Merge remote-tracking branch 'origin/master' into dns-editor

lib/classes/ssl/class.lescript.php

@@ -62,16 +62,23 @@ class lescript
 			$keys = $this->generateKey();
 			// Only store the accountkey in production, in staging always generate a new key
 			if (Settings::Get('system.letsencryptca') == 'production') {
-				$upd_stmt = Database::prepare("
-                    UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `lepublickey` = :public, `leprivatekey` = :private WHERE `customerid` = :customerid;
-                ");
-				Database::pexecute($upd_stmt, array(
-					'public' => $keys['public'],
-					'private' => $keys['private'],
-					'customerid' => $certrow['customerid']
-				));
+				$upd_stmt = Database::prepare(
+					"UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `lepublickey` = :public, `leprivatekey` = :private " .
+						 "WHERE `customerid` = :customerid;");
+				Database::pexecute($upd_stmt,
+					array(
+						'public' => $keys['public'],
+						'private' => $keys['private'],
+						'customerid' => $certrow['customerid']
+					));
 			}
 			$this->accountKey = $keys['private'];
+
+			$response = $this->postNewReg();
+			if ($this->client->getLastCode() != 201) {
+				throw new \RuntimeException("Account not initialized, probably due to rate limiting. Whole response: " . $response);
+			}
+
 			$this->postNewReg();
 			$this->log('New account certificate registered');
 		} else {
@@ -83,7 +90,7 @@ class lescript
 	public function signDomains(array $domains, $domainkey = null, $csr = null)
 	{
 		if (! $this->accountKey) {
-			throw new \RuntimeException("Account not initiated");
+			throw new \RuntimeException("Account not initialized");
 		}
 
 		$this->log('Starting certificate generation process for domains');
@@ -101,13 +108,14 @@ class lescript
 
 			$this->log("Requesting challenge for $domain");
 
-			$response = $this->signedRequest("/acme/new-authz", array(
-				"resource" => "new-authz",
-				"identifier" => array(
-					"type" => "dns",
-					"value" => $domain
-				)
-			));
+			$response = $this->signedRequest("/acme/new-authz",
+				array(
+					"resource" => "new-authz",
+					"identifier" => array(
+						"type" => "dns",
+						"value" => $domain
+					)
+				));
 
 			// if response is not an array but a string, it's most likely a server-error, e.g.
 			// <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>An error occurred while processing your request.
@@ -121,9 +129,10 @@ class lescript
 			}
 
 			// choose http-01 challenge only
-			$challenge = array_reduce($response['challenges'], function ($v, $w) {
-				return $v ? $v : ($w['type'] == 'http-01' ? $w : false);
-			});
+			$challenge = array_reduce($response['challenges'],
+				function ($v, $w) {
+					return $v ? $v : ($w['type'] == 'http-01' ? $w : false);
+				});
 			if (! $challenge)
 				throw new RuntimeException("HTTP Challenge for $domain is not available. Whole response: " . json_encode($response));
 
@@ -145,8 +154,7 @@ class lescript
 				"e" => Base64UrlSafeEncoder::encode($accountKeyDetails["rsa"]["e"]),
 				"kty" => "RSA",
 				"n" => Base64UrlSafeEncoder::encode($accountKeyDetails["rsa"]["n"])
-			)
-			;
+			);
 			$payload = $challenge['token'] . '.' . Base64UrlSafeEncoder::encode(hash('sha256', json_encode($header), true));
 
 			file_put_contents($tokenPath, $payload);
@@ -174,12 +182,13 @@ class lescript
 			$this->log("Sending request to challenge");
 
 			// send request to challenge
-			$result = $this->signedRequest($challenge['uri'], array(
-				"resource" => "challenge",
-				"type" => "http-01",
-				"keyAuthorization" => $payload,
-				"token" => $challenge['token']
-			));
+			$result = $this->signedRequest($challenge['uri'],
+				array(
+					"resource" => "challenge",
+					"type" => "http-01",
+					"keyAuthorization" => $payload,
+					"token" => $challenge['token']
+				));
 
 			// waiting loop
 			// we wait for a maximum of 30 seconds to avoid endless loops
@@ -218,9 +227,7 @@ class lescript
 
 		$this->client->getLastLinks();
 
-		if (empty($csrfile) || Settings::Get('system.letsencryptreuseold') == 0) {
-			$csr = $this->generateCSR($privateDomainKey, $domains);
-		}
+		$csr = $this->generateCSR($privateDomainKey, $domains);
 
 		// request certificates creation
 		$result = $this->signedRequest("/acme/new-cert", array(
@@ -306,7 +313,8 @@ class lescript
 		$tmpConfPath = $tmpConfMeta["uri"];
 
 		// workaround to get SAN working
-		fwrite($tmpConf, 'HOME = .
+		fwrite($tmpConf,
+			'HOME = .
 RANDFILE = $ENV::HOME/.rnd
 [ req ]
 default_bits = ' . Settings::Get('system.letsencryptkeysize') . '
@@ -320,15 +328,16 @@ basicConstraints = CA:FALSE
 subjectAltName = ' . $san . '
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment');
 
-		$csr = openssl_csr_new(array(
-			"CN" => $domain,
-			"ST" => Settings::Get('system.letsencryptstate'),
-			"C" => Settings::Get('system.letsencryptcountrycode'),
-			"O" => "Unknown"
-		), $privateKey, array(
-			"config" => $tmpConfPath,
-			"digest_alg" => "sha256"
-		));
+		$csr = openssl_csr_new(
+			array(
+				"CN" => $domain,
+				"ST" => Settings::Get('system.letsencryptstate'),
+				"C" => Settings::Get('system.letsencryptcountrycode'),
+				"O" => "Unknown"
+			), $privateKey, array(
+				"config" => $tmpConfPath,
+				"digest_alg" => "sha256"
+			));
 
 		if (! $csr)
 			throw new \RuntimeException("CSR couldn't be generated! " . openssl_error_string());
@@ -343,10 +352,11 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment');
 
 	private function generateKey()
 	{
-		$res = openssl_pkey_new(array(
-			"private_key_type" => OPENSSL_KEYTYPE_RSA,
-			"private_key_bits" => (int) Settings::Get('system.letsencryptkeysize')
-		));
+		$res = openssl_pkey_new(
+			array(
+				"private_key_type" => OPENSSL_KEYTYPE_RSA,
+				"private_key_bits" => (int) Settings::Get('system.letsencryptkeysize')
+			));
 
 		if (! openssl_pkey_export($res, $privateKey)) {
 			throw new \RuntimeException("Key export failed!");

lib/configfiles/jessie.xml

@@ -40,14 +40,14 @@
 							</visibility>
 							<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
 						</command>
-						<command><![CDATA[a2dismod userdir]]></command>
-						<command><![CDATA[a2enmod headers]]></command>
 					</commands>
 				</general>
 				<!-- HTTP Apache -->
 				<daemon name="apache" version="2.4" title="Apache 2.4" default="true">
 					<install><![CDATA[apt-get install apache2]]></install>
 					<include>//service[@type='http']/general/commands</include>
+					<command><![CDATA[a2dismod userdir]]></command>
+					<command><![CDATA[a2enmod headers]]></command>
 					<command>
 						<visibility mode="true">{{settings.phpfpm.enabled}}
 						</visibility>
@@ -4022,7 +4022,7 @@ aliases:     files
 					<command><![CDATA[/etc/init.d/nscd restart]]></command>
 					<!-- clear group chache -->
 					<command><![CDATA[nscd --invalidate=group]]></command>
-					<file /><!-- separate the following mkdir command from the previous nscd -->
+					<!-- @TODO separate the following mkdir command from the previous nscd -->
 					<command>
 						<visibility mode="notisdir">/etc/insserv/overrides</visibility>
 						<content><![CDATA[mkdir -p /etc/insserv/overrides]]></content>

lib/configfiles/precise.xml

@@ -40,8 +40,6 @@
 							</visibility>
 							<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
 						</command>
-						<command><![CDATA[a2dismod userdir]]></command>
-						<command><![CDATA[a2enmod headers]]></command>
 					</commands>
 				</general>
 				<!-- HTTP Apache -->
@@ -49,6 +47,8 @@
 					default="true">
 					<install><![CDATA[apt-get install apache2]]></install>
 					<include>//service[@type='http']/general/commands</include>
+					<command><![CDATA[a2dismod userdir]]></command>
+					<command><![CDATA[a2enmod headers]]></command>
 					<file name="/etc/apache2/mods-enabled/fastcgi.conf">
 						<visibility mode="true">{{settings.phpfpm.enabled}}
 						</visibility>

lib/configfiles/rhel_centos.xml

@@ -40,8 +40,6 @@
 							</visibility>
 							<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
 						</command>
-						<command><![CDATA[a2dismod userdir]]></command>
-						<command><![CDATA[a2enmod headers]]></command>
 					</commands>
 				</general>
 				<!-- HTTP Apache -->

lib/configfiles/trusty.xml

@@ -40,8 +40,6 @@
 							</visibility>
 							<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
 						</command>
-						<command><![CDATA[a2dismod userdir]]></command>
-						<command><![CDATA[a2enmod headers]]></command>
 					</commands>
 				</general>
 				<!-- HTTP Apache -->
@@ -49,6 +47,8 @@
 					default="true">
 					<install><![CDATA[apt-get install apache2]]></install>
 					<include>//service[@type='http']/general/commands</include>
+					<command><![CDATA[a2dismod userdir]]></command>
+					<command><![CDATA[a2enmod headers]]></command>
 					<file name="/etc/apache2/mods-enabled/fastcgi.conf">
 						<visibility mode="true">{{settings.phpfpm.enabled}}
 						</visibility>
@@ -83,6 +83,8 @@ Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}
 				<daemon name="apache" version="2.4" title="Apache 2.4">
 					<install><![CDATA[apt-get install apache2]]></install>
 					<include>//service[@type='http']/general/commands</include>
+					<command><![CDATA[a2dismod userdir]]></command>
+					<command><![CDATA[a2enmod headers]]></command>
 					<file name="/etc/apache2/mods-enabled/fastcgi.conf">
 						<visibility mode="true">{{settings.phpfpm.enabled}}
 						</visibility>

lib/configfiles/wheezy.xml

@@ -40,8 +40,6 @@
 							</visibility>
 							<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
 						</command>
-						<command><![CDATA[a2dismod userdir]]></command>
-						<command><![CDATA[a2enmod headers]]></command>
 					</commands>
 				</general>
 				<!-- HTTP Apache -->
@@ -49,6 +47,8 @@
 					default="true">
 					<install><![CDATA[apt-get install apache2]]></install>
 					<include>//service[@type='http']/general/commands</include>
+					<command><![CDATA[a2dismod userdir]]></command>
+					<command><![CDATA[a2enmod headers]]></command>
 					<file name="/etc/apache2/mods-enabled/fastcgi.conf">
 						<visibility mode="true">{{settings.phpfpm.enabled}}
 						</visibility>
@@ -83,6 +83,8 @@ Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}
 				<daemon name="apache" version="2.4" title="Apache 2.4">
 					<install><![CDATA[apt-get install apache2]]></install>
 					<include>//service[@type='http']/general/commands</include>
+					<command><![CDATA[a2dismod userdir]]></command>
+					<command><![CDATA[a2enmod headers]]></command>
 					<file name="/etc/apache2/mods-enabled/fastcgi.conf">
 						<visibility mode="true">{{settings.phpfpm.enabled}}
 						</visibility>

lib/functions/froxlor/function.triggerLetsEncryptCSRForAliasDestinationDomain.php

@@ -0,0 +1,34 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2010 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Daniel Reichelt <hacking@nachtgeist.net> (2016-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Functions
+ *
+ */
+
+function triggerLetsEncryptCSRForAliasDestinationDomain($aliasDestinationDomainID, $log)
+{
+	if (isset($aliasDestinationDomainID) && $aliasDestinationDomainID > 0) {
+		$log->logAction(ADM_ACTION, LOG_INFO, "LetsEncrypt CSR triggered for domain ID " . $aliasDestinationDomainID);
+		$upd_stmt = Database::prepare(
+			"UPDATE
+					`" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "`
+				SET
+					`expirationdate` = null
+				WHERE
+					domainid = :domainid
+			");
+		Database::pexecute($upd_stmt, array(
+			'domainid' => $aliasDestinationDomainID
+		));
+	}
+}