mirror of
https://github.com/opnsense/plugins.git
synced 2026-05-28 04:34:15 -04:00
security/acme-client: merge version 1.12 from master
"DO IT :D" @fraenki
This commit is contained in:
Franco Fichtner
parent
d970addb77
commit
91dc0bf674
5 changed files with 23 additions and 38 deletions
|
|
@ -1,5 +1,5 @@
|
|||
PLUGIN_NAME= acme-client
|
||||
PLUGIN_VERSION= 1.11
|
||||
PLUGIN_VERSION= 1.12
|
||||
PLUGIN_COMMENT= Let's Encrypt client
|
||||
PLUGIN_MAINTAINER= opnsense@moov.de
|
||||
PLUGIN_DEPENDS= acme.sh bind911
|
||||
|
|
|
|||
|
|
@ -40,7 +40,6 @@ function acmeclient_firewall($fw)
|
|||
return;
|
||||
}
|
||||
|
||||
// TODO
|
||||
$fw->registerAnchor('acme-client/*', 'nat');
|
||||
$fw->registerAnchor('acme-client/*', 'rdr');
|
||||
$fw->registerAnchor('acme-client/*', 'fw');
|
||||
|
|
@ -73,18 +72,7 @@ function acmeclient_services()
|
|||
}
|
||||
|
||||
/**
|
||||
* sync configuration via xmlrpc
|
||||
* @return array
|
||||
*/
|
||||
|
||||
/**
|
||||
XXX: needs investigation, auto-renewal must be disabled on secondary node(s)
|
||||
function acmeclient_xmlrpc_sync()
|
||||
{
|
||||
$result = array();
|
||||
$result['id'] = 'acmeclient';
|
||||
$result['section'] = 'OPNsense.acmeclient';
|
||||
$result['description'] = gettext('Let\'s Encrypt client');
|
||||
return array($result);
|
||||
}
|
||||
* NOTE: Does NOT support configuration sync (xmlrpc). The required acme.sh
|
||||
* state files are missing on the secondary node and thus all attempts
|
||||
* to renew a certificate on the secondary node would fail.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -200,11 +200,13 @@ class SettingsController extends ApiMutableModelControllerBase
|
|||
$this->getLogger()->error("LE check: HAProxy integration is complete");
|
||||
} else {
|
||||
$integration_changes = true;
|
||||
// Check if we need to remove relics of incomplete HAProxy integration.
|
||||
// NOTE: We try to automatically repair a broken HAProxy integration,
|
||||
// although the user may have deleted some items intentionally.
|
||||
// As long as the HAProxy integration is enabled we assume that
|
||||
// this is an error that should *automatically* be fixed.
|
||||
/**
|
||||
* Check if we need to remove relics of incomplete HAProxy integration.
|
||||
* NOTE: We try to automatically repair a broken HAProxy integration,
|
||||
* although the user may have deleted some items intentionally.
|
||||
* As long as the HAProxy integration is enabled we assume that
|
||||
* this is an error that should *automatically* be fixed.
|
||||
*/
|
||||
if ($integration_found and !$integration_complete) {
|
||||
// NOTE: We ignore the return value of the del() calls
|
||||
// too keep this as simple as possible.
|
||||
|
|
@ -250,11 +252,10 @@ class SettingsController extends ApiMutableModelControllerBase
|
|||
$acl_uuid = $mdlHAProxy->newAcl(
|
||||
"find_acme_challenge",
|
||||
"Added by Let's Encrypt plugin",
|
||||
"path_starts_with",
|
||||
"path_beg",
|
||||
"0",
|
||||
"/.well-known/acme-challenge/"
|
||||
array("path_beg" => "/.well-known/acme-challenge/")
|
||||
);
|
||||
//$this->getLogger()->error("LE acl: ${acl_uuid}");
|
||||
|
||||
// Add a new HAProxy backend
|
||||
$backend_uuid = $mdlHAProxy->newBackend(
|
||||
|
|
@ -266,7 +267,6 @@ class SettingsController extends ApiMutableModelControllerBase
|
|||
"",
|
||||
""
|
||||
);
|
||||
//$this->getLogger()->error("LE backend: ${backend_uuid}");
|
||||
|
||||
// Add a new HAProxy action
|
||||
$action_uuid = $mdlHAProxy->newAction(
|
||||
|
|
@ -277,13 +277,9 @@ class SettingsController extends ApiMutableModelControllerBase
|
|||
"and",
|
||||
"use_backend",
|
||||
// Use the new backend uuid in field "useBackend"
|
||||
$backend_uuid,
|
||||
"",
|
||||
"",
|
||||
"",
|
||||
""
|
||||
array("use_backend" => $backend_uuid)
|
||||
);
|
||||
//$this->getLogger()->error("LE action: ${action_uuid}");
|
||||
|
||||
// NOTE: This action is linked to frontends.
|
||||
$action_ref = $action_uuid;
|
||||
|
||||
|
|
@ -298,7 +294,6 @@ class SettingsController extends ApiMutableModelControllerBase
|
|||
"0",
|
||||
""
|
||||
);
|
||||
//$this->getLogger()->error("LE server: ${server_uuid}");
|
||||
|
||||
// Update hidden fields to signal that HAProxy integration is complete.
|
||||
$mdlAcme->settings->haproxyAclRef = $acl_uuid;
|
||||
|
|
@ -308,11 +303,9 @@ class SettingsController extends ApiMutableModelControllerBase
|
|||
|
||||
// Link new ACL to HAProxy action
|
||||
$link_acl_result = $mdlHAProxy->linkAclToAction($acl_uuid, $action_uuid);
|
||||
//$this->getLogger()->error("LE link acl result: ${link_acl_result}");
|
||||
|
||||
// Link new server to HAProxy backend
|
||||
$link_server_result = $mdlHAProxy->linkServerToBackend($server_uuid, $backend_uuid);
|
||||
//$this->getLogger()->error("LE link server result: ${link_server_result}");
|
||||
}
|
||||
|
||||
// Ensure HAProxy frontend additions have been applied.
|
||||
|
|
@ -321,7 +314,6 @@ class SettingsController extends ApiMutableModelControllerBase
|
|||
if ((string)$validation->enabled == "1" and
|
||||
(string)$validation->method == "http01" and
|
||||
(string)$validation->http_service == "haproxy") {
|
||||
//$this->getLogger()->error("LE HAProxy DEBUG: checking validation method: " . (string)$validation->name);
|
||||
// Check if HAProxy frontends were specified.
|
||||
if (empty((string)$validation->http_haproxyFrontends)) {
|
||||
// Skip item, no HAProxy frontends were specified.
|
||||
|
|
@ -330,7 +322,6 @@ class SettingsController extends ApiMutableModelControllerBase
|
|||
$_frontends = explode(',', $validation->http_haproxyFrontends);
|
||||
// Walk through all linked frontends.
|
||||
foreach ($_frontends as $_frontend) {
|
||||
//$this->getLogger()->error("LE HAProxy DEBUG: checking frontend: ${_frontend}");
|
||||
$frontend = $mdlHAProxy->getByFrontendID($_frontend);
|
||||
// Make sure the frontend was found in config.
|
||||
if (!is_null($frontend) && !empty((string)$frontend->id)) {
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@
|
|||
<id>acmeclient.settings.challengePort</id>
|
||||
<label>Local HTTP Port</label>
|
||||
<type>text</type>
|
||||
<help><![CDATA[When using HTTP-01 as validation method, a local webserver is used to provide acme challenge data to the Let's Encrypt servers. This setting allows you to change the local port of this webserver in case it interferes with another local services. Defaults to port 43580.]]></help>
|
||||
<help><![CDATA[When using HTTP-01 as validation method, a local webserver is used to provide acme challenge data to the Let's Encrypt servers. The local webserver is NOT directly exposed to the outside and should NOT use port 80 or any other well-known port. This setting allows you to change the local port of this webserver in case it interferes with another local service. Defaults to port 43580.]]></help>
|
||||
<advanced>true</advanced>
|
||||
</field>
|
||||
<field>
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
<model>
|
||||
|
||||
<mount>//OPNsense/AcmeClient</mount>
|
||||
<version>1.1.0</version>
|
||||
<version>1.2.0</version>
|
||||
<description>
|
||||
a secure Let's Encrypt plugin
|
||||
</description>
|
||||
|
|
@ -430,6 +430,12 @@
|
|||
<dns_gd_secret type="TextField">
|
||||
<Required>N</Required>
|
||||
</dns_gd_secret>
|
||||
<dns_he_user type="TextField">
|
||||
<Required>N</Required>
|
||||
</dns_he_user>
|
||||
<dns_he_password type="TextField">
|
||||
<Required>N</Required>
|
||||
</dns_he_password>
|
||||
<dns_ispconfig_user type="TextField">
|
||||
<Required>N</Required>
|
||||
</dns_ispconfig_user>
|
||||
|
|
|
|||
Loading…
Reference in a new issue