pfSense

#!/usr/bin/env php

<?php

/**

 * Import SSL certificates from a pre-determined place on the filesystem.

 * Once imported, set them for use in the GUI

 */

if (empty($argc)) {

	echo "Only accessible from the CLI.\r\n";

	die(1);

}

if ($argc != 3) {

	echo "Usage: php " . $argv[0] . " /path/to/certificate.crt /path/to/private/key.pem \r\n";

	die(1);

}

require_once "certs.inc";

require_once "pfsense-utils.inc";

require_once "functions.inc";

require_once "filter.inc";

require_once "shaper.inc";

$certificate = trim(file_get_contents($argv[1]));

$key = trim(file_get_contents($argv[2]));

// Do some quick verification of the certificate, similar to what the GUI does

if (empty($certificate)) {

	echo "The certificate is empty.\r\n";

	die(1);

}

if (!strstr($certificate, "BEGIN CERTIFICATE") || !strstr($certificate, "END CERTIFICATE")) {

	echo "This certificate does not appear to be valid.\r\n";

	die(1);

}

// Verification that the certificate matches the key

if (empty($key)) {

	echo "The key is empty.\r\n";

	die(1);

}

if (cert_get_publickey($certificate, false) != cert_get_publickey($key, false, 'prv')) {

	echo "The private key does not match the certificate.\r\n";

	die(1);

}

$cert = array();

//$cert['refid'] = uniqid();

$cert['refid'] = hash('sha256', $certificate); // if we don't take a hash each iteration will have a new unique id and update each time

$cert['descr'] = "Certificate added to pfsense through " . $argv[0] . " on " . date("Y/m/d");

echo "Certificate sha256: ".$cert['refid']."\r\n";

cert_import($cert, $certificate, $key);

// Set up the existing certificate store

// Copied from system_certmanager.php

if (!is_array($config['ca'])) {

	$config['ca'] = array();

}

$a_ca =& $config['ca'];

if (!is_array($config['cert'])) {

	$config['cert'] = array();

}

$a_cert =& $config['cert'];

echo "Current Web GUI Certificate ID: `".$config['system']['webgui']['ssl-certref']."`\r\n";

echo "Current Unbound Certificate ID: `".$config['unbound']['sslcertref']."`\r\n";

$updateConfig = true;

// Check if the certificate we just parsed is already imported (we'll check the certificate portion)

foreach ($a_cert as $existing_cert) {

	if ($existing_cert['crt'] === $cert['crt']) {

		$updateConfig = false; // no need to update cert configuration

	}

}

if ($updateConfig) {

	// Append the final certificate

	$a_cert[] = $cert;

	// Write out the updated configuration

	write_config("Save new certificate config, from pfsense-import-certificate.php");

	sleep(3); //sleep to space out the write_config calls so they show distinctly

} else {

	echo "Certificate is already installed, skipping configuration update.\r\n";

}

echo "Checking if services are using the latest certificate.\r\n";

$updateCertWebGui = false;

if ($config['system']['webgui']['ssl-certref'] !== $cert['refid']) {

	echo "Web GUI certificate changed, installing!\r\n";

	$updateCertWebGui = true;

}

// Assuming that all worked, we now need to set the new certificate for use in the GUI

$config['system']['webgui']['ssl-certref'] = $cert['refid'];

$updateCertUnbound = false;

// If Unbound is set to use TLS, then set the new certificate to be used by Unbound also.

if (isset($config['unbound']['enable']) and isset($config['unbound']['enablessl'])) {

	if ($config['unbound']['sslcertref'] !== $cert['refid']) {

		echo "Unbound certificate changed, installing!\r\n";

		$updateCertUnbound = true;

	}

	$config['unbound']['sslcertref'] = $cert['refid'];

} else {

	echo "Unbound SSL is disabled, ignoring.\r\n";

}

$updateCertCaptivePortal = false;

// If captive portal is set to use TLS, then set the new certificate

//   to be used by captive portals

foreach ($config['captiveportal'] as $cpid => $cportal) {

	if(isset($cportal['enable']) and isset($cportal['httpslogin'])){

		if ($config['captiveportal'][$cpid]['certref'] !== $cert['refid']) {

			echo "Captive Portal certificate changed, installing!\r\n";

			$updateCertCaptivePortal = true;

		}

		$config['captiveportal'][$cpid]['certref'] = $cert['refid'];

	}

}

if (!$updateCertWebGui and !$updateCertUnbound and !$updateCertCaptivePortal) {

	echo "No certificate changes, no need to update config.\r\n";

	die(); // exit with a valid error code, as this is intended behaviour

}

write_config("Set new certificate as active for webgui, from pfsense-import-certificate.php");

sleep(3); //sleep to space out the write_config calls

//Use cert_get_all_services to grab all services now using the new cert.

$services = cert_get_all_services($cert['refid']);

//Restart all services that are using the new cert.

echo "Restart services that are using the new certificate.\r\n";

var_dump($services);

log_error(gettext("Restart services that are using the new cert"));

cert_restart_services($services);

//All except unbound, there is a bug in cert_restart_services... it doesn't restart unbound

//https://redmine.pfsense.org/issues/15062

echo "Completed! New certificate installed.\r\n";

// If unbound cert was updated, then restart unbound.

// Remove once bug fixed

if ($updateCertUnbound) {

  echo "Restart Unbound\n";

  log_error(gettext("Unbound configuration has changed. Restarting Unbound."));

  service_control_restart('unbound','');

}

// Delete unused certificates added by this script

$a_cert =& $config['cert'];

$name = '';

foreach ($a_cert as $cid => $acrt) {

	echo "Validating certificate $cid for deletion.\r\n";

	if (!cert_in_use($acrt['refid']) and preg_match("/pfsense-import-certificate\.php/",$acrt['descr'])) {

		echo "--> Delete, no longer in use.\r\n";

		// cert not in use and matches description pattern

		$name.=htmlspecialchars($acrt['descr'])." ";

		unset($a_cert[$cid]);

	} else {

		echo "--> Ignoring.\r\n";

	}

}

if($name){

        echo "Deleted old certificates: save the config.\r\n";

        $savemsg = sprintf(gettext("Deleted certificate: %s , from pfsense-import-certificate.php"), $name);

        write_config($savemsg);

}