Home Explore Help
Sign In
yosoyhendrix
/
hestiacp
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: cd4c13de20
Branches Tags
hestiacp
/
bin
/
v-add-letsencrypt-domain

v-add-letsencrypt-domain 21 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574 
  1. #!/bin/bash
    2. 

  2. # info: check letsencrypt domain
    3. 

  3. # options: USER DOMAIN [ALIASES] [MAIL]
    4. 

  4. # labels: web
    5. 

  5. #
    6. 

  6. # example: v-add-letsencrypt-domain admin wonderland.com www.wonderland.com
    7. 

  7. #
    8. 

  8. # The function check and validates domain with Let's Encrypt
    9. 

  9. 

  10. 

  11. #----------------------------------------------------------#
    12. 

  12. #                    Variable&Function                     #
    13. 

  13. #----------------------------------------------------------#
    14. 

  14. 

  15. # Argument definition
    16. 

  16. user=$1
    17. 

  17. domain=$2
    18. 

  18. aliases=$3
    19. 

  19. mail=${4// }
    20. 

  20. 

  21. # Includes
    22. 

  22. # shellcheck source=/usr/local/hestia/func/main.sh
    23. 

  23. source $HESTIA/func/main.sh
    24. 

  24. # shellcheck source=/usr/local/hestia/func/domain.sh
    25. 

  25. source $HESTIA/func/domain.sh
    26. 

  26. # shellcheck source=/usr/local/hestia/conf/hestia.conf
    27. 

  27. source $HESTIA/conf/hestia.conf
    28. 

  28. 

  29. # LE API
    30. 

  30. LE_API='https://acme-v02.api.letsencrypt.org'
    31. 

  31. 

  32. if [[ "$LE_STAGING" = 'yes' ]]; then
    33. 

  33.     LE_API='https://acme-staging-v02.api.letsencrypt.org'
    34. 

  34. fi
    35. 

  35. 

  36. # encode base64
    37. 

  37. encode_base64() {
    38. 

  38.     cat |base64 |tr '+/' '-_' |tr -d '\r\n='
    39. 

  39. }
    40. 

  40. 

  41. # Let's Encrypt v2 curl function
    42. 

  42. query_le_v2() {
    43. 

  43.     protected='{"nonce": "'$3'",'
    44. 

  44.     protected=''$protected' "url": "'$1'",'
    45. 

  45.     protected=''$protected' "alg": "RS256", "kid": "'$KID'"}'
    46. 

  46.     content="Content-Type: application/jose+json"
    47. 

  47. 

  48.     payload_=$(echo -n "$2" |encode_base64)
    49. 

  49.     protected_=$(echo -n "$protected" |encode_base64)
    50. 

  50.     signature_=$(printf "%s" "$protected_.$payload_" |\
    51. 

  51.         openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
    52. 

  52.         encode_base64)
    53. 

  53. 

  54.     post_data='{"protected":"'"$protected_"'",'
    55. 

  55.     post_data=$post_data'"payload":"'"$payload_"'",'
    56. 

  56.     post_data=$post_data'"signature":"'"$signature_"'"}'
    57. 

  57. 

  58.     # Save http response to file passed as "$4" arg or print to stdout if not provided
    59. 

  59.     # http response headers are always sent to stdout
    60. 

  60.     local save_to_file=${4:-"/dev/stdout"}
    61. 

  61.     curl --location --insecure --retry 5 --retry-connrefused --silent --dump-header /dev/stdout --data "$post_data" "$1" --header "$content" --output "$save_to_file"
    62. 

  62.     debug_log "API call" "exit status: $?"
    63. 

  63. }
    64. 

  64. 

  65. 

  66. #----------------------------------------------------------#
    67. 

  67. #                    Verifications                         #
    68. 

  68. #----------------------------------------------------------#
    69. 

  69. 

  70. check_args '2' "$#" 'USER DOMAIN [ALIASES] [MAIL]'
    71. 

  71. is_format_valid 'user' 'domain' 'aliases'
    72. 

  72. is_object_valid 'user' 'USER' "$user"
    73. 

  73. is_object_unsuspended 'user' 'USER' "$user"
    74. 

  74. if [ ! -z "$mail" ]; then
    75. 

  75.     is_boolean_format_valid "$mail" 'mail'
    76. 

  76. fi
    77. 

  77. 

  78. # Set DNS CAA record retrieval commands
    79. 

  79. if [ ! -z "$DNS_SYSTEM" ]; then
    80. 

  80.     dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
    81. 

  81.     caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "CAA" | cut -d' ' -f1)
    82. 

  82. fi
    83. 

  83. 

  84. if [ -z "$mail" ] || [ "$mail" = 'no' ]; then
    85. 

  85.     mail=''
    86. 

  86.     is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
    87. 

  87.     is_object_valid 'web' 'DOMAIN' "$domain"
    88. 

  88.     is_object_unsuspended 'web' 'DOMAIN' "$domain"
    89. 

  89.     get_domain_values 'web'
    90. 

  90.     # check if alias is the letsencrypt wildcard domain, if not, make the normal checks
    91. 

  91.     if [[ "$aliases" != "*.$domain" ]]; then
    92. 

  92.         for alias in $(echo "$aliases" |tr ',' '\n' |sort -u); do
    93. 

  93.             check_alias="$(echo $ALIAS |tr ',' '\n' |grep ^$alias$)"
    94. 

  94.             if [ -z "$check_alias" ]; then
    95. 

  95.                 check_result $E_NOTEXIST "domain alias $alias doesn't exist"
    96. 

  96.             fi
    97. 

  97.         done
    98. 

  98.     fi;
    99. 

  99. else
    100. 

  100.     is_system_enabled "$MAIL_SYSTEM" 'MAIL_SYSTEM'
    101. 

  101.     is_object_valid 'mail' 'DOMAIN' "$domain"
    102. 

  102.     is_object_unsuspended 'mail' 'DOMAIN' "$domain"
    103. 

  103. fi
    104. 

  104. 

  105. 

  106. 

  107. # Dump debug info
    108. 

  108. debug_log() {
    109. 

  109.     echo -e "\n==[${1}]==\n${2}\n" >> "$log_file"
    110. 

  110. }
    111. 

  111. 

  112. # Perform verification if read-only mode is enabled
    113. 

  113. check_hestia_demo_mode
    114. 

  114. 

  115. 

  116. #----------------------------------------------------------#
    117. 

  117. #                       Action                             #
    118. 

  118. #----------------------------------------------------------#
    119. 

  119. 

  120. # Generate correct variables for mail domain SSL certificates
    121. 

  121. if [ ! -z "$mail" ]; then
    122. 

  122.     root_domain=$domain
    123. 

  123.     domain="mail.$root_domain"
    124. 

  124.     webmail=$(get_object_value "mail" "DOMAIN" "$root_domain" '$WEBMAIL');
    125. 

  125.     if [ ! -z "$webmail" ]; then
    126. 

  126.         aliases="$WEBMAIL_ALIAS.$root_domain"
    127. 

  127.     fi
    128. 

  128. fi
    129. 

  129. 

  130. log_file="/var/log/hestia/LE-${user}-${domain}.log"
    131. 

  131. touch "$log_file"
    132. 

  132. chmod 600 "$log_file"
    133. 

  133. 

  134. echo -e "\n\n=============================
    135. 

  135. Date Time: $(date +%Y-%m-%d) $(date +%H:%M:%S)
    136. 

  136. WEB_SYSTEM: ${WEB_SYSTEM}
    137. 

  137. PROXY_SYSTEM: ${PROXY_SYSTEM}
    138. 

  138. user: ${user}
    139. 

  139. domain: ${domain}
    140. 

  140. " >> "$log_file"
    141. 

  141. 

  142. # Registering LetsEncrypt user account
    143. 

  143. $BIN/v-add-letsencrypt-user $user
    144. 

  144. if [ "$?" -ne 0  ]; then
    145. 

  145.     touch $HESTIA/data/queue/letsencrypt.pipe
    146. 

  146.     sed -i "/ $domain /d" $HESTIA/data/queue/letsencrypt.pipe
    147. 

  147.     send_notice "LETSENCRYPT" "Account registration failed ($user)"
    148. 

  148.     check_result $E_CONNECT "LE account registration ($user)" > /dev/null
    149. 

  149. fi
    150. 

  150. 

  151. # Parsing LetsEncrypt account data
    152. 

  152. source $USER_DATA/ssl/le.conf
    153. 

  153. 

  154. # Checking wildcard alias
    155. 

  155. if [ "$aliases" = "*.$domain" ]; then
    156. 

  156.     wildcard='yes'
    157. 

  157.     proto="dns-01"
    158. 

  158.     if [ ! -e "$HESTIA/data/users/$user/dns/$domain.conf" ]; then
    159. 

  159.         check_result $E_NOTEXIST "DNS domain $domain doesn't exist"
    160. 

  160.     fi
    161. 

  161. else
    162. 

  162.     proto="http-01"
    163. 

  163. fi
    164. 

  164. 

  165. echo -e "
    166. 

  166. - aliases: ${aliases}
    167. 

  167. - proto: ${proto}
    168. 

  168. - wildcard: ${wildcard}
    169. 

  169. " >> "$log_file"
    170. 

  170. 

  171. # Check if dns records exist for requested domain/aliases
    172. 

  172. if [ "$proto" = "http-01" ]; then
    173. 

  173.     for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
    174. 

  174.         if [[ "$identifier" = *[![:ascii:]]* ]]; then
    175. 

  175.             identifier=$(idn -t --quiet -a $identifier)
    176. 

  176.         fi
    177. 

  177.         if ! nslookup "${identifier}" > /dev/null 2>&1 ; then
    178. 

  178.             check_result $E_NOTEXIST "DNS record for $identifier doesn't exist"
    179. 

  179.         fi
    180. 

  180.     done
    181. 

  181. fi
    182. 

  182. 

  183. # Ensure DNS CAA record exists for Let's Encrypt before requesting certificate
    184. 

  184. if [ ! -z "$DNS_SYSTEM" ]; then
    185. 

  185.     # Check for DNS zone
    186. 

  186.     if [ "$dns_domain" = "$domain" ]; then
    187. 

  187.         # Replace DNS domain CAA records with Let's Encrypt values
    188. 

  188.         if [ -z "$caa_record" ]; then
    189. 

  189.             $BIN/v-add-dns-record $user $domain '@' 'CAA' '0 issue "letsencrypt.org"'
    190. 

  190.         else
    191. 

  191.             $BIN/v-delete-dns-record $user $domain $caa_record
    192. 

  192.             $BIN/v-add-dns-record $user $domain '@' 'CAA' '0 issue "letsencrypt.org"'
    193. 

  193.         fi
    194. 

  194.     fi
    195. 

  195. fi
    196. 

  196. 

  197. # Requesting nonce / STEP 1
    198. 

  198. answer=$(curl -s -I "$LE_API/directory")
    199. 

  199. nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
    200. 

  200. status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
    201. 

  201. 

  202. debug_log "Step 1" "- status: ${status}\n- nonce: ${nonce}\n- answer: ${answer}"
    203. 

  203. 

  204. if [[ "$status" -ne 200 ]]; then
    205. 

  205.     # Delete DNS CAA record
    206. 

  206.     if [ ! -z "$DNS_SYSTEM" ]; then
    207. 

  207.         if [ "$dns_domain" = "$domain" ]; then
    208. 

  208.             if [ ! -z "$caa_record" ]; then
    209. 

  209.                 $BIN/v-delete-dns-record $user $domain $caa_record
    210. 

  210.             fi
    211. 

  211.         fi
    212. 

  212.     fi
    213. 

  213.     check_result $E_CONNECT "Let's Encrypt nonce request status $status ($domain)"
    214. 

  214. fi
    215. 

  215. 

  216. # Placing new order / STEP 2
    217. 

  217. url="$LE_API/acme/new-order"
    218. 

  218. payload='{"identifiers":['
    219. 

  219. for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
    220. 

  220.     if [[ "$identifier" = *[![:ascii:]]* ]]; then
    221. 

  221.         identifier=$(idn -t --quiet -a $identifier)
    222. 

  222.     fi
    223. 

  223.     payload=$payload'{"type":"dns","value":"'$identifier'"},'
    224. 

  224. done
    225. 

  225. payload=$(echo "$payload"|sed "s/,$//")
    226. 

  226. payload=$payload']}'
    227. 

  227. answer=$(query_le_v2 "$url" "$payload" "$nonce")
    228. 

  228. nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
    229. 

  229. authz=$(echo "$answer" |grep "acme/authz" |cut -f2 -d '"')
    230. 

  230. finalize=$(echo "$answer" |grep 'finalize":' |cut -f4 -d '"')
    231. 

  231. status=$(echo "$answer" |grep HTTP/ |tail -n1 |cut -f2 -d ' ')
    232. 

  232. 

  233. debug_log "Step 2" "- status: ${status}\n- nonce: ${nonce}\n- authz: ${authz}\n- finalize: ${finalize}\n- payload: ${payload}\n- answer: ${answer}"
    234. 

  234. 

  235. if [[ "$status" -ne 201 ]]; then
    236. 

  236.     # Delete DNS CAA record
    237. 

  237.     if [ ! -z "$DNS_SYSTEM" ]; then
    238. 

  238.         if [ "$dns_domain" = "$domain" ]; then
    239. 

  239.             if [ ! -z "$caa_record" ]; then
    240. 

  240.                 $BIN/v-delete-dns-record $user $domain $caa_record
    241. 

  241.             fi
    242. 

  242.         fi
    243. 

  243.     fi
    244. 

  244.     check_result $E_CONNECT "Let's Encrypt new auth status $status ($domain)"
    245. 

  245. fi
    246. 

  246. 

  247. # Requesting authorization token / STEP 3
    248. 

  248. for auth in $authz; do
    249. 

  249.     payload=''
    250. 

  250.     answer=$(query_le_v2 "$auth" "$payload" "$nonce")
    251. 

  251.     url=$(echo "$answer" |grep -A3 $proto |grep -m1 url |cut -f 4 -d \")
    252. 

  252.     token=$(echo "$answer" |grep -A3 $proto |grep token |cut -f 4 -d \")
    253. 

  253.     nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
    254. 

  254.     status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
    255. 

  255. 

  256.     debug_log "Step 3" "- status: ${status}\n- nonce: ${nonce}\n- url: ${url}\n- token: ${token}\n- answer: ${answer}"
    257. 

  257. 

  258.     if [[ "$status" -ne 200 ]]; then
    259. 

  259.         # Delete DNS CAA record
    260. 

  260.         if [ ! -z "$DNS_SYSTEM" ]; then
    261. 

  261.             dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
    262. 

  262.             caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "letsencrypt" | cut -d' ' -f1)
    263. 

  263. 

  264.             if [ "$dns_domain" = "$domain" ]; then
    265. 

  265.                 if [ ! -z "$caa_record" ]; then
    266. 

  266.                     $BIN/v-delete-dns-record $user $domain $caa_record
    267. 

  267.                 fi
    268. 

  268.             fi
    269. 

  269.         fi
    270. 

  270.         check_result $E_CONNECT "Let's Encrypt acme/authz bad status $status ($domain)"
    271. 

  271.     fi
    272. 

  272. 

  273.     # Accepting challenge / STEP 4
    274. 

  274.     if [ "$wildcard" = 'yes'  ]; then
    275. 

  275.         record=$(printf "%s" "$token.$THUMB" |\
    276. 

  276.             openssl dgst -sha256 -binary |encode_base64)
    277. 

  277.         old_records=$($BIN/v-list-dns-records $user $domain plain|grep 'TXT')
    278. 

  278.         old_records=$(echo "$old_records" |grep _acme-challenge |cut -f 1)
    279. 

  279.         for old_record in $old_records; do
    280. 

  280.             $BIN/v-delete-dns-record $user $domain $old_record
    281. 

  281.         done
    282. 

  282.         $BIN/v-add-dns-record $user $domain "_acme-challenge" "TXT" $record
    283. 

  283.         check_result $? "DNS _acme-challenge record wasn't created ($domain)"
    284. 

  284.     else
    285. 

  285.         if [ -z "$mail" ]; then
    286. 

  286.             if [ "$WEB_SYSTEM" = 'nginx' ] || [ "$PROXY_SYSTEM" = 'nginx' ]; then
    287. 

  287.                 conf="$HOMEDIR/$user/conf/web/$domain/nginx.conf_letsencrypt"
    288. 

  288.                 sconf="$HOMEDIR/$user/conf/web/$domain/nginx.ssl.conf_letsencrypt"
    289. 

  289.                 echo 'location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {' \
    290. 

  290.                     > $conf
    291. 

  291.                 echo '    default_type text/plain;' >> $conf
    292. 

  292.                 echo '    return 200 "$1.'$THUMB'";' >> $conf
    293. 

  293.                 echo '}' >> $conf
    294. 

  294.                 if [ ! -e "$sconf" ]; then
    295. 

  295.                     ln -s "$conf" "$sconf"
    296. 

  296.                 fi
    297. 

  297.                 if [ ! -z "$PROXY_SYSTEM" ]; then
    298. 

  298.                     $BIN/v-restart-proxy
    299. 

  299.                     check_result $? "Proxy restart failed" > /dev/null
    300. 

  300.                 fi
    301. 

  301.             else
    302. 

  302.                 # Get root directory from configuration
    303. 

  303.                 domain_config="$HOMEDIR/$user/conf/web/$domain"
    304. 

  304.                 if [ -f "$domain_config/apache2.conf" ]; then
    305. 

  305.                     well_known="$(cat $domain_config/apache2.conf | egrep \
    306. 

  306.                                 '^\s+DocumentRoot'| awk '{split($0, a, " "); \
    307. 

  307.                                 print a[2]}')/.well-known"
    308. 

  308.                 else
    309. 

  309.                     well_known="$(cat $domain_config/nginx.conf | egrep '^\s+root'| \
    310. 

  310.                                 awk '{split($0, a, " "); print a[2]}' | \
    311. 

  311.                                 sed 's/;$//')/.well-known"
    312. 

  312.                 fi
    313. 

  313.                 acme_challenge="$well_known/acme-challenge"
    314. 

  314.                 mkdir -p $acme_challenge
    315. 

  315.                 echo "$token.$THUMB" > $acme_challenge/$token
    316. 

  316.                 chown -R $user:$user $well_known
    317. 

  317.             fi
    318. 

  318.         else
    319. 

  319.             if [ "$WEB_SYSTEM" = 'nginx' ] || [ "$PROXY_SYSTEM" = 'nginx' ]; then
    320. 

  320.                 conf="$HOMEDIR/$user/conf/mail/$root_domain/nginx.conf_letsencrypt"
    321. 

  321.                 sconf="$HOMEDIR/$user/conf/mail/$root_domain/nginx.ssl.conf_letsencrypt"
    322. 

  322.                 echo 'location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {' \
    323. 

  323.                     > $conf
    324. 

  324.                 echo '    default_type text/plain;' >> $conf
    325. 

  325.                 echo '    return 200 "$1.'$THUMB'";' >> $conf
    326. 

  326.                 echo '}' >> $conf
    327. 

  327.                 if [ ! -e "$sconf" ]; then
    328. 

  328.                     ln -s "$conf" "$sconf"
    329. 

  329.                 fi
    330. 

  330.                 if [ ! -z "$PROXY_SYSTEM" ]; then
    331. 

  331.                     $BIN/v-restart-proxy
    332. 

  332.                     check_result $? "Proxy restart failed" > /dev/null
    333. 

  333.                 fi
    334. 

  334.             else  
    335. 

  335.                 get_object_value 'mail' 'DOMAIN' "$root_domain" "WEBMAIL" 
    336. 

  336.                 if [ ! -z "$WEBMAIL" ]; then 
    337. 

  337.                     well_known="/var/lib/$WEBMAIL/.well-known"
    338. 

  338.                     acme_challenge="$well_known/acme-challenge"
    339. 

  339.                     mkdir -p $acme_challenge
    340. 

  340.                     echo "$token.$THUMB" > $acme_challenge/$token
    341. 

  341.                     chown -R $user:$user $well_known
    342. 

  342.                 fi
    343. 

  343.             fi
    344. 

  344.         fi
    345. 

  345.         if [ "$WEB_SYSTEM" = 'nginx' ]; then
    346. 

  346.             $BIN/v-restart-web
    347. 

  347.             check_result $? "Web restart failed" > /dev/null
    348. 

  348.         fi
    349. 

  349.     fi
    350. 

  350. 

  351.     # Requesting ACME validation / STEP 5
    352. 

  352.     validation_check=$(echo "$answer" |grep '"valid"')
    353. 

  353.     if [[ ! -z "$validation_check" ]]; then
    354. 

  354.         validation='valid'
    355. 

  355.     else
    356. 

  356.         validation='pending'
    357. 

  357.         sleep 5
    358. 

  358.     fi
    359. 

  359. 

  360.     # Doing pol check on status
    361. 

  361.     i=1
    362. 

  362.     while [ "$validation" = 'pending' ]; do
    363. 

  363.         payload='{}'
    364. 

  364.         answer=$(query_le_v2 "$url" "$payload" "$nonce")
    365. 

  365.         validation=$(echo "$answer"|grep -A1 $proto |tail -n1|cut -f4 -d \")
    366. 

  366.         nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
    367. 

  367.         status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
    368. 

  368.         details=$(echo "$answer"| grep detail | cut -f 1 -d ',' | cut -f 2-4 -d ':' | cut -f 2 -d '"')
    369. 

  369. 

  370.         debug_log "Step 5" "- status: ${status}\n- nonce: ${nonce}\n- validation: ${validation}\n- details: ${details}\n- answer: ${answer}"
    371. 

  371. 

  372.         if [[ "$status" -ne 200 ]]; then
    373. 

  373.             # Delete DNS CAA record
    374. 

  374.             if [ ! -z "$DNS_SYSTEM" ]; then
    375. 

  375.                 dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
    376. 

  376.                 caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "letsencrypt" | cut -d' ' -f1)
    377. 

  377. 

  378.                 if [ "$dns_domain" = "$domain" ]; then
    379. 

  379.                     if [ ! -z "$caa_record" ]; then
    380. 

  380.                         $BIN/v-delete-dns-record $user $domain $caa_record
    381. 

  381.                     fi
    382. 

  382.                 fi
    383. 

  383.             fi
    384. 

  384.             debug_log "Abort Step 5" "=> Wrong status"
    385. 

  385.             check_result $E_CONNECT "Let's Encrypt validation status $status ($domain). Details: $details"
    386. 

  386.         fi
    387. 

  387. 

  388.         i=$((i + 1))
    389. 

  389.         if [ "$i" -gt 10 ]; then
    390. 

  390.             # Delete DNS CAA record
    391. 

  391.             if [ ! -z "$DNS_SYSTEM" ]; then
    392. 

  392.                 dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
    393. 

  393.                 caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "letsencrypt" | cut -d' ' -f1)
    394. 

  394. 

  395.                 if [ "$dns_domain" = "$domain" ]; then
    396. 

  396.                     if [ ! -z "$caa_record" ]; then
    397. 

  397.                         $BIN/v-delete-dns-record $user $domain $caa_record
    398. 

  398.                     fi
    399. 

  399.                 fi
    400. 

  400.             fi
    401. 

  401.             debug_log "Abort Step 5" "=> Too many validation retries"
    402. 

  402.             check_result $E_CONNECT "Let's Encrypt domain validation timeout ($domain)"
    403. 

  403.         fi
    404. 

  404.         sleep $((i*2))
    405. 

  405.     done
    406. 

  406.     if [ "$validation" = 'invalid' ]; then
    407. 

  407.         # Delete DNS CAA record
    408. 

  408.         if [ ! -z "$DNS_SYSTEM" ]; then
    409. 

  409.             dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
    410. 

  410.             caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "letsencrypt" | cut -d' ' -f1)
    411. 

  411. 

  412.             if [ "$dns_domain" = "$domain" ]; then
    413. 

  413.                 if [ ! -z "$caa_record" ]; then
    414. 

  414.                     $BIN/v-delete-dns-record $user $domain $caa_record
    415. 

  415.                 fi
    416. 

  416.             fi
    417. 

  417.         fi
    418. 

  418.         check_result $E_CONNECT "Let's Encrypt domain verification failed ($domain)"
    419. 

  419.     fi
    420. 

  420. done
    421. 

  421. 

  422. # Generating new ssl certificate
    423. 

  423. ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "info@$domain" "US" "California"\
    424. 

  424.     "San Francisco" "Hestia" "IT" "$aliases" |tail -n1 |awk '{print $2}')
    425. 

  425. 

  426. # Sending CSR to finalize order / STEP 6
    427. 

  427. csr=$(openssl req -in $ssl_dir/$domain.csr -outform DER |encode_base64)
    428. 

  428. payload='{"csr":"'$csr'"}'
    429. 

  429. answer=$(query_le_v2 "$finalize" "$payload" "$nonce")
    430. 

  430. nonce=$(echo "$answer" |grep -i nonce |cut -f2 -d \ |tr -d '\r\n')
    431. 

  431. status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
    432. 

  432. certificate=$(echo "$answer"|grep 'certificate":' |cut -f4 -d '"')
    433. 

  433. 

  434. debug_log "Step 6" "- status: ${status}\n- nonce: ${nonce}\n- payload: ${payload}\n- certificate: ${certificate}\n- answer: ${answer}"
    435. 

  435. 

  436. if [[ "$status" -ne 200 ]]; then
    437. 

  437.     [ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
    438. 

  438.     check_result $E_CONNECT "Let's Encrypt finalize bad status $status ($domain)"
    439. 

  439. fi
    440. 

  440. 

  441. # Downloading signed certificate / STEP 7
    442. 

  442. status=0
    443. 

  443. retry=0
    444. 

  444. 

  445. while [[ $status != 200 && $retry -lt 3 ]]; do
    446. 

  446. 

  447.     answer=$(query_le_v2 "$certificate" "" "$nonce" "$ssl_dir/$domain.pem")
    448. 

  448.     status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
    449. 

  449. 

  450.     debug_log "Step 7" "- status: ${status}\n- retry: ${retry}\n- answer: ${answer}"
    451. 

  451. 

  452.     if [[ $status != 200 ]]; then
    453. 

  453.         retry=$((retry + 1))
    454. 

  454.         sleep $((retry * 2))    # Sleep for 2s, 4s, 6s, 8s
    455. 

  455.     fi
    456. 

  456. 

  457. done
    458. 

  458. 

  459. # Fallback on depreciated download method for certs (unauthenticated GET)
    460. 

  460. if [[ $status != 200 ]]; then
    461. 

  461.     answer=$(curl  --insecure --retry 5 --retry-connrefused --silent --dump-header /dev/stdout "$certificate" --output "$ssl_dir/$domain.pem")
    462. 

  462.     status=$(echo "$answer"|grep HTTP/ |tail -n1 |cut -f 2 -d ' ')
    463. 

  463. 

  464.     debug_log "Step 7 - Fallback" "- status: ${status}\n- answer: ${answer}"
    465. 

  465. fi
    466. 

  466. 

  467. debug_log "CERT DIR" "$(ls -las "$ssl_dir/")"
    468. 

  468. debug_log "CERT PEM" "$(cat "$ssl_dir/$domain.pem")"
    469. 

  469. 

  470. 

  471. if [[ "$status" -ne 200 ]]; then
    472. 

  472.     [ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
    473. 

  473.     check_result $E_NOTEXIST "Let's Encrypt downloading signed cert failed status:$status ($domain)"
    474. 

  474. fi
    475. 

  475. 

  476. # Splitting up downloaded pem
    477. 

  477. crt_end=$(grep -n 'END CERTIFICATE' $ssl_dir/$domain.pem |head -n1 |cut -f1 -d:)
    478. 

  478. head -n $crt_end $ssl_dir/$domain.pem > $ssl_dir/$domain.crt
    479. 

  479. 

  480. pem_lines=$(wc -l $ssl_dir/$domain.pem |cut -f 1 -d ' ')
    481. 

  481. ca_end=$(grep -n  'BEGIN CERTIFICATE' $ssl_dir/$domain.pem |tail -n1 |cut -f 1 -d :)
    482. 

  482. ca_end=$(( pem_lines - crt_end + 1 ))
    483. 

  483. tail -n $ca_end $ssl_dir/$domain.pem > $ssl_dir/$domain.ca
    484. 

  484. 

  485. debug_log "CERT CRT" "$(cat "$ssl_dir/$domain.crt")"
    486. 

  486. debug_log "CERT CA-1" "$(cat "$ssl_dir/$domain.ca")"
    487. 

  487. # Temporary fix for double "END CERTIFICATE"
    488. 

  488. if [[ $(head -n 1 $ssl_dir/$domain.ca) = "-----END CERTIFICATE-----" ]]; then
    489. 

  489.     sed -i '1,2d' $ssl_dir/$domain.ca
    490. 

  490. fi
    491. 

  491. debug_log "CERT CA-2" "$(cat "$ssl_dir/$domain.ca")"
    492. 

  492. 

  493. # Rename certs for mail
    494. 

  494. if [ ! -z "$mail" ]; then
    495. 

  495.     mv $ssl_dir/$domain.ca $ssl_dir/$root_domain.ca
    496. 

  496.     mv $ssl_dir/$domain.crt $ssl_dir/$root_domain.crt
    497. 

  497.     mv $ssl_dir/$domain.csr $ssl_dir/$root_domain.csr
    498. 

  498.     mv $ssl_dir/$domain.key $ssl_dir/$root_domain.key
    499. 

  499.     mv $ssl_dir/$domain.pem $ssl_dir/$root_domain.pem
    500. 

  500. fi
    501. 

  501. 

  502. # Adding SSL
    503. 

  503. if [ -z "$mail" ]; then
    504. 

  504.     ssl_home=$(search_objects 'web' 'LETSENCRYPT' 'yes' 'SSL_HOME')
    505. 

  505.     ssl_enabled="$(get_object_value 'web' 'DOMAIN' "$domain" '$SSL')"
    506. 

  506.     ssl_force="$(get_object_value 'web' 'DOMAIN' "$domain" '$SSL_FORCE')"
    507. 

  507.     [[ "$ssl_enabled" = "yes" ]] && $BIN/v-delete-web-domain-ssl $user $domain > /dev/null 2>&1
    508. 

  508.     $BIN/v-add-web-domain-ssl $user $domain $ssl_dir $ssl_home
    509. 

  509.     [[ "$ssl_force" = "yes" ]] && $BIN/v-add-web-domain-ssl-force $user $domain > /dev/null 2>&1
    510. 

  510. else
    511. 

  511.     ssl_enabled="$(get_object_value 'mail' 'DOMAIN' "$root_domain" '$SSL')"
    512. 

  512.     [[ "$ssl_enabled" = "yes" ]] && $BIN/v-delete-mail-domain-ssl $user $root_domain > /dev/null 2>&1
    513. 

  513.     $BIN/v-add-mail-domain-ssl $user $root_domain $ssl_dir
    514. 

  514. fi
    515. 

  515. 

  516. if [ "$?" -ne '0' ]; then
    517. 

  517.     [ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
    518. 

  518.     touch $HESTIA/data/queue/letsencrypt.pipe
    519. 

  519.     sed -i "/ $domain /d" $HESTIA/data/queue/letsencrypt.pipe
    520. 

  520.     send_notice 'LETSENCRYPT' "$domain certificate installation failed ($domain)"
    521. 

  521.     check_result $? "SSL install" > /dev/null
    522. 

  522. fi
    523. 

  523. 

  524. # Adding LE autorenew cronjob
    525. 

  525. if [ -z "$(grep v-update-lets $HESTIA/data/users/admin/cron.conf)" ]; then
    526. 

  526.     min=$(generate_password '012345' '2')
    527. 

  527.     hour=$(generate_password '1234567' '1')
    528. 

  528.     cmd="sudo $BIN/v-update-letsencrypt-ssl"
    529. 

  529.     $BIN/v-add-cron-job admin "$min" "$hour" '*' '*' '*' "$cmd" > /dev/null
    530. 

  530. fi
    531. 

  531. 

  532. # Updating letsencrypt key
    533. 

  533. if [ -z "$mail" ]; then
    534. 

  534.     if [ -z "$LETSENCRYPT" ]; then
    535. 

  535.         add_object_key "web" 'DOMAIN' "$domain" 'LETSENCRYPT' 'FTP_USER'
    536. 

  536.         add_object_key "web" 'DOMAIN' "$domain" 'LETSENCRYPT_FAIL_COUNT' 'LETSENCRYPT'
    537. 

  537.     fi
    538. 

  538.     update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT' 'yes'
    539. 

  539.     update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT_FAIL_COUNT' "0"
    540. 

  540. else
    541. 

  541.     if [ -z "$LETSENCRYPT" ]; then
    542. 

  542.         add_object_key "mail" 'DOMAIN' "$root_domain" 'LETSENCRYPT'
    543. 

  543.         add_object_key "mail" 'DOMAIN' "$root_domain" 'LETSENCRYPT_FAIL_COUNT' 'LETSENCRYPT'
    544. 

  544.     fi
    545. 

  545.     update_object_value 'mail' 'DOMAIN' "$root_domain" '$LETSENCRYPT' 'yes'
    546. 

  546.     update_object_value 'mail' 'DOMAIN' "$root_domain" '$LETSENCRYPT_FAIL_COUNT' "0"
    547. 

  547. fi
    548. 

  548. 

  549. # Remove challenge folder if exist
    550. 

  550. if [ ! -z "$well_known" ]; then
    551. 

  551.     rm -fr $well_known
    552. 

  552. fi
    553. 

  553. 

  554. # Remove temporary SSL folder
    555. 

  555. [ -d "$ssl_dir" ] && rm -rf "$ssl_dir"
    556. 

  556. 

  557. #----------------------------------------------------------#
    558. 

  558. #                        Hestia                            #
    559. 

  559. #----------------------------------------------------------#
    560. 

  560. 

  561. # Deleting task from queue
    562. 

  562. touch $HESTIA/data/queue/letsencrypt.pipe
    563. 

  563. sed -i "/ $domain /d" $HESTIA/data/queue/letsencrypt.pipe
    564. 

  564. 

  565. # Notifying user
    566. 

  566. send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully"
    567. 

  567. 

  568. # Logging
    569. 

  569. log_event "$OK" "$ARGUMENTS"
    570. 

  570. 

  571. # Cleanup debug since the SSL was issues succesfully
    572. 

  572. rm -f "$log_file"
    573. 

  573. 

  574. exit
    575.