From d8b6d87ade2ec44b58352442661379cc1b193a38 Mon Sep 17 00:00:00 2001
From: Daniel Reichelt
Date: Fri, 16 Sep 2016 07:32:22 +0200
Subject: [PATCH 1/2] cron/nginx: remove echo'ed messages they already get logged
---
 scripts/jobs/cron_tasks.inc.http.30.nginx.php | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/scripts/jobs/cron_tasks.inc.http.30.nginx.php b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
index ac81e94b..af44aea4 100644
--- a/scripts/jobs/cron_tasks.inc.http.30.nginx.php
+++ b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
@@ -610,7 +610,6 @@ class nginx extends HttpConfigBase {
 // check for existence, #1485
 if (!file_exists($domain_or_ip['ssl_cert_file'])) {
 $this->logger->logAction(CRON_ACTION, LOG_ERR, $domain_or_ip['domain'] . ' :: certificate file "'.$domain_or_ip['ssl_cert_file'].'" does not exist! Cannot create ssl-directives');
- echo $domain_or_ip['domain'] . ' :: certificate file "'.$domain_or_ip['ssl_cert_file'].'" does not exist! Cannot create SSL-directives'."\n";
 } else {
 // obsolete: ssl on now belongs to the listen block as 'ssl' at the end
 //$sslsettings .= "\t" . 'ssl on;' . "\n";
@@ -624,7 +623,6 @@ class nginx extends HttpConfigBase {
 // check for existence, #1485
 if (!file_exists($domain_or_ip['ssl_key_file'])) {
 $this->logger->logAction(CRON_ACTION, LOG_ERR, $domain_or_ip['domain'] . ' :: certificate key file "'.$domain_or_ip['ssl_key_file'].'" does not exist! Cannot create ssl-directives');
- echo $domain_or_ip['domain'] . ' :: certificate key file "'.$domain_or_ip['ssl_key_file'].'" does not exist! SSL-directives might not be working'."\n";
 } else {
 $sslsettings .= "\t" . 'ssl_certificate_key ' .makeCorrectFile($domain_or_ip['ssl_key_file']) . ';' . "\n";
 }
@@ -634,7 +632,6 @@ class nginx extends HttpConfigBase {
 // check for existence, #1485
 if (!file_exists($domain_or_ip['ssl_ca_file'])) {
 $this->logger->logAction(CRON_ACTION, LOG_ERR, $domain_or_ip['domain'] . ' :: certificate CA file "'.$domain_or_ip['ssl_ca_file'].'" does not exist! Cannot create ssl-directives');
- echo $domain_or_ip['domain'] . ' :: certificate CA file "'.$domain_or_ip['ssl_ca_file'].'" does not exist! SSL-directives might not be working'."\n";
 } else {
 $sslsettings.= "\t" . 'ssl_client_certificate ' . makeCorrectFile($domain_or_ip['ssl_ca_file']) . ';' . "\n";
 }
From 41e769d6815568b9f2f7d392b85ca615c0594535 Mon Sep 17 00:00:00 2001
From: Daniel Reichelt
Date: Fri, 16 Sep 2016 07:50:10 +0200
Subject: [PATCH 2/2] cron/nginx: remove ssl_client_certificate Adding the CA certificate to an nginx vhost via ssl_client_certificate is outright wrong. Moreover, the CA certificate data is already written to the certificate file itself (class.DomainSSL.php:83-85). fixes #1650
---
 scripts/jobs/cron_tasks.inc.http.30.nginx.php | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/scripts/jobs/cron_tasks.inc.http.30.nginx.php b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
index af44aea4..ae9e5a41 100644
--- a/scripts/jobs/cron_tasks.inc.http.30.nginx.php
+++ b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
@@ -628,15 +628,6 @@ class nginx extends HttpConfigBase {
 }
 }
 
- if ($domain_or_ip['ssl_ca_file'] != '') {
- // check for existence, #1485
- if (!file_exists($domain_or_ip['ssl_ca_file'])) {
- $this->logger->logAction(CRON_ACTION, LOG_ERR, $domain_or_ip['domain'] . ' :: certificate CA file "'.$domain_or_ip['ssl_ca_file'].'" does not exist! Cannot create ssl-directives');
- } else {
- $sslsettings.= "\t" . 'ssl_client_certificate ' . makeCorrectFile($domain_or_ip['ssl_ca_file']) . ';' . "\n";
- }
- }
-
 if (isset($domain_or_ip['hsts']) && $domain_or_ip['hsts'] > 0) {
 $vhost_content .= 'add_header Strict-Transport-Security "max-age=' . $domain_or_ip['hsts'];
 if ($domain_or_ip['hsts_sub'] == 1) {