security/acme-client: bugfix release 1.3

[fraenki]

New features

• GUI: hide HTTP-01 validation methods when not selected (similar to DNS-01)
• GUI: hide parameters for restart actions when not selected
• Advanced: make the timeout for (custom) restart commands configurable

Bugfixes

• properly import CA certificates (closes security/acme-client: properly handle issuer certs #84)
• do not make keys world-readable
• remove DNS-01 and HTTP-01 prefixes from validation names (they are obsolete now)
• avoid log message on missing restart action (fixes df2a727)

NOTE: Deleting an imported Let's Encrypt CA will automatically delete all LE certificates that are referenced.

For reference: A Let's Encrypt CA will only be imported on issue or renewal of a LE certificate. It may be required to forcefully renew an existing certificate to allow the CA to be imported.

[fraenki]

I've removed the prefixes as requested by @fabianfrz in #86 (review).

[fraenki]

@AdSchellevis Please review f65be49 :)

[AdSchellevis]

@fraenki empty else clause.

[fraenki]

thx, fixed already

[AdSchellevis]

@fraenki probably a bit off topic, but what does this run?

[fraenki]

Hmm, it's the "container" for the optional input fields. I'm not sure how it might work without this.

[AdSchellevis]

I'm not sure what you mean, can you point me to the code where it's used?

[fraenki]

this: https://github.com/fraenki/plugins/blob/6fcc7f8a5ae706279553601e606ee6d6da2b6766/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt#L59-L60

[AdSchellevis]

sorry, I meant the glue to the system action, not the volt template. My question was about the use of the parameter, it looked like an option to input shell commands, so I was curious :)

[fraenki]

It is indeed:

plugins/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php

Lines 1053 to 1090 in a3520c7

	$proc_cmd = (string)$action->custom;
	$proc = proc_open($proc_cmd, $proc_desc, $proc_pipes, null, $proc_env);
	// Make sure the resource could be setup properly
	if (is_resource($proc)) {
	fclose($proc_pipes[0]);
	// Wait until process terminates normally
	while (is_resource($proc)) {
	$proc_stdout .= stream_get_contents($proc_pipes[1]);
	$proc_stderr .= stream_get_contents($proc_pipes[2]);
	// Check if timeout is reached
	if (($timeout !== false) and ((time() - $starttime) > $timeout)) {
	// Terminate process if timeout is reached
	log_error("AcmeClient: timeout running restart action: " . $action->name);
	proc_terminate($proc, 9);
	$result = '99';
	break;
	}
	// Check if process terminated normally
	$status = proc_get_status($proc);
	if (!$status['running']) {
	fclose($proc_pipes[1]);
	fclose($proc_pipes[2]);
	proc_close($proc);
	$result = $status['exitcode'];
	break;
	}
	usleep(100000);
	}
	} else {
	log_error("AcmeClient: unable to initiate restart action: " . $action->name);
	continue; // Continue with next action.
	}
	$return = $result;

[AdSchellevis]

Is this really necessary? this causes quite some security concerns, we've tried to prevent for all other components we've developed.
Creating configd templates is not very complex and makes sure you can only execute safe code.
If someone adds rm -rf / your firewall is gone....

[fraenki]

I'm aware of the risk. I want to keep the plugin as flexible as possible and by far not all system commands are available as configd commands. Let me think about this a little bit... maybe we can discuss this further on IRC later this week...

[AdSchellevis]

@fraenki sure, I'll try to be online on IRC on Friday

[AdSchellevis]

probably easier to just $("."+service_id).show() , I don't expect it would mind if the class isn't there.

[fraenki]

fixed in 6fcc7f8

[fraenki]

@fichtner Feel free to merge if the next release of OPNsense is near, otherwise I'll keep on pushing fixes.

[fichtner]

@fraenki are you ok with the other dns updates and acme.sh update that went in previously to land in stable/17.1?

[fraenki]

Yes, they should be included in this release.

[fichtner]

@fraenki excellent... merged :)