Merge branch 'develop' for v3.6.0

Author: mrrobot47

migrations/db/20250927101545_site-command_fix_ssl_flag_for_existing_le_certs.php

@@ -0,0 +1,117 @@
+<?php
+
+namespace EE\Migration;
+
+use EE;
+use EE\Model\Site;
+use EE\Migration\Base;
+
+class FixSslFlagForExistingLeCerts extends Base {
+	public function __construct() {
+		parent::__construct();
+		$this->sites = Site::all();
+		if ( $this->is_first_execution || ! $this->sites ) {
+			$this->skip_this_migration = true;
+		}
+	}
+
+	public function up() {
+		if ( $this->skip_this_migration ) {
+			EE::debug( 'Skipping fix_ssl_flag_for_existing_le_certs migration as it is not needed.' );
+
+			return;
+		}
+		$certs_dir  = EE_ROOT_DIR . '/services/nginx-proxy/certs/';
+		$conf_dir   = EE_ROOT_DIR . '/services/nginx-proxy/conf.d/';
+		$backup_dir = defined( 'EE_BACKUP_DIR' ) ? EE_BACKUP_DIR : EE_ROOT_DIR . '/.backup';
+		if ( ! is_dir( $backup_dir ) ) {
+			@mkdir( $backup_dir, 0755, true );
+		}
+		$log_file    = $backup_dir . '/.ssl-fix.log';
+		$log_entries = [];
+		foreach ( $this->sites as $site ) {
+			$site_url      = $site->site_url;
+			$crt           = $certs_dir . $site_url . '.crt';
+			$key           = $certs_dir . $site_url . '.key';
+			$chain         = $certs_dir . $site_url . '.chain.pem';
+			$redirect_conf = $conf_dir . $site_url . '-redirect.conf';
+
+			$crt_exists   = file_exists( $crt );
+			$key_exists   = file_exists( $key );
+			$chain_exists = file_exists( $chain );
+			$db_ssl       = $site->site_ssl;
+			$actions      = [];
+
+			// If redirect conf exists but no certs, remove conf and reload nginx proxy
+			if ( file_exists( $redirect_conf ) && ( ! $crt_exists || ! $key_exists || ! $chain_exists ) ) {
+				EE::log( "Removing orphan redirect conf for $site_url and reloading nginx proxy." );
+				@unlink( $redirect_conf );
+				$actions[] = "Removed redirect conf: $redirect_conf";
+				\EE\Site\Utils\reload_global_nginx_proxy();
+			}
+
+			if ( $crt_exists && $key_exists && $chain_exists ) {
+				if ( empty( $db_ssl ) || $db_ssl !== 'le' ) {
+					// Check if the cert is a valid Let's Encrypt cert using CertificateParser
+					try {
+						$crt_pem = file_get_contents( $crt );
+						if ( ! function_exists( 'openssl_x509_parse' ) ) {
+							EE::warning( "openssl_x509_parse() not available in PHP. Cannot check issuer for $site_url." );
+							$actions[] = "openssl_x509_parse() not available, skipping Let's Encrypt detection";
+						} else {
+							$cert_data     = openssl_x509_parse( $crt_pem );
+							$issuer_full   = isset( $cert_data['issuer'] ) ? $cert_data['issuer'] : [];
+							$issuer_json   = json_encode( $issuer_full );
+							$subject_cn    = isset( $cert_data['subject']['CN'] ) ? $cert_data['subject']['CN'] : '';
+							$crt_pem_lines = implode( ' | ', array_slice( explode( "\n", $crt_pem ), 0, 2 ) );
+							$actions[]     = "Cert issuer: $issuer_json";
+							$actions[]     = "Cert subject CN: '$subject_cn'";
+							$actions[]     = "Cert PEM first lines: $crt_pem_lines";
+
+							// Check all issuer fields for 'Let's Encrypt'
+							$le_found = false;
+							foreach ( $issuer_full as $field => $value ) {
+								if ( stripos( $value, "Let's Encrypt" ) !== false ) {
+									$le_found = true;
+									break;
+								}
+							}
+							if ( $le_found ) {
+								EE::log( "Updating SSL flag for site $site_url: found valid Let's Encrypt cert." );
+								$site->site_ssl = 'le';
+								$site->save();
+								$actions[] = "Updated DB: set site_ssl=le (valid LE cert)";
+							} else {
+								$actions[] = "Cert is not from Let's Encrypt, no DB update";
+							}
+						}
+					} catch ( \Exception $e ) {
+						EE::debug( "Failed to parse certificate for $site_url: " . $e->getMessage() );
+						$actions[] = "Failed to parse certificate: " . $e->getMessage();
+					}
+				}
+			}
+
+			if ( empty( $actions ) ) {
+				$actions[] = 'No action needed';
+			}
+			$log_entries[] = sprintf(
+				"%s [%s] DB: '%s', crt: %s, key: %s, chain: %s -- %s",
+				date( 'c' ),
+				$site_url,
+				$db_ssl === null ? '' : $db_ssl,
+				$crt_exists ? 'yes' : 'no',
+				$key_exists ? 'yes' : 'no',
+				$chain_exists ? 'yes' : 'no',
+				implode( '; ', $actions )
+			);
+		}
+		if ( $log_entries ) {
+			file_put_contents( $log_file, implode( "\n", $log_entries ) . "\n", FILE_APPEND );
+		}
+	}
+
+	public function down() {
+		// No-op: This migration is not reversible.
+	}
+}

src/helper/Site_Letsencrypt.php

@@ -488,6 +488,8 @@ private function executeFirstRequest( $domain, array $alternativeNames, $email )
 
 		// Post-generate actions
 		$this->moveCertsToNginxProxy( $domain );
+
+		return true;
 	}
 
 	private function moveCertsToNginxProxy( string $domain ) {
@@ -523,7 +525,7 @@ public function isAlreadyExpired( $domain ) {
 			if ( $parsedCertificate->getValidTo()->format( 'U' ) - time() < 0 ) {
 				\EE::log(
 					sprintf(
-						'Current certificate is alerady expired on %s, renewal is necessary.',
+						'Current certificate is already expired on %s, renewal is necessary.',
 						$parsedCertificate->getValidTo()->format( 'Y-m-d H:i:s' )
 					)
 				);
@@ -636,6 +638,8 @@ private function executeRenewal( $domain, array $alternativeNames, $force = fals
 			$this->moveCertsToNginxProxy( $domain );
 			\EE::log( 'Certificate renewed successfully!' );
 
+			return true;
+
 		} catch ( \Exception $e ) {
 			\EE::warning( 'A critical error occured during certificate renewal' );
 			\EE::debug( print_r( $e, true ) );
@@ -734,5 +738,26 @@ public function cleanup() {
 			$fs->remove( $challange_dir );
 		}
 	}
-}
 
+	/**
+	 * Check if a domain has a stored ACME authorization challenge.
+	 *
+	 * @param string $domain The domain to check for a stored challenge.
+	 *
+	 * @return bool True if a challenge exists for the domain, false otherwise.
+	 */
+	public function hasDomainAuthorizationChallenge( $domain ) {
+		return $this->repository->hasDomainAuthorizationChallenge( $domain );
+	}
+
+	/**
+	 * Load the stored ACME authorization challenge for a domain.
+	 *
+	 * @param string $domain The domain to load the challenge for.
+	 *
+	 * @return AuthorizationChallenge|null The challenge object, or null if not found.
+	 */
+	public function loadDomainAuthorizationChallenge( $domain ) {
+		return $this->repository->loadDomainAuthorizationChallenge( $domain );
+	}
+}

src/helper/class-ee-site.php

@@ -1719,6 +1719,193 @@ public function ssl_verify( $args = [], $assoc_args = [], $www_or_non_www = fals
 		return true;
 	}
 
+	/**
+	 * Shows SSL info and DNS challenge records for a site.
+	 *
+	 * ## OPTIONS
+	 *
+	 * [<site-name>]
+	 * : Name of website.
+	 *
+	 * [--get-dns-records]
+	 * : Show DNS challenge records (if using DNS-01 challenge).
+	 *
+	 * [--format=<format>]
+	 * : Render output in a particular format.
+	 * ---
+	 * default: table
+	 * options:
+	 *   - table
+	 *   - csv
+	 *   - yaml
+	 *   - json
+	 * ---
+	 *
+	 * ## EXAMPLES
+	 *
+	 *     # Show SSL info for a site
+	 *     $ ee site ssl-info example.com
+	 *
+	 *     # Show DNS challenge info for a site
+	 *     $ ee site ssl-info example.com --get-dns-records
+	 *
+	 * @subcommand ssl-info
+	 */
+	public function ssl_info( $args, $assoc_args ) {
+		$args            = auto_site_name( $args, 'site', __FUNCTION__ );
+		$this->site_data = get_site_info( $args, false, true, false );
+
+		$site_url      = $this->site_data->site_url;
+		$wildcard      = ! empty( $this->site_data->site_ssl_wildcard );
+		$alias_domains = empty( $this->site_data->alias_domains ) ? [] : explode( ',', $this->site_data->alias_domains );
+		$domains       = $this->get_cert_domains( $site_url, $wildcard );
+		$domains       = array_unique( array_merge( $domains, $alias_domains ) );
+
+		$output   = [];
+		$warnings = [];
+
+		// If --get-dns-records is passed, show DNS challenge info (old behavior)
+		if ( \EE\Utils\get_flag_value( $assoc_args, 'get-dns-records', false ) ) {
+			$preferred_challenge = get_preferred_ssl_challenge( $domains );
+			$is_dns              = $wildcard || $preferred_challenge === 'dns';
+
+			if ( ! $is_dns ) {
+				$warnings[] = 'This site does not use DNS-based (DNS-01) SSL challenge.';
+			} else {
+				$client = new \EE\Site\Type\Site_Letsencrypt();
+				$rows   = [];
+				foreach ( $domains as $domain ) {
+					if ( $client->hasDomainAuthorizationChallenge( $domain ) ) {
+						$challenge = $client->loadDomainAuthorizationChallenge( $domain );
+						if ( method_exists( $challenge, 'toArray' ) ) {
+							$data        = $challenge->toArray();
+							$record_name = isset( $data['dnsRecordName'] ) ? $data['dnsRecordName'] : '_acme-challenge.' . $domain;
+							if ( isset( $data['dnsRecordValue'] ) ) {
+								$record_value = $data['dnsRecordValue'];
+							} elseif ( isset( $data['payload'] ) ) {
+								$keyAuthorization = $data['payload'];
+								$digest           = rtrim( strtr( base64_encode( hash( 'sha256', $keyAuthorization, true ) ), '+/', '-_' ), '=' );
+								$record_value     = $digest;
+							} else {
+								$record_value = '';
+							}
+							$rows[] = [
+								'domain'       => $domain,
+								'record_name'  => $record_name,
+								'record_value' => $record_value,
+							];
+						} else {
+							$warnings[] = "Could not extract DNS challenge for $domain.";
+						}
+					} else {
+						$warnings[] = "No pending DNS challenge found for $domain. (Try running 'ee site ssl-verify $site_url' if you are setting up SSL)";
+					}
+				}
+				$output['dns_challenges'] = $rows;
+			}
+			$output['warnings'] = $warnings;
+			$formatter          = new \EE\Formatter( $assoc_args, array_keys( $output ) );
+			$formatter->display_items( [ $output ] );
+
+			return;
+		}
+
+		// Otherwise, show SSL status and cert details
+		$ssl_type           = $this->site_data->site_ssl;
+		$output['ssl_type'] = $ssl_type ? $ssl_type : 'off';
+
+		if ( ! $ssl_type || $ssl_type === 'off' ) {
+			$output['status']   = 'SSL is not enabled for this site.';
+			$output['warnings'] = $warnings;
+			$formatter          = new \EE\Formatter( $assoc_args, array_keys( $output ) );
+			$formatter->display_items( [ $output ] );
+
+			return;
+		}
+
+		// Determine which cert to show (le, self, inherit, custom)
+		$cert_site_name = $site_url;
+		if ( $ssl_type === 'inherit' ) {
+			$cert_site_name = implode( '.', array_slice( explode( '.', $site_url ), 1 ) );
+		}
+
+		$certs_dir = EE_ROOT_DIR . '/services/nginx-proxy/certs/';
+		$crt_file  = $certs_dir . $cert_site_name . '.crt';
+
+		if ( ! file_exists( $crt_file ) ) {
+			$warnings[]         = "Certificate file not found for $cert_site_name ($crt_file)";
+			$output['status']   = 'Certificate file not found / yet to be issued.';
+			$output['warnings'] = $warnings;
+			$formatter          = new \EE\Formatter( $assoc_args, array_keys( $output ) );
+			$formatter->display_items( [ $output ] );
+
+			return;
+		}
+
+		try {
+			$certificate       = new \AcmePhp\Ssl\Certificate( file_get_contents( $crt_file ) );
+			$certificateParser = new \AcmePhp\Ssl\Parser\CertificateParser();
+			$parsedCertificate = $certificateParser->parse( $certificate );
+
+			$issuer    = $parsedCertificate->getIssuer();
+			$subject   = $parsedCertificate->getSubject();
+			$validFrom = $parsedCertificate->getValidFrom()->format( 'Y-m-d H:i:s' );
+			$validTo   = $parsedCertificate->getValidTo()->format( 'Y-m-d H:i:s' );
+			$serial    = $parsedCertificate->getSerialNumber();
+
+			// Use openssl_x509_parse for CN fields, as in migration
+			$crt_pem = file_get_contents( $crt_file );
+			if ( function_exists( 'openssl_x509_parse' ) ) {
+				$cert_data   = openssl_x509_parse( $crt_pem );
+				$subjectCN   = isset( $cert_data['subject']['CN'] ) ? $cert_data['subject']['CN'] : '';
+				$issuer_full = isset( $cert_data['issuer'] ) ? $cert_data['issuer'] : [];
+				$le_found    = false;
+				foreach ( $issuer_full as $field => $value ) {
+					if ( stripos( $value, "Let's Encrypt" ) !== false ) {
+						$le_found = true;
+						break;
+					}
+				}
+				if ( $le_found ) {
+					$issuerCN = "Let's Encrypt";
+				} else {
+					$issuerCN = isset( $issuer_full['CN'] ) ? $issuer_full['CN'] : implode( ', ', $issuer_full );
+				}
+			} else {
+				if ( is_object( $subject ) && method_exists( $subject, 'getField' ) ) {
+					$subjectCN = $subject->getField( 'CN' );
+				} else {
+					$subjectCN  = is_string( $subject ) ? $subject : json_encode( $subject );
+					$warnings[] = 'Could not parse subject CN: unexpected type.';
+				}
+				if ( is_object( $issuer ) && method_exists( $issuer, 'getField' ) ) {
+					$issuerCN = $issuer->getField( 'CN' );
+				} else {
+					$issuerCN   = is_string( $issuer ) ? $issuer : json_encode( $issuer );
+					$warnings[] = 'Could not parse issuer CN: unexpected type.';
+				}
+				$warnings[] = 'openssl_x509_parse() not available in PHP. Used fallback parser.';
+			}
+			$san = $parsedCertificate->getSubjectAlternativeNames();
+
+			$output['cert_file']     = $crt_file;
+			$output['issued_to_CN']  = $subjectCN;
+			$output['issued_by_CN']  = $issuerCN;
+			$output['valid_from']    = $validFrom;
+			$output['valid_till']    = $validTo;
+			$output['serial_number'] = $serial;
+			$output['SANs']          = implode( ', ', $san );
+			$output['status']        = 'SSL certificate details loaded.';
+		} catch ( \Exception $e ) {
+			$warnings[]       = 'Could not parse certificate: ' . $e->getMessage();
+			$output['status'] = 'Could not parse certificate.';
+		}
+		$output['warnings'] = $warnings;
+
+		$formatter = new \EE\Formatter( $assoc_args, array_keys( $output ) );
+		$formatter->display_items( [ $output ] );
+	}
+
 	/**
 	 * Renews letsencrypt ssl certificates.
 	 *