forked from opnsense/plugins
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request opnsense#3749 from fraenki/acme_321
security/acme-client: release 3.21
- Loading branch information
Showing
6 changed files
with
62 additions
and
150 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * Copyright (C) 2020-2021 Frank Wall | ||
| * Copyright (C) 2020-2024 Frank Wall | ||
| * Copyright (C) 2018 Deciso B.V. | ||
| * Copyright (C) 2018 Franco Fichtner <[email protected]> | ||
| * All rights reserved. | ||
|
|
@@ -120,35 +120,19 @@ public function runAcme() | |
| LeUtils::log('running automation (acme.sh): ' . $this->config->name); | ||
|
|
||
| // Preparation to run acme client | ||
| $proc_env = $this->acme_env; // env variables for proc_open() | ||
| $proc_env = $this->acme_env; // add env variables | ||
| $proc_env['PATH'] = $this::ACME_ENV_PATH; | ||
| $proc_desc = array( // descriptor array for proc_open() | ||
| 0 => array("pipe", "r"), // stdin | ||
| 1 => array("pipe", "w"), // stdout | ||
| 2 => array("pipe", "w") // stderr | ||
| ); | ||
| $proc_pipes = array(); | ||
|
|
||
| // Run acme client | ||
|
|
||
| // Prepare acme.sh command to run a deploy hook | ||
| $acmecmd = self::ACME_CMD | ||
| . ' ' | ||
| . '--deploy ' | ||
| . implode(' ', $this->acme_args); | ||
| LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug); | ||
| $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env); | ||
|
|
||
| // Make sure the resource could be setup properly | ||
| if (is_resource($proc)) { | ||
| // Close all pipes | ||
| fclose($proc_pipes[0]); | ||
| fclose($proc_pipes[1]); | ||
| fclose($proc_pipes[2]); | ||
| // Get exit code | ||
| $result = proc_close($proc); | ||
| } else { | ||
| LeUtils::log_error('unable to start acme client process'); | ||
| return false; | ||
| } | ||
| // Run acme.sh command | ||
| $result = LeUtils::run_shell_command($acmecmd, $proc_env); | ||
|
|
||
| // acme.sh records the last used deploy hook and would automatically | ||
| // use it on the next run. This information must be removed from the | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * Copyright (C) 2017-2020 Frank Wall | ||
| * Copyright (C) 2017-2024 Frank Wall | ||
| * Copyright (C) 2015 Deciso B.V. | ||
| * Copyright (C) 2010 Jim Pingle <[email protected]> | ||
| * Copyright (C) 2008 Shrew Soft Inc. <[email protected]> | ||
|
|
@@ -194,17 +194,26 @@ public static function run_shell_command($proc_cmd, $proc_env = array()) | |
|
|
||
| // Make sure the resource could be setup properly | ||
| if (is_resource($proc)) { | ||
| // Close all pipes | ||
| // This workaround ensures that the accurate return code | ||
| // is reliably returned. | ||
| fclose($proc_pipes[0]); | ||
| $output = array(); | ||
| while (!feof($proc_pipes[1])) { | ||
| $output[] = rtrim(fgets($proc_pipes[1], 1024), "\n"); | ||
| } | ||
| fclose($proc_pipes[1]); | ||
| while (!feof($proc_pipes[2])) { | ||
| $output[] = rtrim(fgets($proc_pipes[2], 1024), "\n"); | ||
| } | ||
| fclose($proc_pipes[2]); | ||
|
|
||
| // Get exit code | ||
| $result = proc_close($proc); | ||
| log_error(sprintf("AcmeClient: The shell command '%s' returned exit code '%d'", $proc_cmd, $result)); | ||
| log_error(sprintf("AcmeClient: The shell command returned exit code '%d': '%s'", $result, $proc_cmd)); | ||
| return($result); | ||
| } else { | ||
| log_error(sprintf("AcmeClient: Unable to prepare shell command '%s'", $proc_cmd)); | ||
| return false; | ||
| return(-999); | ||
| } | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * Copyright (C) 2020-2021 Frank Wall | ||
| * Copyright (C) 2020-2024 Frank Wall | ||
| * Copyright (C) 2018 Deciso B.V. | ||
| * Copyright (C) 2018 Franco Fichtner <[email protected]> | ||
| * All rights reserved. | ||
|
|
@@ -154,16 +154,10 @@ public function run(bool $renew = false) | |
| $account_conf_file = $account_conf_dir . '/account.conf'; | ||
|
|
||
| // Preparation to run acme client | ||
| $proc_env = $this->acme_env; // env variables for proc_open() | ||
| $proc_env = $this->acme_env; // add env variables | ||
| $proc_env['PATH'] = $this::ACME_ENV_PATH; | ||
| $proc_desc = array( // descriptor array for proc_open() | ||
| 0 => array("pipe", "r"), // stdin | ||
| 1 => array("pipe", "w"), // stdout | ||
| 2 => array("pipe", "w") // stderr | ||
| ); | ||
| $proc_pipes = array(); | ||
|
|
||
| // Run acme client | ||
|
|
||
| // Prepare acme.sh command | ||
| // NOTE: We "export" certificates to our own directory, so we don't have to deal | ||
| // with domain names in filesystem, but instead can use the ID of our certObj, which | ||
| // will never change. | ||
|
|
@@ -173,25 +167,14 @@ public function run(bool $renew = false) | |
| . implode(' ', $this->acme_args) . ' ' | ||
| . LeUtils::execSafe('--accountconf %s', $account_conf_file); | ||
| LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug); | ||
| $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env); | ||
|
|
||
| // Make sure the resource could be setup properly | ||
| if (is_resource($proc)) { | ||
| // Close all pipes | ||
| fclose($proc_pipes[0]); | ||
| fclose($proc_pipes[1]); | ||
| fclose($proc_pipes[2]); | ||
| // Get exit code | ||
| $result = proc_close($proc); | ||
| } else { | ||
| LeUtils::log_error('unable to start acme client process'); | ||
| return false; | ||
| } | ||
|
|
||
| // Run acme.sh command | ||
| $result = LeUtils::run_shell_command($acmecmd, $proc_env); | ||
|
|
||
| // Run optional cleanup tasks. | ||
| $this->cleanup(); | ||
|
|
||
| // Check validation result | ||
| // Check acme.sh result | ||
| if ($result) { | ||
| LeUtils::log_error('domain validation failed (' . $this->getMethod() . ')'); | ||
| return false; | ||
|
|
||