[fix] misc bugs in m_ssl (incorrect table and certificate name) + restart instead of reload if necessary in src/reload-certs

Benjamin Sonntag 2018-06-24 19:02:11 +02:00
parent 649b2c55d6
commit 5489387103
2 changed files with 31 additions and 18 deletions


@ -179,21 +179,27 @@ class m_ssl {
* try to minimize zero-file-size risk or timing attack * try to minimize zero-file-size risk or timing attack
*/ */
private function copycert($target,$id) { private function copycert($target,$id) {
global $db; global $db,$msg;
$db->query("SELECT * FROM certificate WHERE id=?",array($id)); $msg->raise("INFO","ssl",_("Copying system certificate $id on $target"));
$db->query("SELECT * FROM certificates WHERE id=?",array($id));
if (!$db->next_record()) return false; if (!$db->next_record()) return false;
if (!file_put_contents("/etc/ssl/certs/".$target.".crt.tmp",trim($db->Record["sslcrt"])."\n".trim($db->Record["sslchain"]))) if (!file_put_contents("/etc/ssl/certs/".$target.".pem.tmp",trim($db->Record["sslcrt"])."\n".trim($db->Record["sslchain"]))) {
$msg->raise("ERROR","ssl",_("Can't put file into /etc/ssl/certs/".$target.".pem.tmp, failing properly"));
return false; return false;
chown("/etc/ssl/certs/".$target.".crt.tmp","root"); }
chgrp("/etc/ssl/certs/".$target.".crt.tmp","ssl-cert"); chown("/etc/ssl/certs/".$target.".pem.tmp","root");
chmod("/etc/ssl/certs/".$target.".crt.tmp",0755); chgrp("/etc/ssl/certs/".$target.".pem.tmp","ssl-cert");
if (!file_put_contents("/etc/ssl/private/".$target.".key.tmp",$db->Record["sslkey"])) chmod("/etc/ssl/certs/".$target.".pem.tmp",0755);
if (!file_put_contents("/etc/ssl/private/".$target.".key.tmp",$db->Record["sslkey"])) {
$msg->raise("ERROR","ssl",_("Can't put file into /etc/ssl/private/".$target.".key.tmp, failing properly"));
@unlink("/etc/ssl/certs/".$target.".pem.tmp");
return false; return false;
}
chown("/etc/ssl/private/".$target.".key.tmp","root"); chown("/etc/ssl/private/".$target.".key.tmp","root");
chgrp("/etc/ssl/private/".$target.".key.tmp","ssl-cert"); chgrp("/etc/ssl/private/".$target.".key.tmp","ssl-cert");
chmod("/etc/ssl/private/".$target.".key.tmp",0750); chmod("/etc/ssl/private/".$target.".key.tmp",0750);
rename("/etc/ssl/certs/".$target.".crt.tmp","/etc/ssl/certs/".$target.".crt"); rename("/etc/ssl/certs/".$target.".pem.tmp","/etc/ssl/certs/".$target.".pem");
rename("/etc/ssl/private/".$target.".key.tmp","/etc/ssl/private/".$target.".key"); rename("/etc/ssl/private/".$target.".key.tmp","/etc/ssl/private/".$target.".key");
return true; return true;
} }
@ -232,7 +238,7 @@ INSTR(CONCAT(sd.sub,IF(sd.sub!='','.',''),sd.domaine),'.')+1))=?
continue; // this certificate is used (even though it's expired :/ ) continue; // this certificate is used (even though it's expired :/ )
} }
$CRTDIR = self::KEY_REPOSITORY . "/" . floor($db->Record["id"]/1000); $CRTDIR = self::KEY_REPOSITORY . "/" . floor($db->Record["id"]/1000);
@unlink($CRTDIR."/".$db->Record["id"].".crt"); @unlink($CRTDIR."/".$db->Record["id"].".pem");
@unlink($CRTDIR."/".$db->Record["id"].".key"); @unlink($CRTDIR."/".$db->Record["id"].".key");
@unlink($CRTDIR."/".$db->Record["id"].".chain"); @unlink($CRTDIR."/".$db->Record["id"].".chain");
$d=opendir($CRTDIR); $d=opendir($CRTDIR);
@ -634,15 +640,15 @@ SELECT ?,?,?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), ?, ?, sslcsr FROM certificate
chmod($CRTDIR,0750); chmod($CRTDIR,0750);
if ( if (
!file_exists($CRTDIR . "/" . $cert["id"].".crt") || !file_exists($CRTDIR . "/" . $cert["id"].".pem") ||
!file_exists($CRTDIR . "/" . $cert["id"].".key")) { !file_exists($CRTDIR . "/" . $cert["id"].".key")) {
// write the files (first time we use a certificate) // write the files (first time we use a certificate)
file_put_contents($CRTDIR . "/" . $cert["id"].".crt", $cert["sslcrt"]); file_put_contents($CRTDIR . "/" . $cert["id"].".pem", $cert["sslcrt"]);
file_put_contents($CRTDIR . "/" . $cert["id"].".key", $cert["sslkey"]); file_put_contents($CRTDIR . "/" . $cert["id"].".key", $cert["sslkey"]);
// set the proper rights on those files : // set the proper rights on those files :
chown($CRTDIR . "/" . $cert["id"].".crt","root"); chown($CRTDIR . "/" . $cert["id"].".pem","root");
chgrp($CRTDIR . "/" . $cert["id"].".crt","ssl-cert"); chgrp($CRTDIR . "/" . $cert["id"].".pem","ssl-cert");
chmod($CRTDIR . "/" . $cert["id"].".crt",0640); chmod($CRTDIR . "/" . $cert["id"].".pem",0640);
chown($CRTDIR . "/" . $cert["id"].".key","root"); chown($CRTDIR . "/" . $cert["id"].".key","root");
chgrp($CRTDIR . "/" . $cert["id"].".key","ssl-cert"); chgrp($CRTDIR . "/" . $cert["id"].".key","ssl-cert");
chmod($CRTDIR . "/" . $cert["id"].".key",0640); chmod($CRTDIR . "/" . $cert["id"].".key",0640);
@ -656,7 +662,7 @@ SELECT ?,?,?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), ?, ?, sslcsr FROM certificate
// we have the files, let's fill the output array : // we have the files, let's fill the output array :
$output=array( $output=array(
"id" => $cert["id"], "id" => $cert["id"],
"crt" => $CRTDIR . "/" . $cert["id"].".crt", "crt" => $CRTDIR . "/" . $cert["id"].".pem",
"key" => $CRTDIR . "/" . $cert["id"].".key", "key" => $CRTDIR . "/" . $cert["id"].".key",
); );
if (file_exists($CRTDIR . "/" . $cert["id"].".chain")) { if (file_exists($CRTDIR . "/" . $cert["id"].".chain")) {
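Review bot: In copycert the private key is still written by `file_put_contents("/etc/ssl/private/".$target.".key.tmp", ...)` before the `chmod(..., 0750)` runs, so the file is created with the process umask (typically 0644) and is briefly readable by every local user; the same ordering exists for the `.key` written in the `@ -634` hunk, where the `chmod(..., 0640)` also follows the write. Wrap the key writes in a restrictive umask, e.g. `$oldmask = umask(0077);` before the `file_put_contents` of the key and `umask($oldmask);` right after the chmod, so the key is never exposed even for an instant. While here, `0755` on the `.pem.tmp` certificate sets an execute bit a PEM file never needs (the later hunk uses `0640`), and neither `rename()` result is checked, so a failed rename returns `true` while the old certificate stays in place. Interpolating `$id`/`$target` inside `_("...")` also produces a different msgid per call and defeats gettext lookup; pass a fixed string and `sprintf` the values in.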


@ -30,8 +30,15 @@ $ssl->cron_new_certs();
$services=array("postfix","dovecot","proftpd","apache2"); $services=array("postfix","dovecot","proftpd","apache2");
foreach($services as $service) { foreach($services as $service) {
echo "Reloading $service\n"; passthru("service $service status",&$ret);
passthru("service $service reload"); if ($ret!=0) {
echo "Done...\n"; echo "$service not running, restarting\n";
passthru("service $service restart");
echo "Done...\n";
} else {
echo "$service running, reloading\n";
passthru("service $service reload");
echo "Done...\n";
};
} }
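Review bot: `passthru("service $service status",&$ret);` uses call-time pass-by-reference, which PHP 5.4 and later reject with a fatal parse error, so the new restart-or-reload branch cannot run at all; `passthru()` already takes `$ret` by reference, so the line should read `passthru("service $service status", $ret);`. The `};` closing the else block leaves a stray empty statement and should be `}`. Note also that a non-zero `status` exit code does not strictly mean "not running" on every init system (LSB reserves several codes for unknown/unusable states), so it may be worth logging `$ret` in the "not running, restarting" message to make the decision traceable in the cron output.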