acme client package for pfSense, initial commit #89
Conversation
…e webservers, some bugfixes
Not sure if it's of use, or too late, but there is a PHP implementation of ACME that's quite well done: https://github.com/kelunik/acme
Can't you just use the FreeBSD shell script package as a base? http://www.freshports.org/security/letsencrypt.sh/
Yes, that 'could' be possible now (it didn't exist when I first created the package..), and I'm willing to change it if one of the ESF guys tells me that would help get the pfSense package committed. So far I have not heard anything from them.
+1
@PiBa-NL you can go ahead and make all necessary changes. Let me know when you have a final version for proper revision. Thanks!
@PiBa-NL In case it's not clear, when the changes are made and accepted, we'll be bringing this to pfSense.
Take a look at https://github.com/lukas2511/dehydrated - this is the renamed (new) version of the FreeBSD shell script that @wernerdev refers to.
Yes, I shortly discussed with rbgarga; I am taking a look at the alternatives to the currently used 'lescript', which seems to hardly be maintained at all, to see which might be the 'best' way to integrate one of the other implementations. T.b.h. I've barely looked at further improvements the past half year as it was uncertain whether it would be 'allowed'; the 'go ahead' has been received :), need a few days though to switch.
Currently I'm leaning towards the Neilpang implementation, unless there are compelling reasons I've overlooked that the others are way better?
I actually use the DNS update option in acme.sh and it's pretty nice! The good thing about that is that you can still have your haproxy run on port 80 (and 443) without having to turn it off for a cert update. I'd vote for acme.sh if that's the only one that supports the DNS update method.
@rbgarga, I think it's ready to commit; still things to improve I guess, but those can follow later once people start testing it.
… license / added service restart action
…pkg-acme and provide webgui options for them + small fixes
…ting the proper accountkey
DNS-Manual works as expected! Thanks!
Installed on pfSense 2.3. Works fine with DNS-manual, although it couldn't find curl out of the box. Regarding the webroot method, it seems that $domain_info['webrootfolder'] was not set, so the following code fails: if ($domain_info['method'] == 'webroot') {
…th proper refid references, validate certificatename configured does not contain spaces as acme.sh does not handle them well
Seems to operate but could use some refinement and security improvements. See my inline comments for details.
function generateAccountKey() { | ||
unlink_if_exists("{$this->path_account}/account.key"); | ||
$this->debug = false; | ||
$this->execacmesh("--home {$this->acmeconf} --createAccountKey --accountkeylength 4096 --accountconf {$this->accountconfig}"); |
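Review bot: `--home {$this->acmeconf}` and `--accountconf {$this->accountconfig}` are interpolated straight into the shell command string, so a path containing whitespace or shell metacharacters splits or injects into the acme.sh invocation; wrap each value in escapeshellarg(). Separately, `$this->debug = false;` switches debugging off for this call with no comment saying why this call is special; if the intent is to keep the freshly generated key material out of debug output, a one-line comment would make that explicit.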
Must use escapeshellarg() around all parameters involving variables.
function registeraccount($key) { | ||
file_put_contents("{$this->path_account}/account.key", $key); | ||
$result = $this->execacmesh("" |
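Review bot: file_put_contents() creates account.key with whatever the process umask allows, and nothing here tightens it afterwards; a private account key should be 0600, so chmod() it immediately after the write (or set the umask before it). The `$key` contents are also written verbatim, with no check that they look like a PEM private key before the registration command that follows runs against them.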
Must use escapeshellarg() around all parameters involving variables.
using escapeshellarg now
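As an added example (not the package's own code: the path `/usr/local/pkg/acme/acme.sh`, the `--issue` flag placement and the two builder functions are hypothetical, modelled on the `--home` / `--accountconf` / `-d` invocation visible in the snippets above), here is the unescaped string interpolation beside the escapeshellarg() form, with a constructed hostile domain entry showing what the escaping actually prevents:

```php
<?php
// Added example, not the pfSense acme package's own code.
// Shows why every variable that ends up on the acme.sh command line
// must go through escapeshellarg(), and why escaping alone is not enough.

// Hypothetical configuration values; in the package these come from pfSense's $config.
$acmeHome   = '/tmp/acme/example';
$accountCfg = '/tmp/acme/example/account.conf';

// Constructed hostile input: a "domain" that carries a shell command.
$domains = ['example.com', 'www.example.com; touch /tmp/pwned #'];

// Vulnerable builder: plain interpolation. The ';' ends the acme.sh command
// and the shell then runs `touch /tmp/pwned` as the web server user.
function buildCommandUnsafe(string $home, string $accountCfg, array $domains): string
{
    $domainstr = '';
    foreach ($domains as $domain) {
        $domainstr .= " -d {$domain}";
    }
    return "/usr/local/pkg/acme/acme.sh --home {$home} --accountconf {$accountCfg} --issue{$domainstr}";
}

// Hardened builder: every variable becomes one single-quoted argv element,
// and each domain is validated as a DNS name before it is accepted at all.
function buildCommandSafe(string $home, string $accountCfg, array $domains): string
{
    $parts = [
        '/usr/local/pkg/acme/acme.sh',
        '--home', escapeshellarg($home),
        '--accountconf', escapeshellarg($accountCfg),
        '--issue',
    ];
    foreach ($domains as $domain) {
        // escapeshellarg() keeps the shell safe, but acme.sh would still receive
        // whatever is inside the quotes; a hostname whitelist closes that gap.
        if (!preg_match('/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i', $domain)) {
            throw new InvalidArgumentException("Invalid domain name: {$domain}");
        }
        $parts[] = '-d';
        $parts[] = escapeshellarg($domain);
    }
    return implode(' ', $parts);
}

// Unescaped form: the injected command is visible at the end of the line.
echo buildCommandUnsafe($acmeHome, $accountCfg, $domains), "\n";

// Escaped form: the hostile entry never reaches the shell at all.
try {
    echo buildCommandSafe($acmeHome, $accountCfg, $domains), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// With only valid names the escaped form yields single-quoted arguments:
// ... --issue -d 'example.com' -d 'www.example.com'
echo buildCommandSafe($acmeHome, $accountCfg, ['example.com', 'www.example.com']), "\n";
```

Where the execacmesh() wrapper itself can be changed, passing an argv array to proc_open() (supported since PHP 7.4) runs acme.sh without any shell in between, which removes the escaping question entirely; the hostname check stays useful either way, because it guards what acme.sh sees, not just what the shell sees.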
safe_mkdir($certpath); | ||
|
||
unlink_if_exists("{$certpath}/{$domain}.key"); | ||
$this->execacmesh("" |
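Review bot: unlink_if_exists() deletes `{$certpath}/{$domain}.key` before the acme.sh call that is supposed to replace it, so if that call fails (validation error, rate limit, network) the previously working key is gone while the old certificate may still be in use; let acme.sh produce the new key first and remove or overwrite the old one only on success. Any of `$certpath` and `$domain` that end up inside the execacmesh() string also need escapeshellarg().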
Must use escapeshellarg() around all parameters involving variables.
foreach($domainstosign as $domain) { | ||
$domainstr .= " -d {$domain}"; | ||
} | ||
$this->execacmesh("" |
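Review bot: `$domainstr .= " -d {$domain}";` concatenates each domain unescaped, so each one needs escapeshellarg(); beyond that, quoting does nothing about what acme.sh itself receives (a value such as `--debug` survives escapeshellarg() unchanged and lands in acme.sh's own argument parser), so validate each entry against a hostname pattern of letters, digits, hyphens and dots before building the string.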
Must use escapeshellarg() around all parameters involving variables.
$form->add($section); | ||
|
||
print $form; |
With only this one option and just the checkbox text this page seems really bare. Maybe at least add a little description text about what the renewal job does?
For example, if it uses cron, how often it runs, etc, etc.
added a check that basically prevents showing the page
@@ -0,0 +1,66 @@ | |||
#!/usr/local/bin/php -f |
This script needs the execute bit set.
The Makefile sets -m 0755; that should be enough, right?
Now changed to use INSTALL_DATA/INSTALL_SCRIPT macros in the Makefile.
/* Ensure that our pool names are unique */ | ||
for ($i=0; isset($config['installedpackages']['acme']['accountkeys']['item'][$i]); $i++) { | ||
if (($_POST['name'] == $config['installedpackages']['acme']['accountkeys']['item'][$i]['name']) && ($i != $id)) { | ||
$input_errors[] = "This pool name has already been used. Pool names must be unique."; |
"Pool name"? Shouldn't this be "Account Key Name"?
} | ||
|
||
if($accountkey['name'] != "") { | ||
$changedesc .= " modified pool: '{$accountkey['name']}'"; |
Pool?
/* Ensure that our pool names are unique */ | ||
for ($i=0; isset($config['installedpackages']['acme']['certificates']['item'][$i]); $i++) { | ||
if (($_POST['name'] == $config['installedpackages']['acme']['certificates']['item'][$i]['name']) && ($i != $id)) { | ||
$input_errors[] = "This pool name has already been used. Pool names must be unique."; |
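Review bot: the copy-pasted "pool" wording aside, this uniqueness loop is the natural place to also enforce the character set of the certificate name, since that name ends up on the acme.sh command line and the commit message above already notes acme.sh does not handle spaces; reject anything outside letters, digits, hyphens, underscores and dots with its own $input_errors[] entry rather than relying on escaping later.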
Pool name?
} | ||
|
||
if($certificate['name'] != "") { | ||
$changedesc .= " modified pool: '{$certificate['name']}'"; |
Pool?
I'll wait for the changes for the items pointed out by @jim-p before starting to review.
One more question: Why is
Regarding nsupdate, I will add the run_depends item below; would that make its binary available?
We already have nsupdate, it is what we use for RFC 2136 updates.
…warnings, use fa-plus instead of fa-level-down icon
Ah ok, well then I think all comments have been addressed. The buttons for generating/registering the account key still change to a check-mark when successful; I think that's alright. I've added the nsupdate option (someone should test it..). Added a little more text. Removed the 'pool' texts (which came from copy/paste from the haproxy package..). Let me know if I missed something :).
…TALL_SCRIPT macros
@PiBa-NL here is output of 'portlint -CN', please fix all warnings and fatal messages
MAINTAINER= PiBa-NL | ||
COMMENT= pfSense package acme | ||
|
Add LICENSE= APACHE20 between COMMENT and USE_PHP, leaving a blank line before and after.
MAINTAINER= PiBa-NL | ||
COMMENT= pfSense package acme | ||
|
||
USE_PHP= ftp |
USE_PHP alone is deprecated. Keep this line, replacing the space by a TAB to separate = and the value, and add the following line before it:
USES= php
USE_PHP= ftp | ||
|
||
CONFLICTS= |
Remove the blank CONFLICTS block.
do-install: | ||
${MKDIR} ${STAGEDIR}${PREFIX}/pkg | ||
${MKDIR} ${STAGEDIR}${PREFIX}/pkg/acme | ||
${MKDIR} ${STAGEDIR}${PREFIX}/pkg/acme/dnsapi |
The MKDIR macro is 'mkdir -p', so you only need to run it for the last level and it will create the parent directories; remove the lines creating pkg and pkg/acme.
${MKDIR} ${STAGEDIR}${PREFIX}/pkg | ||
${MKDIR} ${STAGEDIR}${PREFIX}/pkg/acme | ||
${MKDIR} ${STAGEDIR}${PREFIX}/pkg/acme/dnsapi | ||
${MKDIR} ${STAGEDIR}${PREFIX}/www |
Remove this line; the next one will create this directory too.
www/acme/acme_generalsettings.php | ||
/etc/inc/priv/acme.priv.inc | ||
%%DATADIR%%/info.xml | ||
@dir /etc/inc/priv |
Add @dir /etc/inc and remove all blank lines.
I'm still checking this out but got sidetracked by other things I was working on. I did notice that in the Domain SAN list, when you edit an entry, the form fields only take up a small amount of space horizontally and it looks weird. And it may be beyond the scope of this code, but I'd like to see the nsupdate method support an additional field for a domain suffix or full-domain override. I can see people not wanting to add dynamic updates for their entire zone, but you could make a new dynamic zone or subdomain and CNAME the
Screen cap of the weird formatting: http://i.imgur.com/p1JjE4I.png
…e for nsupdate method, improved layout for these extra fields
Looks like maybe it's at a point where we could pull it in and hack on it some more as we go.
Merged in a single commit (979e112) to make it easier. Thanks!!!
@jim-p roughly how long until this commit will make it into master?
It's in master, but on master new packages only show up when a new snapshot is built. So the next snapshot will have it. It's possible as well that it wasn't built with the latest snapshot run and needs adjustments yet. So probably tomorrow sometime, if it isn't up already.