acme, minor fixes + 'php command' ability

pfsense · Apr 28, 2016 · bfff56e · bfff56e
1 parent 018348f
commit bfff56e
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 15 deletions.
diff --git a/security/pfSense-pkg-acme/Makefile b/security/pfSense-pkg-acme/Makefile
@@ -10,7 +10,7 @@ EXTRACT_ONLY=	# empty
 MAINTAINER=	PiBa-NL
 COMMENT=	pfSense package acme
 
-# LIB_DEPENDS= ftp.so:ftp/php56-ftp
+USE_PHP= ftp
 
 CONFLICTS=	
 

diff --git a/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme.inc b/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme.inc
@@ -98,7 +98,7 @@ $acme_domain_validation_method['ftpwebroot'] = array(name => "FTP webroot",
 
 $acme_newcertificateactions = array();
 $acme_newcertificateactions['shellcommand'] = array(name => "shell command");
-//$acme_domain_validation_method['php command'] = array(name => "php command script");
+$acme_newcertificateactions['php_command'] = array(name => "php command script");
 
 // </editor-fold>
 #end
@@ -249,10 +249,11 @@ function & get_certificate($name) {
 	function renew_all_certificates() {
 		global $config;
 		$a_global = &$config['installedpackages']['acme'];
-
-		foreach($a_global['certificates']['item'] as $certificate) {
-			echo "Checking if renewal is needed for: {$certificate['name']}\n";
-			renew_certificate($certificate['name']);
+		if (is_array($a_global['certificates']['item'])) {
+			foreach($a_global['certificates']['item'] as $certificate) {
+				echo "Checking if renewal is needed for: {$certificate['name']}\n";
+				renew_certificate($certificate['name']);
+			}
 		}
 	}
 
@@ -280,6 +281,9 @@ function & get_certificate($name) {
 			echo "Renewing certificate";
 			$domainstosign = array();
 			foreach($certificate['a_domainlist']['item'] as $domain) {
+				if ($domain['status'] == 'disable') {
+					continue;
+				}
 				$domainstosign[] = $domain['name'];
 			}
 
@@ -298,11 +302,16 @@ function & get_certificate($name) {
 			$handler->path = "";
 			$le->callback = $handler;
 			$le->signDomains($domainstosign);
-
-			foreach($certificate['a_actionlist']['item'] as $action) {
-				if ($action['method'] == "shellcommand") {
-					echo "Running {$action['command']}\n";
-					mwexec_bg($action['command']);
+			if (is_array($certificate['a_actionlist']['item'])) {
+				foreach($certificate['a_actionlist']['item'] as $action) {
+					if ($action['method'] == "shellcommand") {
+						echo "Running {$action['command']}\n";
+						mwexec_bg($action['command']);
+					}
+					if ($action['method'] == "php_command") {
+						echo "Running php {$action['command']}\n";
+						eval($action['command']);
+					}
 				}
 			}
 			syslog(LOG_NOTICE, "Acme, certificate renewed: {$id}");
@@ -320,12 +329,14 @@ function & get_certificate($name) {
 				}
 			}
 			if ($domain_info['method'] == 'webroot') {
+				echo "webroot\n";
 				$directory = $domain_info['webrootfolder'];
 				if(!file_exists($directory) && !@mkdir($directory, 0755, true)) {
 					throw new \RuntimeException("Couldn't create directory to expose challenge: ${tokenPath}");
 				}
 				$tokenPath = $directory . "/" . $token;
 				file_put_contents($tokenPath, $payload);
+				echo "put token at: {$tokenPath}\n";
 			}
 			if ($domain_info['method'] == 'ftpwebroot') {
 				echo "FTP\n";
@@ -356,14 +367,16 @@ function & get_certificate($name) {
 			$certificatename = "acme_cert_" . $this->certificateinfo['name'];
 			$cert = lookup_cert_by_name($certificatename);
 			if (!is_array($cert)) {
+				echo "\n getCertificatePSK creating new cert";
 				global $config;
 				$a_cert =& $config['cert'];
 				$cert = array();
 				$cert['refid'] = uniqid();
 				$cert['descr'] = $certificatename;
 				$accountkey = generateAccountKey();
-				$cert['prv'] = base64_encode($accountkey['prv']);
+				$cert['prv'] = base64_encode($accountkey);
 				$a_cert[] = $cert;
+				echo "\n{$cert['prv']}";
 			}
 			return base64_decode($cert['prv']);
 		}

diff --git a/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme_htmllist.inc b/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme_htmllist.inc
@@ -134,6 +134,7 @@ class HtmlList
 			} elseif ($itemtype ==  "fixedtext") {
 				$result .= $item['text'];
 			} else {
+				$itemvalue = htmlspecialchars($itemvalue, ENT_QUOTES);
 				$result .= "<input name='$itemnamenr' id='$itemnamenr' type='text' value='{$itemvalue}' />";
 			}
 		} else {

diff --git a/security/pfSense-pkg-acme/files/usr/local/pkg/acme/lescript.inc b/security/pfSense-pkg-acme/files/usr/local/pkg/acme/lescript.inc
@@ -100,7 +100,6 @@ class Lescript
         // ----------------------------
 
         foreach($domains as $domain) {
-
             // 1. getting available authentication options
             // -------------------------------------------
 
@@ -146,7 +145,7 @@ class Lescript
 
 			$uri = "http://${domain}/.well-known/acme-challenge/${challenge['token']}";
 
-			$this->log("Token for $domain saved at $tokenPath and should be available at $uri");
+			$this->log("Token for $domain should be available at $uri");
 
 			// simple self check
 			if($payload !== trim(@file_get_contents($uri))) {
@@ -347,7 +346,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment');
         openssl_csr_export($csr, $csr);
         fclose($tmpConf);
 
-        file_put_contents($this->getDomainPath($domain)."/last.csr", $csr);
+        //file_put_contents($this->getDomainPath($domain)."/last.csr", $csr);
         preg_match('~REQUEST-----(.*)-----END~s', $csr, $matches);
 
         return trim(Base64UrlSafeEncoder::encode(base64_decode($matches[1])));