Aliases created by the "Website auto alias" setting are not added to the Let's Encrypt certificate request
Short description
If a value is defined in System > Server Config > Web > Website Auto Alias, it is automatically added as an alias to the site vhost. However, it is not added to the LE certificate request.
Correct behaviour
The auto alias should be part of the certificate request.
(I know some people use auto alias for internal aliases; that would still be fine, as the LE check would catch the non-routable alias and discard it.)
An example
We have mail.[website_domain] configured as our auto alias.
This correctly appears in all new nginx vhosts like so:
server_name example.com www.example.com mail.example.com;
However, it does not get added to the certificate request. Viewing the request in acme.log shows it is not included, and viewing the certificate afterwards shows this:
$ openssl x509 -in /var/www/example.com/ssl/example.com-le.crt -text -noout | grep DNS
DNS: example.com, DNS: www.example.com
Environment
Server OS: CentOS 8
ISPConfig version: 3.2.2
Webserver: NGINX
Proposed fix
Looks like the certificate generation logic is in server/plugins-available/nginx_plugin.inc.php:1385
//* Generate Let's Encrypt SSL certificate
if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y' && $conf['mirror_server_id'] == 0 && ( // ssl and let's encrypt is active and no mirror server
    ($data['old']['ssl'] == 'n' || $data['old']['ssl_letsencrypt'] == 'n') // we have new let's encrypt configuration
    || ($data['old']['domain'] != $data['new']['domain']) // we have domain update
    || ($data['old']['subdomain'] != $data['new']['subdomain']) // we have new or update on "auto" subdomain
    || $this->update_letsencrypt == true
)) {
    $success = $app->letsencrypt->request_certificates($data, 'nginx');
    if($success) {
        /* we don't need to store it.
        /* Update the DB of the (local) Server */
        $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '', ssl_key = '' WHERE domain = ?", $data['new']['domain']);
        $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
        /* Update also the master-DB of the Server-Farm */
        $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '', ssl_key = '' WHERE domain = ?", $data['new']['domain']);
        $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
    } else {
        $data['new']['ssl_letsencrypt'] = 'n';
        if($data['old']['ssl'] == 'n') $data['new']['ssl'] = 'n';
        /* Update the DB of the (local) Server */
        $app->db->query("UPDATE web_domain SET `ssl` = ?, `ssl_letsencrypt` = ? WHERE `domain` = ? AND `server_id` = ?", $data['new']['ssl'], 'n', $data['new']['domain'], $conf['server_id']);
        /* Update also the master-DB of the Server-Farm */
        $app->dbmaster->query("UPDATE web_domain SET `ssl` = ?, `ssl_letsencrypt` = ? WHERE `domain` = ?", $data['new']['ssl'], 'n', $data['new']['domain']);
    }
}
The problem appears to be that it simply takes the information straight out of $data, but the part that deals with the auto alias hasn't been called yet, as it's all the way down on line 1651:
// get autoalias
$auto_alias = $web_config['website_autoalias'];
if($auto_alias != '') {
    // get the client username
    $client = $app->db->queryOneRecord("SELECT `username` FROM `client` WHERE `client_id` = ?", $client_id);
    $aa_search = array('[client_id]', '[website_id]', '[client_username]', '[website_domain]');
    $aa_replace = array($client_id, $data['new']['domain_id'], $client['username'], $data['new']['domain']);
    $auto_alias = str_replace($aa_search, $aa_replace, $auto_alias);
    unset($client);
    unset($aa_search);
    unset($aa_replace);
    $server_alias[] .= $auto_alias.' ';
}
There's not an obvious way to add it to that file, as it just passes the $data array off to the letsencrypt library. However, we could add it in the LE lib, maybe after line 365? We'd basically just have to add the above "get auto alias" code in there. The only problem with that I can see is if the Apache plugin works differently and is already adding the auto alias, in which case we don't want to duplicate it.
Can anyone confirm whether the Apache plugin does that? If not, would this method be acceptable? Thanks
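To show what the proposed change in the LE lib would have to do, here is an added, stand-alone example (not ISPConfig code): it expands the same four auto-alias placeholders and merges the result into the list of names for the certificate request, dropping duplicates so that a plugin which already appended the auto alias does not produce a second SAN. The function names and the $site array layout are assumptions made for this example.

```php
<?php
// Added example, not part of ISPConfig. Expands the auto-alias template with
// the placeholders ISPConfig supports and merges it into the SAN list.

function expand_auto_alias(string $template, array $site): string
{
    if (trim($template) === '') {
        return '';
    }
    // Same placeholder set as the nginx plugin's "get autoalias" block.
    $search  = ['[client_id]', '[website_id]', '[client_username]', '[website_domain]'];
    $replace = [$site['client_id'], $site['domain_id'], $site['client_username'], $site['domain']];
    return strtolower(trim(str_replace($search, $replace, $template)));
}

function certificate_names(array $site, string $auto_alias_template): array
{
    // What the request already contains: the domain plus its configured aliases.
    $names = array_merge([$site['domain']], $site['aliases']);

    // Append the expanded auto alias; dedup below makes this safe even if
    // another code path (e.g. a plugin) already added it.
    $auto = expand_auto_alias($auto_alias_template, $site);
    if ($auto !== '') {
        $names[] = $auto;
    }

    // Normalise case/whitespace, drop empties, remove duplicates, keep order.
    $names = array_map(fn(string $n): string => strtolower(trim($n)), $names);
    return array_values(array_unique(array_filter($names)));
}

// Constructed sample site ($site layout is an assumption of this example).
// The alias list deliberately already contains mail.example.com, the case
// where the Apache plugin might have added the auto alias before the LE lib.
$site = [
    'client_id'       => 1,
    'domain_id'       => 42,
    'client_username' => 'client1',
    'domain'          => 'example.com',
    'aliases'         => ['www.example.com', 'mail.example.com'],
];

foreach (certificate_names($site, 'mail.[website_domain]') as $name) {
    echo "DNS:" . $name . PHP_EOL;
}
```

Running it prints each name once, so mail.example.com would appear in the request exactly one time regardless of which plugin added it first; the LE lib's existing DNS check would still discard an auto alias that does not resolve.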