Implement CAA DNS record for letsencrypt.org

2019-07-27 17:36:31 +02:00
parent d5e4182878
commit d4e5e32c14
9 changed files with 86 additions and 0 deletions
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -256,6 +256,7 @@ CREATE TABLE `panel_domains` (
  `mod_fcgid_maxrequests` int(4) default '-1',
  `ismainbutsubto` int(11) unsigned NOT NULL default '0',
  `letsencrypt` tinyint(1) NOT NULL default '0',
+  `caa` tinyint(1) NOT NULL default '0',
  `hsts` varchar(10) NOT NULL default '0',
  `hsts_sub` tinyint(1) NOT NULL default '0',
  `hsts_preload` tinyint(1) NOT NULL default '0',
--- a/install/updates/froxlor/0.10/update_0.10.inc.php
+++ b/install/updates/froxlor/0.10/update_0.10.inc.php
@@ -263,3 +263,9 @@ if (\Froxlor\Froxlor::isDatabaseVersion('201904100')) {
 if (\Froxlor\Froxlor::isFroxlorVersion('0.10.0-rc1')) {
 	\Froxlor\Froxlor::updateToVersion('0.10.0-rc2');
 }
+
+if (\Froxlor\Froxlor::isDatabaseVersion('201904250')) {
+
+	Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `caa` TINYINT(1) NOT NULL DEFAULT '0' AFTER `letsencrypt`;");
+	\Froxlor\Froxlor::updateToDbVersion('201907270');
+}
--- a/lib/Froxlor/Dns/Dns.php
+++ b/lib/Froxlor/Dns/Dns.php
@@ -130,6 +130,12 @@ class Dns
 			}
 		}

+		// additional required records for CAA if activated
+		if ($domain['caa'] == '1') {
+			// check for CAA content later
+			self::addRequiredEntry('@', 'CAA', $required_entries);
+		}
+
 		// additional required records for SPF and DKIM if activated
 		if ($domain['isemaildomain'] == '1') {
 			if (Settings::Get('spf.use_spf') == '1') {
@@ -278,6 +284,11 @@ class Dns
 					}
 				}
 			}
+
+			// CAA
+			if (array_key_exists("CAA", $required_entries)) {
+				$zonerecords[] = new DnsEntry('@', 'CAA', '0 issue "letsencrypt.org"');
+			}
 		}

 		if (empty($primary_ns)) {
--- a/lib/formfields/admin/domains/formfield.domains_add.php
+++ b/lib/formfields/admin/domains/formfield.domains_add.php
@@ -214,6 +214,19 @@ return array(
 						),
 						'value' => array()
 					),
+					'caa' => array(
+						'visible' => (\Froxlor\Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
+						'label' => $lng['admin']['caa']['title'],
+						'desc' => $lng['admin']['caa']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
+						),
+						'value' => array()
+					),
 					'http2' => array(
 						'visible' => ($ssl_ipsandports != '' ? true : false) && \Froxlor\Settings::Get('system.webserver') != 'lighttpd' && \Froxlor\Settings::Get('system.http2_support') == '1',
 						'label' => $lng['admin']['domain_http2']['title'],
--- a/lib/formfields/admin/domains/formfield.domains_edit.php
+++ b/lib/formfields/admin/domains/formfield.domains_edit.php
@@ -250,6 +250,21 @@ return array(
 							$result['letsencrypt']
 						)
 					),
+					'caa' => array(
+						'visible' => (\Froxlor\Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
+						'label' => $lng['admin']['caa']['title'],
+						'desc' => $lng['admin']['caa']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
+						),
+						'value' => array(
+							$result['caa']
+						)
+					),
 					'http2' => array(
 						'visible' => ($ssl_ipsandports != '' ? true : false) && \Froxlor\Settings::Get('system.webserver') != 'lighttpd' && \Froxlor\Settings::Get('system.http2_support') == '1',
 						'label' => $lng['admin']['domain_http2']['title'],
--- a/lib/formfields/customer/domains/formfield.domains_add.php
+++ b/lib/formfields/customer/domains/formfield.domains_add.php
@@ -108,6 +108,19 @@ return array(
 						),
 						'value' => array()
 					),
+					'caa' => array(
+						'visible' => \Froxlor\Settings::Get('system.leenabled') == '1' ? true : false,
+						'label' => $lng['customer']['caa']['title'],
+						'desc' => $lng['customer']['caa']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
+						),
+						'value' => array()
+					),
 					'hsts_maxage' => array(
 						'label' => $lng['admin']['domain_hsts_maxage']['title'],
 						'desc' => $lng['admin']['domain_hsts_maxage']['description'],
--- a/lib/formfields/customer/domains/formfield.domains_edit.php
+++ b/lib/formfields/customer/domains/formfield.domains_edit.php
@@ -128,6 +128,21 @@ return array(
 							$result['letsencrypt']
 						)
 					),
+					'caa' => array(
+						'visible' => \Froxlor\Settings::Get('system.leenabled') == '1' ? true : false,
+						'label' => $lng['customer']['caa']['title'],
+						'desc' => $lng['customer']['caa']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+							array(
+								'label' => $lng['panel']['yes'],
+								'value' => '1'
+							)
+						),
+						'value' => array(
+							$result['caa']
+						)
+					),
 					'hsts_maxage' => array(
 						'label' => $lng['admin']['domain_hsts_maxage']['title'],
 						'desc' => $lng['admin']['domain_hsts_maxage']['description'],
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -1848,6 +1848,12 @@ $lng['serversettings']['leenabled']['title'] = "Enable Let's Encrypt";
 $lng['serversettings']['leenabled']['description'] = "If activated, customers are able to let froxlor automatically generate and renew Let's Encrypt ssl-certificates for domains with a ssl IP/port.<br /><br />Please remember that you need to go through the webserver-configuration when enabled because this feature needs a special configuration.";
 $lng['domains']['ssl_redirect_temporarilydisabled'] = "<br>The SSL redirect is temporarily deactivated while a new Let's Encrypt certificate is generated. It will be activated again after the certificate was generated.";

+// Added for CAA record support
+$lng['admin']['caa']['title'] = 'Use CAA DNS record';
+$lng['admin']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record. Currently it only supports Let\'s Encrypt. This feature is still in beta.';
+$lng['customer']['caa']['title'] = 'Use CAA DNS record';
+$lng['customer']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record. Currently it only supports Let\'s Encrypt. This feature is still in beta.';
+
 // Autoupdate
 $lng['admin']['autoupdate'] = 'Auto-Update';
 $lng['error']['customized_version'] = 'It looks like your Froxlor installation has been modified, no support sorry.';
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1500,6 +1500,12 @@ $lng['serversettings']['leenabled']['title'] = "Let's Encrypt verwenden";
 $lng['serversettings']['leenabled']['description'] = "Wenn dies aktiviert ist, können Kunden durch Froxlor automatisch generierte und verlängerbare Let's Encrypt SSL-Zertifikate für Domains mit SSL IP/Port nutzen.<br /><br />Bitte die Webserver-Konfiguration beachten wenn aktiviert, da dieses Feature eine spezielle Konfiguration benötigt.";
 $lng['domains']['ssl_redirect_temporarilydisabled'] = "<br>Die SSL-Umleitung ist, während ein neues Let's Encrypt - Zertifikat erstellt wird, temporär deaktiviert. Die Umleitung wird nach der Zertifikatserstellung wieder aktiviert.";

+// Added for CAA record support
+$lng['admin']['caa']['title'] = 'CAA DNS Eintrag erstellen';
+$lng['admin']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) verwendet das Domain Name System, um dem Besitzer einer Domain die Möglichkeit zu bieten, gewisse Zertifizierungsstellen (CAs) dazu zu berechtigen, ein Zertifikat für die betroffene Domain auszustellen. CAA Records sollen verhindern, dass Zertifikate fälschlicherweise für eine Domain ausgestellt werden. Im Moment wird nur Let\'s Encrypt unterstützt. Dieses Feature befindet sich noch im Test.';
+$lng['customer']['caa']['title'] = 'CAA DNS Eintrag erstellen';
+$lng['customer']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) verwendet das Domain Name System, um dem Besitzer einer Domain die Möglichkeit zu bieten, gewisse Zertifizierungsstellen (CAs) dazu zu berechtigen, ein Zertifikat für die betroffene Domain auszustellen. CAA Records sollen verhindern, dass Zertifikate fälschlicherweise für eine Domain ausgestellt werden. Im Moment wird nur Let\'s Encrypt unterstützt. Dieses Feature befindet sich noch im Test.';
+
 // Autoupdate
 $lng['admin']['autoupdate'] = 'Auto-Update';
 $lng['error']['customized_version'] = 'Es scheint als wäre die Froxlor Installation angepasst worden. Kein Support, sorry.';