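#!/usr/local/cpanel/3rdparty/bin/perl

# cpanel - scripts/migrate_installed_sslstorage_to_apache_tls
#                                                  Copyright 2017 cPanel, Inc.
#                                                           All rights reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

package scripts::migrate_installed_sslstorage_to_apache_tls;

=encoding utf-8

=head1 NAME

migrate_installed_sslstorage_to_apache_tls

=head1 USAGE

    migrate_installed_sslstorage_to_apache_tls [--help]

=head1 DESCRIPTION

This script migrates SSL certificates from the C<SSLStorage::Installed>
format used prior to cPanel & WHM version 68 to the “Apache TLS” format
that version 68 introduced.

This script runs automatically on upgrade to v68. There should not be
a reason to run it manually. It may be removed in an upcoming version
of cPanel & WHM.

For every node of the userdata directory (treated as a username), each SSL
vhost's certificate, key and — when applicable — CA bundle are read from the
paths recorded in that vhost's userdata and handed to
C<Cpanel::Apache::TLS::Write> unchanged. No certificate/key/chain
verification happens here (hence C<set_tls__no_verify>): the data is
migrated exactly as the vhost already had it configured. A vhost whose
userdata or files are missing or empty is reported via C<warn> and skipped;
the remaining vhosts are still processed.

=cut

use strict;
use warnings;

use parent qw( Cpanel::HelpfulScript );

# Cpanel::HelpfulScript option spec; this script accepts no options
# beyond --help.
use constant _OPTIONS => ();

use Try::Tiny;

use Cpanel::Apache::TLS::Write         ();
use Cpanel::Autodie::More::Lite        ();
use Cpanel::Config::userdata::Load     ();
use Cpanel::FileUtils::Read            ();
use Cpanel::LoadFile                   ();
use Cpanel::SSL::Utils                 ();
use Cpanel::SafeFile                   ();
use Cpanel::ConfigFiles::Apache 'apache_paths_facade';    # see POD for import specifics

__PACKAGE__->new(@ARGV)->run() if !caller;

# Returns true when the userdata directory exists, false (after printing an
# explanation to STDERR) when it does not.
sub _ensure_userdata_exists {
    Cpanel::Autodie::More::Lite::exists($Cpanel::Config::userdata::Load::USERDATA_DIR);

    # “_” reuses the stat buffer of the most recent stat(); this relies on
    # the exists() call above having stat()ed the path — TODO confirm.
    if ( !-e _ ) {
        print STDERR "“$Cpanel::Config::userdata::Load::USERDATA_DIR” does not exist.\n";
        print STDERR "There is no work for this script to do. Exiting …\n";
        return 0;
    }

    return 1;
}

# Migrates one vhost's certificate, key and CA bundle into Apache TLS.
#
# Arguments:
#   $atls_writer - a Cpanel::Apache::TLS::Write instance
#   $username    - the user that owns the vhost
#   $vhost_name  - the SSL vhost to migrate
#
# Prints progress to STDOUT (without a trailing newline on failure, so the
# caller's " - ERROR" marker lands on the same line). Dies with a message
# naming the vhost when its userdata cannot be loaded or any of its
# certificate/key/CA-bundle files is unset or empty.
sub _migrate_vhost {
    my ( $atls_writer, $username, $vhost_name ) = @_;

    print "$vhost_name:";
    my $ud = Cpanel::Config::userdata::Load::load_ssl_domain_userdata( $username, $vhost_name, $Cpanel::Config::userdata::Load::ADDON_DOMAIN_CHECK_SKIP );
    die "no SSL vhost data for “$vhost_name”!" if !$ud;
    print " loaded vhost data,";

    if ( !$ud->{'sslcertificatefile'} ) {
        die "no SSL certificate file given for “$vhost_name”";
    }

    my $ctext = Cpanel::LoadFile::load( $ud->{'sslcertificatefile'} ) or do {
        die "$vhost_name: empty certificate file!";
    };
    print " certificate";

    my ( $cp_ok, $cparse ) = Cpanel::SSL::Utils::parse_certificate_text($ctext);
    die "$vhost_name: cert parse: $cparse" if !$cp_ok;

    # A self-signed certificate needs no chain; a CA-signed one gets its
    # bundle only if the userdata names a CA bundle file.
    my $cab_text;
    if ( $cparse->{'is_self_signed'} ) {
        print " (self-signed),";
    }
    elsif ( $ud->{'sslcacertificatefile'} ) {
        $cab_text = Cpanel::LoadFile::load( $ud->{'sslcacertificatefile'} ) or do {
            die "$vhost_name: CA-signed but empty CA bundle!";
        };
        print ", CA bundle,";
    }
    else {
        print " (CA-signed but no CA bundle),";
    }

    # Mirror the certificate-file check so a vhost without a key path fails
    # with a clear message instead of a load() on an undefined path.
    if ( !$ud->{'sslcertificatekeyfile'} ) {
        die "no SSL key file given for “$vhost_name”";
    }

    my $ktext = Cpanel::LoadFile::load( $ud->{'sslcertificatekeyfile'} ) or do {
        die "$vhost_name: empty key file!";
    };
    print " key,";

    # Deliberately unverified: these files are what the vhost is already
    # serving, and the migration must not refuse to carry them over.
    $atls_writer->set_tls__no_verify(
        vhost_name  => $vhost_name,
        certificate => $ctext,
        key         => $ktext,
        cabundle    => $cab_text,
    );

    print " done!\n";

    return;
}

# Entry point (called by Cpanel::HelpfulScript). Walks every user's SSL
# vhosts and migrates each one, holding the Cpanel::SafeFile lock on the
# Apache configuration file for the duration. Per-vhost failures are warned
# about and do not stop the run. Returns nothing.
sub run {
    my ($self) = @_;

    _ensure_userdata_exists() or return;

    # see CPANEL-16757
    # Try for a long time to get the lock
    local $Cpanel::SafeFile::LOCK_WAIT_TIME = 1200;
    local $Cpanel::SafeFile::MAX_FLOCK_WAIT = 1180;
    # end see CPANEL-16757

    # Unbuffered STDOUT so the per-vhost progress fragments appear as they
    # happen rather than after the whole run.
    local $| = 1;

    my $httpd_lock_fh;
    my $httplock = Cpanel::SafeFile::safeopen( $httpd_lock_fh, '<', apache_paths_facade->file_conf() );
    if ( !$httplock ) {
        # If we can't lock, keep going, because it's going
        # to be worse left unconverted.
        warn( 'Could not read from ' . apache_paths_facade->file_conf() );
    }

    my $atls_writer = Cpanel::Apache::TLS::Write->new();

    Cpanel::FileUtils::Read::for_each_directory_node(
        $Cpanel::Config::userdata::Load::USERDATA_DIR,
        sub {
            my $username = $_;
            print "USER: $username\n";

            for my $vhost_name ( Cpanel::Config::userdata::Load::get_ssl_domains($username) ) {
                try {
                    _migrate_vhost( $atls_writer, $username, $vhost_name );
                }
                catch {
                    print " - ERROR\n";
                    warn $_;
                };
            }
        },
    );

    # Only release a lock we actually acquired; a failed safeopen() above
    # leaves nothing to close.
    Cpanel::SafeFile::safeclose( $httpd_lock_fh, $httplock ) if $httplock;

    return;
}

1;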