Merge pull request #2 from serghey-rodin/master

compare

bin/v-add-backup-host

@@ -38,8 +38,8 @@ EOF
 sftpc() {
     expect -f "-" <<EOF "$@"
         set count 0
-        spawn /usr/bin/sftp -o StrictHostKeyChecking=no -o \
-            Port=$port $user@$host
+        spawn "/usr/bin/sftp -o StrictHostKeyChecking=no -o \
+            Port=$port '$user@$host'"
         expect {
             "password:" {
                 send "$password\r"
@@ -94,12 +94,14 @@ EOF
 
 if [ "$type" != 'local' ];then
     check_args '4' "$#" "TYPE HOST USERNAME PASSWORD [PATH] [PORT]"
-    is_format_valid 'host'
+    is_format_valid 'user' 'host' 'path' 'port'
     is_password_valid
     if [ "$type" = 'sftp' ]; then
         which expect >/dev/null 2>&1
         check_result $? "expect command not found"  $E_NOTEXIST
     fi
+    host "$host" >/dev/null 2>&1
+    check_result $? "host connection failed" "$E_CONNECT"
 fi
 
 

bin/v-add-dns-record

@@ -45,10 +45,12 @@ if [[ $rtype =~ NS|CNAME|MX|PTR|SRV ]]; then
     fi
 fi
 
-dvalue=${dvalue//\"/}
+if [ $rtype != "CAA" ]; then
+    dvalue=${dvalue//\"/}
 
-if [[ "$dvalue" =~ [\;[:space:]] ]]; then
-    dvalue='"'"$dvalue"'"'
+    if [[ "$dvalue" =~ [\;[:space:]] ]]; then
+        dvalue='"'"$dvalue"'"'
+    fi
 fi
 
 # Additional argument formatting

bin/v-add-firewall-chain

@@ -47,7 +47,13 @@ is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 
 # Checking known chains
 case $chain in
-    SSH)        port=22; protocol=TCP ;;
+    SSH)        # Get ssh port by reading ssh config file.
+                sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
+                if [ -z "$sshport" ]; then
+                    sshport=22
+                fi
+                port=$sshport; 
+                protocol=TCP ;;
     FTP)        port=21; protocol=TCP  ;;
     MAIL)       port='25,465,587,2525,110,995,143,993'; protocol=TCP  ;;
     DNS)        port=53; protocol=UDP  ;;

bin/v-add-letsencrypt-domain

@@ -1,13 +1,8 @@
 #!/bin/bash
-# info: adding letsencrypt ssl cetificate for domain
-# options: USER DOMAIN [ALIASES] [RESTART] [NOTIFY]
+# info: check letsencrypt domain
+# options: USER DOMAIN [ALIASES]
 #
-# The function turns on SSL support for a domain. Parameter ssl_dir is a path
-# to directory where 2 or 3 ssl files can be found. Certificate file
-# domain.tld.crt and its key domain.tld.key  are mandatory. Certificate
-# authority domain.tld.ca file is optional. If home directory  parameter
-# (ssl_home) is not set, https domain uses public_shtml as separate
-# documentroot directory.
+# The function check and validates domain with Let's Encript
 
 
 #----------------------------------------------------------#
@@ -18,39 +13,77 @@
 user=$1
 domain=$2
 aliases=$3
-restart=$4
-notify=$5
+
+# LE API
+API='https://acme-v02.api.letsencrypt.org'
 
 # Includes
 source $VESTA/func/main.sh
 source $VESTA/func/domain.sh
 source $VESTA/conf/vesta.conf
 
 # Additional argument formatting
-format_domain_idn
+format_identifier_idn() {
+    identifier_idn=$identifier
+    if [[ "$identifier_idn" = *[![:ascii:]]* ]]; then
+        identifier_idn=$(idn -t --quiet -a $identifier_idn)
+    fi
+}
+
+# encode base64
+encode_base64() {
+    cat |base64 |tr '+/' '-_' |tr -d '\r\n='
+}
+
+# Let's Encrypt v2 curl function
+query_le_v2() {
+
+    protected='{"nonce": "'$3'",'
+    protected=''$protected' "url": "'$1'",'
+    protected=''$protected' "alg": "RS256", "kid": "'$KID'"}'
+    content="Content-Type: application/jose+json"
+
+    payload_=$(echo -n "$2" |encode_base64)
+    protected_=$(echo -n "$protected" |encode_base64)
+    signature_=$(printf "%s" "$protected_.$payload_" |\
+        openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
+        encode_base64)
+
+    post_data='{"protected":"'"$protected_"'",'
+    post_data=$post_data'"payload":"'"$payload_"'",'
+    post_data=$post_data'"signature":"'"$signature_"'"}'
+
+    curl -s -i -d "$post_data" "$1" -H "$content"
+}
+
 
 
 #----------------------------------------------------------#
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '2' "$#" 'USER DOMAIN [ALIASES] [RESTART] [NOTIFY]'
-is_format_valid 'user' 'domain'
+check_args '2' "$#" 'USER DOMAIN [ALIASES]'
+is_format_valid 'user' 'domain' 'aliases'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
-is_system_enabled "$WEB_SSL" 'SSL_SUPPORT'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'web' 'DOMAIN' "$domain"
 is_object_unsuspended 'web' 'DOMAIN' "$domain"
-
+get_domain_values 'web'
+# check if alias is the letsencrypt wildcard domain, if not, make the normal checks
+if [[ "$aliases" != "*.$domain" ]]; then
+    for alias in $(echo "$aliases" |tr ',' '\n' |sort -u); do
+        check_alias="$(echo $ALIAS |tr ',' '\n' |grep ^$alias$)"
+        if [ -z "$check_alias" ]; then
+            check_result $E_NOTEXIST "domain alias $alias doesn't exist"
+        fi
+    done
+fi;
 
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Parsing domain data
-get_domain_values 'web'
-
 # Registering LetsEncrypt user account
 $BIN/v-add-letsencrypt-user $user
 if [ "$?" -ne 0  ]; then
@@ -62,54 +95,154 @@ fi
 
 # Parsing LetsEncrypt account data
 source $USER_DATA/ssl/le.conf
-email=$EMAIL
-
-# Validating domain and aliases
-i=1
-for alias in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
-    $BIN/v-check-letsencrypt-domain $user $alias
-    if [ "$?" -ne 0 ]; then
-        touch $VESTA/data/queue/letsencrypt.pipe
-        sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
-        send_notice "LETSENCRYPT" "$alias validation failed"
-        check_result $E_INVALID "LE domain validation" >/dev/null
+
+# Checking wildcard alias
+if [ "$aliases" = "*.$domain" ]; then
+    wildcard='yes'
+    proto="dns-01"
+    if [ ! -e "$VESTA/data/users/$user/dns/$domain.conf" ]; then
+        check_result $E_NOTEXIST "DNS domain $domain doesn't exist"
     fi
+else
+    proto="http-01"
+fi
+
+# Requesting nonce / STEP 1
+answer=$(curl -s -I "$API/directory")
+nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
+if [[ "$status" -ne 200 ]]; then
+    check_result $E_CONNECT "Let's Encrypt nonce request status $status"
+fi
 
-    # Checking LE limits per account
-    if [ "$i" -gt 100 ]; then
-        touch $VESTA/data/queue/letsencrypt.pipe
-        sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
-        send_notice 'LETSENCRYPT' 'Limit of domains per account is reached'
-        check_result $E_LIMIT "LE can't sign more than 100 domains"
+# Placing new order / STEP 2
+url="$API/acme/new-order"
+payload='{"identifiers":['
+for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
+    format_identifier_idn
+    payload=$payload'{"type":"dns","value":"'$identifier_idn'"},'
+done
+payload=$(echo "$payload"|sed "s/,$//")
+payload=$payload']}'
+answer=$(query_le_v2 "$url" "$payload" "$nonce")
+nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+authz=$(echo "$answer" |grep "acme/authz" |cut -f2 -d '"')
+finalize=$(echo "$answer" |grep 'finalize":' |cut -f4 -d '"')
+status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
+if [[ "$status" -ne 201 ]]; then
+    check_result $E_CONNECT "Let's Encrypt new auth status $status"
+fi
+
+# Requesting authorization token / STEP 3
+for auth in $authz; do
+    payload=''
+    answer=$(query_le_v2 "$auth" "$payload" "$nonce")
+    url=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \")
+    token=$(echo "$answer" |grep -A3 $proto |grep token |cut -f 4 -d \")
+    nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+    status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
+    if [[ "$status" -ne 200 ]]; then
+        check_result $E_CONNECT "Let's Encrypt acme/authz bad status $status"
+    fi
+
+    # Accepting challenge / STEP 4
+    if [ "$wildcard" = 'yes'  ]; then
+        record=$(printf "%s" "$token.$THUMB" |\
+            openssl dgst -sha256 -binary |encode_base64)
+        old_records=$($BIN/v-list-dns-records $user $domain plain|grep 'TXT')
+        old_records=$(echo "$old_records" |grep _acme-challenge |cut -f 1)
+        for old_record in $old_records; do
+            $BIN/v-delete-dns-record $user $domain $old_record
+        done
+        $BIN/v-add-dns-record $user $domain "_acme-challenge" "TXT" $record
+        check_result $? "DNS _acme-challenge record wasn't created"
+    else
+        if [ "$WEB_SYSTEM" = 'nginx' ] || [ ! -z "$PROXY_SYSTEM" ]; then
+            conf="$HOMEDIR/$user/conf/web/nginx.$domain.conf_letsencrypt"
+            sconf="$HOMEDIR/$user/conf/web/snginx.$domain.conf_letsencrypt"
+            if [ ! -e "$conf" ]; then
+                echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' \
+                    > $conf
+                echo '    default_type text/plain;' >> $conf
+                echo '    return 200 "$1.'$THUMB'";' >> $conf
+                echo '}' >> $conf
+            fi
+            if [ ! -e "$sconf" ]; then
+                ln -s "$conf" "$sconf"
+            fi
+            $BIN/v-restart-proxy
+            check_result $? "Proxy restart failed" >/dev/null
+
+        else
+            well_known="$HOMEDIR/$user/web/$domain/public_html/.well-known"
+            acme_challenge="$well_known/acme-challenge"
+            mkdir -p $acme_challenge
+            echo "$token.$THUMB" > $acme_challenge/$token
+            chown -R $user:$user $well_known
+        fi
+        $BIN/v-restart-web
+        check_result $? "Web restart failed" >/dev/null
+    fi
+
+    # Requesting ACME validation / STEP 5
+    validation_check=$(echo "$answer" |grep '"valid"')
+    if [[ ! -z "$validation_check" ]]; then
+        validation='valid'
+    else
+        validation='pending'
+    fi
+
+    # Doing pol check on status
+    i=1
+    while [ "$validation" = 'pending' ]; do
+        payload='{}'
+        answer=$(query_le_v2 "$url" "$payload" "$nonce")
+        validation=$(echo "$answer"|grep -A1 $proto |tail -n1|cut -f4 -d \")
+        nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+        status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
+        if [[ "$status" -ne 200 ]]; then
+            check_result $E_CONNECT "Let's Encrypt validation status $status"
+        fi
+
+        i=$((i + 1))
+        if [ "$i" -gt 10 ]; then
+            check_result $E_CONNECT "Let's Encrypt domain validation timeout"
+        fi
+        sleep 1
+    done
+    if [ "$validation" = 'invalid' ]; then
+        check_result $E_CONNECT "Let's Encrypt domain verification failed"
     fi
-    i=$((i++))
 done
 
-# Generating CSR
-ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "$email" "US" "California" \
+
+# Generating new ssl certificate
+ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "info@$domain" "US" "California"\
     "San Francisco" "Vesta" "IT" "$aliases" |tail -n1 |awk '{print $2}')
 
-# Signing CSR
-crt=$($BIN/v-sign-letsencrypt-csr $user $domain $ssl_dir)
-if [ "$?" -ne 0 ]; then
-    touch $VESTA/data/queue/letsencrypt.pipe
-    sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
-    send_notice "LETSENCRYPT" "$alias validation failed"
-    check_result "$E_INVALID" "LE $domain validation"
-fi
-echo "$crt" > $ssl_dir/$domain.crt
-
-# Dowloading CA certificate
-le_certs='https://letsencrypt.org/certs'
-x1='lets-encrypt-x1-cross-signed.pem.txt'
-x3='lets-encrypt-x3-cross-signed.pem.txt'
-issuer=$(openssl x509 -text -in $ssl_dir/$domain.crt |grep "Issuer:")
-if [ -z "$(echo $issuer|grep X3)" ]; then
-    curl -s $le_certs/$x1 > $ssl_dir/$domain.ca
-else
-    curl -s $le_certs/$x3 > $ssl_dir/$domain.ca
+# Sending CSR to finalize order / STEP 6
+csr=$(openssl req -in $ssl_dir/$domain.csr -outform DER |encode_base64)
+payload='{"csr":"'$csr'"}'
+answer=$(query_le_v2 "$finalize" "$payload" "$nonce")
+nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
+status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
+certificate=$(echo "$answer"|grep 'certificate":' |cut -f4 -d '"')
+if [[ "$status" -ne 200 ]]; then
+    check_result $E_CONNECT "Let's Encrypt finalize bad status $status"
 fi
 
+# Downloading signed certificate / STEP 7
+curl -s "$certificate" -o $ssl_dir/$domain.pem
+
+# Splitting up downloaded pem
+crt_end=$(grep -n END $ssl_dir/$domain.pem |head -n1 |cut -f1 -d:)
+head -n $crt_end $ssl_dir/$domain.pem > $ssl_dir/$domain.crt
+
+pem_lines=$(wc -l $ssl_dir/$domain.pem |cut -f 1 -d ' ')
+ca_end=$(grep -n  "BEGIN" $ssl_dir/$domain.pem |tail -n1 |cut -f 1 -d :)
+ca_end=$(( pem_lines - crt_end + 1 ))
+tail -n $ca_end $ssl_dir/$domain.pem > $ssl_dir/$domain.ca
+
 # Adding SSL
 ssl_home=$(search_objects 'web' 'LETSENCRYPT' 'yes' 'SSL_HOME')
 $BIN/v-delete-web-domain-ssl $user $domain >/dev/null 2>&1
@@ -140,18 +273,13 @@ update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT' 'yes'
 #                       Vesta                              #
 #----------------------------------------------------------#
 
-# Restarting web
-$BIN/v-restart-web $restart
-if [ "$?" -ne 0  ]; then
-    send_notice 'LETSENCRYPT' "web server needs to be restarted manually"
-fi
+# Deleteing task from queue
+touch $VESTA/data/queue/letsencrypt.pipe
+sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
 
 # Notifying user
 send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully"
 
-# Deleteing task from queue
-touch $VESTA/data/queue/letsencrypt.pipe
-sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
 
 # Logging
 log_event "$OK" "$ARGUMENTS"