From c69a68a0532220dd068e6f88348049b2df3f8ff1 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 08:47:36 +0200 Subject: [PATCH 01/56] Update installer_base.lib.php to get LE SSL certs for the server via certbot or acme.sh before openssl self-signed method upon new installation or existing update; and extend it to other available services (postfix, pure-ftpd-mysql), with additional dhparam pem file, if none exists. --- install/lib/installer_base.lib.php | 175 ++++++++++++++++++++++++++--- 1 file changed, 158 insertions(+), 17 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index c7f955d945..d66dd1cd80 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -1,7 +1,7 @@ &1', $ret, $val); + if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) { + $le_version = $matches[2]; + } + + // Define certbot commands + $acme_version = '--server https://acme-v0' . (($le_version >=0.22) ? '2' : '1') . '.api.letsencrypt.org/directory'; + $certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096'; + + // certbot choice of authenticator + $standalone_auth = '--authenticator standalone'; + $webroot_auth = '--authenticator webroot'; + + // certbot webroot arguments i.e. map for >=0.30 or path for <=0.29 + $webroot_map[$hostname] = $webroot_path; + if ($le_version >=0.30) + $webroot_args = '--webroot-map ' . escapeshellarg(str_replace(array('\r', '\n'), '', json_encode($webroot_map))); + else + $webroot_args = "-d $hostname --webroot-path $webroot_path"; + + // If this is a webserver, we use webroot + if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) { + exec("$le_client $certonly $acme_version $webroot_auth --email postmaster@$hostname $webroot_args"); + } + // Else, it is not webserver, so we use standalone + else + exec("$le_client $certonly $acme_version $standalone_auth --email postmaster@$hostname -d $hostname"); + + } else { + + // Else try use Neilpang acme.sh, also if it is available + if (is_executable($acme)) { + + $acme = reset($acme); + + // If this is a webserver, we use webroot + if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) + exec("$acme --issue -d $hostname --webroot $webroot_path"); + // Else, it is not webserver, so we use standalone + else + exec("$acme --issue --standalone -d $hostname"); + + // Define LE certs name and path, then install them + $acme_cert = "--cert-file $le_live_dir/cert.pem"; + $acme_key = "--key-file $le_live_dir/key.pem"; + $acme_chain = "--fullchain-file $le_live_dir/fullchain.pem"; + exec("$acme --install-cert -d $hostname $acme_cert $acme_key $acme_chain"); + } + } + } + + //* Define and check 
ISPConfig SSL folder */ + $ssl_dir = $conf['ispconfig_install_dir'].'/interface/ssl'; + if(!@is_dir($ssl_dir)) mkdir($ssl_dir, 0755, true); - $ssl_crt_file = $install_dir.'/interface/ssl/ispserver.crt'; - $ssl_csr_file = $install_dir.'/interface/ssl/ispserver.csr'; - $ssl_key_file = $install_dir.'/interface/ssl/ispserver.key'; + $ssl_crt_file = $ssl_dir.'/ispserver.crt'; + $ssl_csr_file = $ssl_dir.'/ispserver.csr'; + $ssl_key_file = $ssl_dir.'/ispserver.key'; + $ssl_pem_file = $ssl_dir.'/ispserver.pem'; - if(!@is_dir($install_dir.'/interface/ssl')) mkdir($install_dir.'/interface/ssl', 0755, true); + $date = new DateTime(); + + // If the LE SSL certs for this hostname exists + if (is_dir($le_live_dir) && in_array($svr_ip, $dns_ips)) { + + // Backup existing ispserver ssl files + if (file_exists($ssl_crt_file)) rename($ssl_crt_file, $ssl_crt_file . '-' .$date->format('YmdHis') . '.bak'); + if (file_exists($ssl_crt_file)) rename($ssl_key_file, $ssl_key_file . '-' .$date->format('YmdHis') . '.bak'); + if (file_exists($ssl_crt_file)) rename($ssl_pem_file, $ssl_pem_file . '-' .$date->format('YmdHis') . 
'.bak'); + + // Create symlink to LE fullchain and key for ISPConfig + symlink($le_live_dir.'/fullchain.pem', $ssl_crt_file); + symlink($le_live_dir.'/privkey.pem', $ssl_key_file); - $ssl_pw = substr(md5(mt_rand()), 0, 6); - exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096"); - if(AUTOINSTALL){ - exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -subj '/C=".escapeshellcmd($autoinstall['ssl_cert_country'])."/ST=".escapeshellcmd($autoinstall['ssl_cert_state'])."/L=".escapeshellcmd($autoinstall['ssl_cert_locality'])."/O=".escapeshellcmd($autoinstall['ssl_cert_organisation'])."/OU=".escapeshellcmd($autoinstall['ssl_cert_organisation_unit'])."/CN=".escapeshellcmd($autoinstall['ssl_cert_common_name'])."' -key $ssl_key_file -out $ssl_csr_file"); } else { - exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -out $ssl_csr_file"); + + // We can still use the old self-signed method + $ssl_pw = substr(md5(mt_rand()), 0, 6); + exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096"); + if(AUTOINSTALL){ + exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -subj '/C=".escapeshellcmd($autoinstall['ssl_cert_country'])."/ST=".escapeshellcmd($autoinstall['ssl_cert_state'])."/L=".escapeshellcmd($autoinstall['ssl_cert_locality'])."/O=".escapeshellcmd($autoinstall['ssl_cert_organisation'])."/OU=".escapeshellcmd($autoinstall['ssl_cert_organisation_unit'])."/CN=".escapeshellcmd($autoinstall['ssl_cert_common_name'])."' -key $ssl_key_file -out $ssl_csr_file"); + } else { + exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -out $ssl_csr_file"); + } + exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 3650"); + exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure"); + rename($ssl_key_file, $ssl_key_file.'.secure'); + 
rename($ssl_key_file.'.insecure', $ssl_key_file); } - exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 3650"); - exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure"); - rename($ssl_key_file, $ssl_key_file.'.secure'); - rename($ssl_key_file.'.insecure', $ssl_key_file); - exec('chown -R root:root /usr/local/ispconfig/interface/ssl'); + // Build ispserver.pem file and chmod it + exec("cat $ssl_key_file $ssl_crt_file > $ssl_pem_file; chmod 600 $ssl_pem_file"); + + // Extend LE SSL certs to postfix + if ($conf['postfix']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig LE SSL certs to postfix?', array('y', 'n'), 'y')) == 'y') { + + // Define folder, file(s) + $cf = $conf['postfix']; + $postfix_dir = $cf['config_dir']; + if(!is_dir($postfix_dir)) $this->error("The postfix configuration directory '$postfix_dir' does not exist."); + $smtpd_crt = $postfix_dir.'/smtpd.cert'; + $smtpd_key = $postfix_dir.'/smtpd.key'; + + // Backup existing postfix ssl files + if (file_exists($smtpd_crt)) rename($smtpd_crt, $smtpd_crt . '-' .$date->format('YmdHis') . '.bak'); + if (file_exists($smtpd_key)) rename($smtpd_key, $smtpd_key . '-' .$date->format('YmdHis') . '.bak'); + + // Create symlink to ISPConfig SSL files + symlink($ssl_crt_file, $smtpd_crt); + symlink($ssl_key_file, $smtpd_key); + } + + // Extend LE SSL certs to pureftpd + if ($conf['pureftpd']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig LE SSL certs to pureftpd? Creating dhparam file takes some times.', array('y', 'n'), 'y')) == 'y') { + + // Define folder, file(s) + $pureftpd_dir = '/etc/ssl/private'; + if(!is_dir($pureftpd_dir)) mkdir($pureftpd_dir, 0755, true); + $pureftpd_pem = $pureftpd_dir.'/pure-ftpd.pem'; + + // Backup existing pureftpd ssl files + if (file_exists($pureftpd_pem)) rename($pureftpd_pem, $pureftpd_pem . '-' .$date->format('YmdHis') . 
'.bak'); + + // Create symlink to ISPConfig SSL files + symlink($ssl_pem_file, $pureftpd_pem); + if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem")) + exec("cd $pureftpd_dir; openssl dhparam -out dhparam2048.pem 2048; ln -sf dhparam2048.pem pure-ftpd-dhparams.pem"); + } + + exec("chown -R root:root $ssl_dir"); } -- GitLab From e2fcd751cbe2b9b8e5e94836bd1ded39b2e0780a Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 08:53:59 +0200 Subject: [PATCH 02/56] Update install.php to allow LE SSL certs to be created on ISPConfig non web server upon new installation. --- install/install.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/install/install.php b/install/install.php index 9dff3facf2..57d00269fd 100644 --- a/install/install.php +++ b/install/install.php @@ -574,6 +574,12 @@ if($install_mode == 'standard' || strtolower($inst->simple_query('Install ISPCon $inst->install_ispconfig_interface = false; } +// Create SSL certs for non-webserver(s)? +if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) { + if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y') + $inst->make_ispconfig_ssl_cert(); +} + $inst->install_ispconfig(); //* Configure DBServer -- GitLab From c1916ef11fca6872793739635dd94fe00a534d35 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 08:54:05 +0200 Subject: [PATCH 03/56] Update update.php to allow LE SSL certs to be created on ISPConfig non web server upon existing update. --- install/update.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/install/update.php b/install/update.php index 42ddd625f5..561ffea8cb 100644 --- a/install/update.php +++ b/install/update.php 
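Review bot: `exec("cat $ssl_key_file $ssl_crt_file > $ssl_pem_file; chmod 600 $ssl_pem_file")` writes the private key through a shell redirect under the installer's current umask and only tightens the mode afterwards, so ispserver.pem is briefly readable by other local users, and because the two commands are joined with `;` the chmod also runs on a partial or empty file when `cat` fails. Build the file from PHP under a restrictive umask instead: `$old_umask = umask(0077); file_put_contents($ssl_pem_file, file_get_contents($ssl_key_file) . file_get_contents($ssl_crt_file)); umask($old_umask);`. The same unchecked-`exec()` pattern applies to the certbot and acme.sh calls earlier in the hunk: none of their exit codes are examined, so a failed issuance falls straight through to the symlink step. `$hostname`, `$webroot_path` and `$le_live_dir` are also interpolated into those shell commands without quoting; their origin is outside the hunk, so wrap them in `escapeshellarg()` the way the webroot map already is. The enclosing function starts outside the hunk (its header is garbled in this copy).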
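Review bot: `if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt'))` hard-codes the install directory, whereas the SSL code this calls into derives the same path from `$conf['ispconfig_install_dir'].'/interface/ssl'`; on a non-default install directory the check is always true and the prompt returns on every run. Use `if(!file_exists($conf['ispconfig_install_dir'].'/interface/ssl/ispserver.crt')) {` (assuming `$conf` is in scope at this point of install.php as it is elsewhere — verify). `file_exists()` also follows symlinks, so once ispserver.crt is a link to a Let's Encrypt chain that has since been removed the prompt reappears even though the link is present; `is_link(...) || file_exists(...)` may be what is intended. PATCH 03/56 adds the identical block to install/update.php and has the same issue.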
@@ -518,6 +518,12 @@ if ($inst->install_ispconfig_interface) { } } +// Create SSL certs for non-webserver(s)? +if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) { + if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y') + $inst->make_ispconfig_ssl_cert(); +} + $inst->install_ispconfig(); // Cleanup -- GitLab From 511ac6cf10cec4669ed70687bc386ad86b8e6789 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 13:47:22 +0200 Subject: [PATCH 04/56] Update installer_base.lib.php as le client must be reset immediately after exploding it with which command. --- install/lib/installer_base.lib.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index d66dd1cd80..9015377867 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2390,14 +2390,15 @@ class installer_base { // Get the default LE client name and version $le_client = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot')); + $le_client = reset($le_client); // Check for Neilpang acme.sh as well $acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh')); + $acme = reset($acme); // Use LE certbot cleint if it is available if(is_executable($le_client)) { - $le_client = reset($le_client); $le_info = exec($le_client . ' --version 2>&1', $ret, $val); if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) { $le_version = $matches[2]; 
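Review bot: `$le_version` is assigned only when the `preg_match` on the `--version` output succeeds, but the comparisons that follow it (`$le_version >= 0.22`, `>= 0.30`, outside this hunk) read it unconditionally, so an unexpected version string produces an undefined-variable notice and silently selects the ACME v1 endpoint and the old `--webroot-path` form. Initialise it before the match, e.g. `$le_version = '0';`, or abort via `$this->error(...)` when the version cannot be parsed. The captured value is also a dotted triple such as `0.31.0`, which PHP does not compare to a float reliably; `version_compare($le_version, '0.22', '>=')` is the safe form for those later checks. The enclosing function starts and ends outside the hunk.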
@@ -2430,9 +2431,7 @@ class installer_base { // Else try use Neilpang acme.sh, also if it is available if (is_executable($acme)) { - - $acme = reset($acme); - + // If this is a webserver, we use webroot if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) exec("$acme --issue -d $hostname --webroot $webroot_path"); -- GitLab From 52d8f80652adc2504d3672263b44cd64241be61d Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 14:05:11 +0200 Subject: [PATCH 05/56] Update installer_base.lib.php to create LE live directory for the hostname if acme.sh is available, as it is not present in the first place, unlike certbot that creates it when creating LE SSL certs. --- install/lib/installer_base.lib.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 9015377867..15cbc24d67 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2386,7 +2386,7 @@ class installer_base { // Set webroot path for all ISPConfig server LE certs $webroot_path = $conf['ispconfig_install_dir'].'/interface/acme'; - if(!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; + if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; // Get the default LE client name and version $le_client = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot')); @@ -2440,6 +2440,7 @@ class installer_base { exec("$acme --issue --standalone -d $hostname"); // Define LE certs name and path, then install them + if (!@is_dir($le_live_dir)) mkdir($le_live_dir, 0755, true); $acme_cert = "--cert-file $le_live_dir/cert.pem"; $acme_key = "--key-file $le_live_dir/key.pem"; $acme_chain = "--fullchain-file $le_live_dir/fullchain.pem"; -- GitLab From 7decbda896ff835ea4eee6545a61a5f39b0455ee Mon Sep 17 00:00:00 2001 
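Review bot: `if (!@is_dir($le_live_dir)) mkdir($le_live_dir, 0755, true);` creates the live directory regardless of whether the preceding `--issue` call succeeded, and the later fallback decision (`is_dir($le_live_dir) && in_array($svr_ip, $dns_ips)`, outside this hunk) treats the directory's existence as proof that certificates exist; after a failed issuance ISPConfig therefore symlinks ispserver.crt/.key to files that do not exist instead of taking the self-signed path. Capture the issue result with `exec("$acme --issue --standalone -d $hostname", $issue_out, $issue_rc);` (and likewise for the webroot form) and only then `if ($issue_rc === 0 && !@is_dir($le_live_dir)) mkdir($le_live_dir, 0700, true);`. Since this directory is about to receive privkey.pem, 0700 rather than 0755 is the appropriate mode, and the `mkdir()` return value should be checked as well. The enclosing function starts and ends outside the hunk.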
From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 14:09:57 +0200 Subject: [PATCH 06/56] Update installer_base.lib.php to use standard name for acme.sh LE SSL pem files. --- install/lib/installer_base.lib.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 15cbc24d67..d3e604c5b4 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2442,9 +2442,10 @@ class installer_base { // Define LE certs name and path, then install them if (!@is_dir($le_live_dir)) mkdir($le_live_dir, 0755, true); $acme_cert = "--cert-file $le_live_dir/cert.pem"; - $acme_key = "--key-file $le_live_dir/key.pem"; - $acme_chain = "--fullchain-file $le_live_dir/fullchain.pem"; - exec("$acme --install-cert -d $hostname $acme_cert $acme_key $acme_chain"); + $acme_key = "--key-file $le_live_dir/privkey.pem"; + $acme_chain = "--chain-file $le_live_dir/chain.pem"; + $acme_fchain = "--fullchain-file $le_live_dir/fullchain.pem"; + exec("$acme --install-cert -d $hostname $acme_cert $acme_key $acme_chain $acme_fchain"); } } } @@ -2470,7 +2471,7 @@ class installer_base { // Create symlink to LE fullchain and key for ISPConfig symlink($le_live_dir.'/fullchain.pem', $ssl_crt_file); - symlink($le_live_dir.'/privkey.pem', $ssl_key_file); + symlink($le_live_dir.'/privKEY.PEM', $ssl_key_file); } else { -- GitLab From 8fabee3136c1d4fa5cc42442f05c07f76e790854 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 14:29:57 +0200 Subject: [PATCH 07/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index d3e604c5b4..3dca3caa0f 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -2443,9 +2443,9 @@ class installer_base { if (!@is_dir($le_live_dir)) mkdir($le_live_dir, 0755, true); $acme_cert = "--cert-file $le_live_dir/cert.pem"; $acme_key = "--key-file $le_live_dir/privkey.pem"; - $acme_chain = "--chain-file $le_live_dir/chain.pem"; - $acme_fchain = "--fullchain-file $le_live_dir/fullchain.pem"; - exec("$acme --install-cert -d $hostname $acme_cert $acme_key $acme_chain $acme_fchain"); + $acme_ca = "--ca-file $le_live_dir/chain.pem"; + $acme_chain = "--fullchain-file $le_live_dir/fullchain.pem"; + exec("$acme --install-cert -d $hostname $acme_cert $acme_key $acme_ca $acme_chain"); } } } -- GitLab From 376a6ffc16d06f84157cd3e32133f223f02f4390 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 14:40:42 +0200 Subject: [PATCH 08/56] Update installer_base.lib.php to fix a mixed of uppercase and lowercase. --- install/lib/installer_base.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 3dca3caa0f..fab1ed250a 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2471,7 +2471,7 @@ class installer_base { // Create symlink to LE fullchain and key for ISPConfig symlink($le_live_dir.'/fullchain.pem', $ssl_crt_file); - symlink($le_live_dir.'/privKEY.PEM', $ssl_key_file); + symlink($le_live_dir.'/privkey.pem', $ssl_key_file); } else { -- GitLab From f5781410d2bbe92f3e012e8e68ea23a2b0c6433c Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 15:16:31 +0200 Subject: [PATCH 09/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index fab1ed250a..1b0d3a3070 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -2466,8 +2466,8 @@ class installer_base { // Backup existing ispserver ssl files if (file_exists($ssl_crt_file)) rename($ssl_crt_file, $ssl_crt_file . '-' .$date->format('YmdHis') . '.bak'); - if (file_exists($ssl_crt_file)) rename($ssl_key_file, $ssl_key_file . '-' .$date->format('YmdHis') . '.bak'); - if (file_exists($ssl_crt_file)) rename($ssl_pem_file, $ssl_pem_file . '-' .$date->format('YmdHis') . '.bak'); + if (file_exists($ssl_key_file)) rename($ssl_key_file, $ssl_key_file . '-' .$date->format('YmdHis') . '.bak'); + if (file_exists($ssl_pem_file)) rename($ssl_pem_file, $ssl_pem_file . '-' .$date->format('YmdHis') . '.bak'); // Create symlink to LE fullchain and key for ISPConfig symlink($le_live_dir.'/fullchain.pem', $ssl_crt_file); -- GitLab From 429a570dbb75753d3fcb6b1830ccd71263338f6c Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 16:14:17 +0200 Subject: [PATCH 10/56] Update installer_base.lib.php to add pre-hook and post-hook to standalone command both certbot and acme.sh. --- install/lib/installer_base.lib.php | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 1b0d3a3070..dc106b77cf 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
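Review bot: `file_exists()` returns false for a dangling symlink, so when ispserver.crt/.key/.pem are already links into a Let's Encrypt live directory that has since been removed or renamed (plausible on a re-run of the updater), the backup `rename()` is skipped and the `symlink()` calls that follow fail with "File exists", leaving the stale links in place. Test for links too on each of the three lines: `if (file_exists($ssl_key_file) || is_link($ssl_key_file)) rename($ssl_key_file, $ssl_key_file . '-' .$date->format('YmdHis') . '.bak');`. The timestamped `.bak` copy of the previous private key also keeps whatever mode the original had and is never removed from `$ssl_dir`; consider `chmod(..., 0600)` on the key backup, or deleting it once the new material is confirmed. The enclosing function starts and ends outside the hunk.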
@@ -2387,6 +2387,12 @@ class installer_base { // Set webroot path for all ISPConfig server LE certs $webroot_path = $conf['ispconfig_install_dir'].'/interface/acme'; if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; + + // Set pre-hook and post hook for standalone + // Will attempt on port 443 later + $pre_hook = " --pre-hook 'ufw enable; ufw allow http; ufw allow https;'"; + $post_hook = " --post-hook 'ufw enable; ufw deny http; ufw deny https;'"; + $hook = $pre_hook . $pre_hook; // Get the default LE client name and version $le_client = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot')); @@ -2425,7 +2431,7 @@ class installer_base { } // Else, it is not webserver, so we use standalone else - exec("$le_client $certonly $acme_version $standalone_auth --email postmaster@$hostname -d $hostname"); + exec("$le_client $certonly $acme_version $standalone_auth --email postmaster@$hostname -d $hostname $hook"); } else { @@ -2437,7 +2443,7 @@ class installer_base { exec("$acme --issue -d $hostname --webroot $webroot_path"); // Else, it is not webserver, so we use standalone else - exec("$acme --issue --standalone -d $hostname"); + exec("$acme --issue --standalone -d $hostname $hook"); // Define LE certs name and path, then install them if (!@is_dir($le_live_dir)) mkdir($le_live_dir, 0755, true); @@ -2446,6 +2452,7 @@ class installer_base { $acme_ca = "--ca-file $le_live_dir/chain.pem"; $acme_chain = "--fullchain-file $le_live_dir/fullchain.pem"; exec("$acme --install-cert -d $hostname $acme_cert $acme_key $acme_ca $acme_chain"); + } } } -- GitLab From a0190771c55e7dd91552ff46784ff063ba4afd57 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 17:18:32 +0200 Subject: [PATCH 11/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) 
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index dc106b77cf..5d3e1138d8 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2389,11 +2389,10 @@ class installer_base { if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; // Set pre-hook and post hook for standalone - // Will attempt on port 443 later - $pre_hook = " --pre-hook 'ufw enable; ufw allow http; ufw allow https;'"; - $post_hook = " --post-hook 'ufw enable; ufw deny http; ufw deny https;'"; - $hook = $pre_hook . $pre_hook; - + $pre_hook = ' --pre-hook "ufw enable; ufw allow http; ufw allow https;"'; + $post_hook = ' --post-hook "ufw enable; ufw deny http; ufw deny https;"'; + $hook = $pre_hook . $post_hook; + // Get the default LE client name and version $le_client = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot')); $le_client = reset($le_client); -- GitLab From e1e214fe48f8627db86503388dabb2cd81db078a Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 17:19:52 +0200 Subject: [PATCH 12/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 5d3e1138d8..aa7bdab0c4 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2399,7 +2399,7 @@ class installer_base { // Check for Neilpang acme.sh as well $acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh')); - $acme = reset($acme); + $acme = reset($acme); // Use LE certbot cleint if it is available if(is_executable($le_client)) { -- GitLab From e47e2972094a067e98c3298ddf2bda394c7458e9 Mon Sep 17 00:00:00 2001 
From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 17 Aug 2019 17:26:10 +0200 Subject: [PATCH 13/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index aa7bdab0c4..10c6012eba 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2389,8 +2389,8 @@ class installer_base { if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; // Set pre-hook and post hook for standalone - $pre_hook = ' --pre-hook "ufw enable; ufw allow http; ufw allow https;"'; - $post_hook = ' --post-hook "ufw enable; ufw deny http; ufw deny https;"'; + $pre_hook = ' --pre-hook \"ufw enable; ufw allow http; ufw allow https;\"'; + $post_hook = ' --post-hook \"ufw enable; ufw deny http; ufw deny https;\"'; $hook = $pre_hook . $post_hook; // Get the default LE client name and version -- GitLab From 888a9bd3daf01ed5e7fbddeaa04d41737925b43d Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sun, 18 Aug 2019 08:47:05 +0200 Subject: [PATCH 14/56] Update installer_base.lib.php to fix ufw enable not running awaiting confirmation 'y' with --force. --- install/lib/installer_base.lib.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 10c6012eba..379e13f4f0 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -2388,9 +2388,9 @@ class installer_base { $webroot_path = $conf['ispconfig_install_dir'].'/interface/acme'; if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; - // Set pre-hook and post hook for standalone - $pre_hook = ' --pre-hook \"ufw enable; ufw allow http; ufw allow https;\"'; - $post_hook = ' --post-hook \"ufw enable; ufw deny http; ufw deny https;\"'; + // Set pre-hook and post hook for standalone non-webserver + $pre_hook = " --pre-hook \"ufw --force enable; ufw allow http; ufw allow https;\""; + $post_hook = " --post-hook \"ufw --force enable; ufw deny http; ufw deny https;\""; $hook = $pre_hook . $post_hook; // Get the default LE client name and version -- GitLab From 6d11ef6d9101708c72c2f3e76c7cc783ec54846a Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sun, 18 Aug 2019 08:48:46 +0200 Subject: [PATCH 15/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 379e13f4f0..a2ef30cf2e 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2389,7 +2389,7 @@ class installer_base { if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; // Set pre-hook and post hook for standalone non-webserver - $pre_hook = " --pre-hook \"ufw --force enable; ufw allow http; ufw allow https;\""; + $pre_hook = "--pre-hook \"ufw --force enable; ufw allow http; ufw allow https;\""; $post_hook = " --post-hook \"ufw --force enable; ufw deny http; ufw deny https;\""; $hook = $pre_hook . $post_hook; -- GitLab From d7cdd89f79458ac8d706b61722783317de93ebf4 Mon Sep 17 00:00:00 2001 
From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 19 Aug 2019 17:23:00 +0200 Subject: [PATCH 16/56] Update installer_base.lib.php to add check to UFW and install it if it is not installed and post-hook will only be added if the default closed port 80 (http). Port 443 (https) is dropped as it is not required for standalone. --- install/lib/installer_base.lib.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index a2ef30cf2e..f71f5f55bc 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2388,9 +2388,17 @@ class installer_base { $webroot_path = $conf['ispconfig_install_dir'].'/interface/acme'; if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; + // If there is no UFW, we need to install it + $ufw = explode("\n", shell_exec('which ufw /usr/sbin/ufw')); + $ufw = reset($ufw); + if (!is_executable($ufw)) + exec("apt-get -v &> /dev/null && apt-get -y ufw || yum install epel-release -y; yum install --enablerepo=\"epel\" ufw -y"); + + // Check if port 80 http is opened by default + $try=exec('true &>/dev/null Date: Tue, 20 Aug 2019 03:44:08 +0200 Subject: [PATCH 17/56] Add new file "letsencrypt_pre_hook.sh" to support letsencrypt standalone during ISPConfig installation or update for non-webservers. Webservers shall always use webroot. --- server/scripts/letsencrypt_pre_hook.sh | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 server/scripts/letsencrypt_pre_hook.sh diff --git a/server/scripts/letsencrypt_pre_hook.sh b/server/scripts/letsencrypt_pre_hook.sh new file mode 100644 index 0000000000..cad5eeb872 --- /dev/null +++ b/server/scripts/letsencrypt_pre_hook.sh 
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+### BEGIN INIT INFO
+# Provides: LETSENCRYPT PRE HOOK SCRIPT
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: LETSENCRYPT PRE HOOK SCRIPT
+# Description: To force open http port 80 to be used by letsencrypt client standlone command
+### END INIT INFO
+
+# Currently aimed at using ufw
+# You can add support to other firewall
+
+# For RHEL, Centos or derivatives
+if rpm -q ufw; then
+ ufw --force enable && ufw allow http
+fi
+
+# For Debian, Ubuntu or derivatives
+if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then
+ ufw --force enable && ufw allow http
+fi
-- GitLab From eadd3bd316557699b87eb46a9f534581893d72ce Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Tue, 20 Aug 2019 03:47:25 +0200 Subject: [PATCH 18/56] Add new file "letsencrypt_post_hook.sh" to support letsencrypt standalone during ISPConfig installation or update for non-webservers. Webservers shall always use webroot.
--- server/scripts/letsencrypt_post_hook.sh | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 server/scripts/letsencrypt_post_hook.sh
diff --git a/server/scripts/letsencrypt_post_hook.sh b/server/scripts/letsencrypt_post_hook.sh new file mode 100644
index 0000000000..ce37fe96a2
--- /dev/null
+++ b/server/scripts/letsencrypt_post_hook.sh
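Review bot: `ufw --force enable && ufw allow http` enables the firewall on any host where the ufw package is merely installed, including hosts where the administrator deliberately left it inactive; with ufw's default deny-incoming policy and no pre-existing allow rule for the SSH port, this runs as root from a certbot/acme.sh pre-hook and can cut off the installer's own session. Only adjust rules when ufw is already active and leave enabling it to the administrator: `if ufw status 2>/dev/null | grep -q '^Status: active'; then ufw allow http; fi`. The package checks (`rpm -q ufw`, `dpkg-query`) establish only that ufw is installed, not that it is the firewall in use, so a host running firewalld or plain nftables gains an extra, unexpected filtering layer. The `### BEGIN INIT INFO` block is an LSB init-script header, which does not apply to a hook invoked by a certificate client; a plain comment stating when and by what the script is run would be clearer. PATCH 18/56 (letsencrypt_post_hook.sh) has the same enable-then-deny shape.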
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+### BEGIN INIT INFO
+# Provides: LETSENCRYPT PRE HOOK SCRIPT
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: LETSENCRYPT PRE HOOK SCRIPT
+# Description: To force close http port 80 if it is by default closed, to be used by letsencrypt client standlone command
+### END INIT INFO
+
+# Currently aimed at using ufw
+# You can add support to other firewall
+
+# For RHEL, Centos or derivatives
+if rpm -q ufw; then
+ ufw --force enable && ufw deny http
+fi
+
+# For Debian, Ubuntu or derivatives
+if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then
+ ufw --force enable && ufw deny http
+fi
-- GitLab From a9cde6c56868d8f69fd41c2dd8ee4e24ab55acaf Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Tue, 20 Aug 2019 03:57:39 +0200 Subject: [PATCH 19/56] Update installer_base.lib.php to remove ufw and add letsencrypt pre and post hook scripts. Before ISPConfig is installed, a temporary link will be created for the scripts. The link will be removed and updated during install.
--- install/lib/installer_base.lib.php | 38 +++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 11 deletions(-)
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index f71f5f55bc..8feb7884f6 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
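Review bot: The header copied into letsencrypt_post_hook.sh still reads `# Provides: LETSENCRYPT PRE HOOK SCRIPT` and `# Short-Description: LETSENCRYPT PRE HOOK SCRIPT`, contradicting the `Description:` line and the file name; change both to `LETSENCRYPT POST HOOK SCRIPT`. The script also issues `ufw deny http` unconditionally, so if port 80 was open for another reason before issuance it is closed afterwards; a later patch gates the hook on a port-80 check in the caller, but the script itself would be safer if the pre-hook recorded the prior rule and this hook restored it rather than assuming "closed".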
@@ -2388,19 +2388,25 @@ class installer_base { $webroot_path = $conf['ispconfig_install_dir'].'/interface/acme'; if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; - // If there is no UFW, we need to install it - $ufw = explode("\n", shell_exec('which ufw /usr/sbin/ufw')); - $ufw = reset($ufw); - if (!is_executable($ufw)) - exec("apt-get -v &> /dev/null && apt-get -y ufw || yum install epel-release -y; yum install --enablerepo=\"epel\" ufw -y"); - - // Check if port 80 http is opened by default - $try=exec('true &>/dev/null /dev/null Date: Tue, 20 Aug 2019 04:08:46 +0200 Subject: [PATCH 20/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 8feb7884f6..fa04e8befd 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2393,8 +2393,12 @@ class installer_base { // Set pre-hook and post hook for standalone non-webserver $pre_hook = "--pre-hook \"letsencrypt_pre_hook.sh\""; - if ($port80_status == 'close') $post_hook = " --post-hook \"letsencrypt_post_hook.sh\""; else $post_hook = ''; - $hook = $pre_hook . $post_hook; + if ($port80_status == 'close') { + $post_hook = " --post-hook \"letsencrypt_post_hook.sh\""; + $hook = $pre_hook . $post_hook; + } + else + $hook = $pre_hook; // This script is needed earlier to check and open http port 80 or standalone might fail chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', 'root'); -- GitLab From b078908bb68ab7b21278ef4d0dba6476c031a82c Mon Sep 17 00:00:00 2001 
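Review bot: `$pre_hook = "--pre-hook \"letsencrypt_pre_hook.sh\""` passes the hook by bare name, so the certificate client resolves it through PATH at run time, and the context line below (`chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', 'root')`) shows the script living under `/tmp` during installation. certbot stores `--pre-hook`/`--post-hook` in the domain's renewal configuration and re-runs them as root on every renewal, so the name must keep resolving to a permanent, root-owned location after the installer's temporary tree is gone; a leftover link into a world-writable `/tmp` path (the temporary links described in PATCH 19/56's message) would let any local user supply the script that root executes. Reference the installed copy by absolute path instead, e.g. `$pre_hook = '--pre-hook ' . escapeshellarg($conf['ispconfig_install_dir'].'/server/scripts/letsencrypt_pre_hook.sh');` and the same for `$post_hook`, and make sure the temporary links are replaced rather than left behind. The enclosing function starts and ends outside the hunk.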
From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 26 Aug 2019 15:46:47 +0200 Subject: [PATCH 21/56] Update installer_base.lib.php to reorganize priority i.e. to attempt to use acme.sh first if it is available, only if it is not, then we attempt certbot, if the later then is available. --- install/lib/installer_base.lib.php | 95 +++++++++++++++--------------- 1 file changed, 48 insertions(+), 47 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index fa04e8befd..365a3ba1e8 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2359,7 +2359,6 @@ class installer_base { if(!@is_link($vhost_conf_enabled_dir.'/000-apps.vhost')) { symlink($vhost_conf_dir.'/apps.vhost', $vhost_conf_enabled_dir.'/000-apps.vhost'); } - } } @@ -2394,11 +2393,11 @@ class installer_base { // Set pre-hook and post hook for standalone non-webserver $pre_hook = "--pre-hook \"letsencrypt_pre_hook.sh\""; if ($port80_status == 'close') { - $post_hook = " --post-hook \"letsencrypt_post_hook.sh\""; - $hook = $pre_hook . $post_hook; + $post_hook = " --post-hook \"letsencrypt_post_hook.sh\""; + $hook = $pre_hook . $post_hook; } else - $hook = $pre_hook; + $hook = $pre_hook; // This script is needed earlier to check and open http port 80 or standalone might fail chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', 'root'); 
@@ -2407,9 +2406,9 @@ class installer_base { chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', 0700); // Make executable and temporary symlink letsencrypt pre and post hook script before install if(!is_link('/usr/local/bin/letsencrypt_pre_hook.sh')) - symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); + symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); if(!is_link('/usr/local/bin/letsencrypt_post_hook.sh')) - symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); + symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); // Get the default LE client name and version $le_client = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot')); 
@@ -2419,57 +2418,59 @@ class installer_base { $acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh')); $acme = reset($acme); - // Use LE certbot cleint if it is available - if(is_executable($le_client)) { - - $le_info = exec($le_client . ' --version 2>&1', $ret, $val); - if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) { - $le_version = $matches[2]; - } + // Attempt to use Neilpang acme.sh first, as it is now the preferred LE client + if (is_executable($acme)) { - // Define certbot commands - $acme_version = '--server https://acme-v0' . (($le_version >=0.22) ? '2' : '1') . '.api.letsencrypt.org/directory'; - $certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096'; - - // certbot choice of authenticator - $standalone_auth = '--authenticator standalone'; - $webroot_auth = '--authenticator webroot'; - - // certbot webroot arguments i.e. map for >=0.30 or path for <=0.29 - $webroot_map[$hostname] = $webroot_path; - if ($le_version >=0.30) - $webroot_args = '--webroot-map ' . 
escapeshellarg(str_replace(array('\r', '\n'), '', json_encode($webroot_map))); - else - $webroot_args = "-d $hostname --webroot-path $webroot_path"; - // If this is a webserver, we use webroot - if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) { - exec("$le_client $certonly $acme_version $webroot_auth --email postmaster@$hostname $webroot_args"); - } + if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) + exec("$acme --issue -d $hostname --webroot $webroot_path"); + // Else, it is not webserver, so we use standalone else - exec("$le_client $certonly $acme_version $standalone_auth --email postmaster@$hostname -d $hostname $hook"); + exec("$acme --issue --standalone -d $hostname $hook"); + + // Define LE certs name and path, then install them + if (!@is_dir($le_live_dir)) mkdir($le_live_dir, 0755, true); + $acme_cert = "--cert-file $le_live_dir/cert.pem"; + $acme_key = "--key-file $le_live_dir/privkey.pem"; + $acme_ca = "--ca-file $le_live_dir/chain.pem"; + $acme_chain = "--fullchain-file $le_live_dir/fullchain.pem"; + exec("$acme --install-cert -d $hostname $acme_cert $acme_key $acme_ca $acme_chain"); + // Else, we attempt to use the official LE certbot client certbot } else { - - // Else try use Neilpang acme.sh, also if it is available - if (is_executable($acme)) { - + + // But only if it is otherwise available + if(is_executable($le_client)) { + + // Get its version info due to be used for webroot arguement issues + $le_info = exec($le_client . ' --version 2>&1', $ret, $val); + if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) + $le_version = $matches[2]; + + // Define certbot commands + $acme_version = '--server https://acme-v0' . (($le_version >=0.22) ? '2' : '1') . 
'.api.letsencrypt.org/directory'; + $certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096'; + + // certbot choice of authenticator + $standalone_auth = '--authenticator standalone'; + $webroot_auth = '--authenticator webroot'; + + // certbot webroot arguments i.e. map for >=0.30 or path for <=0.29 + $webroot_map[$hostname] = $webroot_path; + if ($le_version >=0.30) + $webroot_args = '--webroot-map ' . escapeshellarg(str_replace(array('\r', '\n'), '', json_encode($webroot_map))); + else + $webroot_args = "-d $hostname --webroot-path $webroot_path"; + // If this is a webserver, we use webroot - if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) - exec("$acme --issue -d $hostname --webroot $webroot_path"); + if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) { + exec("$le_client $certonly $acme_version $webroot_auth --email postmaster@$hostname $webroot_args"); + } // Else, it is not webserver, so we use standalone else - exec("$acme --issue --standalone -d $hostname $hook"); + exec("$le_client $certonly $acme_version $standalone_auth --email postmaster@$hostname -d $hostname $hook"); - // Define LE certs name and path, then install them - if (!@is_dir($le_live_dir)) mkdir($le_live_dir, 0755, true); - $acme_cert = "--cert-file $le_live_dir/cert.pem"; - $acme_key = "--key-file $le_live_dir/privkey.pem"; - $acme_ca = "--ca-file $le_live_dir/chain.pem"; - $acme_chain = "--fullchain-file $le_live_dir/fullchain.pem"; - exec("$acme --install-cert -d $hostname $acme_cert $acme_key $acme_ca $acme_chain"); - } } } -- GitLab From 4b6fc7b8bf30816222847ff69d082c83c71ec4fa Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 26 Aug 2019 16:57:30 +0200 Subject: [PATCH 22/56] Update letsencrypt_pre_hook.sh to check for OS and other firewall or use iptables. Not fully tested. --- server/scripts/letsencrypt_pre_hook.sh | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) 
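Review bot: `$hostname`, `$webroot_path` and `$le_live_dir` are interpolated into the `exec()` command strings without `escapeshellarg()` on both the acme.sh path (`--issue -d $hostname --webroot $webroot_path`, `--install-cert ...`) and the certbot path (`--email postmaster@$hostname -d $hostname`), so a value containing shell metacharacters breaks the command or injects extra arguments; escaping each once, e.g. `$hostname_arg = escapeshellarg($hostname);`, and using the escaped form in every command fixes all call sites at once (`$webroot_args` already does this for the map variant but not for the `--webroot-path` variant). None of the `exec()` calls looks at the exit status, so a failed `--issue`, `certonly` or `--install-cert` is silent and the installer presumably falls through to the self-signed certificate with no log line saying why; pass `$ret` and log it. `$le_version` is only assigned when the `preg_match` succeeds and is then compared as a float (`$le_version >= 0.30`), which misorders versions like `0.31.1`; `version_compare($le_version, '0.30', '>=')` after defaulting `$le_version` to `'0'` is the robust form. `mkdir($le_live_dir, 0755, true)` creates the directory that will receive `privkey.pem`, and unless acme.sh restricts the file mode itself (not visible here) the key's permissions follow the umask, so `0700` on the directory or an explicit `chmod` to `0600` on the key after `--install-cert` would be safer. The enclosing method starts and ends outside the hunk.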
diff --git a/server/scripts/letsencrypt_pre_hook.sh b/server/scripts/letsencrypt_pre_hook.sh index cad5eeb872..35088ad962 100644 --- a/server/scripts/letsencrypt_pre_hook.sh +++ b/server/scripts/letsencrypt_pre_hook.sh @@ -10,15 +10,27 @@ # Description: To force open http port 80 to be used by letsencrypt client standlone command ### END INIT INFO -# Currently aimed at using ufw # You can add support to other firewall # For RHEL, Centos or derivatives -if rpm -q ufw; then - ufw --force enable && ufw allow http -fi - +if which yum &> /dev/null 2>&1 ; then + # If using firewalld + if [ rpm -q firewalld ] && [ `firewall-cmd --state` = running ]; then + firewall-cmd --zone=public --permanent --add-service=http + firewall-cmd --reload + # If using UFW + elif rpm -q ufw; then + ufw --force enable && ufw allow http + else + fi # For Debian, Ubuntu or derivatives -if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then - ufw --force enable && ufw allow http +elif apt-get -v >/dev/null 2>&1 ; then + # If using UFW + if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then + ufw --force enable && ufw allow http + fi +# Try iptables as a final attempt +else + iptables -I INPUT -p tcp --dport 80 -j ACCEPT + service iptables save fi -- GitLab From c675fa51cc36298eb1d236c73fbbb6525347c9a8 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 26 Aug 2019 16:57:33 +0200 Subject: [PATCH 23/56] Update letsencrypt_post_hook.sh to check for OS and other firewall or use iptables. Not fully tested. --- server/scripts/letsencrypt_post_hook.sh | 28 ++++++++++++++++++------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/server/scripts/letsencrypt_post_hook.sh b/server/scripts/letsencrypt_post_hook.sh index ce37fe96a2..924212e831 100644 --- a/server/scripts/letsencrypt_post_hook.sh +++ b/server/scripts/letsencrypt_post_hook.sh 
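Review bot: The new RHEL branch never runs as written: `if [ rpm -q firewalld ] && [ `firewall-cmd --state` = running ]` wraps the command in `[ ]`, so `test` receives the three words `rpm -q firewalld` and fails with "binary operator expected" instead of executing rpm, and the empty `else` followed directly by `fi` is a bash syntax error that prevents the whole script from parsing on every distribution, so port 80 is never opened and the standalone challenge fails wherever the port was closed. The same two defects are in the post-hook hunk of the next commit (`--remove-service=http`) and in the later renew-hook hunk that adds `if [ rpm -q pure-ftpd-mysql ]`. `ufw --force enable` on a host where ufw is installed but was never enabled switches on a default-deny inbound policy in the middle of certificate issuance, which can cut off remote administration; allowing http only when `ufw status` already reports it active is the safer form. The commit message says this is untested, so running `bash -n` over both hook scripts before merge would have caught the parse error.

```shell
if which yum >/dev/null 2>&1 ; then
	# If using firewalld
	if rpm -q firewalld >/dev/null 2>&1 && [ "$(firewall-cmd --state 2>/dev/null)" = running ]; then
		firewall-cmd --zone=public --permanent --add-service=http
		firewall-cmd --reload
	# If using UFW
	elif rpm -q ufw >/dev/null 2>&1; then
		ufw --force enable && ufw allow http
	fi
# … unchanged: Debian/Ubuntu branch and iptables fallback …
```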
@@ -10,15 +10,27 @@ # Description: To force close http port 80 if it is by default closed, to be used by letsencrypt client standlone command ### END INIT INFO -# Currently aimed at using ufw # You can add support to other firewall # For RHEL, Centos or derivatives -if rpm -q ufw; then - ufw --force enable && ufw deny http -fi - +if which yum &> /dev/null 2>&1 ; then + # If using firewalld + if [ rpm -q firewalld ] && [ `firewall-cmd --state` = running ]; then + firewall-cmd --zone=public --permanent --remove-service=http + firewall-cmd --reload + # If using UFW + elif rpm -q ufw; then + ufw --force enable && ufw deny http + else + fi # For Debian, Ubuntu or derivatives -if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then - ufw --force enable && ufw deny http -fi +elif apt-get -v >/dev/null 2>&1 ; then + # If using UFW + if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then + ufw --force enable && ufw deny http + fi +# Try iptables as a final attempt +else + iptables -D INPUT -p tcp --dport 80 -j ACCEPT + service iptables save +fi \ No newline at end of file -- GitLab From 65596d7cf349ae854233d811a08e856a22348803 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Wed, 11 Sep 2019 11:38:07 +0200 Subject: [PATCH 24/56] Update letsencrypt_post_hook.sh to change PRE to POST --- server/scripts/letsencrypt_post_hook.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/scripts/letsencrypt_post_hook.sh b/server/scripts/letsencrypt_post_hook.sh index 924212e831..74128b7c5b 100644 --- a/server/scripts/letsencrypt_post_hook.sh +++ b/server/scripts/letsencrypt_post_hook.sh 
@@ -1,12 +1,12 @@ #!/bin/bash ### BEGIN INIT INFO -# Provides: LETSENCRYPT PRE HOOK SCRIPT +# Provides: LETSENCRYPT POST HOOK SCRIPT # Required-Start: $local_fs $network # Required-Stop: $local_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 -# Short-Description: LETSENCRYPT PRE HOOK SCRIPT +# Short-Description: LETSENCRYPT POST HOOK SCRIPT # Description: To force close http port 80 if it is by default closed, to be used by letsencrypt client standlone command ### END INIT INFO -- GitLab From 6fa4eb113584fcfe0dc79c4a780ce5ed3012e9ec Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Wed, 11 Sep 2019 11:38:08 +0200 Subject: [PATCH 25/56] Update installer_base.lib.php to add renew-hook for the purpose of automatically re-creating ispserver.pem and re-extending it to other services and re-loading or re-starting that other services. In certbot and acme.sh --renew-hook won't be run until renewal. This added code however is not fully tested yet. --- install/lib/installer_base.lib.php | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 365a3ba1e8..64416bda6f 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2390,25 +2390,30 @@ class installer_base { // Check http port 80 status as it cannot be determined at post hook stage $port80_status=exec('true &>/dev/null =0.22) ? '2' : '1') . '.api.letsencrypt.org/directory'; $certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096'; - // certbot choice of authenticator $standalone_auth = '--authenticator standalone'; $webroot_auth = '--authenticator webroot'; 
@@ -2465,7 +2469,7 @@ class installer_base {
 // If this is a webserver, we use webroot
 if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) {
- exec("$le_client $certonly $acme_version $webroot_auth --email postmaster@$hostname $webroot_args");
+ exec("$le_client $certonly $acme_version $webroot_auth --email postmaster@$hostname $webroot_args $renew_hook");
 }
 // Else, it is not webserver, so we use standalone
 else
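Review bot: `$renew_hook` is appended to the certbot webroot command here, but its definition sits in the earlier hunk of this commit, which is garbled in this view, so I cannot confirm which flag it carries; if it is `--renew-hook` as the commit message says, certbot has deprecated that option in favour of `--deploy-hook`, which also fires after the initial issuance and would regenerate ispserver.pem immediately instead of waiting for the first renewal. Either way the hook path is interpolated into the shell string like the other arguments, so it should go through `escapeshellarg()` where it is defined. The enclosing method continues outside the hunk.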
@@ -2985,15 +2989,19 @@ class installer_base { if(!is_link('/usr/local/bin/ispconfig_update_from_dev.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update_from_dev.sh'); if(!is_link('/usr/local/bin/ispconfig_update.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update.sh'); - // Make executable then unlink and symlink letsencrypt pre and post hook scripts + // Make executable then unlink and symlink letsencrypt pre, post and renew hook scripts chown($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 'root'); chown($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 'root'); + chown($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 'root'); chmod($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 0700); chmod($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 0700); + chmod($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 0700); if(is_link('/usr/local/bin/letsencrypt_pre_hook.sh')) unlink('/usr/local/bin/letsencrypt_pre_hook.sh'); if(is_link('/usr/local/bin/letsencrypt_post_hook.sh')) unlink('/usr/local/bin/letsencrypt_post_hook.sh'); + if(is_link('/usr/local/bin/letsencrypt_renew_hook.sh')) unlink('/usr/local/bin/letsencrypt_renew_hook.sh'); symlink($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); symlink($install_dir.'/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); + symlink($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); //* Make the logs readable for the ispconfig user if(@is_file('/var/log/mail.log')) exec('chmod +r /var/log/mail.log'); -- GitLab From ca760c56d75e9a6634d60ed87e91a24dcd032b89 Mon Sep 17 00:00:00 2001 
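Review bot: `if(is_link(...)) unlink(...)` only clears a symlink, so if a regular file is ever left at `/usr/local/bin/letsencrypt_renew_hook.sh` (a `copy()`-based install, which this series switches to later, creates exactly such a file) the following `symlink()` fails with a PHP warning and the stale script keeps being executed by renewals; `if(file_exists($p) || is_link($p)) unlink($p);` covers both cases, and the same applies to the pre and post hook lines above it. `chown(..., 'root')` changes only the owner, which is fine given the `0700` mode and that the hook runs as root, but a one-line comment stating that expectation would help the next reader. The enclosing method continues outside the hunk.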
From: Hj Ahmad Rasyid Hj Ismail Date: Wed, 11 Sep 2019 11:39:46 +0200 Subject: [PATCH 26/56] Add new file to support the recreation of ispserver.pem after each and every successful ISPConfig Server LE SSL certs renewal for other related services and to reload or restart them thereafter. --- server/scripts/letsencrypt_renew_hook.sh | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 server/scripts/letsencrypt_renew_hook.sh diff --git a/server/scripts/letsencrypt_renew_hook.sh b/server/scripts/letsencrypt_renew_hook.sh new file mode 100644 index 0000000000..91570564ac --- /dev/null +++ b/server/scripts/letsencrypt_renew_hook.sh 
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+### BEGIN INIT INFO
+# Provides: LETSENCRYPT RENEW HOOK SCRIPT
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: LETSENCRYPT RENEW HOOK SCRIPT
+# Description: Taken from LE4ISPC code. To be used to update ispserver.pem automatically after ISPConfig LE SSL certs are renewed and to reload / restart important ISPConfig server services
+### END INIT INFO
+
+lelive=/etc/letsencrypt/live/$(hostname -f); if [ -d "$lelive" ]; then
+ cd /usr/local/ispconfig/interface/ssl; ibak=ispserver.*.bak; ipem=ispserver.pem; icrt=ispserver.crt; ikey=ispserver.key
+ if ls $ibak 1> /dev/null 2>&1; then rm $ibak; fi
+ if [ -e "$ipem" ]; then mv $ipem $ipem-$(date +"%y%m%d%H%M%S").bak; cat $ikey $icrt > $ipem; chmod 600 $ipem; fi
+ pureftpdpem=/etc/ssl/private/pure-ftpd.pem; if [ -e "$pureftpdpem" ]; then chmod 600 $pureftpdpem; fi
+ if [ $(dpkg-query -W -f='${Status}' pure-ftpd-mysql 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service pure-ftpd-mysql restart; fi
+ if [ $(dpkg-query -W -f='${Status}' monit 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service monit restart; fi
+ if [ $(dpkg-query -W -f='${Status}' postfix 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service postfix restart; fi
+ if [ $(dpkg-query -W -f='${Status}' dovecot-imapd 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service dovecot restart; fi
+ if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx restart; fi
+ if [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 restart; fi
+else echo `/bin/date` "Your Lets Encrypt SSL certs path for your ISPConfig server FQDN is missing.$line" >> /var/log/ispconfig/ispconfig.log; fi
\ No newline at end of file
-- GitLab From 05ddb0380c1503763a071ec45802592008bb4b59 Mon Sep 17 00:00:00 2001 
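Review bot: `cd /usr/local/ispconfig/interface/ssl;` is unchecked, so if that directory is missing the following `rm $ibak`, `mv` and `cat $ikey $icrt > $ipem` run in whatever directory the LE client invoked the hook from; use `cd /usr/local/ispconfig/interface/ssl || exit 1`. `cat $ikey $icrt > $ipem` creates the new pem, which contains the private key, with the caller's umask before the `chmod 600` on the next command, so a `umask 077` at the top of the script (or writing to a 600 temporary file and moving it into place) closes that window. `$line` in the final `echo` is never assigned and looks like a leftover from the LE4ISPC origin; drop it or replace it with a variable that exists. The script only consults `dpkg-query`, so on a RHEL-family host no service is restarted and the renewed certificate is never picked up (a later hunk in this series adds a yum branch). The file also lacks a trailing newline.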
From: Hj Ahmad Rasyid Hj Ismail Date: Wed, 11 Sep 2019 11:52:24 +0200 Subject: [PATCH 27/56] Update installer_base.lib.php to remove chmod, chown and symlink for letsencrypt_renew_hook.sh during install that was added earlier as it will not be required except until after LE SSL certs renewal. --- install/lib/installer_base.lib.php | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 64416bda6f..433a785421 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -2401,19 +2401,16 @@ class installer_base {
 $hook = $pre_hook . $renew_hook;
 // This script is needed earlier to check and open http port 80 or standalone might fail
+ // letsencrypt_renew_hook.sh is not needed as won't be called at this stage
 chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', 'root');
 chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', 'root');
- chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', 'root');
 chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', 0700);
 chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', 0700);
- chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', 0700);
 // Make executable and temporary symlink letsencrypt pre and post hook script before install
 if(!is_link('/usr/local/bin/letsencrypt_pre_hook.sh'))
 symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh');
 if(!is_link('/usr/local/bin/letsencrypt_post_hook.sh'))
 symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh');
- if(!is_link('/usr/local/bin/letsencrypt_renew_hook.sh'))
- symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh');
 // Get the default LE client name and version
 $le_client = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot'));
-- GitLab From 21e5b6c5928a02fbb3ff2aa8056670336a387be8 Mon Sep 17 00:00:00 2001 
From: Hj Ahmad Rasyid Hj Ismail Date: Sun, 6 Oct 2019 15:27:14 +0200 Subject: [PATCH 28/56] Update letsencrypt_renew_hook.sh to support Red Hat, Centos or its derivatives; as well as restarting mysql and/or mariadb as letsencrypt can be use to secure them as well. --- server/scripts/letsencrypt_renew_hook.sh | 36 +++++++++++++++++------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/server/scripts/letsencrypt_renew_hook.sh b/server/scripts/letsencrypt_renew_hook.sh index 91570564ac..927ea59697 100644 --- a/server/scripts/letsencrypt_renew_hook.sh +++ b/server/scripts/letsencrypt_renew_hook.sh 
@@ -11,14 +11,30 @@ ### END INIT INFO lelive=/etc/letsencrypt/live/$(hostname -f); if [ -d "$lelive" ]; then - cd /usr/local/ispconfig/interface/ssl; ibak=ispserver.*.bak; ipem=ispserver.pem; icrt=ispserver.crt; ikey=ispserver.key - if ls $ibak 1> /dev/null 2>&1; then rm $ibak; fi - if [ -e "$ipem" ]; then mv $ipem $ipem-$(date +"%y%m%d%H%M%S").bak; cat $ikey $icrt > $ipem; chmod 600 $ipem; fi - pureftpdpem=/etc/ssl/private/pure-ftpd.pem; if [ -e "$pureftpdpem" ]; then chmod 600 $pureftpdpem; fi - if [ $(dpkg-query -W -f='${Status}' pure-ftpd-mysql 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service pure-ftpd-mysql restart; fi - if [ $(dpkg-query -W -f='${Status}' monit 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service monit restart; fi - if [ $(dpkg-query -W -f='${Status}' postfix 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service postfix restart; fi - if [ $(dpkg-query -W -f='${Status}' dovecot-imapd 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service dovecot restart; fi - if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx restart; fi - if [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 restart; fi + cd /usr/local/ispconfig/interface/ssl; ibak=ispserver.*.bak; ipem=ispserver.pem; icrt=ispserver.crt; ikey=ispserver.key + if ls $ibak 1> /dev/null 2>&1; then rm $ibak; fi + if [ -e "$ipem" ]; then mv $ipem $ipem-$(date +"%y%m%d%H%M%S").bak; cat $ikey $icrt > $ipem; chmod 600 $ipem; fi + pureftpdpem=/etc/ssl/private/pure-ftpd.pem; if [ -e "$pureftpdpem" ]; then chmod 600 $pureftpdpem; fi + # For Red Hat, Centos or derivatives + if which yum &> /dev/null 2>&1 ; then + if [ rpm -q pure-ftpd-mysql ]; then service pure-ftpd-mysql restart; fi + if [ rpm -q monit ]; then service monit restart; fi + if [ rpm -q postfix ]; then service postfix restart; fi + if [ rpm -q dovecot-imapd ]; then service dovecot restart; fi + if [ 
rpm -q mysql ]; then service mysql restart; fi + if [ rpm -q mariadb ]; then service mysql restart; fi + if [ rpm -q nginx ]; then service nginx restart; fi + if [ rpm -q apache2 ]; then service apache2 restart; fi + # For Debian, Ubuntu or derivatives + elif apt-get -v >/dev/null 2>&1 ; then + if [ $(dpkg-query -W -f='${Status}' pure-ftpd-mysql 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service pure-ftpd-mysql restart; fi + if [ $(dpkg-query -W -f='${Status}' monit 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service monit restart; fi + if [ $(dpkg-query -W -f='${Status}' postfix 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service postfix restart; fi + if [ $(dpkg-query -W -f='${Status}' dovecot-imapd 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service dovecot restart; fi + if [ $(dpkg-query -W -f='${Status}' mysql 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service mysql restart; fi + if [ $(dpkg-query -W -f='${Status}' mariadb 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service mysql restart; fi + if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx restart; fi + if [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 restart; fi + else + fi else echo `/bin/date` "Your Lets Encrypt SSL certs path for your ISPConfig server FQDN is missing.$line" >> /var/log/ispconfig/ispconfig.log; fi \ No newline at end of file -- GitLab From c073746b473d161782f35c0945bb574bf1c43f33 Mon Sep 17 00:00:00 2001 
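Review bot: The yum branch queries Debian package names — `dovecot-imapd`, `apache2`, `mysql` and `mariadb` are not, as far as I know, the package names used on RHEL/CentOS (typically `dovecot`, `httpd`, `mysql-server`/`mariadb-server`), and `service apache2 restart` has no matching service there, so even once the `rpm -q` tests execute most of these restarts are no-ops and the renewed certificate is not picked up; testing for the service itself (`service X status` or the systemd unit) instead of the package name would work on both families. Both the `mysql` and `mariadb` hits restart `service mysql`, and a full `restart` of the database, mail and web services for a certificate change is more disruptive than a `reload`, which postfix, nginx, apache and dovecot typically support for re-reading certificates. A comment on the branch saying which distributions it was verified on would help, given the commit message marks it untested.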
From: Hj Ahmad Rasyid Hj Ismail Date: Sun, 6 Oct 2019 16:02:59 +0200 Subject: [PATCH 29/56] Update installer_base.lib.php to attend to comment https://git.ispconfig.org/ispconfig/ispconfig3/merge_requests/911#note_69118. Not sure if this could fix the compatibality for php5.3 which is still supported by current version of ISPConfig but seems that solution is being used in interface/lib/classes/functions.inc.php. This suggestion solution for php5.3 is not tested.
---
 install/lib/installer_base.lib.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 433a785421..816e041766 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -2371,7 +2371,14 @@ class installer_base {
 // Check dns a record exist and its ip equal to server public ip
 $svr_ip = file_get_contents('http://dynamicdns.park-your-domain.com/getip');
- if (checkdnsrr(idn_to_ascii($hostname, IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46), 'A')) {
+ if(function_exists('idn_to_ascii')) {
+ if(defined('IDNA_NONTRANSITIONAL_TO_ASCII') && defined('INTL_IDNA_VARIANT_UTS46') && constant('IDNA_NONTRANSITIONAL_TO_ASCII')) {
+ $hostname = idn_to_ascii($hostname, IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46);
+ } else {
+ $hostname = idn_to_ascii($hostname);
+ }
+ }
+ if (checkdnsrr($hostname, 'A')) {
 $dnsa=dns_get_record($hostname, DNS_A);
 $dns_ips = array();
 foreach ($dnsa as $rec) {
-- GitLab From 29916922e94aa8d87d56d09123da4b19f53dbf02 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Thu, 9 Jan 2020 13:27:46 +0100 Subject: [PATCH 30/56] Update installer_base.lib.php
---
 install/lib/installer_base.lib.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 816e041766..6b99e42499 100644
--- a/install/lib/installer_base.lib.php
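Review bot: `idn_to_ascii()` returns `false` when conversion fails, and both new branches assign that straight into `$hostname`, so `checkdnsrr(false, 'A')` runs and an empty hostname would reach the `-d $hostname` command lines further down; guard it with `$ascii = idn_to_ascii(...); if ($ascii !== false) $hostname = $ascii;`. The third condition, `constant('IDNA_NONTRANSITIONAL_TO_ASCII')`, only re-tests that the constant is non-zero and adds nothing over the `defined()` checks; dropping it and adding a one-line comment (`// use the UTS46 variant where intl provides it; the 2003 variant is deprecated on PHP 7.2+`) makes the intent clearer. When `function_exists('idn_to_ascii')` is false the raw, possibly non-ASCII hostname is used unchanged, which deserves a comment since the certificate commands below assume an ASCII name. The enclosing method continues outside the hunk.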
+++ b/install/lib/installer_base.lib.php
@@ -2408,16 +2408,19 @@ class installer_base {
 $hook = $pre_hook . $renew_hook;
 // This script is needed earlier to check and open http port 80 or standalone might fail
- // letsencrypt_renew_hook.sh is not needed as won't be called at this stage
 chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', 'root');
 chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', 'root');
+ chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', 'root');
 chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', 0700);
 chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', 0700);
+ chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', 0700);
 // Make executable and temporary symlink letsencrypt pre and post hook script before install
 if(!is_link('/usr/local/bin/letsencrypt_pre_hook.sh'))
 symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh');
 if(!is_link('/usr/local/bin/letsencrypt_post_hook.sh'))
 symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh');
+ if(!is_link('/usr/local/bin/letsencrypt_renew_hook.sh'))
+ symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh');
 // Get the default LE client name and version
 $le_client = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot'));
-- GitLab From ae5080a27ec818cb02d8250cbb17f8e669665348 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Thu, 9 Jan 2020 14:23:31 +0100 Subject: [PATCH 31/56] Update installer_base.lib.php
---
 install/lib/installer_base.lib.php | 26 +++++++++++++------------- 
 1 file changed, 13 insertions(+), 13 deletions(-) 
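Review bot: The renew hook is symlinked from `/usr/local/bin` to a script under `/tmp/ispconfig3_install/`, and unlike the pre and post hooks, which fire during this install run, the renew hook is not executed until the first renewal weeks later, by which time the `/tmp` tree has typically been removed and the link dangles, so the renewal succeeds but ispserver.pem is never refreshed. The hook runs as root, so resolving it through a world-writable top-level directory is also a weaker trust boundary than a root-owned file; a `copy()` into `/usr/local/bin` followed by `chmod 0700` (as the series later does for all three hooks) is the better form. The enclosing method continues outside the hunk.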
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 6b99e42499..6c80407361 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2394,19 +2394,6 @@ class installer_base { $webroot_path = $conf['ispconfig_install_dir'].'/interface/acme'; if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; - // Check http port 80 status as it cannot be determined at post hook stage - $port80_status=exec('true &>/dev/null /dev/null Date: Sat, 11 Jan 2020 02:05:58 +0100 Subject: [PATCH 32/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 6c80407361..67583955d1 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -2402,21 +2402,21 @@ class installer_base { chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', 0700); chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', 0700); // Make executable and temporary symlink letsencrypt pre and post hook script before install - if(!is_link('/usr/local/bin/letsencrypt_pre_hook.sh')) + if(!file_exists('/usr/local/bin/letsencrypt_pre_hook.sh')) symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); - if(!is_link('/usr/local/bin/letsencrypt_post_hook.sh')) + if(!file_exists('/usr/local/bin/letsencrypt_post_hook.sh')) symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); - if(!is_link('/usr/local/bin/letsencrypt_renew_hook.sh')) + if(!file_exists('/usr/local/bin/letsencrypt_renew_hook.sh')) symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); // Check http port 80 status as it cannot be determined at post hook stage $port80_status=exec('true &>/dev/null Date: Sat, 11 Jan 2020 02:26:52 +0100 Subject: [PATCH 33/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 67583955d1..c5d0a6cefc 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -2395,19 +2395,19 @@ class installer_base { if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; // This script is needed earlier to check and open http port 80 or standalone might fail - chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', 'root'); - chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', 'root'); - chown('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', 'root'); - chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', 0700); - chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', 0700); - chmod('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', 0700); + chown($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 'root'); + chown($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 'root'); + chown($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 'root'); + chmod($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 0700); + chmod($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 0700); + chmod($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 0700); // Make executable and temporary symlink letsencrypt pre and post hook script before install if(!file_exists('/usr/local/bin/letsencrypt_pre_hook.sh')) - symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); + symlink($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); if(!file_exists('/usr/local/bin/letsencrypt_post_hook.sh')) - symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); + symlink($install_dir.'/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); if(!file_exists('/usr/local/bin/letsencrypt_renew_hook.sh')) - symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); + 
symlink($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); // Check http port 80 status as it cannot be determined at post hook stage $port80_status=exec('true &>/dev/null Date: Sat, 11 Jan 2020 03:33:25 +0100 Subject: [PATCH 34/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 1 + 1 file changed, 1 insertion(+) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index c5d0a6cefc..eaf8b25d20 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2395,6 +2395,7 @@ class installer_base { if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; // This script is needed earlier to check and open http port 80 or standalone might fail + $install_dir = $conf['ispconfig_install_dir']; chown($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 'root'); chown($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 'root'); chown($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 'root'); -- GitLab From fc3312822ea37f79cadb2ff52485c83487360834 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 11 Jan 2020 03:46:38 +0100 Subject: [PATCH 35/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index eaf8b25d20..0e9dd30314 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
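Review bot: `$install_dir = $conf['ispconfig_install_dir'];` makes the chown/chmod/symlink lines below it point at scripts under the final install directory, yet elsewhere in this series the hook scripts are taken from `/tmp/ispconfig3_install`, so on a fresh install where `$install_dir/server/scripts` has not been populated yet these calls target non-existent files and only emit PHP warnings (I cannot see the call order from here, so please confirm). If the install-dir copy is expected to exist at this stage, a `file_exists()` guard with a logged message would make a missing script visible instead of a silent warning. The enclosing method continues outside the hunk.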
@@ -2395,20 +2395,16 @@ class installer_base { if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; // This script is needed earlier to check and open http port 80 or standalone might fail - $install_dir = $conf['ispconfig_install_dir']; - chown($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 'root'); - chown($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 'root'); - chown($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 'root'); - chmod($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 0700); - chmod($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 0700); - chmod($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 0700); - // Make executable and temporary symlink letsencrypt pre and post hook script before install - if(!file_exists('/usr/local/bin/letsencrypt_pre_hook.sh')) - symlink($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); - if(!file_exists('/usr/local/bin/letsencrypt_post_hook.sh')) - symlink($install_dir.'/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); - if(!file_exists('/usr/local/bin/letsencrypt_renew_hook.sh')) - symlink($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); + // Make executable and temporary copy latest letsencrypt pre, post and renew hook script before install + copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); + copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); + copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); + chown('/usr/local/bin/letsencrypt_pre_hook.sh', 'root'); + chown('/usr/local/bin/letsencrypt_post_hook.sh', 'root'); + chown('/usr/local/bin/letsencrypt_renew_hook.sh', 'root'); + chmod('/usr/local/bin/letsencrypt_pre_hook.sh', 0700); + 
chmod('/usr/local/bin/letsencrypt_post_hook.sh', 0700); + chmod('/usr/local/bin/letsencrypt_renew_hook.sh', 0700); // Check http port 80 status as it cannot be determined at post hook stage $port80_status=exec('true &>/dev/null Date: Sat, 11 Jan 2020 04:21:20 +0100 Subject: [PATCH 36/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 0e9dd30314..18bb09061b 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
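Review bot: copy() onto a destination that is still a symlink from an earlier install (the lines this hunk removes created exactly such links in /usr/local/bin) writes through the link into its old target instead of replacing it, and none of the copy()/chown()/chmod() return values are checked, so a failed copy silently leaves whatever was there to be executed by certbot as root. Remove the destination first and fail loudly: `@unlink($dst); if(!copy($src, $dst)) die("cannot install $dst");` before the chown()/chmod() pair. The comment still calls this a "temporary copy" although nothing in the visible code removes the files afterwards. The enclosing method starts and ends outside the hunk.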
@@ -2396,9 +2396,12 @@ class installer_base { // This script is needed earlier to check and open http port 80 or standalone might fail // Make executable and temporary copy latest letsencrypt pre, post and renew hook script before install - copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); - copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); - copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); + if (file_exists('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh')) + copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); + if (file_exists('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh')) + copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); + if (file_exists('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh')) + copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); chown('/usr/local/bin/letsencrypt_pre_hook.sh', 'root'); chown('/usr/local/bin/letsencrypt_post_hook.sh', 'root'); chown('/usr/local/bin/letsencrypt_renew_hook.sh', 'root'); -- GitLab From 59660471b618748a9f9e891110f3f266175c8388 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sat, 11 Jan 2020 04:52:39 +0100 Subject: [PATCH 37/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 18bb09061b..3e55428840 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
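Review bot: The new file_exists() guards only skip the copy; the chown()/chmod() calls on the `/usr/local/bin/` paths that follow still run unconditionally, so when a source script is missing they warn on a non-existent file, and if an older hook is already installed there it quietly stays in place with whatever content it had. Either put the chown/chmod inside the same guard, `if(file_exists($src) && copy($src, $dst)) { chown($dst, 'root'); chmod($dst, 0700); }`, or treat a missing source as an installation error instead of falling back to the stale file. The enclosing method starts and ends outside the hunk.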
@@ -2395,13 +2395,13 @@ class installer_base { if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; // This script is needed earlier to check and open http port 80 or standalone might fail - // Make executable and temporary copy latest letsencrypt pre, post and renew hook script before install + // Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install if (file_exists('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh')) - copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); + symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); if (file_exists('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh')) - copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); + symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); if (file_exists('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh')) - copy('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); + symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); chown('/usr/local/bin/letsencrypt_pre_hook.sh', 'root'); chown('/usr/local/bin/letsencrypt_post_hook.sh', 'root'); chown('/usr/local/bin/letsencrypt_renew_hook.sh', 'root'); -- GitLab From 20cf54a301c41b93595a74507bddccde0bc36d6f Mon Sep 17 00:00:00 2001 
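Review bot: Going back from copy() to symlink() makes /usr/local/bin/letsencrypt_*_hook.sh, which certbot executes as root on every renewal, resolve into `/tmp/ispconfig3_install/...`; /tmp is world-writable, so once the installer tree is deleted the link is dead, and any local user who recreates that path afterwards decides what root runs. The chown()/chmod() calls below operate on the link target, not on the link, and do not change that. Keep the copy() approach of the previous revision (the scripts are a few hundred bytes) and apply `chmod 0700` to the copies in /usr/local/bin, or at least link to a root-owned location such as `$conf['ispconfig_install_dir']` rather than /tmp. The enclosing method starts and ends outside the hunk.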
From: Hj Ahmad Rasyid Hj Ismail Date: Sun, 31 May 2020 13:11:12 +0200 Subject: [PATCH 38/56] Update installer_base.lib.php as ISPConfig must be able to be installed from various position and not limited to /tmp/ as advised in !904/#note_72907. Therefore the necessary changes are made. --- install/lib/installer_base.lib.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 3e55428840..68a33806bc 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -2396,12 +2396,12 @@ class installer_base { // This script is needed earlier to check and open http port 80 or standalone might fail // Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install - if (file_exists('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh')) - symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); - if (file_exists('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh')) - symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); - if (file_exists('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh')) - symlink('/tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); + if (file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_pre_hook.sh')) + symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); + if (file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_post_hook.sh')) + symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); + if (file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_renew_hook.sh')) + symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); chown('/usr/local/bin/letsencrypt_pre_hook.sh', 'root'); chown('/usr/local/bin/letsencrypt_post_hook.sh', 'root'); chown('/usr/local/bin/letsencrypt_renew_hook.sh', 'root'); -- GitLab From a83a61b7c1fa93f8b2d0608e5c78439b32a9a240 Mon Sep 17 00:00:00 2001 
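Review bot: `dirname(getcwd())` assumes the installer is always started from its `install/` subdirectory; when it is run as `php /path/to/install/install.php` from elsewhere the file_exists() checks fail and no hooks are installed, without any message. Derive the path from the file instead, `$src_dir = dirname(dirname(__DIR__));` (this file lives in install/lib/), and since the extracted archive is normally removed after installation, copy the scripts into /usr/local/bin rather than symlinking into a tree that will disappear, otherwise the next `certbot renew` runs with a dangling pre/post hook. The enclosing method starts and ends outside the hunk.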
From: Hj Ahmad Rasyid Hj Ismail Date: Sun, 31 May 2020 13:14:23 +0200 Subject: [PATCH 39/56] Update uninstall.php to remove (unlink) all letsencrypt post, pre and renew hook script from /usr/local/bin. This is important so the future reinstallation of the scripts via ISPConfig will work. While at these I found two other ISPConfig scripts (ispconfig_patch and ispconfig_update_from_dev.sh) not removed but I won't add them here as I think they have a different function and I am not sure whether they should be removed (unlink). --- install/uninstall.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/install/uninstall.php b/install/uninstall.php index c565d4653d..6ff695decc 100644 --- a/install/uninstall.php +++ b/install/uninstall.php @@ -88,6 +88,9 @@ if($do_uninstall == 'yes') { exec('rm -rf /usr/local/ispconfig'); // Delete various other files + @unlink("/usr/local/bin/letsencrypt_post_hook.sh"); + @unlink("/usr/local/bin/letsencrypt_pre_hook.sh"); + @unlink("/usr/local/bin/letsencrypt_renew_hook.sh"); @unlink("/usr/local/bin/ispconfig_update.sh"); @unlink("/usr/local/bin/ispconfig_update_from_svn.sh"); @unlink("/var/spool/mail/ispconfig"); -- GitLab From 577771182182833521627284fe27da3a06b2288f Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Sun, 31 May 2020 13:17:04 +0200 Subject: [PATCH 40/56] Update letsencrypt_renew_hook.sh as dovecot-imapd is just dovecot in Red Hat / Centos as advised in https://git.ispconfig.org/ms217. --- server/scripts/letsencrypt_renew_hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/scripts/letsencrypt_renew_hook.sh b/server/scripts/letsencrypt_renew_hook.sh index 927ea59697..07881fda03 100644 --- a/server/scripts/letsencrypt_renew_hook.sh +++ b/server/scripts/letsencrypt_renew_hook.sh 
@@ -20,7 +20,7 @@ lelive=/etc/letsencrypt/live/$(hostname -f); if [ -d "$lelive" ]; then
 if [ rpm -q pure-ftpd-mysql ]; then service pure-ftpd-mysql restart; fi
 if [ rpm -q monit ]; then service monit restart; fi
 if [ rpm -q postfix ]; then service postfix restart; fi
- if [ rpm -q dovecot-imapd ]; then service dovecot restart; fi
+ if [ rpm -q dovecot ]; then service dovecot restart; fi
 if [ rpm -q mysql ]; then service mysql restart; fi
 if [ rpm -q mariadb ]; then service mysql restart; fi
 if [ rpm -q nginx ]; then service nginx restart; fi
-- GitLab
From e1e79f3f9122ca269f29640f24a058a23be31721 Mon Sep 17 00:00:00 2001
From: Hj Ahmad Rasyid Hj Ismail
Date: Tue, 2 Jun 2020 15:12:19 +0200
Subject: [PATCH 41/56] Update letsencrypt_renew_hook.sh to make adjustments / fixes for RHEL and Centos as advised in https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/911#note_73115
---
 server/scripts/letsencrypt_renew_hook.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/server/scripts/letsencrypt_renew_hook.sh b/server/scripts/letsencrypt_renew_hook.sh
index 07881fda03..768cba70e9 100644
--- a/server/scripts/letsencrypt_renew_hook.sh
+++ b/server/scripts/letsencrypt_renew_hook.sh
@@ -17,14 +17,15 @@ lelive=/etc/letsencrypt/live/$(hostname -f); if [ -d "$lelive" ]; then pureftpdpem=/etc/ssl/private/pure-ftpd.pem; if [ -e "$pureftpdpem" ]; then chmod 600 $pureftpdpem; fi # For Red Hat, Centos or derivatives if which yum &> /dev/null 2>&1 ; then - if [ rpm -q pure-ftpd-mysql ]; then service pure-ftpd-mysql restart; fi + if [ rpm -q pure-ftpd ]; then service pure-ftpd restart; fi if [ rpm -q monit ]; then service monit restart; fi if [ rpm -q postfix ]; then service postfix restart; fi if [ rpm -q dovecot ]; then service dovecot restart; fi - if [ rpm -q mysql ]; then service mysql restart; fi - if [ rpm -q mariadb ]; then service mysql restart; fi + if [ rpm -q mysql-server ]; then service mysqld restart; fi + if [ rpm -q mariadb-server ]; then service mariadb restart; fi + if [ rpm -q MariaDB-server ]; then service mysql restart; fi if [ rpm -q nginx ]; then service nginx restart; fi - if [ rpm -q apache2 ]; then service apache2 restart; fi + if [ rpm -q httpd ]; then service httpd restart; fi # For Debian, Ubuntu or derivatives elif apt-get -v >/dev/null 2>&1 ; then if [ $(dpkg-query -W -f='${Status}' pure-ftpd-mysql 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service pure-ftpd-mysql restart; fi -- GitLab From c92fee15a55752cd28ae7b093fa7be26f62b3895 Mon Sep 17 00:00:00 2001 From: Marius Burkard Date: Mon, 7 Sep 2020 13:54:23 +0200 Subject: [PATCH 42/56] Update letsencrypt_post_hook.sh --- server/scripts/letsencrypt_post_hook.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/server/scripts/letsencrypt_post_hook.sh b/server/scripts/letsencrypt_post_hook.sh index 74128b7c5b..d0be339979 100644 --- a/server/scripts/letsencrypt_post_hook.sh +++ b/server/scripts/letsencrypt_post_hook.sh 
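Review bot: Every `if [ rpm -q <pkg> ]` in the RHEL branch is a test(1) expression rather than a command: `[` receives the three words `rpm`, `-q`, `<pkg>` and fails with "binary operator expected", so none of the restart lines ever executes, and the package-name corrections in this hunk do not change that. Write each check as `if rpm -q pure-ftpd >/dev/null 2>&1; then service pure-ftpd restart; fi` (likewise for monit, postfix, dovecot, the three database variants, nginx and httpd). Prefer `reload` where the daemon supports it; a hard restart of the database server on every certificate renewal is a visible outage for every hosted site.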
@@ -10,6 +10,16 @@ # Description: To force close http port 80 if it is by default closed, to be used by letsencrypt client standlone command ### END INIT INFO +## WE DISABLED THIS DUE TO ISSUES. IF YOU WANT TO USE IT, COPY THIS FILE TO +## /usr/local/ispconfig/server/conf-custom/scripts/ +## AND REMOVE THIS CODE PART +if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh" ]] ; then + . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh ; +fi +exit 0; +## END OF CODE PART + + # You can add support to other firewall # For RHEL, Centos or derivatives -- GitLab From 7d2533cdd0d6d51be8f0736a88166d6ef64e8451 Mon Sep 17 00:00:00 2001 From: Marius Burkard Date: Mon, 7 Sep 2020 13:54:54 +0200 Subject: [PATCH 43/56] Update letsencrypt_pre_hook.sh --- server/scripts/letsencrypt_pre_hook.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/server/scripts/letsencrypt_pre_hook.sh b/server/scripts/letsencrypt_pre_hook.sh index 35088ad962..909832050b 100644 --- a/server/scripts/letsencrypt_pre_hook.sh +++ b/server/scripts/letsencrypt_pre_hook.sh @@ -10,6 +10,15 @@ # Description: To force open http port 80 to be used by letsencrypt client standlone command ### END INIT INFO +## WE DISABLED THIS DUE TO ISSUES. IF YOU WANT TO USE IT, COPY THIS FILE TO +## /usr/local/ispconfig/server/conf-custom/scripts/ +## AND REMOVE THIS CODE PART +if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh" ]] ; then + . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh ; +fi +exit 0; +## END OF CODE PART + # You can add support to other firewall # For RHEL, Centos or derivatives -- GitLab From 2f4fa5b6f1947a661934c2b7f4db9305e722a470 Mon Sep 17 00:00:00 2001 From: Marius Burkard Date: Mon, 7 Sep 2020 13:55:25 +0200 Subject: [PATCH 44/56] Update letsencrypt_renew_hook.sh --- server/scripts/letsencrypt_renew_hook.sh | 9 +++++++++ 1 file changed, 9 insertions(+) 
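Review bot: The added block `.`-sources `/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh` into a script that certbot runs as root, with nothing but an `-e` check; a file that root executes should at least be verified as root-owned and not group/world-writable before sourcing, e.g. `f=/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh; if [[ -f "$f" && -O "$f" && "$(stat -c %a "$f")" =~ ^[0-7][0-5][0-5]$ ]]; then . "$f"; fi`. Note also that the unconditional `exit 0;` makes the firewall cleanup below unreachable, so if a pre hook from an earlier release still opens port 80 it is never closed again; if the two hooks are meant to be disabled together, the header comment should say so.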
diff --git a/server/scripts/letsencrypt_renew_hook.sh b/server/scripts/letsencrypt_renew_hook.sh index 768cba70e9..f71bdbcdc2 100644 --- a/server/scripts/letsencrypt_renew_hook.sh +++ b/server/scripts/letsencrypt_renew_hook.sh @@ -10,6 +10,15 @@ # Description: Taken from LE4ISPC code. To be used to update ispserver.pem automatically after ISPConfig LE SSL certs are renewed and to reload / restart important ISPConfig server services ### END INIT INFO +## WE DISABLED THIS DUE TO ISSUES. IF YOU WANT TO USE IT, COPY THIS FILE TO +## /usr/local/ispconfig/server/conf-custom/scripts/ +## AND REMOVE THIS CODE PART +if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ]] ; then + . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh ; +fi +exit 0; +## END OF CODE PART + lelive=/etc/letsencrypt/live/$(hostname -f); if [ -d "$lelive" ]; then cd /usr/local/ispconfig/interface/ssl; ibak=ispserver.*.bak; ipem=ispserver.pem; icrt=ispserver.crt; ikey=ispserver.key if ls $ibak 1> /dev/null 2>&1; then rm $ibak; fi -- GitLab From 13b4487ec7f46fd3829485b55c8e368e085db990 Mon Sep 17 00:00:00 2001 From: Marius Burkard Date: Mon, 7 Sep 2020 14:07:28 +0200 Subject: [PATCH 45/56] Update installer_base.lib.php --- install/lib/installer_base.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 34045c4cf0..ecc984fc30 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2664,7 +2664,7 @@ class installer_base { global $conf, $autoinstall; //* Get hostname from user entry or shell command */ - if($conf['hostname'] !== ('localhost' || '')) $hostname = $conf['hostname']; + if($conf['hostname'] !== 'localhost' && $conf['hostname'] !== '') $hostname = $conf['hostname']; else $hostname = exec('hostname -f'); // Check dns a record exist and its ip equal to server public ip -- GitLab 
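Review bot: With the corrected condition `$hostname` is now taken verbatim from the user-entered `$conf['hostname']` whenever it is non-empty and not 'localhost', and elsewhere in this series it is interpolated unquoted into exec() command lines (`-d $hostname`, `--email postmaster@$hostname`); nothing visible validates it as a hostname. Reject anything that is not a DNS name before it reaches a shell, e.g. `if(!preg_match('/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i', $hostname)) die('Invalid hostname: ' . $hostname);`, and wrap it in escapeshellarg() at the exec() call sites. The enclosing method continues outside the hunk.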
From 1053fd85651cb993e06090fc510f6b595b470d4b Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 7 Sep 2020 18:59:47 +0200 Subject: [PATCH 46/56] Update letsencrypt_pre_hook.sh to stop web server if any exist because standalone needs to use http port 80 in case the web server is installed later. --- server/scripts/letsencrypt_pre_hook.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/server/scripts/letsencrypt_pre_hook.sh b/server/scripts/letsencrypt_pre_hook.sh index 909832050b..aad5d5191d 100644 --- a/server/scripts/letsencrypt_pre_hook.sh +++ b/server/scripts/letsencrypt_pre_hook.sh @@ -21,6 +21,11 @@ exit 0; # You can add support to other firewall +# Check if web server software is installed, stop it if any +if [ rpm -q nginx ]; then service nginx stop; fi +if [ rpm -q httpd ]; then service httpd stop; fi + + # For RHEL, Centos or derivatives if which yum &> /dev/null 2>&1 ; then # If using firewalld -- GitLab From 20420dbbf8e1284e9da0a39cd9905f4c8e073f5c Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 7 Sep 2020 19:04:23 +0200 Subject: [PATCH 47/56] Update letsencrypt_pre_hook.sh --- server/scripts/letsencrypt_pre_hook.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/server/scripts/letsencrypt_pre_hook.sh b/server/scripts/letsencrypt_pre_hook.sh index aad5d5191d..dd9784187b 100644 --- a/server/scripts/letsencrypt_pre_hook.sh +++ b/server/scripts/letsencrypt_pre_hook.sh 
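Review bot: The two new lines are inserted below the unconditional `exit 0;` that the hunk header shows as context (`@@ -21,6 +21,11 @@ exit 0;`), so at this revision they are never reached. They are also written as `if [ rpm -q nginx ]`, a three-word test(1) expression that always fails with "binary operator expected"; a working form is `if rpm -q nginx >/dev/null 2>&1; then service nginx stop; fi`. Stopping a production web server in a pre hook means every scheduled `certbot renew` takes all hosted sites offline; when nginx/httpd is installed the webroot authenticator avoids the stop entirely and the stop/start pair should be limited to hosts without a web server.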
@@ -21,13 +21,11 @@ exit 0; # You can add support to other firewall -# Check if web server software is installed, stop it if any -if [ rpm -q nginx ]; then service nginx stop; fi -if [ rpm -q httpd ]; then service httpd stop; fi - - # For RHEL, Centos or derivatives if which yum &> /dev/null 2>&1 ; then + # Check if web server software is installed, stop it if any + if [ rpm -q nginx ]; then service nginx stop; fi + if [ rpm -q httpd ]; then service httpd stop; fi # If using firewalld if [ rpm -q firewalld ] && [ `firewall-cmd --state` = running ]; then firewall-cmd --zone=public --permanent --add-service=http @@ -39,6 +37,9 @@ if which yum &> /dev/null 2>&1 ; then fi # For Debian, Ubuntu or derivatives elif apt-get -v >/dev/null 2>&1 ; then + # Check if web server software is installed, stop it if any + if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx restart; fi + if [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 restart; fi # If using UFW if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then ufw --force enable && ufw allow http -- GitLab From 4cdc64e51f209a46367372434d7752abf701646e Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 7 Sep 2020 19:05:04 +0200 Subject: [PATCH 48/56] Update letsencrypt_pre_hook.sh --- server/scripts/letsencrypt_pre_hook.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/server/scripts/letsencrypt_pre_hook.sh b/server/scripts/letsencrypt_pre_hook.sh index dd9784187b..d45fc38413 100644 --- a/server/scripts/letsencrypt_pre_hook.sh +++ b/server/scripts/letsencrypt_pre_hook.sh 
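Review bot: The Debian branch's comment says "stop it" but the commands are `service nginx restart` / `service apache2 restart`, so the web server is back on port 80 by the time certbot's standalone listener binds and the challenge fails with "address already in use". Beyond the typo, stopping the web server in a pre hook turns every renewal into an outage for every hosted site; where nginx/apache2 is installed use the webroot (or `--nginx`/`--apache`) authenticator and keep the stop/start dance for hosts without a web server. The RHEL branch carries the same `[ rpm -q nginx ]` form, which is a test expression that never succeeds.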
@@ -13,10 +13,10 @@ ## WE DISABLED THIS DUE TO ISSUES. IF YOU WANT TO USE IT, COPY THIS FILE TO ## /usr/local/ispconfig/server/conf-custom/scripts/ ## AND REMOVE THIS CODE PART -if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh" ]] ; then - . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh ; -fi -exit 0; +## if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh" ]] ; then +## . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh ; +## fi +## exit 0; ## END OF CODE PART # You can add support to other firewall -- GitLab From e260a9047521c2fd90ed6a677d321c4ef3894912 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 7 Sep 2020 19:15:26 +0200 Subject: [PATCH 49/56] Update letsencrypt_pre_hook.sh --- server/scripts/letsencrypt_pre_hook.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/scripts/letsencrypt_pre_hook.sh b/server/scripts/letsencrypt_pre_hook.sh index d45fc38413..0320555114 100644 --- a/server/scripts/letsencrypt_pre_hook.sh +++ b/server/scripts/letsencrypt_pre_hook.sh @@ -38,8 +38,8 @@ if which yum &> /dev/null 2>&1 ; then # For Debian, Ubuntu or derivatives elif apt-get -v >/dev/null 2>&1 ; then # Check if web server software is installed, stop it if any - if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx restart; fi - if [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 restart; fi + if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx stop; fi + if [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 stop; fi # If using UFW if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then ufw --force enable && ufw allow http -- GitLab 
From b976ba2d1e1e5f5816b19762638bd8bfe6c1ee85 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 7 Sep 2020 19:39:08 +0200 Subject: [PATCH 50/56] Update letsencrypt_pre_hook.sh --- server/scripts/letsencrypt_pre_hook.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/server/scripts/letsencrypt_pre_hook.sh b/server/scripts/letsencrypt_pre_hook.sh index 0320555114..e061c3bc31 100644 --- a/server/scripts/letsencrypt_pre_hook.sh +++ b/server/scripts/letsencrypt_pre_hook.sh @@ -30,20 +30,18 @@ if which yum &> /dev/null 2>&1 ; then if [ rpm -q firewalld ] && [ `firewall-cmd --state` = running ]; then firewall-cmd --zone=public --permanent --add-service=http firewall-cmd --reload - # If using UFW - elif rpm -q ufw; then - ufw --force enable && ufw allow http - else fi + # If using UFW + if [ rpm -q ufw ]; then ufw --force enable && ufw allow http; fi + # For Debian, Ubuntu or derivatives elif apt-get -v >/dev/null 2>&1 ; then # Check if web server software is installed, stop it if any if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx stop; fi if [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 stop; fi # If using UFW - if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then - ufw --force enable && ufw allow http - fi + if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then ufw --force enable && ufw allow http; fi + # Try iptables as a final attempt else iptables -I INPUT -p tcp --dport 80 -j ACCEPT -- GitLab From 89e91646df4b548e4b5f9f272d846ead773985b6 Mon Sep 17 00:00:00 2001 
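Review bot: `ufw --force enable && ufw allow http`, now present in both branches, switches the firewall on even where the administrator had deliberately left it disabled; ufw's default inbound policy is deny, so on a host without an existing ssh rule this pre hook can cut off remote access the moment certbot runs. Only add the rule when ufw is already active and leave enabling it to the administrator: `if ufw status 2>/dev/null | grep -q '^Status: active'; then ufw allow http; fi`. The RHEL line additionally uses `if [ rpm -q ufw ]`, a test(1) expression that never evaluates true, so it is dead code as written.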
From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 7 Sep 2020 19:48:00 +0200 Subject: [PATCH 51/56] Update letsencrypt_post_hook.sh to check for web server if any exist because we cannot close http port 80 in case the web server is installed later. We also need to restart it if web server exist since it is close in pre hook. --- server/scripts/letsencrypt_post_hook.sh | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/server/scripts/letsencrypt_post_hook.sh b/server/scripts/letsencrypt_post_hook.sh index d0be339979..26b02e621b 100644 --- a/server/scripts/letsencrypt_post_hook.sh +++ b/server/scripts/letsencrypt_post_hook.sh @@ -13,10 +13,10 @@ ## WE DISABLED THIS DUE TO ISSUES. IF YOU WANT TO USE IT, COPY THIS FILE TO ## /usr/local/ispconfig/server/conf-custom/scripts/ ## AND REMOVE THIS CODE PART -if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh" ]] ; then - . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh ; -fi -exit 0; +## if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh" ]] ; then +## . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh ; +## fi +## exit 0; ## END OF CODE PART 
@@ -24,20 +24,23 @@ exit 0; # For RHEL, Centos or derivatives if which yum &> /dev/null 2>&1 ; then + # Check if web server software is installed, start it if any + if [ rpm -q nginx ]; then service nginx start + elif [ rpm -q httpd ]; then service httpd start # If using firewalld - if [ rpm -q firewalld ] && [ `firewall-cmd --state` = running ]; then + elif [ rpm -q firewalld ] && [ `firewall-cmd --state` = running ]; then firewall-cmd --zone=public --permanent --remove-service=http firewall-cmd --reload # If using UFW - elif rpm -q ufw; then - ufw --force enable && ufw deny http - else + else; if [ rpm -q ufw ]; then ufw --force enable && ufw deny http; fi fi # For Debian, Ubuntu or derivatives elif apt-get -v >/dev/null 2>&1 ; then + # Check if web server software is installed, stop it if any + if [ $(dpkg-query -W -f='${Status}' nginx 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service nginx start + elif [ $(dpkg-query -W -f='${Status}' apache2 2>/dev/null | grep -c "ok installed") -eq 1 ]; then service apache2 start # If using UFW - if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then - ufw --force enable && ufw deny http + else; if [ $(dpkg-query -W -f='${Status}' ufw 2>/dev/null | grep -c "ok installed") -eq 1 ]; then ufw --force enable && ufw deny http; fi fi # Try iptables as a final attempt else -- GitLab From 3e8f11acfafc97b61d77829e648c1f2275caa453 Mon Sep 17 00:00:00 2001 From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 7 Sep 2020 21:02:49 +0200 Subject: [PATCH 52/56] Update installer_base.lib.php to drop webroot solution and add nginx and apache options. To add support for IPV6 and to find solution to check public IP. To note that the main reason to check public IP is that creating or renewing Let's Encrypt may fail. --- install/lib/installer_base.lib.php | 43 ++++++++++++------------------ 1 file changed, 17 insertions(+), 26 deletions(-) 
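Review bot: `else; if [ rpm -q ufw ] ...` (and the same construct in the Debian branch) is a bash syntax error — `else` may not be followed by `;` — so after this change the post hook no longer parses and certbot's run aborts on it. Drop the semicolon and use a real command test, `else if rpm -q ufw >/dev/null 2>&1; then ufw deny http; fi`, and fix `[ rpm -q nginx ]` / `[ rpm -q httpd ]` the same way, as `[` cannot run a command. Making the firewall cleanup an `elif` of the web-server check also means the http rule the pre hook added is never removed on hosts that have nginx/httpd installed; if that is intended (the web server needs port 80 anyway) a one-line comment saying so would save the next reader the puzzle.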
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index ecc984fc30..fa6ad8adfd 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -2689,8 +2689,8 @@ class installer_base { if (!@is_dir($le_live_dir) && in_array($svr_ip, $dns_ips)) { // Set webroot path for all ISPConfig server LE certs - $webroot_path = $conf['ispconfig_install_dir'].'/interface/acme'; - if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; + // $webroot_path = $conf['ispconfig_install_dir'].'/interface/acme'; + // if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; // This script is needed earlier to check and open http port 80 or standalone might fail // Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install @@ -2732,9 +2732,14 @@ class installer_base { if (is_executable($acme)) { // If this is a webserver, we use webroot - if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) - exec("$acme --issue -d $hostname --webroot $webroot_path $renew_hook"); - + // if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) + // exec("$acme --issue -d $hostname --webroot $webroot_path $renew_hook"); + if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) { + if($conf['nginx']['installed'] == true) + exec("$acme --issue --nginx -d $hostname $renew_hook"); + else($conf['apache']['installed'] == true) + exec("$acme --issue --apache -d $hostname $renew_hook"); + } // Else, it is not webserver, so we use standalone else exec("$acme --issue --standalone -d $hostname $hook"); 
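Review bot: `else($conf['apache']['installed'] == true)` in the acme.sh branch is a PHP parse error (`else` followed by a parenthesised expression and then `exec(...)` without a separator); it must be `elseif($conf['apache']['installed'] == true)`, and since the outer `if` already established that one of the two is installed a plain `else` is enough. Be aware that acme.sh's `--nginx`/`--apache` modes rewrite the live web-server configuration to answer the challenge, which on an ISPConfig-managed vhost set is more intrusive than the webroot path this hunk comments out; I cannot see whether the rest of the method restores the configuration on failure. The enclosing method starts and ends outside the hunk.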
@@ -2752,33 +2757,19 @@ class installer_base { // But only if it is otherwise available if(is_executable($le_client)) { - - // Get its version info due to be used for webroot arguement issues - $le_info = exec($le_client . ' --version 2>&1', $ret, $val); - if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) - $le_version = $matches[2]; - + // Define certbot commands $acme_version = '--server https://acme-v0' . (($le_version >=0.22) ? '2' : '1') . '.api.letsencrypt.org/directory'; $certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096'; - // certbot choice of authenticator - $standalone_auth = '--authenticator standalone'; - $webroot_auth = '--authenticator webroot'; - - // certbot webroot arguments i.e. map for >=0.30 or path for <=0.29 - $webroot_map[$hostname] = $webroot_path; - if ($le_version >=0.30) - $webroot_args = '--webroot-map ' . escapeshellarg(str_replace(array('\r', '\n'), '', json_encode($webroot_map))); - else - $webroot_args = "-d $hostname --webroot-path $webroot_path"; - // If this is a webserver, we use webroot - if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) { - exec("$le_client $certonly $acme_version $webroot_auth --email postmaster@$hostname $webroot_args $renew_hook"); - } + // If this is a webserver + if($conf['nginx']['installed'] == true) + exec("$le_client $certonly $acme_version --nginx --email postmaster@$hostname $renew_hook"); + elseif($conf['apache']['installed'] == true) + exec("$le_client $certonly $acme_version --apache --email postmaster@$hostname $renew_hook"); // Else, it is not webserver, so we use standalone else - exec("$le_client $certonly $acme_version $standalone_auth --email postmaster@$hostname -d $hostname $hook"); + exec("$le_client $certonly $acme_version --standalone --email postmaster@$hostname -d $hostname $hook"); } } -- GitLab From 792d496571157c17f08aaeff9689ca7496aeef8a Mon Sep 17 00:00:00 2001 
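Review bot: The hunk deletes the `certbot --version` probe, but `$acme_version` on the next kept line still tests `$le_version >=0.22`; `$le_version` is now undefined, the comparison is false, and every request is sent to the legacy `acme-v01` directory that Let's Encrypt has been retiring. The new `--nginx`/`--apache` invocations also dropped `-d $hostname`, which combined with `--non-interactive` leaves certbot with no domain to issue for, while the standalone branch still passes it. Restore the probe (defaulting to the v02 directory when it cannot be read), add the domain to all three branches, and pass `$hostname` through escapeshellarg() since it is user-entered elsewhere in this file. The enclosing method starts and ends outside the hunk.

```php
// certbot >= 0.22 speaks ACMEv2; if the version cannot be read assume a current client
$le_version = 0.22;
$le_info = exec($le_client . ' --version 2>&1', $ret, $val);
if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) {
    $le_version = $matches[2];
}
$acme_version = '--server https://acme-v0' . (($le_version >= 0.22) ? '2' : '1') . '.api.letsencrypt.org/directory';
$certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096';
$domain = '-d ' . escapeshellarg($hostname);
$email = '--email ' . escapeshellarg('postmaster@' . $hostname);
if($conf['nginx']['installed'] == true)
    exec("$le_client $certonly $acme_version --nginx $email $domain $renew_hook");
elseif($conf['apache']['installed'] == true)
    exec("$le_client $certonly $acme_version --apache $email $domain $renew_hook");
else
    exec("$le_client $certonly $acme_version --standalone $email $domain $hook");
```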
From: Hj Ahmad Rasyid Hj Ismail Date: Mon, 7 Sep 2020 21:05:12 +0200 Subject: [PATCH 53/56] Update letsencrypt_renew_hook.sh to note that this script won't affect anything as it will only help to recreate ispserver.pem file only if Let's Encrypt certificates are there. --- server/scripts/letsencrypt_renew_hook.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/server/scripts/letsencrypt_renew_hook.sh b/server/scripts/letsencrypt_renew_hook.sh index f71bdbcdc2..4421a9a46f 100644 --- a/server/scripts/letsencrypt_renew_hook.sh +++ b/server/scripts/letsencrypt_renew_hook.sh @@ -13,10 +13,10 @@ ## WE DISABLED THIS DUE TO ISSUES. IF YOU WANT TO USE IT, COPY THIS FILE TO ## /usr/local/ispconfig/server/conf-custom/scripts/ ## AND REMOVE THIS CODE PART -if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ]] ; then - . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh ; -fi -exit 0; +## if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ]] ; then +## . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh ; +## fi +## exit 0; ## END OF CODE PART lelive=/etc/letsencrypt/live/$(hostname -f); if [ -d "$lelive" ]; then -- GitLab From 438e3367263f65055539f5b6f2fcb0d56b873702 Mon Sep 17 00:00:00 2001 From: Marius Burkard Date: Tue, 8 Sep 2020 12:02:12 +0200 Subject: [PATCH 54/56] - replace external service --- install/lib/installer_base.lib.php | 152 ++++++++++++++++++++--------- 1 file changed, 105 insertions(+), 47 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index ecc984fc30..9c9e593cd3 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -1,7 +1,7 @@ curl_request('https://ispconfig.org/remoteip.php', false); + $svr_ip6 = $this->curl_request('https://ispconfig.org/remoteip.php', true); + if(function_exists('idn_to_ascii')) { if(defined('IDNA_NONTRANSITIONAL_TO_ASCII') && defined('INTL_IDNA_VARIANT_UTS46') && constant('IDNA_NONTRANSITIONAL_TO_ASCII')) { $hostname = idn_to_ascii($hostname, IDNA_NONTRANSITIONAL_TO_ASCII, INTL_IDNA_VARIANT_UTS46); 
@@ -2676,69 +2714,87 @@ class installer_base { $hostname = idn_to_ascii($hostname); } } + $dns_ips = array(); if (checkdnsrr($hostname, 'A')) { $dnsa=dns_get_record($hostname, DNS_A); - $dns_ips = array(); - foreach ($dnsa as $rec) { - $dns_ips[] = $rec['ip']; + if($dnsa) { + foreach ($dnsa as $rec) { + $dns_ips[] = $rec['ip']; + } + } + } + if (checkdnsrr($hostname, 'AAAA')) { + $dnsaaaa=dns_get_record($hostname, DNS_AAAA); + if($dnsaaaa) { + foreach ($dnsaaaa as $rec) { + $dns_ips[] = $rec['ip']; + } } } // Request for certs if no LE SSL folder for server fqdn exist $le_live_dir = '/etc/letsencrypt/live/' . $hostname; - if (!@is_dir($le_live_dir) && in_array($svr_ip, $dns_ips)) { + if (!@is_dir($le_live_dir) && ( + ($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)) + )) { // Set webroot path for all ISPConfig server LE certs $webroot_path = $conf['ispconfig_install_dir'].'/interface/acme'; - if (!@is_dir($webroot_path)) $webroot_path = '/var/www/html'; - + if(!@is_dir($webroot_path)) { + $webroot_path = '/var/www/html'; + } + // This script is needed earlier to check and open http port 80 or standalone might fail // Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install - if (file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_pre_hook.sh')) + if(file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_pre_hook.sh')) { symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); - if (file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_post_hook.sh')) + } + if(file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_post_hook.sh')) { symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); - if (file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_renew_hook.sh')) + } + if(file_exists(dirname(getcwd()) . 
'/server/scripts/letsencrypt_renew_hook.sh')) { symlink(dirname(getcwd()) . '/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); + } chown('/usr/local/bin/letsencrypt_pre_hook.sh', 'root'); chown('/usr/local/bin/letsencrypt_post_hook.sh', 'root'); chown('/usr/local/bin/letsencrypt_renew_hook.sh', 'root'); chmod('/usr/local/bin/letsencrypt_pre_hook.sh', 0700); chmod('/usr/local/bin/letsencrypt_post_hook.sh', 0700); chmod('/usr/local/bin/letsencrypt_renew_hook.sh', 0700); - + // Check http port 80 status as it cannot be determined at post hook stage $port80_status=exec('true &>/dev/null &1', $ret, $val); - if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) + if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) { $le_version = $matches[2]; - + } + // Define certbot commands $acme_version = '--server https://acme-v0' . (($le_version >=0.22) ? '2' : '1') . '.api.letsencrypt.org/directory'; $certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096'; @@ -2767,19 +2824,20 @@ class installer_base { // certbot webroot arguments i.e. map for >=0.30 or path for <=0.29 $webroot_map[$hostname] = $webroot_path; - if ($le_version >=0.30) + if ($le_version >=0.30) { $webroot_args = '--webroot-map ' . escapeshellarg(str_replace(array('\r', '\n'), '', json_encode($webroot_map))); - else + } else { $webroot_args = "-d $hostname --webroot-path $webroot_path"; + } // If this is a webserver, we use webroot if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) { exec("$le_client $certonly $acme_version $webroot_auth --email postmaster@$hostname $webroot_args $renew_hook"); } // Else, it is not webserver, so we use standalone - else + else { exec("$le_client $certonly $acme_version $standalone_auth --email postmaster@$hostname -d $hostname $hook"); - + } } } } 
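Review bot: The new AAAA loop reads `$rec['ip']`, but PHP's `dns_get_record()` returns IPv6 addresses under the `ipv6` key, so every AAAA record pushes `null` into `$dns_ips` and the `$svr_ip6 && in_array($svr_ip6, $dns_ips)` half of the new guard can never be true; a host that is reachable only over IPv6, or whose A record is not its own address, never requests a certificate. The fix is one line in that loop: `$dns_ips[] = $rec['ipv6'];`. Separately, `symlink()` fails with a warning when `/usr/local/bin/letsencrypt_*_hook.sh` already exists from an earlier run, so the following `chown`/`chmod` calls act on whatever the stale link points to; checking `is_link()` and unlinking first, as the comment on the update path in a later hunk (`// Make executable then unlink and symlink …`) suggests that path does, would make the install path idempotent. The enclosing method starts before and ends after this hunk.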
@@ -2822,46 +2880,46 @@ class installer_base { rename($ssl_key_file, $ssl_key_file.'.secure'); rename($ssl_key_file.'.insecure', $ssl_key_file); } - + // Build ispserver.pem file and chmod it exec("cat $ssl_key_file $ssl_crt_file > $ssl_pem_file; chmod 600 $ssl_pem_file"); - + // Extend LE SSL certs to postfix if ($conf['postfix']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig LE SSL certs to postfix?', array('y', 'n'), 'y')) == 'y') { - + // Define folder, file(s) $cf = $conf['postfix']; $postfix_dir = $cf['config_dir']; if(!is_dir($postfix_dir)) $this->error("The postfix configuration directory '$postfix_dir' does not exist."); $smtpd_crt = $postfix_dir.'/smtpd.cert'; $smtpd_key = $postfix_dir.'/smtpd.key'; - + // Backup existing postfix ssl files if (file_exists($smtpd_crt)) rename($smtpd_crt, $smtpd_crt . '-' .$date->format('YmdHis') . '.bak'); if (file_exists($smtpd_key)) rename($smtpd_key, $smtpd_key . '-' .$date->format('YmdHis') . '.bak'); - + // Create symlink to ISPConfig SSL files symlink($ssl_crt_file, $smtpd_crt); symlink($ssl_key_file, $smtpd_key); } - + // Extend LE SSL certs to pureftpd if ($conf['pureftpd']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig LE SSL certs to pureftpd? Creating dhparam file takes some times.', array('y', 'n'), 'y')) == 'y') { - + // Define folder, file(s) $pureftpd_dir = '/etc/ssl/private'; if(!is_dir($pureftpd_dir)) mkdir($pureftpd_dir, 0755, true); $pureftpd_pem = $pureftpd_dir.'/pure-ftpd.pem'; - + // Backup existing pureftpd ssl files if (file_exists($pureftpd_pem)) rename($pureftpd_pem, $pureftpd_pem . '-' .$date->format('YmdHis') . '.bak'); - + // Create symlink to ISPConfig SSL files symlink($ssl_pem_file, $pureftpd_pem); if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem")) exec("cd $pureftpd_dir; openssl dhparam -out dhparam2048.pem 2048; ln -sf dhparam2048.pem pure-ftpd-dhparams.pem"); } - + exec("chown -R root:root $ssl_dir"); } 
@@ -3284,7 +3342,7 @@ class installer_base { chmod($install_dir.'/server/scripts/ispconfig_update.sh', 0700); if(!is_link('/usr/local/bin/ispconfig_update_from_dev.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update_from_dev.sh'); if(!is_link('/usr/local/bin/ispconfig_update.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update.sh'); - + // Make executable then unlink and symlink letsencrypt pre, post and renew hook scripts chown($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 'root'); chown($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 'root'); @@ -3298,7 +3356,7 @@ class installer_base { symlink($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh'); symlink($install_dir.'/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh'); symlink($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh'); - + //* Make the logs readable for the ispconfig user if(@is_file('/var/log/mail.log')) exec('chmod +r /var/log/mail.log'); if(@is_file('/var/log/mail.warn')) exec('chmod +r /var/log/mail.warn'); -- GitLab From 234c2fea6606b5f28b409697fd400cfc6f194701 Mon Sep 17 00:00:00 2001 From: Marius Burkard Date: Tue, 8 Sep 2020 12:07:01 +0200 Subject: [PATCH 55/56] - spare webroot variable --- install/lib/installer_base.lib.php | 9 --------- 1 file changed, 9 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 56021cbdb5..cf353925b3 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -2738,12 +2738,6 @@ class installer_base { ($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)) )) { - // Set webroot path for all ISPConfig server LE certs - $webroot_path = $conf['ispconfig_install_dir'].'/interface/acme'; - if(!@is_dir($webroot_path)) { - $webroot_path = '/var/www/html'; - } - // This script is needed earlier to check and open http port 80 or standalone might fail // Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install if(file_exists(dirname(getcwd()) . '/server/scripts/letsencrypt_pre_hook.sh')) { @@ -2786,9 +2780,6 @@ class installer_base { // Attempt to use Neilpang acme.sh first, as it is now the preferred LE client if (is_executable($acme)) { - // If this is a webserver, we use webroot - // if(($conf['nginx']['installed'] || $conf['apache']['installed']) == true) - // exec("$acme --issue -d $hostname --webroot $webroot_path $renew_hook"); if($conf['nginx']['installed'] == true) { exec("$acme --issue --nginx -d $hostname $renew_hook"); } elseif($conf['apache']['installed'] == true) { -- GitLab From 454754d6f02826cfd2f3184481b203c47bc45a34 Mon Sep 17 00:00:00 2001 From: Marius Burkard Date: Tue, 8 Sep 2020 12:46:54 +0200 Subject: [PATCH 56/56] - allow custom scripts for hooks --- server/scripts/letsencrypt_post_hook.sh | 12 ++++-------- server/scripts/letsencrypt_pre_hook.sh | 11 ++++------- server/scripts/letsencrypt_renew_hook.sh | 11 ++++------- 3 files changed, 12 insertions(+), 22 deletions(-) diff --git a/server/scripts/letsencrypt_post_hook.sh b/server/scripts/letsencrypt_post_hook.sh index 26b02e621b..02653f79a1 100644 --- a/server/scripts/letsencrypt_post_hook.sh +++ b/server/scripts/letsencrypt_post_hook.sh 
@@ -10,15 +10,11 @@ # Description: To force close http port 80 if it is by default closed, to be used by letsencrypt client standlone command ### END INIT INFO -## WE DISABLED THIS DUE TO ISSUES. IF YOU WANT TO USE IT, COPY THIS FILE TO +## If you need a custom hook file, create a file with the same name in ## /usr/local/ispconfig/server/conf-custom/scripts/ -## AND REMOVE THIS CODE PART -## if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh" ]] ; then -## . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh ; -## fi -## exit 0; -## END OF CODE PART - +if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh" ]] ; then + . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh && exit 0 || exit 1; +fi # You can add support to other firewall diff --git a/server/scripts/letsencrypt_pre_hook.sh b/server/scripts/letsencrypt_pre_hook.sh index e061c3bc31..56f246e803 100644 --- a/server/scripts/letsencrypt_pre_hook.sh +++ b/server/scripts/letsencrypt_pre_hook.sh @@ -10,14 +10,11 @@ # Description: To force open http port 80 to be used by letsencrypt client standlone command ### END INIT INFO -## WE DISABLED THIS DUE TO ISSUES. IF YOU WANT TO USE IT, COPY THIS FILE TO +## If you need a custom hook file, create a file with the same name in ## /usr/local/ispconfig/server/conf-custom/scripts/ -## AND REMOVE THIS CODE PART -## if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh" ]] ; then -## . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh ; -## fi -## exit 0; -## END OF CODE PART +if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh" ]] ; then + . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_pre_hook.sh && exit 0 || exit 1 ; +fi # You can add support to other firewall 
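Review bot: The restored include sources `/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh` with `.` after only an `-e` test, so whatever sits at that path runs inside the hook with the hook's own privileges (certbot hooks run as the user invoking certbot, normally root), and `-e` also passes for a directory, in which case `.` fails and the hook exits 1. Tightening the guard to a regular file owned by the invoking user, e.g. `custom=/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_post_hook.sh` followed by `if [[ -f "$custom" && -O "$custom" ]] ; then`, keeps a misplaced or group-writable file in that directory from being executed with those privileges; the same applies to the pre_hook hunk below and to the renew_hook hunk in the next file section. Note also that `. "$custom" && exit 0 || exit 1` reports the exit status of the custom script's last command, so a custom hook whose final command incidentally returns non-zero makes the whole hook report failure to certbot even though the script itself did its job.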
diff --git a/server/scripts/letsencrypt_renew_hook.sh b/server/scripts/letsencrypt_renew_hook.sh index 4421a9a46f..0a71f30d01 100644 --- a/server/scripts/letsencrypt_renew_hook.sh +++ b/server/scripts/letsencrypt_renew_hook.sh @@ -10,14 +10,11 @@ # Description: Taken from LE4ISPC code. To be used to update ispserver.pem automatically after ISPConfig LE SSL certs are renewed and to reload / restart important ISPConfig server services ### END INIT INFO -## WE DISABLED THIS DUE TO ISSUES. IF YOU WANT TO USE IT, COPY THIS FILE TO +## If you need a custom hook file, create a file with the same name in ## /usr/local/ispconfig/server/conf-custom/scripts/ -## AND REMOVE THIS CODE PART -## if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ]] ; then -## . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh ; -## fi -## exit 0; -## END OF CODE PART +if [[ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh" ]] ; then + . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_renew_hook.sh && exit 0 || exit 1; +fi lelive=/etc/letsencrypt/live/$(hostname -f); if [ -d "$lelive" ]; then cd /usr/local/ispconfig/interface/ssl; ibak=ispserver.*.bak; ipem=ispserver.pem; icrt=ispserver.crt; ikey=ispserver.key -- GitLab