system: adapt lighttpd ssl.privkey approach #4728

While we need to hide the key we do not have to chmod the certificate or the chain. ;)
2026-03-20 03:16:12 +00:00 · 2021-02-22 09:22:31 +01:00 · 2021-02-22 09:22:31 +01:00 · 48c9b3b403
commit 48c9b3b403
parent 13c4f8eab6
1 changed files with 10 additions and 26 deletions
--- a/src/etc/inc/plugins.inc.d/webgui.inc
+++ b/src/etc/inc/plugins.inc.d/webgui.inc
@ -194,8 +194,8 @@ function webgui_generate_config($port, $cert, $key, $ca, $listeners)
 {
    global $config;

-    $cert_location = 'cert.pem';
-    $ca_location = 'ca.pem';
+    $cert_location = '/var/etc/cert.pem';
+    $key_location = '/var/etc/key.pem';

    @mkdir('/tmp/lighttpdcompress');

@ -250,7 +250,6 @@ EOD;

    $lighty_modules = !empty($config['system']['webgui']['httpaccesslog']) ? ', "mod_accesslog"' : "";

-
    $lighty_config = <<<EOD
 #
 # lighttpd configuration file
@ -368,33 +367,18 @@ EOD;
    $ca = str_replace("\n\n", "\n", $ca);

    if (!empty($cert) && !empty($key)) {
-        $fd = fopen("/var/etc/{$cert_location}", "w");
-        if (!$fd) {
-            log_error('Error: cannot open cert.pem');
-            return 0;
-        }
-        chmod("/var/etc/{$cert_location}", 0600);
-        fwrite($fd, $cert);
-        fwrite($fd, "\n");
-        fwrite($fd, $key);
-        fclose($fd);
-        if (!(empty($ca) || (strlen(trim($ca)) == 0))) {
-            $fd = fopen("/var/etc/{$ca_location}", "w");
-            if (!$fd) {
-                log_error('Error: cannot open ca.pem');
-                return 0;
-            }
-            chmod("/var/etc/{$ca_location}", 0600);
-            fwrite($fd, $ca);
-            fclose($fd);
+        $chain = $cert;
+        if (!empty($ca) && strlen(trim($ca))) {
+            $chain .= "\n" . $ca;
        }
+        file_put_contents($cert_location, $chain).
+        file_put_contents($key_location, $key);
+        chmod($key_location, 0600);

        $lighty_config .= "\n## ssl configuration\n";
        $lighty_config .= "ssl.engine = \"enable\"\n";
-        $lighty_config .= "ssl.pemfile = \"/var/etc/{$cert_location}\"\n";
-        if (!empty($ca)) {
-            $lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n";
-        }
+        $lighty_config .= "ssl.privkey = \"{$key_location}\"\n";
+        $lighty_config .= "ssl.pemfile = \"{$cert_location}\"\n";

        if (empty($config['system']['webgui']['ssl-ciphers'])) {
            /* harden TLS for PCI conformance */