From dc69374aaa7f5e5d5b499ad90de2fed44b975d8a Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Sun, 11 Sep 2016 09:49:18 -0700
Subject: [PATCH] let's encrypt cert size option

---
 webmin/CHANGELOG          |  2 ++
 webmin/edit_ssl.cgi       |  6 ++++++
 webmin/lang/en            |  2 +-
 webmin/letsencrypt-lib.pl | 10 ++++++----
 webmin/letsencrypt.cgi    |  6 +++++-
 webmin/webmin-lib.pl      |  4 +++-
 6 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/webmin/CHANGELOG b/webmin/CHANGELOG
index 9cea76103..7786688de 100644
--- a/webmin/CHANGELOG
+++ b/webmin/CHANGELOG
@@ -134,3 +134,5 @@ Added an option for automatically renewing Let's Encrypt certificates.
 If the Let's Encrypt client is not installed, Webmin will use its own built-in client code to request a certificate.
 ---- Changes since 1.800 ----
 Added an option to the logging page for sending Webmin action log messages via email.
+---- Changes since 1.810 ----
+The Let's Encrypt key size can now be customized.
diff --git a/webmin/edit_ssl.cgi b/webmin/edit_ssl.cgi
index 745139109..f3b49ea65 100755
--- a/webmin/edit_ssl.cgi
+++ b/webmin/edit_ssl.cgi
@@ -302,9 +302,15 @@ else {
 	print &ui_table_row($text{'ssl_webroot'},
 		&ui_radio_table("webroot_mode", $mode, \@opts));
+	# Install in Webmin now?
 	print &ui_table_row($text{'ssl_usewebmin'},
 		&ui_yesno_radio("use", 1));
+	# SSL key size
+	print &ui_table_row($text{'ssl_size'},
+		&ui_opt_textbox("size", undef, 6, $text{'default'}).
+		" ".$text{'ssl_bits'});
+	# Renewal option
 	my $job = &find_letsencrypt_cron_job();
 	my $renew = $job && $job->{'months'} =~ /^\*\/(\d+)$/ ? $1 : undef;
diff --git a/webmin/lang/en b/webmin/lang/en
index 125111abc..be0afb0e4 100644
--- a/webmin/lang/en
+++ b/webmin/lang/en
@@ -350,7 +350,7 @@ ssl_all=Any hostname
 ssl_newfile=Write key to file
 ssl_csrfile=Write CSR to file
 ssl_usenew=Use new key immediately?
-ssl_size=RSA key size
+ssl_size=SSL key size
 ssl_custom=Custom size
 ssl_bits=bits
 ssl_eextraca=Additional certificate file '$1' does not exist
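Review bot: The new key-size field in the edit_ssl.cgi hunk is always rendered with `undef` as its current value, so an admin who revisits the page after saving a custom size sees "Default" again, unlike the renewal interval just below it, which is preloaded from the existing cron job. letsencrypt.cgi stores the chosen value in `$config{'letsencrypt_size'}` and webmin-lib.pl reads it back on renewal, so the field should show it: `&ui_opt_textbox("size", $config{'letsencrypt_size'}, 6, $text{'default'})` (assuming %config is loaded in edit_ssl.cgi as it is in the other CGIs). It would also help to tell the admin what "Default" means, since letsencrypt-lib.pl picks 2048 bits when the letsencrypt command is present and 4096 with the built-in client. The enclosing `else` block starts before this hunk.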
diff --git a/webmin/letsencrypt-lib.pl b/webmin/letsencrypt-lib.pl
index 9e51001a1..46a3c84ee 100644
--- a/webmin/letsencrypt-lib.pl
+++ b/webmin/letsencrypt-lib.pl
@@ -41,13 +41,13 @@ if ($?) {
 	return undef;
 	}
-# request_letsencrypt_cert(domain|&domains, domain-webroot, [email])
+# request_letsencrypt_cert(domain|&domains, domain-webroot, [email], [keysize])
 # Attempt to request a cert using a generated key with the Let's Encrypt client
 # command, and write it to the given path. Returns a status flag, and either
 # an error message or the paths to cert, key and chain files.
 sub request_letsencrypt_cert
 {
-my ($dom, $webroot, $email) = @_;
+my ($dom, $webroot, $email, $size) = @_;
 my @doms = ref($dom) ? @$dom : ($dom);
 $email ||= "root\@$doms[0]";
@@ -75,7 +75,8 @@ if ($letsencrypt_cmd) {
 	&close_tempfile(TEMP);
 	my $dir = $letsencrypt_cmd;
 	$dir =~ s/\/[^\/]+$//;
-	my $out = &backquote_command("cd $dir && (echo A | $letsencrypt_cmd certonly -a webroot ".join(" ", map { "-d ".quotemeta($_) } @doms)." --webroot-path ".quotemeta($webroot)." --duplicate --config $temp --rsa-key-size 2048 2>&1)");
+	$size ||= 2048;
+	my $out = &backquote_command("cd $dir && (echo A | $letsencrypt_cmd certonly -a webroot ".join(" ", map { "-d ".quotemeta($_) } @doms)." --webroot-path ".quotemeta($webroot)." --duplicate --config $temp --rsa-key-size $size 2>&1)");
 	if ($?) {
 		return (0, "
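Review bot: The updated signature comment names the new `[keysize]` argument but says nothing about its unit or what happens when it is omitted, and the default differs between the two code paths in this same file. Suggest a line after it: `# keysize is the RSA key length in bits; if omitted, 2048 is used with the letsencrypt command and 4096 with the built-in client`. Since the value is interpolated into commands further down, the comment should also state that callers must pass a validated integer. The sub body continues past the end of this hunk.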
".&html_escape($out || "No output from $letsencrypt_cmd")."
");
 	}
@@ -103,6 +104,7 @@ if ($letsencrypt_cmd) {
 	}
 else {
 	# Fall back to local Python client
+	$size ||= 4096;
 	# But first check if the native Let's Encrypt client was used previously
 	# for this system - if so, it must be used in future due to the account
@@ -122,7 +124,7 @@ else {
 	# Generate a key for the domain
 	my $key = &transname();
-	my $out = &backquote_logged("openssl genrsa 4096 2>&1 >$key");
+	my $out = &backquote_logged("openssl genrsa $size 2>&1 >$key");
 	if ($?) {
 		return (0, &text('letsencrypt_ekeygen', &html_escape($out)));
 		}
diff --git a/webmin/letsencrypt.cgi b/webmin/letsencrypt.cgi
index 5ebdf4a65..6d67ffc8c 100755
--- a/webmin/letsencrypt.cgi
+++ b/webmin/letsencrypt.cgi
@@ -21,6 +21,9 @@ foreach my $dom (@doms) {
 	}
 $in{'renew_def'} || $in{'renew'} =~ /^[1-9][0-9]*$/ ||
 	&error($text{'letsencrypt_erenew'});
+$in{'size_def'} || $in{'size'} =~ /^\d+$/ ||
+	&error($text{'newkey_esize'});
+my $size = $in{'size_def'} ? undef : $in{'size'};
 my $webroot;
 if ($in{'webroot_mode'} == 2) {
 	# Some directory
@@ -68,7 +71,7 @@ else {
 	print &text('letsencrypt_doing', "".&html_escape(join(", ", @doms))."", "".&html_escape($webroot).""),"
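Review bot: `$size` is interpolated unquoted into the shell command handed to `&backquote_command` at the new `--rsa-key-size $size`, and likewise into `openssl genrsa $size` in the @@ -122 hunk, yet nothing in this library checks its shape. The only validation is the `/^\d+$/` test in letsencrypt.cgi; the renewal path in webmin-lib.pl passes `$config{'letsencrypt_size'}` straight from the module config file, which can be edited outside the UI. Every other caller-supplied argument on that line goes through `quotemeta`, so the library should enforce the shape itself, e.g. right after `$size ||= 2048;`: `$size =~ /^\d+$/ || return (0, "Invalid key size $size");` (and the same after `$size ||= 4096;`). A lower bound is also worth considering, since the Let's Encrypt CA refuses RSA keys shorter than 2048 bits and a smaller value would fail only after the key has been generated and the request sent. The enclosing `if ($letsencrypt_cmd)` block begins before this hunk.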
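Review bot: The new size check `$in{'size'} =~ /^\d+$/` in letsencrypt.cgi is looser than the renewal check two lines above it (`/^[1-9][0-9]*$/`): it accepts "0" and leading zeros, and `$` lets a trailing newline through, after which `$size ||= 2048` in letsencrypt-lib.pl silently turns a submitted 0 into the default instead of reporting it. Reusing the same pattern, `$in{'size_def'} || $in{'size'} =~ /^[1-9][0-9]*$/ ||`, keeps the two validations consistent and rejects those inputs at the form. Given that Let's Encrypt requires RSA keys of at least 2048 bits, an additional `$in{'size'} >= 2048` check with its own error text would tell the admin sooner than a failed issuance. The `foreach` loop named in the hunk header closes on the first context line.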

\n";
-	my ($ok, $cert, $key, $chain) = &request_letsencrypt_cert(\@doms, $webroot);
+	my ($ok, $cert, $key, $chain) = &request_letsencrypt_cert(\@doms, $webroot, undef, $size);
 	if (!$ok) {
 		print &text('letsencrypt_failed', $cert),"

\n";
 	}
@@ -135,6 +138,7 @@ sub save_renewal_only
 {
 my ($doms, $webroot) = @_;
 $config{'letsencrypt_doms'} = join(" ", @$doms);
 $config{'letsencrypt_webroot'} = $webroot;
+$config{'letsencrypt_size'} = $size;
 &save_module_config();
 if (&foreign_check("webmincron")) {
 	my $job = &find_letsencrypt_cron_job();
diff --git a/webmin/webmin-lib.pl b/webmin/webmin-lib.pl
index 5ab06c21e..d1884955a 100755
--- a/webmin/webmin-lib.pl
+++ b/webmin/webmin-lib.pl
@@ -2713,6 +2713,7 @@ sub renew_letsencrypt_cert
 {
 my @doms = split(/\s+/, $config{'letsencrypt_doms'});
 my $webroot = $config{'letsencrypt_webroot'};
+my $size = $config{'letsencrypt_size'};
 if (!@doms) {
 	print "No domains saved to renew cert for!\n";
 	return;
@@ -2725,7 +2726,8 @@ elsif (!-d $webroot) {
 	print "Webroot $webroot does not exist!\n";
 	return;
 	}
-my ($ok, $cert, $key, $chain) = &request_letsencrypt_cert(\@doms, $webroot);
+my ($ok, $cert, $key, $chain) = &request_letsencrypt_cert(\@doms, $webroot,
+	undef, $size);
 if (!$ok) {
 	print "Failed to renew certificate : $cert\n";
 	return;
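Review bot: `$config{'letsencrypt_size'} = $size;` inside `save_renewal_only` reads the file-scoped `my $size` declared near the top of letsencrypt.cgi rather than a parameter, while the sub's other inputs arrive explicitly through `my ($doms, $webroot) = @_;`. That works for a named sub in the same file, but it ties the sub to the script's form parsing having run first and breaks if it is ever called from elsewhere; suggest `my ($doms, $webroot, $size) = @_;` and passing `$size` at the call site, which is outside this hunk. When the form chose Default, `$size` is undef and the config key is presumably saved empty, which `renew_letsencrypt_cert` in webmin-lib.pl then relies on the library defaults to handle — a one-line comment here, `# undef means use the client's default key size`, would make that contract explicit.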