Merge branch '6015_letsencrypt_token_permissions' into 'develop'

acme.sh and missing letsencrypt client fixes Closes #6015 See merge request ispconfig/ispconfig3!1396

Merge branch '6015_letsencrypt_token_permissions' into 'develop'
11071719 · Marius Burkard · c0db0194 · 76647e89 · 11071719 · 11071719
Commit 11071719 authored 4 years ago by Marius Burkard
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -2977,6 +2977,9 @@ class installer_base {

 				swriteln('acme.sh is installed, overriding certificate path to use ' . $acme_cert_dir);

+				# acme.sh does not set umask, resulting in incorrect permissions (ispconfig issue #6015)
+				$old_umask = umask(0022);
+
 				$out = null;
 				$ret = null;
 				if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
@@ -2998,6 +3001,7 @@ class installer_base {
 					$acme_chain = "--fullchain-file " . escapeshellarg($ssl_crt_file);
 					exec("$acme --install-cert -d " . escapeshellarg($hostname) . " $acme_key $acme_chain");
 					$issued_successfully = true;
+					umask($old_umask);

 					// Make temporary backup of self-signed certs permanent
 					if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
@@ -3010,6 +3014,8 @@ class installer_base {
 				} else {
 					swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');

+					umask($old_umask);
+
 					// Restore temporary backup of self-signed certs
 					if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
 						rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);

--- a/server/lib/classes/letsencrypt.inc.php
+++ b/server/lib/classes/letsencrypt.inc.php
@@ -317,8 +317,15 @@ class letsencrypt {
 		if($this->get_acme_script()) {
 			$use_acme = true;
 		} elseif(!$this->get_certbot_script()) {
+			$app->log("Unable to find Let's Encrypt client, installing acme.sh.", LOGLEVEL_DEBUG);
 			// acme and le missing
 			$this->install_acme();
+			if($this->get_acme_script()) {
+				$use_acme = true;
+			} else {
+				$app->log("Unable to install acme.sh.  Cannot proceed, no Let's Encrypt client found.", LOGLEVEL_WARN);
+				return false;
+			}
 		}

 		$tmp = $app->letsencrypt->get_website_certificate_paths($data);
@@ -399,11 +406,13 @@ class letsencrypt {
 		$this->certbot_use_certcommand = false;
 		$letsencrypt_cmd = '';
 		$allow_return_codes = null;
+		$old_umask = umask(0022);  # work around acme.sh permission bug, see #6015
 		if($use_acme) {
 			$letsencrypt_cmd = $this->get_acme_command($temp_domains, $key_file, $bundle_file, $crt_file, $server_type);
 			$allow_return_codes = array(2);
 		} else {
 			$letsencrypt_cmd = $this->get_certbot_command($temp_domains);
+			umask($old_umask);
 		}

 		$success = false;
@@ -420,6 +429,7 @@ class letsencrypt {
 		}

 		if($use_acme === true) {
+			umask($old_umask);
 			if(!$success) {
 				$app->log('Let\'s Encrypt SSL Cert for: ' . $domain . ' could not be issued.', LOGLEVEL_WARN);
 				$app->log($letsencrypt_cmd, LOGLEVEL_WARN);