From 1a12aa01b4bdade8cd4751474fcaaf5891083eef Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 26 Jan 2016 10:17:34 -0800 Subject: [PATCH 1/8] make different options ssl conf for centos --- .../centos-options-ssl-apache.conf | 21 +++++++++++++++++++ .../letsencrypt_apache/constants.py | 17 ++++++++------- 2 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 letsencrypt-apache/letsencrypt_apache/centos-options-ssl-apache.conf diff --git a/letsencrypt-apache/letsencrypt_apache/centos-options-ssl-apache.conf b/letsencrypt-apache/letsencrypt_apache/centos-options-ssl-apache.conf new file mode 100644 index 000000000..fbe8da0f2 --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/centos-options-ssl-apache.conf @@ -0,0 +1,21 @@ +# Baseline setting to Include for SSL sites + +SSLEngine on + +# Intermediate configuration, tweak to your needs +SSLProtocol all -SSLv2 -SSLv3 +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA +SSLHonorCipherOrder on + +SSLOptions +StrictRequire + +# Add vhost name to log entries: +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined +LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common + +#CustomLog /var/log/apache2/access.log vhost_combined +#LogLevel warn +#ErrorLog /var/log/apache2/error.log + +# Always ensure Cookies have "Secure" set (JAH 2012/1) +#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" diff --git a/letsencrypt-apache/letsencrypt_apache/constants.py b/letsencrypt-apache/letsencrypt_apache/constants.py index fe5ef3335..72ff384f7 100644 --- a/letsencrypt-apache/letsencrypt_apache/constants.py +++ b/letsencrypt-apache/letsencrypt_apache/constants.py @@ -16,7 +16,9 @@ CLI_DEFAULTS_DEBIAN = dict( le_vhost_ext="-le-ssl.conf", handle_mods=True, handle_sites=True, - challenge_location="/etc/apache2" + challenge_location="/etc/apache2", + MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + "letsencrypt_apache", "options-ssl-apache.conf") ) CLI_DEFAULTS_CENTOS = dict( server_root="/etc/httpd", @@ -31,7 +33,9 @@ CLI_DEFAULTS_CENTOS = dict( le_vhost_ext="-le-ssl.conf", handle_mods=False, handle_sites=False, - challenge_location="/etc/httpd/conf.d" + challenge_location="/etc/httpd/conf.d", + MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + "letsencrypt_apache", "centos-options-ssl-apache.conf") ) CLI_DEFAULTS_GENTOO = dict( server_root="/etc/apache2", @@ -46,7 +50,9 @@ CLI_DEFAULTS_GENTOO = dict( le_vhost_ext="-le-ssl.conf", handle_mods=False, handle_sites=False, - challenge_location="/etc/apache2/vhosts.d" + challenge_location="/etc/apache2/vhosts.d", + MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + "letsencrypt_apache", "options-ssl-apache.conf") ) CLI_DEFAULTS = { "debian": CLI_DEFAULTS_DEBIAN, @@ -62,11 +68,6 @@ CLI_DEFAULTS = { MOD_SSL_CONF_DEST = "options-ssl-apache.conf" """Name of the mod_ssl config file as saved in `IConfig.config_dir`.""" -MOD_SSL_CONF_SRC = pkg_resources.resource_filename( - "letsencrypt_apache", "options-ssl-apache.conf") -"""Path to the Apache mod_ssl config file found in the Let's Encrypt -distribution.""" - AUGEAS_LENS_DIR = pkg_resources.resource_filename( "letsencrypt_apache", "augeas_lens") """Path to the Augeas lens directory""" From 1a14b4c8d5ec67115f41deec71fd15c4cd350be5 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 26 Jan 2016 10:39:54 -0800 Subject: [PATCH 2/8] fix mapping issue --- letsencrypt-apache/letsencrypt_apache/configurator.py | 2 +- letsencrypt-apache/letsencrypt_apache/constants.py | 6 +++--- letsencrypt-apache/letsencrypt_apache/tests/util.py | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index 8818923f4..8cd26e32b 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -1587,4 +1587,4 @@ def install_ssl_options_conf(options_ssl): # Check to make sure options-ssl.conf is installed if not os.path.isfile(options_ssl): - shutil.copyfile(constants.MOD_SSL_CONF_SRC, options_ssl) + shutil.copyfile(constants.os_constant("MOD_SSL_CONF_SRC"), options_ssl) diff --git a/letsencrypt-apache/letsencrypt_apache/constants.py b/letsencrypt-apache/letsencrypt_apache/constants.py index 72ff384f7..50156444b 100644 --- a/letsencrypt-apache/letsencrypt_apache/constants.py +++ b/letsencrypt-apache/letsencrypt_apache/constants.py @@ -17,7 +17,7 @@ CLI_DEFAULTS_DEBIAN = dict( handle_mods=True, handle_sites=True, challenge_location="/etc/apache2", - MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( "letsencrypt_apache", "options-ssl-apache.conf") ) CLI_DEFAULTS_CENTOS = dict( @@ -34,7 +34,7 @@ CLI_DEFAULTS_CENTOS = dict( handle_mods=False, handle_sites=False, challenge_location="/etc/httpd/conf.d", - MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( "letsencrypt_apache", "centos-options-ssl-apache.conf") ) CLI_DEFAULTS_GENTOO = dict( @@ -51,7 +51,7 @@ CLI_DEFAULTS_GENTOO = dict( handle_mods=False, handle_sites=False, challenge_location="/etc/apache2/vhosts.d", - MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( "letsencrypt_apache", "options-ssl-apache.conf") ) CLI_DEFAULTS = { diff --git a/letsencrypt-apache/letsencrypt_apache/tests/util.py b/letsencrypt-apache/letsencrypt_apache/tests/util.py index fb86d2320..ff60c05e3 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/util.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/util.py @@ -33,7 +33,7 @@ class ApacheTest(unittest.TestCase): # pylint: disable=too-few-public-methods pkg="letsencrypt_apache.tests") self.ssl_options = common.setup_ssl_options( - self.config_dir, constants.MOD_SSL_CONF_SRC, + self.config_dir, constants.os_constant("MOD_SSL_CONF_SRC"), constants.MOD_SSL_CONF_DEST) self.config_path = os.path.join(self.temp_dir, config_root) From 8ba59406adfa48b49437b34120820613784e2a82 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 26 Jan 2016 11:40:44 -0800 Subject: [PATCH 3/8] When in doubt, use the config root --- .../letsencrypt_apache/parser.py | 19 +------------------ .../letsencrypt_apache/tests/parser_test.py | 12 +----------- 2 files changed, 2 insertions(+), 29 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/parser.py b/letsencrypt-apache/letsencrypt_apache/parser.py index cc7f2ec42..3c13aae5f 100644 --- a/letsencrypt-apache/letsencrypt_apache/parser.py +++ b/letsencrypt-apache/letsencrypt_apache/parser.py @@ -597,7 +597,7 @@ class ApacheParser(object): .. todo:: Make sure that files are included """ - default = self._set_user_config_file() + default = self.loc["root"] temp = os.path.join(self.root, "ports.conf") if os.path.isfile(temp): @@ -618,23 +618,6 @@ class ApacheParser(object): raise errors.NoInstallationError("Could not find configuration root") - def _set_user_config_file(self): - """Set the appropriate user configuration file - - .. todo:: This will have to be updated for other distros versions - - :param str root: pathname which contains the user config - - """ - # Basic check to see if httpd.conf exists and - # in hierarchy via direct include - # httpd.conf was very common as a user file in Apache 2.2 - if (os.path.isfile(os.path.join(self.root, "httpd.conf")) and - self.find_dir("Include", "httpd.conf", self.loc["root"])): - return os.path.join(self.root, "httpd.conf") - else: - return os.path.join(self.root, "apache2.conf") - def case_i(string): """Returns case insensitive regex. diff --git a/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py b/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py index e976bc9f6..2e6481aba 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py @@ -106,7 +106,7 @@ class BasicParserTest(util.ParserTest): def test_set_locations(self): with mock.patch("letsencrypt_apache.parser.os.path") as mock_path: - mock_path.isfile.side_effect = [True, False, False] + mock_path.isfile.side_effect = [False, False] # pylint: disable=protected-access results = self.parser._set_locations() @@ -114,16 +114,6 @@ class BasicParserTest(util.ParserTest): self.assertEqual(results["default"], results["listen"]) self.assertEqual(results["default"], results["name"]) - def test_set_user_config_file(self): - # pylint: disable=protected-access - path = os.path.join(self.parser.root, "httpd.conf") - open(path, 'w').close() - self.parser.add_dir(self.parser.loc["default"], "Include", - "httpd.conf") - - self.assertEqual( - path, self.parser._set_user_config_file()) - @mock.patch("letsencrypt_apache.parser.ApacheParser._get_runtime_cfg") def test_update_runtime_variables(self, mock_cfg): mock_cfg.return_value = ( From 870a743ce1f2b797157bae770bd5b89df89006d8 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 26 Jan 2016 18:09:55 -0800 Subject: [PATCH 4/8] Detect * and _default_ conflict --- letsencrypt-apache/letsencrypt_apache/configurator.py | 11 ++++++++++- .../letsencrypt_apache/tests/configurator_test.py | 8 ++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index 8818923f4..745a00719 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -874,9 +874,18 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # See if the exact address appears in any other vhost # Remember 1.1.1.1:* == 1.1.1.1 -> hence any() for addr in vhost.addrs: + + # In Apache 2.2, when a NameVirtualHost directive is not + # set, "*" and "_default_" will conflict when sharing a port + addrs = [addr] + if addr.get_addr() == "*": + addrs.append(obj.Addr(("_default_", addr.get_port(),))) + elif addr.get_addr() == "_default_": + addrs.append(obj.Addr(("*", addr.get_port(),))) + for test_vh in self.vhosts: if (vhost.filep != test_vh.filep and - any(test_addr == addr for + any(test_addr in addrs for test_addr in test_vh.addrs) and not self.is_name_vhost(addr)): self.add_name_vhost(addr) diff --git a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py index 00a98e33a..cae5869dd 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py @@ -606,6 +606,14 @@ class TwoVhost80Test(util.ApacheTest): self.config._add_name_vhost_if_necessary(self.vh_truth[0]) self.assertTrue(self.config.save.called) + new_addrs = set() + for addr in self.vh_truth[0].addrs: + new_addrs.add(obj.Addr(("_default_", addr.get_port(),))) + + self.vh_truth[0].addrs = new_addrs + self.config._add_name_vhost_if_necessary(self.vh_truth[0]) + self.assertEqual(self.config.save.call_count, 2) + @mock.patch("letsencrypt_apache.configurator.tls_sni_01.ApacheTlsSni01.perform") @mock.patch("letsencrypt_apache.configurator.ApacheConfigurator.restart") def test_perform(self, mock_restart, mock_perform): From 90f9254fc3eb906fda27404b71523bcc37796d84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcel=20Kr=C3=BCger?= Date: Fri, 29 Jan 2016 18:25:50 +0100 Subject: [PATCH 5/8] Fix multiple snakeoil certs for nginx --- letsencrypt-nginx/letsencrypt_nginx/configurator.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/letsencrypt-nginx/letsencrypt_nginx/configurator.py b/letsencrypt-nginx/letsencrypt_nginx/configurator.py index 691688969..0da12d143 100644 --- a/letsencrypt-nginx/letsencrypt_nginx/configurator.py +++ b/letsencrypt-nginx/letsencrypt_nginx/configurator.py @@ -310,11 +310,11 @@ class NginxConfigurator(common.Plugin): key = OpenSSL.crypto.load_privatekey( OpenSSL.crypto.FILETYPE_PEM, le_key.pem) cert = acme_crypto_util.gen_ss_cert(key, domains=[socket.gethostname()]) - cert_path = os.path.join(tmp_dir, "cert.pem") cert_pem = OpenSSL.crypto.dump_certificate( OpenSSL.crypto.FILETYPE_PEM, cert) - with open(cert_path, 'w') as cert_file: - cert_file.write(cert_pem) + cert_file, cert_path = le_util.unique_file(os.path.join(tmp_dir, "cert.pem")) + cert_file.write(cert_pem) + cert_file.close() return cert_path, le_key.file def _make_server_ssl(self, vhost): From 52894206927477fbc054f18b655c8c4dc81d6e7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcel=20Kr=C3=BCger?= Date: Fri, 29 Jan 2016 20:40:28 +0100 Subject: [PATCH 6/8] Protect opened files against IO-exceptions --- letsencrypt-nginx/letsencrypt_nginx/configurator.py | 4 ++-- letsencrypt/crypto_util.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/letsencrypt-nginx/letsencrypt_nginx/configurator.py b/letsencrypt-nginx/letsencrypt_nginx/configurator.py index 0da12d143..3d48d100f 100644 --- a/letsencrypt-nginx/letsencrypt_nginx/configurator.py +++ b/letsencrypt-nginx/letsencrypt_nginx/configurator.py @@ -313,8 +313,8 @@ class NginxConfigurator(common.Plugin): cert_pem = OpenSSL.crypto.dump_certificate( OpenSSL.crypto.FILETYPE_PEM, cert) cert_file, cert_path = le_util.unique_file(os.path.join(tmp_dir, "cert.pem")) - cert_file.write(cert_pem) - cert_file.close() + with cert_file: + cert_file.write(cert_pem) return cert_path, le_key.file def _make_server_ssl(self, vhost): diff --git a/letsencrypt/crypto_util.py b/letsencrypt/crypto_util.py index 730c32398..76265a739 100644 --- a/letsencrypt/crypto_util.py +++ b/letsencrypt/crypto_util.py @@ -53,8 +53,8 @@ def init_save_key(key_size, key_dir, keyname="key-letsencrypt.pem"): config.strict_permissions) key_f, key_path = le_util.unique_file( os.path.join(key_dir, keyname), 0o600) - key_f.write(key_pem) - key_f.close() + with key_f: + key_f.write(key_pem) logger.info("Generating key (%d bits): %s", key_size, key_path) From 50e2f769c0d1a506df9db153b664583d0322ae07 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 29 Jan 2016 12:54:34 -0800 Subject: [PATCH 7/8] loc--, readability++ --- letsencrypt-apache/letsencrypt_apache/configurator.py | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index 745a00719..9e3f34990 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -874,14 +874,11 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # See if the exact address appears in any other vhost # Remember 1.1.1.1:* == 1.1.1.1 -> hence any() for addr in vhost.addrs: - # In Apache 2.2, when a NameVirtualHost directive is not # set, "*" and "_default_" will conflict when sharing a port - addrs = [addr] - if addr.get_addr() == "*": - addrs.append(obj.Addr(("_default_", addr.get_port(),))) - elif addr.get_addr() == "_default_": - addrs.append(obj.Addr(("*", addr.get_port(),))) + if addr.get_addr() in ("*", "_default_"): + addrs = [obj.Addr((a, addr.get_port(),)) + for a in ("*", "_default_")] for test_vh in self.vhosts: if (vhost.filep != test_vh.filep and From 95061b84874a3a5291b545a4a8ada083afebfe5e Mon Sep 17 00:00:00 2001 From: Aaron Zirbes Date: Fri, 29 Jan 2016 17:03:31 -0500 Subject: [PATCH 8/8] Stop spewing "grep: /etc/os-release: No such file or directory" when running le-auto. Fix #2255. Also bump embedded version number. --- letsencrypt-auto-source/letsencrypt-auto | 4 ++-- letsencrypt-auto-source/letsencrypt-auto.template | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index e0812501c..7800a5eb6 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -19,7 +19,7 @@ XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share} VENV_NAME="letsencrypt" VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"} VENV_BIN=${VENV_PATH}/bin -LE_AUTO_VERSION="0.3.0" +LE_AUTO_VERSION="0.4.0.dev0" # This script takes the same arguments as the main letsencrypt program, but it # additionally responds to --verbose (more output) and --debug (allow support @@ -374,7 +374,7 @@ Bootstrap() { elif [ -f /etc/redhat-release ]; then echo "Bootstrapping dependencies for RedHat-based OSes..." BootstrapRpmCommon - elif `grep -q openSUSE /etc/os-release` ; then + elif [ -f /etc/os-release] && `grep -q openSUSE /etc/os-release` ; then echo "Bootstrapping dependencies for openSUSE-based OSes..." BootstrapSuseCommon elif [ -f /etc/arch-release ]; then diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index 8118a5f69..ba17d7a99 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -130,7 +130,7 @@ Bootstrap() { elif [ -f /etc/redhat-release ]; then echo "Bootstrapping dependencies for RedHat-based OSes..." BootstrapRpmCommon - elif `grep -q openSUSE /etc/os-release` ; then + elif [ -f /etc/os-release] && `grep -q openSUSE /etc/os-release` ; then echo "Bootstrapping dependencies for openSUSE-based OSes..." BootstrapSuseCommon elif [ -f /etc/arch-release ]; then