#!/usr/bin/perl
=head1 install-cert.pl
Replace the SSL certificate or private key for a virtual server.
This command is typically used to install a signed certificate that you
have received from a CA in response to a signing request, generated with
C<generate-cert>. However, it can be used to install any certificate,
private key or CA certificate file into a virtual server.
The server must be specified with the C<--domain> flag, followed by a domain
name. When installing a signed cert, you should use the C<--cert> flag
followed by the path to the certificate file, which will be copied into the
virtual server's home directory. You should also use the C<--use-newkey> flag
to use the key generated at the same time as the CSR.
Alternately, you can install a new matching key and certificate with the
C<--key> and C<--cert> flags. If the key is protected by a passphrase, it
must be specified with the C<--pass> parameter. Any errors in the key or
certificate format or the match between them will cause the command to fail
before the web server configuration is updated.
=cut
package virtual_server;
if (!$module_name) {
$main::no_acl_check++;
$ENV{'WEBMIN_CONFIG'} ||= "/etc/webmin";
$ENV{'WEBMIN_VAR'} ||= "/var/webmin";
if ($0 =~ /^(.*)\/[^\/]+$/) {
chdir($pwd = $1);
}
else {
chop($pwd = `pwd`);
}
$0 = "$pwd/install-cert.pl";
require './virtual-server-lib.pl';
$< == 0 || die "install-cert.pl must be run as root";
}
@OLDARGV = @ARGV;
&set_all_text_print();
# Parse command-line args
while(@ARGV > 0) {
local $a = shift(@ARGV);
if ($a eq "--domain") {
$dname = shift(@ARGV);
}
elsif ($a eq "--cert" || $a eq "--key" ||
$a eq "--csr" || $a eq "--ca") {
$g = substr($a, 2);
$f = shift(@ARGV);
if ($f =~ /^\//) {
# In some file on the server
$data = &read_file_contents($f);
$data || &usage("File $f does not exist");
push(@got, [ $g, $data ]);
}
else {
# In parameter
$f =~ s/\r//g;
$f =~ s/\s+/\n/g;
push(@got, [ $g, $f ]);
}
}
elsif ($a eq "--use-newkey") {
$usenewkey = 1;
}
elsif ($a eq "--pass") {
$newpass = shift(@ARGV);
}
elsif ($a eq "--multiline") {
$multiline = 1;
}
else {
&usage("Unknown parameter $a");
}
}
$dname || &usage("Missing --domain parameter");
@got || &usage("No new certificates or keys given");
$d = &get_domain_by("dom", $dname);
$d || &usage("No virtual server named $dname found");
&domain_has_ssl($d) ||
&usage("Virtual server $dname does not have SSL enabled");
if ($usenewkey) {
($clash) = grep { $_->[0] eq 'key' } @got;
$clash && &usage("--use-newkey and --key cannot both be given");
$d->{'ssl_newkey'} || &usage("--use-newkey can only be given if a ".
"private key and CSR have been created");
$newkey = &read_file_contents($d->{'ssl_newkey'});
$newkey || &usage("Private key matching CSR was not found");
push(@got, [ 'key', $newkey ]);
}
# Validate given certs and keys for basic formatting
foreach $g (@got) {
$err = &validate_cert_format($g->[1], $g->[0]);
$err && &usage("Invalid data for $g->[0] : $err");
}
# Make sure new cert and key will match
$checkcert = &read_file_contents($d->{'ssl_cert'});
$checkkey = &read_file_contents($d->{'ssl_key'});
foreach $g (@got) {
if ($g->[0] eq 'cert') {
$checkcert = $g->[1];
}
elsif ($g->[0] eq 'key') {
$checkkey = $g->[1];
}
}
$passok = &check_passphrase($checkkey, $d->{'ssl_pass'} || $newpass);
$passok || &usage("Private key is password-protected, but either none was entered or the password was incorrect");
$err = &check_cert_key_match($checkcert, $checkkey);
$err && &usage("Certificate problems found : $err");
# Break SSL linkages that no longer work with this cert
($gotcert) = grep { $_->[0] eq 'cert' } @got;
if ($gotcert) {
$temp = &transname();
&open_tempfile(TEMP, ">$temp", 0, 1);
&print_tempfile(TEMP, $gotcert->[1]);
&close_tempfile(TEMP);
$newcertinfo = &cert_file_info($temp);
&break_invalid_ssl_linkages($d, $newcertinfo);
&unlink_file($temp);
}
&$first_print("Installing new SSL files ..");
$changed = 0;
foreach $g (@got) {
$d->{'ssl_'.$g->[0]} ||= &default_certificate_file($d, $g->[0]);
&lock_file($d->{'ssl_'.$g->[0]});
&open_tempfile_as_domain_user($d, SSL, ">".$d->{'ssl_'.$g->[0]});
&print_tempfile(SSL, $g->[1]);
&close_tempfile_as_domain_user($d, SSL);
&set_certificate_permissions($d, $d->{'ssl_'.$g->[0]});
&unlock_file($d->{'ssl_'.$g->[0]});
if ($g->[0] ne 'csr') {
&save_website_ssl_file($d, $g->[0], $d->{'ssl_'.$g->[0]});
}
}
&$second_print(".. done");
# Remove old private key and CSR, as they are now installed
if ($usenewkey) {
&unlink_logged($d->{'ssl_newkey'});
delete($d->{'ssl_newkey'});
delete($d->{'ssl_csr'});
}
# If a passphrase is needed, add it to the top-level Apache config. This is
# done by creating a small script that outputs the passphrase
$d->{'ssl_pass'} = $passok == 2 ? $newpass : undef;
&save_domain_passphrase($d);
&save_domain($d);
# Copy SSL directives to domains using same cert
foreach $od (&get_domain_by("ssl_same", $d->{'id'})) {
$od->{'ssl_cert'} = $d->{'ssl_cert'};
$od->{'ssl_key'} = $d->{'ssl_key'};
$od->{'ssl_newkey'} = $d->{'ssl_newkey'};
$od->{'ssl_csr'} = $d->{'ssl_csr'};
$od->{'ssl_pass'} = $d->{'ssl_pass'};
&save_domain_passphrase($od);
}
&run_post_actions();
&virtualmin_api_log(\@OLDARGV, $d);
sub usage
{
print "$_[0]\n\n" if ($_[0]);
print "Installs a certificate, private key, CSR or CA certificate.\n";
print "\n";
print "virtualmin install-cert --domain name\n";
print " [--cert file|data]\n";
print " [--key file|data]\n";
print " [--ca file|data]\n";
print " [--csr file|data]\n";
print " [--use-newkey]\n";
print " [--pass key-password]\n";
exit(1);
}
