LE: change semantics of setting.letsencryptreuseold

Previously setting.letsencryptreuseold determined wheter both a domain's
private key and a CSR should be re-generated.

Preparing support of alias domains in LE certificates, this is changed to
only determine the re-generation of the private key. CSRs now are always
re-generated.

lib/classes/ssl/class.lescript.php

@@ -227,9 +227,7 @@ class lescript
 
 		$this->client->getLastLinks();
 
-		if (empty($csrfile) || Settings::Get('system.letsencryptreuseold') == 0) {
 		$csr = $this->generateCSR($privateDomainKey, $domains);
-		}
 
 		// request certificates creation
 		$result = $this->signedRequest("/acme/new-cert", array(

lng/english.lng.php

@@ -1949,8 +1949,8 @@ $lng['serversettings']['letsencryptchallengepath']['title'] = "Path for Let's En
 $lng['serversettings']['letsencryptchallengepath']['description'] = "Directory where the Let's Encrypt challenges should be offered from via a global alias.<br><strong class=\"red\">ATTENTION:</strong> Let's Encrypt is still in beta</strong>";
 $lng['serversettings']['letsencryptkeysize']['title'] = "Key size for new Let's Encrypt certificates";
 $lng['serversettings']['letsencryptkeysize']['description'] = "Size of the key in Bits for new Let's Encrypt certificates.<br><strong class=\"red\">ATTENTION:</strong> Let's Encrypt is still in beta</strong>";
-$lng['serversettings']['letsencryptreuseold']['title'] = "Re-use Let's Encrypt key / CSR";
-$lng['serversettings']['letsencryptreuseold']['description'] = "If activated, the same key and CSR will be used for every renew, otherwise a new key / CSR will be generated every time.<br><strong class=\"red\">ATTENTION:</strong> Let's Encrypt is still in beta</strong>";
+$lng['serversettings']['letsencryptreuseold']['title'] = "Re-use Let's Encrypt key";
+$lng['serversettings']['letsencryptreuseold']['description'] = "If activated, the same key will be used for every renew, otherwise a new key will be generated every time.<br><strong class=\"red\">ATTENTION:</strong> Let's Encrypt is still in beta</strong>";
 $lng['serversettings']['leenabled']['title'] = "Enable Let's Encrypt";
 $lng['serversettings']['leenabled']['description'] = "If activated, customers are able to let froxlor automatically generate and renew Let's Encrypt ssl-certificates for domains with a ssl IP/port.<br /><br />Please remember that you need to go through the webserver-configuration when eabled because this feature needs a special configuration.";
 $lng['domains']['ssl_redirect_temporarilydisabled'] = "<br>The SSL redirect is temporarily deactivated while a new Let's Encrypt certificate is generated. It will be activated again after the certificate was generated.";

lng/german.lng.php

@@ -1603,8 +1603,8 @@ $lng['serversettings']['letsencryptchallengepath']['title'] = "Verzeichnis für
 $lng['serversettings']['letsencryptchallengepath']['description'] = "Let's Encrypt challenges werden aus diesem Verzeichnis über einen globalen Alias ausgeliefert.<br><strong class=\"red\">ACHTUNG:</strong> Let's Encrypt befindet sich noch im Test";
 $lng['serversettings']['letsencryptkeysize']['title'] = "Schlüsselgröße für neue Let's Encrypt Zertifikate";
 $lng['serversettings']['letsencryptkeysize']['description'] = "Größe des Schlüssels in Bit für neue Let's Encrypt Zertifikate.<br><strong class=\"red\">ACHTUNG:</strong> Let's Encrypt befindet sich noch im Test";
-$lng['serversettings']['letsencryptreuseold']['title'] = "Let's Encrypt Schlüssel / CSR wiederverwenden";
-$lng['serversettings']['letsencryptreuseold']['description'] = "Wenn dies aktiviert ist, werden der alte Schlüssel und CSR bei jeder Verlängerung verwendet, andernfalls wird ein neues Paar generiert.<br><strong class=\"red\">ACHTUNG:</strong> Let's Encrypt befindet sich noch im Test";
+$lng['serversettings']['letsencryptreuseold']['title'] = "Let's Encrypt Schlüssel wiederverwenden";
+$lng['serversettings']['letsencryptreuseold']['description'] = "Wenn dies aktiviert ist, wird der alte Schlüssel bei jeder Verlängerung verwendet, andernfalls wird ein neues Paar generiert.<br><strong class=\"red\">ACHTUNG:</strong> Let's Encrypt befindet sich noch im Test";
 $lng['serversettings']['leenabled']['title'] = "Let's Encrypt verwenden";
 $lng['serversettings']['leenabled']['description'] = "Wenn dies aktiviert ist, können Kunden durch Froxlor automatisch generierte und verlängerbare Let's Encrypt SSL-Zertifikate für Domains mit SSL IP/port nutzen.<br /><br />Bitte die Webserver-Konfiguration beachten wenn aktiviert, da dieses Feature eine spezielle Konfiguration benötigt.";
 $lng['domains']['ssl_redirect_temporarilydisabled'] = "<br>Die SSL-Umleitung ist, während ein neues Let's Encrypt - Zertifikat erstellt wird, temporär deaktiviert. Die Umleitung wird nach der Zertifikatserstellung wieder aktiviert.";

scripts/jobs/cron_letsencrypt.php

@@ -92,19 +92,7 @@ foreach ($certrows as $certrow) {
 	if ($certrow['ssl_redirect'] != 2) {
 		$cronlog->logAction(CRON_ACTION, LOG_DEBUG, "Updating " . $certrow['domain']);
 
-		if ($certrow['ssl_cert_file']) {
-			$cronlog->logAction(CRON_ACTION, LOG_DEBUG, "letsencrypt using old key / SAN for " . $certrow['domain']);
-			// Parse the old certificate
-			$x509data = openssl_x509_parse($certrow['ssl_cert_file']);
-
-			// We are interessted in the old SAN - data
-			$san = explode(', ', $x509data['extensions']['subjectAltName']);
-			$domains = array();
-			foreach ($san as $dnsname) {
-				$domains[] = substr($dnsname, 4);
-			}
-		} else {
-			$cronlog->logAction(CRON_ACTION, LOG_DEBUG, "letsencrypt generating new key / SAN for " . $certrow['domain']);
+		$cronlog->logAction(CRON_ACTION, LOG_DEBUG, "letsencrypt generating SAN list for " . $certrow['domain']);
 		$domains = array(
 			$certrow['domain']
 		);
@@ -112,7 +100,6 @@ foreach ($certrows as $certrow) {
 		if ($certrow['wwwserveralias'] == 1) {
 			$domains[] = 'www.' . $certrow['domain'];
 		}
-		}
 
 		try {
 			// Initialize Lescript with documentroot