From 5a3b9c7a13cee19fec5fc78954c6a4a3ccebbf3b Mon Sep 17 00:00:00 2001
From: Benjamin Sonntag
Date: Sun, 24 Jun 2018 15:43:23 +0200
Subject: [PATCH] [fix] next ssl step: we start to use /etc/ssl/(certs|private)/alternc-.(pem|key) as location for system service certificates, also, trying to use PdoException in case of PDO error (better for bug tracking)
---
 bureau/class/db_mysql.php | 5 ++++-
 bureau/class/m_ssl.php | 25 ++++++++++++++++++++---
 install/alternc.install | 43 ++++++++++++++++++++++++++++++---------
 3 files changed, 59 insertions(+), 14 deletions(-)
diff --git a/bureau/class/db_mysql.php b/bureau/class/db_mysql.php
index a91ea920..e681469b 100644
--- a/bureau/class/db_mysql.php
+++ b/bureau/class/db_mysql.php
@@ -62,8 +62,11 @@ class DB_Sql {
 $dsn = sprintf('mysql:dbname=%s;host=%s', $db, $host);
+ $options=array(
+ \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION
+ );
 try {
- $this->pdo_instance = new PDO($dsn, $user, $passwd);
+ $this->pdo_instance = new PDO($dsn, $user, $passwd, $options);
 } catch (PDOException $e) {
 echo "Mysql", "PDO instance", $e->getMessage();
 return FALSE;
diff --git a/bureau/class/m_ssl.php b/bureau/class/m_ssl.php
index e4bf4916..96fef790 100644
--- a/bureau/class/m_ssl.php
+++ b/bureau/class/m_ssl.php
@@ -458,7 +458,7 @@ INSTR(CONCAT(sd.sub,IF(sd.sub!='','.',''),sd.domaine),'.')+1))=?
 $msg->log("ssl", "import_cert");
 // Search for an existing cert: (first)
- $db->query("SELECT id FROM certificates WHERE crt=?;",array($crt));
+ $db->query("SELECT id FROM certificates WHERE sslcrt=?;",array($crt));
 if ($db->next_record()) {
 $msg->raise("ERROR","ssl", _("Certificate already exists in database"));
 return false;
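Review bot: Setting `\PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION` changes the failure mode of every later call on `$this->pdo_instance` from a false return to a thrown PDOException, but only the constructor is adapted in this hunk; unless DB_Sql's query wrappers catch it, an SQL error now becomes an uncaught exception whose message carries the statement text and, with display_errors on, is shown to the visitor. Please confirm the wrappers were updated, and document the contract on the new array, e.g. `// ERRMODE_EXCEPTION: every PDO failure throws PDOException; query()/next_record() callers must expect it`. In the same spirit the existing `catch` still echoes `$e->getMessage()`, which includes the DSN host and database name, straight to the page; logging it and echoing a generic failure text would be safer. The block also mixes `\PDO::` with bare `new PDO(...)` and `PDOException`; one form throughout reads better. The constructor continues outside the hunk.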
@@ -556,7 +556,7 @@ SELECT ?,?,?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), ?, ?, sslcsr FROM certificate
 $msg->log("ssl", "update_domain($action,$type,$fqdn)");
 // the domain type must be a "dns_only=false" one:
- if (!($domtype=$dom->domains_type_get($type)) || $domtype["dns_only"]==true) {
+ if (!($domtype=$dom->domains_type_get($type)) || $domtype["only_dns"]==true) {
 return; // nothing to do : this domain type does not involve Vhosts
 }
@@ -623,19 +623,38 @@ SELECT ?,?,?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), ?, ?, sslcsr FROM certificate
 // we split the certificates by 1000
 $CRTDIR = self::KEY_REPOSITORY . "/" . floor($cert["id"]/1000);
- @mkdir($CRTDIR);
+ @mkdir($CRTDIR,0750,true);
+ // set the proper permissions on the Key Repository folder and children :
+ chown(self::KEY_REPOSITORY,"root");
+ chgrp(self::KEY_REPOSITORY,"ssl-cert");
+ chmod(self::KEY_REPOSITORY,0750);
+ chown($CRTDIR,"root");
+ chgrp($CRTDIR,"ssl-cert");
+ chmod($CRTDIR,0750);
+
 if ( !file_exists($CRTDIR . "/" . $cert["id"].".crt") || !file_exists($CRTDIR . "/" . $cert["id"].".key")) {
 // write the files (first time we use a certificate)
 file_put_contents($CRTDIR . "/" . $cert["id"].".crt", $cert["sslcrt"]);
 file_put_contents($CRTDIR . "/" . $cert["id"].".key", $cert["sslkey"]);
+ // set the proper rights on those files :
+ chown($CRTDIR . "/" . $cert["id"].".crt","root");
+ chgrp($CRTDIR . "/" . $cert["id"].".crt","ssl-cert");
+ chmod($CRTDIR . "/" . $cert["id"].".crt",0640);
+ chown($CRTDIR . "/" . $cert["id"].".key","root");
+ chgrp($CRTDIR . "/" . $cert["id"].".key","ssl-cert");
+ chmod($CRTDIR . "/" . $cert["id"].".key",0640);
 if (isset($cert["sslchain"]) && $cert["sslchain"]) {
 file_put_contents($CRTDIR . "/" . $cert["id"] . ".chain", $cert["sslchain"]);
+ chown($CRTDIR . "/" . $cert["id"].".chain","root");
+ chgrp($CRTDIR . "/" . $cert["id"].".chain","ssl-cert");
+ chmod($CRTDIR . "/" . $cert["id"].".chain",0640);
 }
 }
 // we have the files, let's fill the output array :
 $output=array(
+ "id" => $cert["id"],
 "crt" => $CRTDIR . "/" . $cert["id"].".crt",
 "key" => $CRTDIR . "/" . $cert["id"].".key",
 );
diff --git a/install/alternc.install b/install/alternc.install
index c84c5b36..65b033ed 100644
--- a/install/alternc.install
+++ b/install/alternc.install
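Review bot: The nine `chown`/`chgrp`/`chmod` calls added after `@mkdir` and after each `file_put_contents` ignore their return values, so if the caller is not root (`chown`/`chgrp` then fail with only a warning) the method carries on and the `.key` file keeps whatever mode the process umask gave it, possibly world-readable. The key is also written before `chmod(...,0640)` runs, so it briefly exists at umask mode and is shielded only by the 0750 on `$CRTDIR`, which itself depends on the unchecked `chmod($CRTDIR,0750)` having succeeded. Note too that making the repository and every key group-readable by `ssl-cert` means each account in that group (this commit's install hunk adds www-data, dovecot and postfix) can read every hosted private key, which deserves a comment stating that this is intended. I would route the owner/mode changes through one checked helper that reports via `$msg->raise` like import_cert does, and write the key under a restrictive umask; sketch below, which assumes `$msg` is in scope here as it is in import_cert. The enclosing method starts and ends outside the hunk.
```php
// … unchanged: $CRTDIR computation and @mkdir($CRTDIR,0750,true) …
// Apply root:ssl-cert ownership and $mode, reporting failure instead of
// silently continuing (chown/chgrp only succeed when running as root).
$secure = function ($path, $mode) use ($msg) {
    if (!chown($path, "root") || !chgrp($path, "ssl-cert") || !chmod($path, $mode)) {
        $msg->raise("ERROR", "ssl", _("Cannot set owner or permissions on ") . $path);
        return false;
    }
    return true;
};
$secure(self::KEY_REPOSITORY, 0750);
$secure($CRTDIR, 0750);
// … unchanged: file_exists() check …
    file_put_contents($CRTDIR . "/" . $cert["id"] . ".crt", $cert["sslcrt"]);
    $secure($CRTDIR . "/" . $cert["id"] . ".crt", 0640);
    // write the private key under a restrictive umask so it is never
    // readable by others between creation and the chmod that follows
    $oldmask = umask(0027);
    file_put_contents($CRTDIR . "/" . $cert["id"] . ".key", $cert["sslkey"]);
    umask($oldmask);
    $secure($CRTDIR . "/" . $cert["id"] . ".key", 0640);
// … unchanged: .chain handling and $output …
```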
@@ -276,9 +276,9 @@ echo "."
 rm -f $SED_SCRIPT
 ########################################################################
-# Ad-hoc fixes
-#
+# Ad-hoc fixes
+# add php.ini directives for AlternC in any installed php version:
 php="`ls /usr/lib/apache*/*/*php*.so | sed -e 's/^.*libphp\(.*\)\.so$/\1/' | tail -1`"
 if [ "$php" = "7.0" ]
 then
@@ -289,20 +289,43 @@ else
 ln -fs /etc/alternc/alternc.ini /etc/php$php/cli/conf.d/alternc.ini || true
 fi
-#Set a default certificate if needed
+# Create the default certificate if needed (requires openssl)
 make-ssl-cert generate-default-snakeoil
-SNAKEOIL_SSLKEY=$(.pem
+# and private keys in /etc/ssl/private/alternc-.key
 if [ ! -e /etc/alternc/apache.pem ]; then
- echo -e "$SNAKEOIL_SSLKEY\n$SNAKEOIL_SSLCRT" > /etc/alternc/apache.pem
+ cat /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/certs/ssl-cert-snakeoil.pem > /etc/alternc/apache.pem
 fi
+# set services certificates in case we don't already have them:
+# we set them to snakeoil: a provider MUST be installed to obtain a proper certificate automagically
+for service in postfix dovecot proftpd panel
+do
+ if [ ! -e "/etc/ssl/certs/alternc-${service}.pem" -o ! -e "/etc/ssl/private/alternc-${service}.key" ]
+ then
+ cat /etc/ssl/private/ssl-cert-snakeoil.key >"/etc/ssl/private/alternc-${service}.key"
+ cat /etc/ssl/certs/ssl-cert-snakeoil.pem >"/etc/ssl/certs/alternc-${service}.pem"
+ fi
+done
+
+# ensure dovecot, postfix, apache, can access ssl certificates:
+adduser dovecot ssl-cert
+adduser www-data ssl-cert
+adduser postfix ssl-cert
+ run-parts --arg=certificates /usr/lib/alternc/install.d
 if [ -x /usr/sbin/apache2 ]; then