- revert CAA checks from !1128 until we have a solid method for getting the...

- revert CAA checks from !1128 until we have a solid method for getting the correct CAA domain from a host name

- revert CAA checks from !1128 until we have a solid method for getting the...
49a081d1 · Marius Burkard · 98ba3c40 · 49a081d1
Commit 49a081d1 authored 4 years ago by Marius Burkard
--- a/server/lib/classes/letsencrypt.inc.php
+++ b/server/lib/classes/letsencrypt.inc.php
@@ -373,38 +373,13 @@ class letsencrypt {
 			if((isset($web_config['skip_le_check']) && $web_config['skip_le_check'] == 'y') || (isset($server_config['migration_mode']) && $server_config['migration_mode'] == 'y')) {
 				$le_domains[] = $temp_domain;
 			} else {
-				//check caa-record
+				$le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file));
-				$caa_check = false;
+				if($le_hash_check == $le_rnd_hash) {
-				$caa_domain = $temp_domain;
+					$le_domains[] = $temp_domain;
-				$count = substr_count($caa_domain, '.');
+					$app->log("Verified domain " . $temp_domain . " should be reachable for letsencrypt.", LOGLEVEL_DEBUG);
-				if($count === 2) {
-					if(strlen(explode('.', $caa_domain)[1]) > 3) {
-						$caa_domain = explode('.', $caa_domain, 2)[1];
- 					}
-				} else if($count > 2) {
-					$caa_domain = get_domain(explode('.', $caa_domain, 2)[1]);
-				}
-				$caa_records = @dns_get_record($caa_domain, DNS_CAA); // requieres PHP 7.0.16, 7.1.2
-				if(is_array($caa_records) && !empty($caa_records)) {
-					foreach ($caa_records as $record) {
-						if($record['value'] == 'letsencrypt.org') $caa_check = true;
-					}
-				} else {
-					$caa_check = true;
-				}
-				if($caa_check === true) {
-					$le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file));
-					if($le_hash_check == $le_rnd_hash) {
-						$le_domains[] = $temp_domain;
-						$app->log("Verified domain " . $temp_domain . " should be reachable for letsencrypt.", LOGLEVEL_DEBUG);
-					} else {
-						$app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN);
-					}
 				} else {
-					$app->log("Incomplete CAA-Records for " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN);
+					$app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN);
 				}
 			}
 		}
 		$temp_domains = $le_domains;