @($web_config['network_filesystem'] == 'y')?',_netdev    0 0':'    0 0';
         $app->system->replaceLine('/etc/fstab', $fstab_line, $fstab_line, 1, 1);
      }

@@ -1139,9 +1142,97 @@

      // Check if a SSL cert exists
      $ssl_dir = $data['new']['document_root'].'/ssl';
      if(!isset($data['new']['ssl_domain']) OR empty($data['new']['ssl_domain'])) { $data['new']['ssl_domain'] = $data['new']['domain']; }
      $domain = $data['new']['ssl_domain'];
      $tpl->setVar('ssl_domain', $domain);
      $key_file = $ssl_dir.'/'.$domain.'.key';
      $crt_file = $ssl_dir.'/'.$domain.'.crt';


      $tpl->setVar('ssl_letsencrypt', "n");
      //* Generate Let's Encrypt SSL certificat
      if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y') {
         //* be sure to have good domain
         if(substr($domain, 0, 2) === '*.') {
            // wildcard domain not yet supported by letsencrypt!
            $app->log('Wildcard domains not yet supported by letsencrypt, so changing ' . $domain . ' to ' . substr($domain, 2), LOGLEVEL_WARN);
            $domain = substr($domain, 2);
         }
			
         $data['new']['ssl_domain'] = $domain;
         $vhost_data['ssl_domain'] = $domain;
			
         $lddomain = (string) "$domain";
         if($data['new']['subdomain'] == "www" OR $data['new']['subdomain'] == "*") {
            $lddomain .= (string) " --domains www." . $domain;
         }

         $tpl->setVar('ssl_letsencrypt', "y");
         //* TODO: check dns entry is correct
         $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/fullchain.pem";
         $key_tmp_file = "/etc/letsencrypt/live/".$domain."/privkey.pem";
         $webroot = $data['new']['document_root']."/web";

         //* check if we have already a Let's Encrypt cert
         if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) {
            $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);

            if(is_dir($webroot . "/.well-known/")) {
               $app->log("Remove old challenge directory", LOGLEVEL_DEBUG);
               $this->_exec("rm -rf " . $webroot . "/.well-known/");
            }

            $app->log("Create challenge directory", LOGLEVEL_DEBUG);
            $app->system->mkdirpath($webroot . "/.well-known/");
            $app->system->chown($webroot . "/.well-known/", $$data['new']['system_user']);
            $app->system->chgrp($webroot . "/.well-known/", $data['new']['system_group']);
            $app->system->mkdirpath($webroot . "/.well-known/acme-challenge");
            $app->system->chown($webroot . "/.well-known/acme-challenge/", $data['new']['system_user']);
            $app->system->chgrp($webroot . "/.well-known/acme-challenge/", $data['new']['system_group']);
            $app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s");
				
            if(file_exists("/root/.local/share/letsencrypt/bin/letsencrypt")) {
               $this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain --domains $lddomain --webroot-path " . escapeshellarg($webroot));
            }
         };

         //* check is been correctly created
         if(file_exists($crt_tmp_file) OR file_exists($key_tmp_file)) {
               $date = date("YmdHis");
//* TODO: check if is a symlink, if target same keep it, either remove it
            if(is_file($key_file)) {
               $app->system->copy($key_file, $key_file.'.old'.$date);
               $app->system->chmod($key_file.'.old.'.$date, 0400);
               $app->system->unlink($key_file);
            }

            if ($web_config["website_symlinks_rel"] == 'y') {
               $this->create_relative_link(escapeshellcmd($key_tmp_file), escapeshellcmd($key_file));
            } else {
               exec("ln -s ".escapeshellcmd($key_tmp_file)." ".escapeshellcmd($key_file));
            }

            if(is_file($crt_file)) {
               $app->system->copy($crt_file, $crt_file.'.old.'.$date);
               $app->system->chmod($crt_file.'.old.'.$date, 0400);
               $app->system->unlink($crt_file);
            }

            if($web_config["website_symlinks_rel"] == 'y') {
               $this->create_relative_link(escapeshellcmd($crt_tmp_file), escapeshellcmd($crt_file));
            } else {
               exec("ln -s ".escapeshellcmd($crt_tmp_file)." ".escapeshellcmd($crt_file));
            }

            /* we don't need to store it.
            /* Update the DB of the (local) Server */
            $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '', ssl_key = '' WHERE domain = '".$data['new']['domain']."'");
            $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = '".$data['new']['domain']."'");
            /* Update also the master-DB of the Server-Farm */
            $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '', ssl_key = '' WHERE domain = '".$data['new']['domain']."'");
            $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = '".$data['new']['domain']."'");
         }
      };

      if($domain!='' && $data['new']['ssl'] == 'y' && @is_file($crt_file) && @is_file($key_file) && (@filesize($crt_file)>0)  && (@filesize($key_file)>0)) {
         $vhost_data['ssl_enabled'] = 1;
@@ -1880,10 +1971,12 @@
         if(is_array($log_folders) && !empty($log_folders)){
            foreach($log_folders as $log_folder){
               //if($app->system->is_mounted($data['old']['document_root'].'/'.$log_folder)) exec('umount '.escapeshellarg($data['old']['document_root'].'/'.$log_folder));
               //exec('fuser -km '.escapeshellarg($data['old']['document_root'].'/'.$log_folder).' 2>/dev/null');
               exec('umount '.escapeshellarg($data['old']['document_root'].'/'.$log_folder).' 2>/dev/null');
            }
         } else {
            //if($app->system->is_mounted($data['old']['document_root'].'/'.$log_folder)) exec('umount '.escapeshellarg($data['old']['document_root'].'/'.$log_folder));
            //exec('fuser -km '.escapeshellarg($data['old']['document_root'].'/'.$log_folder).' 2>/dev/null');
            exec('umount '.escapeshellarg($data['old']['document_root'].'/'.$log_folder).' 2>/dev/null');
         }
      }