Menu="Identification"
Title="SSL Certificate Settings"
Icon="ident.png"
Tag="expeditedssl"
---
<?PHP
/* Copyright 2005-2017, Lime Technology
 * Copyright 2012-2017, Bergware International.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2,
 * as published by the Free Software Foundation.
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 */
?>
<?
$keyfile = @file_get_contents($var['regFILE']);
if ($keyfile !== false)
  $keyfile = @base64_encode($keyfile);
$isLEcert = file_exists("/boot/config/ssl/certs/certificate_bundle.pem");
if ($isLEcert)
  exec("/usr/bin/openssl x509 -checkend 2592000 -noout -in /etc/ssl/certs/unraid_bundle.pem",$arrout,$retval_expired);
$provisionlabel = $isLEcert ? 'Renew' : 'Provision';
$disabled_provision = $keyfile===false || ($isLEcert && $retval_expired===0) || $var['USE_SSL']!="auto" ? 'disabled' : '';
$disabled_updatedns = $keyfile!==false && $isLEcert ? '' : 'disabled';
$internalip = $eth0['IPADDR:0'];
?>
<script>
function provisionSSL(button) {
    var oldlabel = $.trim($(button).text());
    $(button).prop("disabled", true).html("<i class=\"fa fa-spinner fa-spin\" aria-hidden=\"true\"></i> "+oldlabel+"ing");

    var msg = "Your Let's Encrypt SSL Certificate has been provisioned and a DNS record " +
              "for local IP address <?=$internalip?> has been created on unraid.net.";

    var failure = function(data) {
        var status = data.status;
        var obj = data.responseJSON;
        msg = "Sorry, an error ("+status+") occurred "+oldlabel.toLowerCase()+"ing your SSL certificate. " +
              "The error is: "+obj.error+".";
        $(button).prop("disabled", false).html(oldlabel);
        swal("Oops",msg,"error");
    };

    var success_provision = function(data) {
        if (data.bundle) {
            if (oldlabel == 'Renew') {
                msg = "Your Let's Encrypt SSL Certificate has been renewed.";
                success_rebind_check(data);
            } else {
                $.get("//"+data.internal_dns+":<?=$var['PORT']?>/dnscheck",function() {
                    success_rebind_check(data);
                }).fail(function(){
                    failure({"status": 403, "responseJSON": {"error": "Your router or DNS server has DNS rebinding protection enabled, preventing "+data.internal_dns+" <?=$internalip?> resolution.  See Help for more details and workarounds"}});
                });
            }
        } else {
            failure({"status": 403, "responseJSON": {"error": "Server was unable to provision SSL certificate"}});
        }
    };

    var success_rebind_check = function(data) {
        $.post("/webGui/include/CertUpload.php",{text:data.bundle,csrf_token:"<?=$var['csrf_token']?>"},function(data2) {
            swal({title:"",text:msg,type:"success",allowEscapeKey:false},function(){button.form.submit();});
        }).fail(failure);
    };

    $.post("https://keys.lime-technology.com/account/ssl/provisioncert",{internalip:"<?=$internalip?>",internalport:<?=$var['PORTSSL']?>,keyfile:"<?=$keyfile?>"},success_provision).fail(failure);
}

function updateDNS(button) {
    $(button).prop("disabled", true).html("<i class=\"fa fa-spinner fa-spin\" aria-hidden=\"true\"></i> Updating DNS");

    var failure = function(data) {
        var status = data.status;
        var obj = data.responseJSON;
        var msg = "Sorry, an error ("+status+") occurred updating unraid.net DNS records. " +
                  "The error is: "+obj.error+".";
        $(button).prop("disabled", false).html("Update DNS");
        swal('Oops',msg,'error');
    };

    var success = function(data) {
        $(button).prop("disabled", false).html("Update DNS");
        swal("","Your local IP address <?=$internalip?> has been updated for unraid.net.","success");
    };

    $.post("https://keys.lime-technology.com/account/ssl/updatedns",{internalip:"<?=$internalip?>",internalport:<?=$var['PORTSSL']?>,keyfile:"<?=$keyfile?>"},success).fail(failure);
}
</script>
<form markdown="1" name="SSLSettings" method="POST" action="/update.htm" target="progressFrame">
Use SSL/TLS:
: <select name="USE_SSL" size="1" class="narrow">
  <?=mk_option($var['USE_SSL'], "auto", "Auto")?>
  <?=mk_option($var['USE_SSL'], "no", "No")?>
  <?=mk_option($var['USE_SSL'], "yes", "Yes")?>
  </select>

> Determines how the webGui responds to HTTP and/or HTTPS protocol.
>
> Select **No** to disable HTTPS (but HTTPS is recognized and redirected to HTTP).
>
> Select **Yes** to enable HTTPS and redirect HTTP to HTTPS.
>
> With **Auto** selected, behaves like **No** if only a self-signed SSL certificate is present.  If
> a Lets Encrypt or other user supplied SSL certificate if present, behavies like **Yes**.
>
> A self-signed SSL certificate is automatically generated during start-up in the
> file `/boot/config/ssl/certs/<hostname>_unraid_bundle.pem` if it does not already exist.
>
> A Lets Encrypt or other user-generated SSL certificate, must be stored in the
> file `/boot/config/ssl/csrts/certificate_bundle.pem`.  *nginx* will prefer ths certificate if present.

HTTP port:
: <input type="number" name="PORT" class="trim" min="0" max="65535" value="<?=htmlspecialchars($var['PORT'])?>">

> Enter the HTTP port, default is 80.

HTTPS port:
: <input type="number" name="PORTSSL" class="trim" min="0" max="65535" value="<?=htmlspecialchars($var['PORTSSL'])?>">

> Enter the HTTPS port, default is 443.

&nbsp;
: <input type="submit" name="changePorts" value="Apply"><input type="button" value="Done" onclick="done()">

</form>
<form markdown="1" name="Provision" method="POST" action="/update.htm" target="progressFrame">
<input type="hidden" name="changePorts" value="apply">
Certificate issuer:
: <?=shell_exec("/usr/bin/openssl x509 -text -noout -in /etc/ssl/certs/unraid_bundle.pem|sed -n -e 's/^.*Issuer: //p'")?>

Certificate expiration:
: <?=shell_exec("/usr/bin/openssl x509 -text -noout -in /etc/ssl/certs/unraid_bundle.pem|sed -n -e 's/^.*Not After : //p'")?>

&nbsp;
: <button type="button" onclick="provisionSSL(this)" <?=$disabled_provision?>><?=$provisionlabel?></button><button type="button" onclick="updateDNS(this)" <?=$disabled_updatedns?>>Update DNS</button>

> **Provision** may be used to allocate a *free* SSL Certficiate from [Let's Encrypt](https://letsencrypt.org/) and
> then upload to your server.  Note: We **highly** recommend using a static IP address in this case.

> **Update DNS** may be used to manually initiate updating the DNS A-record of your server FQDN on unraid.net.  Note
> that DNS propagation change could take anywhere from 1 minute to several hours (we set TTL to 60 seconds).

> Note: **Provision** may fail if your router or upstream DNS server has
> [DNS rebinding protection](https://en.wikipedia.org/wiki/DNS_rebinding) enabled.  DNS rebinding
> protection prevents DNS from resolving a private IP network range.  DNS rebinding protection is meant as
> a security feature on a local LAN which includes legacy devices with buggy/insecure "web" interfaces.

> One source of DNS rebinding protection could be your ISP DNS server.  In this case the problem may be solved by
> switching to a different DNS server such as Google's public DNS.

> More commonly, DNS rebinding protection could be enabled in your router.  Most consumer routers do not implement DNS
> rebinding protection; but, if they do, a configuration setting should be available to turn it off.

> Higher end routers usually do enable DNS rebinding protection however.  Typically there are ways of turning it off
> entirely or selectively based on domain.  Examples:

> **DD-WRT:** If you are using "dnsmasq" with DNS rebinding protection enabled, you can add this line to your router
> configuration file:

> `rebind-domain-ok=/unraid.net/`

> **pfSense:** If you are using pfSense internal DNS resolver service, you can add these Custom Option lines:

> `server:`<br>
> `private-domain: "unraid.net"`

> **Ubiquiti USG router:** you can add this configuration line:

> `set service dns forwarding options rebind-domain-ok=/unraid.net/`

> **OpenDNS:** Go to Settings -> Security and *remove* the checkbox next to
>  "Suspicious Responses - Block internal IP addresses". It is an all-or-nothing setting.

> When all else fails, you can create an entry in your PC's *hosts* file to override external DNS and
> directly resolve your servers unraid.net FQDN to its local IP address.

</form>