kienan
/
AlternC
mirror of https://github.com/kienanstewart/AlternC.git
1
0
Fork 0
Code Issues Releases Wiki Activity

[fix] next ssl step: we start to use /etc/ssl/(certs|private)/alternc-<servicename>.(pem|key) as location for system service certificates, also, trying to use PdoException in case of PDO error (better for bug tracking)

This commit is contained in:
Benjamin Sonntag 2018-06-24 15:43:23 +02:00
parent cb13dae853
commit 5a3b9c7a13
3 changed files with 59 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
bureau/class/db_mysql.php
View File

@ -62,8 +62,11 @@ class DB_Sql {
$dsn = sprintf('mysql:dbname=%s;host=%s', $db, $host); $dsn = sprintf('mysql:dbname=%s;host=%s', $db, $host);
$options=array(
\PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION
);
try { try {
$this->pdo_instance = new PDO($dsn, $user, $passwd); $this->pdo_instance = new PDO($dsn, $user, $passwd, $options);
} catch (PDOException $e) { } catch (PDOException $e) {
echo "Mysql", "PDO instance", $e->getMessage(); echo "Mysql", "PDO instance", $e->getMessage();
return FALSE; return FALSE;

25
bureau/class/m_ssl.php
View File

@ -458,7 +458,7 @@ INSTR(CONCAT(sd.sub,IF(sd.sub!='','.',''),sd.domaine),'.')+1))=?
$msg->log("ssl", "import_cert"); $msg->log("ssl", "import_cert");
// Search for an existing cert: (first) // Search for an existing cert: (first)
$db->query("SELECT id FROM certificates WHERE crt=?;",array($crt)); $db->query("SELECT id FROM certificates WHERE sslcrt=?;",array($crt));
if ($db->next_record()) { if ($db->next_record()) {
$msg->raise("ERROR","ssl", _("Certificate already exists in database")); $msg->raise("ERROR","ssl", _("Certificate already exists in database"));
return false; return false;
@ -556,7 +556,7 @@ SELECT ?,?,?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), ?, ?, sslcsr FROM certificate
$msg->log("ssl", "update_domain($action,$type,$fqdn)"); $msg->log("ssl", "update_domain($action,$type,$fqdn)");
// the domain type must be a "dns_only=false" one: // the domain type must be a "dns_only=false" one:
if (!($domtype=$dom->domains_type_get($type)) || $domtype["dns_only"]==true) { if (!($domtype=$dom->domains_type_get($type)) || $domtype["only_dns"]==true) {
return; // nothing to do : this domain type does not involve Vhosts return; // nothing to do : this domain type does not involve Vhosts
} }
@ -623,19 +623,38 @@ SELECT ?,?,?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), ?, ?, sslcsr FROM certificate
// we split the certificates by 1000 // we split the certificates by 1000
$CRTDIR = self::KEY_REPOSITORY . "/" . floor($cert["id"]/1000); $CRTDIR = self::KEY_REPOSITORY . "/" . floor($cert["id"]/1000);
@mkdir($CRTDIR); @mkdir($CRTDIR,0750,true);
// set the proper permissions on the Key Repository folder and children :
chown(self::KEY_REPOSITORY,"root");
chgrp(self::KEY_REPOSITORY,"ssl-cert");
chmod(self::KEY_REPOSITORY,0750);
chown($CRTDIR,"root");
chgrp($CRTDIR,"ssl-cert");
chmod($CRTDIR,0750);
if ( if (
!file_exists($CRTDIR . "/" . $cert["id"].".crt") || !file_exists($CRTDIR . "/" . $cert["id"].".crt") ||
!file_exists($CRTDIR . "/" . $cert["id"].".key")) { !file_exists($CRTDIR . "/" . $cert["id"].".key")) {
// write the files (first time we use a certificate) // write the files (first time we use a certificate)
file_put_contents($CRTDIR . "/" . $cert["id"].".crt", $cert["sslcrt"]); file_put_contents($CRTDIR . "/" . $cert["id"].".crt", $cert["sslcrt"]);
file_put_contents($CRTDIR . "/" . $cert["id"].".key", $cert["sslkey"]); file_put_contents($CRTDIR . "/" . $cert["id"].".key", $cert["sslkey"]);
// set the proper rights on those files :
chown($CRTDIR . "/" . $cert["id"].".crt","root");
chgrp($CRTDIR . "/" . $cert["id"].".crt","ssl-cert");
chmod($CRTDIR . "/" . $cert["id"].".crt",0640);
chown($CRTDIR . "/" . $cert["id"].".key","root");
chgrp($CRTDIR . "/" . $cert["id"].".key","ssl-cert");
chmod($CRTDIR . "/" . $cert["id"].".key",0640);
if (isset($cert["sslchain"]) && $cert["sslchain"]) { if (isset($cert["sslchain"]) && $cert["sslchain"]) {
file_put_contents($CRTDIR . "/" . $cert["id"] . ".chain", $cert["sslchain"]); file_put_contents($CRTDIR . "/" . $cert["id"] . ".chain", $cert["sslchain"]);
chown($CRTDIR . "/" . $cert["id"].".chain","root");
chgrp($CRTDIR . "/" . $cert["id"].".chain","ssl-cert");
chmod($CRTDIR . "/" . $cert["id"].".chain",0640);
} }
} }
// we have the files, let's fill the output array : // we have the files, let's fill the output array :
$output=array( $output=array(
"id" => $cert["id"],
"crt" => $CRTDIR . "/" . $cert["id"].".crt", "crt" => $CRTDIR . "/" . $cert["id"].".crt",
"key" => $CRTDIR . "/" . $cert["id"].".key", "key" => $CRTDIR . "/" . $cert["id"].".key",
); );

41
install/alternc.install
View File

@ -277,8 +277,8 @@ rm -f $SED_SCRIPT
######################################################################## ########################################################################
# Ad-hoc fixes # Ad-hoc fixes
#
# add php.ini directives for AlternC in any installed php version:
php="`ls /usr/lib/apache*/*/*php*.so | sed -e 's/^.*libphp\(.*\)\.so$/\1/' | tail -1`" php="`ls /usr/lib/apache*/*/*php*.so | sed -e 's/^.*libphp\(.*\)\.so$/\1/' | tail -1`"
if [ "$php" = "7.0" ] if [ "$php" = "7.0" ]
then then
@ -289,20 +289,43 @@ else
ln -fs /etc/alternc/alternc.ini /etc/php$php/cli/conf.d/alternc.ini || true ln -fs /etc/alternc/alternc.ini /etc/php$php/cli/conf.d/alternc.ini || true
fi fi
#Set a default certificate if needed # Create the default certificate if needed (requires openssl)
make-ssl-cert generate-default-snakeoil make-ssl-cert generate-default-snakeoil
SNAKEOIL_SSLKEY=$(</etc/ssl/private/ssl-cert-snakeoil.key)
SNAKEOIL_SSLCRT=$(</etc/ssl/certs/ssl-cert-snakeoil.pem)
mysql_query "SET SESSION sql_mode=\"NO_AUTO_VALUE_ON_ZERO\" ; INSERT IGNORE INTO \ mysql_query <<EOF
certificates (id,uid,status,fqdn,validstart,validend,sslkey,sslcrt,provider) \ SET SESSION sql_mode="NO_AUTO_VALUE_ON_ZERO" ;
VALUES \ INSERT IGNORE INTO certificates
(0,2000,1,\"ALTERNC_DEFAULT_FQDN\",NOW(),ADDDATE(NOW(),INTERVAL 200 YEAR),\"$SNAKEOIL_SSLKEY\",\"$SNAKEOIL_SSLCRT\",\"snakeoil\");" (id,uid,status,fqdn,validstart,validend,sslkey,sslcrt,provider)
VALUES
(0, 2000, 1, "AlternC Default Certificate", NOW(), DATE_ADD(NOW(),INTERVAL 20 YEAR),
"$(cat /etc/ssl/private/ssl-cert-snakeoil.key)",
"$(cat /etc/ssl/certs/ssl-cert-snakeoil.pem)",
"snakeoil");
EOF
# backward compatibility: in case you still use apache.pem
# we are now storing certificates in /etc/ssl/certs/alternc-<servicename>.pem
# and private keys in /etc/ssl/private/alternc-<servicename>.key
if [ ! -e /etc/alternc/apache.pem ]; then if [ ! -e /etc/alternc/apache.pem ]; then
echo -e "$SNAKEOIL_SSLKEY\n$SNAKEOIL_SSLCRT" > /etc/alternc/apache.pem cat /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/certs/ssl-cert-snakeoil.pem > /etc/alternc/apache.pem
fi fi
# set services certificates in case we don't already have them:
# we set them to snakeoil: a provider MUST be installed to obtain a proper certificate automagically
for service in postfix dovecot proftpd panel
do
if [ ! -e "/etc/ssl/certs/alternc-${service}.pem" -o ! -e "/etc/ssl/private/alternc-${service}.key" ]
then
cat /etc/ssl/private/ssl-cert-snakeoil.key >"/etc/ssl/private/alternc-${service}.key"
cat /etc/ssl/certs/ssl-cert-snakeoil.pem >"/etc/ssl/certs/alternc-${service}.pem"
fi
done
# ensure dovecot, postfix, apache, can access ssl certificates:
adduser dovecot ssl-cert
adduser www-data ssl-cert
adduser postfix ssl-cert
run-parts --arg=certificates /usr/lib/alternc/install.d run-parts --arg=certificates /usr/lib/alternc/install.d
if [ -x /usr/sbin/apache2 ]; then if [ -x /usr/sbin/apache2 ]; then