set version to 0.10.16 for upcoming release

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

.travis.yml

@@ -58,7 +58,7 @@ after_success:
   - bash <(curl -s https://codecov.io/bash) -f "build/logs/clover.xml"
 
 notifications:
-  irc: "irc.freenode.org#froxlor"
+  irc: "chat.freenode.net#froxlor"
   webhooks:
     urls:
       - https://webhooks.gitter.im/e/bdf91d1c3f745e51f796

2fa.php

@@ -38,7 +38,7 @@ if (AREA == 'admin') {
 }
 $success_message = "";
 
-$tfa = new \Froxlor\FroxlorTwoFactorAuth('Froxlor');
+$tfa = new \Froxlor\FroxlorTwoFactorAuth('Froxlor ' . Settings::Get('system.hostname'));
 
 // do the delete and then just show a success-message
 if ($action == 'delete') {

actions/admin/settings/131.ssl.php

@@ -214,11 +214,11 @@ return array(
 					'save_method' => 'storeSettingField'
 				),
 				'system_disable_le_selfcheck' => array(
-					'label' => $lng['serversettings']['disable_le_selfcheck'],
+					'label' => $lng['serversettings']['le_domain_dnscheck'],
 					'settinggroup' => 'system',
-					'varname' => 'disable_le_selfcheck',
+					'varname' => 'le_domain_dnscheck',
 					'type' => 'bool',
-					'default' => false,
+					'default' => true,
 					'save_method' => 'storeSettingField'
 				)
 			)

customer_email.php

@@ -19,7 +19,6 @@
 define('AREA', 'customer');
 require './lib/init.php';
 
-use Froxlor\Api\Commands\SubDomains;
 use Froxlor\Database\Database;
 use Froxlor\Settings;
 use Froxlor\Api\Commands\Emails as Emails;

install/froxlor.sql

@@ -654,7 +654,7 @@ opcache.interned_strings_buffer'),
 	('system', 'leregistered', '0'),
 	('system', 'leaccount', ''),
 	('system', 'nssextrausers', '0'),
-	('system', 'disable_le_selfcheck', '0'),
+	('system', 'le_domain_dnscheck', '1'),
 	('system', 'ssl_protocols', 'TLSv1,TLSv1.2'),
 	('system', 'tlsv13_cipher_list', ''),
 	('system', 'honorcipherorder', '0'),
@@ -704,8 +704,8 @@ opcache.interned_strings_buffer'),
 	('panel', 'password_special_char', '!?<>§$%+#=@'),
 	('panel', 'customer_hide_options', ''),
 	('panel', 'is_configured', '0'),
-	('panel', 'version', '0.10.14'),
-	('panel', 'db_version', '202002290');
+	('panel', 'version', '0.10.16'),
+	('panel', 'db_version', '202004140');
 
 
 DROP TABLE IF EXISTS `panel_tasks`;

install/lib/class.FroxlorInstall.php

@@ -332,17 +332,18 @@ class FroxlorInstall
 		$userdata .= "?>";
 
 		// test if we can store the userdata.inc.php in ../lib
+		$umask = @umask(077);
 		$userdata_file = dirname(dirname(dirname(__FILE__))) . '/lib/userdata.inc.php';
-		if (@touch($userdata_file) && @chmod($userdata_file, 0400) && @is_writable($userdata_file)) {
+		if (@touch($userdata_file) && @is_writable($userdata_file)) {
 			$fp = @fopen($userdata_file, 'w');
 			@fputs($fp, $userdata, strlen($userdata));
 			@fclose($fp);
 			$content .= $this->_status_message('green', 'OK');
 		} else {
+			@unlink($userdata_file);
 			// try creating it in a temporary file
 			$temp_file = @tempnam(sys_get_temp_dir(), 'fx');
 			if ($temp_file) {
-				chmod($temp_file, 0400);
 				$fp = @fopen($temp_file, 'w');
 				@fputs($fp, $userdata, strlen($userdata));
 				@fclose($fp);
@@ -353,6 +354,7 @@ class FroxlorInstall
 				eval("\$content .= \"" . $this->_getTemplate("textarea") . "\";");
 			}
 		}
+		@umask($umask);
 
 		return $content;
 	}

install/updates/froxlor/0.10/update_0.10.inc.php

@@ -597,3 +597,23 @@ if (\Froxlor\Froxlor::isFroxlorVersion('0.10.13')) {
 	showUpdateStep("Updating from 0.10.13 to 0.10.14", false);
 	\Froxlor\Froxlor::updateToVersion('0.10.14');
 }
+
+if (\Froxlor\Froxlor::isFroxlorVersion('0.10.14')) {
+	showUpdateStep("Updating from 0.10.14 to 0.10.15", false);
+	\Froxlor\Froxlor::updateToVersion('0.10.15');
+}
+
+if (\Froxlor\Froxlor::isDatabaseVersion('202002290')) {
+	showUpdateStep("Adding new setting to validate DNS when using Let's Encrypt");
+	Database::query("DELETE FROM `" . TABLE_PANEL_SETTINGS . "` WHERE `settinggroup` = 'system' AND `varname` = 'disable_le_selfcheck'");
+	$le_domain_dnscheck = isset($_POST['system_le_domain_dnscheck']) ? (int) $_POST['system_le_domain_dnscheck'] : '1';
+	Settings::AddNew("system.le_domain_dnscheck", $le_domain_dnscheck);
+	lastStepStatus(0);
+
+	\Froxlor\Froxlor::updateToDbVersion('202004140');
+}
+
+if (\Froxlor\Froxlor::isFroxlorVersion('0.10.15')) {
+	showUpdateStep("Updating from 0.10.15 to 0.10.16", false);
+	\Froxlor\Froxlor::updateToVersion('0.10.16');
+}

install/updates/preconfig.php

@@ -34,6 +34,9 @@ function getPreConfig($current_version, $current_db_version)
 	include_once \Froxlor\FileDir::makeCorrectFile(dirname(__FILE__) . '/preconfig/0.9/preconfig_0.9.inc.php');
 	parseAndOutputPreconfig($has_preconfig, $return, $current_version, $current_db_version);
 
+	include_once \Froxlor\FileDir::makeCorrectFile(dirname(__FILE__) . '/preconfig/0.10/preconfig_0.10.inc.php');
+	parseAndOutputPreconfig2($has_preconfig, $return, $current_version, $current_db_version);
+
 	$return .= '<br /><br />' . \Froxlor\UI\HTML::makecheckbox('update_changesagreed', '<strong>I have read the update notifications above and I am aware of the changes made to my system.</strong>', '1', true, '0', true);
 	$return .= '</div>';
 	$return .= '<input type="hidden" name="update_preconfig" value="1" />';

install/updates/preconfig/0.10/preconfig_0.10.inc.php

@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2010 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Froxlor team <team@froxlor.org> (2010-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Updater
+ *
+ */
+
+/**
+ * checks if the new-version has some updating to do
+ *
+ * @param boolean $has_preconfig
+ *        	pointer to check if any preconfig has to be output
+ * @param string $return
+ *        	pointer to output string
+ * @param string $current_version
+ *        	current froxlor version
+ *        	
+ * @return null
+ */
+function parseAndOutputPreconfig2(&$has_preconfig, &$return, $current_version, $current_db_version)
+{
+	global $lng;
+
+	if (versionInUpdate($current_db_version, '202004140')) {
+		$has_preconfig = true;
+		$description = 'Froxlor can now optionally validate the dns entries of domains that request Lets Encrypt certificates to reduce dns-related problems (e.g. freshly registered domain or updated a-record).<br />';
+		$question = '<strong>Validate DNS of domains when using Lets Encrypt&nbsp;';
+		$question .= \Froxlor\UI\HTML::makeyesno('system_le_domain_dnscheck', '1', '0', '1');
+
+		eval("\$return.=\"" . \Froxlor\UI\Template::getTemplate("update/preconfigitem") . "\";");
+	}
+}

lib/Froxlor/Api/Commands/Customers.php

@@ -1410,7 +1410,7 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
 				'id' => $id
 			), true, true);
 
-			// first gather all domain-id's to clean up panel_domaintoip and dns-entries accordingly
+			// first gather all domain-id's to clean up panel_domaintoip, dns-entries and certificates accordingly
 			$did_stmt = Database::prepare("SELECT `id` FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `customerid` = :id");
 			Database::pexecute($did_stmt, array(
 				'id' => $id
@@ -1426,6 +1426,11 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
 				Database::pexecute($stmt, array(
 					'did' => $row['id']
 				), true, true);
+				// remove domain->certificates entries
+				$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "` WHERE `domainid` = :did");
+				Database::pexecute($stmt, array(
+					'did' => $row['id']
+				), true, true);
 			}
 			// remove customer domains
 			$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `customerid` = :id");

lib/Froxlor/Api/Commands/EmailAccounts.php

@@ -100,8 +100,8 @@ class EmailAccounts extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Reso
 			// alternative email address to send info to
 			if (Settings::Get('panel.sendalternativemail') == 1) {
 				$alternative_email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($alternative_email, 'alternative_email', '', '', array(), true));
-				if (! \Froxlor\Validate\Validate::validateEmail($alternative_email)) {
-					\Froxlor\UI\Response::standard_error('emailiswrong', $alternative_email, true);
+				if (!empty($alternative_email) && ! \Froxlor\Validate\Validate::validateEmail($alternative_email)) {
+					\Froxlor\UI\Response::standard_error('alternativeemailiswrong', $alternative_email, true);
 				}
 			} else {
 				$alternative_email = '';
@@ -236,7 +236,7 @@ class EmailAccounts extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Reso
 				$this->mailer()->clearAddresses();
 
 				// customer wants to send the e-mail to an alternative email address too
-				if (Settings::Get('panel.sendalternativemail') == 1) {
+				if (Settings::Get('panel.sendalternativemail') == 1 && !empty($alternative_email)) {
 					// get template for mail subject
 					$mail_subject = $this->getMailTemplate($customer, 'mails', 'pop_success_alternative_subject', $replace_arr, $this->lng['mails']['pop_success_alternative']['subject']);
 					// get template for mail body

lib/Froxlor/Api/Commands/IpsAndPorts.php

@@ -560,7 +560,7 @@ class IpsAndPorts extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resour
 						'ip' => $result['ip']
 					));
 
-					if (($result['ip'] != Settings::Get('system.ipaddress')) || ($result['ip'] == Settings::Get('system.ipaddress') && $result_sameipotherport == false)) {
+					if (($result['ip'] != Settings::Get('system.ipaddress')) || ($result['ip'] == Settings::Get('system.ipaddress') && $result_sameipotherport != false)) {
 
 						$del_stmt = Database::prepare("
 							DELETE FROM `" . TABLE_PANEL_IPSANDPORTS . "`

lib/Froxlor/Cron/CronConfig.php

@@ -99,7 +99,7 @@ class CronConfig
 					$binpath = Settings::Get("system.croncmdline");
 					// fallback as it is important
 					if ($binpath === null) {
-						$binpath = "/usr/bin/nice -n 5 /usr/bin/php5 -q";
+						$binpath = "/usr/bin/nice -n 5 /usr/bin/php -q";
 					}
 
 					$cronfile .= "root " . $binpath . " " . \Froxlor\FileDir::makeCorrectFile(\Froxlor\Froxlor::getInstallDir() . "/scripts/froxlor_master_cronjob.php") . " --" . $row_cronentry['cronfile'] . " 1> /dev/null\n";

lib/Froxlor/Cron/Http/Apache.php

@@ -172,7 +172,7 @@ class Apache extends HttpConfigBase
 
 				$mypath = $this->getMyPath($row_ipsandports);
 
-				$this->virtualhosts_data[$vhosts_filename] .= 'DocumentRoot "' . $mypath . '"' . "\n";
+				$this->virtualhosts_data[$vhosts_filename] .= 'DocumentRoot "' . rtrim($mypath, "/") . '"' . "\n";
 
 				if ($row_ipsandports['vhostcontainer_servername_statement'] == '1') {
 					$this->virtualhosts_data[$vhosts_filename] .= ' ServerName ' . Settings::Get('system.hostname') . "\n";
@@ -661,7 +661,7 @@ class Apache extends HttpConfigBase
 
 		if ($domain['deactivated'] == '1' && Settings::Get('system.deactivateddocroot') != '') {
 			$webroot_text .= '  # Using docroot for deactivated users...' . "\n";
-			$webroot_text .= '  DocumentRoot "' . \Froxlor\FileDir::makeCorrectDir(Settings::Get('system.deactivateddocroot')) . "\"\n";
+			$webroot_text .= '  DocumentRoot "' . rtrim(\Froxlor\FileDir::makeCorrectDir(Settings::Get('system.deactivateddocroot')), "/") . "\"\n";
 			$webroot_text .= '  <Directory "' . \Froxlor\FileDir::makeCorrectDir(Settings::Get('system.deactivateddocroot')) . '">' . "\n";
 			// >=apache-2.4 enabled?
 			if (Settings::Get('system.apache24') == '1') {
@@ -674,7 +674,7 @@ class Apache extends HttpConfigBase
 			$webroot_text .= '  </Directory>' . "\n";
 			$this->deactivated = true;
 		} else {
-			$webroot_text .= '  DocumentRoot "' . $domain['documentroot'] . "\"\n";
+			$webroot_text .= '  DocumentRoot "' . rtrim($domain['documentroot'], "/") . "\"\n";
 			$this->deactivated = false;
 		}
 

lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php

@@ -4,6 +4,8 @@ namespace Froxlor\Cron\Http\LetsEncrypt;
 use Froxlor\FroxlorLogger;
 use Froxlor\Settings;
 use Froxlor\Database\Database;
+use Froxlor\PhpHelper;
+use Froxlor\Domain\Domain;
 
 /**
  * This file is part of the Froxlor project.
@@ -45,7 +47,409 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron
 
 	public static $no_inserttask = false;
 
-	private static function needRenew()
+	/**
+	 * run the task
+	 *
+	 * @param boolean $internal
+	 * @return number
+	 */
+	public static function run($internal = false)
+	{
+		// usually, this is action is called from within the tasks-jobs
+		if (! defined('CRON_IS_FORCED') && ! defined('CRON_DEBUG_FLAG') && $internal == false) {
+			// Let's Encrypt cronjob is combined with regeneration of webserver configuration files.
+			// For debugging purposes you can use the --debug switch and the --force switch to run the cron manually.
+			// check whether we MIGHT need to run although there is no task to regenerate config-files
+			$needRenew = self::issueDomains();
+			if ($needRenew || self::issueFroxlorVhost()) {
+				// insert task to generate certificates and vhost-configs
+				\Froxlor\System\Cronjob::inserttask(1);
+			}
+			return 0;
+		}
+
+		// set server according to settings
+		self::$apiserver = 'https://acme-' . (Settings::Get('system.letsencryptca') == 'testing' ? 'staging-' : '') . 'v0' . \Froxlor\Settings::Get('system.leapiversion') . '.api.letsencrypt.org/directory';
+
+		// validate acme.sh installation
+		if (! self::checkInstall()) {
+			return - 1;
+		}
+
+		// flag for re-generation of vhost files
+		$changedetected = 0;
+
+		// prepare update sql
+		self::$updcert_stmt = Database::prepare("
+			REPLACE INTO
+				`" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "`
+			SET
+				`id` = :id,
+				`domainid` = :domainid,
+				`ssl_cert_file` = :crt,
+				`ssl_key_file` = :key,
+				`ssl_ca_file` = :ca,
+				`ssl_cert_chainfile` = :chain,
+				`ssl_csr_file` = :csr,
+				`ssl_fullchain_file` = :fullchain,
+				`expirationdate` = :expirationdate
+		");
+
+		// prepare domain update sql
+		self::$upddom_stmt = Database::prepare("UPDATE `" . TABLE_PANEL_DOMAINS . "` SET `ssl_redirect` = '1' WHERE `id` = :domainid");
+
+		// check whether there are certificates to issue
+		$issue_froxlor = self::issueFroxlorVhost();
+		$issue_domains = self::issueDomains();
+
+		// first - generate LE for system-vhost if enabled
+		if ($issue_froxlor) {
+			// build row
+			$certrow = array(
+				'loginname' => 'froxlor.panel',
+				'domain' => Settings::Get('system.hostname'),
+				'domainid' => 0,
+				'documentroot' => \Froxlor\Froxlor::getInstallDir(),
+				'leprivatekey' => Settings::Get('system.leprivatekey'),
+				'lepublickey' => Settings::Get('system.lepublickey'),
+				'leregistered' => Settings::Get('system.leregistered'),
+				'ssl_redirect' => Settings::Get('system.le_froxlor_redirect'),
+				'expirationdate' => null,
+				'ssl_cert_file' => null,
+				'ssl_key_file' => null,
+				'ssl_ca_file' => null,
+				'ssl_csr_file' => null,
+				'id' => null
+			);
+
+			// add to queue
+			$issue_domains[] = $certrow;
+		}
+
+		if (count($issue_domains)) {
+			FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Requesting " . count($issue_domains) . " new Let's Encrypt certificates");
+			self::runIssueFor($issue_domains);
+			$changedetected = 1;
+		}
+
+		// compare file-system certificates with the ones in our database
+		// and update if needed
+		$renew_froxlor = self::renewFroxlorVhost();
+		$renew_domains = self::renewDomains();
+
+		if ($renew_froxlor) {
+			// build row
+			$certrow = array(
+				'loginname' => 'froxlor.panel',
+				'domain' => Settings::Get('system.hostname'),
+				'domainid' => 0,
+				'documentroot' => \Froxlor\Froxlor::getInstallDir(),
+				'leprivatekey' => Settings::Get('system.leprivatekey'),
+				'lepublickey' => Settings::Get('system.lepublickey'),
+				'leregistered' => Settings::Get('system.leregistered'),
+				'ssl_redirect' => Settings::Get('system.le_froxlor_redirect'),
+				'expirationdate' => is_array($renew_froxlor) ? $renew_froxlor['expirationdate'] : date('Y-m-d H:i:s', 0),
+				'ssl_cert_file' => is_array($renew_froxlor) ? $renew_froxlor['ssl_cert_file'] : null,
+				'ssl_key_file' => is_array($renew_froxlor) ? $renew_froxlor['ssl_key_file'] : null,
+				'ssl_ca_file' => is_array($renew_froxlor) ? $renew_froxlor['ssl_ca_file'] : null,
+				'ssl_csr_file' => is_array($renew_froxlor) ? $renew_froxlor['ssl_csr_file'] : null,
+				'id' => is_array($renew_froxlor) ? $renew_froxlor['id'] : null
+			);
+			$renew_domains[] = $certrow;
+		}
+
+		foreach ($renew_domains as $domain) {
+			$cronlog = FroxlorLogger::getInstanceOf(array(
+				'loginname' => $domain['loginname'],
+				'adminsession' => 0
+			));
+			if (defined('CRON_IS_FORCED') || self::checkFsFilesAreNewer($domain['domain'], $domain['expirationdate'])) {
+				self::certToDb($domain, $cronlog, array());
+				$changedetected = 1;
+			}
+		}
+
+		// If we have a change in a certificate, we need to update the webserver - configs
+		// This is easiest done by just creating a new task ;)
+		if ($changedetected) {
+			if (self::$no_inserttask == false) {
+				\Froxlor\System\Cronjob::inserttask(1);
+			}
+			FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Let's Encrypt certificates have been updated");
+		} else {
+			FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "No new certificates or certificate updates found");
+		}
+	}
+
+	/**
+	 * issue certificates for a list of domains
+	 */
+	private static function runIssueFor($certrows = array())
+	{
+		// prepare aliasdomain-check
+		$aliasdomains_stmt = Database::prepare("
+			SELECT
+				dom.`id` as domainid,
+				dom.`domain`,
+				dom.`wwwserveralias`
+			FROM `" . TABLE_PANEL_DOMAINS . "` AS dom
+			WHERE
+				dom.`aliasdomain` = :id
+				AND dom.`letsencrypt` = 1
+				AND dom.`iswildcarddomain` = 0
+		");
+		// iterate through all domains
+		foreach ($certrows as $certrow) {
+			// set logger to corresponding loginname for the log to appear in the users system-log
+			$cronlog = FroxlorLogger::getInstanceOf(array(
+				'loginname' => $certrow['loginname'],
+				'adminsession' => 0
+			));
+			// Only issue let's encrypt certificate if no broken ssl_redirect is enabled
+			if ($certrow['ssl_redirect'] != 2) {
+				$do_force = false;
+				if (! empty($certrow['ssl_cert_file']) && empty($certrow['expirationdate'])) {
+					// domain changed (SAN or similar)
+					$do_force = true;
+					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Re-creating certificate for " . $certrow['domain']);
+				} else {
+					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Creating certificate for " . $certrow['domain']);
+				}
+				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Adding common-name: " . $certrow['domain']);
+				$domains = array(
+					strtolower($certrow['domain'])
+				);
+				// add www.<domain> to SAN list
+				if ($certrow['wwwserveralias'] == 1) {
+					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Adding SAN entry: www." . $certrow['domain']);
+					$domains[] = strtolower('www.' . $certrow['domain']);
+				}
+				if ($certrow['domainid'] == 0) {
+					$froxlor_aliases = Settings::Get('system.froxloraliases');
+					if (! empty($froxlor_aliases)) {
+						$froxlor_aliases = explode(",", $froxlor_aliases);
+						foreach ($froxlor_aliases as $falias) {
+							if (\Froxlor\Validate\Validate::validateDomain(trim($falias))) {
+								$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Adding SAN entry: " . strtolower(trim($falias)));
+								$domains[] = strtolower(trim($falias));
+							}
+						}
+					}
+				} else {
+					// add alias domains (and possibly www.<aliasdomain>) to SAN list
+					Database::pexecute($aliasdomains_stmt, array(
+						'id' => $certrow['domainid']
+					));
+					$aliasdomains = $aliasdomains_stmt->fetchAll(\PDO::FETCH_ASSOC);
+					foreach ($aliasdomains as $aliasdomain) {
+						$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Adding SAN entry: " . $aliasdomain['domain']);
+						$domains[] = strtolower($aliasdomain['domain']);
+						if ($aliasdomain['wwwserveralias'] == 1) {
+							$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Adding SAN entry: www." . $aliasdomain['domain']);
+							$domains[] = strtolower('www.' . $aliasdomain['domain']);
+						}
+					}
+				}
+
+				self::validateDns($domains, $certrow['domainid'], $cronlog);
+
+				self::runAcmeSh($certrow, $domains, $cronlog, $do_force);
+			} else {
+				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect");
+			}
+		}
+	}
+
+	/**
+	 * validate dns (A / AAAA record) of domain against known system ips
+	 *
+	 * @param array $domains
+	 * @param int $domain_id
+	 * @param FroxlorLogger $cronlog
+	 */
+	private static function validateDns(&$domains = array(), $domain_id, &$cronlog)
+	{
+		if (Settings::Get('system.le_domain_dnscheck') == '1' && ! empty($domains)) {
+			$loop_domains = $domains;
+			// ips according to our system
+			$our_ips = Domain::getIpsOfDomain($domain_id);
+			foreach ($loop_domains as $idx => $domain) {
+				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Validating DNS of " . $domain);
+				// ips accordint to NS
+				$domain_ips = PhpHelper::gethostbynamel6($domain);
+				if (count(array_intersect($our_ips, $domain_ips)) <= 0) {
+					// no common ips...
+					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "Skipping Let's Encrypt generation for " . $domain . " due to no system known IP address via DNS check");
+					unset($domains[$idx]);
+				}
+			}
+		}
+	}
+
+	private static function runAcmeSh($certrow = array(), $domains = array(), &$cronlog = null, $force = false)
+	{
+		if (! empty($domains)) {
+
+			if (self::$do_update) {
+				self::checkUpgrade();
+				self::$do_update = false;
+			}
+
+			$acmesh_cmd = self::$acmesh . " --auto-upgrade 0 --server " . self::$apiserver . " --issue -d " . implode(" -d ", $domains);
+			// challenge path
+			$acmesh_cmd .= " -w " . Settings::Get('system.letsencryptchallengepath');
+			if (Settings::Get('system.leecc') > 0) {
+				// ecc certificate
+				$acmesh_cmd .= " --keylength ec-" . Settings::Get('system.leecc');
+			} else {
+				$acmesh_cmd .= " --keylength " . Settings::Get('system.letsencryptkeysize');
+			}
+			if (Settings::Get('system.letsencryptreuseold') != '1') {
+				$acmesh_cmd .= " --always-force-new-domain-key";
+			}
+			if (Settings::Get('system.letsencryptca') == 'testing') {
+				$acmesh_cmd .= " --staging";
+			}
+			if ($force) {
+				$acmesh_cmd .= " --force";
+			}
+			if (defined('CRON_DEBUG_FLAG')) {
+				$acmesh_cmd .= " --debug";
+			}
+
+			$acme_result = \Froxlor\FileDir::safe_exec($acmesh_cmd);
+			// debug output of acme.sh run
+			$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, implode("\n", $acme_result));
+
+			self::certToDb($certrow, $cronlog, $acme_result);
+		}
+	}
+
+	private static function certToDb($certrow, &$cronlog, $acme_result)
+	{
+		$return = array();
+		self::readCertificateToVar($certrow['domain'], $return, $cronlog);
+
+		if (! empty($return['crt'])) {
+
+			$newcert = openssl_x509_parse($return['crt']);
+
+			if ($newcert) {
+				// Store the new data
+				Database::pexecute(self::$updcert_stmt, array(
+					'id' => $certrow['id'],
+					'domainid' => $certrow['domainid'],
+					'crt' => $return['crt'],
+					'key' => $return['key'],
+					'ca' => $return['chain'],
+					'chain' => $return['chain'],
+					'csr' => $return['csr'],
+					'fullchain' => $return['fullchain'],
+					'expirationdate' => date('Y-m-d H:i:s', $newcert['validTo_time_t'])
+				));
+
+				if ($certrow['ssl_redirect'] == 3) {
+					Database::pexecute(self::$upddom_stmt, array(
+						'domainid' => $certrow['domainid']
+					));
+				}
+
+				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Updated Let's Encrypt certificate for " . $certrow['domain']);
+			} else {
+				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, "Got non-successful Let's Encrypt response for " . $certrow['domain'] . ":\n" . implode("\n", $acme_result));
+			}
+		} else {
+			$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, "Could not get Let's Encrypt certificate for " . $certrow['domain'] . ":\n" . implode("\n", $acme_result));
+		}
+	}
+
+	/**
+	 * check whether we need to issue a new certificate for froxlor itself
+	 *
+	 * @return boolean
+	 */
+	private static function issueFroxlorVhost()
+	{
+		if (Settings::Get('system.le_froxlor_enabled') == '1') {
+			// let's encrypt is enabled, now check whether we have a certificate
+			$froxlor_ssl_settings_stmt = Database::prepare("
+				SELECT * FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "`
+				WHERE `domainid` = '0'
+			");
+			$froxlor_ssl = Database::pexecute_first($froxlor_ssl_settings_stmt);
+			// also check for possible existing certificate
+			if (! $froxlor_ssl && ! self::checkFsFilesAreNewer(Settings::Get('system.hostname'), date('Y-m-d H:i:s'))) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * check whether we need to renew-check the certificate for froxlor itself
+	 *
+	 * @return boolean
+	 */
+	private static function renewFroxlorVhost()
+	{
+		if (Settings::Get('system.le_froxlor_enabled') == '1') {
+			// let's encrypt is enabled, now check whether we have a certificate
+			$froxlor_ssl_settings_stmt = Database::prepare("
+				SELECT * FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "`
+				WHERE `domainid` = '0'
+			");
+			$froxlor_ssl = Database::pexecute_first($froxlor_ssl_settings_stmt);
+			// also check for possible existing certificate
+			if ($froxlor_ssl || (! $froxlor_ssl && ! self::checkFsFilesAreNewer(Settings::Get('system.hostname'), date('Y-m-d H:i:s', 0)))) {
+				return ($froxlor_ssl ? $froxlor_ssl : true);
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * get a list of domains that have a lets encrypt certificate (possible renew)
+	 */
+	private static function renewDomains()
+	{
+		$certificates_stmt = Database::query("
+			SELECT
+				domssl.`id`,
+				domssl.`domainid`,
+				domssl.`expirationdate`,
+				domssl.`ssl_cert_file`,
+				domssl.`ssl_key_file`,
+				dom.`domain`,
+				dom.`id` AS 'domainid',
+				dom.`ssl_redirect`,
+				cust.`loginname`
+			FROM
+				`" . TABLE_PANEL_CUSTOMERS . "` AS cust,
+				`" . TABLE_PANEL_DOMAINS . "` AS dom
+			LEFT JOIN
+				`" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "` AS domssl ON
+					dom.`id` = domssl.`domainid`
+			WHERE
+				dom.`customerid` = cust.`customerid`
+				AND cust.deactivated = 0
+				AND dom.`letsencrypt` = 1
+				AND dom.`aliasdomain` IS NULL
+				AND dom.`iswildcarddomain` = 0
+		");
+		$renew_certs = $certificates_stmt->fetchAll(\PDO::FETCH_ASSOC);
+		if (self::renewFroxlorVhost()) {
+			// add froxlor to the list of renews
+		}
+		if ($renew_certs) {
+			return $renew_certs;
+		}
+		return array();
+	}
+
+	/**
+	 * get a list of domains that require a new certificate (issue)
+	 */
+	private static function issueDomains()
 	{
 		$certificates_stmt = Database::query("
 			SELECT
@@ -78,322 +482,51 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron
 				AND dom.`letsencrypt` = 1
 				AND dom.`aliasdomain` IS NULL
 				AND dom.`iswildcarddomain` = 0
-				AND (
-					domssl.`expirationdate` < DATE_ADD(NOW(), INTERVAL 30 DAY)
-					OR domssl.`expirationdate` IS NULL
-				)
+				AND domssl.`expirationdate` IS NULL
 		");
 		$customer_ssl = $certificates_stmt->fetchAll(\PDO::FETCH_ASSOC);
-		if (! $customer_ssl) {
-			$customer_ssl = array();
+		if ($customer_ssl) {
+			return $customer_ssl;
 		}
-
-		$froxlor_ssl = array();
-		if (Settings::Get('system.le_froxlor_enabled') == '1') {
-			$froxlor_ssl_settings_stmt = Database::prepare("
-				SELECT * FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "`
-				WHERE `domainid` = '0' AND
-				(`expirationdate` < DATE_ADD(NOW(), INTERVAL 30 DAY) OR `expirationdate` IS NULL)
-			");
-			$froxlor_ssl = Database::pexecute_first($froxlor_ssl_settings_stmt);
-			if (! $froxlor_ssl) {
-				$froxlor_ssl = array();
-			}
-		}
-
-		if (count($customer_ssl) > 0 || count($froxlor_ssl) > 0) {
-			return array(
-				'customer_ssl' => $customer_ssl,
-				'froxlor_ssl' => $froxlor_ssl
-			);
-		}
-		return false;
+		return array();
 	}
 
-	public static function run($internal = false)
-	{
-		if (! defined('CRON_IS_FORCED') && ! defined('CRON_DEBUG_FLAG') && $internal == false) {
-			// Let's Encrypt cronjob is combined with regeneration of webserver configuration files.
-			// For debugging purposes you can use the --debug switch and the --force switch to run the cron manually.
-			// check whether we MIGHT need to run although there is no task to regenerate config-files
-			$needRenew = self::needRenew();
-			if ($needRenew) {
-				// insert task to generate certificates and vhost-configs
-				\Froxlor\System\Cronjob::inserttask(1);
-			}
-			return 0;
-		}
-
-		self::checkInstall();
-
-		self::$apiserver = 'https://acme-'.(Settings::Get('system.letsencryptca') == 'testing' ? 'staging-' : '').'v0' . \Froxlor\Settings::Get('system.leapiversion') . '.api.letsencrypt.org/directory';
-
-		FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Requesting/renewing Let's Encrypt certificates");
-
-		$aliasdomains_stmt = Database::prepare("
-			SELECT
-				dom.`id` as domainid,
-				dom.`domain`,
-				dom.`wwwserveralias`
-			FROM `" . TABLE_PANEL_DOMAINS . "` AS dom
-			WHERE
-				dom.`aliasdomain` = :id
-				AND dom.`letsencrypt` = 1
-				AND dom.`iswildcarddomain` = 0
-		");
-
-		self::$updcert_stmt = Database::prepare("
-			REPLACE INTO
-				`" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "`
-			SET
-				`id` = :id,
-				`domainid` = :domainid,
-				`ssl_cert_file` = :crt,
-				`ssl_key_file` = :key,
-				`ssl_ca_file` = :ca,
-				`ssl_cert_chainfile` = :chain,
-				`ssl_csr_file` = :csr,
-				`ssl_fullchain_file` = :fullchain,
-				`expirationdate` = :expirationdate
-		");
-
-		self::$upddom_stmt = Database::prepare("UPDATE `" . TABLE_PANEL_DOMAINS . "` SET `ssl_redirect` = '1' WHERE `id` = :domainid");
-
-		// flag for re-generation of vhost files
-		$changedetected = 0;
-
-		$needRenew = self::needRenew();
-
-		// first - generate LE for system-vhost if enabled
-		if (Settings::Get('system.le_froxlor_enabled') == '1') {
-
-			$certrow = array(
-				'loginname' => 'froxlor.panel',
-				'domain' => Settings::Get('system.hostname'),
-				'domainid' => 0,
-				'documentroot' => \Froxlor\Froxlor::getInstallDir(),
-				'leprivatekey' => Settings::Get('system.leprivatekey'),
-				'lepublickey' => Settings::Get('system.lepublickey'),
-				'leregistered' => Settings::Get('system.leregistered'),
-				'ssl_redirect' => Settings::Get('system.le_froxlor_redirect'),
-				'expirationdate' => null,
-				'ssl_cert_file' => null,
-				'ssl_key_file' => null,
-				'ssl_ca_file' => null,
-				'ssl_csr_file' => null,
-				'id' => null
-			);
-
-			$froxlor_ssl = $needRenew ? $needRenew['froxlor_ssl'] : array();
-
-			$cert_mode = 'issue';
-			if (count($froxlor_ssl) > 0) {
-				$cert_mode = 'renew';
-				$certrow['id'] = $froxlor_ssl['id'];
-				$certrow['expirationdate'] = $froxlor_ssl['expirationdate'];
-				$certrow['ssl_cert_file'] = $froxlor_ssl['ssl_cert_file'];
-				$certrow['ssl_key_file'] = $froxlor_ssl['ssl_key_file'];
-				$certrow['ssl_ca_file'] = $froxlor_ssl['ssl_ca_file'];
-				$certrow['ssl_csr_file'] = $froxlor_ssl['ssl_csr_file'];
-			} else {
-				// check whether we have an entry with valid certificates which just does not need
-				// updating yet, so we need to skip this here
-				$froxlor_ssl_settings_stmt = Database::prepare("
-					SELECT * FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "` WHERE `domainid` = '0'
-				");
-				$froxlor_ssl = Database::pexecute_first($froxlor_ssl_settings_stmt);
-				if ($froxlor_ssl && ! empty($froxlor_ssl['ssl_cert_file'])) {
-					$cert_mode = false;
-				}
-			}
-
-			if ($cert_mode) {
-				$domains = array(
-					strtolower($certrow['domain'])
-				);
-
-				$froxlor_aliases = Settings::Get('system.froxloraliases');
-				if (! empty($froxlor_aliases)) {
-					$froxlor_aliases = explode(",", $froxlor_aliases);
-					foreach ($froxlor_aliases as $falias) {
-						if (\Froxlor\Validate\Validate::validateDomain(trim($falias))) {
-							$domains[] = strtolower(trim($falias));
-						}
-					}
-				}
-
-				// Only renew let's encrypt certificate if no broken ssl_redirect is enabled
-				// - this temp. deactivation of the ssl-redirect is handled by the webserver-cronjob
-				$do_force = false;
-				if ($cert_mode == 'renew') {
-					FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Updating certificate for " . $certrow['domain']);
-				} else {
-					$do_force = true;
-					FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Creating certificate for " . $certrow['domain']);
-				}
-
-				$cronlog = FroxlorLogger::getInstanceOf(array(
-					'loginname' => $certrow['loginname'],
-					'adminsession' => 0
-				));
-
-				self::runAcmeSh($certrow, $domains, $cert_mode, $cronlog, $changedetected, $do_force);
-			}
-		}
-
-		// customer domains
-		$certrows = $needRenew ? $needRenew['customer_ssl'] : array();
-		foreach ($certrows as $certrow) {
-
-			// initialize mode to 'issue'
-			$cert_mode = 'issue';
-
-			// set logger to corresponding loginname for the log to appear in the users system-log
-			$cronlog = FroxlorLogger::getInstanceOf(array(
-				'loginname' => $certrow['loginname'],
-				'adminsession' => 0
-			));
-
-			// Only renew let's encrypt certificate if no broken ssl_redirect is enabled
-			if ($certrow['ssl_redirect'] != 2) {
-
-				$do_force = false;
-				if (! empty($certrow['ssl_cert_file']) && ! empty($certrow['expirationdate'])) {
-					$cert_mode = 'renew';
-					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Updating certificate for " . $certrow['domain']);
-				} else if (! empty($certrow['ssl_cert_file']) && empty($certrow['expirationdate'])) {
-					// domain changed (SAN or similar)
-					$do_force = true;
-					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Re-creating certificate for " . $certrow['domain']);
-				} else {
-					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Creating certificate for " . $certrow['domain']);
-				}
-
-				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Adding SAN entry: " . $certrow['domain']);
-				$domains = array(
-					strtolower($certrow['domain'])
-				);
-				// add www.<domain> to SAN list
-				if ($certrow['wwwserveralias'] == 1) {
-					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Adding SAN entry: www." . $certrow['domain']);
-					$domains[] = strtolower('www.' . $certrow['domain']);
-				}
-
-				// add alias domains (and possibly www.<aliasdomain>) to SAN list
-				Database::pexecute($aliasdomains_stmt, array(
-					'id' => $certrow['domainid']
-				));
-				$aliasdomains = $aliasdomains_stmt->fetchAll(\PDO::FETCH_ASSOC);
-				foreach ($aliasdomains as $aliasdomain) {
-					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Adding SAN entry: " . $aliasdomain['domain']);
-					$domains[] = strtolower($aliasdomain['domain']);
-					if ($aliasdomain['wwwserveralias'] == 1) {
-						$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Adding SAN entry: www." . $aliasdomain['domain']);
-						$domains[] = strtolower('www.' . $aliasdomain['domain']);
-					}
-				}
-
-				self::runAcmeSh($certrow, $domains, $cert_mode, $cronlog, $changedetected, $do_force);
-			} else {
-				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect");
-			}
-		}
-
-		// If we have a change in a certificate, we need to update the webserver - configs
-		// This is easiest done by just creating a new task ;)
-		if ($changedetected) {
-			if (self::$no_inserttask == false) {
-				\Froxlor\System\Cronjob::inserttask(1);
-			}
-			FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Let's Encrypt certificates have been updated");
-		} else {
-			FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "No new certificates or certificates due for renewal found");
-		}
-	}
-
-	private static function runAcmeSh($certrow = array(), $domains = array(), $cert_mode = 'issue', &$cronlog = null, &$changedetected = 0, $force = false)
-	{
-		if (! empty($domains)) {
-
-			if (self::$do_update) {
-				self::checkUpgrade();
-				self::$do_update = false;
-			}
-
-			$acmesh_cmd = self::$acmesh . " --auto-upgrade 0 --server " . self::$apiserver . " --" . $cert_mode . " -d " . implode(" -d ", $domains);
-
-			if ($cert_mode == 'issue') {
-				$acmesh_cmd .= " -w " . Settings::Get('system.letsencryptchallengepath');
-			}
-			if (Settings::Get('system.leecc') > 0) {
-				$acmesh_cmd .= " --keylength ec-" . Settings::Get('system.leecc');
-			} else {
-				$acmesh_cmd .= " --keylength " . Settings::Get('system.letsencryptkeysize');
-			}
-			if (Settings::Get('system.letsencryptreuseold') != '1') {
-				$acmesh_cmd .= " --always-force-new-domain-key";
-			}
-			if (Settings::Get('system.letsencryptca') == 'testing') {
-				$acmesh_cmd .= " --staging";
-			}
-			if ($force) {
-				$acmesh_cmd .= " --force";
-			}
-			if (defined('CRON_DEBUG_FLAG')) {
-				$acmesh_cmd .= " --debug";
-			}
-
-			$acme_result = \Froxlor\FileDir::safe_exec($acmesh_cmd);
-			// debug output of acme.sh run
-			$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, implode("\n", $acme_result));
-
-			$return = array();
-			self::readCertificateToVar($certrow['domain'], $return);
-
-			if (! empty($return['crt'])) {
-
-				$newcert = openssl_x509_parse($return['crt']);
-
-				if ($newcert) {
-					// Store the new data
-					Database::pexecute(self::$updcert_stmt, array(
-						'id' => $certrow['id'],
-						'domainid' => $certrow['domainid'],
-						'crt' => $return['crt'],
-						'key' => $return['key'],
-						'ca' => $return['chain'],
-						'chain' => $return['chain'],
-						'csr' => $return['csr'],
-						'fullchain' => $return['fullchain'],
-						'expirationdate' => date('Y-m-d H:i:s', $newcert['validTo_time_t'])
-					));
-
-					if ($certrow['ssl_redirect'] == 3) {
-						Database::pexecute(self::$upddom_stmt, array(
-							'domainid' => $certrow['domainid']
-						));
-					}
-
-					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Updated Let's Encrypt certificate for " . $certrow['domain']);
-					$changedetected = 1;
-				} else {
-					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, "Got non-successful Let's Encrypt response for " . $certrow['domain'] . ":\n" . implode("\n", $acme_result));
-				}
-			} else {
-				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, "Could not get Let's Encrypt certificate for " . $certrow['domain'] . ":\n" . implode("\n", $acme_result));
-			}
-		}
-	}
-
-	private static function readCertificateToVar($domain, &$return)
+	private static function checkFsFilesAreNewer($domain, $cert_date = 0)
 	{
 		$certificate_folder = dirname(self::$acmesh) . "/" . $domain;
 		if (Settings::Get('system.leecc') > 0) {
 			$certificate_folder .= "_ecc";
 		}
 		$certificate_folder = \Froxlor\FileDir::makeCorrectDir($certificate_folder);
+		$ssl_file = \Froxlor\FileDir::makeCorrectFile($certificate_folder . '/' . $domain . '.cer');
 
-		if (is_dir($certificate_folder)) {
+		if (is_dir($certificate_folder) && file_exists($ssl_file) && is_readable($ssl_file)) {
+			$cert_data = openssl_x509_parse(file_get_contents($ssl_file));
+			if (strtotime($cert_data['validTo_time_t']) > strtotime($cert_date)) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * get certificate files from filesystem and store in $return array
+	 *
+	 * @param string $domain
+	 * @param array $return
+	 * @param object $cronlog
+	 */
+	private static function readCertificateToVar($domain, &$return, &$cronlog)
+	{
+		$certificate_folder = dirname(self::$acmesh) . "/" . $domain;
+		$certificate_folder_noecc = null;
+		if (Settings::Get('system.leecc') > 0) {
+			$certificate_folder_noecc = \Froxlor\FileDir::makeCorrectDir($certificate_folder);
+			$certificate_folder .= "_ecc";
+		}
+		$certificate_folder = \Froxlor\FileDir::makeCorrectDir($certificate_folder);
+
+		if (is_dir($certificate_folder) || is_dir($certificate_folder_noecc)) {
 			foreach ([
 				'crt' => $domain . '.cer',
 				'key' => $domain . '.key',
@@ -405,28 +538,52 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron
 				if (file_exists($ssl_file)) {
 					$return[$index] = file_get_contents($ssl_file);
 				} else {
+					if (! empty($certificate_folder_noecc)) {
+						$ssl_file_fb = \Froxlor\FileDir::makeCorrectFile($certificate_folder_noecc . '/' . $sslfile);
+						if (file_exists($ssl_file_fb)) {
+							$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "ECC certificates activated but found only non-ecc file");
+							$return[$index] = file_get_contents($ssl_file_fb);
+							continue;
+						}
+					}
+					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, "Could not find file '" . $sslfile . "' in '" . $certificate_folder . "'");
 					$return[$index] = null;
 				}
 			}
+		} else {
+			$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, "Could not find certificate-folder '" . $certificate_folder . "'");
 		}
 	}
 
-	private static function checkInstall()
+	/**
+	 * install acme.sh if not found yet
+	 */
+	private static function checkInstall($tries = 0)
 	{
-		if (! file_exists(self::$acmesh)) {
+		if (! file_exists(self::$acmesh) && $tries > 0) {
+			FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, "Download/installation of acme.sh seems to have failed. Re-run cronjob to try again or install manually to '" . self::$acmesh . "'");
+			echo PHP_EOL . "Download/installation of acme.sh seems to have failed. Re-run cronjob to try again or install manually to '" . self::$acmesh . "'" . PHP_EOL;
+			return false;
+		} else if (! file_exists(self::$acmesh)) {
 			FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Could not find acme.sh - installing it to /root/.acme.sh/");
 			$return = false;
 			\Froxlor\FileDir::safe_exec("wget -O - https://get.acme.sh | sh", $return, array(
 				'|'
 			));
+			// check whether the installation worked
+			return self::checkInstall(++ $tries);
 		}
+		return true;
 	}
 
+	/**
+	 * run upgrade
+	 */
 	private static function checkUpgrade()
 	{
 		$acmesh_result = \Froxlor\FileDir::safe_exec(self::$acmesh . " --upgrade");
-		// check for activated cron (which is installed automatically) but we don't need it
-		$acmesh_result2 = \Froxlor\FileDir::safe_exec(self::$acmesh . " --uninstall-cronjob");
+		// check for activated cron
+		$acmesh_result2 = \Froxlor\FileDir::safe_exec(self::$acmesh . " --install-cronjob");
 		FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Checking for LetsEncrypt client upgrades before renewing certificates:\n" . implode("\n", $acmesh_result) . "\n" . implode("\n", $acmesh_result2));
 	}
 }

lib/Froxlor/Cron/System/BackupCron.php

@@ -77,6 +77,7 @@ class BackupCron extends \Froxlor\Cron\FroxlorCron
 
 		$del_stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_TASKS . "` WHERE `id` = :id");
 
+		$cronlog = FroxlorLogger::getInstanceOf();
 		$all_jobs = $result_tasks_stmt->fetchAll();
 		foreach ($all_jobs as $row) {
 
@@ -96,7 +97,7 @@ class BackupCron extends \Froxlor\Cron\FroxlorCron
 						\Froxlor\FileDir::safe_exec('mkdir -p ' . escapeshellarg($row['data']['destdir']));
 					}
 
-					self::createCustomerBackup($row['data'], $customerdocroot, FroxlorLogger::getInstanceOf());
+					self::createCustomerBackup($row['data'], $customerdocroot, $cronlog);
 				}
 			}
 

lib/Froxlor/Cron/System/Extrausers.php

@@ -67,7 +67,7 @@ class Extrausers
 						'name' => \Froxlor\Customer\Customer::getCustomerDetail($u['customerid'], 'name'),
 						'company' => \Froxlor\Customer\Customer::getCustomerDetail($u['customerid'], 'company')
 					);
-					$u['comment'] = \Froxlor\User::getCorrectUserSalutation($salutation_array);
+					$u['comment'] = self::cleanString(\Froxlor\User::getCorrectUserSalutation($salutation_array));
 					if ($u['login_enabled'] != 'Y') {
 						$u['password'] = '*';
 						$u['shell'] = '/bin/false';
@@ -90,4 +90,10 @@ class Extrausers
 			$cronlog->logAction(\Froxlor\FroxlorLogger::CRON_ACTION, LOG_NOTICE, 'Error when writing ' . $type . ' file entries');
 		}
 	}
+
+	private static function cleanString($string = null)
+	{
+		$allowed = "/[^a-z0-9\\.\\-\\_\\ ]/i";
+		return preg_replace($allowed, "", $string);
+	}
 }

lib/Froxlor/Cron/Traffic/ReportsCron.php

@@ -394,13 +394,15 @@ class ReportsCron extends \Froxlor\Cron\FroxlorCron
 						$lngfile = Database::pexecute_first($lngfile_stmt, array(
 							'deflang' => Settings::Get('panel.standardlanguage')
 						));
-						$langfile = $lngfile['file'];
+						$langfile = $lngfile['file'] ?? 'lng/english.lng.php';
 					}
 
 					// include english language file (fallback)
 					include_once \Froxlor\FileDir::makeCorrectFile(\Froxlor\Froxlor::getInstallDir() . '/lng/english.lng.php');
 					// include admin/customer language file
-					include_once \Froxlor\FileDir::makeCorrectFile(\Froxlor\Froxlor::getInstallDir() . '/' . $langfile);
+					if ($lngfile != 'lng/english.lng.php') {
+						include_once \Froxlor\FileDir::makeCorrectFile(\Froxlor\Froxlor::getInstallDir() . '/' . $langfile);
+					}
 
 					// Get mail templates from database; the ones from 'admin' are fetched for fallback
 					$result2_stmt = Database::prepare("

lib/Froxlor/Domain/Domain.php

@@ -6,6 +6,41 @@ use Froxlor\Database\Database;
 class Domain
 {
 
+	/**
+	 * return all ip addresses associated with given domain,
+	 * returns all ips if domain-id = 0 (froxlor.vhost)
+	 *
+	 * @param int $domain_id
+	 * @return array
+	 */
+	public static function getIpsOfDomain($domain_id)
+	{
+		if ($domain_id > 0) {
+			$sel_stmt = Database::prepare("
+				SELECT i.ip FROM `" . TABLE_PANEL_IPSANDPORTS . "` `i`
+				LEFT JOIN `" . TABLE_DOMAINTOIP . "` `dip` ON dip.id_ipandports = i.id
+				AND dip.id_domain = :domainid
+				GROUP BY i.ip
+			");
+			$sel_param = array(
+				'domainid' => $domain_id
+			);
+		} else {
+			// assuming froxlor.vhost (id = 0)
+			$sel_stmt = Database::prepare("
+				SELECT ip FROM `" . TABLE_PANEL_IPSANDPORTS . "`
+				GROUP BY ip
+			");
+			$sel_param = array();
+		}
+		Database::pexecute($sel_stmt, $sel_param);
+		$result = array();
+		while ($ip = $sel_stmt->fetch(\PDO::FETCH_ASSOC)) {
+			$result[] = $ip['ip'];
+		}
+		return $result;
+	}
+
 	/**
 	 * return an array of all enabled redirect-codes
 	 *

lib/Froxlor/Froxlor.php

@@ -7,10 +7,10 @@ final class Froxlor
 {
 
 	// Main version variable
-	const VERSION = '0.10.14';
+	const VERSION = '0.10.16';
 
 	// Database version (YYYYMMDDC where C is a daily counter)
-	const DBVERSION = '202002290';
+	const DBVERSION = '202004140';
 
 	// Distribution branding-tag (used for Debian etc.)
 	const BRANDING = '';

lib/Froxlor/MailLogParser.php

@@ -209,12 +209,12 @@ class MailLogParser
 
 			$timestamp = $this->getLogTimestamp($line);
 			if ($this->startTime < $timestamp) {
-				if (preg_match("/dovecot.*(?::|\]) imap\(.*@([a-z0-9\.\-]+)\):.*(?:in=(\d+) out=(\d+)|bytes=(\d+)\/(\d+))/i", $line, $matches)) {
+				if (preg_match("/dovecot.*(?::|\]) imap\(.*@([a-z0-9\.\-]+)\)(<\d+><[a-z0-9+\/=]+>)?:.*(?:in=(\d+) out=(\d+)|bytes=(\d+)\/(\d+))/i", $line, $matches)) {
 					// Dovecot IMAP
-					$this->addDomainTraffic($matches[1], (int) $matches[2] + (int) $matches[3], $timestamp);
-				} elseif (preg_match("/dovecot.*(?::|\]) pop3\(.*@([a-z0-9\.\-]+)\):.*in=(\d+).*out=(\d+)/i", $line, $matches)) {
+					$this->addDomainTraffic($matches[1], (int) $matches[3] + (int) $matches[4], $timestamp);
+				} elseif (preg_match("/dovecot.*(?::|\]) pop3\(.*@([a-z0-9\.\-]+)\)(<\d+><[a-z0-9+\/=]+>)?:.*in=(\d+).*out=(\d+)/i", $line, $matches)) {
 					// Dovecot POP3
-					$this->addDomainTraffic($matches[1], (int) $matches[2] + (int) $matches[3], $timestamp);
+					$this->addDomainTraffic($matches[1], (int) $matches[3] + (int) $matches[4], $timestamp);
 				}
 			}
 		}

lng/english.lng.php

@@ -204,6 +204,7 @@ $lng['error']['mydomain'] = '\'Domain\'';
 $lng['error']['mydocumentroot'] = '\'Documentroot\'';
 $lng['error']['loginnameexists'] = 'Loginname %s already exists';
 $lng['error']['emailiswrong'] = 'Email-address %s contains invalid characters or is incomplete';
+$lng['error']['alternativeemailiswrong'] = 'The given alternative email address %s to send the credentials to seems to be invalid';
 $lng['error']['loginnameiswrong'] = 'Loginname "%s" contains illegal characters.';
 $lng['error']['loginnameiswrong2'] = 'Loginname contains too many characters. Only %s characters are allowed.';
 $lng['error']['userpathcombinationdupe'] = 'Combination of username and path already exists';
@@ -1697,7 +1698,7 @@ $lng['admin']['integrityresult'] = 'Result';
 $lng['admin']['integrityfix'] = 'Fix problems automatically';
 $lng['question']['admin_integritycheck_reallyfix'] = 'Do you really want to try fixing all database integrity problems automatically?';
 $lng['serversettings']['system_croncmdline']['title'] = 'Cron execution command (php-binary)';
-$lng['serversettings']['system_croncmdline']['description'] = 'Command to execute our cronjobs. Change this only if you know what you are doing (default: "/usr/bin/nice -n 5 /usr/bin/php5 -q")!';
+$lng['serversettings']['system_croncmdline']['description'] = 'Command to execute our cronjobs. Change this only if you know what you are doing (default: "/usr/bin/nice -n 5 /usr/bin/php -q")!';
 $lng['error']['cannotdeletehostnamephpconfig'] = 'This PHP-configuration is used by the Froxlor-vhost and cannot be deleted.';
 $lng['error']['cannotdeletedefaultphpconfig'] = 'This PHP-configuration is set as default and cannot be deleted.';
 $lng['serversettings']['system_cron_allowautoupdate']['title'] = 'Allow automatic database updates';
@@ -1982,8 +1983,8 @@ $lng['admin']['domain_http2']['title'] = 'HTTP2 support';
 $lng['admin']['domain_http2']['description'] = 'See <a target="_blank" href="https://en.wikipedia.org/wiki/HTTP/2">Wikipedia</a> for a detailed explanation of HTTP2';
 $lng['admin']['testmail'] = 'SMTP test';
 $lng['success']['testmailsent'] = 'Test mail sent successfully';
-$lng['serversettings']['disable_le_selfcheck']['title'] = "Disable Let's Encrypt local self-check";
-$lng['serversettings']['disable_le_selfcheck']['description'] = "If activated, froxlor will <strong>not</strong> perform its self-check for token accessibility. Needed for NATed IP's or similar.";
+$lng['serversettings']['le_domain_dnscheck']['title'] = "Validate DNS of domains when using Let's Encrypt";
+$lng['serversettings']['le_domain_dnscheck']['description'] = "If activated, froxlor will validate whether the domain which requests a Let's Encrypt certificate resolves to at least one of the system ip addresses.";
 $lng['menue']['phpsettings']['fpmdaemons'] = 'PHP-FPM versions';
 $lng['admin']['phpsettings']['activephpconfigs'] = 'In use for php-config(s)';
 $lng['admin']['phpsettingsforsubdomains'] = 'Apply php-config to all subdomains:';

lng/german.lng.php

@@ -202,6 +202,7 @@ $lng['error']['mydomain'] = '\'Domain\'';
 $lng['error']['mydocumentroot'] = '\'Documentroot\'';
 $lng['error']['loginnameexists'] = 'Der Login-Name "%s" existiert bereits.';
 $lng['error']['emailiswrong'] = 'Die E-Mail-Adresse "%s" enthält ungültige Zeichen oder ist nicht vollständig.';
+$lng['error']['alternativeemailiswrong'] = 'Die angegebene alternative E-Mail Adresse "%s", an welche die Zugangsdaten geschickt werden soll, scheint ungültig zu sein.';
 $lng['error']['loginnameiswrong'] = 'Der Login-Name "%s" enthält ungültige Zeichen.';
 $lng['error']['loginnameiswrong2'] = 'Der Login-Name enthält zu viele Zeichen, es sind maximal %s Zeichen erlaubt.';
 $lng['error']['userpathcombinationdupe'] = 'Die Kombination aus Benutzername und Pfad existiert bereits.';
@@ -1421,7 +1422,7 @@ $lng['admin']['integrityresult'] = 'Ergebnis';
 $lng['admin']['integrityfix'] = 'Probleme automatisch beheben';
 $lng['question']['admin_integritycheck_reallyfix'] = 'Möchten Sie wirklich versuchen sämtliche Datenbank-Integritätsprobleme automatisch zu beheben?';
 $lng['serversettings']['system_croncmdline']['title'] = 'Cron Startbefehl (php Programm)';
-$lng['serversettings']['system_croncmdline']['description'] = 'Befehl zum Ausführen des Cronjobs. Ändern dieser Einstellung nur wenn nötig (Standard: "/usr/bin/nice -n 5 /usr/bin/php5 -q")!';
+$lng['serversettings']['system_croncmdline']['description'] = 'Befehl zum Ausführen des Cronjobs. Ändern dieser Einstellung nur wenn nötig (Standard: "/usr/bin/nice -n 5 /usr/bin/php -q")!';
 $lng['error']['cannotdeletehostnamephpconfig'] = 'Diese PHP-Konfiguration ist dem Froxlor-Vhost zugewiesen und kann daher nicht gelöscht werden.';
 $lng['error']['cannotdeletedefaultphpconfig'] = 'Diese PHP-Konfiguration ist als Standard hinterlegt und kann daher nicht gelöscht werden.';
 $lng['serversettings']['system_cron_allowautoupdate']['title'] = 'Erlaube automatische Datenbank-Aktualisierungen';
@@ -1632,8 +1633,8 @@ $lng['admin']['domain_http2']['title'] = 'HTTP2 Unterstützung';
 $lng['admin']['domain_http2']['description'] = 'Siehe <a target="_blank" href="https://de.wikipedia.org/wiki/Hypertext_Transfer_Protocol#HTTP.2F2">Wikipedia</a> für eine ausführliche Beschreibung von HTTP2';
 $lng['admin']['testmail'] = 'SMTP Test';
 $lng['success']['testmailsent'] = 'Test E-Mail erfolgreich gesendet';
-$lng['serversettings']['disable_le_selfcheck']['title'] = "Deaktiviere Let's Encrypt lokale Selbstprüfung";
-$lng['serversettings']['disable_le_selfcheck']['description'] = "Wenn aktiviert wird Froxlor <strong>keine</strong> Erreichbarkeitsprüfung des Tokens vornehmen. Nötig bei ge-NAT-eten IP-Adressen oder Ähnlichem";
+$lng['serversettings']['le_domain_dnscheck']['title'] = "Validiere DNS der Domains wenn Let's Encrypt genutzt wird";
+$lng['serversettings']['le_domain_dnscheck']['description'] = "Wenn aktiviert wird froxlor überprüfen ob die DNS Einträge der Domains, welche ein Let's Encrypt Zertifikat beantragt, mindestens auf eine der System IP Adressen auflöst.";
 $lng['menue']['phpsettings']['fpmdaemons'] = 'PHP-FPM Versionen';
 $lng['admin']['phpsettings']['activephpconfigs'] = 'In Verwendung für PHP-Konfiguration(en)';
 $lng['admin']['phpsettingsforsubdomains'] = 'PHP-Config für alle Subdomains übernehmen:';

lng/italian.lng.php

@@ -1635,7 +1635,7 @@ $lng['admin']['integrityresult'] = 'Risultato';
 $lng['admin']['integrityfix'] = 'Risolvi problemi automaticamente';
 $lng['question']['admin_integritycheck_reallyfix'] = 'Vuoi veramente provare a risolvere i problemi di integrità del database automaticamente?';
 $lng['serversettings']['system_croncmdline']['title'] = 'Commando di esecuzione Cron (binario php)';
-$lng['serversettings']['system_croncmdline']['description'] = 'Commando per eseguire i nostri cronjob. Modificalo soltanto se sai cosa stai facendo (predefinito: "/usr/bin/nice -n 5 /usr/bin/php5 -q")!';
+$lng['serversettings']['system_croncmdline']['description'] = 'Commando per eseguire i nostri cronjob. Modificalo soltanto se sai cosa stai facendo (predefinito: "/usr/bin/nice -n 5 /usr/bin/php -q")!';
 $lng['error']['cannotdeletehostnamephpconfig'] = 'Questa configurazione PHP è utilizzata dal vhost Froxlor e non può essere eliminata.';
 $lng['error']['cannotdeletedefaultphpconfig'] = 'Questa configurazione PHP è impostata come predefinita e non può essere eliminata.';
 $lng['serversettings']['system_cron_allowautoupdate']['title'] = 'Permetti aggiornamenti automatici del database';