do not create or renew LE certificates on active migration mode, fixes #4702

5f3c7335 · Marius Burkard · 71aeb3b1 · 5f3c7335 · 5f3c7335
Commit 5f3c7335 authored Jul 13, 2017 by Marius Burkard
--- a/server/lib/classes/cron.d/900-letsencrypt.inc.php
+++ b/server/lib/classes/cron.d/900-letsencrypt.inc.php
@@ -49,30 +49,35 @@ class cronjob_letsencrypt extends cronjob {

 	public function onRunJob() {
 		global $app, $conf;
-
-		$letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt'));
-		$letsencrypt = reset($letsencrypt);
-		if(is_executable($letsencrypt)) {
-			$version = exec($letsencrypt . ' --version  2>&1', $ret, $val);
-			if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $version, $matches)) {
-				$type = strtolower($matches[1]);
-				$version = $matches[2];
-				if(($type != 'letsencrypt' && $type != 'certbot') || version_compare($version, '0.7.0', '<')) {
-					exec($letsencrypt . ' -n renew');
-					$app->services->restartServiceDelayed('httpd', 'force-reload');
-				} else {
-					$marker_file = '/usr/local/ispconfig/server/le.restart';
-					$cmd = "echo '1' > " . $marker_file;
-					exec($letsencrypt . ' -n renew --post-hook ' . escapeshellarg($cmd));
-					if(file_exists($marker_file) && trim(file_get_contents($marker_file)) == '1') {
-						unlink($marker_file);
+		
+		$server_config = $app->getconf->get_server_config($conf['server_id'], 'server');
+		if(!isset($server_config['migration_mode']) || $server_config['migration_mode'] != 'y') {
+			$letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt'));
+			$letsencrypt = reset($letsencrypt);
+			if(is_executable($letsencrypt)) {
+				$version = exec($letsencrypt . ' --version  2>&1', $ret, $val);
+				if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $version, $matches)) {
+					$type = strtolower($matches[1]);
+					$version = $matches[2];
+					if(($type != 'letsencrypt' && $type != 'certbot') || version_compare($version, '0.7.0', '<')) {
+						exec($letsencrypt . ' -n renew');
 						$app->services->restartServiceDelayed('httpd', 'force-reload');
+					} else {
+						$marker_file = '/usr/local/ispconfig/server/le.restart';
+						$cmd = "echo '1' > " . $marker_file;
+						exec($letsencrypt . ' -n renew --post-hook ' . escapeshellarg($cmd));
+						if(file_exists($marker_file) && trim(file_get_contents($marker_file)) == '1') {
+							unlink($marker_file);
+							$app->services->restartServiceDelayed('httpd', 'force-reload');
+						}
 					}
+				} else {
+					exec($letsencrypt . ' -n renew');
+					$app->services->restartServiceDelayed('httpd', 'force-reload');
 				}
-			} else {
-				exec($letsencrypt . ' -n renew');
-				$app->services->restartServiceDelayed('httpd', 'force-reload');
 			}
+		} else {
+			$app->log('Migration mode active, not running Let\'s Encrypt renewal.', LOGLEVEL_DEBUG);
 		}
 		
 		parent::onRunJob();

--- a/server/lib/classes/letsencrypt.inc.php
+++ b/server/lib/classes/letsencrypt.inc.php
@@ -181,6 +181,7 @@ class letsencrypt {
 		
 		$app->uses('getconf');
 		$web_config = $app->getconf->get_server_config($conf['server_id'], 'web');
+		$server_config = $app->getconf->get_server_config($conf['server_id'], 'server');
 		
 		$tmp = $app->letsencrypt->get_website_certificate_paths($data);
 		$domain = $tmp['domain'];
@@ -233,7 +234,7 @@ class letsencrypt {

 		$le_domains = array();
 		foreach($temp_domains as $temp_domain) {
-			if(isset($web_config['skip_le_check']) && $web_config['skip_le_check'] == 'y') {
+			if((isset($web_config['skip_le_check']) && $web_config['skip_le_check'] == 'y') || (isset($server_config['migration_mode']) && $server_config['migration_mode'] == 'y')) {
 				$le_domains[] = $temp_domain;
 			} else {
 				$le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file));
@@ -261,14 +262,19 @@ class letsencrypt {
 		$letsencrypt_cmd = '';
 		$success = false;
 		if(!empty($cli_domain_arg)) {
-			$app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);
-			$app->log("Let's Encrypt SSL Cert domains: $cli_domain_arg", LOGLEVEL_DEBUG);
-		
-			$letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt'));
-			$letsencrypt = reset($letsencrypt);
-			if(is_executable($letsencrypt)) {
-				$letsencrypt_cmd = $letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain $cli_domain_arg --webroot-path /usr/local/ispconfig/interface/acme";
-				$success = $app->system->_exec($letsencrypt_cmd);
+			if(!isset($server_config['migration_mode']) || $server_config['migration_mode'] != 'y') {
+				$app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);
+				$app->log("Let's Encrypt SSL Cert domains: $cli_domain_arg", LOGLEVEL_DEBUG);
+			
+				$letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt'));
+				$letsencrypt = reset($letsencrypt);
+				if(is_executable($letsencrypt)) {
+					$letsencrypt_cmd = $letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain $cli_domain_arg --webroot-path /usr/local/ispconfig/interface/acme";
+					$success = $app->system->_exec($letsencrypt_cmd);
+				}
+			} else {
+				$app->log("Migration mode active, skipping Let's Encrypt SSL Cert creation for: $domain", LOGLEVEL_DEBUG);
+				$success = true;
 			}
 		}