Allow selecting new keysize, fixes #1594
Prepare database and cron for HSTS, refs #1593 Added option to re-use key and CSR for Let's Encrypt Signed-off-by: Florian Aders <eleras@froxlor.org>
This commit is contained in:
Florian Aders
@@ -21,14 +21,14 @@
|
||||
$cronlog->logAction(CRON_ACTION, LOG_INFO, "Updated Let's Encrypt certificates");
|
||||
|
||||
$certificates_stmt = Database::query("
|
||||
SELECT domssl.`id`, domssl.`domainid`, domssl.expirationdate, domssl.`ssl_cert_file`, domssl.`ssl_key_file`, domssl.`ssl_ca_file`, dom.`domain`, dom.`iswildcarddomain`, dom.`wwwserveralias`,
|
||||
SELECT domssl.`id`, domssl.`domainid`, domssl.expirationdate, domssl.`ssl_cert_file`, domssl.`ssl_key_file`, domssl.`ssl_ca_file`, domssl.`ssl_csr_file`, dom.`domain`, dom.`iswildcarddomain`, dom.`wwwserveralias`,
|
||||
dom.`documentroot`, dom.`id` as 'domainid', dom.`ssl_redirect`, cust.`leprivatekey`, cust.`lepublickey`, cust.customerid
|
||||
FROM `".TABLE_PANEL_CUSTOMERS."` as cust, `".TABLE_PANEL_DOMAINS."` dom LEFT JOIN `".TABLE_PANEL_DOMAIN_SSL_SETTINGS."` domssl ON (dom.id = domssl.domainid)
|
||||
WHERE dom.customerid = cust.customerid AND dom.letsencrypt = 1 AND (domssl.expirationdate < DATE_ADD(NOW(), INTERVAL 30 DAY) OR domssl.expirationdate IS NULL)
|
||||
");
|
||||
|
||||
$updcert_stmt = Database::prepare("
|
||||
REPLACE INTO `".TABLE_PANEL_DOMAIN_SSL_SETTINGS."` SET `id` = :id, `domainid` = :domainid, `ssl_cert_file` = :crt, `ssl_key_file` = :key, `ssl_ca_file` = :ca, `ssl_cert_chainfile` = :fullchain, expirationdate = :expirationdate
|
||||
REPLACE INTO `".TABLE_PANEL_DOMAIN_SSL_SETTINGS."` SET `id` = :id, `domainid` = :domainid, `ssl_cert_file` = :crt, `ssl_key_file` = :key, `ssl_ca_file` = :ca, `ssl_cert_chainfile` = :fullchain, `ssl_csr_file` = :csr, expirationdate = :expirationdate
|
||||
");
|
||||
|
||||
$upddom_stmt = Database::prepare("
|
||||
@@ -71,7 +71,7 @@ while ($certrow = $certificates_stmt->fetch(PDO::FETCH_ASSOC)) {
|
||||
$le->initAccount($certrow);
|
||||
|
||||
// Request the new certificate (old key may be used)
|
||||
$return = $le->signDomains($domains, $certrow['ssl_key_file']);
|
||||
$return = $le->signDomains($domains, $certrow['ssl_key_file'], $certrow['ssl_csr_file']);
|
||||
|
||||
// We are interessted in the expirationdate
|
||||
$newcert = openssl_x509_parse($return['crt']);
|
||||
@@ -84,6 +84,7 @@ while ($certrow = $certificates_stmt->fetch(PDO::FETCH_ASSOC)) {
|
||||
'key' => $return['key'],
|
||||
'ca' => $return['chain'],
|
||||
'fullchain' => $return['fullchain'],
|
||||
'csr' => $return['csr'],
|
||||
'expirationdate' => date('Y-m-d H:i:s', $newcert['validTo_time_t'])
|
||||
)
|
||||
);
|
||||
|
||||
@@ -811,6 +811,19 @@ class apache extends HttpConfigBase {
|
||||
if ($domain['ssl_cert_chainfile'] != '') {
|
||||
$vhost_content .= ' SSLCertificateChainFile ' . makeCorrectFile($domain['ssl_cert_chainfile']) . "\n";
|
||||
}
|
||||
|
||||
if ($domain['hsts'] > 0) {
|
||||
$vhost_content .= ' <IfModule mod_headers.c>' . "\n";
|
||||
$vhost_content .= ' Header always set Strict-Transport-Security "max-age=' . $domain['hsts'];
|
||||
if ($domain['hsts_sub'] == 1) {
|
||||
$vhost_content .= '; includeSubdomains';
|
||||
}
|
||||
if ($domain['hsts_preload'] == 1) {
|
||||
$vhost_content .= '; preload';
|
||||
}
|
||||
$vhost_content .= '"' . "\n";
|
||||
$vhost_content .= ' </IfModule>' . "\n";
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@@ -518,6 +518,18 @@ class lighttpd extends HttpConfigBase {
|
||||
if ($domain['ssl_ca_file'] != '') {
|
||||
$ssl_settings.= 'ssl.ca-file = "' . makeCorrectFile($domain['ssl_ca_file']) . '"' . "\n";
|
||||
}
|
||||
|
||||
if ($domain['hsts'] > 0) {
|
||||
|
||||
$vhost_content .= '$HTTP["scheme"] == "https" { setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=' . $domain['hsts'];
|
||||
if ($domain['hsts_sub'] == 1) {
|
||||
$vhost_content .= '; includeSubdomains';
|
||||
}
|
||||
if ($domain['hsts_preload'] == 1) {
|
||||
$vhost_content .= '; preload';
|
||||
}
|
||||
$vhost_content .= '") }' . "\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
return $ssl_settings;
|
||||
|
||||
@@ -591,6 +591,18 @@ class nginx extends HttpConfigBase {
|
||||
$sslsettings.= "\t" . 'ssl_client_certificate ' . makeCorrectFile($domain_or_ip['ssl_ca_file']) . ';' . "\n";
|
||||
}
|
||||
}
|
||||
|
||||
if ($domain['hsts'] > 0) {
|
||||
|
||||
$vhost_content .= 'add_header Strict-Transport-Security "max-age=' . $domain['hsts'];
|
||||
if ($domain['hsts_sub'] == 1) {
|
||||
$vhost_content .= '; includeSubdomains';
|
||||
}
|
||||
if ($domain['hsts_preload'] == 1) {
|
||||
$vhost_content .= '; preload';
|
||||
}
|
||||
$vhost_content .= '";' . "\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user