added let's encrypt for froxlor vhost - untested for now, testers are welcome

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>

scripts/jobs/cron_letsencrypt.php

@@ -93,7 +93,99 @@ $updcert_stmt = Database::prepare(
 
 $upddom_stmt = Database::prepare("UPDATE `" . TABLE_PANEL_DOMAINS . "` SET `ssl_redirect` = '1' WHERE `id` = :domainid");
 
+// flag for re-generation of vhost files
 $changedetected = 0;
+
+// first - generate LE for system-vhost if enabled
+if (Settings::Get('system.le_froxlor_enabled') == '1') {
+
+	$certrow = array(
+		'loginname' => 'froxlor.panel',
+		'domain' => Settings::Get('system.hostname'),
+		'domainid' => 0,
+		'documentroot' => FROXLOR_INSTALL_DIR,
+		'leprivatekey' => Settings::Get('system.leprivatekey'),
+		'lepublickey' => Settings::Get('system.lepublickey'),
+		'ssl_redirect' => Settings::Get('system.le_froxlor_redirect'),
+		'expirationdate' => null,
+		'ssl_cert_file' => null,
+		'ssl_key_file' => null,
+		'ssl_ca_file' => null,
+		'ssl_csr_file' => null
+	);
+
+	$froxlor_ssl_settings_stmt = Database::prepare("
+		SELECT * FROM `".TABLE_PANEL_DOMAIN_SSL_SETTINGS."`
+		WHERE `domainid` = '0' AND
+		(`expirationdate` < DATE_ADD(NOW(), INTERVAL 30 DAY) OR `expirationdate` IS NULL)
+	");
+	$froxlor_ssl = Database::pexecute_first($froxlor_ssl_settings_stmt);
+
+	if ($froxlor_ssl) {
+		$certrow['id'] = $froxlor_ssl['id'];
+		$certrow['expirationdate'] = $froxlor_ssl['expirationdate'];
+		$certrow['ssl_cert_file'] = $froxlor_ssl['ssl_cert_file'];
+		$certrow['ssl_key_file'] = $froxlor_ssl['ssl_key_file'];
+		$certrow['ssl_ca_file'] = $froxlor_ssl['ssl_ca_file'];
+		$certrow['ssl_csr_file'] = $froxlor_ssl['ssl_csr_file'];
+	}
+	$domains = array(
+		$certrow['domain'],
+		'www.'.$certrow['domain']
+	);
+
+	// Only renew let's encrypt certificate if no broken ssl_redirect is enabled
+	if ($certrow['ssl_redirect'] != 2) {
+		$cronlog->logAction(CRON_ACTION, LOG_DEBUG, "Updating " . $certrow['domain']);
+
+		$cronlog = FroxlorLogger::getInstanceOf(array(
+			'loginname' => $certrow['loginname']
+		));
+
+		try {
+			// Initialize Lescript with documentroot
+			$le = new lescript($cronlog, $version);
+
+			// Initialize Lescript
+			$le->initAccount($certrow, true);
+
+			// Request the new certificate (old key may be used)
+			$return = $le->signDomains($domains, $certrow['ssl_key_file'], $certrow['ssl_csr_file']);
+
+			// We are interessted in the expirationdate
+			$newcert = openssl_x509_parse($return['crt']);
+
+			// Store the new data
+			Database::pexecute($updcert_stmt,
+				array(
+					'id' => $certrow['id'],
+					'domainid' => $certrow['domainid'],
+					'crt' => $return['crt'],
+					'key' => $return['key'],
+					'ca' => $return['chain'],
+					'chain' => $return['chain'],
+					'csr' => $return['csr'],
+					'expirationdate' => date('Y-m-d H:i:s', $newcert['validTo_time_t'])
+				));
+
+			if ($certrow['ssl_redirect'] == 3) {
+				Settings::Set('system.le_froxlor_redirect', '1');
+			}
+
+			$cronlog->logAction(CRON_ACTION, LOG_INFO, "Updated Let's Encrypt certificate for " . $certrow['domain']);
+
+			$changedetected = 1;
+		} catch (Exception $e) {
+			$cronlog->logAction(CRON_ACTION, LOG_ERR,
+				"Could not get Let's Encrypt certificate for " . $certrow['domain'] . ": " . $e->getMessage());
+		}
+	} else {
+		$cronlog->logAction(CRON_ACTION, LOG_WARNING,
+			"Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect");
+	}
+}
+
+// customer domains
 $certrows = $certificates_stmt->fetchAll(PDO::FETCH_ASSOC);
 foreach ($certrows as $certrow) {
 

scripts/jobs/cron_tasks.inc.http.10.apache.php

@@ -363,12 +363,32 @@ class apache extends HttpConfigBase {
 						$row_ipsandports['ssl_cert_chainfile'] = Settings::Get('system.ssl_cert_chainfile');
 					}
 
-					if ($row_ipsandports['ssl_cert_file'] != '') {
+					$domain = array(
+						'id' => 0,
+						'domain' => Settings::Get('system.hostname'),
+						'adminid' => 1, /* first admin-user (superadmin) */
+						'loginname' => 'froxlor.panel',
+						'documentroot' => $mypath,
+					);
+
+					// override corresponding array values
+					$domain['ssl_cert_file'] = $row_ipsandports['ssl_cert_file'];
+					$domain['ssl_key_file'] = $row_ipsandports['ssl_key_file'];
+					$domain['ssl_ca_file'] = $row_ipsandports['ssl_ca_file'];
+					$domain['ssl_cert_chainfile'] = $row_ipsandports['ssl_cert_chainfile'];
+
+					// SSL STUFF
+					$dssl = new DomainSSL();
+					// this sets the ssl-related array-indices in the $domain array
+					// if the domain has customer-defined ssl-certificates
+					$dssl->setDomainSSLFilesArray($domain);
+
+					if ($domain['ssl_cert_file'] != '') {
 
 						// check for existence, #1485
-						if (!file_exists($row_ipsandports['ssl_cert_file'])) {
-							$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate file "'.$row_ipsandports['ssl_cert_file'].'" does not exist! Cannot create ssl-directives');
-							echo $ipport . ' :: certificate file "'.$row_ipsandports['ssl_cert_file'].'" does not exist! Cannot create SSL-directives'."\n";
+						if (!file_exists($domain['ssl_cert_file'])) {
+							$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate file "'.$domain['ssl_cert_file'].'" does not exist! Cannot create ssl-directives');
+							echo $ipport . ' :: certificate file "'.$domain['ssl_cert_file'].'" does not exist! Cannot create SSL-directives'."\n";
 						} else {
 
 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLEngine On' . "\n";
@@ -377,36 +397,36 @@ class apache extends HttpConfigBase {
 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLHonorCipherOrder On' . "\n";
 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLCipherSuite ' . Settings::Get('system.ssl_cipher_list') . "\n";
 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLVerifyDepth 10' . "\n";
-							$this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateFile ' . makeCorrectFile($row_ipsandports['ssl_cert_file']) . "\n";
+							$this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateFile ' . makeCorrectFile($domain['ssl_cert_file']) . "\n";
 
-							if ($row_ipsandports['ssl_key_file'] != '') {
+							if ($domain['ssl_key_file'] != '') {
 								// check for existence, #1485
-								if (!file_exists($row_ipsandports['ssl_key_file'])) {
-									$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate key file "'.$row_ipsandports['ssl_key_file'].'" does not exist! Cannot create ssl-directives');
-									echo $ipport . ' :: certificate key file "'.$row_ipsandports['ssl_key_file'].'" does not exist! SSL-directives might not be working'."\n";
+								if (!file_exists($domain['ssl_key_file'])) {
+									$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate key file "'.$domain['ssl_key_file'].'" does not exist! Cannot create ssl-directives');
+									echo $ipport . ' :: certificate key file "'.$domain['ssl_key_file'].'" does not exist! SSL-directives might not be working'."\n";
 								} else {
-									$this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateKeyFile ' . makeCorrectFile($row_ipsandports['ssl_key_file']) . "\n";
+									$this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateKeyFile ' . makeCorrectFile($domain['ssl_key_file']) . "\n";
 								}
 							}
 
-							if ($row_ipsandports['ssl_ca_file'] != '') {
+							if ($domain['ssl_ca_file'] != '') {
 								// check for existence, #1485
-								if (!file_exists($row_ipsandports['ssl_ca_file'])) {
-									$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate CA file "'.$row_ipsandports['ssl_ca_file'].'" does not exist! Cannot create ssl-directives');
-									echo $ipport . ' :: certificate CA file "'.$row_ipsandports['ssl_ca_file'].'" does not exist! SSL-directives might not be working'."\n";
+								if (!file_exists($domain['ssl_ca_file'])) {
+									$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate CA file "'.$domain['ssl_ca_file'].'" does not exist! Cannot create ssl-directives');
+									echo $ipport . ' :: certificate CA file "'.$domain['ssl_ca_file'].'" does not exist! SSL-directives might not be working'."\n";
 								} else {
-									$this->virtualhosts_data[$vhosts_filename] .= ' SSLCACertificateFile ' . makeCorrectFile($row_ipsandports['ssl_ca_file']) . "\n";
+									$this->virtualhosts_data[$vhosts_filename] .= ' SSLCACertificateFile ' . makeCorrectFile($domain['ssl_ca_file']) . "\n";
 								}
 							}
 
 							// #418
-							if ($row_ipsandports['ssl_cert_chainfile'] != '') {
+							if ($domain['ssl_cert_chainfile'] != '') {
 								// check for existence, #1485
-								if (!file_exists($row_ipsandports['ssl_cert_chainfile'])) {
-									$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate chain file "'.$row_ipsandports['ssl_cert_chainfile'].'" does not exist! Cannot create ssl-directives');
-									echo $ipport . ' :: certificate chain file "'.$row_ipsandports['ssl_cert_chainfile'].'" does not exist! SSL-directives might not be working'."\n";
+								if (!file_exists($domain['ssl_cert_chainfile'])) {
+									$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate chain file "'.$domain['ssl_cert_chainfile'].'" does not exist! Cannot create ssl-directives');
+									echo $ipport . ' :: certificate chain file "'.$domain['ssl_cert_chainfile'].'" does not exist! SSL-directives might not be working'."\n";
 								} else {
-									$this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateChainFile ' . makeCorrectFile($row_ipsandports['ssl_cert_chainfile']) . "\n";
+									$this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateChainFile ' . makeCorrectFile($domain['ssl_cert_chainfile']) . "\n";
 								}
 							}
 						}
@@ -845,6 +865,9 @@ class apache extends HttpConfigBase {
 			}
 		}
 
+		// avoid using any whitespaces
+		$domain['documentroot'] = trim($domain['documentroot']);
+
 		if (preg_match('/^https?\:\/\//', $domain['documentroot'])) {
 			$corrected_docroot = $this->idnaConvert->encode($domain['documentroot']);
 

scripts/jobs/cron_tasks.inc.http.30.nginx.php

@@ -150,6 +150,35 @@ class nginx extends HttpConfigBase {
 					if ($row_ipsandports['ssl_cert_file'] != '' && file_exists($row_ipsandports['ssl_cert_file'])) {
 						$ssl_vhost = true;
 					}
+
+					$domain = array(
+						'id' => 0,
+						'domain' => Settings::Get('system.hostname'),
+						'adminid' => 1, /* first admin-user (superadmin) */
+						'loginname' => 'froxlor.panel',
+						'documentroot' => $mypath
+					);
+
+					// override corresponding array values
+					$domain['ssl_cert_file'] = $row_ipsandports['ssl_cert_file'];
+					$domain['ssl_key_file'] = $row_ipsandports['ssl_key_file'];
+					$domain['ssl_ca_file'] = $row_ipsandports['ssl_ca_file'];
+					$domain['ssl_cert_chainfile'] = $row_ipsandports['ssl_cert_chainfile'];
+
+					// SSL STUFF
+					$dssl = new DomainSSL();
+					// this sets the ssl-related array-indices in the $domain array
+					// if the domain has customer-defined ssl-certificates
+					$dssl->setDomainSSLFilesArray($domain);
+
+					if ($domain['ssl_cert_file'] != '' && file_exists($domain['ssl_cert_file'])) {
+						// override corresponding array values
+						$row_ipsandports['ssl_cert_file'] = $domain['ssl_cert_file'];
+						$row_ipsandports['ssl_key_file'] = $domain['ssl_key_file'];
+						$row_ipsandports['ssl_ca_file'] = $domain['ssl_ca_file'];
+						$row_ipsandports['ssl_cert_chainfile'] = $domain['ssl_cert_chainfile'];
+						$ssl_vhost = true;
+					}
 				}
 
 				/**
@@ -415,6 +444,9 @@ class nginx extends HttpConfigBase {
 			$domain['documentroot'] = 'https://' . $domain['domain'] . $_sslport . '/';
 		}
 
+		// avoid using any whitespaces
+		$domain['documentroot'] = trim($domain['documentroot']);
+
 		// create ssl settings first since they are required for normal and redirect vhosts
 		if ($ssl_vhost === true
 			&& $domain['ssl'] == '1'