kienan
/
AlternC
mirror of https://github.com/kienanstewart/AlternC.git
1
0
Fork 0
Code Issues Releases Wiki Activity

many fixed: proper searchBestCertificate() and selfSigned() in m_ssl, + new templates and generator

This commit is contained in:
Benjamin Sonntag 2015-02-12 21:17:59 +01:00
parent f7d8c4fe72
commit eab44df9db
12 changed files with 304 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
ssl/gen-ssl-templates.sh
View File

@ -6,15 +6,25 @@
function convert { function convert {
src=$1 src=$1
dst=$2 dst=$2
(cat ../etc/alternc/templates/apache2/url.conf | sed -e 's#%%redirect%%#https://%%fqdn%%#'
cat $src | cat $src |
sed -e 's#:80#:443#' \ sed -e 's#:80#:443#' \
-e "s#</VirtualHost># SSLEngine On\n SSLCertificateFile %%CRT%%\n SSLCertificateKeyFile %%KEY%%\n %%CHAINLINE%%\n\n</VirtualHost>#i" \ -e "s#</VirtualHost># SSLEngine On\n SSLCertificateFile %%CRT%%\n SSLCertificateKeyFile %%KEY%%\n %%CHAINLINE%%\n\n</VirtualHost>#i" \
>$dst ) >$dst
} }
for template in panel url vhost
do
convert "../etc/alternc/templates/apache2/${template}.conf" "templates/${template}-ssl.conf"
done
# Those 3 are redirects from http://%%fqdn%% to https://%%fqdn%% PLUS the https://%%fqdn%% VHOST
convert "../roundcube/templates/apache2/roundcube.conf" "templates/roundcube-ssl.conf" convert "../roundcube/templates/apache2/roundcube.conf" "templates/roundcube-ssl.conf"
convert "../squirrelmail/templates/apache2/squirrelmail.conf" "templates/squirrelmail-ssl.conf" convert "../squirrelmail/templates/apache2/squirrelmail.conf" "templates/squirrelmail-ssl.conf"
convert "../etc/alternc/templates/apache2/panel.conf" "templates/panel-ssl.conf"
convert "../etc/alternc/templates/apache2/vhost.conf" "templates/vhost-ssl.conf"
# manual case : BOTH http and https are normal vhosts pointing to the same DocumentRoot
(cat ../etc/alternc/templates/apache2/vhost.conf
cat ../etc/alternc/templates/apache2/vhost.conf |
sed -e 's#:80#:443#' \
-e "s#</VirtualHost># SSLEngine On\n SSLCertificateFile %%CRT%%\n SSLCertificateKeyFile %%KEY%%\n %%CHAINLINE%%\n\n</VirtualHost>#i"
) >templates/vhost-mixssl.conf

32
ssl/hosting_vhost-ssl.sh
View File

@ -2,9 +2,10 @@
<?php <?php
/* /*
function called as a hook during alternc update_domains.sh as follow: function called as a hook during alternc update_domains.sh as follow:
(launched by functions_hosting.sh in launch_hook() shell function)
create a host: launch_hooks "create" "$1" "$2" "$3" "$4" (type domain mail value) create a host: launch_hooks "create" "$1" "$2" "$3" "$4" (type domain mail value)
at the end of host creation: launch_hooks "postinst" "$1" "$2" "$3" "$4" at the end of host creation: launch_hooks "postinst" "$1" "$2" "$3" "$4"
enable or disable a sot: launch_hooks "enable|disable" "$1" "$2" "$3" (type domain value) enable or disable a host: launch_hooks "enable|disable" "$1" "$2" "$3" (type domain value)
at host deletion: launch_hooks "delete" "$1" "$2" "$3" "$4" (type fqdn) at host deletion: launch_hooks "delete" "$1" "$2" "$3" "$4" (type fqdn)
also, after reloading apache : also, after reloading apache :
@ -16,8 +17,33 @@
before reloading a zone : run-parts --arg=dns_reload_zone --arg="$domain" /usr/lib/alternc/reload.d before reloading a zone : run-parts --arg=dns_reload_zone --arg="$domain" /usr/lib/alternc/reload.d
*/ */
// Bootstrap
// Bootstraps
require_once("/usr/share/alternc/panel/class/config_nochk.php"); require_once("/usr/share/alternc/panel/class/config_nochk.php");
if (!isset($argv[1])) {
echo "FATAL: must be launched from functions_hosting.sh !\n";
exit();
}
if ( ($argv[1]=="create" || $argv[1]=="postinst" || $argv[1]=="delete") ) {
if (count($argv)<5) {
echo "FATAL: create/postinst/delete need 4 parameters: type domain mail value\n";
print_r($argv);
exit();
}
$ssl->update_domain($argv[1], $argv[2], $argv[3], $argv[4]);
exit();
}
if ( ($argv[1]=="enable" || $argv[1]=="disable") ) {
if (count($argv)<4) {
echo "FATAL: enable/disable need 3 parameters: type domain value\n";
print_r($argv);
exit();
}
$ssl->update_domain($argv[1], $argv[2], $argv[3] );
exit();
}
echo "FATAL: action unknown, must be launched from functions_hosting.sh !\n";
print_r($argv);
exit();

198
ssl/panel/class/m_ssl.php
View File

@ -36,15 +36,19 @@ class m_ssl {
public $error = ""; public $error = "";
// Includes one or more of those flags to see only those certificates // Includes one or more of those flags to see only those certificates
// when listing them: // when listing them:
const FILTER_PENDING = 1; const FILTER_PENDING = 1;
const FILTER_OK = 2; const FILTER_OK = 2;
const FILTER_EXPIRED = 4; const FILTER_EXPIRED = 4;
const FILTER_SHARED = 8; const FILTER_SHARED = 8;
const SSL_INCRON_FILE = "/var/run/alternc/ssl/generate_certif_alias"; const SSL_INCRON_FILE = "/var/run/alternc/ssl/generate_certif_alias";
// ----------------------------------------------------------------- var $myDomainesTypes = array("vhost-ssl", "url-ssl", "panel-ssl", "roundcube-ssl", "squirrelmail-ssl");
const KEY_REPOSITORY = "/var/lib/alternc/ssl/private/";
// -----------------------------------------------------------------
/** /**
* Constructor * Constructor
*/ */
@ -52,7 +56,7 @@ class m_ssl {
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** /**
* Hook to add the "ssl certificate" menu in the Panel * Hook to add the "ssl certificate" menu in the Panel
*/ */
@ -78,7 +82,7 @@ class m_ssl {
); );
} }
// or admin shared >0 ! // or admin shared >0 !
$db->query("SELECT COUNT(*) AS cnt FROM certificates WHERE uid='$cuid' OR shared=1"); $db->query("SELECT COUNT(*) AS cnt FROM certificates WHERE uid='$cuid' OR shared=1");
$used = $q['u']; $used = $q['u'];
if ($db->next_record()) { if ($db->next_record()) {
@ -94,7 +98,7 @@ class m_ssl {
return $obj; return $obj;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Return all the SSL certificates for an account (or the searched one) /** Return all the SSL certificates for an account (or the searched one)
* @param $filter an integer telling which certificate we want to see (see FILTER_* constants above) * @param $filter an integer telling which certificate we want to see (see FILTER_* constants above)
* the default is showing all certificate, but only Pending and OK certificates, not expired or shared one * the default is showing all certificate, but only Pending and OK certificates, not expired or shared one
@ -106,7 +110,7 @@ class m_ssl {
global $db, $err, $cuid; global $db, $err, $cuid;
$err->log("ssl", "get_list"); $err->log("ssl", "get_list");
$r = array(); $r = array();
// If we have no filter, we filter by default on pending and ok certificates if there is more than 10 of them for the same user. // If we have no filter, we filter by default on pending and ok certificates if there is more than 10 of them for the same user.
if (is_null($filter)) { if (is_null($filter)) {
$db->query("SELECT count(*) AS cnt FROM certificates WHERE uid='$cuid' OR shared=1;"); $db->query("SELECT count(*) AS cnt FROM certificates WHERE uid='$cuid' OR shared=1;");
$db->next_record(); $db->next_record();
@ -116,9 +120,9 @@ class m_ssl {
$filter = (self::FILTER_PENDING | self::FILTER_OK | self::FILTER_EXPIRED | self::FILTER_SHARED); $filter = (self::FILTER_PENDING | self::FILTER_OK | self::FILTER_EXPIRED | self::FILTER_SHARED);
} }
} }
// filter the filter values :) // filter the filter values :)
$filter = ($filter & (self::FILTER_PENDING | self::FILTER_OK | self::FILTER_EXPIRED | self::FILTER_SHARED)); $filter = ($filter & (self::FILTER_PENDING | self::FILTER_OK | self::FILTER_EXPIRED | self::FILTER_SHARED));
// Here filter can't be null (and will be returned to the caller !) // Here filter can't be null (and will be returned to the caller !)
$sql = ""; $sql = "";
if ($filter & self::FILTER_SHARED) { if ($filter & self::FILTER_SHARED) {
$sql = " (uid='$cuid' OR shared=1) "; $sql = " (uid='$cuid' OR shared=1) ";
@ -148,7 +152,7 @@ class m_ssl {
} }
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Generate a new CSR, a new Private RSA Key, for FQDN. /** Generate a new CSR, a new Private RSA Key, for FQDN.
* @param $fqdn string the FQDN of the domain name for which we want a CSR. * @param $fqdn string the FQDN of the domain name for which we want a CSR.
* a wildcard certificate must start by *. * a wildcard certificate must start by *.
@ -179,7 +183,7 @@ class m_ssl {
return false; return false;
} }
$dn = array("commonName" => $fqdn); $dn = array("commonName" => $fqdn);
// override the (not taken from openssl.cnf) digest to use SHA-2 / SHA256 and not SHA-1 or MD5 : // override the (not taken from openssl.cnf) digest to use SHA-2 / SHA256 and not SHA-1 or MD5 :
$config = array("digest_alg" => "sha256"); $config = array("digest_alg" => "sha256");
$csr = openssl_csr_new($dn, $pkey, $config); $csr = openssl_csr_new($dn, $pkey, $config);
$csrout = ""; $csrout = "";
@ -192,7 +196,7 @@ class m_ssl {
return $id; return $id;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Return all informations of a given certificate for the current user. /** Return all informations of a given certificate for the current user.
* @return array all the informations of the current certificate as a hash. * @return array all the informations of the current certificate as a hash.
*/ */
@ -208,7 +212,7 @@ class m_ssl {
return $db->Record; return $db->Record;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Share (or unshare) an ssl certificate /** Share (or unshare) an ssl certificate
* @param $id integer the id of the certificate in the table. * @param $id integer the id of the certificate in the table.
* @param $action integer share (1) or unshare (0) this certificate * @param $action integer share (1) or unshare (0) this certificate
@ -232,7 +236,7 @@ class m_ssl {
return true; return true;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Return all the subdomains that can be ssl-enabled for the current account. /** Return all the subdomains that can be ssl-enabled for the current account.
* @return array of strings : all the subdomains. * @return array of strings : all the subdomains.
* Excludes the one for which a cert is already available * Excludes the one for which a cert is already available
@ -241,7 +245,7 @@ class m_ssl {
global $db, $err, $cuid; global $db, $err, $cuid;
$err->log("ssl", "get_new_advice"); $err->log("ssl", "get_new_advice");
$r = array(); $r = array();
// my certificates, either OK or PENDING (not expired) or the SHARED one (only OK then) // my certificates, either OK or PENDING (not expired) or the SHARED one (only OK then)
$db->query("SELECT fqdn FROM certificates WHERE $db->query("SELECT fqdn FROM certificates WHERE
(uid='$cuid' AND status IN (" . self::STATUS_PENDING . "," . self::STATUS_OK . ") ) (uid='$cuid' AND status IN (" . self::STATUS_PENDING . "," . self::STATUS_OK . ") )
OR (shared=1 AND status=" . self::STATUS_OK . ") OR (shared=1 AND status=" . self::STATUS_OK . ")
@ -250,7 +254,7 @@ class m_ssl {
while ($db->next_record()) { while ($db->next_record()) {
$r[] = $db->f("fqdn"); $r[] = $db->f("fqdn");
} }
// Now we get all our subdomains for certain domaines_types // Now we get all our subdomains for certain domaines_types
$db->query("SELECT sub,domaine FROM sub_domaines WHERE compte='$cuid' AND type IN ('vhost', 'url', 'roundcube', 'squirrelmail', 'panel', 'php52');"); $db->query("SELECT sub,domaine FROM sub_domaines WHERE compte='$cuid' AND type IN ('vhost', 'url', 'roundcube', 'squirrelmail', 'panel', 'php52');");
$advice = array(); $advice = array();
while ($db->next_record()) { while ($db->next_record()) {
@ -270,7 +274,7 @@ class m_ssl {
return($advice); return($advice);
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Import an existing ssl Key, Certificate and (maybe) a Chained Cert /** Import an existing ssl Key, Certificate and (maybe) a Chained Cert
* @param $key string the X.509 PEM-encoded RSA key * @param $key string the X.509 PEM-encoded RSA key
* @param $crt string the X.509 PEM-encoded certificate, which *must* * @param $crt string the X.509 PEM-encoded certificate, which *must*
@ -295,7 +299,7 @@ class m_ssl {
$fqdn = $crtdata["subject"]["CN"]; $fqdn = $crtdata["subject"]["CN"];
$altnames = $this->parseAltNames($crtdata["extensions"]["subjectAltName"]); $altnames = $this->parseAltNames($crtdata["extensions"]["subjectAltName"]);
// Everything is PERFECT and has been thoroughly checked, let's insert those in the DB ! // Everything is PERFECT and has been thoroughly checked, let's insert those in the DB !
$sql = "INSERT INTO certificates SET uid='$cuid', status=" . self::STATUS_OK . ", shared=0, fqdn='" . addslashes($fqdn) . "', altnames='" . addslashes($altnames) . "', validstart=FROM_UNIXTIME(" . intval($validstart) . "), validend=FROM_UNIXTIME(" . intval($validend) . "), sslkey='" . addslashes($key) . "', sslcrt='" . addslashes($crt) . "', sslchain='" . addslashes($chain) . "';"; $sql = "INSERT INTO certificates SET uid='$cuid', status=" . self::STATUS_OK . ", shared=0, fqdn='" . addslashes($fqdn) . "', altnames='" . addslashes($altnames) . "', validstart=FROM_UNIXTIME(" . intval($validstart) . "), validend=FROM_UNIXTIME(" . intval($validend) . "), sslkey='" . addslashes($key) . "', sslcrt='" . addslashes($crt) . "', sslchain='" . addslashes($chain) . "';";
$db->query($sql); $db->query($sql);
if (!($id = $db->lastid())) { if (!($id = $db->lastid())) {
@ -305,7 +309,7 @@ class m_ssl {
return $id; return $id;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Import an ssl certificate into an existing certificate entry in the DB. /** Import an ssl certificate into an existing certificate entry in the DB.
* (finalize an enrollment process) * (finalize an enrollment process)
* @param $certid integer the ID in the database of the SSL Certificate * @param $certid integer the ID in the database of the SSL Certificate
@ -332,7 +336,7 @@ class m_ssl {
$fqdn = $crtdata["subject"]["CN"]; $fqdn = $crtdata["subject"]["CN"];
$altnames = $this->parseAltNames($crtdata["extensions"]["subjectAltName"]); $altnames = $this->parseAltNames($crtdata["extensions"]["subjectAltName"]);
// Everything is PERFECT and has been thoroughly checked, let's insert those in the DB ! // Everything is PERFECT and has been thoroughly checked, let's insert those in the DB !
$sql = "UPDATE certificates SET status=" . self::STATUS_OK . ", shared=0, fqdn='" . addslashes($fqdn) . "', altnames='" . addslashes($altnames) . "', validstart=FROM_UNIXTIME(" . intval($validstart) . "), validend=FROM_UNIXTIME(" . intval($validend) . "), sslcrt='" . addslashes($crt) . "', sslchain='" . addslashes($chain) . "' WHERE id='$certid' ;"; $sql = "UPDATE certificates SET status=" . self::STATUS_OK . ", shared=0, fqdn='" . addslashes($fqdn) . "', altnames='" . addslashes($altnames) . "', validstart=FROM_UNIXTIME(" . intval($validstart) . "), validend=FROM_UNIXTIME(" . intval($validend) . "), sslcrt='" . addslashes($crt) . "', sslchain='" . addslashes($chain) . "' WHERE id='$certid' ;";
if (!$db->query($sql)) { if (!$db->query($sql)) {
$err->raise("ssl", _("Can't save the Crt/Chain now. Please try later.")); $err->raise("ssl", _("Can't save the Crt/Chain now. Please try later."));
@ -341,7 +345,7 @@ class m_ssl {
return $certid; return $certid;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Function called by a hook when an AlternC member is deleted. /** Function called by a hook when an AlternC member is deleted.
* @access private * @access private
* TODO: delete unused ssl certificates ?? > do this in the crontab. * TODO: delete unused ssl certificates ?? > do this in the crontab.
@ -353,7 +357,7 @@ class m_ssl {
return true; return true;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Hook which returns the used quota for the $name service for the current user. /** Hook which returns the used quota for the $name service for the current user.
* @param $name string name of the quota * @param $name string name of the quota
* @return integer the number of service used or false if an error occured * @return integer the number of service used or false if an error occured
@ -370,7 +374,98 @@ class m_ssl {
return $q; return $q;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Launched by hosting_functions.sh launched by update_domaines.sh
* Action may be create/postinst/delete/enable/disable
* Change the template for this domain name to have the proper CERTIFICATE
* An algorithm determine the best possible certificate, which may be a BAD one
* (like a generic admin-shared or self-signed for localhost as a last chance)
*/
public function update_domain($action, $type, $fqdn, $mail = 0, $value = "") {
global $db, $err;
$err->log("ssl", "update_domain($action,$type,$fqdn)");
if (!in_array($type, $this->myDomainesTypes)) {
return; // nothing to do : the type is not our to start with ;)
}
if ($action == "create") {
$err->log("ssl", "update_domain:CREATE($action,$type,$fqdn)");
$offset = 0;
$found = false;
do { // try each subdomain (strtok-style) and search them in sub_domaines table:
$db->query("SELECT * FROM sub_domaines WHERE "
. "sub='" . substr($fqdn, 0, $offset) . "' AND domaine='" . substr($fqdn, $offset + ($offset != 0)) . "' "
. "AND web_action NOT IN ('','OK') AND type='" . $type . "';");
if ($db->next_record()) {
$found = true;
break;
}
$offset = strpos($fqdn, ".", $offset);
} while (true);
if (!$found) {
echo "FATAL: didn't found fqdn $fqdn in sub_domaines table !\n";
return;
}
// found and $db point to it:
$subdom = $db->Record;
$TARGET_FILE = "/var/lib/alternc/apache-vhost/" . substr($subdom["compte"], -1) . "/" . $subdom["compte"] . "/" . $fqdn . ".conf";
// DEBUG
echo "TARGET_FILE:".$TARGET_FILE."\n";
$cert = $this->searchBestCert($subdom["compte"], $fqdn);
// DEBUG echo "Return from searchBestCert(" . $subdom["compte"] . "," . $fqdn . ") is "; print_r($cert);
// Save crt/key/chain into KEY_REPOSITORY
$CRTDIR = self::KEY_REPOSITORY . "/" . $subdom["compte"];
@mkdir($CRTDIR);
file_put_contents($CRTDIR . "/" . $fqdn . ".crt", $cert["sslcrt"]);
file_put_contents($CRTDIR . "/" . $fqdn . ".key", $cert["sslkey"]);
if (isset($cert["sslchain"]) && $cert["sslchain"]) {
file_put_contents($CRTDIR . "/" . $fqdn . ".chain", $cert["sslchain"]);
}
// edit apache conf file to set the certificate:
$s = file_get_contents($TARGET_FILE);
$s = str_replace("%%CRT%%", $CRTDIR . "/" . $fqdn . ".crt", $s);
$s = str_replace("%%KEY%%", $CRTDIR . "/" . $fqdn . ".key", $s);
if (isset($cert["sslchain"]) && $cert["sslchain"]) {
$s = str_replace("%%CHAINLINE%%", "SSLCertificateChainFile " . $CRTDIR . "/" . $fqdn . ".crt", $s);
} else {
$s = str_replace("%%CHAINLINE%%", "", $s);
}
file_put_contents($TARGET_FILE, $s);
} // action==create
}
// --------------op---------------------------------------------------
/** Search for the best certificate for a user and a fqdn
* Return a hash with sslcrt, sslkey and maybe sslchain.
* return ANYWAY : if necessary, return a newly created (and stored in KEY_REPOSITORY localhost self-signed certificate...
*/
public function searchBestCert($uid, $fqdn) {
global $db;
$uid = intval($uid);
// 1st search for a valid certificate in my account or shared by the admin:
// the ORDER BY make it so that we try VALID then EXPIRED one (sad)
$wildcard = "*" . substr($fqdn, strpos($fqdn, ".") + 1);
$db->query("SELECT * FROM certificates WHERE status=1 "
. "AND (uid=" . $uid . " OR shared=1) "
. "AND (fqdn='" . $fqdn . "' OR fqdn='" . $wildcard . "' OR altnames LIKE '%" . $fqdn . "%') "
. "ORDER BY (validstart<=NOW() AND validend>=NOW()) DESC, validstart DESC ");
while ($db->next_record()) {
if ($db->fqdn == $fqdn) {
return $db->Record;
}
$altnames = explode("\n", $db->Record["altnames"]);
foreach ($altnames as $altname) {
if (trim($altname) == $fqdn) {
return $db->Record;
}
}
}
// not found, we generate a one-time self-signed certificate for this host.
$crt = $this->selfSigned($fqdn);
$crt["uid"] = $uid;
return $crt;
}
// -----------------------------------------------------------------
/** Export every information for an AlternC's account /** Export every information for an AlternC's account
* @access private * @access private
* EXPERIMENTAL 'sid' function ;) * EXPERIMENTAL 'sid' function ;)
@ -391,7 +486,7 @@ class m_ssl {
return $str; return $str;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Returns the list of alternate names of an X.509 SSL Certificate /** Returns the list of alternate names of an X.509 SSL Certificate
* from the attribute list. * from the attribute list.
* @param $str string the $crtdata["extensions"]["subjectAltName"] from openssl * @param $str string the $crtdata["extensions"]["subjectAltName"] from openssl
@ -406,7 +501,7 @@ class m_ssl {
} }
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Add (immediately) a global alias to the HTTP /** Add (immediately) a global alias to the HTTP
* certif_alias table and add it to apache configuration * certif_alias table and add it to apache configuration
* by launching a incron action. * by launching a incron action.
@ -428,7 +523,7 @@ class m_ssl {
return true; return true;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Removes (immediately) a global alias to the HTTP /** Removes (immediately) a global alias to the HTTP
* certif_alias table and add it to apache configuration * certif_alias table and add it to apache configuration
* by launching a incron action. * by launching a incron action.
@ -447,7 +542,7 @@ class m_ssl {
return true; return true;
} }
// ----------------------------------------------------------------- // -----------------------------------------------------------------
/** Check that a crt is a proper certificate /** Check that a crt is a proper certificate
* @param $crt string an SSL Certificate * @param $crt string an SSL Certificate
* @param $chain string is a list of certificates * @param $chain string is a list of certificates
@ -458,14 +553,14 @@ class m_ssl {
*/ */
function check_cert($crt, $chain, $key = "", $certid = null) { function check_cert($crt, $chain, $key = "", $certid = null) {
global $db; global $db;
// Check that the key crt and chain are really SSL certificates and keys // Check that the key crt and chain are really SSL certificates and keys
$crt = trim(str_replace("\r\n", "\n", $crt)) . "\n"; $crt = trim(str_replace("\r\n", "\n", $crt)) . "\n";
$key = trim(str_replace("\r\n", "\n", $key)) . "\n"; $key = trim(str_replace("\r\n", "\n", $key)) . "\n";
$chain = trim(str_replace("\r\n", "\n", $chain)) . "\n"; $chain = trim(str_replace("\r\n", "\n", $chain)) . "\n";
$this->error = ""; $this->error = "";
if (trim($key) == "" && !is_null($certid)) { if (trim($key) == "" && !is_null($certid)) {
// find it in the DB : // find it in the DB :
$db->query("SELECT sslkey FROM certificates WHERE id=" . intval($certid) . ";"); $db->query("SELECT sslkey FROM certificates WHERE id=" . intval($certid) . ";");
if (!$db->next_record()) { if (!$db->next_record()) {
$this->error.=_("Can't find the private key in the certificate table, please check your form."); $this->error.=_("Can't find the private key in the certificate table, please check your form.");
@ -494,7 +589,7 @@ class m_ssl {
return false; return false;
} }
// We split the chained certificates in individuals certificates : // We split the chained certificates in individuals certificates :
$chains = array(); $chains = array();
$status = 0; $status = 0;
$new = ""; $new = "";
@ -516,8 +611,8 @@ class m_ssl {
$new.=$line . "\n"; $new.=$line . "\n";
} }
} }
// here chains contains all the ssl certificates in the chained certs. // here chains contains all the ssl certificates in the chained certs.
// Now we check those using Openssl functions (real check :) ) // Now we check those using Openssl functions (real check :) )
$rchains = array(); $rchains = array();
$i = 0; $i = 0;
foreach ($chains as $tmpcert) { foreach ($chains as $tmpcert) {
@ -540,13 +635,13 @@ class m_ssl {
$this->error.=_("The private key is invalid.") . "\n"; $this->error.=_("The private key is invalid.") . "\n";
} }
if (!$this->error) { if (!$this->error) {
// check that the private key and the certificates are matching : // check that the private key and the certificates are matching :
if (!openssl_x509_check_private_key($rcrt, $rkey)) { if (!openssl_x509_check_private_key($rcrt, $rkey)) {
$this->error.=_("The private key is not the one signed inside the certificate.") . "\n"; $this->error.=_("The private key is not the one signed inside the certificate.") . "\n";
} }
} }
if (!$this->error) { if (!$this->error) {
// Everything is fine, let's recreate crt, chain, key from our internal OpenSSL structures: // Everything is fine, let's recreate crt, chain, key from our internal OpenSSL structures:
if (!openssl_x509_export($rcrt, $crt)) { if (!openssl_x509_export($rcrt, $crt)) {
$this->error.=_("Can't export your certificate as a string, please check its syntax.") . "\n"; $this->error.=_("Can't export your certificate as a string, please check its syntax.") . "\n";
} }
@ -565,7 +660,40 @@ class m_ssl {
return array($crt, $chain, $key, $crtdata); return array($crt, $chain, $key, $crtdata);
} }
// check_cert // -----------------------------------------------------------------
/** Generate a self-signed certificate
*
* @param string $fqdn the fully qualified domain name to set as commonName for the certificate
* @return hash an array similar to a certificate DB row containing everything (sslcrt, sslcsr, sslkey, sslchain)
*/
private function selfSigned($fqdn) {
global $err;
putenv("OPENSSL_CONF=/etc/alternc/openssl.cnf");
$pkey = openssl_pkey_new();
if (!$pkey) {
$err->raise("ssl", _("Can't generate a private key (1)"));
return false;
}
$privKey = "";
if (!openssl_pkey_export($pkey, $privKey)) {
$err->raise("ssl", _("Can't generate a private key (2)"));
return false;
}
$dn = array("commonName" => $fqdn);
// override the (not taken from openssl.cnf) digest to use SHA-2 / SHA256 and not SHA-1 or MD5 :
$config = array("digest_alg" => "sha256");
$csr = openssl_csr_new($dn, $pkey, $config);
$csrout = "";
openssl_csr_export($csr, $csrout);
$crt = openssl_csr_sign($csr, null, $pkey, 3650, $config);
$crtout = "";
openssl_x509_export($crt, $crtout);
return array("id" => 0, "status" => 1, "shared" => 0, "fqdn" => $fqdn, "altnames" => "",
"validstart" => date("Y-m-d H:i:s"), "validend" => date("Y-m-d H:i:s", time() + 86400 * 10 * 365.249),
"sslcsr" => $csrout, "sslcrt" => $crtout, "sslkey" => $privKey, "sslchain" => ""
);
}
} }
/* Class m_ssl */ /* Class m_ssl */

15
ssl/ssl.sql
View File

@ -29,9 +29,14 @@ CREATE TABLE IF NOT EXISTS `certif_alias` (
KEY `uid` (`uid`) KEY `uid` (`uid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='Global aliases defined for SSL certificates FILE validation processes'; ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='Global aliases defined for SSL certificates FILE validation processes';
INSERT IGNORE INTO `domaines_type` (name ,description ,target ,entry ,compatibility ,enable ,only_dns ,need_dns ,advanced ) VALUES ('vhost-ssl','Locally hosted WITH SSL','DIRECTORY','%SUB% IN A @@PUBLIC_IP@@','vhost,url,txt,defmx,defmx2,mx,mx2','ALL',0,0,0,1,1); INSERT IGNORE INTO `domaines_type` (name ,description ,target ,entry ,compatibility ,enable ,only_dns ,need_dns ,advanced ) VALUES
INSERT IGNORE INTO `domaines_type` (name ,description ,target ,entry ,compatibility ,enable ,only_dns ,need_dns ,advanced ) VALUES ('url-ssl','URL redirection WITH SSL','URL','%SUB% IN A @@PUBLIC_IP@@','vhost,url,txt,defmx,defmx2','ALL',0,0,0,0,0); ('vhost-ssl','Locally hosted forcing HTTPS','DIRECTORY','%SUB% IN A @@PUBLIC_IP@@','vhost,url,txt,defmx,defmx2,mx,mx2','ALL',0,0,0);
INSERT IGNORE INTO `domaines_type` (name ,description ,target ,entry ,compatibility ,enable ,only_dns ,need_dns ,advanced ) VALUES ('panel-ssl','AlternC panel access WITH SSL','NONE','%SUB% IN A @@PUBLIC_IP@@','panel,ip,ipv6,cname,txt,mx,mx2,defmx,defmx2','ALL',0,0,1,0,0); INSERT IGNORE INTO `domaines_type` (name ,description ,target ,entry ,compatibility ,enable ,only_dns ,need_dns ,advanced ) VALUES
INSERT IGNORE INTO `domaines_type` (name ,description ,target ,entry ,compatibility ,enable ,only_dns ,need_dns ,advanced ) VALUES ('roundcube-ssl','Roundcube Webmail access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'mx,mx2,defmx,defmx2,roundcube,txt', 'ALL', '0', '0', '0'); ('vhost-mixssl','Locally hosted HTTP and HTTPS','DIRECTORY','%SUB% IN A @@PUBLIC_IP@@','vhost,url,txt,defmx,defmx2,mx,mx2','ALL',0,0,0);
INSERT IGNORE INTO `domaines_type` (name ,description ,target ,entry ,compatibility ,enable ,only_dns ,need_dns ,advanced ) VALUES ('squirrelmail-ssl','Squirrelmail Webmail access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'mx,mx2,defmx,defmx2,squirrelmail,txt', 'ALL', '0', '0', '0'); INSERT IGNORE INTO `domaines_type` (name ,description ,target ,entry ,compatibility ,enable ,only_dns ,need_dns ,advanced ) VALUES
('panel-ssl','AlternC panel access WITH SSL','NONE','%SUB% IN A @@PUBLIC_IP@@','ip,ipv6,cname,txt,mx,mx2,defmx,defmx2','ALL',0,0,1);
INSERT IGNORE INTO `domaines_type` (name ,description ,target ,entry ,compatibility ,enable ,only_dns ,need_dns ,advanced ) VALUES
('roundcube-ssl','Roundcube Webmail access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'mx,mx2,defmx,defmx2,txt', 'ALL',0,0,1;
INSERT IGNORE INTO `domaines_type` (name ,description ,target ,entry ,compatibility ,enable ,only_dns ,need_dns ,advanced ) VALUES
('squirrelmail-ssl','Squirrelmail Webmail access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'mx,mx2,defmx,defmx2,txt','ALL',0,0,1);

0
ssl/ssl_alias_manager.sh Normal file → Executable file
View File

12
ssl/templates/panel-ssl.conf
View File

@ -1,3 +1,15 @@
<Virtualhost *:80>
ServerName %%fqdn%%
AssignUserId #%%UID%% #%%GID%%
SetEnv LOGIN "%%UID%%-%%LOGIN%%"
KeepAlive Off
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !/cgi-bin/
RewriteRule ^/(.*)$ https://%%fqdn%%/$1 [R=301,L]
</Virtualhost>
<VirtualHost *:443> <VirtualHost *:443>
DocumentRoot /usr/share/alternc/panel/admin DocumentRoot /usr/share/alternc/panel/admin
AssignUserId alterncpanel alterncpanel AssignUserId alterncpanel alterncpanel

12
ssl/templates/roundcube-ssl.conf
View File

@ -1,3 +1,15 @@
<Virtualhost *:80>
ServerName %%fqdn%%
AssignUserId #%%UID%% #%%GID%%
SetEnv LOGIN "%%UID%%-%%LOGIN%%"
KeepAlive Off
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !/cgi-bin/
RewriteRule ^/(.*)$ https://%%fqdn%%/$1 [R=301,L]
</Virtualhost>
<VirtualHost *:443> <VirtualHost *:443>
ServerName %%fqdn%% ServerName %%fqdn%%
AssignUserId www-data www-data AssignUserId www-data www-data

12
ssl/templates/squirrelmail-ssl.conf
View File

@ -1,3 +1,15 @@
<Virtualhost *:80>
ServerName %%fqdn%%
AssignUserId #%%UID%% #%%GID%%
SetEnv LOGIN "%%UID%%-%%LOGIN%%"
KeepAlive Off
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !/cgi-bin/
RewriteRule ^/(.*)$ https://%%fqdn%%/$1 [R=301,L]
</Virtualhost>
<VirtualHost *:443> <VirtualHost *:443>
ServerName %%fqdn%% ServerName %%fqdn%%
AssignUserId alternc-squirrelmail nogroup AssignUserId alternc-squirrelmail nogroup

17
ssl/templates/url-ssl.conf
View File

@ -1,17 +0,0 @@
<Virtualhost *:443>
ServerName %%fqdn%%
AssignUserId #%%UID%% #%%GID%%
SetEnv LOGIN "%%UID%%-%%LOGIN%%"
KeepAlive Off
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !/cgi-bin/
RewriteRule ^/(.*)$ %%redirect%%/$1 [R=301,L]
SSLEngine On
SSLCertificateFile %%CRT%%
SSLCertificateKeyFile %%KEY%%
%%CHAINLINE%%
</VirtualHost>

39
ssl/templates/vhost-mixssl.conf Normal file
View File

@ -0,0 +1,39 @@
<VirtualHost *:80>
ServerName %%fqdn%%
DocumentRoot "%%document_root%%"
AssignUserId #%%UID%% #%%GID%%
SetEnv LOGIN "%%UID%%-%%LOGIN%%"
<Directory "%%document_root%%">
php_admin_value open_basedir "%%account_root%%:/usr/share/php/"
php_admin_value upload_tmp_dir %%account_root%%/tmp
php_admin_value sendmail_path '/usr/lib/alternc/sendmail "%%mail_account%%" '
php_admin_flag mail.add_x_header on
Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
AllowOverride AuthConfig FileInfo Limit Options Indexes
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName %%fqdn%%
DocumentRoot "%%document_root%%"
AssignUserId #%%UID%% #%%GID%%
SetEnv LOGIN "%%UID%%-%%LOGIN%%"
<Directory "%%document_root%%">
php_admin_value open_basedir "%%account_root%%:/usr/share/php/"
php_admin_value upload_tmp_dir %%account_root%%/tmp
php_admin_value sendmail_path '/usr/lib/alternc/sendmail "%%mail_account%%" '
php_admin_flag mail.add_x_header on
Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
AllowOverride AuthConfig FileInfo Limit Options Indexes
</Directory>
SSLEngine On
SSLCertificateFile %%CRT%%
SSLCertificateKeyFile %%KEY%%
%%CHAINLINE%%
</VirtualHost>

12
ssl/templates/vhost-ssl.conf
View File

@ -1,3 +1,15 @@
<Virtualhost *:80>
ServerName %%fqdn%%
AssignUserId #%%UID%% #%%GID%%
SetEnv LOGIN "%%UID%%-%%LOGIN%%"
KeepAlive Off
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !/cgi-bin/
RewriteRule ^/(.*)$ https://%%fqdn%%/$1 [R=301,L]
</Virtualhost>
<VirtualHost *:443> <VirtualHost *:443>
ServerName %%fqdn%% ServerName %%fqdn%%
DocumentRoot "%%document_root%%" DocumentRoot "%%document_root%%"

8
ssl/update_ssl.php
View File

@ -1,8 +0,0 @@
#!/usr/bin/php
<?php
/* This script is launched as root through a cron to update automagically new certificates
and deploy them if required
*/