[fix] next ssl step: we start to use /etc/ssl/(certs|private)/alternc-<servicename>.(pem|key) as location for system service certificates, also, trying to use PdoException in case of PDO error (better for bug tracking)

bureau/class/db_mysql.php

@@ -62,8 +62,11 @@ class DB_Sql {
 
         $dsn = sprintf('mysql:dbname=%s;host=%s', $db, $host);
 
+        $options=array(
+            \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION
+        );
         try {
-            $this->pdo_instance = new PDO($dsn, $user, $passwd);
+            $this->pdo_instance = new PDO($dsn, $user, $passwd, $options);
         } catch (PDOException $e) {
             echo "Mysql", "PDO instance", $e->getMessage();
             return FALSE;

bureau/class/m_ssl.php

@@ -458,7 +458,7 @@ INSTR(CONCAT(sd.sub,IF(sd.sub!='','.',''),sd.domaine),'.')+1))=?
         $msg->log("ssl", "import_cert");
 
         // Search for an existing cert: (first)
-        $db->query("SELECT id FROM certificates WHERE crt=?;",array($crt));
+        $db->query("SELECT id FROM certificates WHERE sslcrt=?;",array($crt));
         if ($db->next_record()) {
             $msg->raise("ERROR","ssl", _("Certificate already exists in database"));
             return false;
@@ -556,7 +556,7 @@ SELECT ?,?,?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), ?, ?, sslcsr FROM certificate
         $msg->log("ssl", "update_domain($action,$type,$fqdn)");
 
         // the domain type must be a "dns_only=false" one:
-        if (!($domtype=$dom->domains_type_get($type)) || $domtype["dns_only"]==true) {
+        if (!($domtype=$dom->domains_type_get($type)) || $domtype["only_dns"]==true) {
             return; // nothing to do : this domain type does not involve Vhosts
         }
 
@@ -623,19 +623,38 @@ SELECT ?,?,?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), ?, ?, sslcsr FROM certificate
 
         // we split the certificates by 1000
         $CRTDIR = self::KEY_REPOSITORY . "/" . floor($cert["id"]/1000);
-        @mkdir($CRTDIR);
+        @mkdir($CRTDIR,0750,true);
+        // set the proper permissions on the Key Repository folder and children : 
+        chown(self::KEY_REPOSITORY,"root");
+        chgrp(self::KEY_REPOSITORY,"ssl-cert");
+        chmod(self::KEY_REPOSITORY,0750);
+        chown($CRTDIR,"root");
+        chgrp($CRTDIR,"ssl-cert");
+        chmod($CRTDIR,0750);
+
         if (
             !file_exists($CRTDIR . "/" . $cert["id"].".crt") ||
             !file_exists($CRTDIR . "/" . $cert["id"].".key")) {
             // write the files (first time we use a certificate)
             file_put_contents($CRTDIR . "/" . $cert["id"].".crt", $cert["sslcrt"]);
             file_put_contents($CRTDIR . "/" . $cert["id"].".key", $cert["sslkey"]);
+            // set the proper rights on those files :
+            chown($CRTDIR . "/" . $cert["id"].".crt","root");
+            chgrp($CRTDIR . "/" . $cert["id"].".crt","ssl-cert");
+            chmod($CRTDIR . "/" . $cert["id"].".crt",0640);
+            chown($CRTDIR . "/" . $cert["id"].".key","root");
+            chgrp($CRTDIR . "/" . $cert["id"].".key","ssl-cert");
+            chmod($CRTDIR . "/" . $cert["id"].".key",0640);
             if (isset($cert["sslchain"]) && $cert["sslchain"]) {
                 file_put_contents($CRTDIR . "/" . $cert["id"] . ".chain", $cert["sslchain"]);
+                chown($CRTDIR . "/" . $cert["id"].".chain","root");
+                chgrp($CRTDIR . "/" . $cert["id"].".chain","ssl-cert");
+                chmod($CRTDIR . "/" . $cert["id"].".chain",0640);
             }
         }
         // we have the files, let's fill the output array :
         $output=array(
+            "id" => $cert["id"],
             "crt" => $CRTDIR . "/" . $cert["id"].".crt",
             "key" => $CRTDIR . "/" . $cert["id"].".key",
         );

install/alternc.install

@@ -276,9 +276,9 @@ echo "."
 rm -f $SED_SCRIPT
 
 ######################################################################## 
-# Ad-hoc fixes
-#
+# Ad-hoc fixes 
 
+# add php.ini directives for AlternC in any installed php version:
 php="`ls /usr/lib/apache*/*/*php*.so | sed -e 's/^.*libphp\(.*\)\.so$/\1/' | tail -1`"
 if [ "$php" = "7.0" ]
 then
@@ -289,20 +289,43 @@ else
     ln -fs /etc/alternc/alternc.ini /etc/php$php/cli/conf.d/alternc.ini || true
 fi
 
-#Set a default certificate if needed
+# Create the default certificate if needed (requires openssl)
 make-ssl-cert generate-default-snakeoil
-SNAKEOIL_SSLKEY=$(</etc/ssl/private/ssl-cert-snakeoil.key)
-SNAKEOIL_SSLCRT=$(</etc/ssl/certs/ssl-cert-snakeoil.pem)
 
-mysql_query "SET SESSION sql_mode=\"NO_AUTO_VALUE_ON_ZERO\" ; INSERT IGNORE INTO \
-    certificates (id,uid,status,fqdn,validstart,validend,sslkey,sslcrt,provider) \
-    VALUES \
-    (0,2000,1,\"ALTERNC_DEFAULT_FQDN\",NOW(),ADDDATE(NOW(),INTERVAL 200 YEAR),\"$SNAKEOIL_SSLKEY\",\"$SNAKEOIL_SSLCRT\",\"snakeoil\");"
+mysql_query <<EOF
+SET SESSION sql_mode="NO_AUTO_VALUE_ON_ZERO" ; 
+INSERT IGNORE INTO certificates 
+  (id,uid,status,fqdn,validstart,validend,sslkey,sslcrt,provider) 
+  VALUES 
+  (0, 2000, 1, "AlternC Default Certificate", NOW(), DATE_ADD(NOW(),INTERVAL 20 YEAR), 
+  "$(cat /etc/ssl/private/ssl-cert-snakeoil.key)",
+  "$(cat /etc/ssl/certs/ssl-cert-snakeoil.pem)",
+  "snakeoil");
+EOF
 
+# backward compatibility: in case you still use apache.pem
+# we are now storing certificates in /etc/ssl/certs/alternc-<servicename>.pem
+# and private keys in /etc/ssl/private/alternc-<servicename>.key
 if [ ! -e /etc/alternc/apache.pem ]; then
-    echo -e "$SNAKEOIL_SSLKEY\n$SNAKEOIL_SSLCRT" > /etc/alternc/apache.pem
+    cat /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/certs/ssl-cert-snakeoil.pem > /etc/alternc/apache.pem
 fi
 
+# set services certificates in case we don't already have them:
+# we set them to snakeoil: a provider MUST be installed to obtain a proper certificate automagically
+for service in postfix dovecot proftpd panel
+do
+    if [ ! -e "/etc/ssl/certs/alternc-${service}.pem" -o ! -e "/etc/ssl/private/alternc-${service}.key" ]
+    then
+	cat /etc/ssl/private/ssl-cert-snakeoil.key >"/etc/ssl/private/alternc-${service}.key"
+	cat /etc/ssl/certs/ssl-cert-snakeoil.pem >"/etc/ssl/certs/alternc-${service}.pem"
+    fi
+done
+
+# ensure dovecot, postfix, apache, can access ssl certificates:
+adduser dovecot ssl-cert
+adduser www-data ssl-cert
+adduser postfix ssl-cert
+
 run-parts --arg=certificates /usr/lib/alternc/install.d
 
 if [ -x /usr/sbin/apache2 ]; then