diff --git a/plugins/dynamix/SSLSettings.page b/plugins/dynamix/SSLSettings.page
index 3f57ecc99..8b9872d67 100644
--- a/plugins/dynamix/SSLSettings.page
+++ b/plugins/dynamix/SSLSettings.page
@@ -27,13 +27,17 @@ function provisionSSL(internalip, keyfile, form) {
 result = false;
 };
- $.post('https://keys.lime-technology.com/account/ssl/provisioncert',{internalip:internalip,keyfile:keyfile},function(data) {
+ $.post("https://keys.lime-technology.com/account/ssl/provisioncert",{internalip:internalip,keyfile:keyfile},function(data) {
 if (data.bundle) {
- $.post("/webGui/include/CertUpload.php",{text:data.bundle,csrf_token:''},function(data) {
- var msg = "Your Let's Encrypt SSL Certificate has been provisioned and a DNS record " +
- "for local IP address "+internalip+" has been created on unraid.net.";
- swal({title:'',text:msg,type:'success'},function(){form.submit();});
- }).fail(failure);
+ $.get("//"+data.internal_dns+"/dnscheck",function() {
+ $.post("/webGui/include/CertUpload.php",{text:data.bundle,csrf_token:""},function(data) {
+ var msg = "Your Let's Encrypt SSL Certificate has been provisioned and a DNS record " +
+ "for local IP address "+internalip+" has been created on unraid.net.";
+ swal({title:'',text:msg,type:'success'},function(){form.submit();});
+ }).fail(failure);
+ }).fail(function(){
+ failure({"status": 403, "responseJSON": {"error": "Your router or configured DNS servers are protecting against DNS rebinding thus preventing this SSL certificate from working. See help for more details and workarounds"}});
+ });
 } else {
 failure({"status": 403, "responseJSON": {"error": "Server was unable to provision SSL certificate"}});
 }
diff --git a/plugins/dynamix/include/CertUpload.php b/plugins/dynamix/include/CertUpload.php
index a317d4141..fb00ea483 100644
--- a/plugins/dynamix/include/CertUpload.php
+++ b/plugins/dynamix/include/CertUpload.php
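Review bot: In the new `$.get("//"+data.internal_dns+"/dnscheck", ...)` call, `data.internal_dns` is spliced into the URL straight from the provisioning response with no shape check, so the browser is sent to whatever hostname the keys server returns; since CertUpload.php in this same diff only accepts a subject CN matching `[0-9a-f]{40}\.unraid\.net`, the client could enforce the same form before issuing the request, e.g. `if (!/^[0-9a-f]{40}\.unraid\.net$/.test(data.internal_dns)) { failure({"status": 403, "responseJSON": {"error": "Server was unable to provision SSL certificate"}}); return; }`. The dnscheck `.fail` handler also discards its jqXHR argument and reports every failure as DNS-rebinding protection, although a CORS rejection (the request is presumably cross-origin from the GUI's own origin), a TLS failure on the protocol-relative URL if the GUI is itself on https before the new certificate is uploaded, or a non-2xx reply from /dnscheck all land in the same branch; testing `jqXHR.status === 0` before emitting the rebinding message and passing other failures through to `failure` unchanged would keep the message accurate. Stylistically, the inner `function(data)` now shadows the outer `data` one callback level deeper than before, which is easy to misread. `provisionSSL` starts before this hunk and its body continues past it.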
@@ -16,20 +16,7 @@ $text = $_POST['text'] ?? '';
 file_put_contents('/boot/config/ssl/certs/certificate_bundle.pem.new', $text);
 //validate certificate_bundle.pem.new is for *.unraid.net before moving it over to certificate_bundle.pem
-if (preg_match('/CN=([0-9a-f]{40}\.unraid\.net)$/', exec('openssl x509 -in /boot/config/ssl/certs/certificate_bundle.pem.new -subject -noout 2>&1'), $matches)) {
- // Successful cases:
- // If unraid.net and .unraid.net both fail then the dns servers are inaccessible ==> cross-fingers and hope their browser has proper dns
- // If unraid.net and .unraid.net both resolve ==> dns rebinding protection isn't going to be a issue
- //
- // Failure case:
- // If unraid.net resolves but .unraid.net fails ==> dns rebinding protection is a issue
- if (count(dns_get_record('unraid.net', DNS_A)) !== count(dns_get_record($matches[1], DNS_A))) {
- http_response_code(406);
- header("Content-Type: application/json");
- echo json_encode(['error' => 'Your router or configured DNS servers are protecting against DNS rebinding thus preventing this SSL certificate from working. See help for more details and workarounds']);
- exit;
- }
-
+if (preg_match('/CN=[0-9a-f]{40}\.unraid\.net$/', exec('openssl x509 -in /boot/config/ssl/certs/certificate_bundle.pem.new -subject -noout 2>&1'))) {
 rename('/boot/config/ssl/certs/certificate_bundle.pem.new', '/boot/config/ssl/certs/certificate_bundle.pem');
 } else {
 unlink('/boot/config/ssl/certs/certificate_bundle.pem.new');