Use @fix_letsencrypt argument instead of IPE_FIX_CACERTS to fix Let's Encrypt (#451)
IPE_FIX_CACERTS is still supported, but deprecated Test: blackfire, ioncube_loader, snuffleupagus, sourceguardian, spx, xdebug, zippull/454/head 1.4.0
parent
4d6d8e7815
commit
a78c760ef5
17
README.md
17
README.md
|
@ -110,6 +110,22 @@ install-php-extensions @composer-1
|
||||||
install-php-extensions @composer-2.0.2
|
install-php-extensions @composer-2.0.2
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Issue with Let's Encrypt certificates
|
||||||
|
|
||||||
|
The root CA certificate of Let's Encrypt changes ([more details here](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/)).
|
||||||
|
That breaks old linux distributions, namely:
|
||||||
|
|
||||||
|
- Debian Jessie (8)
|
||||||
|
- Debian Stretch (9)
|
||||||
|
- Alpine Linux 3.7
|
||||||
|
- Alpine Linux 3.8
|
||||||
|
|
||||||
|
This script can fix this issue: simply pass `@fix_letsencrypt` as an argument:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
install-php-extensions @fix_letsencrypt
|
||||||
|
```
|
||||||
|
|
||||||
## Supported PHP extensions
|
## Supported PHP extensions
|
||||||
|
|
||||||
<!-- START OF EXTENSIONS TABLE -->
|
<!-- START OF EXTENSIONS TABLE -->
|
||||||
|
@ -298,7 +314,6 @@ Here's the list of all the supported environment variables:
|
||||||
|
|
||||||
| Extension | Environment variable | Description |
|
| Extension | Environment variable | Description |
|
||||||
|---|---|---|
|
|---|---|---|
|
||||||
| | `IPE_FIX_CACERTS=1` | Old Alpine Linux (3.7 and 3.8) and Debian (Jessie and Stretch) versions don't work anymore with websites whose HTTPS certificate has been signed by Let's Encrypt ([more details here](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/)).<br /> By setting this environment variable, `install-php-extensions` will fix this issue |
|
|
||||||
| | `IPE_DONT_ENABLE=1` | By default the script will install and enable the extensions.<br />If you want to only install them (without enabling them) you can set this environment variable.<br />To enable the extensions at a later time you can execute the command `docker-php-ext-enable-<extension>` (for example: `docker-php-ext-enable-xdebug`).<br />**Beware**: installing some PHP extensions require that other PHP extensions are already enabled, so use this feature wisely. |
|
| | `IPE_DONT_ENABLE=1` | By default the script will install and enable the extensions.<br />If you want to only install them (without enabling them) you can set this environment variable.<br />To enable the extensions at a later time you can execute the command `docker-php-ext-enable-<extension>` (for example: `docker-php-ext-enable-xdebug`).<br />**Beware**: installing some PHP extensions require that other PHP extensions are already enabled, so use this feature wisely. |
|
||||||
| | `IPE_KEEP_SYSPKG_CACHE=1` | By default the script will clear the apt/apk/pear cache in order to save disk space. You can disable it by setting this environment variable |
|
| | `IPE_KEEP_SYSPKG_CACHE=1` | By default the script will clear the apt/apk/pear cache in order to save disk space. You can disable it by setting this environment variable |
|
||||||
| lzf | `IPE_LZF_BETTERCOMPRESSION=1` | By default `install-php-extensions` compiles the `lzf` extension to prefer speed over size; you can use this environment variable to compile it preferring size over speed |
|
| lzf | `IPE_LZF_BETTERCOMPRESSION=1` | By default `install-php-extensions` compiles the `lzf` extension to prefer speed over size; you can use this environment variable to compile it preferring size over speed |
|
||||||
|
|
|
@ -291,6 +291,12 @@ setPHPPreinstalledModules() {
|
||||||
processCommandArguments() {
|
processCommandArguments() {
|
||||||
processCommandArguments_endArgs=0
|
processCommandArguments_endArgs=0
|
||||||
PHP_MODULES_TO_INSTALL=''
|
PHP_MODULES_TO_INSTALL=''
|
||||||
|
# Support deprecated flag IPE_FIX_CACERTS
|
||||||
|
case "${IPE_FIX_CACERTS:-}" in
|
||||||
|
1 | y* | Y*)
|
||||||
|
PHP_MODULES_TO_INSTALL="$PHP_MODULES_TO_INSTALL @fix_letsencrypt"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
while :; do
|
while :; do
|
||||||
if test $# -lt 1; then
|
if test $# -lt 1; then
|
||||||
break
|
break
|
||||||
|
@ -2878,7 +2884,30 @@ installRemoteModule() {
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
# Configure the PECL package installed
|
# Check if a module/helper may be installed using the pecl archive
|
||||||
|
#
|
||||||
|
# Arguments:
|
||||||
|
# $1: the name of the module
|
||||||
|
#
|
||||||
|
# Return:
|
||||||
|
# 0: true
|
||||||
|
# 1: false
|
||||||
|
moduleMayUsePecl() {
|
||||||
|
case "$1" in
|
||||||
|
@composer | @fix_letsencrypt)
|
||||||
|
return 1
|
||||||
|
;;
|
||||||
|
blackfire | ioncube_loader | snuffleupagus | sourceguardian | spx | tdlib)
|
||||||
|
return 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
if stringInList "$1" "$BUNDLED_MODULES"; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# Configure the PECL package installer
|
||||||
#
|
#
|
||||||
# Updates:
|
# Updates:
|
||||||
# PHP_MODULES_TO_INSTALL
|
# PHP_MODULES_TO_INSTALL
|
||||||
|
@ -2887,16 +2916,7 @@ installRemoteModule() {
|
||||||
configureInstaller() {
|
configureInstaller() {
|
||||||
USE_PICKLE=0
|
USE_PICKLE=0
|
||||||
for PHP_MODULE_TO_INSTALL in $PHP_MODULES_TO_INSTALL; do
|
for PHP_MODULE_TO_INSTALL in $PHP_MODULES_TO_INSTALL; do
|
||||||
if test "${PHP_MODULE_TO_INSTALL#@}" != "$PHP_MODULE_TO_INSTALL"; then
|
if moduleMayUsePecl "$PHP_MODULE_TO_INSTALL"; then
|
||||||
continue
|
|
||||||
fi
|
|
||||||
if test "$PHP_MODULE_TO_INSTALL" = 'spx'; then
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
if test "$PHP_MODULE_TO_INSTALL" = 'amqp' && test $PHP_MAJMIN_VERSION -ge 800; then
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
if ! stringInList "$PHP_MODULE_TO_INSTALL" "$BUNDLED_MODULES"; then
|
|
||||||
if test $PHP_MAJMIN_VERSION -lt 800; then
|
if test $PHP_MAJMIN_VERSION -lt 800; then
|
||||||
pecl channel-update pecl.php.net || true
|
pecl channel-update pecl.php.net || true
|
||||||
return
|
return
|
||||||
|
@ -3028,19 +3048,17 @@ removeStringFromList() {
|
||||||
printf '%s' "$removeStringFromList_result"
|
printf '%s' "$removeStringFromList_result"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Replace the list of trusted CA with toe ones provided by cURL.
|
# Fix the Let's Encrypt CA certificates on old distros
|
||||||
# (controlled by IPE_FIX_CACERTS is set)
|
fixLetsEncrypt() {
|
||||||
fixCACerts() {
|
printf '### FIXING LETS ENCRYPT CA CERTIFICATES ###\n'
|
||||||
case "${IPE_FIX_CACERTS:-}" in
|
|
||||||
1 | y* | Y*) ;;
|
|
||||||
*)
|
|
||||||
return
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
case "$DISTRO_VERSION" in
|
case "$DISTRO_VERSION" in
|
||||||
alpine@3.7 | alpine@3.8) ;;
|
alpine@3.7 | alpine@3.8)
|
||||||
|
printf -- '- old Alpine Linux detected: we should fix the certificates\n'
|
||||||
|
;;
|
||||||
debian@8 | debian@9)
|
debian@8 | debian@9)
|
||||||
|
printf -- '- old Debian detected: we should fix the certificates\n'
|
||||||
if ! grep -q 'mozilla/ISRG_Root_X1.crt' /etc/ca-certificates.conf && grep -q 'mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf; then
|
if ! grep -q 'mozilla/ISRG_Root_X1.crt' /etc/ca-certificates.conf && grep -q 'mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf; then
|
||||||
|
printf -- '- old ca-certificates package detected\n'
|
||||||
fixCACerts_mustUpdate=1
|
fixCACerts_mustUpdate=1
|
||||||
if test -d /var/lib/apt/lists; then
|
if test -d /var/lib/apt/lists; then
|
||||||
for fixCACerts_item in $(ls -1 /var/lib/apt/lists); do
|
for fixCACerts_item in $(ls -1 /var/lib/apt/lists); do
|
||||||
|
@ -3054,19 +3072,25 @@ fixCACerts() {
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
if test $fixCACerts_mustUpdate -eq 1; then
|
if test $fixCACerts_mustUpdate -eq 1; then
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get update -q
|
printf -- '- refreshing the APT package list\n'
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get update -qq
|
||||||
fi
|
fi
|
||||||
apt-get install -qqy --no-install-recommends ca-certificates
|
printf -- '- installing newer ca-certificates package\n'
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get install -qqy --no-install-recommends ca-certificates
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
# No needs to update the CA list
|
printf -- '- patch not required in this distro version\n'
|
||||||
return
|
return
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if grep -Eq '^mozilla/ISRG_Root_X1\.crt$' /etc/ca-certificates.conf && grep -Eq '^mozilla/DST_Root_CA_X3\.crt$' /etc/ca-certificates.conf; then
|
if grep -Eq '^mozilla/ISRG_Root_X1\.crt$' /etc/ca-certificates.conf && grep -Eq '^mozilla/DST_Root_CA_X3\.crt$' /etc/ca-certificates.conf; then
|
||||||
|
printf -- '- disabling the DST_Root_CA_X3 certificate\n'
|
||||||
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
|
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
|
||||||
|
printf -- '- refreshing the certificates\n'
|
||||||
update-ca-certificates -f
|
update-ca-certificates -f
|
||||||
|
else
|
||||||
|
printf -- '- DST_Root_CA_X3 certificate not found or already disabled\n'
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -3147,7 +3171,10 @@ if test -z "$PHP_MODULES_TO_INSTALL"; then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fixCACerts
|
if stringInList @fix_letsencrypt "$PHP_MODULES_TO_INSTALL"; then
|
||||||
|
# This must be the very first thing we do
|
||||||
|
fixLetsEncrypt
|
||||||
|
fi
|
||||||
|
|
||||||
sortModulesToInstall
|
sortModulesToInstall
|
||||||
|
|
||||||
|
@ -3169,12 +3196,20 @@ if test $USE_PICKLE -gt 1; then
|
||||||
buildPickle
|
buildPickle
|
||||||
fi
|
fi
|
||||||
for PHP_MODULE_TO_INSTALL in $PHP_MODULES_TO_INSTALL; do
|
for PHP_MODULE_TO_INSTALL in $PHP_MODULES_TO_INSTALL; do
|
||||||
if test "$PHP_MODULE_TO_INSTALL" = '@composer'; then
|
case "$PHP_MODULE_TO_INSTALL" in
|
||||||
|
@fix_letsencrypt)
|
||||||
|
# Already done: it must be the first thing we do
|
||||||
|
;;
|
||||||
|
@composer)
|
||||||
installComposer
|
installComposer
|
||||||
elif stringInList "$PHP_MODULE_TO_INSTALL" "$BUNDLED_MODULES"; then
|
;;
|
||||||
|
*)
|
||||||
|
if stringInList "$PHP_MODULE_TO_INSTALL" "$BUNDLED_MODULES"; then
|
||||||
installBundledModule "$PHP_MODULE_TO_INSTALL"
|
installBundledModule "$PHP_MODULE_TO_INSTALL"
|
||||||
else
|
else
|
||||||
installRemoteModule "$PHP_MODULE_TO_INSTALL"
|
installRemoteModule "$PHP_MODULE_TO_INSTALL"
|
||||||
fi
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
done
|
done
|
||||||
cleanup
|
cleanup
|
||||||
|
|
Loading…
Reference in New Issue