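#!/usr/local/cpanel/3rdparty/bin/perl

# cpanel - scripts/ensure_conf_dir_crt_key Copyright 2022 cPanel, L.L.C.
# All rights reserved.
# copyright@cpanel.net http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

use strict;
use warnings;

use Cpanel::ConfigFiles::Apache ();
use Cpanel::Hostname            ();
use Cpanel::SSLPath             ();
use Cpanel::Logger              ();
use Cpanel::FileUtils::Copy     ();
use Cpanel::FileUtils::Chown    ();

# Purpose: make sure Apache's conf-dir server.crt / server.key exist (seeding
# them from the cPanel service certificate when they are missing, empty or
# hold a SKIPME placeholder), mirror them to the hostname-named files under
# the SSL root, and enforce root ownership with 0600 (key) / 0644 (cert).

# Emit a warn-level message through Cpanel::Logger with the option set this
# script uses for all of its warnings.
sub _log_warning {
    my ($message) = @_;

    Cpanel::Logger::logger(
        {
            'message'   => $message,
            'level'     => 'warn',
            'service'   => 'ensure_conf_dir_crt_key',
            'output'    => 1,
            'backtrace' => 0,
        }
    );
    return;
}

# Rewrite $pem_path in place with any PRIVATE KEY block removed.
# Returns 1 when the stripped content was written and closed successfully,
# 0 otherwise. A 0 return means the file must not be treated as a public
# certificate: it may still contain the key, or may be truncated.
sub _strip_private_key {
    my ($pem_path) = @_;

    my $cont;
    if ( open my $crt_fh, '<', $pem_path ) {
        $cont = do { local $/; <$crt_fh> };
        close $crt_fh;
    }
    else {
        _log_warning("Unable to read $pem_path: $!");
        return 0;
    }
    $cont = '' if !defined $cont;

    # Greedy on purpose as shipped: with /s the match runs from the first
    # BEGIN ... PRIVATE KEY marker to the last END ... PRIVATE KEY marker.
    $cont =~ s{
        -----BEGIN(\s+\w+)*\s+PRIVATE\s+KEY-----
        .*
        -----END(\s+\w+)*\s+PRIVATE\s+KEY-----
    }{}xms;

    my $new_fh;
    if ( !open $new_fh, '>', $pem_path ) {
        _log_warning("Unable to rewrite $pem_path without its private key: $!");
        return 0;
    }

    # Buffered write errors can surface at close, so both results are checked.
    my $written = print {$new_fh} $cont;
    $written = close($new_fh) && $written;
    if ( !$written ) {
        _log_warning("Unable to write $pem_path: $!");
        return 0;
    }

    return 1;
}

my $apacheconf = Cpanel::ConfigFiles::Apache->new();

for my $ssl_dir ( '/var/cpanel/ssl', '/var/cpanel/ssl/cpanel' ) {
    next if -e $ssl_dir;
    mkdir $ssl_dir, 0755 or _log_warning("Unable to create $ssl_dir: $!");
}

if ( !-e '/var/cpanel/ssl/cpanel/cpanel.pem' && !-e '/var/cpanel/ssl/cpanel/mycpanel.pem' ) {

    # When we added the free hostname certificate, checkallsslcerts does quite
    # a bit more than the original design which is not what we want here.
    require Cpanel::SSLCerts;
    Cpanel::SSLCerts::createDefaultSSLFiles( 'service' => 'cpanel' );
}

my $hostname = Cpanel::Hostname::gethostname();
my $ssl_root = Cpanel::SSLPath::getsslroot();

my %certificates = (
    'crt' => {
        'dir'  => $apacheconf->dir_conf() . '/ssl.crt',
        'file' => 'server.crt',
    },
    'key' => {
        'dir'  => $apacheconf->dir_conf() . '/ssl.key',
        'file' => 'server.key',
    },
);

foreach my $type ( keys %certificates ) {
    my $dir  = $certificates{$type}{'dir'};
    my $file = $certificates{$type}{'file'};

    # Explicit mode, matching the other mkdir calls in this script, so the
    # directory is never created wider than 0755 under a permissive umask.
    if ( !-d $dir ) {
        mkdir $dir, 0755 or _log_warning("Unable to create $dir: $!");
    }

    my $path        = $dir . '/' . $file;
    my $initialized = 0;

    if ( !-e $path || -z _ ) {
        Cpanel::FileUtils::Copy::safecopy( '/var/cpanel/ssl/cpanel/cpanel.pem', $path );
        $initialized = 1;
    }
    elsif ( open my $look_fh, '<', $path ) {
        my $cont = do { local $/; <$look_fh> };
        close $look_fh;

        # A file containing SKIPME is treated as a placeholder and replaced.
        if ( $cont =~ m/SKIPME/m ) {
            Cpanel::FileUtils::Copy::safecopy( '/var/cpanel/ssl/cpanel/cpanel.pem', $path );
            $initialized = 1;
        }
    }
    else {
        _log_warning("Unable to read $path: $!");
    }

    # The .crt was just seeded from the service .pem, which the code below
    # expects to contain a private key; strip it before the file is made
    # world-readable and copied on.
    # NOTE(review): between safecopy and this rewrite the .crt holds the key;
    # its mode in that window depends on safecopy, which is not visible here.
    my $crt_may_hold_key = 0;
    if ( $initialized && $type ne 'key' ) {
        $crt_may_hold_key = _strip_private_key($path) ? 0 : 1;
    }

    if ( $type eq 'key' ) {
        my $host_key = $ssl_root . '/private/' . $hostname . '.key';
        if ( !-e $host_key || -z _ ) {
            Cpanel::FileUtils::Copy::safecopy( $path, $host_key );
        }

        #fix any possible perm/ownership problems.
        for my $p ( $path, $host_key ) {
            Cpanel::FileUtils::Chown::check_and_fix_owner_and_permissions_for(
                'uid'         => 0,
                'gid'         => 0,
                'octal_perms' => 0600,
                'path'        => $p
            );
        }
    }
    else {
        my $host_crt = $ssl_root . '/certs/' . $hostname . '.crt';

        # Never publish a .crt whose key could not be stripped.
        if ( !$crt_may_hold_key && ( !-e $host_crt || -z _ ) ) {
            Cpanel::FileUtils::Copy::safecopy( $path, $host_crt );
        }

        #fix any possible perm/ownership problems. A .crt that may still
        #carry the private key is held at 0600 instead of 0644.
        for my $fix ( [ $path, $crt_may_hold_key ? 0600 : 0644 ], [ $host_crt, 0644 ] ) {
            Cpanel::FileUtils::Chown::check_and_fix_owner_and_permissions_for(
                'uid'         => 0,
                'gid'         => 0,
                'octal_perms' => $fix->[1],
                'path'        => $fix->[0]
            );
        }
    }
}

# Check for any keys left by the transition between EA3 and EA4 and fix their perms.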
# The marker file selects which server.key location is checked; either way
# the file is forced to root:root ownership and mode 0600.
# NOTE(review): presumably each branch targets the key left at the other
# layout's location after the transition; confirm against the installer.
my $is_ea4_marker  = '/etc/cpanel/ea4/is_ea4';
my $stray_key_path =
  ( -f $is_ea4_marker )
  ? '/usr/local/apache/conf/ssl.key/server.key'
  : '/etc/apache2/conf.d/ssl.key/server.key';

Cpanel::FileUtils::Chown::check_and_fix_owner_and_permissions_for(
    'uid'         => 0,
    'gid'         => 0,
    'octal_perms' => 0600,
    'path'        => $stray_key_path,
);