From 59ea576d5258ec0ba74fbe3fe2d226bd58422b14 Mon Sep 17 00:00:00 2001 From: "alexey.lazarenko" Date: Thu, 26 Jan 2023 16:34:32 +0200 Subject: [PATCH 1/8] Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error message --- scripts/auto-update-ssl-cert.sh | 1 + scripts/install-ssl.js | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/scripts/auto-update-ssl-cert.sh b/scripts/auto-update-ssl-cert.sh index 44e8f885..803801a5 100755 --- a/scripts/auto-update-ssl-cert.sh +++ b/scripts/auto-update-ssl-cert.sh @@ -69,6 +69,7 @@ _delta_time=$(( $_exp_date_unixtime - $_cur_date_unixtime )); echo "$(date) - update required" >> /var/log/letsencrypt.log; validateLatestVersion resp=$($WGET --no-check-certificate -qO- "${auto_update_url}"); + [[ $? -ne 0 ]] && [[ -z $resp ]] && resp="Temporary network Issue"; { echo "${resp#*response*}" | sed 's/"//g' | grep -q 'result:0' ;} || $WGET -qO- "${jerror_url}/jerror?appid=$appid&actionname=updatefromcontainer&callparameters=$auto_update_url&email=$email&errorcode=4121&errormessage=$resp&priority=high" } diff --git a/scripts/install-ssl.js b/scripts/install-ssl.js index 8cae7499..3f3da1dd 100644 --- a/scripts/install-ssl.js +++ b/scripts/install-ssl.js @@ -52,6 +52,13 @@ function run() { function use(script, config) { var Transport = com.hivext.api.core.utils.Transport, body = new Transport().get(baseUrl + "/" + script + "?_r=" + Math.random()); + + if (!body) { + return { + result : com.hivext.api.Response.ERROR_UNKNOWN, + error: "Error: Unable to get ssl-manager script from GitHub" + } + } return new (new Function("return " + body)())(config); } From 2d9280dc18a08320c6720a308e37d701b253ddd8 Mon Sep 17 00:00:00 2001 From: "alexey.lazarenko" Date: Thu, 26 Jan 2023 16:35:04 +0200 Subject: [PATCH 2/8] changed baseurl to stage --- manifest.jps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
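Review bot: The new guard after `resp=$($WGET --no-check-certificate -qO- "${auto_update_url}");` substitutes the placeholder text only when wget failed *and* the body is empty, so a fetch that succeeds (HTTP 200) with an empty body still reaches the jerror call on the next line with `errormessage=` empty, which is exactly the symptom in the commit title. Dropping the exit-status test covers both cases: `[[ -z $resp ]] && resp="Temporary network Issue";`. Separately, `$resp` is spliced into the query string on the following line without percent-encoding, so a body containing `&` or `#` would alter the request; that is pre-existing, but a placeholder with spaces is now one of the values sent, so it is worth encoding while here. The function enclosing this hunk starts and ends outside it.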
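Review bot: The `if (!body)` check in `use()` only catches an empty response; a non-empty body that is not the script (an HTML error page, a "404: Not Found" text) still reaches `new (new Function("return " + body)())(config)` and throws a SyntaxError instead of returning the structured `ERROR_UNKNOWN` result the new branch introduces, so callers see two different failure shapes for the same root cause. Wrapping the evaluation in try/catch and returning the same shape closes that gap. Note also that this line evaluates whatever `baseUrl` serves at install time as code, with no integrity check on the fetched text; pinning the URL to a commit or comparing a digest before `new Function` would narrow that supply-chain exposure. The returned object literal also lacks a trailing `;`.
```javascript
    // … unchanged: Transport().get(...) and the `if (!body)` guard …
    try {
        return new (new Function("return " + body)())(config);
    } catch (ex) {
        return {
            result : com.hivext.api.Response.ERROR_UNKNOWN,
            error: "Error: Unable to load ssl-manager script: " + ex
        };
    }
```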
diff --git a/manifest.jps b/manifest.jps index 1c274209..c4977c13 100644 --- a/manifest.jps +++ b/manifest.jps @@ -50,7 +50,7 @@ targetNodes: - jenkins2 homepage: https://github.com/jelastic-jps/lets-encrypt -baseUrl: https://raw.githubusercontent.com/jelastic-jps/lets-encrypt/master +baseUrl: https://raw.githubusercontent.com/jelastic-jps/lets-encrypt/stage logo: images/letsencrypt.png description: From 96ea8387ebf905fa43626163dcf4a05e26d77f9c Mon Sep 17 00:00:00 2001 From: "alexey.lazarenko" Date: Tue, 7 Feb 2023 11:09:21 +0200 Subject: [PATCH 3/8] Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings --- manifest.jps | 11 ++++------- scripts/generate-ssl-cert.sh | 11 +++++++++++ scripts/ssl-manager.js | 14 ++++++++++++++ 3 files changed, 29 insertions(+), 7 deletions(-) diff --git a/manifest.jps b/manifest.jps index c4977c13..b996ca42 100644 --- a/manifest.jps +++ b/manifest.jps @@ -135,8 +135,8 @@ onInstall: nodeGroup: ${targetNodes.nodeGroup} app_id: ${globals.app_id} - if (globals.isSecondaryEnv): - script: | - return {result: 0} + return: + type: success - else: installScript - else: @@ -167,9 +167,6 @@ onUninstall: - removeExecutedEnvFile: nodeGroup: ${targetNodes.nodeGroup} app_id: ${globals.app_id} - - if (globals.isSecondaryEnv): - script: | - return {result: 0} - delete onBeforeDelete: delete @@ -250,8 +247,8 @@ actions: nodeGroup: ${targetNodes.nodeGroup} app_id: ${globals.app_id} - if (globals.isSecondaryEnv): - script: | - return {result: 0} + return: + type: success - installScript delete: 
diff --git a/scripts/generate-ssl-cert.sh b/scripts/generate-ssl-cert.sh
index f58ecef3..9e69c687 100644
--- a/scripts/generate-ssl-cert.sh
+++ b/scripts/generate-ssl-cert.sh
@@ -9,6 +9,7 @@ TOO_MANY_CERTS=22
 WRONG_WEBROOT_ERROR=25
 UPLOAD_CERTS_ERROR=26
 TIME_OUT_ERROR=27
+NO_VALID_IP_ADDRESSES=28
 counter=1
 [ -f "${SETTINGS}" ] && source "${SETTINGS}" || { echo "No settings available" ; exit 3 ; }
@@ -92,6 +93,15 @@ do
 invalid_domain=$(echo $error | sed -rn 's/Fetching https?:\/\/(.*)\/.well-known.*/\1/p')
 }
+ [[ -z $error ]] && {
+ error=$(sed -rn 's|.*"detail":"(No valid IP addresses found [^"]+)".*|\1|p' $LOG_FILE | sed '$!d')
+ [[ -z $error ]] && {
+ error=$(sed -rn 's|.*"detail":"(no valid A records found for [^;]+).*|\1|p' $LOG_FILE | sed '$!d')
+ }
+ invalid_domain=$(echo $error | sed -rn 's/.*for (.*)/\1/p')
+ [[ ! -z $error ]] && no_valid_ip=true
+ }
+
 [[ -z $error ]] && {
 error=$(sed -rn 's/.*(Error creating new order \:\: )(.*)\"\,/\2/p' $LOG_FILE | sed '$!d');
 [[ ! -z $error ]] && {
@@ -136,6 +146,7 @@ fi
 [[ $invalid_webroot_dir == true ]] && exit $WRONG_WEBROOT_ERROR;
 [[ $timed_out == true ]] && exit $TIME_OUT_ERROR;
+[[ $no_valid_ip == true ]] && { echo "$error"; exit $NO_VALID_IP_ADDRESSES; }
 [[ $rate_limit_exceeded == true ]] && { echo "$error"; exit $TOO_MANY_CERTS; }
 [[ $result_code != "0" ]] && { echo "$all_invalid_domains_errors"; exit $GENERAL_RESULT_ERROR; }
diff --git a/scripts/ssl-manager.js b/scripts/ssl-manager.js
index 5e8d4498..4f9d9ef7 100644
--- a/scripts/ssl-manager.js
+++ b/scripts/ssl-manager.js
@@ -42,6 +42,7 @@ function SSLManager(config) {
 INVALID_WEBROOT_DIR = 12005,
 UPLOADER_ERROR = 12006,
 READ_TIMED_OUT = 12007,
+ NO_VALID_IP_ADDRESSES = 12008,
 VALIDATION_SCRIPT = "validation.sh",
 SHELL_CODES = {},
 INSTALL_LE_SCRIPT = "install-le.sh",
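Review bot: In the `@@ -92,6 +93,15 @@` hunk, `invalid_domain=$(echo $error | sed -rn 's/.*for (.*)/\1/p')` passes `$error` unquoted, and `$error` is text lifted from the ACME server's `"detail"` field in the log, so `echo $error` is subject to word splitting and glob expansion on server-controlled content; quote it, `invalid_domain=$(echo "$error" | sed -rn 's/.*for (.*)/\1/p')`, and quote `$LOG_FILE` in the two `sed … $LOG_FILE` calls for the same reason. The greedy `.*for ` takes the last `for` in the message, which suits the two patterns captured here but will mis-split silently if a third pattern is added, so a one-line comment naming the two expected message shapes would help. `[[ ! -z $error ]]` reads more plainly as `[[ -n $error ]]`. The `do … done` loop around this hunk begins and ends outside it.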
@@ -1096,6 +1097,7 @@ function SSLManager(config) {
 SHELL_CODES[INVALID_WEBROOT_DIR] = 25;
 SHELL_CODES[UPLOADER_ERROR] = 26;
 SHELL_CODES[READ_TIMED_OUT] = 27;
+ SHELL_CODES[NO_VALID_IP_ADDRESSES] = 28;
 };
 me.generateSslCerts = function generateSslCerts() {
@@ -1221,6 +1223,17 @@ function SSLManager(config) {
 };
 }
+ if (resp.result == NO_VALID_IP_ADDRESSES) {
+ text = "Error: " + resp.response;
+ return {
+ result: NO_VALID_IP_ADDRESSES,
+ error: text,
+ response: text,
+ type: "warning",
+ message: text
+ };
+ }
+
 if (resp.result && resp.result == READ_TIMED_OUT) {
 text = "The Let's Encrypt service is currently unavailable. Check the /var/log/letsencrypt log for more details or try again in a few minutes.";
 return {
@@ -1285,6 +1298,7 @@ function SSLManager(config) {
 if (resp.exitStatus == SHELL_CODES[INVALID_WEBROOT_DIR]) return { result: INVALID_WEBROOT_DIR}
 if (resp.exitStatus == SHELL_CODES[UPLOADER_ERROR]) return { result: UPLOADER_ERROR}
 if (resp.exitStatus == SHELL_CODES[READ_TIMED_OUT]) return { result: READ_TIMED_OUT}
+ if (resp.exitStatus == SHELL_CODES[NO_VALID_IP_ADDRESSES]) return { result: NO_VALID_IP_ADDRESSES, response: resp.out }
 if (resp.exitStatus == SHELL_CODES[RATE_LIMIT_EXCEEDED]) return { result: RATE_LIMIT_EXCEEDED, response: resp.out }
 }
From 35d8a61adc954abca7d430be79a0f091b7d3106b Mon Sep 17 00:00:00 2001
From: "alexey.lazarenko"
Date: Tue, 7 Feb 2023 11:11:12 +0200
Subject: [PATCH 4/8] WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248)
* WP-8 [WP Standalone Multiregional] LE for multiregion deployment
* WP-8 [WP Standalone Multiregional] LE for multiregion deployment
* WP-8 [WP Standalone Multiregional] LE for multiregion deployment
From fb415d43328bb4d45d46a5a3e644abcaf54ebee7 Mon Sep 17 00:00:00 2001
From: "alexey.lazarenko"
Date: Tue, 7 Feb 2023 11:12:10 +0200
Subject: [PATCH 5/8] changed baseUrl
---
 manifest.jps | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
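Review bot: In the `@@ -1221,6 +1223,17 @@` hunk the new `NO_VALID_IP_ADDRESSES` branch copies `resp.response` — which the last hunk maps from `resp.out`, the raw stdout of generate-ssl-cert.sh, itself lifted from the ACME server's `"detail"` JSON field — verbatim into `error`, `message` and `response`; treat it as untrusted display text and escape it here if `message` is rendered as HTML anywhere downstream, or at least note that in a comment: `// resp.response is raw script output (server-supplied text); display only, never interpret`. The branch also assigns `text` without `var`, as the sibling `READ_TIMED_OUT` branch does, so it is presumably declared earlier in `generateSslCerts`, whose start lies outside the hunk; worth confirming rather than relying on an implicit global. For consistency with that sibling, `if (resp.result == NO_VALID_IP_ADDRESSES)` could carry the same `resp.result &&` guard, though it is harmless here because the constant is non-zero.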
diff --git a/manifest.jps b/manifest.jps
index b996ca42..2bdf9082 100644
--- a/manifest.jps
+++ b/manifest.jps
@@ -50,7 +50,7 @@ targetNodes:
 - jenkins2
 homepage: https://github.com/jelastic-jps/lets-encrypt
-baseUrl: https://raw.githubusercontent.com/jelastic-jps/lets-encrypt/stage
+baseUrl: https://raw.githubusercontent.com/jelastic-jps/lets-encrypt/master
 logo: images/letsencrypt.png
 description:
From 62cc8adf51fa9599af8d6f05c7cfb1dff3e6d1e7 Mon Sep 17 00:00:00 2001
From: "alexey.lazarenko"
Date: Tue, 21 Mar 2023 17:53:20 +0200
Subject: [PATCH 6/8] JE-65859 [Let's Encrypt] Uninstalling addon not deleted all it's data (#250)
---
 manifest.jps | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/manifest.jps b/manifest.jps
index 2bdf9082..c31063e3 100644
--- a/manifest.jps
+++ b/manifest.jps
@@ -167,6 +167,8 @@ onUninstall:
 - removeExecutedEnvFile:
 nodeGroup: ${targetNodes.nodeGroup}
 app_id: ${globals.app_id}
+ - callScript:
+ action: uninstall
 - delete
 onBeforeDelete: delete
From 4d3aab8e1da3f9860b11e755f9a1cb5c530d63e0 Mon Sep 17 00:00:00 2001
From: "alexey.lazarenko"
Date: Wed, 22 Mar 2023 17:29:07 +0200
Subject: [PATCH 7/8] JE-65628 Let's Encrypt Addon stuck during the update if the custom domain name matches the domain name of the environment
---
 scripts/generate-ssl-cert.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/scripts/generate-ssl-cert.sh b/scripts/generate-ssl-cert.sh
index 9e69c687..5a4d16fb 100644
--- a/scripts/generate-ssl-cert.sh
+++ b/scripts/generate-ssl-cert.sh
@@ -113,8 +113,7 @@ do
 all_invalid_domains_errors+=$error";"
 all_invalid_domains+=$invalid_domain" "
-domain=$(echo $domain | sed 's/'${invalid_domain}'\(\s-d\s\)\?//')
-domain=$(echo $domain | sed "s/\s-d$//")
+domain=$(echo $domain | sed 's/^'${invalid_domain}'\s-d\s//' | sed 's/\s-d\s'${invalid_domain}'\s-d\s//' | sed 's/\s-d\s'${invalid_domain}'$//')
 }
 counter=$((counter + 1))
 done
From 0034dc1db3a396c413e1d0efda249ce210ed2424 Mon Sep 17 00:00:00 2001
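Review bot: In the patch 7/8 hunk the middle expression of the new `domain=` line, `sed 's/\s-d\s'${invalid_domain}'\s-d\s//'`, deletes the separator on both sides of the invalid name, so for `domain="a -d b -d c"` with `invalid_domain=b` the result is `ac` rather than `a -d c`, and the two surviving names are fused into one on the next retry; the replacement should keep one separator: `sed 's/\s-d\s'${invalid_domain}'\s-d\s/ -d /'`. The first and last expressions (leading and trailing position) are correct as written. `${invalid_domain}` is also interpolated into the regex unquoted and unescaped, so a `.` in the hostname matches any character; tolerable for names the script itself read from the log, but worth a one-line comment. The `do … done` loop around this hunk starts outside it.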
From: "alexey.lazarenko" Date: Tue, 14 Nov 2023 10:07:36 +0200 Subject: [PATCH 8/8] master into JE-65628 (#276) * Stage (#251) * Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * changed baseurl to stage * Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * changed baseUrl * JE-65859 [Let's Encrypt] Uninstalling addon not deleted all it's data (#250) * JE-66541 [LE] Custom setting withExtIp doesn't apply (#255) * JE-66541 [LE] Custom setting withExtIp doesn't apply * Je 66541 test (#256) * JE-66541 * JE-66541 * JE-66541 * Update manifest.jps * Stage (#257) * Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * changed baseurl to stage * Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone 
Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * changed baseUrl * JE-65859 [Let's Encrypt] Uninstalling addon not deleted all it's data (#250) * JE-66541 [LE] Custom setting withExtIp doesn't apply (#255) * JE-66541 [LE] Custom setting withExtIp doesn't apply * Je 66541 test (#256) * JE-66541 * JE-66541 * JE-66541 * Update manifest.jps * Je 65951 (#258) * JE-65951 * JE-65951 * JE-65951 * JE-65951 * JE-65950 [Review JPS packages and addons for AlmaLinux9] Lets Encrypt * JE-65951 [Review JPS packages and addons for AlmaLinux9] Lets Encrypt * changed baseurl * update baseUrl * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) * changed baseUrl * changed baseUrl * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) (#260) * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) * changed baseUrl * changed baseUrl * JE-67516 [LE] Define custom settings while auto update action (#262) * JE-67516 [LE] Define custom settings while auto update action * JE-67516 [LE] Define custom settings while auto update action * master into stage (#264) * Stage (#251) * Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * changed baseurl to stage * Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment 
* WP-8 [WP Standalone Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * changed baseUrl * JE-65859 [Let's Encrypt] Uninstalling addon not deleted all it's data (#250) * Stage (#257) * Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * changed baseurl to stage * Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * changed baseUrl * JE-65859 [Let's Encrypt] Uninstalling addon not deleted all it's data (#250) * JE-66541 [LE] Custom setting withExtIp doesn't apply (#255) * JE-66541 [LE] Custom setting withExtIp doesn't apply * Je 66541 test (#256) * JE-66541 * JE-66541 * JE-66541 * Update manifest.jps * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) (#260) * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) * changed baseUrl * changed baseUrl * Stage (#265) * 
JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) * changed baseUrl * changed baseUrl * JE-67516 [LE] Define custom settings while auto update action (#262) * JE-67516 [LE] Define custom settings while auto update action * JE-67516 [LE] Define custom settings while auto update action * master into stage (#264) * Stage (#251) * Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * changed baseurl to stage * Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * changed baseUrl * JE-65859 [Let's Encrypt] Uninstalling addon not deleted all it's data (#250) * Stage (#257) * Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * changed baseurl to stage * Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP 
Standalone Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * changed baseUrl * JE-65859 [Let's Encrypt] Uninstalling addon not deleted all it's data (#250) * JE-66541 [LE] Custom setting withExtIp doesn't apply (#255) * JE-66541 [LE] Custom setting withExtIp doesn't apply * Je 66541 test (#256) * JE-66541 * JE-66541 * JE-66541 * Update manifest.jps * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) (#260) * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) * changed baseUrl * changed baseUrl * baseUrl * JE-68478 * JE-68478 * JE-68478 * JE-68478 * merged (#270) * Stage (#251) * Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * changed baseurl to stage * Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * changed baseUrl * JE-65859 [Let's Encrypt] Uninstalling 
addon not deleted all it's data (#250) * Stage (#257) * Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * changed baseurl to stage * Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * changed baseUrl * JE-65859 [Let's Encrypt] Uninstalling addon not deleted all it's data (#250) * JE-66541 [LE] Custom setting withExtIp doesn't apply (#255) * JE-66541 [LE] Custom setting withExtIp doesn't apply * Je 66541 test (#256) * JE-66541 * JE-66541 * JE-66541 * Update manifest.jps * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) (#260) * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) * changed baseUrl * changed baseUrl * Stage (#265) * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) * changed baseUrl * changed baseUrl * JE-67516 [LE] Define custom settings while auto update action (#262) * JE-67516 [LE] Define custom settings while auto update action * JE-67516 [LE] Define custom settings while auto update action * master into stage (#264) * Stage (#251) * Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error 
message * changed baseurl to stage * Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * changed baseUrl * JE-65859 [Let's Encrypt] Uninstalling addon not deleted all it's data (#250) * Stage (#257) * Je 60560 (#222) * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * JE-60560 [LE] updatefromcontainer->4121 with empty Error message * changed baseurl to stage * Je 58868 (#195) * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * JE-58868 [LE] EndConfigureLEUpdate ErrorCode 0 for incorrect DNS settings * WP-8 [WP Standalone Multiregional] LE for multiregion deployment (#246) (#248) * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * WP-8 [WP Standalone Multiregional] LE for multiregion deployment * changed baseUrl * JE-65859 [Let's Encrypt] Uninstalling addon not 
deleted all it's data (#250) * JE-66541 [LE] Custom setting withExtIp doesn't apply (#255) * JE-66541 [LE] Custom setting withExtIp doesn't apply * Je 66541 test (#256) * JE-66541 * JE-66541 * JE-66541 * Update manifest.jps * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) (#260) * JE-67263 [LE] Unable install LE in old VAP versions (5.9.1) * changed baseUrl * changed baseUrl * baseUrl * JE-68478 * JE-68478 * JE-68478 * JE-68478 * JE-68478 * JE-68478 * JE-68478 * baseUrl * JE-68478 * baseUrl * JE-68478 * JE-68478 * baseUrl * baseUrl --------- Co-authored-by: sych74 --- manifest.jps | 5 ++- scripts/auto-update-ssl-cert.sh | 2 + scripts/create-installation-script.js | 4 +- scripts/generate-ssl-cert.sh | 24 ++++++++-- scripts/install-le.sh | 15 +++++-- scripts/install-ssl.js | 1 + scripts/ssl-manager.js | 63 ++++++++++++++++++++++----- 7 files changed, 94 insertions(+), 20 deletions(-) diff --git a/manifest.jps b/manifest.jps index c31063e3..a4d20b2e 100644 --- a/manifest.jps +++ b/manifest.jps @@ -104,7 +104,8 @@ onInstall: - setGlobals: nodeId: ${settings.nodeId:} nodeGroup: ${targetNodes.nodeGroup:} - withExtIp: ${settings.withExtIp:true} + withExtIp: ${settings.withExtIp:} + withIntSSL: ${settings.withIntSSL:true} webroot: ${settings.webroot:} webrootPath: ${settings.webrootPath:} fallbackToX1: ${settings.fallbackToX1:} @@ -194,6 +195,7 @@ actions: undeployHook: ${globals.undeployHook} undeployHookType: ${globals.undeployHookType} withExtIp: ${globals.withExtIp} + withIntSSL: ${globals.withIntSSL} webroot: ${globals.webroot} webrootPath: ${globals.webrootPath} fallbackToX1: ${globals.fallbackToX1} @@ -268,6 +270,7 @@ actions: deployHookType: ${globals.deployHookType} undeployHookType: ${globals.undeployHookType} withExtIp: ${globals.withExtIp} + withIntSSL: ${globals.withIntSSL} webroot: ${globals.webroot} webrootPath: ${globals.webrootPath} fallbackToX1: ${globals.fallbackToX1} 
diff --git a/scripts/auto-update-ssl-cert.sh b/scripts/auto-update-ssl-cert.sh index 803801a5..f3a8589c 100755 --- a/scripts/auto-update-ssl-cert.sh +++ b/scripts/auto-update-ssl-cert.sh @@ -9,6 +9,7 @@ SED=$(which sed) GIT=$(which git); BASE_REPO_URL="https://github.com/jelastic-jps/lets-encrypt" RAW_REPO_SCRIPS_URL="https://raw.githubusercontent.com/jelastic-jps/lets-encrypt/master/scripts/" +SETTINGS_CUSTOM="/var/lib/jelastic/keys/letsencrypt/settings-custom" [[ -z "$WGET" || -z "$OPENSSL" || -z "$GREP" || -z "$SED" || -z "$GIT" ]] && { echo "PATH not set with neccessary commands"; exit 3 ; } @@ -39,6 +40,7 @@ function updateScripts(){ updateScripts [ -f "${DIR}/opt/letsencrypt/settings" ] && source "${DIR}/opt/letsencrypt/settings" || { echo "No settings available" ; exit 3 ; } +[ -f "${DIR}${SETTINGS_CUSTOM}" ] && source "${DIR}${SETTINGS_CUSTOM}" [ -f "${DIR}/root/validation.sh" ] && source "${DIR}/root/validation.sh" || { echo "No validation library available" ; exit 3 ; } validateExtIP diff --git a/scripts/create-installation-script.js b/scripts/create-installation-script.js index 40f0ddc9..4fa574cf 100644 --- a/scripts/create-installation-script.js +++ b/scripts/create-installation-script.js @@ -11,8 +11,9 @@ var baseDir = getParam("baseDir", "/"), undeployHook = getParam("undeployHook", ""), undeployHookType = getParam("undeployHookType", ""), withExtIp = getParam("withExtIp", ""), + withIntSSL = getParam("withIntSSL", ""), webroot = getParam("webroot", ""), - webrootPath = getParam("webrootPath", ""), + webrootPath = getParam("webrootPath", ""), appId = getParam("appId", "letsencrypt-ssl-addon"), fallbackToX1 = getParam("fallbackToX1", ""), test = getParam("test", ""), 
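Review bot: The added `[ -f "${DIR}${SETTINGS_CUSTOM}" ] && source "${DIR}${SETTINGS_CUSTOM}"` executes that file as shell inside the update job, which elsewhere in this script writes `/var/log/letsencrypt.log` and so presumably runs as root, and the hunk performs no ownership or mode check on it; if `/var/lib/jelastic/keys/letsencrypt/settings-custom` is writable by the application user, whatever is placed there runs at the updater's privilege on the next scheduled run. Either guard the source with an ownership test, e.g. `f="${DIR}${SETTINGS_CUSTOM}"; [ -f "$f" ] && [ "$(stat -c '%U' "$f")" = root ] && source "$f"`, or read only the expected `key=value` pairs instead of sourcing. The existing `settings` line just above has the same exposure; both are top-level script lines, not inside a function.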
@@ -34,6 +35,7 @@ function run() { undeployHook : replace(undeployHook), undeployHookType : replace(undeployHookType), withExtIp : replace(withExtIp) || "", + withIntSSL : replace(withIntSSL) || "", fallbackToX1 : replace(fallbackToX1) || "", webroot : replace(webroot) || "", webrootPath : replace(webrootPath) || "", diff --git a/scripts/generate-ssl-cert.sh b/scripts/generate-ssl-cert.sh index 5a4d16fb..c22af26f 100644 --- a/scripts/generate-ssl-cert.sh +++ b/scripts/generate-ssl-cert.sh @@ -1,6 +1,6 @@ #!/bin/bash DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/.."; -LOG_FILE=$DIR/var/log/letsencrypt/letsencrypt.log-$(date '+%s') +DEFAULT_LOG_FILE=$DIR/var/log/letsencrypt/letsencrypt.log-$(date '+%s') KEYS_DIR="$DIR/var/lib/jelastic/keys/" SETTINGS="$DIR/opt/letsencrypt/settings" DOMAIN_SEP=" -d " 
@@ -51,18 +51,27 @@ mkdir -p $DIR/var/log/letsencrypt [[ "$webroot" == "false" ]] && { service tinyproxy start || { echo "Failed to start proxy server" ; exit 3 ; } + if grep -a 'AlmaLinux' /etc/system-release ; then + /usr/sbin/nft insert rule ip filter INPUT tcp dport ${PROXY_PORT} counter accept comment "LE" + /usr/sbin/nft insert rule ip filter INPUT tcp dport ${LE_PORT} counter accept comment "LE" + /usr/sbin/nft insert rule ip6 filter INPUT tcp dport ${LE_PORT} counter accept comment "LE" + /usr/sbin/nft insert rule ip nat PREROUTING ip saddr != 127.0.0.1 tcp dport 80 counter redirect to ${PROXY_PORT} comment "LE" + /usr/sbin/nft insert rule ip6 nat PREROUTING ip6 saddr ::0 ip6 daddr ::0 tcp dport 80 counter redirect to ${LE_PORT} comment "LE" || \ + /usr/sbin/nft insert rule ip6 filter INPUT tcp dport 80 counter drop comment "LE" + else iptables -I INPUT -p tcp -m tcp --dport ${PROXY_PORT} -j ACCEPT iptables -I INPUT -p tcp -m tcp --dport ${LE_PORT} -j ACCEPT ip6tables -I INPUT -p tcp -m tcp --dport ${LE_PORT} -j ACCEPT iptables -t nat -I PREROUTING -p tcp -m tcp ! -s 127.0.0.1/32 --dport 80 -j REDIRECT --to-ports ${PROXY_PORT} ip6tables -t nat -I PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports ${LE_PORT} || ip6tables -I INPUT -p tcp -m tcp --dport 80 -j DROP + fi } result_code=$GENERAL_RESULT_ERROR; while [ "$result_code" != "0" ] do [[ -z $domain ]] && break; - LOG_FILE=$LOG_FILE"-"$counter + LOG_FILE=$DEFAULT_LOG_FILE"-"$counter resp=$($DIR/opt/letsencrypt/acme.sh --issue $params $test_params --listen-v6 --domain $domain --nocron -f --log-level 2 --log $LOG_FILE 2>&1) 
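Review bot: `if grep -a 'AlmaLinux' /etc/system-release ; then` has no `-q`, so on AlmaLinux the matching release line is printed to this script's stdout; the ssl-manager.js hunk in patch 3/8 maps that stdout (`resp.out`) into `response` and then into the user-facing `"Error: " + resp.response`, so the OS banner is likely to be prepended to every error text. Use `grep -q 'AlmaLinux' /etc/system-release`, as `GREP_ALMA` in `manageDnat` already does; the same grep recurs in the cleanup hunk `@@ -128,12 +137,21 @@` and in install-le.sh. Each `/usr/sbin/nft insert rule …` in the new branch is also unchecked, unlike the `service tinyproxy start ||` guard two lines above, so a failed insert leaves port 80 unredirected and the run fails later with a less specific ACME error; `|| { echo "Failed to add nft rule" ; exit 3 ; }` on each would keep the failure at its source. The `[[ "$webroot" == "false" ]] && { … }` group enclosing this hunk opens above it.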
@@ -128,12 +137,21 @@ domain=$(echo $domain | sed -r "s/\s-d//g"); sed -i "s|^domain=.*|domain='${domain}'|g" ${SETTINGS}; [[ "$webroot" == "false" ]] && { + if grep -a 'AlmaLinux' /etc/system-release ; then + for _family in ip ip6; do + for _table in 'filter INPUT' 'nat PREROUTING'; do + for handle in $(nft -a list table $_family ${_table/ *} | grep 'comment \"LE\"'| sed -r 's/.*#\s+handle\s+([0-9]+)/\1/g' 2>/dev/null); do + /usr/sbin/nft delete rule $_family $_table handle $handle; + done + done + done + else iptables -t nat -D PREROUTING -p tcp -m tcp ! -s 127.0.0.1/32 --dport 80 -j REDIRECT --to-ports ${PROXY_PORT} ip6tables -t nat -D PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports ${LE_PORT} || ip6tables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT iptables -D INPUT -p tcp -m tcp --dport ${PROXY_PORT} -j ACCEPT iptables -D INPUT -p tcp -m tcp --dport ${LE_PORT} -j ACCEPT ip6tables -D INPUT -p tcp -m tcp --dport ${LE_PORT} -j ACCEPT - + fi service tinyproxy stop || echo "Failed to stop proxy server" chkconfig tinyproxy off } diff --git a/scripts/install-le.sh b/scripts/install-le.sh index f872b59a..dc0b7a11 100644 --- a/scripts/install-le.sh +++ b/scripts/install-le.sh 
@@ -27,10 +27,17 @@ echo "Installing required packages" } } } - yum-config-manager --save --setopt=\*.retries=5 --setopt=\*.skip_if_unavailable=true --setopt=\*.timeout=5 - yum -y install epel-release git bc nss; - yum -y install tinyproxy socat --enablerepo='epel'; - + if grep -a 'AlmaLinux' /etc/system-release ; then + microdnf -y install epel-release; microdnf install -y git bc nss socat --enablerepo='epel'; + wget http://repository.jelastic.com/pub/tinyproxy-1.8.3-2.el9.x86_64.rpm -O /tmp/tinyproxy-1.8.3-2.el9.x86_64.rpm + dnf install -y /tmp/tinyproxy-1.8.3-2.el9.x86_64.rpm --disablerepo=* ; rm -f /tmp/tinyproxy-1.8.3-2.el9.x86_64.rpm + else + + yum-config-manager --save --setopt=\*.retries=5 --setopt=\*.skip_if_unavailable=true --setopt=\*.timeout=5 + yum -y install epel-release git bc nss; + yum -y install tinyproxy socat --enablerepo='epel'; + fi + mkdir -p ${DIR}/opt; [[ -z $CLIENT_VERSION ]] && { diff --git a/scripts/install-ssl.js b/scripts/install-ssl.js index 3f3da1dd..8ab971ac 100644 --- a/scripts/install-ssl.js +++ b/scripts/install-ssl.js @@ -32,6 +32,7 @@ function run() { undeployHook : "${undeployHook}", undeployHookType : "${undeployHookType}", withExtIp : "${withExtIp}", + withIntSSL : "${withIntSSL}", webroot : "${webroot}", webrootPath : "${webrootPath}", fallbackToX1 : "${fallbackToX1}", diff --git a/scripts/ssl-manager.js b/scripts/ssl-manager.js index 4f9d9ef7..22cb1c0a 100644 --- a/scripts/ssl-manager.js +++ b/scripts/ssl-manager.js @@ -24,6 +24,7 @@ function SSLManager(config) { * [undeployHook] : {String} * [undeployHookType] : {String} * [withExtIp] : {Boolean} + * [withIntSSL] : {Boolean} * [webroot] : {Boolean} * [webrootPath] : {String} * [test] : {Boolean} 
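Review bot: The AlmaLinux branch fetches `tinyproxy-1.8.3-2.el9.x86_64.rpm` with `wget http://repository.jelastic.com/…` and passes it straight to `dnf install -y /tmp/… --disablerepo=*`; a plain-HTTP download with no digest comparison means anything substituted on the path is installed as root. Fetch over `https://`, check the wget exit status, and compare a pinned digest before installing, e.g. `echo "<EXPECTED_SHA256>  /tmp/tinyproxy-1.8.3-2.el9.x86_64.rpm" | sha256sum -c - || exit 3` (placeholder digest), and quote `--disablerepo='*'` so the shell cannot glob it. As in generate-ssl-cert.sh, `grep -a 'AlmaLinux' /etc/system-release` should be `grep -q` to keep the release line out of the installer's output. The `{ … }` group this `if` sits in begins outside the hunk.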
@@ -131,6 +132,7 @@ function SSLManager(config) {
         var resp = me.exec([
             [ me.initCustomConfigs ],
             [ me.initAddOnExtIp, config.withExtIp ],
+            [ me.initIntSSL, config.withIntSSL ],
             [ me.initWebrootMethod, config.webroot ],
             [ me.initFalbackToFake, config.fallbackToX1 ],
             [ me.initEntryPoint ],
@@ -325,6 +327,7 @@ function SSLManager(config) {
             webroot : config.webroot || "",
             webrootPath : config.webrootPath || "",
             withExtIp : config.withExtIp,
+            withIntSSL : config.withIntSSL,
             customDomains : me.getCustomDomains(),
             nodeGroup : config.nodeGroup || "",
             deployHook : config.deployHook || "",
@@ -595,9 +598,12 @@ function SSLManager(config) {
     };
 
     me.createScriptAndInstall = function createInstallationScript() {
-        var resp = me.exec([
-            [ me.initCustomConfigs ],
+        var resp = me.initCustomConfigs();
+        if (resp.result != 0) return resp;
+
+        resp = me.exec([
             [ me.initAddOnExtIp, config.withExtIp ],
+            [ me.initIntSSL, config.withIntSSL ],
             [ me.initWebrootMethod, config.webroot ],
             [ me.initFalbackToFake, config.fallbackToX1 ],
             [ me.applyCustomDomains, config.customDomains ],
@@ -716,6 +722,12 @@ function SSLManager(config) {
         return { result: 0 };
     };
 
+    me.initIntSSL = function initIntSSL(withIntSSL) {
+        withIntSSL = String(withIntSSL) || false;
+        config.withIntSSL = me.initBoolValue(withIntSSL);
+        return { result: 0 };
+    };
+
     me.initAddOnExtIp = function initAddOnExtIp(withExtIp) {
         var resp;
 
@@ -1083,7 +1095,7 @@ function SSLManager(config) {
             withExtIp : config.withExtIp,
             webroot : config.webroot,
             webrootPath : config.webrootPath || "",
-            skipped : config.skippedDomains || "",
+            skipped : me.getSkippedDomains().join(DOMAINS_SEP),
             updateDecreased: !!config.updateDecreased,
             updateDisabled: !!config.updateDisabled
         }),
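Review bot: In initIntSSL the fallback in `withIntSSL = String(withIntSSL) || false;` is effectively dead: `String(undefined)` and `String(null)` are the non-empty strings "undefined" and "null", so only an empty string ever reaches `false`, and an unset parameter is passed to `me.initBoolValue` as the text "undefined". Whether initBoolValue treats that text as true cannot be seen in this hunk; if it does, an environment that never sets withIntSSL would enable the extra-node certificate binding added later in this patch. Guarding on nullish input first avoids the question: `withIntSSL = withIntSSL == null ? false : String(withIntSSL);`. If initAddOnExtIp, whose body lies outside the hunk, uses the same pattern it has the same gap; the enclosing SSLManager function starts and ends outside the hunk.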
@@ -1330,14 +1342,38 @@ function SSLManager(config) {
 
     //managing certificate challenge validation by routing all requests to master node with let's encrypt engine
     me.manageDnat = function manageDnat(action) {
-        return nodeManager.cmd(
-            "ip a | grep -q '%(nodeIp)' || { iptables -t nat %(action) PREROUTING -p tcp --dport 80 -j DNAT --to-destination %(nodeIp):80; iptables %(action) FORWARD -p tcp -j ACCEPT; iptables -t nat %(action) POSTROUTING -d %(nodeIp) -j MASQUERADE; }",
-            {
-                nodeGroup : config.nodeGroup,
-                nodeIp : config.nodeIp,
-                action : action == 'add' ? '-I' : '-D'
-            }
-        );
+        var GREP_IP = "ip a | grep -q '%(nodeIp)'",
+            GREP_ALMA = "grep -q 'AlmaLinux' /etc/system-release",
+            CENTOS_IPTABLES = "iptables -t nat %(action) PREROUTING -p tcp --dport 80 -j DNAT --to-destination %(nodeIp):80; iptables %(action) FORWARD -p tcp -j ACCEPT; iptables -t nat %(action) POSTROUTING -d %(nodeIp) -j MASQUERADE;",
+            ALMA_LINUX_ADD_RULES = "/usr/sbin/nft insert rule ip nat PREROUTING tcp dport 80 counter dnat to %(nodeIp):80 comment \"LEmasq\"; /usr/sbin/nft insert rule ip filter FORWARD meta l4proto tcp counter accept comment \"LEmasq\"; /usr/sbin/nft insert rule ip nat POSTROUTING ip daddr %(nodeIp) counter masquerade comment \"LEmasq\"; ",
+            ALMA_LINUX_REMOVE_RULES = "for _table in 'filter FORWARD' 'nat PREROUTING' 'nat POSTROUTING'; do for handle in $(nft -a list chain ip $_table | grep 'comment \"LEmasq\"' | sed -rn 's|.*#\shandle\s([0-9])|\1|p'); do /usr/sbin/nft delete rule ip $_table handle $handle; done; done;",
+            resp;
+
+        if (action == 'add'){
+            resp = nodeManager.cmd(
+                GREP_ALMA + " && { " + GREP_IP + " || { %(almaLinux) } } || { " + GREP_IP + " || { %(centOS) } }",
+                {
+                    almaLinux : ALMA_LINUX_ADD_RULES,
+                    centOS : CENTOS_IPTABLES,
+                    action : '-I',
+                    nodeGroup : config.nodeGroup,
+                    nodeIp : config.nodeIp
+                }
+            );
+        }else{
+            resp = nodeManager.cmd(
+                GREP_ALMA + " && { " + GREP_IP + " || { %(almaLinux) } } || { " + GREP_IP + " || { %(centOS) } }",
+                {
+                    action : '-D',
+                    almaLinux : ALMA_LINUX_REMOVE_RULES,
+                    centOS : CENTOS_IPTABLES,
+                    nodeGroup : config.nodeGroup,
+                    nodeIp : config.nodeIp
+                }
+            );
+        }
+
+        return resp;
     };
 
     me.checkEnvSsl = function checkEnvSsl() {
@@ -1488,7 +1524,12 @@ function SSLManager(config) {
                     cert: cert.body,
                     interm: chain.body
                 });
+                me.exec(me.bindSSLCerts);
+
+                if (config.withIntSSL && nodeManager.checkCustomSSL()) {
+                    me.exec(me.bindSSLOnExtraNode, cert_key.body, cert.body, chain.body);
+                }
             }
         } else {
             resp = error(Response.ERROR_UNKNOWN, "Can't read SSL certificate: key=%(key) cert=%(cert) chain=%(chain)", {
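Review bot: ALMA_LINUX_REMOVE_RULES can never match an nft handle: inside a JavaScript double-quoted string `\s` is just `s` and, in non-strict code, `\1` is the control character U+0001, so the sed program that reaches the shell is `s|.*#shandles([0-9])|<U+0001>|p` and prints nothing; even with the escapes fixed, `([0-9])` captures a single digit, so handle 12 would be deleted as handle 1. The effect is that the remove path on AlmaLinux silently leaves the "LEmasq" DNAT, FORWARD and MASQUERADE rules in place (the loop body never runs, so the command still exits 0), and port-80 traffic on that node keeps being forwarded to `%(nodeIp)` after the challenge is over, which is a standing redirection of inbound traffic rather than a one-off. The fix is one string: `sed -rn 's|.*#\\shandle\\s([0-9]+)|\\1|p'`, which also brings it in line with the `([0-9]+)` used by the bash loop in generate-ssl-cert.sh in this same patch. Note also that the `GREP_ALMA && { ... } || { ... }` shape falls through to the iptables commands whenever the AlmaLinux block exits non-zero, which is probably not intended. The enclosing SSLManager function starts and ends outside the hunk.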