From 83246e6892f216319567960d7a40969a088b5f92 Mon Sep 17 00:00:00 2001
From: Jesse Norell <jesse@kci.net>
Date: Fri, 29 Jan 2021 09:29:17 -0700
Subject: [PATCH] set umask before calling acme.sh

---
 install/lib/installer_base.lib.php     | 6 ++++++
 server/lib/classes/letsencrypt.inc.php | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 688fd32a83..dabbfd6d79 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -3023,6 +3023,9 @@ class installer_base {
 
 				swriteln('acme.sh is installed, overriding certificate path to use ' . $acme_cert_dir);
 
+				# acme.sh does not set umask, resulting in incorrect permissions (ispconfig issue #6015)
+				$old_umask = umask(0022);
+
 				$out = null;
 				$ret = null;
 				if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
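Review bot: The umask widened on line 3026 is restored in two separate branches (the hunks at 3047 and 3060) rather than once, which is fragile: any return or exception between line 3030 and those branches — lines 3032–3046 are outside this patch — leaves the installer process at 0022 for the rest of the run, and a later edit to either branch can silently drop a restore. Restoring once after the if/else that both hunks belong to would confine the widened umask to the acme.sh calls with a single `umask($old_umask);`. Separately, under a 0022 umask any file acme.sh creates in this window defaults to 0644 unless acme.sh applies its own mode, so the private key path passed in `$acme_key` should be verified owner-only after install-cert (e.g. `chmod(0600, <key file path>);`) — worth confirming against the acme.sh version in use. The `#` comment on line 3026 also differs from the `//` comments used elsewhere in this method; `// acme.sh does not set umask, resulting in incorrect permissions (ispconfig issue #6015)` would match.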
@@ -3044,6 +3047,7 @@ class installer_base {
 					$acme_chain = "--fullchain-file " . escapeshellarg($ssl_crt_file);
 					exec("$acme --install-cert -d " . escapeshellarg($hostname) . " $acme_key $acme_chain");
 					$issued_successfully = true;
+					umask($old_umask);
 
 					// Make temporary backup of self-signed certs permanent
 					if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
@@ -3056,6 +3060,8 @@ class installer_base {
 				} else {
 					swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');
 
+					umask($old_umask);
+
 					// Restore temporary backup of self-signed certs
 					if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
 						rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
diff --git a/server/lib/classes/letsencrypt.inc.php b/server/lib/classes/letsencrypt.inc.php
index a118d55769..17bc37826c 100644
--- a/server/lib/classes/letsencrypt.inc.php
+++ b/server/lib/classes/letsencrypt.inc.php
@@ -399,11 +399,13 @@ class letsencrypt {
 		$this->certbot_use_certcommand = false;
 		$letsencrypt_cmd = '';
 		$allow_return_codes = null;
+		$old_umask = umask(0022);  # work around acme.sh permission bug, see #6015
 		if($use_acme) {
 			$letsencrypt_cmd = $this->get_acme_command($temp_domains, $key_file, $bundle_file, $crt_file, $server_type);
 			$allow_return_codes = array(2);
 		} else {
 			$letsencrypt_cmd = $this->get_certbot_command($temp_domains);
+			umask($old_umask);
 		}
 
 		$success = false;
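Review bot: The umask is changed on line 402 under `if($use_acme)` (a truthiness check) but the final restore in the hunk at line 425 runs only under `if($use_acme === true)`, so a `$use_acme` value that is truthy but not the boolean `true` sets 0022 and never restores it; the same leak applies to any early return between line 411 and line 423, which are outside this patch. Setting the umask only inside the acme branch avoids the set-then-undo in the else branch: drop line 402 and the `umask($old_umask);` in the else, and make `$old_umask = umask(0022);  # work around acme.sh permission bug, see #6015` the first statement after `if($use_acme) {`. Restoring immediately after the command is executed, before the `if($use_acme === true)` check, would make the restore independent of that comparison. The enclosing method starts and ends outside both hunks.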
@@ -420,6 +422,7 @@ class letsencrypt {
 		}
 
 		if($use_acme === true) {
+			umask($old_umask);
 			if(!$success) {
 				$app->log('Let\'s Encrypt SSL Cert for: ' . $domain . ' could not be issued.', LOGLEVEL_WARN);
 				$app->log($letsencrypt_cmd, LOGLEVEL_WARN);
-- 
GitLab