From b6933a73fa233a837b40aa8c7ebcb24d74254eca Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 10 Oct 2015 22:03:55 +0000
Subject: [PATCH 1/9] provision and install free SSL certificates from Let's
 Encrypt

---
 conf/nginx.conf                |  21 +-
 management/daily_tasks.sh      |   3 +
 management/ssl_certificates.py | 388 ++++++++++++++++++++++++++++++---
 management/status_checks.py    |  42 ++--
 management/web_update.py       |  23 +-
 setup/management.sh            |   7 +-
 setup/start.sh                 |   3 +
 7 files changed, 408 insertions(+), 79 deletions(-)
 mode change 100644 => 100755 management/ssl_certificates.py

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 34117efc..538f0743 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,6 +1,8 @@
 ## $HOSTNAME
 
-# Redirect all HTTP to HTTPS.
+# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt SSL certificate
+# domain validation challenges) path, which must be served over HTTP per the ACME spec
+# (due to some Apache vulnerability).
 server {
 	listen 80;
 	listen [::]:80;
@@ -12,10 +14,19 @@ server {
 	# error pages and in the "Server" HTTP-Header.
 	server_tokens off;
 
-	# Redirect using the 'return' directive and the built-in
-	# variable '$request_uri' to avoid any capturing, matching
-	# or evaluation of regular expressions.
-	return 301 https://$HOSTNAME$request_uri;
+	location / {
+		# Redirect using the 'return' directive and the built-in
+		# variable '$request_uri' to avoid any capturing, matching
+		# or evaluation of regular expressions.
+		return 301 https://$HOSTNAME$request_uri;
+	}
+
+	location /.well-known/acme-challenge/ {
+		# This path must be served over HTTP for ACME domain validation.
+		# We map this to a special path where our SSL cert provisioning
+		# tool knows to store challenge response files.
+		alias $STORAGE_ROOT/ssl/lets_encrypt/acme_challenges/;
+	}
 }
 
 # The secure HTTPS server.
diff --git a/management/daily_tasks.sh b/management/daily_tasks.sh
index 69d14c71..52bf4602 100755
--- a/management/daily_tasks.sh
+++ b/management/daily_tasks.sh
@@ -4,5 +4,8 @@
 # Take a backup.
 management/backup.py | management/email_administrator.py "Backup Status"
 
+# Provision any new certificates for new domains or domains with expiring certificates.
+management/ssl_certificates.py --headless | management/email_administrator.py "Error Provisioning TLS Certificate"
+
 # Run status checks and email the administrator if anything changed.
 management/status_checks.py --show-changes | management/email_administrator.py "Status Checks Change Notice"
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
old mode 100644
new mode 100755
index 1e9a9ca8..7edd2108
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -1,8 +1,11 @@
+#!/usr/bin/python3
 # Utilities for installing and selecting SSL certificates.
 
 import os, os.path, re, shutil
 
-from utils import shell, safe_domain_name
+from utils import shell, safe_domain_name, sort_domains
+
+# SELECTING SSL CERTIFICATES FOR USE IN WEB
 
 def get_ssl_certificates(env):
 	# Scan all of the installed SSL certificates and map every domain
@@ -17,6 +20,8 @@ def get_ssl_certificates(env):
 
 	# List all of the files in the SSL directory and one level deep.
 	def get_file_list():
+		if not os.path.exists(ssl_root):
+			return
 		for fn in os.listdir(ssl_root):
 			fn = os.path.join(ssl_root, fn)
 			if os.path.isfile(fn):
@@ -82,10 +87,27 @@ def get_ssl_certificates(env):
 			# prefer one that is not self-signed
 			cert.issuer != cert.subject,
 
+			###########################################################
+			# The above lines ensure that valid certificates are chosen
+			# over invalid certificates. The lines below choose between
+			# multiple valid certificates available for this domain.
+			###########################################################
+
 			# prefer one with the expiration furthest into the future so
 			# that we can easily rotate to new certs as we get them
 			cert.not_valid_after,
 
+			###########################################################
+			# We always choose the certificate that is good for the
+			# longest period of time. This is important for how we
+			# provision certificates for Let's Encrypt. To ensure that
+			# we don't re-provision every night, we have to ensure that
+			# if we choose to provison a certificate that it will
+			# *actually* be used so the provisioning logic knows it
+			# doesn't still need to provision a certificate for the
+			# domain.
+			###########################################################
+
 			# in case a certificate is installed in multiple paths,
 			# prefer the... lexicographically last one?
 			cert._filename,
@@ -96,46 +118,348 @@ def get_ssl_certificates(env):
 			"private-key": cert._private_key._filename,
 			"certificate": cert._filename,
 			"primary-domain": cert._primary_domain,
+			"certificate_object": cert,
 			}
 
 	return ret
 
-def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False):
-	# Get the default paths.
+def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False, raw=False):
+	# Get the system certificate info.
 	ssl_private_key = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_private_key.pem'))
 	ssl_certificate = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_certificate.pem'))
+	system_certificate = {
+		"private-key": ssl_private_key,
+		"certificate": ssl_certificate,
+		"primary-domain": env['PRIMARY_HOSTNAME'],
+		"certificate_object": load_pem(load_cert_chain(ssl_certificate)[0]),
+	}
 
 	if domain == env['PRIMARY_HOSTNAME']:
 		# The primary domain must use the server certificate because
 		# it is hard-coded in some service configuration files.
-		return ssl_private_key, ssl_certificate, None
+		return system_certificate
 
 	wildcard_domain = re.sub("^[^\.]+", "*", domain)
-
 	if domain in ssl_certificates:
-		cert_info = ssl_certificates[domain]
-		cert_type = "multi-domain"
+		return ssl_certificates[domain]
 	elif wildcard_domain in ssl_certificates:
-		cert_info = ssl_certificates[wildcard_domain]
-		cert_type = "wildcard"
+		return ssl_certificates[wildcard_domain]
 	elif not allow_missing_cert:
-		# No certificate is available for this domain! Return default files.
-		ssl_via = "Using certificate for %s." % env['PRIMARY_HOSTNAME']
-		return ssl_private_key, ssl_certificate, ssl_via
+		# No valid certificate is available for this domain! Return default files.
+		return system_certificate
 	else:
-		# No certificate is available - and warn appropriately.
+		# No valid certificate is available for this domain.
 		return None
 
-	# 'via' is a hint to the user about which certificate is in use for the domain
-	if cert_info['certificate'] == os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_certificate.pem'):
-		# Using the server certificate.
-		via = "Using same %s certificate as for %s." % (cert_type, env['PRIMARY_HOSTNAME'])
-	elif cert_info['primary-domain'] != domain and cert_info['primary-domain'] in ssl_certificates and cert_info == ssl_certificates[cert_info['primary-domain']]:
-		via = "Using same %s certificate as for %s." % (cert_type, cert_info['primary-domain'])
-	else:
-		via = None # don't show a hint - show expiration info instead
 
-	return cert_info['private-key'], cert_info['certificate'], via
+# PROVISIONING CERTIFICATES FROM LETSENCRYPT
+
+def get_certificates_to_provision(env):
+	# Get a list of domain names that we should now provision certificates
+	# for. Provision if a domain name has no valid certificate or if any
+	# certificate is expiring in 14 days. If provisioning anything, also
+	# provision certificates expiring within 30 days. The period between
+	# 14 and 30 days allows us to consolidate domains into multi-domain
+	# certificates for domains expiring around the same time.
+
+	from web_update import get_web_domains
+
+	import datetime
+	now = datetime.datetime.utcnow()
+
+	# Get domains with missing & expiring certificates.
+	certs = get_ssl_certificates(env)
+	domains = set()
+	domains_if_any = set()
+	for domain in get_web_domains(env):
+		try:
+			cert = get_domain_ssl_files(domain, certs, env, allow_missing_cert=True)
+		except FileNotFoundError:
+			# system certificate is not present
+			continue
+		if cert is None:
+			# No valid certificate available.
+			domains.add(domain)
+		else:
+			cert = cert["certificate_object"]
+			if cert.issuer == cert.subject:
+				# This is self-signed. Get a real one.
+				domains.add(domain)
+			
+			# Valid certificate today, but is it expiring soon?
+			elif cert.not_valid_after-now < datetime.timedelta(days=14):
+				domains.add(domain)
+			elif cert.not_valid_after-now < datetime.timedelta(days=30):
+				domains_if_any.add(domain)
+
+	# Filter out domains that don't have correct DNS, because then the CA
+	# won't be able to do DNS validation.
+	def is_domain_dns_correct(domain):
+		# Must make qname absolute to prevent a fall-back lookup with a
+		# search domain appended.
+		import dns.resolver
+		try:
+			response = dns.resolver.query(domain + ".", "A")
+		except:
+			return False
+		return len(response) == 1 and str(response[0]) == env["PUBLIC_IP"]
+	domains = set(d for d in domains if is_domain_dns_correct(d))
+	domains_if_any = set(d for d in domains_if_any if is_domain_dns_correct(d))
+
+	# If there are any domains we definitely will provision for, add in
+	# additional domains to do at this time.
+	if len(domains) > 0:
+		domains |= domains_if_any
+
+	# Sort, just to keep related domain names together in the next step.
+	domains = sort_domains(domains, env)
+
+	# Break into groups of up to 100 certificates at a time, which is Let's Encrypt's
+	# limit for a single certificate.
+	cert_domains = []
+	while len(domains) > 0:
+		cert_domains.append( domains[0:100] )
+		domains = domains[100:]
+
+	# Return a list of lists of domain names.
+	return cert_domains
+
+def provision_certificates(env, agree_to_tos_url=None, logger=None):
+	import requests.exceptions
+	import acme.messages
+
+	from free_tls_certificates import client
+
+	# What domains to provision certificates for? This is a list of
+	# lists of domains.
+	certs = get_certificates_to_provision(env)
+	if len(certs) == 0:
+		return {
+			"requests": [],
+		}
+
+	# Prepare to provision.
+
+	# Where should we put our Let's Encrypt account info and state cache.
+	account_path = os.path.join(env['STORAGE_ROOT'], 'ssl/lets_encrypt')
+	if not os.path.exists(account_path):
+		os.mkdir(account_path)
+
+	# Where should we put ACME challenge files. This is mapped to /.well-known/acme_challenge
+	# by the nginx configuration.
+	challenges_path = os.path.join(account_path, 'acme_challenges')
+	if not os.path.exists(challenges_path):
+		os.mkdir(challenges_path)
+
+	# Read in the private key that we use for all TLS certificates. We'll need that
+	# to generate a CSR (done by free_tls_certificates).
+	with open(os.path.join(env['STORAGE_ROOT'], 'ssl/ssl_private_key.pem'), 'rb') as f:
+		private_key = f.read()
+
+	# Provision certificates.
+
+	ret = []
+	for domain_list in certs:
+		# For return.
+		ret_item = {
+			"domains": domain_list,
+			"log": [],
+		}
+		ret.append(ret_item)
+
+		# Logging for free_tls_certificates.
+		def my_logger(message):
+			if logger: logger(message)
+			ret_item["log"].append(message)
+
+		# Attempt to provision a certificate.
+		try:
+			try:
+				cert = client.issue_certificate(
+					domain_list,
+					account_path,
+					agree_to_tos_url=agree_to_tos_url,
+					private_key=private_key,
+					logger=my_logger)
+
+			except client.NeedToTakeAction as e:
+				# Write out the ACME challenge files.
+				
+				for action in e.actions:
+					if isinstance(action, client.NeedToInstallFile):
+						fn = os.path.join(challenges_path, action.file_name)
+						with open(fn, 'w') as f:
+							f.write(action.contents)
+					else:
+						raise ValueError(str(action))
+
+				# Try to provision now that the challenge files are installed.
+
+				cert = client.issue_certificate(
+					domain_list,
+					account_path,
+					private_key=private_key,
+					logger=my_logger)
+
+		except client.NeedToAgreeToTOS as e:
+			# The user must agree to the Let's Encrypt terms of service agreement
+			# before any further action can be taken.
+			ret_item.update({
+				"result": "agree-to-tos",
+				"url": e.url,
+			})
+
+		except client.WaitABit as e:
+			# We need to hold on for a bit before querying again to see if we can
+			# acquire a provisioned certificate.
+			import time, datetime
+			ret_item.update({
+				"result": "wait",
+				"until": e.until_when, #.isoformat(),
+				"seconds": (e.until_when - datetime.datetime.now()).total_seconds()
+			})
+
+		except client.AccountDataIsCorrupt as e:
+			# This is an extremely rare condition.
+			ret_item.update({
+				"result": "error",
+				"message": "Something unexpected went wrong. It looks like your local Let's Encrypt account data is corrupted. There was a problem with the file " + e.account_file_path + ".",
+			})
+
+		except (client.InvalidDomainName, client.NeedToTakeAction, acme.messages.Error, requests.exceptions.RequestException) as e:
+			ret_item.update({
+				"result": "error",
+				"message": "Something unexpected went wrong: " + str(e),
+			})
+
+		else:
+			# A certificate was issued.
+
+			install_status = install_cert(domain_list[0], cert['cert'].decode("ascii"), b"\n".join(cert['chain']).decode("ascii"), env, raw=True)
+
+			# str indicates the certificate was not installed.
+			if isinstance(install_status, str):
+				ret_item.update({
+					"result": "error",
+					"message": "Something unexpected was wrong with the provisioned certificate: " + install_status,
+				})
+			else:
+				# A list indicates success and what happened next.
+				ret_item["log"].extend(install_status)
+				ret_item.update({
+					"result": "installed",
+				})
+
+	# Return what happened with each certificate request.
+	return {
+		"requests": ret
+	}
+
+def provision_certificates_cmdline():
+	import sys
+	from utils import load_environment, exclusive_process
+
+	exclusive_process("update_tls_certificates")
+	env = load_environment()
+
+	agree_to_tos_url = None
+	while True:
+		# Run the provisioning script. This installs certificates. If there are
+		# a very large number of domains on this box, it issues separate
+		# certificates for groups of domains. We have to check the result for
+		# each group.
+		def my_logger(message):
+			if "-v" in sys.argv:
+				print(">", message)
+		status = provision_certificates(env, agree_to_tos_url=agree_to_tos_url, logger=my_logger)
+		agree_to_tos_url = None # reset to prevent infinite looping
+
+		if not status["requests"]:
+			# No domains need certificates.
+			if "--headless" not in sys.argv or "-v" in sys.argv:
+				print("No domains hosted on this box need a certificate at this time.")
+			sys.exit(0)
+
+		# What happened?
+		wait_until = None
+		wait_domains = []
+		for request in status["requests"]:
+			if request["result"] == "agree-to-tos":
+				# We may have asked already in a previous iteration.
+				if agree_to_tos_url is not None:
+					continue
+
+				# Can't ask the user a question in this mode.
+				if "--headless" in sys.argv:
+					print("Can't issue TLS certficate until user has agreed to Let's Encrypt TOS.")
+					sys.exit(1)
+
+				print("""
+I'm going to provision a TLS certificate (formerly called a SSL certificate)
+for you from Let's Encrypt (letsencrypt.org).
+
+TLS certificates are cryptographic keys that ensure communication between
+you and this box are secure when getting and sending mail and visiting
+websites hosted on this box. Let's Encrypt is a free provider of TLS
+certificates.
+
+Please open this document in your web browser:
+
+%s
+
+It is Let's Encrypt's terms of service agreement. If you agree, I can
+provision that TLS certificate. If you don't agree, you will have an
+opportunity to install your own TLS certificate from the Mail-in-a-Box
+control panel.
+
+Do you agree to the agreement? Type Y or N and press <ENTER>: """
+				 % request["url"], end='', flush=True)
+			
+				if sys.stdin.readline().strip().upper() != "Y":
+					print("\nYou didn't agree. Quitting.")
+					sys.exit(1)
+
+				# Okay, indicate agreement on next iteration.
+				agree_to_tos_url = request["url"]
+
+			if request["result"] == "wait":
+				# Must wait. We'll record until when. The wait occurs below.
+				if wait_until is None:
+					wait_until = request["until"]
+				else:
+					wait_until = max(wait_until, request["until"])
+				wait_domains += request["domains"]
+
+			if request["result"] == "error":
+				print(", ".join(request["domains"]) + ":")
+				print(request["message"])
+
+			if request["result"] == "installed":
+				print("A TLS certificate was successfully installed for " + ", ".join(request["domains"]) + ".")
+
+		if wait_until:
+			# Wait, then loop.
+			import time, datetime
+			print()
+			print("A TLS certificate was requested for: " + ", ".join(wait_domains) + ".")
+			first = True
+			while wait_until > datetime.datetime.now():
+				if "--headless" not in sys.argv or first:
+					print ("We have to wait", int(round((wait_until - datetime.datetime.now()).total_seconds())), "seconds for the certificate to be issued...")
+				time.sleep(10)
+				first = False
+
+			continue # Loop!
+
+		if agree_to_tos_url:
+			# The user agrees to the TOS. Loop to try again by agreeing.
+			continue # Loop!
+
+		# Unless we were instructed to wait, or we just agreed to the TOS,
+		# we're done for now.
+		break
+
+# INSTALLING A NEW CERTIFICATE FROM THE CONTROL PANEL
 
 def create_csr(domain, ssl_key, country_code, env):
 	return shell("check_output", [
@@ -144,7 +468,7 @@ def create_csr(domain, ssl_key, country_code, env):
                 "-sha256",
                 "-subj", "/C=%s/ST=/L=/O=/CN=%s" % (country_code, domain)])
 
-def install_cert(domain, ssl_cert, ssl_chain, env):
+def install_cert(domain, ssl_cert, ssl_chain, env, raw=False):
 	# Write the combined cert+chain to a temporary path and validate that it is OK.
 	# The certificate always goes above the chain.
 	import tempfile
@@ -203,8 +527,10 @@ def install_cert(domain, ssl_cert, ssl_chain, env):
 	# Update the web configuration so nginx picks up the new certificate file.
 	from web_update import do_web_update
 	ret.append( do_web_update(env) )
+	if raw: return ret
 	return "\n".join(ret)
 
+# VALIDATION OF CERTIFICATES
 
 def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring_soon=True, rounded_time=False, just_check_domain=False):
 	# Check that the ssl_certificate & ssl_private_key files are good
@@ -305,16 +631,16 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring
 		# But is it expiring soon?
 		cert_expiration_date = cert.not_valid_after
 		ndays = (cert_expiration_date-now).days
-		if not rounded_time or ndays < 7:
+		if not rounded_time or ndays <= 10:
+			# Yikes better renew soon!
 			expiry_info = "The certificate expires in %d days on %s." % (ndays, cert_expiration_date.strftime("%x"))
-		elif ndays <= 14:
-			expiry_info = "The certificate expires in less than two weeks, on %s." % cert_expiration_date.strftime("%x")
-		elif ndays <= 31:
-			expiry_info = "The certificate expires in less than a month, on %s." % cert_expiration_date.strftime("%x")
 		else:
+			# We'll renew it with Lets Encrypt.
 			expiry_info = "The certificate expires on %s." % cert_expiration_date.strftime("%x")
 
-		if ndays <= 31 and warn_if_expiring_soon:
+		if ndays <= 10 and warn_if_expiring_soon:
+			# Warn on day 10 to give 4 days for us to automatically renew the
+			# certificate, which occurs on day 14.
 			return ("The certificate is expiring soon: " + expiry_info, None)
 
 		# Return the special OK code.
@@ -381,3 +707,7 @@ def get_certificate_domains(cert):
 		pass
 
 	return names, cn
+
+if __name__  == "__main__":
+	# Provision certificates.
+	provision_certificates_cmdline()
diff --git a/management/status_checks.py b/management/status_checks.py
index f7578dd2..4a62b091 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -278,23 +278,24 @@ def run_domain_checks(rounded_time, env, output, pool):
 	# Get the list of domains that we don't serve web for because of a custom CNAME/A record.
 	domains_with_a_records = get_domains_with_a_records(env)
 
-	ssl_certificates = get_ssl_certificates(env)
-
 	# Serial version:
 	#for domain in sort_domains(domains_to_check, env):
 	#	run_domain_checks_on_domain(domain, rounded_time, env, dns_domains, dns_zonefiles, mail_domains, web_domains)
 
 	# Parallelize the checks across a worker pool.
-	args = ((domain, rounded_time, env, dns_domains, dns_zonefiles, mail_domains, web_domains, domains_with_a_records, ssl_certificates)
+	args = ((domain, rounded_time, env, dns_domains, dns_zonefiles, mail_domains, web_domains, domains_with_a_records)
 		for domain in domains_to_check)
 	ret = pool.starmap(run_domain_checks_on_domain, args, chunksize=1)
 	ret = dict(ret) # (domain, output) => { domain: output }
 	for domain in sort_domains(ret, env):
 		ret[domain].playback(output)
 
-def run_domain_checks_on_domain(domain, rounded_time, env, dns_domains, dns_zonefiles, mail_domains, web_domains, domains_with_a_records, ssl_certificates):
+def run_domain_checks_on_domain(domain, rounded_time, env, dns_domains, dns_zonefiles, mail_domains, web_domains, domains_with_a_records):
 	output = BufferedOutput()
 
+	# we'd move this up, but this returns non-pickleable values
+	ssl_certificates = get_ssl_certificates(env)
+
 	# The domain is IDNA-encoded in the database, but for display use Unicode.
 	try:
 		domain_display = idna.decode(domain.encode('ascii'))
@@ -656,45 +657,28 @@ def check_ssl_cert(domain, rounded_time, ssl_certificates, env, output):
 	if query_dns(domain, "A", None) not in (env['PUBLIC_IP'], None): return
 
 	# Where is the SSL stored?
-	x = get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=True)
-
-	if x is None:
+	tls_cert = get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=True)
+	if tls_cert is None:
 		output.print_warning("""No SSL certificate is installed for this domain. Visitors to a website on
 			this domain will get a security warning. If you are not serving a website on this domain, you do
 			not need to take any action. Use the SSL Certificates page in the control panel to install a
 			SSL certificate.""")
 		return
 
-	ssl_key, ssl_certificate, ssl_via = x
-
 	# Check that the certificate is good.
 
-	cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key, rounded_time=rounded_time)
+	cert_status, cert_status_details = check_certificate(domain, tls_cert["certificate"], tls_cert["private-key"], rounded_time=rounded_time)
 
 	if cert_status == "OK":
 		# The certificate is ok. The details has expiry info.
-		output.print_ok("SSL certificate is signed & valid. %s %s" % (ssl_via if ssl_via else "", cert_status_details))
+		output.print_ok("SSL certificate is signed & valid. " + cert_status_details)
 
 	elif cert_status == "SELF-SIGNED":
 		# Offer instructions for purchasing a signed certificate.
-
-		fingerprint = shell('check_output', [
-			"openssl",
-			"x509",
-			"-in", ssl_certificate,
-			"-noout",
-			"-fingerprint"
-			])
-		fingerprint = re.sub(".*Fingerprint=", "", fingerprint).strip()
-
 		if domain == env['PRIMARY_HOSTNAME']:
 			output.print_error("""The SSL certificate for this domain is currently self-signed. You will get a security
 			warning when you check or send email and when visiting this domain in a web browser (for webmail or
-			static site hosting). Use the SSL Certificates page in the control panel to install a signed SSL certificate.
-			You may choose to leave the self-signed certificate in place and confirm the security exception, but check that
-			the certificate fingerprint matches the following:""")
-			output.print_line("")
-			output.print_line("   " + fingerprint, monospace=True)
+			static site hosting).""")
 		else:
 			output.print_error("""The SSL certificate for this domain is self-signed.""")
 
@@ -927,10 +911,10 @@ if __name__ == "__main__":
 		if query_dns(domain, "A") != env['PUBLIC_IP']:
 			sys.exit(1)
 		ssl_certificates = get_ssl_certificates(env)
-		ssl_key, ssl_certificate, ssl_via = get_domain_ssl_files(domain, ssl_certificates, env)
-		if not os.path.exists(ssl_certificate):
+		tls_cert = get_domain_ssl_files(domain, ssl_certificates, env)
+		if not os.path.exists(tls_cert["certificate"]):
 			sys.exit(1)
-		cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key, warn_if_expiring_soon=False)
+		cert_status, cert_status_details = check_certificate(domain, tls_cert["certificate"], tls_cert["private-key"], warn_if_expiring_soon=False)
 		if cert_status != "OK":
 			sys.exit(1)
 		sys.exit(0)
diff --git a/management/web_update.py b/management/web_update.py
index 9757dc84..5f5b6170 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -119,7 +119,7 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 	root = get_web_root(domain, env)
 
 	# What private key and SSL certificate will we use for this domain?
-	ssl_key, ssl_certificate, ssl_via = get_domain_ssl_files(domain, ssl_certificates, env)
+	tls_cert = get_domain_ssl_files(domain, ssl_certificates, env)
 
 	# ADDITIONAL DIRECTIVES.
 
@@ -136,7 +136,7 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 		finally:
 			f.close()
 		return sha1.hexdigest()
-	nginx_conf_extra += "# ssl files sha1: %s / %s\n" % (hashfile(ssl_key), hashfile(ssl_certificate))
+	nginx_conf_extra += "# ssl files sha1: %s / %s\n" % (hashfile(tls_cert["private-key"]), hashfile(tls_cert["certificate"]))
 
 	# Add in any user customizations in YAML format.
 	hsts = "yes"
@@ -177,8 +177,8 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 	nginx_conf = nginx_conf.replace("$STORAGE_ROOT", env['STORAGE_ROOT'])
 	nginx_conf = nginx_conf.replace("$HOSTNAME", domain)
 	nginx_conf = nginx_conf.replace("$ROOT", root)
-	nginx_conf = nginx_conf.replace("$SSL_KEY", ssl_key)
-	nginx_conf = nginx_conf.replace("$SSL_CERTIFICATE", ssl_certificate)
+	nginx_conf = nginx_conf.replace("$SSL_KEY", tls_cert["private-key"])
+	nginx_conf = nginx_conf.replace("$SSL_CERTIFICATE", tls_cert["certificate"])
 	nginx_conf = nginx_conf.replace("$REDIRECT_DOMAIN", re.sub(r"^www\.", "", domain)) # for default www redirects to parent domain
 
 	return nginx_conf
@@ -193,20 +193,15 @@ def get_web_root(domain, env, test_exists=True):
 def get_web_domains_info(env):
 	www_redirects = set(get_web_domains(env)) - set(get_web_domains(env, include_www_redirects=False))
 	has_root_proxy_or_redirect = set(get_web_domains_with_root_overrides(env))
+	ssl_certificates = get_ssl_certificates(env)
 
 	# for the SSL config panel, get cert status
 	def check_cert(domain):
-		ssl_certificates = get_ssl_certificates(env)
-		x = get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=True)
-		if x is None: return ("danger", "No Certificate Installed")
-		ssl_key, ssl_certificate, ssl_via = x
-		cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key)
+		tls_cert = get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=True)
+		if tls_cert is None: return ("danger", "No Certificate Installed")
+		cert_status, cert_status_details = check_certificate(domain, tls_cert["certificate"], tls_cert["private-key"])
 		if cert_status == "OK":
-			if not ssl_via:
-				return ("success", "Signed & valid. " + cert_status_details)
-			else:
-				# This is an alternate domain but using the same cert as the primary domain.
-				return ("success", "Signed & valid. " + ssl_via)
+			return ("success", "Signed & valid. " + cert_status_details)
 		elif cert_status == "SELF-SIGNED":
 			return ("warning", "Self-signed. Get a signed certificate to stop warnings.")
 		else:
diff --git a/setup/management.sh b/setup/management.sh
index 35e59c41..d4d22638 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -11,8 +11,11 @@ if [ -f /usr/local/lib/python2.7/dist-packages/boto/__init__.py ]; then hide_out
 # build-essential libssl-dev libffi-dev python3-dev: Required to pip install cryptography.
 apt_install python3-flask links duplicity python-boto libyaml-dev python3-dnspython python3-dateutil \
 	build-essential libssl-dev libffi-dev python3-dev python-pip
-hide_output pip3 install --upgrade rtyaml "email_validator>=1.0.0" "idna>=2.0.0" "cryptography>=1.0.2" boto psutil
 
+# Install other Python packages. The first line is the packages that Josh maintains himself!
+hide_output pip3 install --upgrade \
+	rtyaml "email_validator>=1.0.0" free_tls_certificates \
+	"idna>=2.0.0" "cryptography>=1.0.2" boto psutil
 # email_validator is repeated in setup/questions.sh
 
 # Create a backup directory and a random key for encrypting backups.
@@ -44,5 +47,5 @@ cat > /etc/cron.d/mailinabox-nightly << EOF;
 0 3 * * *	root	(cd `pwd` && management/daily_tasks.sh)
 EOF
 
-# Start it.
+# Start the management server.
 restart_service mailinabox
diff --git a/setup/start.sh b/setup/start.sh
index 7f1e989c..8c174109 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -116,6 +116,9 @@ done
 tools/dns_update
 tools/web_update
 
+# If DNS is already working, try to provision TLS certficates from Let's Encrypt.
+management/ssl_certificates.py
+
 # If there aren't any mail users yet, create one.
 source setup/firstuser.sh
 

From b1b57f9bfdcf7abedebe50a657f48e5feb79f989 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Fri, 1 Jan 2016 12:10:32 -0500
Subject: [PATCH 2/9] don't try to get certs for IDNA domains and report all
 reasons for not fetching a certificate

fixes #646
---
 management/ssl_certificates.py | 107 +++++++++++++++++++++++----------
 1 file changed, 74 insertions(+), 33 deletions(-)

diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index 7edd2108..c71c6950 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -5,6 +5,8 @@ import os, os.path, re, shutil
 
 from utils import shell, safe_domain_name, sort_domains
 
+import idna
+
 # SELECTING SSL CERTIFICATES FOR USE IN WEB
 
 def get_ssl_certificates(env):
@@ -155,7 +157,7 @@ def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False
 # PROVISIONING CERTIFICATES FROM LETSENCRYPT
 
 def get_certificates_to_provision(env):
-	# Get a list of domain names that we should now provision certificates
+	# Get a set of domain names that we should now provision certificates
 	# for. Provision if a domain name has no valid certificate or if any
 	# certificate is expiring in 14 days. If provisioning anything, also
 	# provision certificates expiring within 30 days. The period between
@@ -171,11 +173,13 @@ def get_certificates_to_provision(env):
 	certs = get_ssl_certificates(env)
 	domains = set()
 	domains_if_any = set()
+	problems = { }
 	for domain in get_web_domains(env):
 		try:
 			cert = get_domain_ssl_files(domain, certs, env, allow_missing_cert=True)
-		except FileNotFoundError:
+		except FileNotFoundError as e:
 			# system certificate is not present
+			problems[domain] = "Error: " + str(e)
 			continue
 		if cert is None:
 			# No valid certificate available.
@@ -192,37 +196,49 @@ def get_certificates_to_provision(env):
 			elif cert.not_valid_after-now < datetime.timedelta(days=30):
 				domains_if_any.add(domain)
 
-	# Filter out domains that don't have correct DNS, because then the CA
-	# won't be able to do DNS validation.
-	def is_domain_dns_correct(domain):
-		# Must make qname absolute to prevent a fall-back lookup with a
-		# search domain appended.
-		import dns.resolver
-		try:
-			response = dns.resolver.query(domain + ".", "A")
-		except:
+			# It's valid.
+			problems[domain] = "The certificate is valid for at least another 30 days --- no need to replace."
+
+	# Filter out domains that we can't provision a certificate for.
+	def can_provision_for_domain(domain):
+		# Let's Encrypt doesn't yet support IDNA domains.
+		# We store domains in IDNA (ASCII). To see if this domain is IDNA,
+		# we'll see if its IDNA-decoded form is different.
+		if idna.decode(domain.encode("ascii")) != domain:
+			problems[domain] = "Let's Encrypt does not yet support provisioning certificates for internationalized domains."
 			return False
-		return len(response) == 1 and str(response[0]) == env["PUBLIC_IP"]
-	domains = set(d for d in domains if is_domain_dns_correct(d))
-	domains_if_any = set(d for d in domains_if_any if is_domain_dns_correct(d))
+
+		# Does the domain resolve to this machine in public DNS? If not,
+		# we can't do domain control validation. For IPv6 is configured,
+		# make sure both IPv4 and IPv6 are correct because we don't know
+		# how Let's Encrypt will connect.
+		import dns.resolver
+		for rtype, value in [("A", env["PUBLIC_IP"]), ("AAAA", env.get("PUBLIC_IPV6"))]:
+			if not value: continue # IPv6 is not configured
+			try:
+				# Must make the qname absolute to prevent a fall-back lookup with a
+				# search domain appended, by adding a period to the end.
+				response = dns.resolver.query(domain + ".", rtype)
+			except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer) as e:
+				problems[domain] = "DNS isn't configured properly for this domain: DNS resolution failed (%s: %s)." % (rtype, str(e) or repr(e)) # NoAnswer's str is empty
+				return False
+			except Exception as e:
+				problems[domain] = "DNS isn't configured properly for this domain: DNS lookup had an error: %s." % str(e)
+				return False
+			if len(response) != 1 or str(response[0]) != value:
+				problems[domain] = "Domain control validation cannot be performed for this domain because DNS points the domain to another machine (%s %s)." % (rtype, ", ".join(str(r) for r in response))
+				return False
+
+		return True
+
+	domains = set(filter(can_provision_for_domain, domains))
 
 	# If there are any domains we definitely will provision for, add in
 	# additional domains to do at this time.
 	if len(domains) > 0:
-		domains |= domains_if_any
+		domains |= set(filter(can_provision_for_domain, domains_if_any))
 
-	# Sort, just to keep related domain names together in the next step.
-	domains = sort_domains(domains, env)
-
-	# Break into groups of up to 100 certificates at a time, which is Let's Encrypt's
-	# limit for a single certificate.
-	cert_domains = []
-	while len(domains) > 0:
-		cert_domains.append( domains[0:100] )
-		domains = domains[100:]
-
-	# Return a list of lists of domain names.
-	return cert_domains
+	return (domains, problems)
 
 def provision_certificates(env, agree_to_tos_url=None, logger=None):
 	import requests.exceptions
@@ -230,14 +246,25 @@ def provision_certificates(env, agree_to_tos_url=None, logger=None):
 
 	from free_tls_certificates import client
 
-	# What domains to provision certificates for? This is a list of
-	# lists of domains.
-	certs = get_certificates_to_provision(env)
-	if len(certs) == 0:
+	# What domains should we provision certificates for? And what
+	# errors prevent provisioning for other domains.
+	domains, problems = get_certificates_to_provision(env)
+
+	# Exit fast if there is nothing to do.
+	if len(domains) == 0:
 		return {
 			"requests": [],
+			"problems": problems,
 		}
 
+	# Break into groups of up to 100 certificates at a time, which is Let's Encrypt's
+	# limit for a single certificate. We'll sort to put related domains together.
+	domains = sort_domains(domains, env)
+	certs = []
+	while len(domains) > 0:
+		certs.append( domains[0:100] )
+		domains = domains[100:]
+
 	# Prepare to provision.
 
 	# Where should we put our Let's Encrypt account info and state cache.
@@ -352,7 +379,8 @@ def provision_certificates(env, agree_to_tos_url=None, logger=None):
 
 	# Return what happened with each certificate request.
 	return {
-		"requests": ret
+		"requests": ret,
+		"problems": problems,
 	}
 
 def provision_certificates_cmdline():
@@ -377,7 +405,14 @@ def provision_certificates_cmdline():
 		if not status["requests"]:
 			# No domains need certificates.
 			if "--headless" not in sys.argv or "-v" in sys.argv:
-				print("No domains hosted on this box need a certificate at this time.")
+				if len(status["problems"]) == 0:
+					print("No domains hosted on this box need a new TLS certificate at this time.")
+				elif len(status["problems"]) > 0:
+					print("No TLS certificates could be provisoned at this time:")
+					print()
+					for domain in sort_domains(status["problems"], env):
+						print("%s: %s" % (domain, status["problems"][domain]))
+
 			sys.exit(0)
 
 		# What happened?
@@ -459,6 +494,12 @@ Do you agree to the agreement? Type Y or N and press <ENTER>: """
 		# we're done for now.
 		break
 
+	# And finally show the domains with problems.
+	if len(status["problems"]) > 0:
+		print("TLS certificates could not be provisoned for:")
+		for domain in sort_domains(status["problems"], env):
+			print("%s: %s" % (domain, status["problems"][domain]))
+
 # INSTALLING A NEW CERTIFICATE FROM THE CONTROL PANEL
 
 def create_csr(domain, ssl_key, country_code, env):

From 4b4f670adf6379718bbdbb9d8b1268e44b8d61a9 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 2 Jan 2016 18:01:20 -0500
Subject: [PATCH 3/9] s/SSL/TLS/ in user-visible text throughout the project

---
 conf/nginx.conf                 |  4 ++--
 management/ssl_certificates.py  |  2 +-
 management/status_checks.py     | 22 +++++++++++-----------
 management/templates/index.html |  4 ++--
 management/templates/ssl.html   | 24 ++++++++++++------------
 security.md                     |  2 +-
 6 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 538f0743..0a08439e 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,6 +1,6 @@
 ## $HOSTNAME
 
-# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt SSL certificate
+# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt TLS certificate
 # domain validation challenges) path, which must be served over HTTP per the ACME spec
 # (due to some Apache vulnerability).
 server {
@@ -23,7 +23,7 @@ server {
 
 	location /.well-known/acme-challenge/ {
 		# This path must be served over HTTP for ACME domain validation.
-		# We map this to a special path where our SSL cert provisioning
+		# We map this to a special path where our TLS cert provisioning
 		# tool knows to store challenge response files.
 		alias $STORAGE_ROOT/ssl/lets_encrypt/acme_challenges/;
 	}
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index c71c6950..0f019796 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -663,7 +663,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring
 			return ("The certificate is missing an intermediate chain or the intermediate chain is incorrect or incomplete. (%s)" % verifyoutput, None)
 
 		# There is some unknown problem. Return the `openssl verify` raw output.
-		return ("There is a problem with the SSL certificate.", verifyoutput.strip())
+		return ("There is a problem with the certificate.", verifyoutput.strip())
 
 	else:
 		# `openssl verify` returned a zero exit status so the cert is currently
diff --git a/management/status_checks.py b/management/status_checks.py
index 4a62b091..4e906533 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -1,7 +1,7 @@
 #!/usr/bin/python3
 #
 # Checks that the upstream DNS has been set correctly and that
-# SSL certificates have been signed, etc., and if not tells the user
+# TLS certificates have been signed, etc., and if not tells the user
 # what to do next.
 
 import sys, os, os.path, re, subprocess, datetime, multiprocessing.pool
@@ -609,7 +609,7 @@ def check_web_domain(domain, rounded_time, ssl_certificates, env, output):
 				webmail or a website on this domain. The domain currently resolves to %s in public DNS. It may take several hours for
 				public DNS to update after a change. This problem may result from other issues listed here.""" % (env['PUBLIC_IP'], ip))
 
-	# We need a SSL certificate for PRIMARY_HOSTNAME because that's where the
+	# We need a TLS certificate for PRIMARY_HOSTNAME because that's where the
 	# user will log in with IMAP or webmail. Any other domain we serve a
 	# website for also needs a signed certificate.
 	check_ssl_cert(domain, rounded_time, ssl_certificates, env, output)
@@ -651,18 +651,18 @@ def query_dns(qname, rtype, nxdomain='[Not Set]', at=None):
 	return "; ".join(sorted(str(r).rstrip('.') for r in response))
 
 def check_ssl_cert(domain, rounded_time, ssl_certificates, env, output):
-	# Check that SSL certificate is signed.
+	# Check that TLS certificate is signed.
 
 	# Skip the check if the A record is not pointed here.
 	if query_dns(domain, "A", None) not in (env['PUBLIC_IP'], None): return
 
-	# Where is the SSL stored?
+	# Where is the certificate file stored?
 	tls_cert = get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=True)
 	if tls_cert is None:
-		output.print_warning("""No SSL certificate is installed for this domain. Visitors to a website on
+		output.print_warning("""No TLS (SSL) certificate is installed for this domain. Visitors to a website on
 			this domain will get a security warning. If you are not serving a website on this domain, you do
-			not need to take any action. Use the SSL Certificates page in the control panel to install a
-			SSL certificate.""")
+			not need to take any action. Use the TLS Certificates page in the control panel to install a
+			TLS certificate.""")
 		return
 
 	# Check that the certificate is good.
@@ -671,19 +671,19 @@ def check_ssl_cert(domain, rounded_time, ssl_certificates, env, output):
 
 	if cert_status == "OK":
 		# The certificate is ok. The details has expiry info.
-		output.print_ok("SSL certificate is signed & valid. " + cert_status_details)
+		output.print_ok("TLS (SSL) certificate is signed & valid. " + cert_status_details)
 
 	elif cert_status == "SELF-SIGNED":
 		# Offer instructions for purchasing a signed certificate.
 		if domain == env['PRIMARY_HOSTNAME']:
-			output.print_error("""The SSL certificate for this domain is currently self-signed. You will get a security
+			output.print_error("""The TLS (SSL) certificate for this domain is currently self-signed. You will get a security
 			warning when you check or send email and when visiting this domain in a web browser (for webmail or
 			static site hosting).""")
 		else:
-			output.print_error("""The SSL certificate for this domain is self-signed.""")
+			output.print_error("""The TLS (SSL) certificate for this domain is self-signed.""")
 
 	else:
-		output.print_error("The SSL certificate has a problem: " + cert_status)
+		output.print_error("The TLS (SSL) certificate has a problem: " + cert_status)
 		if cert_status_details:
 			output.print_line("")
 			output.print_line(cert_status_details)
diff --git a/management/templates/index.html b/management/templates/index.html
index 2b59abea..6f2929ec 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -87,7 +87,7 @@
               <a href="#" class="dropdown-toggle" data-toggle="dropdown">System <b class="caret"></b></a>
               <ul class="dropdown-menu">
                 <li><a href="#system_status" onclick="return show_panel(this);">Status Checks</a></li>
-                <li><a href="#ssl" onclick="return show_panel(this);">SSL Certificates</a></li>
+                <li><a href="#tls" onclick="return show_panel(this);">TLS (SSL) Certificates</a></li>
                 <li><a href="#system_backup" onclick="return show_panel(this);">Backup Status</a></li>
                 <li class="divider"></li>
                 <li class="dropdown-header">Advanced Pages</li>
@@ -155,7 +155,7 @@
       {% include "web.html" %}
       </div>
 
-      <div id="panel_ssl" class="admin_panel">
+      <div id="panel_tls" class="admin_panel">
       {% include "ssl.html" %}
       </div>
 
diff --git a/management/templates/ssl.html b/management/templates/ssl.html
index d411098c..48fc91c8 100644
--- a/management/templates/ssl.html
+++ b/management/templates/ssl.html
@@ -1,7 +1,7 @@
 <style>
 </style>
 
-<h2>SSL Certificates</h2>
+<h2>TLS (SSL) Certificates</h2>
 
 <h3>Certificate Status</h3>
 
@@ -20,15 +20,15 @@
 
 <p>A multi-domain or wildcard certificate will be automatically applied to any domains it is valid for.</p>
 
-<h3 id="ssl_install_header">Install SSL Certificate</h3>
+<h3 id="ssl_install_header">Install Certificate</h3>
 
-<p>There are many places where you can get a free or cheap SSL certificate. We recommend <a href="https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx">Namecheap&rsquo;s $9 certificate</a>, <a href="https://www.startssl.com/">StartSSL&rsquo;s free express lane</a> or <a href="https://buy.wosign.com/free/">WoSign&rsquo;s free SSL</a></a>.</p>
+<p>There are many places where you can get a free or cheap certificate. We recommend <a href="https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx">Namecheap&rsquo;s $9 certificate</a>, <a href="https://www.startssl.com/">StartSSL&rsquo;s free express lane</a> or <a href="https://buy.wosign.com/free/">WoSign&rsquo;s free TLS</a></a>.</p>
 
-<p>Which domain are you getting an SSL certificate for?</p>
+<p>Which domain are you getting a certificate for?</p>
 
 <p><select id="ssldomain" onchange="show_csr()" class="form-control" style="width: auto"></select></p>
 
-<p>What country are you in? This is required by some SSL certificate providers. You may leave this blank if you know your SSL certificate provider doesn't require it.</p>
+<p>What country are you in? This is required by some TLS certificate providers. You may leave this blank if you know your TLS certificate provider doesn't require it.</p>
 
 <p><select id="sslcc" onchange="show_csr()" class="form-control" style="width: auto">
 	<option value="">(Select)</option>
@@ -38,18 +38,18 @@
 </select></p>
 
 <div id="csr_info" style="display: none">
-  <p>You will need to provide the SSL certificate provider this Certificate Signing Request (CSR):</p>
+  <p>You will need to provide the certificate provider this Certificate Signing Request (CSR):</p>
 
   <pre id="ssl_csr"></pre>
 
   <p><small>The CSR is safe to share. It can only be used in combination with a secret key stored on this machine.</small></p>
 
-  <p>The SSL certificate provider will then provide you with an SSL certificate. They may also provide you with an intermediate chain. Paste each separately into the boxes below:</p>
+  <p>The certificate provider will then provide you with a TLS/SSL certificate. They may also provide you with an intermediate chain. Paste each separately into the boxes below:</p>
 
-  <p style="margin-bottom: .5em">SSL certificate:</p>
+  <p style="margin-bottom: .5em">TLS/SSL certificate:</p>
   <p><textarea id="ssl_paste_cert" class="form-control" style="max-width: 40em; height: 8em" placeholder="-----BEGIN CERTIFICATE-----&#xA;stuff here&#xA;-----END CERTIFICATE-----"></textarea></p>
 
-  <p style="margin-bottom: .5em">SSL intermediate chain (if provided):</p>
+  <p style="margin-bottom: .5em">TLS/SSL intermediate chain (if provided):</p>
   <p><textarea id="ssl_paste_chain" class="form-control" style="max-width: 40em; height: 8em" placeholder="-----BEGIN CERTIFICATE-----&#xA;stuff here&#xA;-----END CERTIFICATE-----&#xA;-----BEGIN CERTIFICATE-----&#xA;more stuff here&#xA;-----END CERTIFICATE-----"></textarea></p>
 
   <p>After you paste in the information, click the install button.</p>
@@ -58,7 +58,7 @@
 </div>
 
 <script>
-function show_ssl() {
+function show_tls() {
  api(
     "/web/domains",
     "GET",
@@ -122,9 +122,9 @@ function install_cert() {
     function(status) {
       if (/^OK($|\n)/.test(status)) {
         console.log(status)
-        show_modal_error("SSL Certificate Installation", "Certificate has been installed. Check that you have no connection problems to the domain.", function() { show_ssl(); $('#csr_info').slideUp(); });
+        show_modal_error("TLS Certificate Installation", "Certificate has been installed. Check that you have no connection problems to the domain.", function() { show_ssl(); $('#csr_info').slideUp(); });
       } else {
-        show_modal_error("SSL Certificate Installation", status);
+        show_modal_error("TLS Certificate Installation", status);
       }
     });
 }
diff --git a/security.md b/security.md
index 46808078..3616a5fd 100644
--- a/security.md
+++ b/security.md
@@ -38,7 +38,7 @@ These services are protected by [TLS](https://en.wikipedia.org/wiki/Transport_La
 
 The services all follow these rules:
 
-* SSL certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh))
+* TLS certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh))
 * Only TLSv1, TLSv1.1 and TLSv1.2 are offered (the older SSL protocols are not offered).
 * Export-grade ciphers, the anonymous DH/ECDH algorithms (aNULL), and clear-text ciphers (eNULL) are not offered.
 * The minimum cipher key length offered is 112 bits. The maximum is 256 bits. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy.

From bac15d391967d26e0ae6e960a30346810f36c292 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 2 Jan 2016 17:53:47 -0500
Subject: [PATCH 4/9] provision tls certificates from the control panel

---
 management/daemon.py           | 13 ++++++++
 management/ssl_certificates.py | 11 +++++--
 management/templates/ssl.html  | 59 +++++++++++++++++++++++++++++-----
 management/web_update.py       | 11 ++++---
 4 files changed, 78 insertions(+), 16 deletions(-)

diff --git a/management/daemon.py b/management/daemon.py
index d223b040..6ba111d7 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -327,6 +327,19 @@ def dns_get_dump():
 
 # SSL
 
+@app.route('/ssl/status')
+@authorized_personnel_only
+def ssl_get_status():
+	from ssl_certificates import get_certificates_to_provision
+	from web_update import get_web_domains_info
+	provision, cant_provision = get_certificates_to_provision(env, ok_as_problem=False)
+	domains_status = get_web_domains_info(env)
+	return json_response({
+		"can_provision": list(provision),
+		"cant_provision": [{ "domain": domain, "problem": cant_provision[domain] } for domain in utils.sort_domains(cant_provision, env) ],
+		"status": [{ "domain": d["domain"], "status": d["ssl_certificate"][0], "text": d["ssl_certificate"][1] } for d in domains_status ],
+	})
+
 @app.route('/ssl/csr/<domain>', methods=['POST'])
 @authorized_personnel_only
 def ssl_get_csr(domain):
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index 0f019796..fd922ede 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -156,7 +156,7 @@ def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False
 
 # PROVISIONING CERTIFICATES FROM LETSENCRYPT
 
-def get_certificates_to_provision(env):
+def get_certificates_to_provision(env, ok_as_problem=True):
 	# Get a set of domain names that we should now provision certificates
 	# for. Provision if a domain name has no valid certificate or if any
 	# certificate is expiring in 14 days. If provisioning anything, also
@@ -196,8 +196,13 @@ def get_certificates_to_provision(env):
 			elif cert.not_valid_after-now < datetime.timedelta(days=30):
 				domains_if_any.add(domain)
 
-			# It's valid.
-			problems[domain] = "The certificate is valid for at least another 30 days --- no need to replace."
+			# It's valid. Should we report its validness?
+			if ok_as_problem:
+				problems[domain] = "The certificate is valid for at least another 30 days --- no need to replace."
+
+	# Warn the user about domains hosted elsewhere.
+	for domain in set(get_web_domains(env, exclude_dns_elsewhere=False)) - set(get_web_domains(env)):
+		problems[domain] = "The domain's DNS is pointed elsewhere, so a TLS certificate is not necessary here and cannot be provisioned automatically anyway."
 
 	# Filter out domains that we can't provision a certificate for.
 	def can_provision_for_domain(domain):
diff --git a/management/templates/ssl.html b/management/templates/ssl.html
index 48fc91c8..2f9a1cab 100644
--- a/management/templates/ssl.html
+++ b/management/templates/ssl.html
@@ -3,10 +3,30 @@
 
 <h2>TLS (SSL) Certificates</h2>
 
+<p>An SSL certificate is a cryptographic file that proves to anyone connecting to this machine (like you right now) that the connection is secure.</p>
+
+<p>You need an SSL certificate for this box&rsquo;s hostname ({{hostname}}), and although optional you should also get one for every domain name and subdomain managed by this box (unless you&rsquo;ve directed DNS for a domain elsewhere through custom or external DNS).</p>
+
+<h3>Provision a Certificate</h3>
+
+<p>We can provision an SSL certificate for you from <a href="https://letsencrypt.org/" target="_blank">Let&rsquo;s Encrypt</a>, a free SSL certificate provider.</p>
+
+<p id="ssl_provision_status"></p>
+
+<table id="ssl_provision_problems" style="display: none" class="table">
+  <thead>
+    <tr>
+      <th>Domain</th>
+      <th>Problem</th>
+    </tr>
+  </thead>
+  <tbody>
+  </tbody>
+</table>
+
 <h3>Certificate Status</h3>
 
-
-<table id="ssl_domains" class="table" style="margin-bottom: 2em; width: auto;">
+<table id="ssl_domains" class="table" style="margin-bottom: 2em; width: auto; display: none">
   <thead>
     <tr>
       <th>Domain</th>
@@ -60,24 +80,47 @@
 <script>
 function show_tls() {
  api(
-    "/web/domains",
+    "/ssl/status",
     "GET",
     {
     },
-    function(domains) {
+    function(res) {
+      // provisioning status
+      if (res.can_provision.length > 0) {
+          $('#ssl_provision_status').removeClass("text-warning").removeClass("text-success")
+             .text("Domains: " + res.can_provision.join(", "));
+      } else if (res.cant_provision.length == 0) {
+          $('#ssl_provision_status').addClass("text-success").text("No domains hosted on this box need a new TLS certificate at this time.");
+      } else {
+          $('#ssl_provision_status').addClass("text-warning").text("No TLS certificates can be provisoned at this time:");
+      }
+      $('#ssl_provision_problems').toggle(res.cant_provision.length > 0);
+      $('#ssl_provision_problems tbody').text("");
+      for (var i = 0; i < res.cant_provision.length; i++) {
+        var domain = res.cant_provision[i];
+        var row = $("<tr><th class='domain'><a href=''></a></th><td class='status'></td></tr>");
+        $('#ssl_provision_problems tbody').append(row);
+        row.attr('data-domain', domain.domain);
+        row.find('.domain a').text(domain.domain);
+        row.find('.domain a').attr('href', 'https://' + domain.domain);
+        row.find('.status').text(domain.problem);
+      }
+
+      // certificate status
+      var domains = res.status;
       var tb = $('#ssl_domains tbody');
       tb.text('');
       $('#ssldomain').html('<option value="">(select)</option>');
-
+      $('#ssl_domains').show();
       for (var i = 0; i < domains.length; i++) {
         var row = $("<tr><th class='domain'><a href=''></a></th><td class='status'></td> <td class='actions'><a href='#' onclick='return ssl_install(this);' class='btn btn-xs'>Install Certificate</a></td></tr>");
         tb.append(row);
         row.attr('data-domain', domains[i].domain);
         row.find('.domain a').text(domains[i].domain);
         row.find('.domain a').attr('href', 'https://' + domains[i].domain);
-        row.addClass("text-" + domains[i].ssl_certificate[0]);
-        row.find('.status').text(domains[i].ssl_certificate[1]);
-        if (domains[i].ssl_certificate[0] == "success") {
+        row.addClass("text-" + domains[i].status);
+        row.find('.status').text(domains[i].text);
+        if (domains[i].status == "success") {
           row.find('.actions a').addClass('btn-default').text('Replace Certificate');
         } else {
           row.find('.actions a').addClass('btn-primary').text('Install Certificate');
diff --git a/management/web_update.py b/management/web_update.py
index 5f5b6170..ffd1cff9 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -9,7 +9,7 @@ from dns_update import get_custom_dns_config, get_dns_zones
 from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate
 from utils import shell, safe_domain_name, sort_domains
 
-def get_web_domains(env, include_www_redirects=True):
+def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True):
 	# What domains should we serve HTTP(S) for?
 	domains = set()
 
@@ -24,9 +24,10 @@ def get_web_domains(env, include_www_redirects=True):
 		# the topmost of each domain we serve.
 		domains |= set('www.' + zone for zone, zonefile in get_dns_zones(env))
 	 
-	# ...Unless the domain has an A/AAAA record that maps it to a different
-	# IP address than this box. Remove those domains from our list.
-	domains -= get_domains_with_a_records(env)
+	if exclude_dns_elsewhere:
+		# ...Unless the domain has an A/AAAA record that maps it to a different
+		# IP address than this box. Remove those domains from our list.
+		domains -= get_domains_with_a_records(env)
 
 	# Ensure the PRIMARY_HOSTNAME is in the list so we can serve webmail
 	# as well as Z-Push for Exchange ActiveSync. This can't be removed
@@ -216,4 +217,4 @@ def get_web_domains_info(env):
 			"static_enabled": domain not in (www_redirects | has_root_proxy_or_redirect),
 		}
 		for domain in get_web_domains(env)
-	]
\ No newline at end of file
+	]

From b8d6226a9a15acf03e9484725a380f17ad52c6e1 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 2 Jan 2016 18:22:22 -0500
Subject: [PATCH 5/9] when provisioning tls certs from the command line,
 specify domain names as command line arguments to force getting certs for
 those domains

---
 management/daemon.py           |  2 +-
 management/ssl_certificates.py | 44 +++++++++++++++++++++++++++-------
 management/templates/ssl.html  | 15 ++++++++----
 3 files changed, 46 insertions(+), 15 deletions(-)

diff --git a/management/daemon.py b/management/daemon.py
index 6ba111d7..926c65b3 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -335,7 +335,7 @@ def ssl_get_status():
 	provision, cant_provision = get_certificates_to_provision(env, ok_as_problem=False)
 	domains_status = get_web_domains_info(env)
 	return json_response({
-		"can_provision": list(provision),
+		"can_provision": utils.sort_domains(provision, env),
 		"cant_provision": [{ "domain": domain, "problem": cant_provision[domain] } for domain in utils.sort_domains(cant_provision, env) ],
 		"status": [{ "domain": d["domain"], "status": d["ssl_certificate"][0], "text": d["ssl_certificate"][1] } for d in domains_status ],
 	})
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index fd922ede..0d72cc1c 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -156,7 +156,7 @@ def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False
 
 # PROVISIONING CERTIFICATES FROM LETSENCRYPT
 
-def get_certificates_to_provision(env, ok_as_problem=True):
+def get_certificates_to_provision(env, ok_as_problem=True, force_domains=None):
 	# Get a set of domain names that we should now provision certificates
 	# for. Provision if a domain name has no valid certificate or if any
 	# certificate is expiring in 14 days. If provisioning anything, also
@@ -175,6 +175,13 @@ def get_certificates_to_provision(env, ok_as_problem=True):
 	domains_if_any = set()
 	problems = { }
 	for domain in get_web_domains(env):
+		# If the user really wants a cert for certain domains, include it.
+		if force_domains:
+			if force_domains == "ALL" or (isinstance(force_domains, list) and domain in force_domains):
+				domains.add(domain)
+			continue
+
+		# Include this domain if its certificate is missing, self-signed, or expiring soon.
 		try:
 			cert = get_domain_ssl_files(domain, certs, env, allow_missing_cert=True)
 		except FileNotFoundError as e:
@@ -201,8 +208,9 @@ def get_certificates_to_provision(env, ok_as_problem=True):
 				problems[domain] = "The certificate is valid for at least another 30 days --- no need to replace."
 
 	# Warn the user about domains hosted elsewhere.
-	for domain in set(get_web_domains(env, exclude_dns_elsewhere=False)) - set(get_web_domains(env)):
-		problems[domain] = "The domain's DNS is pointed elsewhere, so a TLS certificate is not necessary here and cannot be provisioned automatically anyway."
+	if force_domains is None:
+		for domain in set(get_web_domains(env, exclude_dns_elsewhere=False)) - set(get_web_domains(env)):
+			problems[domain] = "The domain's DNS is pointed elsewhere, so a TLS certificate is not necessary here and cannot be provisioned automatically anyway."
 
 	# Filter out domains that we can't provision a certificate for.
 	def can_provision_for_domain(domain):
@@ -245,7 +253,7 @@ def get_certificates_to_provision(env, ok_as_problem=True):
 
 	return (domains, problems)
 
-def provision_certificates(env, agree_to_tos_url=None, logger=None):
+def provision_certificates(env, agree_to_tos_url=None, logger=None, force_domains=None):
 	import requests.exceptions
 	import acme.messages
 
@@ -253,7 +261,7 @@ def provision_certificates(env, agree_to_tos_url=None, logger=None):
 
 	# What domains should we provision certificates for? And what
 	# errors prevent provisioning for other domains.
-	domains, problems = get_certificates_to_provision(env)
+	domains, problems = get_certificates_to_provision(env, force_domains=force_domains)
 
 	# Exit fast if there is nothing to do.
 	if len(domains) == 0:
@@ -395,6 +403,24 @@ def provision_certificates_cmdline():
 	exclusive_process("update_tls_certificates")
 	env = load_environment()
 
+	verbose = False
+	headless = False
+	force_domains = None
+	
+	args = list(sys.argv)
+	args.pop(0) # program name
+	if args and args[0] == "-v":
+		verbose = True
+		args.pop(0)
+	if args and args[0] == "--headless":
+		headless = True
+		args.pop(0)
+	if args and args[0] == "--force":
+		force_domains = "ALL"
+		args.pop(0)
+	else:
+		force_domains = args
+
 	agree_to_tos_url = None
 	while True:
 		# Run the provisioning script. This installs certificates. If there are
@@ -402,14 +428,14 @@ def provision_certificates_cmdline():
 		# certificates for groups of domains. We have to check the result for
 		# each group.
 		def my_logger(message):
-			if "-v" in sys.argv:
+			if verbose:
 				print(">", message)
-		status = provision_certificates(env, agree_to_tos_url=agree_to_tos_url, logger=my_logger)
+		status = provision_certificates(env, agree_to_tos_url=agree_to_tos_url, logger=my_logger, force_domains=force_domains)
 		agree_to_tos_url = None # reset to prevent infinite looping
 
 		if not status["requests"]:
 			# No domains need certificates.
-			if "--headless" not in sys.argv or "-v" in sys.argv:
+			if not headless or verbose:
 				if len(status["problems"]) == 0:
 					print("No domains hosted on this box need a new TLS certificate at this time.")
 				elif len(status["problems"]) > 0:
@@ -430,7 +456,7 @@ def provision_certificates_cmdline():
 					continue
 
 				# Can't ask the user a question in this mode.
-				if "--headless" in sys.argv:
+				if headless in sys.argv:
 					print("Can't issue TLS certficate until user has agreed to Let's Encrypt TOS.")
 					sys.exit(1)
 
diff --git a/management/templates/ssl.html b/management/templates/ssl.html
index 2f9a1cab..336eabd3 100644
--- a/management/templates/ssl.html
+++ b/management/templates/ssl.html
@@ -3,9 +3,9 @@
 
 <h2>TLS (SSL) Certificates</h2>
 
-<p>An SSL certificate is a cryptographic file that proves to anyone connecting to this machine (like you right now) that the connection is secure.</p>
+<p>A TLS (formerly called SSL) certificate is a cryptographic file that proves to anyone connecting to a web address that the connection is secure between you and the owner of that address.</p>
 
-<p>You need an SSL certificate for this box&rsquo;s hostname ({{hostname}}), and although optional you should also get one for every domain name and subdomain managed by this box (unless you&rsquo;ve directed DNS for a domain elsewhere through custom or external DNS).</p>
+<p>You need a TLS certificate for this box&rsquo;s hostname ({{hostname}}) and every other domain name and subdomain that this box is hosting a website for (see the list below).</p>
 
 <h3>Provision a Certificate</h3>
 
@@ -87,12 +87,17 @@ function show_tls() {
     function(res) {
       // provisioning status
       if (res.can_provision.length > 0) {
-          $('#ssl_provision_status').removeClass("text-warning").removeClass("text-success")
+          $('#ssl_provision_status')
+             .removeClass("text-warning").removeClass("text-success").addClass("text-danger")
              .text("Domains: " + res.can_provision.join(", "));
       } else if (res.cant_provision.length == 0) {
-          $('#ssl_provision_status').addClass("text-success").text("No domains hosted on this box need a new TLS certificate at this time.");
+          $('#ssl_provision_status')
+              .addClass("text-success").removeClass("text-warning").removeClass("text-danger")
+              .text("No domains hosted on this box need a new TLS certificate at this time.");
       } else {
-          $('#ssl_provision_status').addClass("text-warning").text("No TLS certificates can be provisoned at this time:");
+          $('#ssl_provision_status')
+              .removeClass("text-success").addClass("text-warning").removeClass("text-danger")
+              .text("No TLS certificates can be provisoned at this time:");
       }
       $('#ssl_provision_problems').toggle(res.cant_provision.length > 0);
       $('#ssl_provision_problems tbody').text("");

From 40cdc5aa304a8b65c31900c2edba8a951b729dd5 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Mon, 4 Jan 2016 08:45:12 -0500
Subject: [PATCH 6/9] status checks: if a domain's DNS isnt working dont check
 the TLS certificate because we cant automatically provision one now anyway

---
 management/status_checks.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/management/status_checks.py b/management/status_checks.py
index 4e906533..673c3f23 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -608,6 +608,7 @@ def check_web_domain(domain, rounded_time, ssl_certificates, env, output):
 			output.print_error("""This domain should resolve to your box's IP address (%s) if you would like the box to serve
 				webmail or a website on this domain. The domain currently resolves to %s in public DNS. It may take several hours for
 				public DNS to update after a change. This problem may result from other issues listed here.""" % (env['PUBLIC_IP'], ip))
+			return
 
 	# We need a TLS certificate for PRIMARY_HOSTNAME because that's where the
 	# user will log in with IMAP or webmail. Any other domain we serve a

From 812ef024ef6dece005c652a029dce5daeac0f5fc Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Mon, 4 Jan 2016 08:51:15 -0500
Subject: [PATCH 7/9] status checks: check that the non-primary domains also
 resolve over IPv6, if configured

---
 management/status_checks.py | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/management/status_checks.py b/management/status_checks.py
index 673c3f23..74116f23 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -601,14 +601,21 @@ def check_web_domain(domain, rounded_time, ssl_certificates, env, output):
 	# for PRIMARY_HOSTNAME, for which it is required for mail specifically. For it and
 	# other domains, it is required to access its website.
 	if domain != env['PRIMARY_HOSTNAME']:
-		ip = query_dns(domain, "A")
-		if ip == env['PUBLIC_IP']:
-			output.print_ok("Domain resolves to this box's IP address. [%s ↦ %s]" % (domain, env['PUBLIC_IP']))
-		else:
-			output.print_error("""This domain should resolve to your box's IP address (%s) if you would like the box to serve
-				webmail or a website on this domain. The domain currently resolves to %s in public DNS. It may take several hours for
-				public DNS to update after a change. This problem may result from other issues listed here.""" % (env['PUBLIC_IP'], ip))
-			return
+		ok_values = []
+		for (rtype, expected) in (("A", env['PUBLIC_IP']), ("AAAA", env.get('PUBLIC_IPV6'))):
+			if not expected: continue # IPv6 is not configured
+			value = query_dns(domain, rtype)
+			if value == expected:
+				ok_values.append(value)
+			else:
+				output.print_error("""This domain should resolve to your box's IP address (%s %s) if you would like the box to serve
+					webmail or a website on this domain. The domain currently resolves to %s in public DNS. It may take several hours for
+					public DNS to update after a change. This problem may result from other issues listed here.""" % (rtype, expected, value))
+				return
+
+		# If both A and AAAA are correct...
+		output.print_ok("Domain resolves to this box's IP address. [%s ↦ %s]" % (domain, '; '.join(ok_values)))
+
 
 	# We need a TLS certificate for PRIMARY_HOSTNAME because that's where the
 	# user will log in with IMAP or webmail. Any other domain we serve a

From 2882e63dd8965d6048f60c458846b25a4c7c28d1 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Mon, 4 Jan 2016 18:22:02 -0500
Subject: [PATCH 8/9] second part of provisioning tls certificates from the
 control panel

---
 management/daemon.py           |  31 ++++++-
 management/ssl_certificates.py |  13 ++-
 management/templates/ssl.html  | 147 ++++++++++++++++++++++++++++-----
 3 files changed, 160 insertions(+), 31 deletions(-)

diff --git a/management/daemon.py b/management/daemon.py
index 926c65b3..1099a596 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -331,13 +331,27 @@ def dns_get_dump():
 @authorized_personnel_only
 def ssl_get_status():
 	from ssl_certificates import get_certificates_to_provision
-	from web_update import get_web_domains_info
-	provision, cant_provision = get_certificates_to_provision(env, ok_as_problem=False)
+	from web_update import get_web_domains_info, get_web_domains
+
+	# What domains can we provision certificates for? What unexpected problems do we have?
+	provision, cant_provision = get_certificates_to_provision(env, show_extended_problems=False)
+	
+	# What's the current status of TLS certificates on all of the domain?
 	domains_status = get_web_domains_info(env)
+	domains_status = [{ "domain": d["domain"], "status": d["ssl_certificate"][0], "text": d["ssl_certificate"][1] } for d in domains_status ]
+
+	# Warn the user about domain names not hosted here because of other settings.
+	for domain in set(get_web_domains(env, exclude_dns_elsewhere=False)) - set(get_web_domains(env)):
+		domains_status.append({
+			"domain": domain,
+			"status": "not-applicable",
+			"text": "The domain's website is hosted elsewhere.",
+		})
+
 	return json_response({
 		"can_provision": utils.sort_domains(provision, env),
 		"cant_provision": [{ "domain": domain, "problem": cant_provision[domain] } for domain in utils.sort_domains(cant_provision, env) ],
-		"status": [{ "domain": d["domain"], "status": d["ssl_certificate"][0], "text": d["ssl_certificate"][1] } for d in domains_status ],
+		"status": domains_status,
 	})
 
 @app.route('/ssl/csr/<domain>', methods=['POST'])
@@ -359,6 +373,17 @@ def ssl_install_cert():
 		return "Invalid domain name."
 	return install_cert(domain, ssl_cert, ssl_chain, env)
 
+@app.route('/ssl/provision', methods=['POST'])
+@authorized_personnel_only
+def ssl_provision_certs():
+	from ssl_certificates import provision_certificates
+	agree_to_tos_url = request.form.get('agree_to_tos_url')
+	status = provision_certificates(env,
+		agree_to_tos_url=agree_to_tos_url,
+		jsonable=True)
+	return json_response(status)
+
+
 # WEB
 
 @app.route('/web/domains')
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index 0d72cc1c..35379198 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -156,7 +156,7 @@ def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False
 
 # PROVISIONING CERTIFICATES FROM LETSENCRYPT
 
-def get_certificates_to_provision(env, ok_as_problem=True, force_domains=None):
+def get_certificates_to_provision(env, show_extended_problems=True, force_domains=None):
 	# Get a set of domain names that we should now provision certificates
 	# for. Provision if a domain name has no valid certificate or if any
 	# certificate is expiring in 14 days. If provisioning anything, also
@@ -204,13 +204,13 @@ def get_certificates_to_provision(env, ok_as_problem=True, force_domains=None):
 				domains_if_any.add(domain)
 
 			# It's valid. Should we report its validness?
-			if ok_as_problem:
+			if show_extended_problems:
 				problems[domain] = "The certificate is valid for at least another 30 days --- no need to replace."
 
 	# Warn the user about domains hosted elsewhere.
-	if force_domains is None:
+	if not force_domains and show_extended_problems:
 		for domain in set(get_web_domains(env, exclude_dns_elsewhere=False)) - set(get_web_domains(env)):
-			problems[domain] = "The domain's DNS is pointed elsewhere, so a TLS certificate is not necessary here and cannot be provisioned automatically anyway."
+			problems[domain] = "The domain's DNS is pointed elsewhere, so there is no point to installing a TLS certificate here and we could not automatically provision one anyway because provisioning requires access to the website (which isn't here)."
 
 	# Filter out domains that we can't provision a certificate for.
 	def can_provision_for_domain(domain):
@@ -253,7 +253,7 @@ def get_certificates_to_provision(env, ok_as_problem=True, force_domains=None):
 
 	return (domains, problems)
 
-def provision_certificates(env, agree_to_tos_url=None, logger=None, force_domains=None):
+def provision_certificates(env, agree_to_tos_url=None, logger=None, force_domains=None, jsonable=False):
 	import requests.exceptions
 	import acme.messages
 
@@ -324,7 +324,6 @@ def provision_certificates(env, agree_to_tos_url=None, logger=None, force_domain
 
 			except client.NeedToTakeAction as e:
 				# Write out the ACME challenge files.
-				
 				for action in e.actions:
 					if isinstance(action, client.NeedToInstallFile):
 						fn = os.path.join(challenges_path, action.file_name)
@@ -355,7 +354,7 @@ def provision_certificates(env, agree_to_tos_url=None, logger=None, force_domain
 			import time, datetime
 			ret_item.update({
 				"result": "wait",
-				"until": e.until_when, #.isoformat(),
+				"until": e.until_when if not jsonable else e.until_when.isoformat(),
 				"seconds": (e.until_when - datetime.datetime.now()).total_seconds()
 			})
 
diff --git a/management/templates/ssl.html b/management/templates/ssl.html
index 336eabd3..ca9de298 100644
--- a/management/templates/ssl.html
+++ b/management/templates/ssl.html
@@ -7,13 +7,22 @@
 
 <p>You need a TLS certificate for this box&rsquo;s hostname ({{hostname}}) and every other domain name and subdomain that this box is hosting a website for (see the list below).</p>
 
+<div id="ssl_provision">
 <h3>Provision a Certificate</h3>
 
-<p>We can provision an SSL certificate for you from <a href="https://letsencrypt.org/" target="_blank">Let&rsquo;s Encrypt</a>, a free SSL certificate provider.</p>
+<div id="ssl_provision_p" style="display: none; margin-top: 1.5em">
+  <button onclick='return provision_tls_cert();' class='btn btn-primary' style="float: left; margin: 0 1.5em 1em 0;">Provision</button>
+  <p>A TLS certificate can be automatically provisioned from <a href="https://letsencrypt.org/" target="_blank">Let&rsquo;s Encrypt</a>, a free TLS certificate provider, for:<br>
+  <span class="text-primary"></span></p>
+</div>
 
-<p id="ssl_provision_status"></p>
+<div class="clearfix"> </div>
 
-<table id="ssl_provision_problems" style="display: none" class="table">
+<div id="ssl_provision_result"></div>
+
+<div id="ssl_provision_problems_div" style="display: none;">
+<p style="margin-bottom: .5em;">Certificates cannot be automatically provisioned for:</p>
+<table id="ssl_provision_problems" style="margin-top: 0;" class="table">
   <thead>
     <tr>
       <th>Domain</th>
@@ -23,9 +32,14 @@
   <tbody>
   </tbody>
 </table>
+<p>Use the <em>Install Certificate</em> button below for these domains.</p>
+</div>
+</div>
 
 <h3>Certificate Status</h3>
 
+<p style="margin-top: 1.5em">Certificates expire after a period of time. All certificates will be automatically renewed through <a href="https://letsencrypt.org/" target="_blank">Let&rsquo;s Encrypt</a> 14 days prior to expiration.</p>
+
 <table id="ssl_domains" class="table" style="margin-bottom: 2em; width: auto; display: none">
   <thead>
     <tr>
@@ -38,7 +52,6 @@
   </tbody>
 </table>
 
-<p>A multi-domain or wildcard certificate will be automatically applied to any domains it is valid for.</p>
 
 <h3 id="ssl_install_header">Install Certificate</h3>
 
@@ -48,6 +61,8 @@
 
 <p><select id="ssldomain" onchange="show_csr()" class="form-control" style="width: auto"></select></p>
 
+<p>(A multi-domain or wildcard certificate will be automatically applied to any domains it is valid for besides the one you choose above.)</p>
+
 <p>What country are you in? This is required by some TLS certificate providers. You may leave this blank if you know your TLS certificate provider doesn't require it.</p>
 
 <p><select id="sslcc" onchange="show_csr()" class="form-control" style="width: auto">
@@ -78,7 +93,7 @@
 </div>
 
 <script>
-function show_tls() {
+function show_tls(keep_provisioning_shown) {
  api(
     "/ssl/status",
     "GET",
@@ -86,20 +101,15 @@ function show_tls() {
     },
     function(res) {
       // provisioning status
-      if (res.can_provision.length > 0) {
-          $('#ssl_provision_status')
-             .removeClass("text-warning").removeClass("text-success").addClass("text-danger")
-             .text("Domains: " + res.can_provision.join(", "));
-      } else if (res.cant_provision.length == 0) {
-          $('#ssl_provision_status')
-              .addClass("text-success").removeClass("text-warning").removeClass("text-danger")
-              .text("No domains hosted on this box need a new TLS certificate at this time.");
-      } else {
-          $('#ssl_provision_status')
-              .removeClass("text-success").addClass("text-warning").removeClass("text-danger")
-              .text("No TLS certificates can be provisoned at this time:");
-      }
-      $('#ssl_provision_problems').toggle(res.cant_provision.length > 0);
+
+      if (!keep_provisioning_shown)
+        $('#ssl_provision').toggle(res.can_provision.length + res.cant_provision.length > 0)
+
+      $('#ssl_provision_p').toggle(res.can_provision.length > 0);
+      if (res.can_provision.length > 0)
+          $('#ssl_provision_p span').text(res.can_provision.join(", "));
+      
+      $('#ssl_provision_problems_div').toggle(res.cant_provision.length > 0);
       $('#ssl_provision_problems tbody').text("");
       for (var i = 0; i < res.cant_provision.length; i++) {
         var domain = res.cant_provision[i];
@@ -123,6 +133,10 @@ function show_tls() {
         row.attr('data-domain', domains[i].domain);
         row.find('.domain a').text(domains[i].domain);
         row.find('.domain a').attr('href', 'https://' + domains[i].domain);
+        if (domains[i].status == "not-applicable") {
+          domains[i].status = "muted"; // text-muted css class
+          row.find('.actions a').remove(); // no actions applicable
+        }
         row.addClass("text-" + domains[i].status);
         row.find('.status').text(domains[i].text);
         if (domains[i].status == "success") {
@@ -139,14 +153,15 @@ function show_tls() {
 function ssl_install(elem) {
   var domain = $(elem).parents('tr').attr('data-domain');
   $('#ssldomain').val(domain);
-  $('#csr_info').slideDown();
-  $('#ssl_csr').text('Loading...');
   show_csr();
   $('html, body').animate({ scrollTop: $('#ssl_install_header').offset().top - $('.navbar-fixed-top').height() - 20 })
   return false;
 }
 
 function show_csr() {
+ if ($('#ssldomain').val() == "") return;
+ $('#csr_info').slideDown();
+ $('#ssl_csr').text('Loading...');
  api(
     "/ssl/csr/" + $('#ssldomain').val(),
     "POST",
@@ -176,4 +191,94 @@ function install_cert() {
       }
     });
 }
+
+var agree_to_tos_url_prompt = null;
+var agree_to_tos_url = null;
+function provision_tls_cert() {
+  // Automatically provision any certs.
+  $('#ssl_provision_p .btn').attr('disabled', '1'); // prevent double-clicks
+  api(
+    "/ssl/provision",
+    "POST",
+    {
+      agree_to_tos_url: agree_to_tos_url
+    },
+    function(status) {
+      // Clear last attempt.
+      agree_to_tos_url = null;
+      $('#ssl_provision_result').text("");
+      may_reenable_provision_button = true;
+
+      // Nothing was done. There might also be problem domains, but we've already displayed those.
+      if (status.requests.length == 0) {
+        show_modal_error("TLS Certificate Provisioning", "There were no domain names to provision certificates for.");
+        // don't return - haven't re-enabled the provision button
+      }
+
+      // Each provisioning API call returns zero or more "requests" which represent
+      // a request to Let's Encrypt for a single certificate. Normally there is just
+      // one request (for a single multi-domain certificate).
+      for (var i = 0; i < status.requests.length; i++) {
+        var r = status.requests[i];
+
+        // create an HTML block to display the results of this request
+        var n = $("<div><h4/><p/></div>");
+        $('#ssl_provision_result').append(n);
+
+        // show a header only to disambiguate request blocks
+        if (status.requests.length > 0)
+          n.find("h4").text(r.domains.join(", "));
+
+        if (r.result == "agree-to-tos") {
+          // user needs to agree to Let's Encrypt's TOS
+          agree_to_tos_url_prompt = r.url;
+          $('#ssl_provision_p .btn').attr('disabled', '1');
+          n.find("p").html("Please open and review <a href='" + r.url + "' target='_blank'>Let's Encrypt's terms of service agreement</a>. You must agree to their terms for a certificate to be automatically provisioned from them.");
+          n.append($('<button onclick="agree_to_tos_url = agree_to_tos_url_prompt; return provision_tls_cert();" class="btn btn-success" style="margin-left: 2em">Agree &amp; Try Again</button>'));
+
+          // don't re-enable the Provision button -- user must use the Agree button
+          may_reenable_provision_button = false;
+
+        } else if (r.result == "error") {
+          n.find("p").addClass("text-danger").text(r.message);
+
+        } else if (r.result == "wait") {
+          // Show a button that counts down to zero, at which point it becomes enabled.
+          n.find("p").text("A certificate is now in the process of being provisioned, but it takes some time. Please wait until the Finish button is enabled, and then click it to acquire the certificate.");
+          var b = $('<button onclick="return provision_tls_cert();" class="btn btn-success" style="margin-left: 2em">Finish</button>');
+          b.attr("disabled", "1");
+          var now = new Date();
+          n.append(b);
+          function ready_to_finish() {
+            var remaining = r.seconds - Math.round((new Date() - now)/1000);
+            if (remaining > 0) {
+              setTimeout(ready_to_finish, 1000);
+              b.text("Finish (" + remaining + "...)")
+            } else {
+              b.text("Finish (ready)")
+              b.removeAttr("disabled");
+            }
+          }
+          ready_to_finish();
+          
+          // don't re-enable the Provision button -- user must use the Retry button when it becomes enabled
+          may_reenable_provision_button = false;
+
+        } else if (r.result == "installed") {
+          n.find("p").addClass("text-success").text("The TLS certificate was provisioned and installed.");
+          setTimeout("show_tls(true)", 1); // update main table of certificate statuses, call with arg keep_provisioning_shown true so that we don't clear what we just outputted
+        }
+        
+        // display the detailed log info in case of problems
+        var trace = $("<div class='small text-muted' style='margin-top: 1.5em'>Log:</div>");
+        n.append(trace);
+        for (var j = 0; j < r.log.length; j++)
+          trace.append($("<div/>").text(r.log[j]));
+
+      }
+
+      if (may_reenable_provision_button)
+        $('#ssl_provision_p .btn').removeAttr("disabled");
+    });
+}
 </script>

From 2b9fb9643d11a3e72e2b73f0126bd92276053024 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Mon, 4 Jan 2016 18:41:12 -0500
Subject: [PATCH 9/9] changelog entries for lets encrypt

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34f6442d..c90d4ace 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,11 +10,13 @@ Mail:
 
 Control Panel:
 
+* The SSL (now "TLS") certificates page now supports provisioning free SSL certificates from Let's Encrypt.
 * Report free memory usage.
 
 System:
 
 * The daily backup will now email the administrator if there is a problem.
+* Expiring TLS (SSL) certificates are now automatically renewed via Let's Encrypt.
 
 v0.15 (January 1, 2016)
 -----------------------