From 8f282dadca9ed49cf43f3db7ffaeada750b02837 Mon Sep 17 00:00:00 2001 From: Mustafa Ramadhan Date: Sat, 21 May 2016 08:19:52 +0700 Subject: [PATCH] use letsencrypt-auto instead acme.sh (bug?); use '--webroot' for letsencrypt; add http/2 feature for apache; add merge and symlink info to log for letsencrypt; mod pure-ftpd.init; install acme.sh and letsencrypt-auto together --- kloxo/bin/kloxoversion | 2 +- kloxo/file/acme.sh/tpl/acme.sh.tpl | 7 +- kloxo/file/apache/tpl/defaults.conf.tpl | 17 +- kloxo/file/apache/tpl/domains.conf.tpl | 147 +++++++++++++++++- kloxo/file/letsencrypt/tpl/letsencrypt.sh.tpl | 45 +++++- .../file/pure-ftpd/etc/init.d/pure-ftpd.init | 6 +- kloxo/httpdocs/driver/pserver/sslcertlib.php | 28 ++-- kloxo/httpdocs/lib/html/lib.php | 9 +- 8 files changed, 230 insertions(+), 31 deletions(-) diff --git a/kloxo/bin/kloxoversion b/kloxo/bin/kloxoversion index ff82984dd4..8c341b01fa 100644 --- a/kloxo/bin/kloxoversion +++ b/kloxo/bin/kloxoversion @@ -1 +1 @@ -7.0.0.b-2016052101 \ No newline at end of file +7.0.0.b-2016052102 \ No newline at end of file diff --git a/kloxo/file/acme.sh/tpl/acme.sh.tpl b/kloxo/file/acme.sh/tpl/acme.sh.tpl index 4013e02aac..34e8952f7a 100644 --- a/kloxo/file/acme.sh/tpl/acme.sh.tpl +++ b/kloxo/file/acme.sh/tpl/acme.sh.tpl @@ -40,8 +40,7 @@ else action="--issue" fi -## MR -- change '--webroot /var/run/letsencrypt' to '--standalone' -/usr/bin/acme.sh ${action} --standalone \ +/usr/bin/acme.sh ${action} --webroot /var/run/letsencrypt \ >> ${logdir}/acme.sh.log \ &> ${logdir}/acme.sh_temp.log @@ -58,7 +57,9 @@ fi if [ -f ${rootpath}/${maindom}/ca.cer ] ; then cd ${rootpath}/${maindom} - cat ${maindom}.key ${maindom}.cer ca.cer > ${maindom}.pem + merge="cat ${maindom}.key ${maindom}.cer ca.cer > ${maindom}.pem" + echo "[$(date)] ${merge}" >> ${logdir}/acme.sh.log + ${merge} for i in .ca .crt .key .pem ; do if [ "${i}" == ".ca" ] ; then 
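Review bot: Switching to `--webroot /var/run/letsencrypt` only works if every HTTP vhost for the domain maps `/.well-known/acme-challenge/` onto that directory, which nothing in this hunk guarantees; if the Apache templates do not add such an Alias, issuance that used to succeed with `--standalone` will now fail at validation (possibly the "bug?" from the title). On systemd hosts `/var/run` is usually a tmpfs that is emptied on reboot, so create the tree before the call, e.g. `mkdir -p /var/run/letsencrypt/.well-known/acme-challenge`, with ownership the web server can read. Note also that on the same command the trailing `&> ${logdir}/acme.sh_temp.log` overrides the preceding `>> ${logdir}/acme.sh.log` for stdout, so acme.sh's own output never reaches acme.sh.log; drop one of the two redirections or use `2>&1 | tee -a`.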
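Review bot: `${merge}` does not perform the redirection embedded in the string: word splitting hands `>` and `${maindom}.pem` to `cat` as file names, `cat` fails on `>`, the key and chain are printed to stdout, and `${maindom}.pem` is never written, so the `.pem` symlink created by the loop below points at nothing. Keep the string for logging only and run the command directly: `echo "[$(date)] ${merge}" >> ${logdir}/acme.sh.log` followed by `cat ${maindom}.key ${maindom}.cer ca.cer > ${maindom}.pem`. Because the merged file contains the private key, set `umask 077` before the `cat` (or `chmod 600 ${maindom}.pem` afterwards) rather than relying on the default umask. The `for` loop that creates the symlinks continues past the end of the hunk.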
diff --git a/kloxo/file/apache/tpl/defaults.conf.tpl b/kloxo/file/apache/tpl/defaults.conf.tpl index 1d6c775799..1605016204 100644 --- a/kloxo/file/apache/tpl/defaults.conf.tpl +++ b/kloxo/file/apache/tpl/defaults.conf.tpl @@ -293,7 +293,9 @@ foreach ($certnamelist as $ip => $certname) { if ($count !== 0) { ?> - Include /.conf + + Protocols h2 http/1.1 + SSLEngine On @@ -304,13 +306,22 @@ foreach ($certnamelist as $ip => $certname) { SSLCertificateFile .pem SSLCertificateKeyFile .key SSLCACertificatefile .ca + + Include /.conf + + + + + Protocols h2c http/1.1 $certname) { if ($count !== 0) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -218,6 +222,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + @@ -333,6 +344,10 @@ foreach ($certnamelist as $ip => $certname) { if ($count !== 0) { ?> + + Protocols h2 http/1.1 + + SSLEngine on SSLProtocol ALL -SSLv2 -SSLv3 @@ -342,14 +357,21 @@ foreach ($certnamelist as $ip => $certname) { SSLCertificateFile .pem SSLCertificateKeyFile .key SSLCACertificatefile .ca Include /.conf + + + + + Protocols h2c http/1.1 $certname) { if ($count !== 0) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -484,6 +510,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + @@ -512,6 +545,10 @@ foreach ($certnamelist as $ip => $certname) { if ($count !== 0) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -530,6 +567,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + @@ -658,6 +702,10 @@ foreach ($certnamelist as $ip => $certname) { if ($enablessl) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -676,6 +724,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + $certname) { if ($enablessl) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 
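Review bot: `Protocols h2 http/1.1` is added next to `SSLProtocol ALL -SSLv2 -SSLv3`, which still permits TLS 1.0 and 1.1; RFC 7540 §9.2 requires TLS 1.2 or later and bans a list of cipher suites for h2, and mod_http2 enforces that by default (`H2ModernTLSOnly on`), so a client that negotiates anything weaker is refused with INADEQUATE_SECURITY rather than quietly downgraded. Tighten the TLS settings in the same vhost so the two directives agree, e.g. `SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` plus an explicit `SSLCipherSuite` and `SSLHonorCipherOrder on`. `Protocols` is a core directive only from Apache 2.4.17, and the extraction appears to have stripped the conditional these lines sit in (presumably an `<IfModule mod_http2.c>` block); if there is no such guard, older builds fail `httpd -t` on an unknown directive, and newer releases additionally refuse to serve h2 under the prefork MPM, so a version/MPM guard is worth adding. The vhost these lines belong to starts before the hunk.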
@@ -1035,6 +1094,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + $certname) { if ($enablessl) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -1191,6 +1261,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + $certname) { if ($count !== 0) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -1247,6 +1328,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + @@ -1362,6 +1450,10 @@ foreach ($certnamelist as $ip => $certname) { if ($count !== 0) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -1380,6 +1472,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + @@ -1408,6 +1507,10 @@ foreach ($certnamelist as $ip => $certname) { if ($count !== 0) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -1426,6 +1529,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + @@ -1557,6 +1667,10 @@ foreach ($certnamelist as $ip => $certname) { if ($count !== 0) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -1575,6 +1689,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + @@ -1690,6 +1811,10 @@ foreach ($certnamelist as $ip => $certname) { if ($count !== 0) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -1708,6 +1833,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + @@ -1736,6 +1868,10 @@ foreach ($certnamelist as $ip => $certname) { if ($count !== 0) { ?> + + Protocols h2 http/1.1 + + SSLEngine On SSLProtocol ALL -SSLv2 -SSLv3 @@ -1754,6 +1890,13 @@ foreach ($certnamelist as $ip => $certname) { } ?> + + + + Protocols h2c http/1.1 + 
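Review bot: `Protocols h2c http/1.1` on the plain-HTTP vhosts (here the last hunk of domains.conf.tpl) buys nothing for browsers, none of which negotiate cleartext HTTP/2, while it enables both the `Upgrade: h2c` path and prior-knowledge h2c for every client on port 80, i.e. extra framing-parser surface on the unauthenticated side. Unless a specific non-browser client needs h2c, leave port 80 at `Protocols http/1.1` (or omit the directive) and advertise `h2` only on the TLS vhosts; if port 80 exists mainly to redirect to HTTPS, h2c is doubly unnecessary. The vhost these lines belong to begins before the hunk.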
diff --git a/kloxo/file/letsencrypt/tpl/letsencrypt.sh.tpl b/kloxo/file/letsencrypt/tpl/letsencrypt.sh.tpl index 7cd3104225..ff2268a48a 100644 --- a/kloxo/file/letsencrypt/tpl/letsencrypt.sh.tpl +++ b/kloxo/file/letsencrypt/tpl/letsencrypt.sh.tpl @@ -21,14 +21,55 @@ $doms = explode(" ", $subjectAltName); + $count = 1; + foreach ($doms as $k => $v) { + if ($count === 1) { + $basedom = $v; + } + $dom .= "\t--domain $v \\\n"; + + $count++; } ?> #!/bin/sh +logdir="/var/log/letsencrypt" +lepath="/etc/letsencrypt/live" +sslpath="/home/kloxo/ssl" +maindom="" + letsencrypt-auto certonly --agree-tos --text --renew-by-default \ --duplicate --webroot --webroot-path /var/run/letsencrypt \ \ - - || exit 1 + >/dev/null 2>&1 + +RETVAL=$? + +if [ -f ${lepath}/${maindom}/chain.pem ] ; then + cd ${lepath}/${maindom} + + STAMP=$(date +%Y-%m-%d:%H:%M:%S) + merge="cat privkey.pem cert.pem chain.pem > all.pem" + ${merge} + echo "${STAMP}:Merge files with '${merge}'" >> ${logdir}/letsencrypt.log + + for i in privkey.pem cert.pem chain.pem all.pem ; do + if [ "${i}" == "privkey.pem" ] ; then + slink="ln -sf ${lepath}/${maindom}/privkey.pem ${sslpath}/${maindom}.key" + elif [ "${i}" == "cert.pem" ] ; then + slink="ln -sf ${lepath}/${maindom}/cert.pem ${sslpath}/${maindom}.crt" + elif [ "${i}" == "chain.pem" ] ; then + slink="ln -sf ${lepath}/${maindom}/chain.pem ${sslpath}/${maindom}.ca" + elif [ "${i}" == "all.pem" ] ; then + slink="ln -sf ${lepath}/${maindom}/all.pem ${sslpath}/${maindom}.pem" + fi + + STAMP=$(date +%Y-%m-%d:%H:%M:%S) + ${slink} + echo "${STAMP}:Create symlink with '${slink}'" >> ${logdir}/letsencrypt.log + done +fi + +exit $RETVAL diff --git a/kloxo/file/pure-ftpd/etc/init.d/pure-ftpd.init b/kloxo/file/pure-ftpd/etc/init.d/pure-ftpd.init index 91144f30a2..51f30c7969 100644 --- a/kloxo/file/pure-ftpd/etc/init.d/pure-ftpd.init +++ b/kloxo/file/pure-ftpd/etc/init.d/pure-ftpd.init 
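Review bot: `${merge}` expands to a word list, so the `>` reaches `cat` as a file name instead of a redirection: `cat` errors on `>`, the key/cert/chain go to the script's stdout and `all.pem` is never written, which leaves the `${sslpath}/${maindom}.pem` symlink that Apache reads as `SSLCertificateFile` dangling. Run `cat privkey.pem cert.pem chain.pem > all.pem` directly (keeping the string for the log line) with `umask 077` set first, since the merged file contains the private key and should not depend on the directory's permissions. `>/dev/null 2>&1` on the `letsencrypt-auto` call discards the only diagnostics a failed issuance produces, so the PHP caller that throws `create_certificate_failed` has nothing to show; append to `${logdir}/letsencrypt.log` instead. `all.pem` is also a regular file beside certbot's symlinks, so after an automatic renewal it keeps the old key and cert until this script is rerun, and in the PHP prologue `$dom .= "\t--domain $v \\\n"` interpolates each SAN into a shell command unquoted — `escapeshellarg($v)` is cheap insurance unless the value is already validated as a hostname upstream.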
@@ -32,16 +32,18 @@ start() { echo -n $"Starting $prog: " daemon "$pure_launch_script $pure_config --daemonize > /dev/null" RETVAL=$? - [ $RETVAL = 0 ] && touch /var/lock/subsys/pure-ftpd echo + [ $RETVAL = 0 ] && touch /var/lock/subsys/pure-ftpd + return $RETVAL } stop() { echo -n $"Stopping $prog: " killproc pure-ftpd RETVAL=$? - [ $RETVAL = 0 ] && rm -f /var/lock/subsys/pure-ftpd echo + [ $RETVAL = 0 ] && rm -f /var/lock/subsys/pure-ftpd + return $RETVAL } # See how we were called. diff --git a/kloxo/httpdocs/driver/pserver/sslcertlib.php b/kloxo/httpdocs/driver/pserver/sslcertlib.php index 3b0c198667..efca8a56bd 100644 --- a/kloxo/httpdocs/driver/pserver/sslcertlib.php +++ b/kloxo/httpdocs/driver/pserver/sslcertlib.php @@ -693,11 +693,11 @@ function createLetsencrypt() // MR -- disable because use ssl_data_b for key_bits // $input['key_bits'] = $this->key_bits; - // $tplsource = getLinkCustomfile("/opt/configs/letsencrypt/tpl", "letsencrypt.sh.tpl"); - // $tpltarget = "{$shpath}/{$name}_letsencrypt.sh"; + $tplsource = getLinkCustomfile("/opt/configs/letsencrypt/tpl", "letsencrypt.sh.tpl"); + $tpltarget = "{$shpath}/{$name}_letsencrypt.sh"; - $tplsource = getLinkCustomfile("/opt/configs/acme.sh/tpl", "acme.sh.tpl"); - $tpltarget = "{$shpath}/{$name}_acme.sh"; + // $tplsource = getLinkCustomfile("/opt/configs/acme.sh/tpl", "acme.sh.tpl"); + // $tpltarget = "{$shpath}/{$name}_acme.sh"; $tpl = lfile_get_contents($tplsource); 
@@ -711,23 +711,23 @@ function createLetsencrypt() lfile_put_contents($tpltarget, $tplparse); } - // exec("cd {$shpath}; sh {$name}_letsencrypt.sh", $out, $ret); - exec("cd {$shpath}; sh {$name}_acme.sh", $out, $ret); + exec("cd {$shpath}; sh {$name}_letsencrypt.sh", $out, $ret); + // exec("cd {$shpath}; sh {$name}_acme.sh", $out, $ret); if ($ret !== 0) { throw new lxException($login->getThrow("create_certificate_failed"), '', $parent->nname); } - // $lepath = "/etc/letsencrypt/live/{$name}"; - $lepath = "/root/.acme.sh/{$name}"; + $lepath = "/etc/letsencrypt/live/{$name}"; + // $lepath = "/root/.acme.sh/{$name}"; - // $this->text_key_content = lfile_get_contents("{$lepath}/privkey.pem"); - // $this->text_crt_content = lfile_get_contents("{$lepath}/cert.pem"); - // $this->text_ca_content = lfile_get_contents("{$lepath}/chain.pem"); + $this->text_key_content = lfile_get_contents("{$lepath}/privkey.pem"); + $this->text_crt_content = lfile_get_contents("{$lepath}/cert.pem"); + $this->text_ca_content = lfile_get_contents("{$lepath}/chain.pem"); - $this->text_key_content = lfile_get_contents("{$lepath}/{$name}.key"); - $this->text_crt_content = lfile_get_contents("{$lepath}/{$name}.cer"); - $this->text_ca_content = lfile_get_contents("{$lepath}/ca.cer"); + // $this->text_key_content = lfile_get_contents("{$lepath}/{$name}.key"); + // $this->text_crt_content = lfile_get_contents("{$lepath}/{$name}.cer"); + // $this->text_ca_content = lfile_get_contents("{$lepath}/ca.cer"); if ($parent->getClass() === 'web') { // MR -- disable because proses inside domain.com_acme.sh diff --git a/kloxo/httpdocs/lib/html/lib.php b/kloxo/httpdocs/lib/html/lib.php index 28af26476c..124fc29b8b 100644 --- a/kloxo/httpdocs/lib/html/lib.php +++ b/kloxo/httpdocs/lib/html/lib.php 
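Review bot: `exec("cd {$shpath}; sh {$name}_letsencrypt.sh", $out, $ret)` and the `{$lepath}` reads interpolate `$name` into a shell command and file paths without quoting; unless `$name` is guaranteed to be a validated hostname before reaching this code, wrap it in `escapeshellarg($name)` for the `exec` and reject values containing `/` or `..`. The PHP now reads `/etc/letsencrypt/live/{$name}/…`, but the generated letsencrypt.sh sets its `maindom` to the first entry of the SAN list, and certbot names the `live/` lineage after the first `--domain` (unless `--cert-name` is supported and passed), so whenever `$name` is not that first SAN these reads miss the files just issued — derive the path the same way the template does, or pass `--cert-name` if the installed client supports it. `$out` will mostly be empty because the script sends the client's output to `/dev/null`, so include `$ret` and a tail of the log in the thrown exception to make failures diagnosable. createLetsencrypt() starts and ends outside this hunk.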
@@ -8389,10 +8389,11 @@ function setAllSSLPortions($nolog = null) { log_cleanup("Setting All SSL Portions", $nolog); -// log_cleanup("- Installing Letsencrypt-auto", $nolog); -// setInstallLetsencrypt($nolog); - log_cleanup("- Removing Letsencrypt-auto", $nolog); - setRemoveLetsencrypt($nolog); + log_cleanup("- Installing Letsencrypt-auto", $nolog); + setInstallLetsencrypt($nolog); + +// log_cleanup("- Removing Letsencrypt-auto", $nolog); +// setRemoveLetsencrypt($nolog); log_cleanup("- Installing acme.sh", $nolog); setInstallAcmesh($nolog);
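Review bot: Re-enabling `setInstallLetsencrypt($nolog)` alongside `setInstallAcmesh($nolog)` means the host now carries two ACME clients, with the choice between them made by commenting code in and out both here and in sslcertlib.php rather than by a setting; the commented-out `setRemoveLetsencrypt` path will drift from the install path the next time either changes. A single flag (e.g. `$useAcmesh`) read by both this function and `createLetsencrypt()` would keep install, remove and issue consistent; put the obsolete toggles in history, not in comments. If `setInstallLetsencrypt` (body outside this hunk) fetches `letsencrypt-auto` over the network, pin a release tag and verify the download, since that script historically self-updates and installs its own dependencies as root on every run.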