fix(ssl): block ssl-verify on non-letsencrypt sites #487
Open
mrrobot47 wants to merge 1 commit into
Problem

ee site ssl-verify (ssl_verify()) had no guard on the site's SSL type. Run on a custom/self/inherit site it would still prompt for a Let's Encrypt email, instantiate the ACME client, run the challenge, and request an LE certificate — which overwrites the user's custom certificate if the domain validates, or yields a confusing "Failed to verify SSL" error with a retry hint that can never succeed for a non-LE cert.

Fix

Guard ssl_verify() to error clearly when site_ssl !== 'le'. The guard sits after site_data is populated (so it covers the user-invoked subcommand) and does not affect the internal call from init_le() during LE site creation — that path is only reached when site_ssl === 'le', so the guard never fires there.

Testing

Manual:

ee site create custom.test --type=html --ssl=custom --ssl-key=... --ssl-crt=...
ee site ssl-verify custom.test → exits with "SSL verification is only applicable to Let's Encrypt certificates." (no email prompt, no ACME run, certs untouched).
--ssl=le site still verifies/renews as before.