# Functions for cert creation with Let's Encrypt if ($config{'letsencrypt_cmd'}) { $letsencrypt_cmd = &has_command($config{'letsencrypt_cmd'}); } else { $letsencrypt_cmd = &has_command("letsencrypt-auto") || &has_command("letsencrypt") || &has_command("certbot-auto") || &has_command("certbot"); } $account_key = "$module_config_directory/letsencrypt.pem"; $letsencrypt_chain_urls = [ "https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem", "https://letsencrypt.org/certs/lets-encrypt-r3.pem", "https://letsencrypt.org/certs/lets-encrypt-e1.pem", ]; # letsencrypt_is_ip_cert_identifier(identifier) # Returns 1 if some certificate identifier is an IPv4 or IPv6 address sub letsencrypt_is_ip_cert_identifier { my ($id) = @_; return 1 if (&check_ipaddress($id)); return $id !~ /\// && $id =~ /:/ && &check_ip6address($id); } # letsencrypt_doms_have_ips(&domains) # Returns 1 if any certificate identifier is an IP address sub letsencrypt_doms_have_ips { my ($doms) = @_; foreach my $d (@$doms) { return 1 if (&letsencrypt_is_ip_cert_identifier($d)); } return 0; } # check_letsencrypt() # Returns undef if all dependencies are installed, or an error message sub check_letsencrypt { if (&has_command($letsencrypt_cmd)) { # Use official client return undef; } my $python = &get_python_cmd(); if (!$python || !&has_command("openssl")) { return $text{'letsencrypt_ecmds'}; } my $out = &backquote_command("$python -c 'import argparse' 2>&1"); if ($?) { return &text('letsencrypt_epythonmod', 'argparse'); } my $ver = &backquote_command("$python --version 2>&1"); if ($ver !~ /Python\s+([0-9\.]+)/) { return &text('letsencrypt_epythonver', "".&html_escape($out).""); } $ver = $1; if ($ver < 2.5) { return &text('letsencrypt_epythonver2', '2.5', $ver); } return undef; } # can_bind_tcp_port(port) # Returns 1 if a TCP port appears to be free for binding, or 0 if it is in use sub can_bind_tcp_port { my ($port) = @_; my $proto = getprotobyname('tcp'); return 1 if (!$proto); my @tests = ( [ PF_INET(), sub { pack_sockaddr_in($port, INADDR_ANY) } ], ); push(@tests, [ PF_INET6(), sub { pack_sockaddr_in6($port, in6addr_any()) }, sub { setsockopt($_[0], 41, 26, pack("l", 1)) } ]) if (defined(&PF_INET6) && defined(&pack_sockaddr_in6) && defined(&in6addr_any)); foreach my $t (@tests) { my ($family, $pack_func, $setup_func) = @$t; my $sock; next if (!socket($sock, $family, SOCK_STREAM, $proto)); &$setup_func($sock) if ($setup_func); setsockopt($sock, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)); my $ok = bind($sock, &$pack_func()); my $inuse = !$ok && $!{'EADDRINUSE'}; close($sock); return 0 if ($inuse); } return 1; } # is_webmin_listening_on_port(port) # Returns 1 if Miniserv is configured to listen on a TCP port sub is_webmin_listening_on_port { my ($port) = @_; my %miniserv; &get_miniserv_config(\%miniserv); return 1 if ($miniserv{'port'} && $miniserv{'port'} == $port); foreach my $s (split(/\s+/, $miniserv{'sockets'} || '')) { return 1 if ($s =~ /^\Q$port\E$/ || $s =~ /^\*:\Q$port\E$/ || $s =~ /^\S+:\Q$port\E$/); } return 0; } # get_letsencrypt_certbot_port_error() # Returns an error if Certbot standalone mode cannot listen on port 80 sub get_letsencrypt_certbot_port_error { return undef if (&can_bind_tcp_port(80)); if (&is_webmin_listening_on_port(80)) { return $text{'letsencrypt_ecertbotwebmin'}; } return $text{'letsencrypt_ecertbotport'}; } # get_letsencrypt_install_message(return-link, return-title) # Returns a link or form to install Let's Encrypt sub get_letsencrypt_install_message { my ($rlink, $rmsg) = @_; &foreign_require("software"); return &software::missing_install_link( "certbot", $text{'letsencrypt_certbot'}, $rlink, $rmsg); } # get_letsencrypt_output_pem_path(output) # Returns the first certbot PEM path from command output, or undef sub get_letsencrypt_output_pem_path { my ($out) = @_; if ($out =~ /((?:\/usr\/local)?\/etc\/letsencrypt\/(?:live|archive)\/[a-zA-Z0-9\.\_\-:\/\*]+\.pem)/ || $out =~ /((?:\/usr\/local)?\/etc\/letsencrypt\/(?:live|archive)\/[a-zA-Z0-9\.\_\-:\/\r\n\* ]*?\.pem)/) { my $full = $1; $full =~ s/\s//g; return $full; } return undef; } # request_letsencrypt_cert(domain|&domains|&ips, webroot, [email], [keysize], # [request-mode], [use-staging], [account-email], # [key-type], [reuse-key], # [directory-url, server-key, server-hmac], # [allow-subset]) # Attempt to request a cert using a generated key with the Let's Encrypt client # command, and write it to the given path. Returns a status flag, and either # an error message or the paths to cert, key and chain files. sub request_letsencrypt_cert { my ($dom, $webroot, $email, $size, $mode, $staging, $account_email, $key_type, $reuse_key, $directory_url, $server_key, $server_hmac, $subset) = @_; my @doms = ref($dom) ? @$dom : ($dom); @doms = &unique(@doms); my @ips = grep { &letsencrypt_is_ip_cert_identifier($_) } @doms; @doms = grep { !&letsencrypt_is_ip_cert_identifier($_) } @doms; $email ||= (@doms ? "root\@$doms[0]" : "root\@".&get_system_hostname()); $mode ||= "web"; $reuse_key = $config{'letsencrypt_reuse'} if (!defined($reuse_key)); my ($challenge, $wellknown, $challenge_new, $wellknown_new, $wildcard); my $cmd_ver = $letsencrypt_cmd ? &get_certbot_major_version($letsencrypt_cmd) : undef; # Wildcard mode? foreach my $d (@doms) { if ($d =~ /^\*/) { $wildcard = $d; } } if (($server_key || $server_hmac) && !$letsencrypt_cmd) { return (0, $text{'letsencrypt_eeabnative'}); } # Check if IP addresses are supported if (@ips) { $mode eq "dns" && return (0, "DNS-based validation cannot be used ". "for IP addresses"); $letsencrypt_cmd || return (0, "The certbot command is required for ". "IP address certificates"); my $ip_min_certbot = $mode eq "web" ? "5.4" : "5.3"; &compare_version_numbers($cmd_ver, $ip_min_certbot) >= 0 || return (0, "Certbot version $ip_min_certbot or later is ". "required for IP address certificates". ($mode eq "web" ? " in webroot mode" : "")); } if ($mode eq "web") { # Create a challenges directory under the web root if ($wildcard) { return (0, "Wildcard hostname $wildcard can only be ". "validated in DNS mode"); } $wellknown = "$webroot/.well-known"; $challenge = "$wellknown/acme-challenge"; $wellknown_new = !-d $wellknown ? $wellknown : undef; $challenge_new = !-d $challenge ? $challenge : undef; my @st = stat($webroot); my $user = getpwuid($st[4]); if (!-d $challenge) { my $cmd = "mkdir -p -m 755 ".quotemeta($challenge). " && chmod 755 ".quotemeta($wellknown); if ($user && $user ne "root") { $cmd = &command_as_user($user, 0, $cmd); } my $out = &backquote_logged("$cmd 2>&1"); if ($?) { return (0, "mkdir failed : $out"); } } # Create a .htaccess file to ensure the directory is accessible if (&foreign_installed("apache")) { &foreign_require("apache"); my $htaccess = "$challenge/.htaccess"; if (!-r $htaccess && $apache::httpd_modules{'core'} >= 2.2) { &open_tempfile(HT, ">$htaccess"); &print_tempfile(HT, "AuthType None\n"); &print_tempfile(HT, "Require all granted\n"); &print_tempfile(HT, "Satisfy any\n"); &close_tempfile(HT); &set_ownership_permissions( $user, undef, 0755, $htaccess); } } } elsif ($mode eq "dns") { # Make sure all the DNS zones exist if ($wildcard && !$letsencrypt_cmd) { return (0, "Wildcard hostname $wildcard can only be ". "validated when the certbot Let's Encrypt client ". "is installed"); } &foreign_require("bind8"); foreach my $d (@doms) { my $z = &get_bind_zone_for_domain($d); my $d = &get_virtualmin_for_domain($d); $z || $d || return (0, "Neither DNS zone $d or any of its ". "sub-domains exist on this system"); } } elsif ($mode eq "certbot") { # Nothing to check here, since verification is done by the standalone # certbot server } else { return (0, "Unknown mode $mode"); } # Create DNS hook wrapper scripts my $dns_hook = "$module_config_directory/letsencrypt-dns.pl"; my $cleanup_hook = "$module_config_directory/letsencrypt-cleanup.pl"; if ($mode eq "dns") { &foreign_require("cron"); &cron::create_wrapper($dns_hook, $module_name, "letsencrypt-dns.pl"); &cron::create_wrapper($cleanup_hook, $module_name, "letsencrypt-cleanup.pl"); } # Run the before command if ($config{'letsencrypt_before'}) { my $out = &backquote_logged("$config{'letsencrypt_before'} 2>&1 $temp"); &print_tempfile(TEMP, "email = $email\n"); &print_tempfile(TEMP, "text = True\n"); &close_tempfile(TEMP); my $dir = $letsencrypt_cmd; my $old_flags = ""; my $new_flags = ""; my $reuse_flags = ""; my $server_flags = ""; my $subset_flags = ""; $key_type ||= $config{'letsencrypt_algo'} || 'rsa'; if (&compare_version_numbers($cmd_ver, '<', 1.11)) { $old_flags = " --manual-public-ip-logging-ok"; } if (&compare_version_numbers($cmd_ver, '>=', 2.0)) { $new_flags = " --key-type ".quotemeta($key_type); } if ($reuse_key) { $reuse_flags = " --reuse-key"; } else { $reuse_flags = " --no-reuse-key"; } if ($subset) { $subset_flags = " --allow-subset-of-names"; } if (($reuse_key && $reuse_key == -1) || &compare_version_numbers($cmd_ver, '<', '1.13.0')) { $reuse_flags = "" } if ($directory_url) { $server_flags = " --server ".quotemeta($directory_url); if ($server_key) { $server_flags .= " --eab-kid ".quotemeta($server_key); } if ($server_hmac) { $server_flags .= " --eab-hmac-key ". quotemeta($server_hmac); } } $dir =~ s/\/[^\/]+$//; $size ||= 4096; my $out; my $certname = @doms ? $doms[0] : $ips[0]; my $common_flags = " --duplicate". " --force-renewal". " --non-interactive". " --agree-tos". " --config ".quotemeta($temp)."". " --rsa-key-size ".quotemeta($size). " --cert-name ".quotemeta($certname). " --no-autorenew". (!$directory_url && $staging ? " --test-cert" : ""); if ($mode eq "web") { # Webserver based validation &clean_environment(); $out = &backquote_logged( "cd $dir && (echo A | $letsencrypt_cmd certonly". " -a webroot ". join("", map { " -d ".quotemeta($_) } @doms). join("", map { " --ip-address ".quotemeta($_) } @ips). " --webroot-path ".quotemeta($webroot). (@ips ? " --preferred-profile shortlived" : ""). $common_flags. $reuse_flags. $old_flags. $server_flags. $new_flags. $subset_flags. " 2>&1)"); &reset_environment(); } elsif ($mode eq "dns") { # DNS based validation, via hook script &clean_environment(); $out = &backquote_logged( "cd $dir && (echo A | $letsencrypt_cmd certonly". " --manual". join("", map { " -d ".quotemeta($_) } @doms). " --preferred-challenges=dns". " --manual-auth-hook $dns_hook". " --manual-cleanup-hook $cleanup_hook". $common_flags. $reuse_flags. $old_flags. $server_flags. $new_flags. $subset_flags. " 2>&1)"); &reset_environment(); } elsif ($mode eq "certbot") { # Use certbot's own webserver my $err = &get_letsencrypt_certbot_port_error(); if ($err) { @rv = (0, $err); goto FAILED; } &clean_environment(); $out = &backquote_logged( "cd $dir && (echo A | $letsencrypt_cmd certonly". " --standalone". join("", map { " -d ".quotemeta($_) } @doms). join("", map { " --ip-address ".quotemeta($_) } @ips). (@ips ? " --preferred-profile shortlived" : ""). $common_flags. $reuse_flags. $old_flags. $server_flags. $new_flags. $subset_flags. " 2>&1)"); &reset_environment(); } else { @rv = (0, "Bad mode $mode"); goto FAILED; } if ($?) { @rv = (0, "
".&html_escape($out || "No output from $letsencrypt_cmd").""); goto FAILED; } my ($full, $cert, $key, $chain); if ($full = &get_letsencrypt_output_pem_path($out)) { # Output contained the full path } else { # Try searching common paths my @fulls = grep { -r $_ } ( "/etc/letsencrypt/live/$certname/cert.pem", glob("/etc/letsencrypt/live/$certname-*/cert.pem"), "/usr/local/etc/letsencrypt/live/$certname/cert.pem", glob("/usr/local/etc/letsencrypt/live/$certname-*/cert.pem")); if (@fulls) { my %stats = map { $_, [ stat($_) ] } @fulls; @fulls = sort { $stats{$a}->[9] <=> $stats{$b}->[9] } @fulls; $full = pop(@fulls); } else { @rv = (0, "Output did not contain a PEM path!"); goto FAILED; } } if (!-r $full || !-s $full) { @rv = (0, &text('letsencrypt_efull', $full)); goto FAILED; } $full =~ s/\/[^\/]+$//; $cert = $full."/cert.pem"; if (!-r $cert || !-s $cert) { @rv = (0, &text('letsencrypt_ecert', $cert)); goto FAILED; } $key = $full."/privkey.pem"; if (!-r $key || !-s $key) { @rv = (0, &text('letsencrypt_ekey', $key)); goto FAILED; } $chain = $full."/chain.pem"; $chain = undef if (!-r $chain); &set_ownership_permissions(undef, undef, 0600, $cert); &set_ownership_permissions(undef, undef, 0600, $key); &set_ownership_permissions(undef, undef, 0600, $chain) if ($chain); if ($account_email) { # Attempt to update the contact email on file with let's encrypt &system_logged( "$letsencrypt_cmd register --update-registration". " --email ".quotemeta($account_email). $server_flags. " >/dev/null 2>&1 &1 >$account_key"); if ($?) { @rv = (0, &text('letsencrypt_eaccountkey', &html_escape($out))); goto FAILED; } } # Generate a key for the domain my $key = &transname(); my $out = &backquote_logged("openssl genrsa $size 2>&1 >".quotemeta($key).""); if ($?) { @rv = (0, &text('letsencrypt_ekeygen', &html_escape($out))); goto FAILED; } # Generate a CSR my $csr = &transname(); my ($ok, $csr) = &generate_ssl_csr($key, undef, undef, undef, undef, undef, \@doms, undef); if (!$ok) { @rv = &text('letsencrypt_ecsr', $csr); goto FAILED; } ©_source_dest($csr, "/tmp/lets.csr", 1); # Find a reasonable python version my $python = &get_python_cmd(); # Request the cert and key my $cert = &transname(); my $directory_flags = $directory_url ? "--directory-url ".quotemeta($directory_url)." --disable-check " : $staging ? "--ca https://acme-staging-v02.api.letsencrypt.org " : "--disable-check "; &clean_environment(); my $out = &backquote_logged( "$python $module_root_directory/acme_tiny.py ". "--account-key ".quotemeta($account_key)." ". "--csr ".quotemeta($csr)." ". ($mode eq "web" ? "--acme-dir ".quotemeta($challenge)." " : "--dns-hook $dns_hook ". "--cleanup-hook $cleanup_hook "). $directory_flags. "--quiet ". "2>&1 >".quotemeta($cert)); &reset_environment(); if ($?) { my @lines = split(/\r?\n/, $out); my $trace; for(my $i=1; $i<@lines; $i++) { if ($lines[$i] =~ /^Traceback\s+/) { $trace = $i; last; } } if ($trace) { @lines = @lines[0 .. $trace-1]; $out = join("\n", @lines); } @rv = (0, &text('letsencrypt_etiny', "
".&html_escape($out)).""); goto FAILED; } if (!-r $cert || !-s $cert) { @rv = (0, &text('letsencrypt_ecert', $cert)); goto FAILED; } # Check if the returned cert contains a CA cert as well my $chain = &transname(); my @certs = &cert_file_split($cert); if (@certs > 1) { # Yes .. keep the first as the cert, and use the others as # the chain my $orig = shift(@certs); my $fh = "CHAIN"; &open_tempfile($fh, ">$chain"); foreach my $c (@certs) { &print_tempfile($fh, $c); } &close_tempfile($fh); my $fh2 = "CERT"; &open_tempfile($fh2, ">$cert"); &print_tempfile($fh2, $orig); &close_tempfile($fh2); } else { if (!$directory_url) { # Download the fixed list chained cert files for # Let's Encrypt when the ACME response doesn't # include the chain. foreach my $url (@$letsencrypt_chain_urls) { my $cout; my ($host, $port, $page, $ssl) = &parse_http_url($url); my $err; &http_download($host, $port, $page, \$cout, \$err, undef, $ssl); if ($err) { @rv = (0, &text('letsencrypt_echain', $err)); goto FAILED; } if ($cout !~ /\S/ && !-r $chain) { @rv = (0, &text('letsencrypt_echain2', $url)); goto FAILED; } my $fh = "CHAIN"; &open_tempfile($fh, ">>$chain"); &print_tempfile($fh, $cout); &close_tempfile($fh); } } } # Copy the per-domain files my $certfinal = "$module_config_directory/$doms[0].cert"; my $keyfinal = "$module_config_directory/$doms[0].key"; my $chainfinal = "$module_config_directory/$doms[0].ca"; ©_source_dest($cert, $certfinal, 1); ©_source_dest($key, $keyfinal, 1); &set_ownership_permissions(undef, undef, 0600, $certfinal); &set_ownership_permissions(undef, undef, 0600, $keyfinal); if ($chain) { ©_source_dest($chain, $chainfinal, 1); &set_ownership_permissions(undef, undef, 0600, $chainfinal); } else { $chainfinal = undef; } &unlink_file($cert); &unlink_file($key); &unlink_file($chain) if ($chain); @rv = (1, $certfinal, $keyfinal, $chainfinal); } # Run the after command FAILED: if ($wellknown_new) { &cleanup_wellknown($wellknown_new, $challenge_new); } if ($config{'letsencrypt_after'}) { &backquote_logged("$config{'letsencrypt_after'} 2>&1 {'file'} && $z->{'type'} eq 'master') { return ($z, $bd); } $bd =~ s/^[^\.]+\.//; } return ( ); } # get_virtualmin_for_domain(domain-name) # If Virtualmin is installed, return the domain object that contains the given DNS domain sub get_virtualmin_for_domain { my ($bd) = @_; return undef if (!&foreign_check("virtual-server")); &foreign_require("virtual-server"); while ($bd =~ /\./) { my $d = &virtual_server::get_domain_by("dom", $bd); if ($d && $d->{'dns'}) { return $d; } $bd =~ s/^[^\.]+\.//; } return undef; } # get_certbot_major_version(cmd) # Returns Let's Encrypt client major version, such as 1.11 or 0.40 sub get_certbot_major_version { my ($cmd) = @_; my $out = &backquote_command("$cmd --version 2>&1"); if ($out && $out =~ /\s*(\d+\.\d+)\s*/) { return $1; } return undef; } # cleanup_letsencrypt_files(domain) # Delete all temporary files under /etc/letsencrypt for a domain name sub cleanup_letsencrypt_files { my ($dname) = @_; foreach my $base ("/etc/letsencrypt", "/usr/local/etc/letsencrypt") { next if (!-d $base); foreach my $f ("$base/live/$dname", glob("$base/live/$dname-[0-9][0-9][0-9][0-9]"), "$base/archive/$dname", glob("$base/archive/$dname-[0-9][0-9][0-9][0-9]"), "$base/renewal/$dname.conf", glob("$base/renewal/$dname-[0-9][0-9][0-9][0-9].conf")) { &unlink_file($f) if (-e $f); } } } 1;