From 8a58ddb102207207e76ef58b0a62a4d2315ac1b8 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Mon, 6 Jun 2016 18:44:50 +0200
Subject: [PATCH] Add a wrapper script for letsencrypt.sh

This wrapper support a new ProxyPassACMEChallengesDisableOnRenew prop which allows disabling ACME challenge proxypass only during the renewal
---
 .../templates/etc/cron.daily/letsencrypt.sh/10All | 3 +-
 root/sbin/e-smith/letsencrypt.sh | 42 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 root/sbin/e-smith/letsencrypt.sh
diff --git a/root/etc/e-smith/templates/etc/cron.daily/letsencrypt.sh/10All b/root/etc/e-smith/templates/etc/cron.daily/letsencrypt.sh/10All
index d2eecce..07e86bb 100644
--- a/root/etc/e-smith/templates/etc/cron.daily/letsencrypt.sh/10All
+++ b/root/etc/e-smith/templates/etc/cron.daily/letsencrypt.sh/10All
@@ -1,7 +1,8 @@
 {
 if (($letsencrypt{'status'} || 'disabled') eq 'enabled'){
- $OUT .= "/usr/bin/letsencrypt.sh -c 2>&1 | awk '{ print strftime(), \$0; fflush(); }' >> /var/log/letsencrypt.sh.log\n";
+ $OUT .= 'sleep $[ $RANDOM \% 3600 ];' . "\n";
+ $OUT .= "/sbin/e-smith/letsencrypt.sh -c 2>&1 | awk '{ print strftime(), \$0; fflush(); }' >> /var/log/letsencrypt.sh.log\n";
 if (($letsencrypt{'RevokeOldCertificates'} || 'disabled') =~ m/^enabled|on|yes|1$/){
 $OUT .= "/usr/bin/le_revoke.sh 2>&1 | awk '{ print strftime(), \$0; fflush(); }' >> /var/log/letsencrypt.sh.log\n";
 }
diff --git a/root/sbin/e-smith/letsencrypt.sh b/root/sbin/e-smith/letsencrypt.sh
new file mode 100644
index 0000000..07eab49
--- /dev/null
+++ b/root/sbin/e-smith/letsencrypt.sh
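Review bot: The `\%` in `'sleep $[ $RANDOM \% 3600 ];'` is inside a single-quoted Perl string, so it is emitted verbatim into the generated /etc/cron.daily script as `$[ $RANDOM \% 3600 ]`; a cron.daily script is run by run-parts, not parsed as a crontab line, so `%` needs no escaping there, and `$[ ]` is the deprecated bash arithmetic form. I would write the line as `$OUT .= "sleep \$(( RANDOM % 3600 ))\n";`, which is plain POSIX arithmetic and leaves nothing for the shell to misread. Whether the stray backslash actually breaks the expression depends on the interpreter named by the template's shebang, which is set outside this hunk.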
@@ -0,0 +1,42 @@
+#!/usr/bin/perl -w
+
+# vim: ft=perl:
+
+use strict;
+use esmith::DomainsDB;
+use esmith::event;
+
+my $d = esmith::DomainsDB->open or die "Couldn't open the domain database\n";
+
+my @domains = ();
+
+# Build a list of domains for which we disable ACME challenge proxypass
+# but only during execution of letsencrypt
+# This is usefull for situations where you have a https website directly reachable
+# from your internal network, but going through a proxypass from the outside. In this case
+# both the backend and the frontend needs to have a valid certificate for this name
+
+foreach my $dom ($d->domains, $d->get_all_by_prop(type => 'vhost')){
+ if (($dom->prop('ProxyPassACMEChallengesDisableOnRenew') || 'no') =~ m/^yes|enabled|1|on$/){
+ push @domains, $dom;
+ }
+}
+
+# Now, temporarily disable ACME chellenge proxypass
+if (@domains > 0){
+ foreach my $dom (@domains){
+ $dom->set_prop('ProxyPassACMEChallenges', 'disabled');
+ }
+ event_signal("letsencrypt-update");
+}
+
+# Execute the real letsencrypt script, passing any arg
+system("/usr/bin/letsencrypt.sh", @ARGV);
+
+# Enable proxypass again
+if (@domains > 0){
+ foreach my $dom (@domains){
+ $dom->set_prop('ProxyPassACMEChallenges', 'enabled');
+ }
+ event_signal("letsencrypt-update");
+}
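Review bot: The return value of `system("/usr/bin/letsencrypt.sh", @ARGV)` is discarded and the wrapper falls off the end, so it always exits 0 and the cron log entry never shows a failed renewal, while the proxypass for every listed domain has already been switched off and back on around it. The restore loop also hard-codes `'enabled'` instead of putting back whatever value `ProxyPassACMEChallenges` had before the run, so a domain that was intentionally `disabled` comes out `enabled`. I would save each domain's prior value next to the domain, check the `system` result, restore in all cases, and exit with the child's status as below; an END block would additionally cover a `die` between the two loops (not a kill), which may be worth adding. The list-form `system` call already bypasses the shell, so passing `@ARGV` through is fine as written.
```perl
# … unchanged: open the DomainsDB and build @domains …

# Remember each domain's current value so the restore puts back what was
# there, rather than a hard-coded 'enabled'
my @saved = ();
if (@domains > 0){
    foreach my $dom (@domains){
        push @saved, [ $dom, $dom->prop('ProxyPassACMEChallenges') ];
        $dom->set_prop('ProxyPassACMEChallenges', 'disabled');
    }
    event_signal("letsencrypt-update");
}

# Execute the real letsencrypt script, passing any arg; keep the status
my $rc = system("/usr/bin/letsencrypt.sh", @ARGV);
warn "Couldn't run /usr/bin/letsencrypt.sh: $!\n" if $rc == -1;

# Restore proxypass whether or not the renewal succeeded
if (@saved > 0){
    foreach my $pair (@saved){
        my ($dom, $old) = @$pair;
        $dom->set_prop('ProxyPassACMEChallenges', defined $old ? $old : 'enabled');
    }
    event_signal("letsencrypt-update");
}

# Let cron (and the awk-prefixed log line) see the real outcome
exit($rc == -1 ? 1 : $rc >> 8);
```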