#IP-1488 Fixed

#IP-1500 Fixed
Fixed: Wrong error handling in cert_view.php (openssl_x509_checkpurpose function aslo returns -1 which is not FALSE)
CS fixes
[ci skip]

CHANGELOG

@@ -8,7 +8,9 @@ CONFIG
 	Added: /dev/random and /dev/urandom to open_basedir (PHP)
 
 FRONTEND
+	Added: SSL status filed on domain management page (Client interface)
 	Fixed: Exception raised due to missing `ZIP` configuration variable
+	Fixed: Wrong error handling in cert_view.php (openssl_x509_checkpurpose function aslo returns -1 which is not FALSE)
 
 PACKAGES
 	Fixed: Global symbol "$rs" requires explicit package name at Package/Webstats/Awstats/Uninstaller.pm line 103
@@ -26,6 +28,10 @@ INSTALLER
 	Fixed: Wrong package name (mysql-client-5.5 instead of mysql-client-5.6) in Debian Stretch packages file
 	Pending: VsFTPd support for Debian Stretch - libpam-mysql package not available at this moment
 
+YOUTRACK
+	IP-1488 Show SSL-status on domain page
+	IP-1500 Update fails when a customer's SSL certificate is invalid or expired
+
 ------------------------------------------------------------------------------------------------------------------------
 1.2.15
 ------------------------------------------------------------------------------------------------------------------------

engine/PerlLib/Modules/SSLcertificate.pm

@@ -71,7 +71,7 @@ sub process
 	return $rs if $rs;
 
 	my @sql;
-	if($self->{'status'} ~~ ['toadd', 'tochange']) {
+	if($self->{'status'} ~~ [ 'toadd', 'tochange' ]) {
 		$rs = $self->add();
 		@sql = (
 			'UPDATE ssl_certs SET status = ? WHERE cert_id = ?',
@@ -92,7 +92,10 @@ sub process
 		return 1;
 	}
 
-	$rs;
+	# (since 1.2.16 - See #IP-1500)
+	# Return 0 to avoid any failure on update when a customer's SSL certificate is expired or invalid.
+	# It is the customer responsability to update the certificate throught his interface
+	0;
 }
 
 =item add()
@@ -128,7 +131,7 @@ sub add
 		'certificate_chain_name' => $self->{'domain_name'},
 		'private_key_container_path' => $privateKeyContainer,
 		'certificate_container_path' => $certificateContainer,
-		'ca_bundle_container_path' => (defined $caBundleContainer) ? $caBundleContainer : ''
+		'ca_bundle_container_path' => defined $caBundleContainer ? $caBundleContainer : ''
 	);
 
 	# Check certificate chain
@@ -229,7 +232,7 @@ sub _loadData
 
 	unless(exists $rdata->{$self->{'domain_id'}}) {
 		error(sprintf('SSL certificate with ID %s has not been found or is in an inconsistent state', $certificateId));
-    	return 1;
+		return 1;
 	}
 
 	$self->{'domain_name'} = $rdata->{$self->{'domain_id'}}->{'domain_name'};

engine/PerlLib/iMSCP/OpenSSL.pm

@@ -99,7 +99,7 @@ sub validateCertificate
 	if ($self->{'certificate_container_path'} eq '') {
 		error('Path to SSL certificate container file is not set');
 		return 1;
-	} elsif(! -f $self->{'certificate_container_path'}) {
+	} elsif(!-f $self->{'certificate_container_path'}) {
 		error(sprintf("SSL certificate container %s doesn't exists", $self->{'certificate_container_path'}));
 		return 1;
 	}
@@ -118,6 +118,7 @@ sub validateCertificate
 	my @cmd = (
 		'openssl verify',
 		$caBundle ? ('-CAfile', escapeShell($self->{'ca_bundle_container_path'})) : '',
+		'-purpose sslserver',
 		escapeShell($self->{'certificate_container_path'})
 	);
 
@@ -199,7 +200,7 @@ sub importCertificate
 
 	my $certificate = $file->get();
 	unless(defined $certificate) {
-		error(sprintf('Could not read %s', $self->{'certificate_container_path'}));
+		error(sprintf('Could not read %s file', $self->{'certificate_container_path'}));
 		return 1;
 	}
 
@@ -217,7 +218,7 @@ sub importCertificate
 
 	$rs = execute("@cmd", \my $stdout, \my $stderr);
 	debug($stdout) if $stdout;
-	warning($stderr) if $stderr && ! $rs;
+	warning($stderr) if $stderr && !$rs;
 	error('Could not import SSL certificate' . ($stderr ? ": $stderr" : '')) if $rs;
 	$rs;
 }
@@ -242,7 +243,7 @@ sub ImportCaBundle
 
 	my $caBundle = $file->get();
 	unless(defined $caBundle) {
-		error(sprintf('Could not read %s', $self->{'ca_bundle_container_path'}));
+		error(sprintf('Could not read %s file', $self->{'ca_bundle_container_path'}));
 		return 1;
 	}
 
@@ -259,7 +260,7 @@ sub ImportCaBundle
 
 	$rs = execute("@cmd", \my $stdout, \my $stderr);
 	debug($stdout) if $stdout;
-	warning($stderr) if $stderr && ! $rs;
+	warning($stderr) if $stderr && !$rs;
 	error('Could not import CA Bundle' . ($stderr ? ": $stderr" : '')) if $rs;
 	$rs;
 }
@@ -304,7 +305,7 @@ sub createSelfSignedCertificate
 
 	my $rs = execute("@cmd", \my $stdout, \my $stderr);
 	debug($stdout) if $stdout;
-	debug($stderr) if $stderr && ! $rs;
+	debug($stderr) if $stderr && !$rs;
 	error('Could not to generate self-signed certificate' . ($stderr ? ": $stderr" : '')) if $rs;
 	$rs
 }

gui/public/client/cert_view.php

@@ -40,46 +40,22 @@ function _client_getDomainName($domainId, $domainType)
                 break;
             case 'als':
                 $query = '
-                    SELECT
-                        alias_name AS domain_name
-                    FROM
-                        domain_aliasses
-                    INNER JOIN
-                        domain USING(domain_id)
-                    WHERE
-                        alias_id = ?
-                    AND
-                        domain_admin_id = ?
+                    SELECT alias_name AS domain_name FROM domain_aliasses INNER JOIN domain USING(domain_id)
+                    WHERE alias_id = ?
+                    AND domain_admin_id = ?
             ';
                 break;
             case 'sub':
                 $query = "
-                    SELECT
-                        CONCAT(subdomain_name, '.', domain_name) AS domain_name
-                    FROM
-                        subdomain
-                    INNER JOIN
-                        domain USING(domain_id)
-                    WHERE
-                        subdomain_id = ?
-                    AND
-                        domain_admin_id = ?
+                    SELECT CONCAT(subdomain_name, '.', domain_name) AS domain_name FROM subdomain
+                    INNER JOIN domain USING(domain_id) WHERE subdomain_id = ? AND domain_admin_id = ?
                 ";
                 break;
             default:
                 $query = "
-                    SELECT
-                        CONCAT(subdomain_alias_name, '.', alias_name) AS domain_name
-                    FROM
-                        subdomain_alias
-                    INNER JOIN
-                        domain_aliasses USING(alias_id)
-                    INNER JOIN domain
-                        USING(domain_id)
-                    WHERE
-                        subdomain_alias_id = ?
-                    AND
-                        domain_admin_id = ?
+                    SELECT CONCAT(subdomain_alias_name, '.', alias_name) AS domain_name FROM subdomain_alias
+                    INNER JOIN domain_aliasses USING(alias_id) INNER JOIN domain USING(domain_id)
+                    WHERE subdomain_alias_id = ? AND domain_admin_id = ?
                 ";
         }
 
@@ -214,24 +190,24 @@ function client_generateSelfSignedCert($domainName)
     );
 
     $sslConfig = array('config' => $sslConfigFilePath);
-    $csr = openssl_csr_new($distinguishedName, $pkey, $sslConfig);
+    $csr = @openssl_csr_new($distinguishedName, $pkey, $sslConfig);
     if (!is_resource($csr)) {
         write_log(sprintf('Could not generate SSL certificate signing request: %s', openssl_error_string()), E_USER_ERROR);
         return false;
     }
 
-    if (!@openssl_pkey_export($pkey, $pkeyStr, null, $sslConfig)) {
+    if (@openssl_pkey_export($pkey, $pkeyStr, null, $sslConfig) !== true) {
         write_log(sprintf('Could not export private key: %s', openssl_error_string()), E_USER_ERROR);
         return false;
     }
 
-    $cert = openssl_csr_sign($csr, null, $pkeyStr, 365, $sslConfig, $_SESSION['user_id'] . time());
+    $cert = @openssl_csr_sign($csr, null, $pkeyStr, 365, $sslConfig, $_SESSION['user_id'] . time());
     if (!is_resource($cert)) {
         write_log(sprintf('Could not generate SSL certificate: %s', openssl_error_string()));
         return false;
     }
 
-    if (!@openssl_x509_export($cert, $certStr)) {
+    if (@openssl_x509_export($cert, $certStr) !== true) {
         write_log(sprintf('Could not export SSL certificate: %s', openssl_error_string()), E_USER_ERROR);
         return false;
     }
@@ -299,13 +275,13 @@ function client_addSslCert($domainId, $domainType)
             return;
         }
 
-        if (!@openssl_x509_check_private_key($certificate, $privateKey)) {
+        if (@openssl_x509_check_private_key($certificate, $privateKey) !== true) {
             set_page_message(tr("The private key doesn't belong to the provided SSL certificate."), 'error');
             return;
         }
 
-        if (!($tmpfname = @tempnam(sys_get_temp_dir(), (intval($_SESSION['user_id']) . 'ssl-ca')))) {
-            write_log('Could not create temporary file for CA bundle..', E_USER_ERROR);
+        if (($tmpfname = @tempnam(sys_get_temp_dir(), (intval($_SESSION['user_id']) . 'ssl-ca'))) === false) {
+            write_log('Could not create temporary file for CA bundle.', E_USER_ERROR);
             set_page_message(tr('Could not add/update SSL certificate. An unexpected error occurred.'), 'error');
             return;
         }
@@ -315,22 +291,25 @@ function client_addSslCert($domainId, $domainType)
         }, $tmpfname);
 
         if ($caBundle !== '') {
-            if (!@file_put_contents($tmpfname, $caBundle)) {
-                write_log('Could not export customer CA bundle in temporary file.', E_USER_ERROR);
+            if (@file_put_contents($tmpfname, $caBundle) === false) {
+                write_log('Could not write CA bundle in temporary file.', E_USER_ERROR);
                 set_page_message(tr('Could not add/update SSL certificate. An unexpected error occurred.'), 'error');
                 return;
             }
 
-            // Note: Here we also add the CA bundle in the trusted chain to support self-signed certificates
-            if (!@openssl_x509_checkpurpose($certificate, X509_PURPOSE_SSL_SERVER, array($config['DISTRO_CA_BUNDLE'], $tmpfname), $tmpfname)) {
+            if (@openssl_x509_checkpurpose($certificate, X509_PURPOSE_SSL_SERVER, array($config['DISTRO_CA_BUNDLE']), $tmpfname) !== true) {
                 set_page_message(tr('At least one intermediate certificate is invalid or missing.'), 'error');
                 return;
             }
         } else {
-            @file_put_contents($tmpfname, $certificateStr);
+            if (@file_put_contents($tmpfname, $certificateStr) === false) {
+                write_log('Could not write SSL certificate in temporary file.', E_USER_ERROR);
+                set_page_message(tr('Could not add/update SSL certificate. An unexpected error occurred.'), 'error');
+                return;
+            }
 
             // Note: Here we also add the certificate in the trusted chain to support self-signed certificates
-            if (!@openssl_x509_checkpurpose($certificate, X509_PURPOSE_SSL_SERVER, array($config['DISTRO_CA_BUNDLE'], $tmpfname))) {
+            if(@openssl_x509_checkpurpose($certificate, X509_PURPOSE_SSL_SERVER, array($config['DISTRO_CA_BUNDLE'], $tmpfname)) !== true) {
                 set_page_message(tr('At least one intermediate certificate is invalid or missing.'), 'error');
                 return;
             }
@@ -339,14 +318,14 @@ function client_addSslCert($domainId, $domainType)
 
     // Preparing data for insertion in database
     if (!$selfSigned) {
-        if (!@openssl_pkey_export($privateKey, $privateKeyStr)) {
+        if (@openssl_pkey_export($privateKey, $privateKeyStr) === false) {
             write_log('Could not export private key.', E_USER_ERROR);
             set_page_message(tr('Could not add/update SSL certificate. An unexpected error occurred.'), 'error');
             return;
         }
 
         @openssl_pkey_free($privateKey);
-        if (!@openssl_x509_export($certificate, $certificateStr)) {
+        if (@openssl_x509_export($certificate, $certificateStr) === false) {
             write_log('Could not export SSL certificate.', E_USER_ERROR);
             set_page_message(tr('Could not add/update SSL certificate. An unexpected error occurred.'), 'error');
             return;
@@ -483,7 +462,9 @@ function client_generatePage($tpl, $domainId, $domainType)
         $caBundle = tohtml($row['ca_bundle']);
         $trAction = tr('Update');
         $status = $row['status'];
-        $tpl->assign('STATUS', translate_dmn_status($status));
+        $tpl->assign('STATUS', in_array($status, array('toadd', 'tochange', 'todelete', 'ok'))
+            ? translate_dmn_status($status)
+            : '<span style="color: red;font-weight: bold">' . tr('Invalid SSL certificate') . "</span>");
     } else {
         if (customerHasFeature('ssl')) {
             $dynTitle = tr('Add SSL certificate');
@@ -500,8 +481,7 @@ function client_generatePage($tpl, $domainId, $domainType)
         }
     }
 
-    if (
-        customerHasFeature('ssl') && isset($_POST['cert_id']) && isset($_POST['private_key']) &&
+    if (customerHasFeature('ssl') && isset($_POST['cert_id']) && isset($_POST['private_key']) &&
         isset($_POST['certificate']) && isset($_POST['ca_bundle'])
     ) {
         $certId = $_POST['cert_id'];
@@ -520,7 +500,7 @@ function client_generatePage($tpl, $domainId, $domainType)
         'TR_ACTION' => $trAction
     ));
 
-    if (!customerHasFeature('ssl') || (isset($status) && in_array($status, array('toadd', 'tochange', 'todelete')))) {
+    if (!customerHasFeature('ssl') || isset($status) && in_array($status, array('toadd', 'tochange', 'todelete'))) {
         $tpl->assign('SSL_CERTIFICATE_ACTIONS', '');
         if (!customerHasFeature('ssl')) {
             set_page_message(tr('SSL feature is not available. You can only view your certificate.'), 'static_warning');