Commit 5c4d5508 authored by laking's avatar laking

Implemented local CA certificate signing.

parent 0930f5fc
......@@ -186,4 +186,6 @@ $conf['cron']['init_script'] = 'crond';
$conf['cron']['crontab_dir'] = '/etc/cron.d';
$conf['cron']['wget'] = '/usr/bin/wget';
$conf['CA-path'] = '/etc/pki/CA';
?>
......@@ -186,4 +186,6 @@ $conf['cron']['init_script'] = 'crond';
$conf['cron']['crontab_dir'] = '/etc/cron.d';
$conf['cron']['wget'] = '/usr/bin/wget';
$conf['CA-path'] = '/etc/pki/CA';
?>
......@@ -190,5 +190,8 @@ $conf['vlogger']['config_dir'] = '/etc';
$conf['cron']['init_script'] = 'cron';
$conf['cron']['crontab_dir'] = '/etc/cron.d';
$conf['cron']['wget'] = '/usr/bin/wget';
$conf['CA-path'] = '/etc/ssl';
?>
......@@ -190,5 +190,8 @@ $conf['vlogger']['config_dir'] = '/etc';
$conf['cron']['init_script'] = 'cron';
$conf['cron']['crontab_dir'] = '/etc/cron.d';
$conf['cron']['wget'] = '/usr/bin/wget';
$conf['CA-path'] = '/etc/ssl';
?>
......@@ -186,4 +186,6 @@ $conf['cron']['init_script'] = 'crond';
$conf['cron']['crontab_dir'] = '/etc/cron.d';
$conf['cron']['wget'] = '/usr/bin/wget';
$conf['CA-path'] = '/etc/pki/CA';
?>
......@@ -202,4 +202,7 @@ $conf['cron']['init_script'] = 'vixie-cron';
$conf['cron']['crontab_dir'] = '/etc/cron.d';
$conf['cron']['group'] = 'cron';
$conf['cron']['wget'] = '/usr/bin/wget';
$conf['CA-path'] = '/etc/ssl';
?>
......@@ -186,4 +186,6 @@ $conf['cron']['init_script'] = 'cron';
$conf['cron']['crontab_dir'] = '/etc/cron.d';
$conf['cron']['wget'] = '/usr/bin/wget';
$conf['CA-path'] = '/etc/ssl';
?>
......@@ -186,4 +186,6 @@ $conf['cron']['init_script'] = 'cron';
$conf['cron']['crontab_dir'] = '/etc/cron.d';
$conf['cron']['wget'] = '/usr/bin/wget';
$conf['CA-path'] = '/etc/ssl';
?>
......@@ -695,6 +695,10 @@ class installer_dist extends installer_base {
$content = str_replace('{server_id}', $conf['server_id'], $content);
$content = str_replace('{ispconfig_log_priority}', $conf['ispconfig_log_priority'], $content);
$content = str_replace('{language}', $conf['language'], $content);
if (!$conf['CA-enabled']) $content = str_replace('$conf[\'CA', '//$conf[\'CA', $content);
$content = str_replace('{CA-path}', $conf['CA-path'], $content);
$content = str_replace('{CA-pass}', $conf['CA-pass'], $content);
wf("$install_dir/server/lib/$configfile", $content);
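Review bot: The `!$conf['CA-enabled']` test and the `{CA-pass}` substitution read keys that are only assigned when the interactive CA prompt in install.php/update.php actually ran; on any install path that skips that prompt both `$conf['CA-enabled']` and `$conf['CA-pass']` are undefined, which raises notices and hands null to str_replace. Making the disabled case explicit avoids that: `if(empty($conf['CA-enabled'])) $content = str_replace('$conf[\'CA', '//$conf[\'CA', $content);` and `$content = str_replace('{CA-pass}', isset($conf['CA-pass']) ? $conf['CA-pass'] : '', $content);`. Note also that the substitution still runs after the lines were commented out, so a passphrase entered before the CA was disabled lands in clear text in the written config file; whatever sets that file's mode is outside this hunk. The same lines appear in the later installer_dist hunk (@@ -708) and in the installer hunk (@@ -667).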
......
......@@ -667,6 +667,10 @@ class installer extends installer_base
$this->write_config_file("$install_dir/interface/lib/$configfile", $content);
if(!$conf['CA-enabled']) $content = str_replace('$conf[\'CA','//$conf[\'CA', $content);
$content = str_replace('{CA-path}', $conf['CA-path'], $content);
$content = str_replace('{CA-pass}', $conf['CA-pass'], $content);
//* Create the config file for ISPConfig server
$this->write_config_file("$install_dir/server/lib/$configfile", $content);
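Review bot: The CA substitution happens after the interface config was already written from the same `$content` on the first line of the hunk, so the interface copy keeps the literal `{CA-path}` and `{CA-pass}` placeholders while only the server copy gets real values. If that is intended — keeping the CA passphrase out of the web-facing config is a sound choice — it deserves a comment at the substitution, e.g. `//* CA settings are substituted into the server config only; the interface copy keeps the placeholders so the CA passphrase never reaches the web tier`. If it is not intended, the interface template lines should at least be blanked rather than left as placeholders. The enclosing method starts and ends outside the hunk.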
......
......@@ -708,6 +708,10 @@ class installer_dist extends installer_base {
$content = str_replace('{ispconfig_log_priority}', $conf['ispconfig_log_priority'], $content);
$content = str_replace('{language}', $conf['language'], $content);
if(!$conf['CA-enabled']) $content = str_replace('$conf[\'CA','//$conf[\'CA', $content);
$content = str_replace('{CA-path}', $conf['CA-path'], $content);
$content = str_replace('{CA-pass}', $conf['CA-pass'], $content);
wf("$install_dir/server/lib/$configfile", $content);
//* Create the config file for remote-actions (but only, if it does not exist, because
......
......@@ -438,6 +438,19 @@ if($install_mode == 'standard') {
$inst->configure_firewall();
}
//** Configure CA
if(strtolower($inst->simple_query('Should this installation use a local CA to default-sign certificates?',array('y','n'),'n')) == 'y') {
$conf['CA-enabled'] = true;
$conf['CA-path'] = $inst->free_query('Path to the CA folder: ', $conf['CA-path']);
$conf['CA-pass'] = $inst->free_query('Root Certificate Passphrase', '');
if(!is_file($conf['CA-path'].'/openssl.cnf'))
{
swriteln('ERROR. '.$conf['CA-path'].'/openssl.cnf not found.');
$conf['CA-enabled'] = false;
}
//$inst->configure_ca();
} else {$conf['CA-enabled'] = false;};
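Review bot: When the `openssl.cnf` check fails, only `CA-enabled` is reset while `$conf['CA-pass']` keeps the passphrase the user just typed, and the installer's later `{CA-pass}` substitution still writes it into the server config file; the error branch should clear it, `$conf['CA-pass'] = '';`, and the `is_file` check would be better placed before the passphrase prompt so the user is not asked for a secret that cannot be used. The stray `;` after the closing brace on the `else` line is harmless but should go. The update.php hunk (@@ -303) duplicates this block and has the same issues.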
//** Configure ISPConfig :-)
if(strtolower($inst->simple_query('Install ISPConfig Web Interface',array('y','n'),'y')) == 'y') {
swriteln('Installing ISPConfig');
......
......@@ -157,6 +157,10 @@ $conf['interface_logout_url'] = ''; // example: http://www.domain.tld/
$conf['start_db'] = true;
$conf['start_session'] = true;
//** CA-configuration
$conf['CA-path'] = '{CA-path}';
$conf['CA-pass'] = '{CA-pass}';
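Review bot: `CA-pass` is the passphrase of the local CA's private key and it is stored here in clear text, which the file does not say; a comment above the assignment would warn the next maintainer, e.g. `//** CA-pass is the clear-text passphrase of the CA private key; this file must not be readable by other users`. Where the written file's permissions are set is not visible on this page.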
//** Constants
define('LOGLEVEL_DEBUG',0);
......
......@@ -303,6 +303,20 @@ if($reconfigure_services_answer == 'yes') {
//}
}
//** Configure CA
if(strtolower($inst->simple_query('Should this installation use a local CA to default-sign certificates?',array('y','n'),'n')) == 'y') {
$conf['CA-enabled'] = true;
$conf['CA-path'] = $inst->free_query('Path to the CA folder: ', $conf['CA-path']);
$conf['CA-pass'] = $inst->free_query('Root Certificate Passphrase', '');
if(!is_file($conf['CA-path'].'/openssl.cnf'))
{
swriteln('ERROR. '.$conf['CA-path'].'/openssl.cnf not found.');
$conf['CA-enabled'] = false;
}
//$inst->configure_ca();
} else {$conf['CA-enabled'] = false;};
//** Configure ISPConfig
swriteln('Updating ISPConfig');
......
......@@ -137,8 +137,18 @@ class apache2_plugin {
$crt_file = escapeshellcmd($crt_file);
if(is_file($ssl_cnf_file)) {
exec("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $key_file 2048 && openssl req -new -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -out $csr_file -days $ssl_days -config $config_file && openssl req -x509 -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -in $csr_file -out $crt_file -days $ssl_days -config $config_file && openssl rsa -passin pass:$ssl_password -in $key_file -out $key_file2");
$app->log('Creating SSL Cert for: '.$domain,LOGLEVEL_DEBUG);
exec("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $key_file 2048");
exec("openssl req -new -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -out $csr_file -days $ssl_days -config $config_file");
if(isset($conf['CA-path']) && isset($conf['CA-pass']) )
{
exec("openssl ca -batch -out $crt_file -config ".$conf['CA-path']."/openssl.cnf -passin pass:".$conf['CA-pass']." -in $csr_file");
$app->log("Creating CA-signed SSL Cert for: $domain",LOGLEVEL_DEBUG);
} else{
exec("openssl req -x509 -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -in $csr_file -out $crt_file -days $ssl_days -config $config_file ");
$app->log("Creating self-signed SSL Cert for: $domain",LOGLEVEL_DEBUG);
};
exec("openssl rsa -passin pass:$ssl_password -in $key_file -out $key_file2");
}
exec('chmod 400 '.$key_file2);
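Review bot: `$conf['CA-path']` and `$conf['CA-pass']` are interpolated into the `openssl ca` command without any escaping, unlike the file paths that go through `escapeshellcmd` just above the hunk; a passphrase containing a quote, space or `$` breaks the command or changes its meaning, so both should go through `escapeshellarg`. Splitting the former `&&` chain into separate `exec` calls also dropped failure propagation: if `genrsa` or `req -new` fails, the signing and the `rsa` export still run and leave empty or missing files, which is presumably what the `filesize` guard in the later vhost hunk (@@ -597) is compensating for. Checking the exit status between steps restores the old behaviour, and `isset` should be tightened to `$conf['CA-pass'] !== ''` since the installer allows an empty passphrase. The same unescaped interpolation is in the revoke hunk (@@ -178). This assumes `$conf` is imported into the method with `global`, which is outside the hunk.
```php
$app->log('Creating SSL Cert for: '.$domain,LOGLEVEL_DEBUG);
exec("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $key_file 2048", $out, $rc);
if($rc === 0) exec("openssl req -new -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -out $csr_file -days $ssl_days -config $config_file", $out, $rc);
if($rc === 0) {
    if(isset($conf['CA-path']) && isset($conf['CA-pass']) && $conf['CA-pass'] !== '') {
        $ca_cnf = escapeshellarg($conf['CA-path'].'/openssl.cnf');
        $ca_pass = escapeshellarg('pass:'.$conf['CA-pass']);
        exec("openssl ca -batch -out $crt_file -config $ca_cnf -passin $ca_pass -in $csr_file", $out, $rc);
        $app->log("Creating CA-signed SSL Cert for: $domain",LOGLEVEL_DEBUG);
    } else {
        exec("openssl req -x509 -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -in $csr_file -out $crt_file -days $ssl_days -config $config_file", $out, $rc);
        $app->log("Creating self-signed SSL Cert for: $domain",LOGLEVEL_DEBUG);
    }
}
if($rc === 0) exec("openssl rsa -passin pass:$ssl_password -in $key_file -out $key_file2", $out, $rc);
if($rc !== 0) $app->log("openssl failed while creating SSL Cert for: $domain",LOGLEVEL_WARN);
// … unchanged: closing brace of the is_file($ssl_cnf_file) block and chmod of $key_file2 …
```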
......@@ -178,6 +188,11 @@ class apache2_plugin {
$csr_file = $ssl_dir.'/'.$domain.'.csr';
$crt_file = $ssl_dir.'/'.$domain.'.crt';
$bundle_file = $ssl_dir.'/'.$domain.'.bundle';
if(isset($conf['CA-path']) && isset($conf['CA-pass']) )
{
exec("openssl ca -batch -config ".$conf['CA-path']."/openssl.cnf -passin pass:".$conf['CA-pass']." -revoke $crt_file");
$app->log("Revoking CA-signed SSL Cert for: $domain",LOGLEVEL_DEBUG);
};
unlink($csr_file);
unlink($crt_file);
unlink($bundle_file);
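Review bot: `openssl ca -revoke` only marks the certificate in the CA's index; any client or service that consults this CA's CRL will not see the revocation until `openssl ca -gencrl` is run, which this hunk does not do, so either add that step or document that the CA database alone is updated here. The revoke also runs for every site once CA settings exist, including certificates that were self-signed before the CA was enabled; that `exec` fails and its status is ignored, which is acceptable but worth a comment such as `// revoke fails harmlessly for certs that were self-signed before the CA was enabled`. The stray `;` after the closing brace should go. The enclosing method starts and ends outside the hunk.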
......@@ -597,7 +612,7 @@ class apache2_plugin {
$crt_file = $ssl_dir.'/'.$domain.'.crt';
$bundle_file = $ssl_dir.'/'.$domain.'.bundle';
if($data['new']['ssl'] == 'y' && @is_file($crt_file) && @is_file($key_file)) {
if($data['new']['ssl'] == 'y' && @is_file($crt_file) && @is_file($key_file) && (@filesize($crt_file)>0) && (@filesize($key_file)>0)) {
$vhost_data['ssl_enabled'] = 1;
$app->log('Enable SSL for: '.$domain,LOGLEVEL_DEBUG);
} else {
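Review bot: The added `filesize` guards stop the vhost from pointing at empty cert or key files, but they do so silently — the site is configured without SSL and the only trace is the debug-level log in the `else` branch, which is outside the hunk. A short comment explaining why zero-length files are expected here would help, e.g. `// empty files are left behind when an openssl step failed during cert creation`, and an explicit warning-level log entry in the `else` branch when `ssl == 'y'` but the files are unusable would make the failure visible to the admin.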
......