From 5f3c73356379142a7a2df5f2ce63c307b3b15003 Mon Sep 17 00:00:00 2001 From: Marius Burkard Date: Thu, 13 Jul 2017 22:00:58 +0200 Subject: [PATCH] do not create or renew LE certificates on active migration mode, fixes #4702 --- .../classes/cron.d/900-letsencrypt.inc.php | 45 ++++++++++--------- server/lib/classes/letsencrypt.inc.php | 24 ++++++---- 2 files changed, 40 insertions(+), 29 deletions(-) diff --git a/server/lib/classes/cron.d/900-letsencrypt.inc.php b/server/lib/classes/cron.d/900-letsencrypt.inc.php index 66597aefae..e507a3b353 100644 --- a/server/lib/classes/cron.d/900-letsencrypt.inc.php +++ b/server/lib/classes/cron.d/900-letsencrypt.inc.php 
@@ -49,30 +49,35 @@ class cronjob_letsencrypt extends cronjob { public function onRunJob() { global $app, $conf; - - $letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt')); - $letsencrypt = reset($letsencrypt); - if(is_executable($letsencrypt)) { - $version = exec($letsencrypt . ' --version 2>&1', $ret, $val); - if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $version, $matches)) { - $type = strtolower($matches[1]); - $version = $matches[2]; - if(($type != 'letsencrypt' && $type != 'certbot') || version_compare($version, '0.7.0', '<')) { - exec($letsencrypt . ' -n renew'); - $app->services->restartServiceDelayed('httpd', 'force-reload'); - } else { - $marker_file = '/usr/local/ispconfig/server/le.restart'; - $cmd = "echo '1' > " . $marker_file; - exec($letsencrypt . ' -n renew --post-hook ' . escapeshellarg($cmd)); - if(file_exists($marker_file) && trim(file_get_contents($marker_file)) == '1') { - unlink($marker_file); + + $server_config = $app->getconf->get_server_config($conf['server_id'], 'server'); + if(!isset($server_config['migration_mode']) || $server_config['migration_mode'] != 'y') { + $letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt')); + $letsencrypt = reset($letsencrypt); + if(is_executable($letsencrypt)) { + $version = exec($letsencrypt . ' --version 2>&1', $ret, $val); + if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $version, $matches)) { + $type = strtolower($matches[1]); + $version = $matches[2]; + if(($type != 'letsencrypt' && $type != 'certbot') || version_compare($version, '0.7.0', '<')) { + exec($letsencrypt . ' -n renew'); $app->services->restartServiceDelayed('httpd', 'force-reload'); + } else { + $marker_file = '/usr/local/ispconfig/server/le.restart'; + $cmd = "echo '1' > " . $marker_file; + exec($letsencrypt . ' -n renew --post-hook ' . 
escapeshellarg($cmd)); + if(file_exists($marker_file) && trim(file_get_contents($marker_file)) == '1') { + unlink($marker_file); + $app->services->restartServiceDelayed('httpd', 'force-reload'); + } } + } else { + exec($letsencrypt . ' -n renew'); + $app->services->restartServiceDelayed('httpd', 'force-reload'); } - } else { - exec($letsencrypt . ' -n renew'); - $app->services->restartServiceDelayed('httpd', 'force-reload'); } + } else { + $app->log('Migration mode active, not running Let\'s Encrypt renewal.', LOGLEVEL_DEBUG); } parent::onRunJob(); diff --git a/server/lib/classes/letsencrypt.inc.php b/server/lib/classes/letsencrypt.inc.php index 0b7f9876c0..af770723f5 100644 --- a/server/lib/classes/letsencrypt.inc.php +++ b/server/lib/classes/letsencrypt.inc.php @@ -181,6 +181,7 @@ class letsencrypt { $app->uses('getconf'); $web_config = $app->getconf->get_server_config($conf['server_id'], 'web'); + $server_config = $app->getconf->get_server_config($conf['server_id'], 'server'); $tmp = $app->letsencrypt->get_website_certificate_paths($data); $domain = $tmp['domain']; @@ -233,7 +234,7 @@ class letsencrypt { $le_domains = array(); foreach($temp_domains as $temp_domain) { - if(isset($web_config['skip_le_check']) && $web_config['skip_le_check'] == 'y') { + if((isset($web_config['skip_le_check']) && $web_config['skip_le_check'] == 'y') || (isset($server_config['migration_mode']) && $server_config['migration_mode'] == 'y')) { $le_domains[] = $temp_domain; } else { $le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file)); 
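Review bot: The migration-mode skip at the end of the first hunk is logged only at LOGLEVEL_DEBUG (`$app->log('Migration mode active, not running Let\'s Encrypt renewal.', LOGLEVEL_DEBUG)`), so if migration mode is left enabled on a server the daily non-renewal is invisible at the default log level until certificates approach expiry; logging it at LOGLEVEL_WARN would give operators a signal while it is still actionable, and the same applies to the "Migration mode active, skipping" line in the last hunk of letsencrypt.inc.php. As a matter of style, wrapping the entire renewal body in a new `if` re-indents roughly thirty lines for a two-line behavioural change; a guard at the top of onRunJob that tests the migration flag, logs, calls `parent::onRunJob()` and returns would leave the existing renewal code untouched. The `$app->getconf` call assumes getconf is already loaded in the cron context, which letsencrypt.inc.php makes explicit with `$app->uses('getconf')` but this file does not — worth confirming. onRunJob's closing brace lies outside the hunk.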
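Review bot: The `migration_mode` test in the changed `if((isset($web_config['skip_le_check']) ...` line is the third copy of the same expression in this patch (the cron hunk and the last hunk of this file carry the other two), and this line is now long enough that the two unrelated skip reasons are hard to tell apart. Computing it once right after `$server_config` is read, `$migration_mode = isset($server_config['migration_mode']) && $server_config['migration_mode'] == 'y';`, lets this condition become `if((isset($web_config['skip_le_check']) && $web_config['skip_le_check'] == 'y') || $migration_mode) {` and the later branch test `if(!$migration_mode) {`. A short comment would also help here, since in migration mode the domains are kept only so that `$cli_domain_arg` is non-empty and the migration branch further down is reached rather than because a challenge will be attempted: `// migration mode: no ACME challenge is attempted, keep every domain so the migration branch below runs`. The enclosing foreach continues past the hunk.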
@@ -261,14 +262,19 @@ class letsencrypt { $letsencrypt_cmd = ''; $success = false; if(!empty($cli_domain_arg)) { - $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG); - $app->log("Let's Encrypt SSL Cert domains: $cli_domain_arg", LOGLEVEL_DEBUG); - - $letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt')); - $letsencrypt = reset($letsencrypt); - if(is_executable($letsencrypt)) { - $letsencrypt_cmd = $letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain $cli_domain_arg --webroot-path /usr/local/ispconfig/interface/acme"; - $success = $app->system->_exec($letsencrypt_cmd); + if(!isset($server_config['migration_mode']) || $server_config['migration_mode'] != 'y') { + $app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG); + $app->log("Let's Encrypt SSL Cert domains: $cli_domain_arg", LOGLEVEL_DEBUG); + + $letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt')); + $letsencrypt = reset($letsencrypt); + if(is_executable($letsencrypt)) { + $letsencrypt_cmd = $letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain $cli_domain_arg --webroot-path /usr/local/ispconfig/interface/acme"; + $success = $app->system->_exec($letsencrypt_cmd); + } + } else { + $app->log("Migration mode active, skipping Let's Encrypt SSL Cert creation for: $domain", LOGLEVEL_DEBUG); + $success = true; } } -- GitLab
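Review bot: The new else branch sets `$success = true;` although no certificate has been requested, so whatever follows this hunk and keys on `$success` (the rest of the function is outside the hunk) will presumably treat the site as having a valid Let's Encrypt certificate on the migration target even when the certificate files have not been copied over yet, leaving the vhost pointing at missing files. If that downstream code enables the SSL configuration on `$success`, the migration branch should report success only when the expected certificate is actually present, for example `$success = is_file(<LE live cert path for $domain>);` using the path returned by get_website_certificate_paths, rather than unconditionally. Note also that `$domain` and `$cli_domain_arg` are still interpolated unescaped into `$letsencrypt_cmd` while the cron hunk wraps its post-hook argument in escapeshellarg; whether that is safe depends on the validation applied where `$cli_domain_arg` is assembled, outside the hunk, and deserves a comment either way. The skip message is logged at LOGLEVEL_DEBUG, as in the cron hunk, where LOGLEVEL_WARN would be more visible.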