initial integration of let's encrypt renew-hook for froxlor-vhost; refs #1186

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php

@@ -518,7 +518,7 @@ EOC;
 
 				self::validateDns($domains, $certrow['domainid'], $cronlog);
 
-				self::runAcmeSh($certrow, $domains, $cronlog, $do_force);
+				self::runAcmeSh($certrow, $domains, $cronlog, $do_force, $certrow['domainid'] == 0);
 			} else {
 				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect");
 			}
@@ -566,7 +566,7 @@ EOC;
 		}
 	}
 
-	private static function runAcmeSh(array $certrow, array $domains, &$cronlog = null, $force = false)
+	private static function runAcmeSh(array $certrow, array $domains, &$cronlog = null, bool $force = false, bool $renew_hook = false)
 	{
 		if (!empty($domains)) {
 			$acmesh_cmd = self::getAcmeSh() . " --server " . self::$apiserver . " --issue -d " . implode(" -d ", $domains);
@@ -587,6 +587,12 @@ EOC;
 			if ($force) {
 				$acmesh_cmd .= " --force";
 			}
+			if ($renew_hook
+				&& !empty(trim(Settings::Get('system.le_renew_services') ?? ""))
+				&& !empty(trim(Settings::Get('system.le_renew_hook') ?? ""))
+			) {
+				$acmesh_cmd .= " --renew-hook '" . Settings::Get('system.le_renew_hook') . "'";
+			}
 			if (defined('CRON_DEBUG_FLAG')) {
 				$acmesh_cmd .= " --debug";
 			}
@@ -603,12 +609,48 @@ EOC;
 				}
 			} else {
 				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, "Successful exit-code returned - storing certificate");
-				self::certToDb($certrow, $cronlog, $acme_result);
+				$cert_stored = self::certToDb($certrow, $cronlog, $acme_result);
+
+				if ($cert_stored
+					&& $renew_hook
+					&& !empty(trim(Settings::Get('system.le_renew_services') ?? ""))
+					&& !empty(trim(Settings::Get('system.le_renew_hook') ?? ""))
+				) {
+					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, "Renew-hook is enabled - adjusting configurations");
+
+					$certificate_folder = self::getCertificateFolder(strtolower(Settings::Get('system.hostname')));
+					$fullchain = FileDir::makeCorrectFile($certificate_folder . '/fullchain.cer');
+					$keyfile = FileDir::makeCorrectFile($certificate_folder . '/' . strtolower(Settings::Get('system.hostname')) . '.key');
+
+					if (Settings::IsInList('system.le_renew_services', 'postfix')) {
+						// "postconf -e" for postfix
+						FileDir::safe_exec('postconf -e smtpd_tls_cert_file = ' . escapeshellarg($fullchain));
+						FileDir::safe_exec('postconf -e smtpd_tls_key_file = ' . escapeshellarg($keyfile));
+					}
+					if (Settings::IsInList('system.le_renew_services', 'dovecot')) {
+						// custom config for dovecot
+						$dovecot_conf = '/etc/dovecot/conf.d/99-froxlor-ssl.conf'; // @fixme setting?
+						$ssl_content = <<<EOSSL
+# Autogenerated configuration by froxlor.
+# Do not manually edit this file as it will be overwritten.
+
+ssl = yes
+ssl_cert = <{$fullchain}
+ssl_key = <{$keyfile}
+EOSSL;
+						file_put_contents($dovecot_conf, $ssl_content);
+					}
+					if (Settings::IsInList('system.le_renew_services', 'proftpd')) {
+						// @todo
+					}
+					// reload the services
+					FileDir::safe_exec(Settings::Get('system.le_renew_hook'));
+				}
 			}
 		}
 	}
 
-	private static function certToDb($certrow, &$cronlog, $acme_result)
+	private static function certToDb($certrow, &$cronlog, $acme_result): bool
 	{
 		$return = [];
 		self::readCertificateToVar(strtolower($certrow['domain']), $return, $cronlog);
@@ -639,12 +681,14 @@ EOC;
 				}
 
 				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Updated Let's Encrypt certificate for " . $certrow['domain']);
+				return true;
 			} else {
 				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, "Got non-successful Let's Encrypt response for " . $certrow['domain'] . ":\n" . implode("\n", $acme_result));
 			}
 		} else {
 			$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, "Could not get Let's Encrypt certificate for " . $certrow['domain'] . ":\n" . implode("\n", $acme_result));
 		}
+		return false;
 	}
 
 	/**