From 1acb8c84b699c9ed6b4a88fe5366912ddca6ef03 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Tue, 24 Oct 2017 11:17:42 +0200 Subject: [PATCH 1/7] security/acme-client: add missing fields to model, fixes #334 --- .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml index 0052522c2..442d12140 100644 --- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml +++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml @@ -430,6 +430,12 @@ N + + N + + + N + N From 218ca10430ff736f2c901ed7e09e5f67c63ac10b Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Tue, 24 Oct 2017 11:18:45 +0200 Subject: [PATCH 2/7] security/acme-client: bump model version --- .../opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml index 442d12140..d78dfcabd 100644 --- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml +++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml @@ -1,7 +1,7 @@ //OPNsense/AcmeClient - 1.1.0 + 1.2.0 a secure Let's Encrypt plugin From 8a2ad9d50625e1f44de07263042e3adc04a58b21 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 29 Oct 2017 11:24:31 +0100 Subject: [PATCH 3/7] security/acme-client: improve help text --- .../mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml index d6f30156f..69625fbae 100644 --- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml +++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml @@ -27,7 +27,7 @@ acmeclient.settings.challengePort text - + true From 8cc23451abc9f0719729d294b452fdc854d12190 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 29 Oct 2017 11:43:22 +0100 Subject: [PATCH 4/7] security/acme-client: add compatibility with LE model 2.0 --- .../AcmeClient/Api/SettingsController.php | 31 +++++++------------ 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php index bdf55143c..3a7fdf7e1 100644 --- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php +++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php 
@@ -200,11 +200,13 @@ class SettingsController extends ApiMutableModelControllerBase $this->getLogger()->error("LE check: HAProxy integration is complete"); } else { $integration_changes = true; - // Check if we need to remove relics of incomplete HAProxy integration. - // NOTE: We try to automatically repair a broken HAProxy integration, - // although the user may have deleted some items intentionally. - // As long as the HAProxy integration is enabled we assume that - // this is an error that should *automatically* be fixed. + /** + * Check if we need to remove relics of incomplete HAProxy integration. + * NOTE: We try to automatically repair a broken HAProxy integration, + * although the user may have deleted some items intentionally. + * As long as the HAProxy integration is enabled we assume that + * this is an error that should *automatically* be fixed. + */ if ($integration_found and !$integration_complete) { // NOTE: We ignore the return value of the del() calls // too keep this as simple as possible. @@ -250,11 +252,10 @@ class SettingsController extends ApiMutableModelControllerBase $acl_uuid = $mdlHAProxy->newAcl( "find_acme_challenge", "Added by Let's Encrypt plugin", - "path_starts_with", + "path_beg", "0", - "/.well-known/acme-challenge/" + array("path_beg" => "/.well-known/acme-challenge/") ); - //$this->getLogger()->error("LE acl: ${acl_uuid}"); // Add a new HAProxy backend $backend_uuid = $mdlHAProxy->newBackend( @@ -266,7 +267,6 @@ class SettingsController extends ApiMutableModelControllerBase "", "" ); - //$this->getLogger()->error("LE backend: ${backend_uuid}"); // Add a new HAProxy action $action_uuid = $mdlHAProxy->newAction( 
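Review bot: The comment rewritten at the top of the `@@ -200` hunk now uses `/** ... */`, which is PHPDoc syntax for documenting a declaration; inside a method body the conventional form is a plain `/* ... */` block or the original `//` lines, otherwise doc tooling may try to bind the block to whatever statement follows. The wording is unchanged, so this is a point of style only; `/*` on the opening line is enough. The enclosing method starts before and ends after this hunk.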
@@ -277,13 +277,9 @@ class SettingsController extends ApiMutableModelControllerBase "and", "use_backend", // Use the new backend uuid in field "useBackend" - $backend_uuid, - "", - "", - "", - "" + array("use_backend" => $backend_uuid) ); - //$this->getLogger()->error("LE action: ${action_uuid}"); + // NOTE: This action is linked to frontends. $action_ref = $action_uuid; @@ -298,7 +294,6 @@ class SettingsController extends ApiMutableModelControllerBase "0", "" ); - //$this->getLogger()->error("LE server: ${server_uuid}"); // Update hidden fields to signal that HAProxy integration is complete. $mdlAcme->settings->haproxyAclRef = $acl_uuid; @@ -308,11 +303,9 @@ class SettingsController extends ApiMutableModelControllerBase // Link new ACL to HAProxy action $link_acl_result = $mdlHAProxy->linkAclToAction($acl_uuid, $action_uuid); - //$this->getLogger()->error("LE link acl result: ${link_acl_result}"); // Link new server to HAProxy backend $link_server_result = $mdlHAProxy->linkServerToBackend($server_uuid, $backend_uuid); - //$this->getLogger()->error("LE link server result: ${link_server_result}"); } // Ensure HAProxy frontend additions have been applied. @@ -321,7 +314,6 @@ class SettingsController extends ApiMutableModelControllerBase if ((string)$validation->enabled == "1" and (string)$validation->method == "http01" and (string)$validation->http_service == "haproxy") { - //$this->getLogger()->error("LE HAProxy DEBUG: checking validation method: " . (string)$validation->name); // Check if HAProxy frontends were specified. if (empty((string)$validation->http_haproxyFrontends)) { // Skip item, no HAProxy frontends were specified. 
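Review bot: In the `@@ -308` hunk `$link_acl_result` and `$link_server_result` are still assigned but, with the debug log lines removed, are never read, so a failed `linkAclToAction()` or `linkServerToBackend()` passes silently while the preceding `@@ -298` hunk has already written `haproxyAclRef` to mark the integration complete. If those helpers report failure through their return value (not visible here), the result should at least be logged, e.g. `if (!$mdlHAProxy->linkAclToAction($acl_uuid, $action_uuid)) { $this->getLogger()->error("LE: failed to link ACL to action"); }`, and ideally checked before the hidden fields are set; otherwise drop the dead assignments. The enclosing method starts and ends outside these hunks.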
@@ -330,7 +322,6 @@ class SettingsController extends ApiMutableModelControllerBase $_frontends = explode(',', $validation->http_haproxyFrontends); // Walk through all linked frontends. foreach ($_frontends as $_frontend) { - //$this->getLogger()->error("LE HAProxy DEBUG: checking frontend: ${_frontend}"); $frontend = $mdlHAProxy->getByFrontendID($_frontend); // Make sure the frontend was found in config. if (!is_null($frontend) && !empty((string)$frontend->id)) { From b60d8dff1310ac05e04b41ae78330c54f356a76b Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 29 Oct 2017 12:18:01 +0100 Subject: [PATCH 5/7] security/acme-client: fix typo --- .../mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml index 69625fbae..ca475bb1f 100644 --- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml +++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml @@ -27,7 +27,7 @@ acmeclient.settings.challengePort text - + true From f33ac735649c043da7a2c42bffe673f4b65d788c Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 29 Oct 2017 12:21:36 +0100 Subject: [PATCH 6/7] security/acme-client: config sync is not supported --- .../src/etc/inc/plugins.inc.d/acmeclient.inc | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc b/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc index 0dc25a115..a210c2f85 100644 --- a/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc +++ b/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc 
@@ -40,7 +40,6 @@ function acmeclient_firewall($fw) return; } - // TODO $fw->registerAnchor('acme-client/*', 'nat'); $fw->registerAnchor('acme-client/*', 'rdr'); $fw->registerAnchor('acme-client/*', 'fw'); @@ -73,18 +72,7 @@ function acmeclient_services() } /** - * sync configuration via xmlrpc - * @return array - */ - -/** -XXX: needs investigation, auto-renewal must be disabled on secondary node(s) -function acmeclient_xmlrpc_sync() -{ - $result = array(); - $result['id'] = 'acmeclient'; - $result['section'] = 'OPNsense.acmeclient'; - $result['description'] = gettext('Let\'s Encrypt client'); - return array($result); -} + * NOTE: Does NOT support configuration sync (xmlrpc). The required acme.sh + * state files are missing on the secondary node and thus all attempts + * to renew a certificate on the secondary node would fail. */ From 8292c8f687c8a4df06c0048ea36a908b88271d7f Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 29 Oct 2017 12:22:10 +0100 Subject: [PATCH 7/7] security/acme-client: bump version --- security/acme-client/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile index a8898c9c7..743c52491 100644 --- a/security/acme-client/Makefile +++ b/security/acme-client/Makefile @@ -1,5 +1,5 @@ PLUGIN_NAME= acme-client -PLUGIN_VERSION= 1.11 +PLUGIN_VERSION= 1.12 PLUGIN_COMMENT= Let's Encrypt client PLUGIN_MAINTAINER= opnsense@moov.de PLUGIN_DEPENDS= acme.sh bind911
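Review bot: The replacement text at the end of the `@@ -73` hunk leaves a free-standing `/** ... */` docblock with no declaration following it inside the hunk; a docblock is conventionally bound to the next symbol, so a plain `// NOTE: ...` or `/* ... */` comment expresses the intent more clearly and avoids it being attributed to an unrelated function if one follows outside the hunk. The message itself is worth keeping as written, since it records why `acmeclient_xmlrpc_sync()` was removed rather than leaving it commented out.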