From 48c9b3b403d2b00c58fead8d40913b0d29b03042 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 22 Feb 2021 09:22:31 +0100
Subject: [PATCH] system: adapt lighttpd ssl.privkey approach #4728

While we need to hide the key we do not have to chmod the
certificate or the chain.  ;)
---
 src/etc/inc/plugins.inc.d/webgui.inc | 36 ++++++++--------------------
 1 file changed, 10 insertions(+), 26 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/webgui.inc b/src/etc/inc/plugins.inc.d/webgui.inc
index 8154d76a8..e96b61127 100644
--- a/src/etc/inc/plugins.inc.d/webgui.inc
+++ b/src/etc/inc/plugins.inc.d/webgui.inc
@@ -194,8 +194,8 @@ function webgui_generate_config($port, $cert, $key, $ca, $listeners)
 {
     global $config;
 
-    $cert_location = 'cert.pem';
-    $ca_location = 'ca.pem';
+    $cert_location = '/var/etc/cert.pem';
+    $key_location = '/var/etc/key.pem';
 
     @mkdir('/tmp/lighttpdcompress');
 
@@ -250,7 +250,6 @@ EOD;
 
     $lighty_modules = !empty($config['system']['webgui']['httpaccesslog']) ? ', "mod_accesslog"' : "";
 
-
     $lighty_config = <<<EOD
 #
 # lighttpd configuration file
@@ -368,33 +367,18 @@ EOD;
     $ca = str_replace("\n\n", "\n", $ca);
 
     if (!empty($cert) && !empty($key)) {
-        $fd = fopen("/var/etc/{$cert_location}", "w");
-        if (!$fd) {
-            log_error('Error: cannot open cert.pem');
-            return 0;
-        }
-        chmod("/var/etc/{$cert_location}", 0600);
-        fwrite($fd, $cert);
-        fwrite($fd, "\n");
-        fwrite($fd, $key);
-        fclose($fd);
-        if (!(empty($ca) || (strlen(trim($ca)) == 0))) {
-            $fd = fopen("/var/etc/{$ca_location}", "w");
-            if (!$fd) {
-                log_error('Error: cannot open ca.pem');
-                return 0;
-            }
-            chmod("/var/etc/{$ca_location}", 0600);
-            fwrite($fd, $ca);
-            fclose($fd);
+        $chain = $cert;
+        if (!empty($ca) && strlen(trim($ca))) {
+            $chain .= "\n" . $ca;
         }
+        file_put_contents($cert_location, $chain).
+        file_put_contents($key_location, $key);
+        chmod($key_location, 0600);
 
         $lighty_config .= "\n## ssl configuration\n";
         $lighty_config .= "ssl.engine = \"enable\"\n";
-        $lighty_config .= "ssl.pemfile = \"/var/etc/{$cert_location}\"\n";
-        if (!empty($ca)) {
-            $lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n";
-        }
+        $lighty_config .= "ssl.privkey = \"{$key_location}\"\n";
+        $lighty_config .= "ssl.pemfile = \"{$cert_location}\"\n";
 
         if (empty($config['system']['webgui']['ssl-ciphers'])) {
             /* harden TLS for PCI conformance */