feat: temporarily open port 80 for ACME HTTP-01 validation

Add AcmeHttpPort class that creates a dedicated nginx server block on
port 80 serving only /.well-known/acme-challenge/ (returns 444 for
everything else) and adds iptables rules when firewall is managed.

Port 80 is opened before certificate request and guaranteed closed
after via try/finally in all code paths: REST API GET-CERT handler,
updateCert.php, and new cronRenewCert.php wrapper for cron renewal.

Safety mechanisms:
- Lock file with PID+timestamp in /var/run (tmpfs, survives no crash)
- Watchdog cron (every minute) cleans up stale state after 5min/dead PID
- Cleanup on PBX startup via onAfterPbxStarted

Also adds timestamp wrapper for getssl output (ISO format matching
syslog) and phpstan.neon config for the module.

Author: jorikfon

Lib/AcmeHttpPort.php

@@ -0,0 +1,241 @@
+<?php
+
+/*
+ * MikoPBX - free phone system for small business
+ * Copyright © 2017-2024 Alexey Portnov and Nikolay Beketov
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program.
+ * If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace Modules\ModuleGetSsl\Lib;
+
+use MikoPBX\Common\Models\PbxSettings;
+use MikoPBX\Core\System\Processes;
+use MikoPBX\Core\System\System;
+use MikoPBX\Core\System\Util;
+use Modules\ModuleGetSsl\Models\ModuleGetSsl;
+
+/**
+ * Manages temporary port 80 opening for ACME HTTP-01 validation.
+ *
+ * Creates a dedicated nginx server block on port 80 serving only
+ * /.well-known/acme-challenge/ and adds iptables rules when firewall is active.
+ */
+class AcmeHttpPort
+{
+    private const LOCK_FILE = '/var/run/custom_modules/ModuleGetSsl/acme_port80.lock';
+    private const NGINX_ACME_CONF = '/etc/nginx/mikopbx/modules_servers/ModuleGetSsl_acme80.conf';
+    private const MAX_OPEN_SECONDS = 300;
+
+    /**
+     * Opens port 80 for ACME HTTP-01 validation.
+     *
+     * Creates a dedicated nginx server block and adds firewall rules if needed.
+     *
+     * @return bool true on success or if port is already open
+     */
+    public function openPort(): bool
+    {
+        if ($this->isAlreadyOpen()) {
+            return true;
+        }
+
+        $lockDir = dirname(self::LOCK_FILE);
+        Util::mwMkdir($lockDir);
+        $lockData = json_encode(['pid' => getmypid(), 'time' => time()]);
+        file_put_contents(self::LOCK_FILE, $lockData);
+
+        $domainName = $this->getDomainName();
+        if (empty($domainName)) {
+            unlink(self::LOCK_FILE);
+            return false;
+        }
+
+        $this->createNginxConf($domainName);
+        $this->reloadNginx();
+        $this->addFirewallRules();
+
+        return true;
+    }
+
+    /**
+     * Closes port 80 after ACME validation completes.
+     *
+     * Removes the nginx config, reloads nginx, removes firewall rules, and cleans up the lock file.
+     */
+    public function closePort(): void
+    {
+        if (file_exists(self::NGINX_ACME_CONF)) {
+            unlink(self::NGINX_ACME_CONF);
+        }
+        $this->reloadNginx();
+        $this->removeFirewallRules();
+
+        if (file_exists(self::LOCK_FILE)) {
+            unlink(self::LOCK_FILE);
+        }
+    }
+
+    /**
+     * Cleans up stale port 80 state from a previous crash or timeout.
+     */
+    public static function cleanupStale(): void
+    {
+        if (!file_exists(self::LOCK_FILE)) {
+            return;
+        }
+
+        $lockContent = file_get_contents(self::LOCK_FILE);
+        $lockData = json_decode($lockContent, true);
+        if (!is_array($lockData)) {
+            // Corrupted lock file, clean up
+            $instance = new self();
+            $instance->closePort();
+            Util::sysLogMsg(__CLASS__, 'Cleaned up corrupted ACME port 80 lock file');
+            return;
+        }
+
+        $pid = $lockData['pid'] ?? 0;
+        $lockTime = $lockData['time'] ?? 0;
+        $elapsed = time() - $lockTime;
+        $pidDead = ($pid > 0) ? !file_exists("/proc/$pid") : true;
+
+        if ($elapsed > self::MAX_OPEN_SECONDS || $pidDead) {
+            $instance = new self();
+            $instance->closePort();
+            Util::sysLogMsg(
+                __CLASS__,
+                "Cleaned up stale ACME port 80 (elapsed: {$elapsed}s, pid: $pid, dead: " . ($pidDead ? 'yes' : 'no') . ')'
+            );
+        }
+    }
+
+    /**
+     * Checks if port 80 is already open by this module.
+     */
+    private function isAlreadyOpen(): bool
+    {
+        if (!file_exists(self::LOCK_FILE)) {
+            return false;
+        }
+
+        $lockContent = file_get_contents(self::LOCK_FILE);
+        $lockData = json_decode($lockContent, true);
+        if (!is_array($lockData)) {
+            return false;
+        }
+
+        $pid = $lockData['pid'] ?? 0;
+        if ($pid > 0 && file_exists("/proc/$pid")) {
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Gets domain name from module settings.
+     */
+    private function getDomainName(): string
+    {
+        $settings = ModuleGetSsl::findFirst();
+        if ($settings === null) {
+            return '';
+        }
+        return $settings->domainName ?? '';
+    }
+
+    /**
+     * Creates a dedicated nginx server block for ACME validation on port 80.
+     */
+    private function createNginxConf(string $domainName): void
+    {
+        $confDir = dirname(self::NGINX_ACME_CONF);
+        Util::mwMkdir($confDir);
+
+        $conf = <<<NGINX
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $domainName;
+
+    location /.well-known/acme-challenge/ {
+        root /usr/www/sites;
+        allow all;
+    }
+
+    location / {
+        return 444;
+    }
+}
+NGINX;
+
+        file_put_contents(self::NGINX_ACME_CONF, $conf);
+    }
+
+    /**
+     * Reloads nginx configuration.
+     */
+    private function reloadNginx(): void
+    {
+        $nginxPath = Util::which('nginx');
+        Processes::mwExec("$nginxPath -s reload");
+    }
+
+    /**
+     * Adds iptables rules to allow traffic on port 80.
+     */
+    private function addFirewallRules(): void
+    {
+        if (!$this->isFirewallManaged()) {
+            return;
+        }
+
+        $iptablesPath = Util::which('iptables');
+        Processes::mwExec("$iptablesPath -I INPUT -p tcp --dport 80 -j ACCEPT");
+
+        $ip6tablesPath = Util::which('ip6tables');
+        Processes::mwExec("$ip6tablesPath -I INPUT -p tcp --dport 80 -j ACCEPT");
+    }
+
+    /**
+     * Removes iptables rules for port 80.
+     */
+    private function removeFirewallRules(): void
+    {
+        if (!$this->isFirewallManaged()) {
+            return;
+        }
+
+        $iptablesPath = Util::which('iptables');
+        Processes::mwExec("$iptablesPath -D INPUT -p tcp --dport 80 -j ACCEPT");
+
+        $ip6tablesPath = Util::which('ip6tables');
+        Processes::mwExec("$ip6tablesPath -D INPUT -p tcp --dport 80 -j ACCEPT");
+    }
+
+    /**
+     * Checks whether firewall rules need to be managed.
+     *
+     * Returns true only when PBX firewall is enabled AND system can manage iptables.
+     */
+    private function isFirewallManaged(): bool
+    {
+        $firewallEnabled = PbxSettings::getValueByKey(PbxSettings::PBX_FIREWALL_ENABLED);
+        if ($firewallEnabled !== '1') {
+            return false;
+        }
+        return System::canManageFirewall();
+    }
+}

Lib/GetSslConf.php

@@ -25,6 +25,7 @@
 use MikoPBX\Core\System\Util;
 use MikoPBX\Modules\Config\ConfigClass;
 use MikoPBX\PBXCoreREST\Lib\PBXApiResult;
+use Modules\ModuleGetSsl\Lib\AcmeHttpPort;
 use Modules\ModuleGetSsl\Models\ModuleGetSsl;
 
 class GetSslConf extends ConfigClass
@@ -65,11 +66,17 @@ public function moduleRestAPICallback(array $request): PBXApiResult
         }
         switch ($action) {
             case 'GET-CERT':
-                $moduleMain = new GetSslMain($asyncChannelId);
-                $moduleMain->createAclConf();
-                $res = $moduleMain->startGetCertSsl();
-                if (!empty($asyncChannelId)) {
-                    $res = $moduleMain->checkResultAsync();
+                $portManager = new AcmeHttpPort();
+                $portManager->openPort();
+                try {
+                    $moduleMain = new GetSslMain($asyncChannelId);
+                    $moduleMain->createAclConf();
+                    $res = $moduleMain->startGetCertSsl();
+                    if (!empty($asyncChannelId)) {
+                        $res = $moduleMain->checkResultAsync();
+                    }
+                } finally {
+                    $portManager->closePort();
                 }
                 break;
             case 'CHECK-RESULT':
@@ -92,6 +99,7 @@ public function moduleRestAPICallback(array $request): PBXApiResult
      */
     public function onAfterPbxStarted(): void
     {
+        AcmeHttpPort::cleanupStale();
         $moduleMain = new GetSslMain();
         $moduleMain->createAclConf();
     }
@@ -123,5 +131,9 @@ public function createCronTasks(array &$tasks): void
         if (!empty($task)) {
             $tasks[] = $task;
         }
+
+        // Watchdog: check every minute for stale port 80 state
+        $phpPath = Util::which('php');
+        $tasks[] = "* * * * * $phpPath -f $this->moduleDir/bin/cleanupPort80.php > /dev/null 2>&1" . PHP_EOL;
     }
 }

Lib/GetSslMain.php

@@ -298,13 +298,15 @@ public function startGetCertSsl(bool $asynchronously = true): PBXApiResult
         $pid = Processes::getPidOfProcess("$getSsl $extHostname");
         if ($pid === '') {
             $confDir = $this->dirs['confDir'];
+            $shPath = Util::which('sh');
+            $tsWrapper = $this->dirs['binDir'] . '/timestampWrapper.sh';
             if($asynchronously){
-                Processes::mwExecBg("$getSsl $extHostname -w '$confDir'", $this->logFile);
+                Processes::mwExecBg("$shPath $tsWrapper $getSsl $extHostname -w '$confDir'", $this->logFile);
                 $pid = Processes::getPidOfProcess("$getSsl $extHostname");
             }else{
                 echo('starting'.PHP_EOL);
                 passthru("cat '$confDir/getssl.cfg' ");
-                passthru("$getSsl $extHostname -w '$confDir'", $this->logFile);
+                passthru("$shPath $tsWrapper $getSsl $extHostname -w '$confDir'", $this->logFile);
             }
         }
         $result->data['result'] = $this->translation->_('module_getssl_GetSSLProcessing');
@@ -400,9 +402,9 @@ public function getCronTask(): string
             && intval($this->module_settings['autoUpdate']) === 1
             && !empty($this->module_settings['domainName'])
         ) {
-            $workerPath = $this->dirs['moduleDir']. '/db/getssl';
-            $getSslPath = $this->dirs['getSslPath'];
-            return "0 1 1,15 * * $getSslPath -a -U -q -w '$workerPath' > /dev/null 2> /dev/null" . PHP_EOL;
+            $phpPath = Util::which('php');
+            $cronScript = $this->dirs['moduleDir'] . '/bin/cronRenewCert.php';
+            return "0 1 1,15 * * $phpPath -f $cronScript > /dev/null 2>&1" . PHP_EOL;
         }
         return '';
     }

bin/cleanupPort80.php

@@ -0,0 +1,26 @@
+#!/usr/bin/php
+<?php
+
+/*
+ * MikoPBX - free phone system for small business
+ * Copyright © 2017-2024 Alexey Portnov and Nikolay Beketov
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program.
+ * If not, see <https://www.gnu.org/licenses/>.
+ */
+
+use Modules\ModuleGetSsl\Lib\AcmeHttpPort;
+
+require_once('Globals.php');
+
+AcmeHttpPort::cleanupStale();

bin/cronRenewCert.php

@@ -0,0 +1,44 @@
+#!/usr/bin/php
+<?php
+
+/*
+ * MikoPBX - free phone system for small business
+ * Copyright © 2017-2024 Alexey Portnov and Nikolay Beketov
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program.
+ * If not, see <https://www.gnu.org/licenses/>.
+ */
+
+use MikoPBX\Core\System\Processes;
+use MikoPBX\Core\System\Util;
+use Modules\ModuleGetSsl\Lib\AcmeHttpPort;
+use Modules\ModuleGetSsl\Lib\GetSslMain;
+
+require_once('Globals.php');
+
+$portManager = new AcmeHttpPort();
+$portManager->openPort();
+try {
+    $moduleMain = new GetSslMain();
+    $moduleMain->createAclConf();
+
+    $getSslPath = $moduleMain->dirs['getSslPath'];
+    $confDir = $moduleMain->dirs['confDir'];
+    $shPath = Util::which('sh');
+    $tsWrapper = $moduleMain->dirs['binDir'] . '/timestampWrapper.sh';
+    Processes::mwExec("$shPath $tsWrapper $getSslPath -a -U -q -w '$confDir'");
+
+    $moduleMain->run();
+} finally {
+    $portManager->closePort();
+}

bin/timestampWrapper.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+# Wraps a command's output with ISO timestamps on each line
+"$@" 2>&1 | while IFS= read -r line; do
+    printf "[%s] %s\n" "$(date '+%Y-%m-%d %H:%M:%S')" "$line"
+done