From 83246e6892f216319567960d7a40969a088b5f92 Mon Sep 17 00:00:00 2001
From: Jesse Norell
Date: Fri, 29 Jan 2021 09:29:17 -0700
Subject: [PATCH 1/3] set umask before calling acme.sh

---
 install/lib/installer_base.lib.php | 6 ++++++
 server/lib/classes/letsencrypt.inc.php | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 688fd32a83..dabbfd6d79 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -3023,6 +3023,9 @@ class installer_base {
 swriteln('acme.sh is installed, overriding certificate path to use ' . $acme_cert_dir);
+ # acme.sh does not set umask, resulting in incorrect permissions (ispconfig issue #6015)
+ $old_umask = umask(0022);
+
 $out = null;
 $ret = null;
 if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
@@ -3044,6 +3047,7 @@ class installer_base {
 $acme_chain = "--fullchain-file " . escapeshellarg($ssl_crt_file);
 exec("$acme --install-cert -d " . escapeshellarg($hostname) . " $acme_key $acme_chain");
 $issued_successfully = true;
+ umask($old_umask);
 // Make temporary backup of self-signed certs permanent
 if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
@@ -3056,6 +3060,8 @@ class installer_base {
 } else {
 swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');
+ umask($old_umask);
+
 // Restore temporary backup of self-signed certs
 if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
 rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
diff --git a/server/lib/classes/letsencrypt.inc.php b/server/lib/classes/letsencrypt.inc.php
index a118d55769..17bc37826c 100644
--- a/server/lib/classes/letsencrypt.inc.php
+++ b/server/lib/classes/letsencrypt.inc.php
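Review bot: In the -3023 hunk the umask is widened to 0022 well before the acme.sh calls, and it is only put back on the two branches patched at -3044 and -3056; the stretch between them (the `if($conf['nginx']...` body and the acme.sh issue step) is outside the hunk, so any early return or exception there leaves the rest of the installer running with the widened mask. If the project's minimum PHP version allows it, wrapping the acme.sh calls in `try { ... } finally { umask($old_umask); }` restores the mask on every path and replaces the two duplicated restore lines. As a point of style, the added comment uses `#` while the surrounding code in this file uses `//`. The enclosing method starts before and continues after this hunk.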
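Review bot: In the -3044 hunk the `--install-cert` exec may create the private key named in `$acme_key` fresh while the umask is 0022, i.e. with mode 0644, unless acme.sh tightens the mode itself; the hunk restores the umask but never checks the key's mode. An explicit `chmod` of the key path to 0600 (or whatever mode the installer gives the self-signed key it replaces) right after the exec and before `umask($old_umask)` removes the dependency on the external client's behaviour. The variable holding the key path is defined above the hunk, so the exact line depends on it.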
@@ -399,11 +399,13 @@ class letsencrypt {
 $this->certbot_use_certcommand = false;
 $letsencrypt_cmd = '';
 $allow_return_codes = null;
+ $old_umask = umask(0022); # work around acme.sh permission bug, see #6015
 if($use_acme) {
 $letsencrypt_cmd = $this->get_acme_command($temp_domains, $key_file, $bundle_file, $crt_file, $server_type);
 $allow_return_codes = array(2);
 } else {
 $letsencrypt_cmd = $this->get_certbot_command($temp_domains);
+ umask($old_umask);
 }
 $success = false;
@@ -420,6 +422,7 @@ class letsencrypt {
 }
 if($use_acme === true) {
+ umask($old_umask);
 if(!$success) {
 $app->log('Let\'s Encrypt SSL Cert for: ' . $domain . ' could not be issued.', LOGLEVEL_WARN);
 $app->log($letsencrypt_cmd, LOGLEVEL_WARN);
-- 
GitLab

From 12fe2f6a39b46ec7bab55f5b4a03c6e1ec550055 Mon Sep 17 00:00:00 2001
From: Jesse Norell
Date: Fri, 29 Jan 2021 09:51:13 -0700
Subject: [PATCH 2/3] set use_acme flag after install

---
 server/lib/classes/letsencrypt.inc.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/lib/classes/letsencrypt.inc.php b/server/lib/classes/letsencrypt.inc.php
index 17bc37826c..880aa06a21 100644
--- a/server/lib/classes/letsencrypt.inc.php
+++ b/server/lib/classes/letsencrypt.inc.php
@@ -319,6 +319,9 @@ class letsencrypt {
 } elseif(!$this->get_certbot_script()) {
 // acme and le missing
 $this->install_acme();
+ if($this->get_acme_script()) {
+ $use_acme = true;
+ }
 }
 $tmp = $app->letsencrypt->get_website_certificate_paths($data);
-- 
GitLab

From 76647e89177058d4dfb003822c23695915768444 Mon Sep 17 00:00:00 2001
From: Jesse Norell
Date: Fri, 29 Jan 2021 09:58:29 -0700
Subject: [PATCH 3/3] report error if no Let's Encrypt client

---
 server/lib/classes/letsencrypt.inc.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/server/lib/classes/letsencrypt.inc.php b/server/lib/classes/letsencrypt.inc.php
index 880aa06a21..a2e6a5c380 100644
--- a/server/lib/classes/letsencrypt.inc.php
+++ b/server/lib/classes/letsencrypt.inc.php
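Review bot: In the -399 hunk `$old_umask` is saved under the truthy test `if($use_acme)`, but the acme-side restore added at -420 sits under the strict `if($use_acme === true)`; if `$use_acme` ever carries a non-boolean truthy value the widened mask is never put back, and the command execution between the two hunks is outside view so other exit paths cannot be checked here. Using the same condition at both sites, or moving `$old_umask = umask(0022);` into the acme branch and restoring it immediately after the command runs, keeps save and restore visibly paired. The enclosing method starts before this hunk.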
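Review bot: In the -420 hunk the umask is restored but nothing verifies the mode of the private key acme.sh wrote to `$key_file` (passed to `get_acme_command` in the -399 hunk); under umask 0022 a key created fresh by acme.sh would be 0644 unless acme.sh tightens it itself. Consider `if(is_file($key_file)) chmod($key_file, 0600);` before `umask($old_umask);`, or whatever mode this class applies to private keys elsewhere, so the protection does not depend on the external client. The surrounding method continues outside the hunk.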
@@ -317,10 +317,14 @@ class letsencrypt {
 if($this->get_acme_script()) {
 $use_acme = true;
 } elseif(!$this->get_certbot_script()) {
+ $app->log("Unable to find Let's Encrypt client, installing acme.sh.", LOGLEVEL_DEBUG);
 // acme and le missing
 $this->install_acme();
 if($this->get_acme_script()) {
 $use_acme = true;
+ } else {
+ $app->log("Unable to install acme.sh. Cannot proceed, no Let's Encrypt client found.", LOGLEVEL_WARN);
+ return false;
 }
 }
-- 
GitLab
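Review bot: The new `return false;` exits the method early, but the method's signature and its other return statements are outside the hunk, so confirm that every caller distinguishes `false` from a normal result rather than treating it as an empty path set. A failed client install leaves the site with no certificate at all, and it is reported at LOGLEVEL_WARN; if this class reserves LOGLEVEL_ERROR for conditions an administrator must act on, this one qualifies. The enclosing method starts and ends outside the hunk.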