maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

Allow selecting new keysize, fixes #1594

Browse Source 
Prepare database and cron for HSTS, refs #1593
Added option to re-use key and CSR for Let's Encrypt

Signed-off-by: Florian Aders <eleras@froxlor.org>
This commit is contained in:
Florian Aders
2016-02-19 17:35:44 +01:00
parent e3a594f3e7
commit e621e02f92
18 changed files with 163 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
lib/classes/ssl/class.lescript.php
View File

@@ -75,7 +75,7 @@ class lescript
}
}
public function signDomains(array $domains, $domainkey = null)
public function signDomains(array $domains, $domainkey = null, $csr = null)
{
if (!$this->accountKey) {
@@ -117,7 +117,7 @@ class lescript
// 2. saving authentication token for web verification
// ---------------------------------------------------
$directory = FROXLOR_INSTALL_DIR.'/.well-known/acme-challenge';
$directory = Settings::Get('system.letsencryptchallengepath').'/.well-known/acme-challenge';
$tokenPath = $directory.'/'.$challenge['token'];
if(!file_exists($directory) && !@mkdir($directory, 0755, true)) {
@@ -190,7 +190,7 @@ class lescript
// ----------------------
// generate private key for domain if not exist
if(empty($domainkey)) {
if(empty($domainkey) || Settings::Get('system.letsencryptreuseold') == 0) {
$keys = $this->generateKey();
$domainkey = $keys['private'];
}
@@ -199,11 +199,15 @@ class lescript
$privateDomainKey = openssl_pkey_get_private($domainkey);
$this->client->getLastLinks();
if (empty($csrfile) || Settings::Get('system.letsencryptreuseold') == 0) {
$csr = $this->generateCSR($privateDomainKey, $domains);
}
// request certificates creation
$result = $this->signedRequest(
"/acme/new-cert",
array('resource' => 'new-cert', 'csr' => $this->generateCSR($privateDomainKey, $domains))
array('resource' => 'new-cert', 'csr' => $csr)
);
if ($this->client->getLastCode() !== 201) {
throw new \RuntimeException("Invalid response code: ".$this->client->getLastCode().", ".json_encode($result));
@@ -249,7 +253,7 @@ class lescript
$chain = implode("\n", $certificates);
$this->log("Done, returning new certificates and key");
return array('fullchain' => $fullchain, 'crt' => $crt, 'chain' => $chain, 'key' => $domainkey);
return array('fullchain' => $fullchain, 'crt' => $crt, 'chain' => $chain, 'key' => $domainkey, 'csr' => $csr);
}
private function parsePemFromBody($body)
@@ -281,7 +285,7 @@ class lescript
'HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
default_bits = 4096
default_bits = ' . Settings::Get('system.letsencryptkeysize') . '
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = v3_req
@@ -320,7 +324,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment');
{
$res = openssl_pkey_new(array(
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"private_key_bits" => 4096,
"private_key_bits" => Settings::Get('system.letsencryptkeysize'),
));
if(!openssl_pkey_export($res, $privateKey)) {

13
lib/configfiles/gentoo.xml
View File

@@ -66,8 +66,8 @@
</file>
<file name="/etc/apache2/modules.d/80_acme.conf">
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge"
<Directory "/var/www/.well-known/acme-challenge">
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Order allow,deny
Allow from all
</Directory>
@@ -96,8 +96,8 @@ Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/a
</file>
<file name="/etc/apache2/modules.d/80_acme.conf">
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge"
<Directory "/var/www/.well-known/acme-challenge">
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Require all granted
</Directory>
]]>
@@ -126,6 +126,7 @@ server.modules = (
"mod_auth",
"mod_fastcgi",
"mod_cgi",
"mod_setenv",
"mod_accesslog"
)
@@ -168,7 +169,7 @@ fastcgi.server = (
)
)
alias.url += ("/.well-known/acme-challenge/" => "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge/")
alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
]]>
</content>
@@ -265,7 +266,7 @@ fastcgi_param REDIRECT_STATUS 200;
<file name="/etc/nginx/conf.d/acme.conf">
<content><![CDATA[
location /.well-known/acme-challenge {
alias {{const.FROXLOR_INSTALL_DIR}};
alias {{settings.system.letsencryptchallengepath}};
location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain;

10
lib/configfiles/jessie.xml
View File

@@ -41,6 +41,7 @@
<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
</command>
<command><![CDATA[a2dismod userdir]]></command>
<command><![CDATA[a2enmod headers]]></command>
</commands>
</general>
<!-- HTTP Apache -->
@@ -69,8 +70,8 @@
</file>
<file name="/etc/apache2/conf-enabled/acme.conf">
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge"
<Directory "/var/www/.well-known/acme-challenge">
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Require all granted
</Directory>
]]>
@@ -89,6 +90,7 @@ server.modules = (
"mod_compress",
"mod_redirect",
"mod_rewrite",
"mod_setenv",
)
server.document-root = "/var/www"
@@ -107,7 +109,7 @@ static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )
alias.url += ("/.well-known/acme-challenge/" => "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge/")
alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
@@ -286,7 +288,7 @@ fastcgi_param REDIRECT_STATUS 200;
<file name="/etc/nginx/conf.d/acme.conf">
<content><![CDATA[
location /.well-known/acme-challenge {
alias {{const.FROXLOR_INSTALL_DIR}};
alias {{settings.system.letsencryptchallengepath}};
location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain;

10
lib/configfiles/precise.xml
View File

@@ -41,6 +41,7 @@
<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
</command>
<command><![CDATA[a2dismod userdir]]></command>
<command><![CDATA[a2enmod headers]]></command>
</commands>
</general>
<!-- HTTP Apache -->
@@ -67,8 +68,8 @@
</file>
<file name="/etc/apache2/conf-enabled/acme.conf">
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge"
<Directory "/var/www/.well-known/acme-challenge">
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Order allow,deny
Allow from all
</Directory>
@@ -97,6 +98,7 @@ server.modules = (
"mod_auth",
"mod_fastcgi",
"mod_cgi",
"mod_setenv",
"mod_accesslog"
)
@@ -136,7 +138,7 @@ fastcgi.server = (
)
)
alias.url += ("/.well-known/acme-challenge/" => "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge/")
alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
#### external configuration files
## mimetype mapping
@@ -245,7 +247,7 @@ fastcgi_param REDIRECT_STATUS 200;
<file name="/etc/nginx/conf.d/acme.conf">
<content><![CDATA[
location /.well-known/acme-challenge {
alias {{const.FROXLOR_INSTALL_DIR}};
alias {{settings.system.letsencryptchallengepath}};
location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain;

5
lib/configfiles/rhel_centos.xml
View File

@@ -41,6 +41,7 @@
<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
</command>
<command><![CDATA[a2dismod userdir]]></command>
<command><![CDATA[a2enmod headers]]></command>
</commands>
</general>
<!-- HTTP Apache -->
@@ -49,8 +50,8 @@
<include>//service[@type='http']/general/commands</include>
<file name="/etc/httpd/conf.d/acme.conf">
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge"
<Directory "/var/www/.well-known/acme-challenge">
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Require all granted
</Directory>
]]>

14
lib/configfiles/trusty.xml
View File

@@ -41,6 +41,7 @@
<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
</command>
<command><![CDATA[a2dismod userdir]]></command>
<command><![CDATA[a2enmod headers]]></command>
</commands>
</general>
<!-- HTTP Apache -->
@@ -67,8 +68,8 @@
</file>
<file name="/etc/apache2/conf-enabled/acme.conf">
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge"
<Directory "/var/www/.well-known/acme-challenge">
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Order Deny,Allow
Deny from All
</Directory>
@@ -97,8 +98,8 @@ Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/a
</file>
<file name="/etc/apache2/conf-enabled/acme.conf">
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge"
<Directory "/var/www/.well-known/acme-challenge">
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Require all granted
</Directory>
]]>
@@ -126,6 +127,7 @@ server.modules = (
"mod_auth",
"mod_fastcgi",
"mod_cgi",
"mod_setenv",
"mod_accesslog"
)
@@ -165,7 +167,7 @@ fastcgi.server = (
)
)
alias.url += ("/.well-known/acme-challenge/" => "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge/")
alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
#### external configuration files
## mimetype mapping
@@ -274,7 +276,7 @@ fastcgi_param REDIRECT_STATUS 200;
<file name="/etc/nginx/conf.d/acme.conf">
<content><![CDATA[
location /.well-known/acme-challenge {
alias {{const.FROXLOR_INSTALL_DIR}};
alias {{settings.system.letsencryptchallengepath}};
location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain;

14
lib/configfiles/wheezy.xml
View File

@@ -41,6 +41,7 @@
<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
</command>
<command><![CDATA[a2dismod userdir]]></command>
<command><![CDATA[a2enmod headers]]></command>
</commands>
</general>
<!-- HTTP Apache -->
@@ -67,8 +68,8 @@
</file>
<file name="/etc/apache2/conf-enabled/acme.conf">
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge"
<Directory "/var/www/.well-known/acme-challenge">
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Order Deny,Allow
Deny from All
</Directory>
@@ -97,8 +98,8 @@ Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/a
</file>
<file name="/etc/apache2/conf-enabled/acme.conf">
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge"
<Directory "/var/www/.well-known/acme-challenge">
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Require all granted
</Directory>
]]>
@@ -116,6 +117,7 @@ server.modules = (
"mod_alias",
"mod_compress",
"mod_redirect",
"mod_setenv",
"mod_rewrite",
)
@@ -135,7 +137,7 @@ static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )
alias.url += ("/.well-known/acme-challenge/" => "{{const.FROXLOR_INSTALL_DIR}}/.well-known/acme-challenge/")
alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
@@ -314,7 +316,7 @@ fastcgi_param REDIRECT_STATUS 200;
<file name="/etc/nginx/conf.d/acme.conf">
<content><![CDATA[
location /.well-known/acme-challenge {
alias {{const.FROXLOR_INSTALL_DIR}};
alias {{settings.system.letsencryptchallengepath}};
location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain;

2
lib/version.inc.php
View File

@@ -16,7 +16,7 @@
*/
// Main version variable
$version = '0.9.35-dev4';
$version = '0.9.35-dev5';
// Database version (unused, old stuff from SysCP)
$dbversion = '2';