really reuse old csr if given + code formatting
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
@@ -63,15 +63,12 @@ class lescript
|
|||||||
$keys = $this->generateKey();
|
$keys = $this->generateKey();
|
||||||
// Only store the accountkey in production, in staging always generate a new key
|
// Only store the accountkey in production, in staging always generate a new key
|
||||||
if (Settings::Get('system.letsencryptca') == 'production') {
|
if (Settings::Get('system.letsencryptca') == 'production') {
|
||||||
$upd_stmt = Database::prepare(
|
$upd_stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `lepublickey` = :public, `leprivatekey` = :private " . "WHERE `customerid` = :customerid;");
|
||||||
"UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `lepublickey` = :public, `leprivatekey` = :private " .
|
Database::pexecute($upd_stmt, array(
|
||||||
"WHERE `customerid` = :customerid;");
|
'public' => $keys['public'],
|
||||||
Database::pexecute($upd_stmt,
|
'private' => $keys['private'],
|
||||||
array(
|
'customerid' => $certrow['customerid']
|
||||||
'public' => $keys['public'],
|
));
|
||||||
'private' => $keys['private'],
|
|
||||||
'customerid' => $certrow['customerid']
|
|
||||||
));
|
|
||||||
}
|
}
|
||||||
$this->accountKey = $keys['private'];
|
$this->accountKey = $keys['private'];
|
||||||
|
|
||||||
@@ -88,6 +85,16 @@ class lescript
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* @param array $domains
|
||||||
|
* @param string $domainkey
|
||||||
|
* @param string $csr
|
||||||
|
* optional, same behavior as $reuseCsr from the original class, but we're passing the content of the csr already
|
||||||
|
*
|
||||||
|
* @throws \RuntimeException
|
||||||
|
* @return string[]
|
||||||
|
*/
|
||||||
public function signDomains(array $domains, $domainkey = null, $csr = null)
|
public function signDomains(array $domains, $domainkey = null, $csr = null)
|
||||||
{
|
{
|
||||||
if (! $this->accountKey) {
|
if (! $this->accountKey) {
|
||||||
@@ -109,14 +116,13 @@ class lescript
|
|||||||
|
|
||||||
$this->log("Requesting challenge for $domain");
|
$this->log("Requesting challenge for $domain");
|
||||||
|
|
||||||
$response = $this->signedRequest("/acme/new-authz",
|
$response = $this->signedRequest("/acme/new-authz", array(
|
||||||
array(
|
"resource" => "new-authz",
|
||||||
"resource" => "new-authz",
|
"identifier" => array(
|
||||||
"identifier" => array(
|
"type" => "dns",
|
||||||
"type" => "dns",
|
"value" => $domain
|
||||||
"value" => $domain
|
)
|
||||||
)
|
));
|
||||||
));
|
|
||||||
|
|
||||||
// if response is not an array but a string, it's most likely a server-error, e.g.
|
// if response is not an array but a string, it's most likely a server-error, e.g.
|
||||||
// <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>An error occurred while processing your request.
|
// <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>An error occurred while processing your request.
|
||||||
@@ -130,12 +136,13 @@ class lescript
|
|||||||
}
|
}
|
||||||
|
|
||||||
// choose http-01 challenge only
|
// choose http-01 challenge only
|
||||||
$challenge = array_reduce($response['challenges'],
|
$challenge = array_reduce($response['challenges'], function ($v, $w) {
|
||||||
function ($v, $w) {
|
return $v ? $v : ($w['type'] == 'http-01' ? $w : false);
|
||||||
return $v ? $v : ($w['type'] == 'http-01' ? $w : false);
|
});
|
||||||
});
|
|
||||||
if (! $challenge)
|
if (! $challenge) {
|
||||||
throw new RuntimeException("HTTP Challenge for $domain is not available. Whole response: " . json_encode($response));
|
throw new RuntimeException("HTTP Challenge for $domain is not available. Whole response: " . json_encode($response));
|
||||||
|
}
|
||||||
|
|
||||||
$this->log("Got challenge token for $domain");
|
$this->log("Got challenge token for $domain");
|
||||||
$location = $this->client->getLastLocation();
|
$location = $this->client->getLastLocation();
|
||||||
@@ -183,13 +190,12 @@ class lescript
|
|||||||
$this->log("Sending request to challenge");
|
$this->log("Sending request to challenge");
|
||||||
|
|
||||||
// send request to challenge
|
// send request to challenge
|
||||||
$result = $this->signedRequest($challenge['uri'],
|
$result = $this->signedRequest($challenge['uri'], array(
|
||||||
array(
|
"resource" => "challenge",
|
||||||
"resource" => "challenge",
|
"type" => "http-01",
|
||||||
"type" => "http-01",
|
"keyAuthorization" => $payload,
|
||||||
"keyAuthorization" => $payload,
|
"token" => $challenge['token']
|
||||||
"token" => $challenge['token']
|
));
|
||||||
));
|
|
||||||
|
|
||||||
// waiting loop
|
// waiting loop
|
||||||
// we wait for a maximum of 30 seconds to avoid endless loops
|
// we wait for a maximum of 30 seconds to avoid endless loops
|
||||||
@@ -228,7 +234,9 @@ class lescript
|
|||||||
|
|
||||||
$this->client->getLastLinks();
|
$this->client->getLastLinks();
|
||||||
|
|
||||||
$csr = $this->generateCSR($privateDomainKey, $domains);
|
if (empty($csr)) {
|
||||||
|
$csr = $this->generateCSR($privateDomainKey, $domains);
|
||||||
|
}
|
||||||
|
|
||||||
// request certificates creation
|
// request certificates creation
|
||||||
$result = $this->signedRequest("/acme/new-cert", array(
|
$result = $this->signedRequest("/acme/new-cert", array(
|
||||||
@@ -314,8 +322,7 @@ class lescript
|
|||||||
$tmpConfPath = $tmpConfMeta["uri"];
|
$tmpConfPath = $tmpConfMeta["uri"];
|
||||||
|
|
||||||
// workaround to get SAN working
|
// workaround to get SAN working
|
||||||
fwrite($tmpConf,
|
fwrite($tmpConf, 'HOME = .
|
||||||
'HOME = .
|
|
||||||
RANDFILE = $ENV::HOME/.rnd
|
RANDFILE = $ENV::HOME/.rnd
|
||||||
[ req ]
|
[ req ]
|
||||||
default_bits = ' . Settings::Get('system.letsencryptkeysize') . '
|
default_bits = ' . Settings::Get('system.letsencryptkeysize') . '
|
||||||
@@ -329,16 +336,15 @@ basicConstraints = CA:FALSE
|
|||||||
subjectAltName = ' . $san . '
|
subjectAltName = ' . $san . '
|
||||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment');
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment');
|
||||||
|
|
||||||
$csr = openssl_csr_new(
|
$csr = openssl_csr_new(array(
|
||||||
array(
|
"CN" => $domain,
|
||||||
"CN" => $domain,
|
"ST" => Settings::Get('system.letsencryptstate'),
|
||||||
"ST" => Settings::Get('system.letsencryptstate'),
|
"C" => Settings::Get('system.letsencryptcountrycode'),
|
||||||
"C" => Settings::Get('system.letsencryptcountrycode'),
|
"O" => "Unknown"
|
||||||
"O" => "Unknown"
|
), $privateKey, array(
|
||||||
), $privateKey, array(
|
"config" => $tmpConfPath,
|
||||||
"config" => $tmpConfPath,
|
"digest_alg" => "sha256"
|
||||||
"digest_alg" => "sha256"
|
));
|
||||||
));
|
|
||||||
|
|
||||||
if (! $csr)
|
if (! $csr)
|
||||||
throw new \RuntimeException("CSR couldn't be generated! " . openssl_error_string());
|
throw new \RuntimeException("CSR couldn't be generated! " . openssl_error_string());
|
||||||
@@ -353,11 +359,10 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment');
|
|||||||
|
|
||||||
private function generateKey()
|
private function generateKey()
|
||||||
{
|
{
|
||||||
$res = openssl_pkey_new(
|
$res = openssl_pkey_new(array(
|
||||||
array(
|
"private_key_type" => OPENSSL_KEYTYPE_RSA,
|
||||||
"private_key_type" => OPENSSL_KEYTYPE_RSA,
|
"private_key_bits" => (int) Settings::Get('system.letsencryptkeysize')
|
||||||
"private_key_bits" => (int) Settings::Get('system.letsencryptkeysize')
|
));
|
||||||
));
|
|
||||||
|
|
||||||
if (! openssl_pkey_export($res, $privateKey)) {
|
if (! openssl_pkey_export($res, $privateKey)) {
|
||||||
throw new \RuntimeException("Key export failed!");
|
throw new \RuntimeException("Key export failed!");
|
||||||
|
|||||||
Reference in New Issue
Block a user