2 Commits

Author SHA1 Message Date
16b33e6683 * Wed Sep 10 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0-10.sme
- fix unexpected behaviour when item set as disabled [SME: 13136]
  rewrite of 10Domains fragment
2025-09-11 07:07:38 -04:00
b85c294ce4 * Wed Sep 10 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0-9.sme
- fix unexpected behaviour when item set as disabled [SME: 13136]
  rewrite of 10Domains fragment
2025-09-10 22:28:44 -04:00
2 changed files with 79 additions and 116 deletions


@@ -3,131 +3,90 @@
use warnings; use warnings;
use esmith::ConfigDB; use esmith::ConfigDB;
# $domain : current domain name
# $DomainName : primary domain name
# $domainname : domain name related to current host
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB"); my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $domainsDB = esmith::ConfigDB->open_ro('domains') my $domainsDB = esmith::ConfigDB->open_ro('domains')
or die("can't connect to domains database"); or die("can't connect to domains database");
my $hostsDB = esmith::ConfigDB->open_ro('hosts') my $hostsDB = esmith::ConfigDB->open_ro('hosts')
or die("can't connect to hosts database"); or die("can't connect to hosts database");
# my $dbKey = 'domain';
# my $systemMode = $configDB->get("SystemMode")->value;
# if ( $systemMode ne 'servergateway' ) {
# $OUT .= "# System not in Server Gateway mode\n";
# }
my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' )
|| 'disabled'; || 'disabled';
if ( $letsencryptStatus ne 'disabled' ) { return "# letsencrypt is disabled\n" if ( $letsencryptStatus eq 'disabled' ) ;
# This should get all the connections in an array # if disabled will only ask certs for host pointing to self.
# if set otherwise, will try to get one even if host set as remote or local.
my $hostOverride = $configDB->get_prop( 'letsencrypt', 'hostOverride' )
|| 'disabled';
my @domains = $domainsDB->keys; my @domains = $domainsDB->keys;
my @hosts = $hostsDB->keys; my @hosts = $hostsDB->keys;
# print "@domains\n"; # Need to check here if we want ALL set if not explicitly disabled
# Need to check here if we want ALL set
# all, domains, hosts, both, none # all, domains, hosts, both, none
my $letsencryptConfig = $configDB->get_prop( 'letsencrypt', 'configure' ) || 'none'; my $letsencryptConfig = $configDB->get_prop( 'letsencrypt', 'configure' ) || 'none';
# First get all the domains # Put Primary domain at top : needs to be the main cert domain.
# We could do this BUT only once as the array drops $vars
# my $dom = shift @domains;
# Patch from JPP
# Put Primary domain at top
my $DomainName = $configDB->get('DomainName')->value; my $DomainName = $configDB->get('DomainName')->value;
my $mainDomainStatus = $domainsDB->get_prop( "$DomainName", 'letsencryptSSLcert' ) my $mainDomainStatus = $domainsDB->get_prop( "$DomainName", 'letsencryptSSLcert' )
|| 'disabled'; || 'disabled';
$OUT .= "$DomainName " unless $mainDomainStatus eq 'disabled'; $OUT = "$DomainName " unless $mainDomainStatus eq 'disabled';
foreach my $domain (@domains) { foreach my $domain (@domains) {
# If we are all or domains then lets do all regardless # If default set to all or domains then do all except if explicitly disabled
if ( $letsencryptConfig eq 'all' || $letsencryptConfig eq 'domains' ) { if ( $letsencryptConfig eq 'all' || $letsencryptConfig eq 'domains' ) {
my $domainEnabled = $domainsDB->get_prop( "$domain", 'letsencryptSSLcert' )
# Check for self || 'enabled';
#my $domainStatus = $OUT .= "$domain " unless ( $domainEnabled eq 'disabled' || $DomainName eq $domain) ;
# $domainsDB->get_prop( "Nameservers", 'HostType' ) || '';
#
#if ( $domainStatus eq 'Localhost' ) {
$OUT .= "$domain ";
#}
} }
# otherwise only do if explicitly enabled
else { else {
my $domainEnabled = $domainsDB->get_prop( "$domain", 'letsencryptSSLcert' ) my $domainEnabled = $domainsDB->get_prop( "$domain", 'letsencryptSSLcert' )
|| 'disabled'; || 'disabled';
if ( $domainEnabled eq 'enabled' ) { if ( $domainEnabled eq 'enabled' ) {
$OUT .= "$domain " unless $DomainName eq $domain; $OUT .= "$domain " unless $DomainName eq $domain;
} }
} }
# Now check for hosts # Now check for this domain hosts
# Buggered if I remember why we check that
# the host has a domain name in domains !
# Must have been a reason
foreach my $fqdn (@hosts) { foreach my $fqdn (@hosts) {
# If we are set to all or hosts just do it # exclude host identical to primary domain, already done
if ( $letsencryptConfig eq 'all' || $letsencryptConfig eq 'hosts' ) { next if $DomainName eq $fqdn;
$OUT .= "$fqdn " unless $DomainName eq $fqdn; # exclude host identical to current domain, already done
} next if $domain eq $fqdn;
# Just do selected entries # overide hostOverride : default disabled do not ask if host is not self
else { my $type = $hostsDB->get_prop( "$fqdn", 'HostType' ) || "Self";
next unless ( $type eq "Self" || $hostOverride eq "disabled");
# check if host related to current domain
# Lets get the hostname # Lets get the hostname
my $hostname = $fqdn; my $hostname = $fqdn;
$hostname =~ s/\..*//; $hostname =~ s/\..*//;
# print "$hostname\n";
# Lets get the domain name # Lets get the domain name
my $domainname = $fqdn; my $domainname = $fqdn;
$domainname =~ s/.*?\.//; $domainname =~ s/.*?\.//;
next unless ($domainname eq $domain);
# print "$domainname\n"; # If we are set to all or hosts just do it
if ( $letsencryptConfig eq 'all' || $letsencryptConfig eq 'hosts' ) {
# is the domain name from the hosts file my $hostEnabled = $hostsDB->get_prop( "$fqdn", 'letsencryptSSLcert' )
|| 'enabled';
$OUT .= "$fqdn " unless $hostEnabled eq 'disabled';
}
else {
# the same as that in the domains file ? # the same as that in the domains file ?
my $hostEnabled = $hostsDB->get_prop( "$fqdn", 'letsencryptSSLcert' ) my $hostEnabled = $hostsDB->get_prop( "$fqdn", 'letsencryptSSLcert' )
|| 'disabled'; || 'disabled';
$OUT .= "$fqdn " unless $hostEnabled eq 'disabled';
if ( $domainname eq $domain && $hostEnabled eq 'enabled' ) {
# Are we self ?
my $type = $hostsDB->get_prop( "$fqdn", 'HostType' );
my $hostOverride = $configDB->get_prop( 'letsencrypt', 'hostOverride' )
|| 'disabled';
# print "Override $hostOverride";
if ( $hostOverride eq 'yes' ) {
$OUT .= "$fqdn " unless $DomainName eq $fqdn;
}
elsif ( $type eq 'Self' ) {
# print "Here: $fqdn $type\n";
$OUT .= "$fqdn " unless $DomainName eq $fqdn;
}
} }
} }
} }
}
}
else {
$OUT .= "# letsencrypt is disabled\n";
}
} }
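Review bot: The `hostOverride` guard in the host loop reads as inverted against the comment directly above it: with the default `hostOverride` of `disabled`, `$hostOverride eq "disabled"` is true, so `next unless (...)` never skips and hosts whose `HostType` is not `Self` are added to the certificate name list, while any other setting restricts the list to `Self` hosts. The comment and the removed code (non-Self hosts were added only when the override was set) both point the other way, so the test was presumably meant to be `next unless ( $type eq "Self" || $hostOverride ne "disabled" );`. As written, a default configuration would request certificates for names that resolve to other machines, which at best fails validation and at worst extends the certificate to hosts the administrator did not intend to cover. The fragment begins above the hunk (it starts at line 3), so anything set before `use warnings` is not visible here.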


@@ -1,6 +1,6 @@
%define name smeserver-certificates %define name smeserver-certificates
%define version 11.0 %define version 11.0
%define release 8 %define release 10
Summary: This is what smeserver-certificates does. Summary: This is what smeserver-certificates does.
Name: %{name} Name: %{name}
Version: %{version} Version: %{version}
@@ -25,8 +25,12 @@ AutoReqProv: no
%changelog %changelog
* Wed Sep 10 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0-10.sme
- fix unexpected behaviour when item set as disabled [SME: 13136]
rewrite of 10Domains fragment
* Mon Aug 25 2025 John Crisp <jcrisp@safeandsoundit.co.uk> 11.0-8.sme * Mon Aug 25 2025 John Crisp <jcrisp@safeandsoundit.co.uk> 11.0-8.sme
- Set KEY_ALFO default to rsa - thanks Knuddi [SME: 13109] - Set KEY_ALGO default to rsa - thanks Knuddi [SME: 13109]
- bump server-manager version - bump server-manager version
* Fri Jun 27 2025 Brian Read <brianr@koozali.org> 11.0-7.sme * Fri Jun 27 2025 Brian Read <brianr@koozali.org> 11.0-7.sme