Use @fix_letsencrypt argument instead of IPE_FIX_CACERTS to fix Let's Encrypt (#451)

IPE_FIX_CACERTS is still supported, but deprecated

Test: blackfire, ioncube_loader, snuffleupagus, sourceguardian, spx, xdebug, zip
pull/454/head 1.4.0
Michele Locati 2021-10-08 10:24:06 +02:00 committed by GitHub
parent 4d6d8e7815
commit a78c760ef5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 83 additions and 33 deletions

View File

@ -110,6 +110,22 @@ install-php-extensions @composer-1
install-php-extensions @composer-2.0.2 install-php-extensions @composer-2.0.2
``` ```
### Issue with Let's Encrypt certificates
The root CA certificate of Let's Encrypt changes ([more details here](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/)).
That breaks old linux distributions, namely:
- Debian Jessie (8)
- Debian Stretch (9)
- Alpine Linux 3.7
- Alpine Linux 3.8
This script can fix this issue: simply pass `@fix_letsencrypt` as an argument:
```sh
install-php-extensions @fix_letsencrypt
```
## Supported PHP extensions ## Supported PHP extensions
<!-- START OF EXTENSIONS TABLE --> <!-- START OF EXTENSIONS TABLE -->
@ -298,7 +314,6 @@ Here's the list of all the supported environment variables:
| Extension | Environment variable | Description | | Extension | Environment variable | Description |
|---|---|---| |---|---|---|
| | `IPE_FIX_CACERTS=1` | Old Alpine Linux (3.7 and 3.8) and Debian (Jessie and Stretch) versions don't work anymore with websites whose HTTPS certificate has been signed by Let's Encrypt ([more details here](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/)).<br /> By setting this environment variable, `install-php-extensions` will fix this issue |
| | `IPE_DONT_ENABLE=1` | By default the script will install and enable the extensions.<br />If you want to only install them (without enabling them) you can set this environment variable.<br />To enable the extensions at a later time you can execute the command `docker-php-ext-enable-<extension>` (for example: `docker-php-ext-enable-xdebug`).<br />**Beware**: installing some PHP extensions require that other PHP extensions are already enabled, so use this feature wisely. | | | `IPE_DONT_ENABLE=1` | By default the script will install and enable the extensions.<br />If you want to only install them (without enabling them) you can set this environment variable.<br />To enable the extensions at a later time you can execute the command `docker-php-ext-enable-<extension>` (for example: `docker-php-ext-enable-xdebug`).<br />**Beware**: installing some PHP extensions require that other PHP extensions are already enabled, so use this feature wisely. |
| | `IPE_KEEP_SYSPKG_CACHE=1` | By default the script will clear the apt/apk/pear cache in order to save disk space. You can disable it by setting this environment variable | | | `IPE_KEEP_SYSPKG_CACHE=1` | By default the script will clear the apt/apk/pear cache in order to save disk space. You can disable it by setting this environment variable |
| lzf | `IPE_LZF_BETTERCOMPRESSION=1` | By default `install-php-extensions` compiles the `lzf` extension to prefer speed over size; you can use this environment variable to compile it preferring size over speed | | lzf | `IPE_LZF_BETTERCOMPRESSION=1` | By default `install-php-extensions` compiles the `lzf` extension to prefer speed over size; you can use this environment variable to compile it preferring size over speed |

View File

@ -291,6 +291,12 @@ setPHPPreinstalledModules() {
processCommandArguments() { processCommandArguments() {
processCommandArguments_endArgs=0 processCommandArguments_endArgs=0
PHP_MODULES_TO_INSTALL='' PHP_MODULES_TO_INSTALL=''
# Support deprecated flag IPE_FIX_CACERTS
case "${IPE_FIX_CACERTS:-}" in
1 | y* | Y*)
PHP_MODULES_TO_INSTALL="$PHP_MODULES_TO_INSTALL @fix_letsencrypt"
;;
esac
while :; do while :; do
if test $# -lt 1; then if test $# -lt 1; then
break break
@ -2878,7 +2884,30 @@ installRemoteModule() {
esac esac
} }
# Configure the PECL package installed # Check if a module/helper may be installed using the pecl archive
#
# Arguments:
# $1: the name of the module
#
# Return:
# 0: true
# 1: false
moduleMayUsePecl() {
case "$1" in
@composer | @fix_letsencrypt)
return 1
;;
blackfire | ioncube_loader | snuffleupagus | sourceguardian | spx | tdlib)
return 1
;;
esac
if stringInList "$1" "$BUNDLED_MODULES"; then
return 1
fi
return 0
}
# Configure the PECL package installer
# #
# Updates: # Updates:
# PHP_MODULES_TO_INSTALL # PHP_MODULES_TO_INSTALL
@ -2887,16 +2916,7 @@ installRemoteModule() {
configureInstaller() { configureInstaller() {
USE_PICKLE=0 USE_PICKLE=0
for PHP_MODULE_TO_INSTALL in $PHP_MODULES_TO_INSTALL; do for PHP_MODULE_TO_INSTALL in $PHP_MODULES_TO_INSTALL; do
if test "${PHP_MODULE_TO_INSTALL#@}" != "$PHP_MODULE_TO_INSTALL"; then if moduleMayUsePecl "$PHP_MODULE_TO_INSTALL"; then
continue
fi
if test "$PHP_MODULE_TO_INSTALL" = 'spx'; then
continue
fi
if test "$PHP_MODULE_TO_INSTALL" = 'amqp' && test $PHP_MAJMIN_VERSION -ge 800; then
continue
fi
if ! stringInList "$PHP_MODULE_TO_INSTALL" "$BUNDLED_MODULES"; then
if test $PHP_MAJMIN_VERSION -lt 800; then if test $PHP_MAJMIN_VERSION -lt 800; then
pecl channel-update pecl.php.net || true pecl channel-update pecl.php.net || true
return return
@ -3028,19 +3048,17 @@ removeStringFromList() {
printf '%s' "$removeStringFromList_result" printf '%s' "$removeStringFromList_result"
} }
# Replace the list of trusted CA with toe ones provided by cURL. # Fix the Let's Encrypt CA certificates on old distros
# (controlled by IPE_FIX_CACERTS is set) fixLetsEncrypt() {
fixCACerts() { printf '### FIXING LETS ENCRYPT CA CERTIFICATES ###\n'
case "${IPE_FIX_CACERTS:-}" in
1 | y* | Y*) ;;
*)
return
;;
esac
case "$DISTRO_VERSION" in case "$DISTRO_VERSION" in
alpine@3.7 | alpine@3.8) ;; alpine@3.7 | alpine@3.8)
printf -- '- old Alpine Linux detected: we should fix the certificates\n'
;;
debian@8 | debian@9) debian@8 | debian@9)
printf -- '- old Debian detected: we should fix the certificates\n'
if ! grep -q 'mozilla/ISRG_Root_X1.crt' /etc/ca-certificates.conf && grep -q 'mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf; then if ! grep -q 'mozilla/ISRG_Root_X1.crt' /etc/ca-certificates.conf && grep -q 'mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf; then
printf -- '- old ca-certificates package detected\n'
fixCACerts_mustUpdate=1 fixCACerts_mustUpdate=1
if test -d /var/lib/apt/lists; then if test -d /var/lib/apt/lists; then
for fixCACerts_item in $(ls -1 /var/lib/apt/lists); do for fixCACerts_item in $(ls -1 /var/lib/apt/lists); do
@ -3054,19 +3072,25 @@ fixCACerts() {
done done
fi fi
if test $fixCACerts_mustUpdate -eq 1; then if test $fixCACerts_mustUpdate -eq 1; then
DEBIAN_FRONTEND=noninteractive apt-get update -q printf -- '- refreshing the APT package list\n'
DEBIAN_FRONTEND=noninteractive apt-get update -qq
fi fi
apt-get install -qqy --no-install-recommends ca-certificates printf -- '- installing newer ca-certificates package\n'
DEBIAN_FRONTEND=noninteractive apt-get install -qqy --no-install-recommends ca-certificates
fi fi
;; ;;
*) *)
# No needs to update the CA list printf -- '- patch not required in this distro version\n'
return return
;; ;;
esac esac
if grep -Eq '^mozilla/ISRG_Root_X1\.crt$' /etc/ca-certificates.conf && grep -Eq '^mozilla/DST_Root_CA_X3\.crt$' /etc/ca-certificates.conf; then if grep -Eq '^mozilla/ISRG_Root_X1\.crt$' /etc/ca-certificates.conf && grep -Eq '^mozilla/DST_Root_CA_X3\.crt$' /etc/ca-certificates.conf; then
printf -- '- disabling the DST_Root_CA_X3 certificate\n'
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
printf -- '- refreshing the certificates\n'
update-ca-certificates -f update-ca-certificates -f
else
printf -- '- DST_Root_CA_X3 certificate not found or already disabled\n'
fi fi
} }
@ -3147,7 +3171,10 @@ if test -z "$PHP_MODULES_TO_INSTALL"; then
exit 0 exit 0
fi fi
fixCACerts if stringInList @fix_letsencrypt "$PHP_MODULES_TO_INSTALL"; then
# This must be the very first thing we do
fixLetsEncrypt
fi
sortModulesToInstall sortModulesToInstall
@ -3169,12 +3196,20 @@ if test $USE_PICKLE -gt 1; then
buildPickle buildPickle
fi fi
for PHP_MODULE_TO_INSTALL in $PHP_MODULES_TO_INSTALL; do for PHP_MODULE_TO_INSTALL in $PHP_MODULES_TO_INSTALL; do
if test "$PHP_MODULE_TO_INSTALL" = '@composer'; then case "$PHP_MODULE_TO_INSTALL" in
@fix_letsencrypt)
# Already done: it must be the first thing we do
;;
@composer)
installComposer installComposer
elif stringInList "$PHP_MODULE_TO_INSTALL" "$BUNDLED_MODULES"; then ;;
*)
if stringInList "$PHP_MODULE_TO_INSTALL" "$BUNDLED_MODULES"; then
installBundledModule "$PHP_MODULE_TO_INSTALL" installBundledModule "$PHP_MODULE_TO_INSTALL"
else else
installRemoteModule "$PHP_MODULE_TO_INSTALL" installRemoteModule "$PHP_MODULE_TO_INSTALL"
fi fi
;;
esac
done done
cleanup cleanup