diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index e262f31fa52f54ecb89f00695b447d2677728bef..5c2d78c8c82437d4aab3bf1fba5ed247eb7d9c80 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -2720,6 +2720,42 @@ class installer_base {
 return $response;
 }
 
+ private function make_acme_vhost($server_name, $server = 'apache') {
+ global $conf;
+
+ $use_template = 'apache_acme.vhost.master';
+ if($server === 'nginx') {
+ $use_template = 'nginx_acme.vhost.master';
+ }
+
+ $vhost_conf_dir = $conf[$server]['vhost_conf_dir'];
+ $vhost_conf_enabled_dir = $conf[$server]['vhost_conf_enabled_dir'];
+
+ $tpl = new tpl($use_template);
+ $tpl->setVar('domain', $server_name);
+
+ if($server !== 'nginx') {
+ $tpl->setVar('apache_version',getapacheversion());
+ }
+
+ wf($vhost_conf_dir.'/acme.vhost', $tpl->grab());
+
+ if(@is_link($vhost_conf_enabled_dir.'/999-acme.vhost')) {
+ unlink($vhost_conf_enabled_dir.'/999-acme.vhost');
+ }
+ if(!@is_link($vhost_conf_enabled_dir.'/999-acme.vhost')) {
+ symlink($vhost_conf_dir.'/acme.vhost', $vhost_conf_enabled_dir.'/999-acme.vhost');
+ }
+
+ if($conf[$server]['installed'] == true && $conf[$server]['init_script'] != '') {
+ if($this->is_update) {
+ system($this->getinitcommand($conf[$server]['init_script'], 'force-reload').' &> /dev/null || ' . $this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
+ } else {
+ system($this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
+ }
+ }
+ }
+
 public function make_ispconfig_ssl_cert() {
 global $conf, $autoinstall;
 
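Review bot: The two `system()` calls at the end of `make_acme_vhost` rely on `&> /dev/null`, which is a bash-only redirection; `system()` runs through `/bin/sh`, and where that is dash (the Debian/Ubuntu default) `cmd &> /dev/null` is parsed as `cmd &` followed by a bare redirection, so the reload is backgrounded, its exit status is lost and the `|| … restart` fallback never runs. Use POSIX redirection instead: `... 'force-reload').' > /dev/null 2>&1 || ' . ... 'restart').' > /dev/null 2>&1'` (and the same in the `else` branch). Separately, the second `@is_link()` check is always true once the first branch has removed the symlink, and neither check notices a regular file left at `999-acme.vhost`, in which case `symlink()` fails with only a suppressed warning; `if(is_link($link) || is_file($link)) { unlink($link); } symlink(...)` covers both. The return values of `wf()` and `symlink()` are also unchecked, so a vhost that was never written or enabled surfaces only later as a failed challenge.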
@@ -2802,13 +2838,18 @@ class installer_base {
 
 $acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
 $acme = reset($acme);
 
+ // first of all create the acme vhosts if not existing
+ if($conf['nginx']['installed'] == true) {
+ $this->make_acme_vhost($hostname, 'nginx');
+ } elseif($conf['apache']['installed'] == true) {
+ $this->make_acme_vhost($hostname, 'apache');
+ }
+
 // Attempt to use Neilpang acme.sh first, as it is now the preferred LE client
 if (is_executable($acme)) {
- if($conf['nginx']['installed'] == true) {
- exec("$acme --issue --nginx -d $hostname $renew_hook");
- } elseif($conf['apache']['installed'] == true) {
- exec("$acme --issue --apache -d $hostname $renew_hook");
+ if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
+ exec("$acme --issue -w /usr/local/ispconfig/interface/acme -d $hostname $renew_hook");
 }
 // Else, it is not webserver, so we use standalone
 else {
@@ -2840,10 +2881,8 @@ class installer_base {
 $certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096';
 
 // If this is a webserver
- if($conf['nginx']['installed'] == true)
- exec("$le_client $certonly $acme_version --nginx --email postmaster@$hostname -d $hostname $renew_hook");
- elseif($conf['apache']['installed'] == true)
- exec("$le_client $certonly $acme_version --apache --email postmaster@$hostname -d $hostname $renew_hook");
+ if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true)
+ exec("$le_client $certonly $acme_version --authenticator webroot --webroot-path /usr/local/ispconfig/interface/acme --email postmaster@$hostname -d $hostname $renew_hook");
 // Else, it is not webserver, so we use standalone
 else
 exec("$le_client $certonly $acme_version --standalone --email postmaster@$hostname -d $hostname $hook");
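Review bot: The webroot `/usr/local/ispconfig/interface/acme` is spelled out as a literal in the acme.sh call here (`-w`), in the certbot call in the following hunk (`--webroot-path`), and in both new vhost templates; a single constant or `$conf` entry would keep the four copies in step. Nothing in this diff creates that directory, and both clients need it to exist and be writable before `--issue`/`certonly` runs (they create `.well-known/acme-challenge/` beneath it themselves) — if it is not created elsewhere in the installer, an `if(!is_dir($acme_root)) mkdir($acme_root, 0755, true);` before the `make_acme_vhost()` calls is needed. Because the new vhost is only reloaded inside `make_acme_vhost()` with output discarded, a reload or config failure (for instance when another `:80` vhost that sorts before `999-acme.vhost` already claims `$hostname`) leaves the challenge pointing at the wrong document root with no diagnostic; checking the reload result before issuing would make that visible. While these `exec()` lines are being rewritten, the interpolated `$hostname` should be passed through `escapeshellarg()`. The enclosing `make_ispconfig_ssl_cert()` starts and ends outside these hunks.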
diff --git a/install/tpl/apache_acme.vhost.master b/install/tpl/apache_acme.vhost.master
new file mode 100644
index 0000000000000000000000000000000000000000..59ece91c00b9a3f66342bbae95e07cec25358c09
--- /dev/null
+++ b/install/tpl/apache_acme.vhost.master
@@ -0,0 +1,18 @@
+<VirtualHost *:80>
+
+ ServerName <tmpl_var name='domain'>
+
+ DocumentRoot /usr/local/ispconfig/interface/acme
+
+ <Directory /usr/local/ispconfig/interface/acme>
+ AllowOverride None
+ <tmpl_if name='apache_version' op='>' value='2.2' format='version'>
+ Require all granted
+ <tmpl_else>
+ Order allow,deny
+ Allow from all
+ </tmpl_if>
+ </Directory>
+
+</VirtualHost>
+
diff --git a/install/tpl/nginx_acme.vhost.master b/install/tpl/nginx_acme.vhost.master
new file mode 100644
index 0000000000000000000000000000000000000000..d7c576b04d35e06180cea48db6ff933914ec917c
--- /dev/null
+++ b/install/tpl/nginx_acme.vhost.master
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name <tmpl_var name='domain'>;
+
+ root /usr/local/ispconfig/interface/acme;
+
+ autoindex off;
+ index index.html;
+
+ ## Disable .htaccess and other hidden files
+ location ~ / {
+ deny all;
+ }
+
+ ## Allow access for .well-known/acme-challenge
+ location ^~ /.well-known/acme-challenge/ {
+ access_log off;
+ log_not_found off;
+ auth_basic off;
+ root /usr/local/ispconfig/interface/acme/;
+ try_files $uri $uri/ =404;
+ }
+}
\ No newline at end of file
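Review bot: The `<Directory /usr/local/ispconfig/interface/acme>` block grants access to the entire document root, whereas the nginx template in the same commit denies everything except `/.well-known/acme-challenge/`; under Apache any file that lands in that directory becomes reachable on port 80 for the server hostname, and without `Options -Indexes` a request for `/` may return a directory listing where `mod_autoindex` is active. Denying at directory level and granting only the challenge path in a `<Location>` block mirrors the nginx rules and limits exposure to the challenge tokens themselves; the 2.2 branch of the `<tmpl_if>` keeps the same shape with `Deny from all` in the directory and `Allow from all` in the location.
```apache
# … unchanged: <VirtualHost>, ServerName, DocumentRoot …
	<Directory /usr/local/ispconfig/interface/acme>
		AllowOverride None
		Options -Indexes
		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
		Require all denied
		<tmpl_else>
		Order allow,deny
		Deny from all
		</tmpl_if>
	</Directory>

	<Location /.well-known/acme-challenge/>
		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
		Require all granted
		<tmpl_else>
		Order allow,deny
		Allow from all
		</tmpl_if>
	</Location>
```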
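Review bot: The `location ~ / { deny all; }` block does not do what its comment says: as a regex, `~ /` matches every URI, so it denies all requests other than the `^~` prefix location below, not just `.htaccess` and other hidden files. If dotfiles are the intent, the usual form is `location ~ /\. { deny all; }`; if denying all non-challenge traffic on this vhost is intended (the `^~` prefix location still wins for the challenge path), the comment should say so, e.g. `## Deny everything except the acme-challenge path below`. Either way the comment and the rule should agree, since the next maintainer will read the comment as the rule.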