From 0db38e9d9567592a1036fb0085f52b938ea4f979 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 23 Feb 2016 14:09:07 +0100
Subject: [PATCH 1/3] Correct permissions on files
---
 src/Commands/Issue.php | 2 +-
 src/Commands/Register.php | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/Commands/Issue.php b/src/Commands/Issue.php
index 966db13..6c3f372 100644
--- a/src/Commands/Issue.php
+++ b/src/Commands/Issue.php
@@ -95,7 +95,7 @@ class Issue implements Command {
 file_put_contents("{$path}/{$token}", $payload);
 chown("{$path}/{$token}", $userInfo["uid"]);
- chmod("{$path}/{$token}", 0660);
+ chmod("{$path}/{$token}", 0664);
 yield $acme->selfVerify($domain, $token, $payload);
 $this->logger->info("Successfully self-verified challenge.");
diff --git a/src/Commands/Register.php b/src/Commands/Register.php
index ce145ea..8ca0055 100644
--- a/src/Commands/Register.php
+++ b/src/Commands/Register.php
@@ -70,8 +70,7 @@ class Register implements Command {
 file_put_contents($pathPrivate, $keyPair->getPrivate());
 file_put_contents($pathPublic, $keyPair->getPublic());
- chmod($pathPrivate, 600);
- chmod($pathPrivate, 600);
+ chmod($pathPrivate, 0600);
 }
 $acme = new AcmeService(new AcmeClient($server, $keyPair), $keyPair);
From 1fcd437aafb5e5414a682c3df24e952ab67d31cc Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 23 Feb 2016 14:09:19 +0100
Subject: [PATCH 2/3] Remove the requirement to run as root
---
 src/Commands/Issue.php | 11 ++++++++---
 src/Commands/Register.php | 4 ----
 src/Commands/Revoke.php | 4 ----
 3 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/src/Commands/Issue.php b/src/Commands/Issue.php
index 6c3f372..c9301cc 100644
--- a/src/Commands/Issue.php
+++ b/src/Commands/Issue.php
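Review bot: The new `chmod("{$path}/{$token}", 0664)` discards its return value, as do the `chown` and `file_put_contents` calls on the lines above it, so a failure leaves a challenge file the web server cannot serve and only surfaces later as a self-verification error with no hint of the cause. Checking each result, e.g. `if (!chmod("{$path}/{$token}", 0664)) { throw new AcmeException("Could not set permissions on challenge file"); }`, makes the failure explicit at the point it happens. Since the file holds only the key authorization that is published over HTTP anyway, a short comment such as `// world-readable on purpose: the web server process must be able to serve this file` would record why 0664 rather than 0660 is intended. The enclosing method starts and ends outside the hunk.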
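Review bot: `chmod($pathPrivate, 0600)` runs only after `file_put_contents($pathPrivate, $keyPair->getPrivate())` has already written the account private key, so the file is created with the process umask (commonly 0644) and is readable by other local users until the chmod executes. Create it with restrictive permissions before writing, e.g. `touch($pathPrivate); chmod($pathPrivate, 0600);` ahead of the `file_put_contents` call, or wrap the write in `umask(077)`; the return values of these calls should also be checked rather than ignored, since a failed chmod currently goes unnoticed. The enclosing method starts and ends outside the hunk.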
@@ -32,11 +32,16 @@ class Issue implements Command {
 private function doExecute(Manager $args): Generator {
 if (posix_geteuid() !== 0) {
- throw new AcmeException("Please run this script as root!");
+ $processUser = posix_getpwuid(posix_geteuid());
+ $currentUsername = $processUser['name'];
+ $user = $args->get("user") ?? $currentUsername;
+ if ($currentUsername !== $user) {
+ throw new AcmeException("Running this script with --user only works as root");
+ }
+ } else {
+ $user = $args->get("user") ?? "www-data";
 }
- $user = $args->get("user") ?? "www-data";
-
 $server = $args->get("server");
 $protocol = substr($server, 0, strpos("://", $server));
diff --git a/src/Commands/Register.php b/src/Commands/Register.php
index 8ca0055..cf1de23 100644
--- a/src/Commands/Register.php
+++ b/src/Commands/Register.php
@@ -29,10 +29,6 @@ class Register implements Command {
 }
 public function doExecute(Manager $args): Generator {
- if (posix_geteuid() !== 0) {
- throw new AcmeException("Please run this script as root!");
- }
-
 $email = $args->get("email");
 yield resolve($this->checkEmail($email));
diff --git a/src/Commands/Revoke.php b/src/Commands/Revoke.php
index 6927a66..7b2f801 100644
--- a/src/Commands/Revoke.php
+++ b/src/Commands/Revoke.php
@@ -27,10 +27,6 @@ class Revoke implements Command {
 }
 private function doExecute(Manager $args): Generator {
- if (posix_geteuid() !== 0) {
- throw new AcmeException("Please run this script as root!");
- }
-
 $server = $args->get("server");
 $protocol = substr($server, 0, strpos("://", $server));
From 8ed17841b87be962518307defdea7c0dd33c6490 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 23 Feb 2016 14:11:20 +0100
Subject: [PATCH 3/3] Rewrite to kelunik/acme version 0.3.0-dev
---
 composer.json | 4 ++--
 src/Commands/Issue.php | 6 +++---
 src/Commands/Register.php | 2 +-
 src/Commands/Revoke.php | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/composer.json b/composer.json
index 3809941..04a4fc8 100644
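Review bot: `$currentUsername = $processUser['name']` in the new non-root branch assumes `posix_getpwuid(posix_geteuid())` succeeded, but that call returns `false` when the effective uid has no passwd entry (minimal containers, for instance), which would likely leave both `$currentUsername` and `$user` null and push the failure to a later, unrelated user lookup. Guard it directly: `if ($processUser === false) { throw new AcmeException("Could not determine the current user"); }`. A comment on the branch such as `// Non-root: the challenge file can only be owned by the invoking user, so --user must match it` would explain why the equality check exists. Separately, the context line `strpos("://", $server)` passes haystack and needle in reverse order, so `$protocol` is probably always empty; that predates this change but is visible here and in the Revoke.php hunk below. The `doExecute` method continues outside the hunk.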
--- a/composer.json
+++ b/composer.json
@@ -6,8 +6,8 @@
 "ext-posix": "*",
 "ext-openssl": "*",
 "bramus/monolog-colored-line-formatter": "^2",
- "kelunik/acme": "dev-master",
- "kelunik/certificate": "dev-master",
+ "kelunik/acme": "^0.3",
+ "kelunik/certificate": "^1",
 "league/climate": "^3",
 "monolog/monolog": "^1.17",
 "psr/log": "^1",
diff --git a/src/Commands/Issue.php b/src/Commands/Issue.php
index c9301cc..7337498 100644
--- a/src/Commands/Issue.php
+++ b/src/Commands/Issue.php
@@ -57,7 +57,7 @@ class Issue implements Command {
 $keyPair = $this->checkRegistration($args);
- $acme = new AcmeService(new AcmeClient($server, $keyPair), $keyPair);
+ $acme = new AcmeService(new AcmeClient($server, $keyPair));
 foreach ($domains as $domain) {
 list($location, $challenges) = yield $acme->requestChallenges($domain);
@@ -75,7 +75,7 @@ class Issue implements Command {
 }
 $this->logger->debug("Generating payload...");
- $payload = $acme->generateHttp01Payload($token);
+ $payload = $acme->generateHttp01Payload($keyPair, $token);
 $docRoot = rtrim($args->get("path") ?? __DIR__ . "/../../data/public", "/\\");
 $path = $docRoot . "/.well-known/acme-challenge";
@@ -102,7 +102,7 @@ class Issue implements Command {
 chown("{$path}/{$token}", $userInfo["uid"]);
 chmod("{$path}/{$token}", 0664);
- yield $acme->selfVerify($domain, $token, $payload);
+ yield $acme->verifyHttp01Challenge($domain, $token, $payload);
 $this->logger->info("Successfully self-verified challenge.");
 yield $acme->answerChallenge($challenge->uri, $payload);
diff --git a/src/Commands/Register.php b/src/Commands/Register.php
index cf1de23..68902e6 100644
--- a/src/Commands/Register.php
+++ b/src/Commands/Register.php
@@ -69,7 +69,7 @@ class Register implements Command {
 chmod($pathPrivate, 0600);
 }
- $acme = new AcmeService(new AcmeClient($server, $keyPair), $keyPair);
+ $acme = new AcmeService(new AcmeClient($server, $keyPair));
 $this->logger->info("Registering with ACME server " . substr($server, 8) . " ...");
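Review bot: `"kelunik/acme": "^0.3"` resolves only to tagged 0.3.x releases under Composer's default stability, yet the patch subject targets `0.3.0-dev`; unless the project's `minimum-stability` (not visible in this hunk) already permits dev packages, the install will either fail or select a release whose API may differ from the one this series codes against. If a dev snapshot is the intended target, pin it explicitly, e.g. `"kelunik/acme": "^0.3@dev"`, or tag the upstream release first. The same consideration applies to `"kelunik/certificate": "^1"`.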
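Review bot: `$token` originates in the ACME server's challenge response and, in the third hunk's context lines, is interpolated straight into a filesystem path as `"{$path}/{$token}"` after being passed to the new `generateHttp01Payload($keyPair, $token)`; nothing visible restricts it to the base64url alphabet the protocol promises. A defensive check before first use, `if (!preg_match('/^[A-Za-z0-9_-]+$/', $token)) { throw new AcmeException("Invalid challenge token"); }`, keeps a misbehaving or compromised server from steering the write outside the acme-challenge directory. The result of `yield $acme->verifyHttp01Challenge($domain, $token, $payload)` is discarded before the "Successfully self-verified challenge." log line; if the 0.3 API reports failure through its return value rather than by throwing, that message would be wrong, so it is worth confirming against the library. The enclosing method spans all three Issue.php hunks and continues outside them.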
diff --git a/src/Commands/Revoke.php b/src/Commands/Revoke.php
index 7b2f801..4fe1253 100644
--- a/src/Commands/Revoke.php
+++ b/src/Commands/Revoke.php
@@ -37,7 +37,7 @@ class Revoke implements Command {
 }
 $keyPair = $this->checkRegistration($args);
- $acme = new AcmeService(new AcmeClient($server, $keyPair), $keyPair);
+ $acme = new AcmeService(new AcmeClient($server, $keyPair));
 $this->logger->info("Revoking certificate ...");