github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-14 10:37:42 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'pr/34'

Browse source
This commit is contained in:
Peca 2019-08-10 17:09:42 +02:00
commit db8b4ed21e
613 changed files with 18898 additions and 7319 deletions
Download patch file Download diff file Expand all files Collapse all files

3
bin/v-add-backup-host
View file

@ -38,8 +38,7 @@ EOF
sftpc() {
expect -f "-" <<EOF "$@"
set count 0
spawn "/usr/bin/sftp -o StrictHostKeyChecking=no -o \
Port=$port '$user@$host'"
spawn /usr/bin/sftp -o StrictHostKeyChecking=no -o Port=$port $user@$host
expect {
"password:" {
send "$password\r"

8
bin/v-add-dns-record
View file

@ -45,10 +45,12 @@ if [[ $rtype =~ NS|CNAME|MX|PTR|SRV ]]; then
fi
fi
dvalue=${dvalue//\"/}
if [ $rtype != "CAA" ]; then
dvalue=${dvalue//\"/}
if [[ "$dvalue" =~ [\;[:space:]] ]]; then
dvalue='"'"$dvalue"'"'
if [[ "$dvalue" =~ [\;[:space:]] ]]; then
dvalue='"'"$dvalue"'"'
fi
fi
# Additional argument formatting

8
bin/v-add-firewall-chain
View file

@ -47,7 +47,13 @@ is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
# Checking known chains
case $chain in
SSH) port=22; protocol=TCP ;;
SSH) # Get ssh port by reading ssh config file.
sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
if [ -z "$sshport" ]; then
sshport=22
fi
port=$sshport;
protocol=TCP ;;
FTP) port=21; protocol=TCP ;;
MAIL) port='25,465,587,2525,110,995,143,993'; protocol=TCP ;;
DNS) port=53; protocol=UDP ;;

254
bin/v-add-letsencrypt-domain
View file

@ -1,13 +1,8 @@
#!/bin/bash
# info: adding letsencrypt ssl cetificate for domain
# options: USER DOMAIN [ALIASES] [RESTART] [NOTIFY]
# info: check letsencrypt domain
# options: USER DOMAIN [ALIASES]
#
# The function turns on SSL support for a domain. Parameter ssl_dir is a path
# to directory where 2 or 3 ssl files can be found. Certificate file
# domain.tld.crt and its key domain.tld.key are mandatory. Certificate
# authority domain.tld.ca file is optional. If home directory parameter
# (ssl_home) is not set, https domain uses public_shtml as separate
# documentroot directory.
# The function check and validates domain with Let's Encript
#----------------------------------------------------------#
@ -18,8 +13,9 @@
user=$1
domain=$2
aliases=$3
restart=$4
notify=$5
# LE API
API='https://acme-v02.api.letsencrypt.org'
# Includes
source $VESTA/func/main.sh
@ -27,30 +23,67 @@ source $VESTA/func/domain.sh
source $VESTA/conf/vesta.conf
# Additional argument formatting
format_domain_idn
format_identifier_idn() {
identifier_idn=$identifier
if [[ "$identifier_idn" = *[![:ascii:]]* ]]; then
identifier_idn=$(idn -t --quiet -a $identifier_idn)
fi
}
# encode base64
encode_base64() {
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}
# Let's Encrypt v2 curl function
query_le_v2() {
protected='{"nonce": "'$3'",'
protected=''$protected' "url": "'$1'",'
protected=''$protected' "alg": "RS256", "kid": "'$KID'"}'
content="Content-Type: application/jose+json"
payload_=$(echo -n "$2" |encode_base64)
protected_=$(echo -n "$protected" |encode_base64)
signature_=$(printf "%s" "$protected_.$payload_" |\
openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
encode_base64)
post_data='{"protected":"'"$protected_"'",'
post_data=$post_data'"payload":"'"$payload_"'",'
post_data=$post_data'"signature":"'"$signature_"'"}'
curl -s -i -d "$post_data" "$1" -H "$content"
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN [ALIASES] [RESTART] [NOTIFY]'
is_format_valid 'user' 'domain'
check_args '2' "$#" 'USER DOMAIN [ALIASES]'
is_format_valid 'user' 'domain' 'aliases'
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
is_system_enabled "$WEB_SSL" 'SSL_SUPPORT'
is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
is_object_valid 'web' 'DOMAIN' "$domain"
is_object_unsuspended 'web' 'DOMAIN' "$domain"
get_domain_values 'web'
# check if alias is the letsencrypt wildcard domain, if not, make the normal checks
if [[ "$aliases" != "*.$domain" ]]; then
for alias in $(echo "$aliases" |tr ',' '\n' |sort -u); do
check_alias="$(echo $ALIAS |tr ',' '\n' |grep ^$alias$)"
if [ -z "$check_alias" ]; then
check_result $E_NOTEXIST "domain alias $alias doesn't exist"
fi
done
fi;
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Parsing domain data
get_domain_values 'web'
# Registering LetsEncrypt user account
$BIN/v-add-letsencrypt-user $user
if [ "$?" -ne 0 ]; then
@ -62,53 +95,153 @@ fi
# Parsing LetsEncrypt account data
source $USER_DATA/ssl/le.conf
email=$EMAIL
# Validating domain and aliases
i=1
for alias in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
$BIN/v-check-letsencrypt-domain $user $alias
if [ "$?" -ne 0 ]; then
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
send_notice "LETSENCRYPT" "$alias validation failed"
check_result $E_INVALID "LE domain validation" >/dev/null
# Checking wildcard alias
if [ "$aliases" = "*.$domain" ]; then
wildcard='yes'
proto="dns-01"
if [ ! -e "$VESTA/data/users/$user/dns/$domain.conf" ]; then
check_result $E_NOTEXIST "DNS domain $domain doesn't exist"
fi
else
proto="http-01"
fi
# Requesting nonce / STEP 1
answer=$(curl -s -I "$API/directory")
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
if [[ "$status" -ne 200 ]]; then
check_result $E_CONNECT "Let's Encrypt nonce request status $status"
fi
# Placing new order / STEP 2
url="$API/acme/new-order"
payload='{"identifiers":['
for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
format_identifier_idn
payload=$payload'{"type":"dns","value":"'$identifier_idn'"},'
done
payload=$(echo "$payload"|sed "s/,$//")
payload=$payload']}'
answer=$(query_le_v2 "$url" "$payload" "$nonce")
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
authz=$(echo "$answer" |grep "acme/authz" |cut -f2 -d '"')
finalize=$(echo "$answer" |grep 'finalize":' |cut -f4 -d '"')
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
if [[ "$status" -ne 201 ]]; then
check_result $E_CONNECT "Let's Encrypt new auth status $status"
fi
# Requesting authorization token / STEP 3
for auth in $authz; do
payload=''
answer=$(query_le_v2 "$auth" "$payload" "$nonce")
url=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \")
token=$(echo "$answer" |grep -A3 $proto |grep token |cut -f 4 -d \")
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
if [[ "$status" -ne 200 ]]; then
check_result $E_CONNECT "Let's Encrypt acme/authz bad status $status"
fi
# Checking LE limits per account
if [ "$i" -gt 100 ]; then
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
send_notice 'LETSENCRYPT' 'Limit of domains per account is reached'
check_result $E_LIMIT "LE can't sign more than 100 domains"
# Accepting challenge / STEP 4
if [ "$wildcard" = 'yes' ]; then
record=$(printf "%s" "$token.$THUMB" |\
openssl dgst -sha256 -binary |encode_base64)
old_records=$($BIN/v-list-dns-records $user $domain plain|grep 'TXT')
old_records=$(echo "$old_records" |grep _acme-challenge |cut -f 1)
for old_record in $old_records; do
$BIN/v-delete-dns-record $user $domain $old_record
done
$BIN/v-add-dns-record $user $domain "_acme-challenge" "TXT" $record
check_result $? "DNS _acme-challenge record wasn't created"
else
if [ "$WEB_SYSTEM" = 'nginx' ] || [ ! -z "$PROXY_SYSTEM" ]; then
conf="$HOMEDIR/$user/conf/web/nginx.$domain.conf_letsencrypt"
sconf="$HOMEDIR/$user/conf/web/snginx.$domain.conf_letsencrypt"
if [ ! -e "$conf" ]; then
echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' \
> $conf
echo ' default_type text/plain;' >> $conf
echo ' return 200 "$1.'$THUMB'";' >> $conf
echo '}' >> $conf
fi
if [ ! -e "$sconf" ]; then
ln -s "$conf" "$sconf"
fi
$BIN/v-restart-proxy
check_result $? "Proxy restart failed" >/dev/null
else
well_known="$HOMEDIR/$user/web/$domain/public_html/.well-known"
acme_challenge="$well_known/acme-challenge"
mkdir -p $acme_challenge
echo "$token.$THUMB" > $acme_challenge/$token
chown -R $user:$user $well_known
fi
$BIN/v-restart-web
check_result $? "Web restart failed" >/dev/null
fi
# Requesting ACME validation / STEP 5
validation_check=$(echo "$answer" |grep '"valid"')
if [[ ! -z "$validation_check" ]]; then
validation='valid'
else
validation='pending'
fi
# Doing pol check on status
i=1
while [ "$validation" = 'pending' ]; do
payload='{}'
answer=$(query_le_v2 "$url" "$payload" "$nonce")
validation=$(echo "$answer"|grep -A1 $proto |tail -n1|cut -f4 -d \")
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
if [[ "$status" -ne 200 ]]; then
check_result $E_CONNECT "Let's Encrypt validation status $status"
fi
i=$((i + 1))
if [ "$i" -gt 10 ]; then
check_result $E_CONNECT "Let's Encrypt domain validation timeout"
fi
sleep 1
done
if [ "$validation" = 'invalid' ]; then
check_result $E_CONNECT "Let's Encrypt domain verification failed"
fi
i=$((i++))
done
# Generating CSR
ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "$email" "US" "California" \
# Generating new ssl certificate
ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "info@$domain" "US" "California"\
"San Francisco" "Vesta" "IT" "$aliases" |tail -n1 |awk '{print $2}')
# Signing CSR
crt=$($BIN/v-sign-letsencrypt-csr $user $domain $ssl_dir)
if [ "$?" -ne 0 ]; then
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
send_notice "LETSENCRYPT" "$alias validation failed"
check_result "$E_INVALID" "LE $domain validation"
# Sending CSR to finalize order / STEP 6
csr=$(openssl req -in $ssl_dir/$domain.csr -outform DER |encode_base64)
payload='{"csr":"'$csr'"}'
answer=$(query_le_v2 "$finalize" "$payload" "$nonce")
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
certificate=$(echo "$answer"|grep 'certificate":' |cut -f4 -d '"')
if [[ "$status" -ne 200 ]]; then
check_result $E_CONNECT "Let's Encrypt finalize bad status $status"
fi
echo "$crt" > $ssl_dir/$domain.crt
# Dowloading CA certificate
le_certs='https://letsencrypt.org/certs'
x1='lets-encrypt-x1-cross-signed.pem.txt'
x3='lets-encrypt-x3-cross-signed.pem.txt'
issuer=$(openssl x509 -text -in $ssl_dir/$domain.crt |grep "Issuer:")
if [ -z "$(echo $issuer|grep X3)" ]; then
curl -s $le_certs/$x1 > $ssl_dir/$domain.ca
else
curl -s $le_certs/$x3 > $ssl_dir/$domain.ca
fi
# Downloading signed certificate / STEP 7
curl -s "$certificate" -o $ssl_dir/$domain.pem
# Splitting up downloaded pem
crt_end=$(grep -n END $ssl_dir/$domain.pem |head -n1 |cut -f1 -d:)
head -n $crt_end $ssl_dir/$domain.pem > $ssl_dir/$domain.crt
pem_lines=$(wc -l $ssl_dir/$domain.pem |cut -f 1 -d ' ')
ca_end=$(grep -n "BEGIN" $ssl_dir/$domain.pem |tail -n1 |cut -f 1 -d :)
ca_end=$(( pem_lines - crt_end + 1 ))
tail -n $ca_end $ssl_dir/$domain.pem > $ssl_dir/$domain.ca
# Adding SSL
ssl_home=$(search_objects 'web' 'LETSENCRYPT' 'yes' 'SSL_HOME')
@ -140,18 +273,13 @@ update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT' 'yes'
# Vesta #
#----------------------------------------------------------#
# Restarting web
$BIN/v-restart-web $restart
if [ "$?" -ne 0 ]; then
send_notice 'LETSENCRYPT' "web server needs to be restarted manually"
fi
# Deleteing task from queue
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
# Notifying user
send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully"
# Deleteing task from queue
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
# Logging
log_event "$OK" "$ARGUMENTS"

161
bin/v-add-letsencrypt-user Executable file → Normal file
View file

@ -1,8 +1,8 @@
#!/bin/bash
# info: register letsencrypt user account
# options: USER [TYPE]
# options: USER
#
# The function creates and register LetsEncript account key
# The function creates and register LetsEncript account
#----------------------------------------------------------#
@ -11,8 +11,9 @@
# Argument definition
user=$1
type=${2-1}
key_size=4096
# LE API
API='https://acme-v02.api.letsencrypt.org'
# Includes
source $VESTA/func/main.sh
@ -23,22 +24,39 @@ encode_base64() {
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}
# Let's Encrypt v2 curl function
query_le_v2() {
protected='{"nonce": "'$3'",'
protected=''$protected' "url": "'$1'",'
protected=''$protected' "alg": "RS256", "jwk": '$jwk'}'
content="Content-Type: application/jose+json"
payload_=$(echo -n "$2" |encode_base64)
protected_=$(echo -n "$protected" |encode_base64)
signature_=$(printf "%s" "$protected_.$payload_" |\
openssl dgst -sha256 -binary -sign $USER_DATA/ssl/user.key |\
encode_base64)
post_data='{"protected":"'"$protected_"'",'
post_data=$post_data'"payload":"'"$payload_"'",'
post_data=$post_data'"signature":"'"$signature_"'"}'
curl -s -i -d "$post_data" "$1" -H "$content"
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '1' "$#" 'USER [TYPE]'
check_args '1' "$#" 'USER'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"
if [ -e "$USER_DATA/ssl/le.conf" ]; then
source "$USER_DATA/ssl/le.conf"
if [ "$type" -eq 1 ] && [ ! -z "$EMAIL" ]; then
exit
fi
if [ "$type" -eq 2 ] && [ ! -z "$KID" ]; then
exit
fi
fi
if [ ! -z "$KID" ]; then
exit
fi
@ -46,108 +64,57 @@ fi
# Action #
#----------------------------------------------------------#
# Defining LE API endpoint
if [ "$type" -eq 1 ]; then
api='https://acme-v01.api.letsencrypt.org'
else
api='https://acme-v02.api.letsencrypt.org'
fi
# Defining user email
if [ $type -eq 1 ]; then
email=$(get_user_value '$CONTACT')
if [[ -z "$EMAIL" ]]; then
EMAIL=$(get_user_value '$CONTACT')
fi
# Defining user agreement
if [ "$type" -eq 1 ]; then
agreement=$(curl -s -I "$api/terms" |grep Location |\
cut -f 2 -d \ |tr -d '\r\n')
else
#agreement=$(curl -s "$api/directory" |grep termsOfService |\
# cut -f 4 -d '"')
agreement=''
fi
agreement=''
# Generating user key
key="$USER_DATA/ssl/user.key"
if [ ! -e "$key" ]; then
openssl genrsa -out $key $key_size >/dev/null 2>&1
chmod 600 $key
KEY="$USER_DATA/ssl/user.key"
if [ ! -e "$KEY" ]; then
openssl genrsa -out $KEY 4096 >/dev/null 2>&1
chmod 600 $KEY
fi
# Defining key exponent
if [ -z "$EXPONENT" ]; then
exponent=$(openssl pkey -inform pem -in "$key" -noout -text_pub |\
EXPONENT=$(openssl pkey -inform pem -in "$KEY" -noout -text_pub |\
grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
xxd -r -p |encode_base64)
else
exponent="$EXPONENT"
fi
# Defining key modulus
if [ -z "$MODULUS" ]; then
modulus=$(openssl rsa -in "$key" -modulus -noout |\
MODULUS=$(openssl rsa -in "$KEY" -modulus -noout |\
sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
else
modulus="$MODULUS"
fi
# Defining JWK token
jwk='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
# Defining JWK
jwk='{"e":"'$EXPONENT'","kty":"RSA","n":"'"$MODULUS"'"}'
# Defining key thumbnail
if [ -z "$THUMB" ]; then
thumb="$(echo -n "$jwk" |openssl dgst -sha256 -binary |encode_base64)"
else
thumb="$THUMB"
THUMB="$(echo -n "$jwk" |openssl dgst -sha256 -binary |encode_base64)"
fi
# Requesting ACME nonce
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')
nonce=$(curl -s -I "$API/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')
# Defining payload and protected data for v1 and v2
if [ "$type" -eq 1 ]; then
header='{"alg":"RS256","jwk":'"$jwk"'}'
protected='{"nonce":"'"$nonce"'"}'
payload='{"resource":"new-reg","contact":["mailto:'"$email"'"],'
payload=$payload'"agreement":"'$agreement'"}'
# Creating ACME account
url="$API/acme/new-acct"
payload='{"termsOfServiceAgreed": true}'
answer=$(query_le_v2 "$url" "$payload" "$nonce")
kid=$(echo "$answer" |grep Location: |cut -f2 -d ' '|tr -d '\r')
else
protected='{"nonce": "'$nonce'",'
protected=''$protected' "url": "'$api/acme/new-acct'",'
protected=''$protected' "alg": "RS256", "jwk": '$jwk'}'
payload='{"termsOfServiceAgreed": true}'
fi
# Encoding data
protected=$(echo -n "$protected" |encode_base64)
payload=$(echo -n "$payload" |encode_base64)
# Signing request
signature=$(printf "%s" "$protected.$payload" |\
openssl dgst -sha256 -binary -sign "$key" |\
encode_base64)
if [ "$type" -eq 1 ]; then
data='{"header":'"$header"',"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
answer=$(curl -s -i -d "$data" "$api/acme/new-reg")
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
else
data='{"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'",'
data=$data'"signature":"'"$signature"'"}'
answer=$(curl -s -i -d "$data" "$api/acme/new-acct" \
-H "Content-Type: application/jose+json")
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
kid=$(echo "$answer" |grep Location: |cut -f2 -d ' '|tr -d '\r')
fi
# Checking http answer status
if [[ "${status:0:2}" -ne "20" ]] && [[ "$status" -ne "409" ]]; then
check_result $E_CONNECT "LetsEncrypt account registration $status"
# Checking answer status
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
if [[ "${status:0:2}" -ne "20" ]]; then
check_result $E_CONNECT "Let's Encrypt acc registration failed $status"
fi
@ -157,25 +124,15 @@ fi
# Adding le.conf
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
echo "EXPONENT='$exponent'" > $USER_DATA/ssl/le.conf
echo "MODULUS='$modulus'" >> $USER_DATA/ssl/le.conf
echo "THUMB='$thumb'" >> $USER_DATA/ssl/le.conf
if [ "$type" -eq 1 ]; then
echo "EMAIL='$email'" >> $USER_DATA/ssl/le.conf
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
else
echo "EMAIL='$email'" >> $USER_DATA/ssl/le.conf
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
fi
echo "EXPONENT='$EXPONENT'" > $USER_DATA/ssl/le.conf
echo "MODULUS='$MODULUS'" >> $USER_DATA/ssl/le.conf
echo "THUMB='$THUMB'" >> $USER_DATA/ssl/le.conf
echo "EMAIL='$EMAIL'" >> $USER_DATA/ssl/le.conf
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
chmod 660 $USER_DATA/ssl/le.conf
else
if [ "$type" -eq 1 ]; then
sed -i '/^EMAIL=/d' $USER_DATA/ssl/le.conf
echo "EMAIL='$email'" >> $USER_DATA/ssl/le.conf
else
sed -i '/^KID=/d' $USER_DATA/ssl/le.conf
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
fi
sed -i '/^KID=/d' $USER_DATA/ssl/le.conf
echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
fi
# Logging

106
bin/v-add-sys-mail-ssl Executable file
View file

@ -0,0 +1,106 @@
#!/bin/bash
# info: copy mail ssl certificate
# options: USER DOMAIN [RESTART]
#
# The function copies user domain SSL to mail SSL directory
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
domain=$2
restart=$3
# Includes
source $VESTA/func/main.sh
source $VESTA/func/domain.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN [RESTART]'
is_format_valid 'user' 'domain'
is_system_enabled "$MAIL_SYSTEM" 'MAIL_SYSTEM'
is_object_valid 'user' 'USER' "$user"
is_object_valid 'web' 'DOMAIN' "$domain"
is_object_value_exist 'web' 'DOMAIN' "$domain" '$SSL'
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Defining certificate location
dom_crt="/home/$user/conf/web/ssl.$domain.pem"
dom_key="/home/$user/conf/web/ssl.$domain.key"
vst_crt="$VESTA/ssl/mail.crt"
vst_key="$VESTA/ssl/mail.key"
# Checking certificate
if [ ! -e "$dom_crt" ] || [ ! -e "$dom_key" ]; then
check_result $E_NOTEXIST "$domain certificate doesn't exist"
fi
# Checking difference
diff $dom_crt $vst_crt >/dev/null 2>&1
if [ $? -ne 0 ]; then
rm -f $vst_crt.old $vst_key.old
mv $vst_crt $vst_crt.old >/dev/null 2>&1
mv $vst_key $vst_key.old >/dev/null 2>&1
cp $dom_crt $vst_crt 2>/dev/null
cp $dom_key $vst_key 2>/dev/null
chown root:mail $vst_crt $vst_key
else
restart=no
fi
# Updating mail certificate
case $MAIL_SYSTEM in
exim) conf='/etc/exim/exim.conf';;
exim4) conf='/etc/exim4/exim4.conf.template';;
esac
if [ -e "$conf" ]; then
sed -e "s|^tls_certificate.*|tls_certificate = $vst_crt|" \
-e "s|^tls_privatekey.*|tls_privatekey = $vst_key|" -i $conf
fi
# Updating imap certificate
conf="/etc/dovecot/conf.d/10-ssl.conf"
if [ ! -z "$IMAP_SYSTEM" ] && [ -e "$conf" ]; then
sed -e "s|ssl_cert.*|ssl_cert = <$vst_crt|" \
-e "s|ssl_key.*|ssl_key = <$vst_key|" -i $conf
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Restarting services
if [ "$restart" != 'no' ]; then
if [ ! -z "$MAIL_SYSTEM" ]; then
$BIN/v-restart-service $MAIL_SYSTEM
fi
if [ ! -z "$IMAP_SYSTEM" ]; then
$BIN/v-restart-service $IMAP_SYSTEM
fi
fi
# Updating vesta.conf
if [ -z "$(grep MAIL_CERTIFICATE $VESTA/conf/vesta.conf)" ]; then
echo "MAIL_CERTIFICATE='$user:$domain'" >> $VESTA/conf/vesta.conf
else
sed -i "s/MAIL_CERTIFICATE.*/MAIL_CERTIFICATE='$user:$domain'/g" \
$VESTA/conf/vesta.conf
fi
# Logging
log_event "$OK" "$ARGUMENTS"
exit

97
bin/v-add-sys-vesta-ssl Executable file
View file

@ -0,0 +1,97 @@
#!/bin/bash
# info: add vesta ssl certificate
# options: USER DOMAIN [RESTART]
#
# The function copies user domain SSL to vesta SSL directory
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
domain=$2
restart=$3
# Includes
source $VESTA/func/main.sh
source $VESTA/func/domain.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN [RESTART]'
is_format_valid 'user' 'domain'
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
is_object_valid 'user' 'USER' "$user"
is_object_valid 'web' 'DOMAIN' "$domain"
is_object_value_exist 'web' 'DOMAIN' "$domain" '$SSL'
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Defining certificate location
dom_crt="/home/$user/conf/web/ssl.$domain.pem"
dom_key="/home/$user/conf/web/ssl.$domain.key"
vst_crt="$VESTA/ssl/certificate.crt"
vst_key="$VESTA/ssl/certificate.key"
# Checking certificate
if [ ! -e "$dom_crt" ] || [ ! -e "$dom_key" ]; then
check_result $E_NOTEXIST "$domain certificate doesn't exist"
fi
# Checking difference
diff $dom_crt $vst_crt >/dev/null 2>&1
if [ $? -ne 0 ]; then
rm -f $vst_crt.old $vst_key.old
mv $vst_crt $vst_crt.old
mv $vst_key $vst_key.old
cp $dom_crt $vst_crt 2>/dev/null
cp $dom_key $vst_key 2>/dev/null
chown root:mail $vst_crt $vst_key
else
restart=no
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Restarting services
if [ "$restart" != 'no' ]; then
if [ ! -z "$MAIL_SYSTEM" ] && [ -z "$MAIL_CERTIFICATE" ]; then
$BIN/v-restart-service $MAIL_SYSTEM
fi
if [ ! -z "$IMAP_SYSTEM" ] && [ -z "$MAIL_CERTIFICATE" ]; then
$BIN/v-restart-service $IMAP_SYSTEM
fi
if [ ! -z "$FTP_SYSTEM" ]; then
$BIN/v-restart-service "$FTP_SYSTEM"
fi
if [ -e "/var/run/vesta-nginx.pid" ]; then
kill -HUP $(cat /var/run/vesta-nginx.pid)
else
service vesta restart
fi
fi
# Updating vesta.conf
if [ -z "$(grep VESTA_CERTIFICATE $VESTA/conf/vesta.conf)" ]; then
echo "VESTA_CERTIFICATE='$user:$domain'" >> $VESTA/conf/vesta.conf
else
sed -i "s/VESTA_CERTIFICATE.*/VESTA_CERTIFICATE='$user:$domain'/g" \
$VESTA/conf/vesta.conf
fi
# Logging
log_event "$OK" "$ARGUMENTS"
exit

6
bin/v-add-web-domain
View file

@ -63,7 +63,7 @@ fi
source $USER_DATA/user.conf
# Creating domain directories
mkdir -p $HOMEDIR/$user/web/$domain \
sudo -u $user mkdir -p $HOMEDIR/$user/web/$domain \
$HOMEDIR/$user/web/$domain/public_html \
$HOMEDIR/$user/web/$domain/public_shtml \
$HOMEDIR/$user/web/$domain/document_errors \
@ -80,7 +80,7 @@ ln -f -s /var/log/$WEB_SYSTEM/domains/$domain.*log \
$HOMEDIR/$user/web/$domain/logs/
# Adding domain skeleton
cp -r $WEBTPL/skel/* $HOMEDIR/$user/web/$domain/ >/dev/null 2>&1
sudo -u $user cp -r $WEBTPL/skel/* $HOMEDIR/$user/web/$domain/ >/dev/null 2>&1
for file in $(find "$HOMEDIR/$user/web/$domain/" -type f); do
sed -i "s/%domain%/$domain/g" $file
done
@ -91,7 +91,7 @@ chown root:$user /var/log/$WEB_SYSTEM/domains/$domain.* $conf
chmod 640 /var/log/$WEB_SYSTEM/domains/$domain.*
chmod 751 $HOMEDIR/$user/web/$domain $HOMEDIR/$user/web/$domain/*
chmod 551 $HOMEDIR/$user/web/$domain/stats $HOMEDIR/$user/web/$domain/logs
chmod 644 $HOMEDIR/$user/web/$domain/public_*html/*
chmod 644 $HOMEDIR/$user/web/$domain/public_*html/*.*
# Addding PHP-FPM backend
if [ ! -z "$WEB_BACKEND" ]; then

16
bin/v-add-web-domain-ssl
View file

@ -120,6 +120,22 @@ check_result $? "Web restart failed" >/dev/null
$BIN/v-restart-proxy $restart
check_result $? "Proxy restart failed" >/dev/null
# Updating system ssl dependencies
if [ ! -z "$VESTA_CERTIFICATE" ]; then
crt_user=$(echo "$VESTA_CERTIFICATE" |cut -f 1 -d :)
crt_domain=$(echo "$VESTA_CERTIFICATE" |cut -f 2 -d :)
if [ "$user" = "$crt_user" ] && [ "$domain" = "$crt_domain" ]; then
$BIN/v-add-sys-vesta-ssl $user $domain >/dev/null 2>&1
fi
fi
if [ ! -z "$MAIL_CERTIFICATE" ]; then
crt_user=$(echo "$MAIL_CERTIFICATE" |cut -f 1 -d :)
crt_domain=$(echo "$MAIL_CERTIFICATE" |cut -f 2 -d :)
if [ "$user" = "$crt_user" ] && [ "$domain" = "$crt_domain" ]; then
$BIN/v-add-sys-mail-ssl $user $domain >/dev/null 2>&1
fi
fi
if [ ! -z "$UPDATE_HOSTNAME_SSL" ] && [ "$UPDATE_HOSTNAME_SSL" = "yes" ]; then
hostname=$(hostname)
if [ "$hostname" = "$domain" ]; then

18
bin/v-backup-user
View file

@ -210,7 +210,7 @@ if [ ! -z "$WEB_SYSTEM" ] && [ "$WEB" != '*' ]; then
exlusion=$(echo -e "$WEB" |tr ',' '\n' |grep "^$domain:")
set -f
fargs=()
fargs+=(--exclude='logs/*')
fargs+=(--exclude='./logs/*')
if [ ! -z "$exlusion" ]; then
xdirs="$(echo -e "$exlusion" |tr ':' '\n' |grep -v $domain)"
for xpath in $xdirs; do
@ -228,7 +228,7 @@ if [ ! -z "$WEB_SYSTEM" ] && [ "$WEB" != '*' ]; then
set +f
# Backup files
tar -cpf- ${fargs[@]} * |gzip -$BACKUP_GZIP - > $tmpdir/web/$domain/domain_data.tar.gz
tar --anchored -cpf- ${fargs[@]} * |gzip -$BACKUP_GZIP - > $tmpdir/web/$domain/domain_data.tar.gz
done
# Print total
@ -466,11 +466,15 @@ if [ "$USER" != '*' ]; then
fi
fargs=()
for xpath in $(echo "$USER" |tr ',' '\n'); do
fargs+=(-not)
fargs+=(-path)
fargs+=("./$xpath*")
echo "$(date "+%F %T") excluding directory $xpath" |\
if [ -d "$xpath" ]; then
fargs+=(--exclude=$xpath/*)
echo "$(date "+%F %T") excluding directory $xpath" |\
tee -a $BACKUP/$user.log
else
echo "$(date "+%F %T") excluding file $xpath" |\
tee -a $BACKUP/$user.log
fargs+=(--exclude=$xpath)
fi
done
IFS=$'\n'
@ -487,7 +491,7 @@ if [ "$USER" != '*' ]; then
wait_for_backup_if_it_is_not_time_for_backup
# Backup files and dirs
tar -cpf- $udir |gzip -$BACKUP_GZIP - > $tmpdir/user_dir/$udir.tar.gz
tar --anchored -cpf- ${fargs[@]} $udir |gzip -$BACKUP_GZIP - > $tmpdir/user_dir/$udir.tar.gz
fi
done
set +f

12
bin/v-change-sys-service-config
View file

@ -95,13 +95,21 @@ if [ "$update" = 'yes' ] && [ "$restart" != 'no' ]; then
if [ "$service" = 'php' ]; then
if [ "$WEB_SYSTEM" = "nginx" ]; then
service=$(ls /etc/init.d/php*fpm* |cut -f 4 -d / |sed -n 1p)
if [ $(ps --no-headers -o comm 1) == systemd ]; then
service=$(systemctl | grep -o -E "php.*fpm.*\.service")
service=${service//.service/}
else
service=$(ls /etc/init.d/php*fpm* |cut -f 4 -d /)
fi
else
service=$WEB_SYSTEM
fi
fi
service $service restart >/dev/null 2>&1
for single_service in $service; do
service $single_service restart >/dev/null 2>&1
done <<< "$service"
if [ $? -ne 0 ]; then
for config in $dst; do
cat $config.vst.back > $config

162
bin/v-check-letsencrypt-domain
View file

@ -1,162 +0,0 @@
#!/bin/bash
# info: check letsencrypt domain
# options: USER DOMAIN
#
# The function check and validates domain with LetsEncript
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
domain=$2
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
# encode base64
encode_base64() {
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}
# Additional argument formatting
format_domain_idn
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN'
is_format_valid 'user' 'domain'
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
check_result $E_NOTEXIST "LetsEncrypt key doesn't exist"
fi
rdomain=$(egrep "'$domain'|'$domain,|,$domain,|,$domain'" $USER_DATA/web.conf)
if [ -z "$rdomain" ]; then
check_result $E_NOTEXIST "domain $domain doesn't exist"
fi
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
source $USER_DATA/ssl/le.conf
api='https://acme-v01.api.letsencrypt.org'
r_domain=$(echo "$rdomain" |cut -f 2 -d \')
key="$USER_DATA/ssl/user.key"
exponent="$EXPONENT"
modulus="$MODULUS"
thumb="$THUMB"
# Defining JWK header
header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
header='{"alg":"RS256","jwk":'"$header"'}'
# Requesting nonce
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
# Defining ACME query (request challenge)
query='{"resource":"new-authz","identifier"'
query=$query':{"type":"dns","value":"'"$domain_idn"'"}}'
payload=$(echo -n "$query" |encode_base64)
signature=$(printf "%s" "$protected.$payload" |\
openssl dgst -sha256 -binary -sign "$key" |encode_base64)
data='{"header":'"$header"',"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
# Sending request to LetsEncrypt API
answer=$(curl -s -i -d "$data" "$api/acme/new-authz")
# Checking http answer status
status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
if [[ "$status" -ne "201" ]]; then
check_result $E_CONNECT "LetsEncrypt challenge request $status"
fi
# Parsing domain nonce,token and uri
nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
token=$(echo "$answer" |grep -A 3 http-01 |grep token |cut -f 4 -d \")
uri=$(echo "$answer" |grep -A 3 http-01 |grep uri |cut -f 4 -d \")
# Adding location wrapper for request challenge
if [ "$WEB_SYSTEM" = 'nginx' ] || [ "$PROXY_SYSTEM" = 'nginx' ]; then
conf="$HOMEDIR/$user/conf/web/nginx.$r_domain.conf_letsencrypt"
sconf="$HOMEDIR/$user/conf/web/snginx.$r_domain.conf_letsencrypt"
if [ ! -e "$conf" ]; then
echo 'location ~ "^/\.well-known/acme-challenge/(.*)$" {' > $conf
echo ' default_type text/plain;' >> $conf
echo ' return 200 "$1.'$thumb'";' >> $conf
echo '}' >> $conf
fi
if [ ! -e "$sconf" ]; then
ln -s "$conf" "$sconf"
fi
fi
acme="$HOMEDIR/$user/web/$r_domain/public_html/.well-known/acme-challenge"
if [ ! -d "$acme" ]; then
mkdir -p $acme
fi
echo "$token.$thumb" > $acme/$token
chown -R $user:$user $HOMEDIR/$user/web/$r_domain/public_html/.well-known
# Restarting web server
if [ -z "$PROXY_SYSTEM" ]; then
$BIN/v-restart-web
check_result $? "Proxy restart failed" >/dev/null
else
$BIN/v-restart-proxy
$BIN/v-restart-web
check_result $? "Web restart failed" >/dev/null
fi
# Defining ACME query (request validation)
query='{"resource":"challenge","type":"http-01","keyAuthorization"'
query=$query':"'$token.$thumb'","token":"'$token'"}'
payload=$(echo -n "$query" |encode_base64)
signature=$(printf "%s" "$protected.$payload" |\
openssl dgst -sha256 -binary -sign "$key" |encode_base64)
data='{"header":'"$header"',"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
# Sending request to LetsEncrypt API
answer=$(curl -s -i -d "$data" "$uri")
# Checking domain validation status
i=1
status=$(echo $answer |tr ',' '\n' |grep status |cut -f 4 -d \")
location=$(echo "$answer" |grep Location: |awk '{print $2}' |tr -d '\r\n')
while [ "$status" = 'pending' ]; do
answer=$(curl -s -i "$location")
detail="$(echo $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
status=$(echo "$answer" |tr ',' '\n' |grep status |cut -f 4 -d \")
sleep 1
i=$((i + 1))
if [ "$i" -gt 60 ]; then
check_result $E_CONNECT "$detail"
fi
done
if [ "$status" = 'invalid' ]; then
detail="$(echo $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
check_result $E_CONNECT "$detail"
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$ARGUMENTS"
exit

2
bin/v-delete-mail-domain
View file

@ -56,7 +56,7 @@ fi
# Deleting dkim dns record
if [ "$DKIM" = 'yes' ] && [ -e "$USER_DATA/dns/$domain.conf" ]; then
records=$($BIN/v-list-dns-records $user $domain plain)
dkim_records=$(echo "$records" |grep -w '_domainkey' | cut -f 1 -d ' ')
dkim_records=$(echo "$records" |grep -w '_domainkey' |cut -f 1)
for id in $dkim_records; do
$BIN/v-delete-dns-record $user $domain $id
done

75
bin/v-delete-sys-mail-ssl Executable file
View file

@ -0,0 +1,75 @@
#!/bin/bash
# info: delete sys vesta user ssl certificate
# options: NONE
#
# The script disables user domain ssl synchronization
#----------------------------------------------------------#
# Variable & Function #
#----------------------------------------------------------#
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
vst_crt="$VESTA/ssl/certificate.crt"
vst_key="$VESTA/ssl/certificate.key"
# Updating mail certificate
case $MAIL_SYSTEM in
exim) conf='/etc/exim/exim.conf';;
exim4) conf='/etc/exim4/exim4.conf.template';;
esac
if [ -e "$conf" ]; then
sed -e "s|^tls_certificate.*|tls_certificate = $vst_crt|" \
-e "s|^tls_privatekey.*|tls_privatekey = $vst_key|" -i $conf
fi
# Updating imap certificate
conf="/etc/dovecot/conf.d/10-ssl.conf"
if [ ! -z "$IMAP_SYSTEM" ] && [ -e "$conf" ]; then
sed -e "s|ssl_cert.*|ssl_cert = <$vst_crt|" \
-e "s|ssl_key.*|ssl_key = <$vst_key|" -i $conf
fi
# Moving old certificates
if [ -e "$VESTA/ssl/mail.crt" ]; then
mv -f $VESTA/ssl/mail.crt $VESTA/ssl/mail.crt.old
fi
if [ -e "VESTA/ssl/mail.key" ]; then
mv $VESTA/ssl/mail.key VESTA/ssl/mail.key.old
fi
# Updating vesta.conf value
sed -i "/MAIL_CERTIFICATE=/ d" $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Restarting services
if [ "$restart" != 'no' ]; then
if [ ! -z "$MAIL_SYSTEM" ]; then
$BIN/v-restart-service $MAIL_SYSTEM
fi
if [ ! -z "$IMAP_SYSTEM" ]; then
$BIN/v-restart-service $IMAP_SYSTEM
fi
fi
# Logging
log_event "$OK" "$ARGUMENTS"
exit

37
bin/v-delete-sys-vesta-ssl Executable file
View file

@ -0,0 +1,37 @@
#!/bin/bash
# info: delete sys vesta user ssl certificate
# options: NONE
#
# The script disables user domain ssl synchronization
#----------------------------------------------------------#
# Variable & Function #
#----------------------------------------------------------#
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Updating vesta.conf value
sed -i "/VESTA_CERTIFICATE=/ d" $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$ARGUMENTS"
exit

2
bin/v-delete-user-favourites
View file

@ -32,6 +32,8 @@ case $system in
DNS_REC) is_format_valid 'id' ;;
*) is_format_valid 'object'
esac
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"

1
bin/v-list-dns-domain
View file

@ -71,6 +71,7 @@ csv_list() {
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN [FORMAT]'
is_format_valid 'user' 'domain'
is_object_valid 'user' 'USER' "$user"
is_object_valid 'dns' 'DOMAIN' "$domain"

1
bin/v-list-letsencrypt-user
View file

@ -56,6 +56,7 @@ csv_list() {
#----------------------------------------------------------#
check_args '1' "$#" 'USER [FORMAT]'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
check_result $E_NOTEXIST "LetsEncrypt user account doesn't exist"

3
bin/v-list-mail-domain-dkim-dns
View file

@ -57,6 +57,7 @@ csv_list() {
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN [FORMAT]'
is_format_valid 'user' 'domain'
is_object_valid 'user' 'USER' "$user"
is_object_valid 'mail' 'DOMAIN' "$domain"
@ -67,7 +68,7 @@ is_object_valid 'mail' 'DOMAIN' "$domain"
# Parsing domain keys
if [ -e "$USER_DATA/mail/$domain.pub" ]; then
pub=$(cat $USER_DATA/mail/$domain.pub |grep -v "KEY-----")
pub=$(cat $USER_DATA/mail/$domain.pub |grep -v "KEY-----" |tr -d "\n\r")
pub=$(echo "$pub" |sed ':a;N;$!ba;s/\n/\\n/g')
else
pub="DKIM-SUPPORT-IS-NOT-ACTIVATED"

17
bin/v-list-sys-config Executable file → Normal file
View file

@ -53,6 +53,8 @@ json_list() {
"DB_PGA_URL": "'$DB_PGA_URL'",
"SOFTACULOUS": "'$SOFTACULOUS'",
"MAX_DBUSER_LEN": "'$MAX_DBUSER_LEN'"
"MAIL_CERTIFICATE": "'$MAIL_CERTIFICATE'",
"VESTA_CERTIFICATE": "'$VESTA_CERTIFICATE'"
}
}'
}
@ -139,6 +141,12 @@ shell_list() {
if [ ! -z "$LANGUAGE" ] && [ "$LANGUAGE" != 'en' ]; then
echo "Language: $LANGUAGE"
fi
if [ ! -z "$MAIL_CERTIFICATE" ]; then
echo "Mail SSL: $MAIL_CERTIFICATE"
fi
if [ ! -z "$VESTA_CERTIFICATE" ]; then
echo "Vesta SSL: $VESTA_CERTIFICATE"
fi
echo "Version: $VERSION"
}
@ -152,7 +160,8 @@ plain_list() {
echo -ne "$CRON_SYSTEM\t$DISK_QUOTA\t$FIREWALL_SYSTEM\t"
echo -ne "$FIREWALL_EXTENSION\t$FILEMANAGER_KEY\t$SFTPJAIL_KEY\t"
echo -ne "$REPOSITORY\t$VERSION\t$LANGUAGE\t$BACKUP_GZIP\t$BACKUP\t"
echo -e "$MAIL_URL\t$DB_PMA_URL\t$DB_PGA_URL"
echo -ne "$MAIL_URL\t$DB_PMA_URL\t$DB_PGA_URL\t$MAIL_CERTIFICATE\t"
echo -e "$VESTA_CERTIFICATE"
}
@ -166,7 +175,8 @@ csv_list() {
echo -n "'CRON_SYSTEM','DISK_QUOTA','FIREWALL_SYSTEM',"
echo -n "'FIREWALL_EXTENSION','FILEMANAGER_KEY','SFTPJAIL_KEY',"
echo -n "'REPOSITORY','VERSION','LANGUAGE','BACKUP_GZIP','BACKUP',"
echo -n "'MAIL_URL','DB_PMA_URL','DB_PGA_URL'"
echo -n "'MAIL_URL','DB_PMA_URL','DB_PGA_URL', 'SOFTACULOUS',"
echo -n "'MAIL_CERTIFICATE','VESTA_CERTIFICATE'"
echo
echo -n "'$WEB_SYSTEM','$WEB_RGROUPS','$WEB_PORT','$WEB_SSL',"
echo -n "'$WEB_SSL_PORT','$WEB_BACKEND','$PROXY_SYSTEM','$PROXY_PORT',"
@ -177,6 +187,7 @@ csv_list() {
echo -n "'$FIREWALL_EXTENSION','$FILEMANAGER_KEY','$SFTPJAIL_KEY',"
echo -n "'$REPOSITORY','$VERSION','$LANGUAGE','$BACKUP_GZIP','$BACKUP',"
echo -n "'$MAIL_URL','$DB_PMA_URL','$DB_PGA_URL', '$SOFTACULOUS'"
echo -n "'$MAIL_CERTIFICATE','$VESTA_CERTIFICATE'"
echo
}
@ -188,7 +199,7 @@ csv_list() {
# Listing data
case $format in
json) json_list ;;
plain) shell_list ;;
plain) plain_list ;;
csv) csv_list ;;
shell) shell_list ;;
esac

135
bin/v-list-sys-mail-ssl Executable file
View file

@ -0,0 +1,135 @@
#!/bin/bash
# info: list mail ssl certificate
# options: [FORMAT]
#
# The function of obtaining mail ssl files.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
format=${1-shell}
# Includes
source $VESTA/func/main.sh
# JSON list function
json_list() {
echo '{'
echo -e "\t\"MAIL\": {"
echo " \"CRT\": \"$crt\","
echo " \"KEY\": \"$key\","
echo " \"CA\": \"$ca\","
echo " \"SUBJECT\": \"$subj\","
echo " \"ALIASES\": \"$alt_dns\","
echo " \"NOT_BEFORE\": \"$before\","
echo " \"NOT_AFTER\": \"$after\","
echo " \"SIGNATURE\": \"$signature\","
echo " \"PUB_KEY\": \"$pub_key\","
echo " \"ISSUER\": \"$issuer\""
echo -e "\t}\n}"
}
# SHELL list function
shell_list() {
if [ ! -z "$crt" ]; then
echo -e "$crt"
fi
if [ ! -z "$key" ]; then
echo -e "\n$key"
fi
if [ ! -z "$crt" ]; then
echo
echo
echo "SUBJECT: $subj"
if [ ! -z "$alt_dns" ]; then
echo "ALIASES: ${alt_dns//,/ }"
fi
echo "VALID FROM: $before"
echo "VALID TIL: $after"
echo "SIGNATURE: $signature"
echo "PUB_KEY: $pub_key"
echo "ISSUER: $issuer"
fi
}
# PLAIN list function
plain_list() {
if [ ! -z "$crt" ]; then
echo -e "$crt"
fi
if [ ! -z "$key" ]; then
echo -e "\n$key"
fi
if [ ! -z "$ca" ]; then
echo -e "\n$ca"
fi
if [ ! -z "$crt" ]; then
echo "$subj"
echo "${alt_dns//,/ }"
echo "$before"
echo "$after"
echo "$signature"
echo "$pub_key"
echo "$issuer"
fi
}
# CSV list function
csv_list() {
echo -n "CRT,KEY,CA,SUBJECT,ALIASES,NOT_BEFORE,NOT_AFTER,SIGNATURE,"
echo "PUB_KEY,ISSUER"
echo -n "\"$crt\",\"$key\",\"$ca\",\"$subj\",\"${alt_dns//,/ }\","
echo "\"$before\",\"$after\",\"$signature\",\"$pub_key\",\"$issuer\""
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Parsing SSL certificate
if [ ! -e "$VESTA/ssl/mail.crt" ] || [ ! -e "$VESTA/ssl/mail.key" ]; then
exit
fi
crt=$(cat $VESTA/ssl/mail.crt |sed ':a;N;$!ba;s/\n/\\n/g')
key=$(cat $VESTA/ssl/mail.key |sed ':a;N;$!ba;s/\n/\\n/g')
# Parsing SSL certificate details without CA
info=$(openssl x509 -text -in $VESTA/ssl/mail.crt)
subj=$(echo "$info" |grep Subject: |cut -f 2 -d =)
before=$(echo "$info" |grep Before: |sed -e "s/.*Before: //")
after=$(echo "$info" |grep "After :" |sed -e "s/.*After : //")
signature=$(echo "$info" |grep "Algorithm:" |head -n1 )
signature=$(echo "$signature"| sed -e "s/.*Algorithm: //")
pub_key=$(echo "$info" |grep Public-Key: |cut -f2 -d \( | tr -d \))
issuer=$(echo "$info" |grep Issuer: |sed -e "s/.*Issuer: //")
alt_dns=$(echo "$info" |grep DNS |sed -e 's/DNS:/\n/g' |tr -d ',')
alt_dns=$(echo "$alt_dns" |tr -d ' ' |sed -e "/^$/d")
alt_dns=$(echo "$alt_dns" |sed -e ':a;N;$!ba;s/\n/,/g')
# Listing data
case $format in
json) json_list ;;
plain) plain_list ;;
csv) csv_list ;;
shell) shell_list ;;
esac
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
exit

1
bin/v-list-user
View file

@ -154,6 +154,7 @@ csv_list() {
#----------------------------------------------------------#
check_args '1' "$#" 'USER [FORMAT]'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"

1
bin/v-list-user-backup
View file

@ -75,6 +75,7 @@ csv_list() {
#----------------------------------------------------------#
check_args '2' "$#" 'USER BACKUP [FORMAT]'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"
is_object_valid 'backup' 'BACKUP' "$backup"

1
bin/v-list-user-stats
View file

@ -115,6 +115,7 @@ csv_list() {
#----------------------------------------------------------#
check_args '1' "$#" 'USER [FORMAT]'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"

1
bin/v-list-web-domain
View file

@ -110,6 +110,7 @@ csv_list() {
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN [FORMAT]'
is_format_valid 'user' 'domain'
is_object_valid 'user' 'USER' "$user"
is_object_valid 'web' 'DOMAIN' "$domain"

1
bin/v-list-web-domain-ssl
View file

@ -98,6 +98,7 @@ csv_list() {
#----------------------------------------------------------#
check_args '2' "$#" 'USER DOMAIN [FORMAT]'
is_format_valid 'user' 'domain'
is_object_valid 'user' 'USER' "$user"
is_object_valid 'web' 'DOMAIN' "$domain"

1
bin/v-list-web-domains
View file

@ -100,6 +100,7 @@ csv_list() {
#----------------------------------------------------------#
check_args '1' "$#" 'USER [FORMAT]'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"

28
bin/v-restore-user
View file

@ -406,15 +406,21 @@ if [ "$web" != 'no' ] && [ ! -z "$WEB_SYSTEM" ]; then
fi
# Restoring web domain data
tar -xzpf $tmpdir/web/$domain/domain_data.tar.gz \
-C $HOMEDIR/$user/web/$domain/
if [ "$?" -ne 0 ]; then
rm -rf $tmpdir
error="can't unpack $domain data tarball"
echo "$error" |$SENDMAIL -s "$subj" $email $notify
sed -i "/ $user /d" $VESTA/data/queue/backup.pipe
check_result "$E_PARSING" "$error"
chown $user $tmpdir
chmod u+w $HOMEDIR/$user/web/$domain
sudo -u $user tar -xzpf $tmpdir/web/$domain/domain_data.tar.gz \
-C $HOMEDIR/$user/web/$domain/ --exclude=logs/* \
2> $HOMEDIR/$user/web/$domain/restore_errors.log
if [ -e "$HOMEDIR/$user/web/$domain/restore_errors.log" ]; then
chown $user:$user $HOMEDIR/$user/web/$domain/restore_errors.log
fi
#if [ "$?" -ne 0 ]; then
# rm -rf $tmpdir
# error="can't unpack $domain data tarball"
# echo "$error" |$SENDMAIL -s "$subj" $email $notify
# sed -i "/ $user /d" $VESTA/data/queue/backup.pipe
# check_result "$E_PARSING" "$error"
#fi
# Applying Fix for tar < 1.24
find $HOMEDIR/$user/web/$domain -type d \
@ -586,13 +592,15 @@ if [ "$mail" != 'no' ] && [ ! -z "$MAIL_SYSTEM" ]; then
# Rebuilding mail config
rebuild_mail_domain_conf
domain_idn=$domain
format_domain_idn
# Restoring emails
if [ -e "$tmpdir/mail/$domain/accounts.tar.gz" ]; then
tar -xzpf $tmpdir/mail/$domain/accounts.tar.gz \
chown $user $tmpdir
chmod u+w $HOMEDIR/$user/mail/$domain_idn
sudo -u $user tar -xzpf $tmpdir/mail/$domain/accounts.tar.gz \
-C $HOMEDIR/$user/mail/$domain_idn/
if [ "$?" -ne 0 ]; then
rm -rf $tmpdir

93
bin/v-search-ssl-certificates Executable file
View file

@ -0,0 +1,93 @@
#!/bin/bash
# info: search ssl certificates
# options: [FORMAT]
#
# The function to obtain the list of available ssl certificates.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
format=${1-shell}
# Includes
source $VESTA/func/main.sh
# JSON list function
json_list() {
IFS=$'\n'
objects=$(echo "$search_cmd" |wc -l)
i=1
echo '['
for str in $search_cmd; do
eval $str
if [ "$i" -lt "$objects" ]; then
echo -e "\t\"$USER:$DOMAIN\","
else
echo -e "\t\"$USER:$DOMAIN\""
fi
(( ++i))
done
echo "]"
}
# SHELL list function
shell_list() {
IFS=$'\n'
echo "USER DOMAIN"
echo "---- ------"
for str in $search_cmd; do
eval $str
echo "$USER $DOMAIN"
done
}
# PLAIN list function
plain_list() {
IFS=$'\n'
for str in $search_cmd; do
eval $str
echo -e "$USER\t$DOMAIN"
done
}
# CSV list function
csv_list() {
IFS=$'\n'
echo "USER,DOMAIN"
for str in $search_cmd; do
eval $str
echo "$USER,$DOMAIN"
done
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
search_cmd=$(grep -H "SSL='yes'" $VESTA/data/users/*/web.conf |\
cut -f 1 -d ' ' |\
sed -e "s|$VESTA/data/users/|USER='|" -e "s|/web.conf:|' |")
# Listing data
case $format in
json) json_list ;;
plain) plain_list ;;
csv) csv_list ;;
shell) shell_list |column -t ;;
esac
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
exit

110
bin/v-sign-letsencrypt-csr
View file

@ -1,110 +0,0 @@
#!/bin/bash
# info: sing letsencrypt csr
# options: USER DOMAIN CSR_DIR [FORMAT]
#
# The function signs certificate request using LetsEncript API
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
domain=$2
csr="$3/$domain.csr"
format=$4
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
# encode base64
encode_base64() {
cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '3' "$#" 'USER DOMAIN CSR'
is_format_valid 'user' 'domain'
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
check_result $E_NOTEXIST "LetsEncrypt key doesn't exist"
fi
check_domain=$(grep -w "$domain'" $USER_DATA/web.conf)
if [ -z "$check_domain" ]; then
check_result $E_NOTEXIST "domain $domain doesn't exist"
fi
if [ ! -e "$csr" ]; then
check_result $E_NOTEXIST "$csr doesn't exist"
fi
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
source $USER_DATA/ssl/le.conf
api='https://acme-v01.api.letsencrypt.org'
key="$USER_DATA/ssl/user.key"
exponent="$EXPONENT"
modulus="$MODULUS"
thumb="$THUMB"
# Defining JWK header
header='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'
header='{"alg":"RS256","jwk":'"$header"'}'
# Requesting nonce
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
protected=$(echo -n '{"nonce":"'"$nonce"'"}' |encode_base64)
# Defining ACME query (request challenge)
csr=$(openssl req -in $csr -outform DER |encode_base64)
query='{"resource":"new-cert","csr":"'$csr'"}'
payload=$(echo -n "$query" |encode_base64)
signature=$(printf "%s" "$protected.$payload" |\
openssl dgst -sha256 -binary -sign "$key" |encode_base64)
data='{"header":'"$header"',"protected":"'"$protected"'",'
data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'
# Sending request to LetsEncrypt API
answer=$(mktemp)
curl -s -d "$data" "$api/acme/new-cert" -o $answer
if [ ! -z "$(grep Error $answer)" ]; then
detail="$(cat $answer |tr ',' '\n' |grep detail |cut -f 4 -d \")"
detail=$(echo "$detail" |awk -F "::" '{print $2}')
rm $answer
check_result $E_LIMIT "$detail"
fi
# Printing certificate
crt=$(cat "$answer" |openssl base64 -e)
rm $answer
if [ "$format" != 'json' ]; then
echo "-----BEGIN CERTIFICATE-----"
echo "$crt"
echo "-----END CERTIFICATE-----"
else
echo -e "{\n\t\"$domain\": {\n\t\t\"CRT\":\""
echo -n '-----BEGIN CERTIFICATE-----\n'
echo -n "$crt" |sed ':a;N;$!ba;s/\n/\\n/g'
echo -n '-----END CERTIFICATE-----'
echo -e "\"\n\t\t}\n\t}"
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$ARGUMENTS"
exit

3
bin/v-unsuspend-mail-account
View file

@ -48,6 +48,9 @@ is_object_suspended "mail/$domain" 'ACCOUNT' "$account"
if [[ "$MAIL_SYSTEM" =~ exim ]]; then
md5=$(get_object_value "mail/$domain" 'ACCOUNT' "$account" '$MD5')
quota=$(get_object_value "mail/$domain" 'ACCOUNT' "$account" '$QUOTA')
if [ "$quota" = 'unlimited' ]; then
quota=0
fi
sed -i "/^$account:/d" $HOMEDIR/$user/conf/mail/$domain/passwd
str="$account:$md5:$user:mail::$HOMEDIR/$user:$quota"
echo $str >> $HOMEDIR/$user/conf/mail/$domain/passwd

5
bin/v-update-firewall
View file

@ -51,11 +51,6 @@ if [ $? -ne 0 ]; then
conntrack_ftp='no'
fi
# Checking custom OpenSSH port
sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22" ]; then
sed -i "s/PORT='22'/PORT=\'$sshport\'/" $rules
fi
# Creating temporary file
tmp=$(mktemp)

48
bin/v-update-letsencrypt-ssl
View file

@ -22,50 +22,32 @@ source $VESTA/conf/vesta.conf
# Action #
#----------------------------------------------------------#
# Defining user list
users=$($BIN/v-list-users | tail -n+3 | awk '{ print $1 }')
lecounter=0
# Checking users
for user in $users; do
# Checking user certificates
for user in $($BIN/v-list-users plain |cut -f 1); do
USER_DATA=$VESTA/data/users/$user
# Checking user certificates
for domain in $(search_objects 'web' 'LETSENCRYPT' 'yes' 'DOMAIN'); do
# Working on Web domain check - if is suspended
webSuspended=$(grep "DOMAIN='$domain'" $USER_DATA/web.conf |grep "SUSPENDED='yes")
if [ ! -z "$webSuspended" ]; then
continue;
fi;
crt="$VESTA/data/users/$user/ssl/$domain.crt"
crt_data=$(openssl x509 -text -in "$crt")
expire=$(echo "$crt_data" |grep "Not After")
expire=$(echo "$expire" |cut -f 2,3,4 -d :)
expire=$(date -d "$expire" +%s)
crt_data=$(openssl x509 -text -in $USER_DATA/ssl/$domain.crt)
not_after=$(echo "$crt_data" |grep "Not After" |cut -f 2,3,4 -d :)
expiration=$(date -d "$not_after" +%s)
now=$(date +%s)
expire=$((expire - now))
expire=$((expire / 86400))
domain=$(basename $crt |sed -e "s/.crt$//")
if [[ "$expire" -lt 31 ]]; then
seconds_valid=$((expiration - now))
days_valid=$((seconds_valid / 86400))
if [[ "$days_valid" -lt 31 ]]; then
if [ $lecounter -gt 0 ]; then
sleep 120
fi
((lecounter++))
aliases=$(echo "$crt_data" |grep DNS:)
aliases=$(echo "$aliases" |sed -e "s/DNS://g" -e "s/,//")
aliases=$(echo "$aliases" |sed -e "s/DNS://g" -e "s/,//g")
aliases=$(echo "$aliases" |tr ' ' '\n' |sed "/^$/d")
aliases=$(echo "$aliases" |grep -v "^$domain$")
if [ ! -z "$aliases" ]; then
aliases=$(echo "$aliases" |sed -e ':a;N;$!ba;s/\n/,/g')
msg=$($BIN/v-add-letsencrypt-domain $user $domain $aliases)
if [ $? -ne 0 ]; then
echo "$domain $msg"
fi
else
msg==$($BIN/v-add-letsencrypt-domain $user $domain)
if [ $? -ne 0 ]; then
echo "$domain $msg"
fi
aliases=$(echo "$aliases" |egrep -v "^$domain,?$")
aliases=$(echo "$aliases" |sed -e ':a;N;$!ba;s/\n/,/g')
msg=$($BIN/v-add-letsencrypt-domain $user $domain $aliases)
if [ $? -ne 0 ]; then
echo "$domain $msg"
fi
fi
done

2
bin/v-update-sys-ip
View file

@ -44,7 +44,7 @@ if [[ "$ip_num" -eq '1' ]] && [[ "$v_ip_num" -eq 1 ]]; then
fi
# Updating configs
if [ ! -z "$new" ]; then
if [ ! -z "$old" ]; then
mv $VESTA/data/ips/$old $VESTA/data/ips/$new
# Updating PROXY

2
bin/v-update-sys-rrd-pgsql
View file

@ -85,7 +85,7 @@ for host in $hosts; do
# Parsing data
q='SELECT SUM(xact_commit + xact_rollback), SUM(numbackends)
FROM pg_stat_database;'
status=$($sql plsql -d postgres -c "$q" 2>/dev/null); code="$?"
status=$($sql psql -d postgres -c "$q" 2>/dev/null); code="$?"
if [ '0' -ne "$code" ]; then
active=0
slow=0

2
bin/v-update-sys-vesta
View file

@ -33,7 +33,7 @@ check_args '1' "$#" 'PACKAGE'
# Action #
#----------------------------------------------------------#
if [ -d "/etc/sysconfig" ]; then
if [ -n "$(command -v yum)" ]; then
# Clean yum chache
yum -q clean all