From 632f1566be6d3a0f153ed1e7fbe4a0716d260d63 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Wed, 02 Mar 2016 07:18:56 -0500
Subject: [PATCH] - removed unneeded security check (Fixes #3785)

---
 server/plugins-available/nginx_plugin.inc.php |   94 +++++++++++++++++++++++++++++++++--------------
 1 files changed, 66 insertions(+), 28 deletions(-)

diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index 52bf73d..b3276e4 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -156,10 +156,10 @@
 
         [ req_distinguished_name ]
         C                      = ".trim($data['new']['ssl_country'])."
-        ST                     = ".trim($data['new']['ssl_state'])."
-        L                      = ".trim($data['new']['ssl_locality'])."
-        O                      = ".trim($data['new']['ssl_organisation'])."
-        OU                     = ".trim($data['new']['ssl_organisation_unit'])."
+        " . (trim($data['new']['ssl_state']) == '' ? '' : "ST                     = ".trim($data['new']['ssl_state'])) . "
+        " . (trim($data['new']['ssl_locality']) == '' ? '' : "L                      = ".trim($data['new']['ssl_locality']))."
+        " . (trim($data['new']['ssl_organisation']) == '' ? '' : "O                      = ".trim($data['new']['ssl_organisation']))."
+        " . (trim($data['new']['ssl_organisation_unit']) == '' ? '' : "OU                     = ".trim($data['new']['ssl_organisation_unit']))."
         CN                     = $domain
         emailAddress           = webmaster@".$data['new']['domain']."
 
@@ -1231,7 +1231,7 @@
 
 
 		$tpl->setVar('ssl_letsencrypt', "n");
-		//* Generate Let's Encrypt SSL certificat
+		
 		if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y') {
 			//* be sure to have good domain
 			if(substr($domain, 0, 2) === '*.') {
@@ -1239,14 +1239,66 @@
 				$app->log('Wildcard domains not yet supported by letsencrypt, so changing ' . $domain . ' to ' . substr($domain, 2), LOGLEVEL_WARN);
 				$domain = substr($domain, 2);
 			}
-			
+
 			$data['new']['ssl_domain'] = $domain;
 			$vhost_data['ssl_domain'] = $domain;
-			
-			$lddomain = (string) "$domain";
-			if($data['new']['subdomain'] == "www" OR $data['new']['subdomain'] == "*") {
-				$lddomain .= (string) " --domains www." . $domain;
+		}
+		
+		//* Generate Let's Encrypt SSL certificat
+		if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y' && ( // ssl and let's encrypt is active
+			($data['old']['ssl'] == 'n' || $data['old']['ssl_letsencrypt'] == 'n') // we have new let's encrypt configuration
+			|| ($data['old']['domain'] != $data['new']['domain']) // we have domain update
+			|| ($data['old']['subdomain'] != $data['new']['subdomain']) // we have new or update on "auto" subdomain
+			|| ($data['new']['type'] == 'subdomain') // we have new or update on subdomain
+			|| ($data['old']['type'] == 'alias' || $data['new']['type'] == 'alias') // we have new or update on alias domain
+		)) {
+			// default values
+			$temp_domains = array();
+			$lddomain     = $domain;
+			$subdomains   = null;
+			$aliasdomains = null;
+			$sub_prefixes = array();
+
+ 			//* be sure to have good domain
+ 			if($data['new']['subdomain'] == "www" OR $data['new']['subdomain'] == "*") {
+				$temp_domains[] = "www." . $domain;
 			}
+
+			//* then, add subdomain if we have
+			$subdomains = $app->db->queryAllRecords('SELECT domain FROM web_domain WHERE parent_domain_id = '.intval($data['new']['domain_id'])." AND active = 'y' AND type = 'subdomain'");
+			if(is_array($subdomains)) {
+				foreach($subdomains as $subdomain) {
+					$temp_domains[] = $subdomain['domain'];
+					$sub_prefixes[] = str_replace($domain, "", $subdomain['domain']);
+				}
+ 			}
+
+			//* then, add alias domain if we have
+			$aliasdomains = $app->db->queryAllRecords('SELECT domain,subdomain FROM web_domain WHERE parent_domain_id = '.intval($data['new']['domain_id'])." AND active = 'y' AND type = 'alias'");
+			if(is_array($aliasdomains)) {
+				foreach($aliasdomains as $aliasdomain) {
+					$temp_domains[] = $aliasdomain['domain'];
+					if(isset($aliasdomain['subdomain']) && ! empty($aliasdomain['subdomain'])) {
+						$temp_domains[] = $aliasdomain['subdomain'] . "." . $aliasdomain['domain'];
+					}
+					
+					foreach($sub_prefixes as $s) {
+						$temp_domains[] = $s . $aliasdomain['domain'];
+					}
+				}
+			}
+
+			// prevent duplicate
+			$temp_domains = array_unique($temp_domains);
+
+			// generate cli format
+			foreach($temp_domains as $temp_domain) {
+				$lddomain .= (string) " --domains " . $temp_domain;
+			}
+
+			// useless data
+			unset($subdomains);
+			unset($temp_domains);
 
 			$tpl->setVar('ssl_letsencrypt', "y");
 			//* TODO: check dns entry is correct
@@ -1258,31 +1310,17 @@
 			if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) {
 				$app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);
 
-				if(is_dir($webroot . "/.well-known/")) {
-					$app->log("Remove old challenge directory", LOGLEVEL_DEBUG);
-					$this->_exec("rm -rf " . $webroot . "/.well-known/");
-				}
-
-				$app->log("Create challenge directory", LOGLEVEL_DEBUG);
-				$app->system->mkdirpath($webroot . "/.well-known/");
-				$app->system->chown($webroot . "/.well-known/", $$data['new']['system_user']);
-				$app->system->chgrp($webroot . "/.well-known/", $data['new']['system_group']);
-				$app->system->mkdirpath($webroot . "/.well-known/acme-challenge");
-				$app->system->chown($webroot . "/.well-known/acme-challenge/", $data['new']['system_user']);
-				$app->system->chgrp($webroot . "/.well-known/acme-challenge/", $data['new']['system_group']);
-				$app->system->chmod($webroot . "/.well-known/acme-challenge", "g+s");
-				
 				if(file_exists("/root/.local/share/letsencrypt/bin/letsencrypt")) {
-					$this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain --domains $lddomain --webroot-path " . escapeshellarg($webroot));
+					$this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain --domains $lddomain --webroot-path /usr/local/ispconfig/interface/acme");
 				}
 			};
 
 			//* check is been correctly created
 			if(file_exists($crt_tmp_file) OR file_exists($key_tmp_file)) {
-					$date = date("YmdHis");
-//* TODO: check if is a symlink, if target same keep it, either remove it
+				$date = date("YmdHis");
+				//* TODO: check if is a symlink, if target same keep it, either remove it
 				if(is_file($key_file)) {
-					$app->system->copy($key_file, $key_file.'.old'.$date);
+					$app->system->copy($key_file, $key_file.'.old.'.$date);
 					$app->system->chmod($key_file.'.old.'.$date, 0400);
 					$app->system->unlink($key_file);
 				}

--
Gitblit v1.9.1