From 0916add402992fd7b9ef988b952da2887f4b041d Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Sat, 15 Nov 2025 18:31:59 -0500
Subject: [PATCH] security/acme-client: fix legacy inclusion

---
 security/acme-client/Makefile | 2 +-
 .../AcmeClient/LeValidation/HttpOpnsense.php | 14 +++++++-------
 .../AcmeClient/LeValidation/TlsalpnAcme.php | 14 +++++++-------
 3 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 711735a66..9c3b42af0 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME= acme-client
 PLUGIN_VERSION= 4.10
-PLUGIN_REVISION= 1
+PLUGIN_REVISION= 2
 PLUGIN_COMMENT= ACME Client
 PLUGIN_MAINTAINER= opnsense@moov.de
 PLUGIN_DEPENDS= acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index 8670eb96c..03ca5e97c 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -31,6 +31,8 @@ namespace OPNsense\AcmeClient\LeValidation;
 use OPNsense\AcmeClient\LeValidationInterface;
 use OPNsense\AcmeClient\LeUtils;
 use OPNsense\Core\Config;
+use OPNsense\Core\File;
+use OPNsense\Core\Shell;

 /**
 * Use internal OPNsense webserver for HTTP-01 validation
@@ -125,18 +127,16 @@ class HttpOpnsense extends Base implements LeValidationInterface
 }

 // Create temporary port forward to allow acme challenges to get through
- $anchor_setup = "rdr-anchor \"acme-client\"\n";
- // XXX Should not be using util.inc from here
- file_safe("{$configdir}/acme_anchor_setup", $anchor_setup, 0600);
- mwexecf('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
- file_safe("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
- mwexecf('/sbin/pfctl -a %s -f %s', ['acme-client', "{$configdir}/acme_anchor_rules"]);
+ File::file_put_contents("{$configdir}/acme_anchor_setup", "rdr-anchor \"acme-client\"\n", 0600);
+ Shell::run_safe('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
+ File::file_put_contents("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
+ Shell::run_safe('/sbin/pfctl -a %s -f %s', ['acme-client', "{$configdir}/acme_anchor_rules"]);
 }

 public function cleanup()
 {
 // Flush OPNsense port forward rules.
- mwexecf('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);
+ Shell::run_safe('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);

 // Workaround to solve disconnection issues reported by some users.
 $backend = new \OPNsense\Core\Backend();
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index 068adc823..df5819600 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -31,6 +31,8 @@ namespace OPNsense\AcmeClient\LeValidation;
 use OPNsense\AcmeClient\LeValidationInterface;
 use OPNsense\AcmeClient\LeUtils;
 use OPNsense\Core\Config;
+use OPNsense\Core\File;
+use OPNsense\Core\Shell;

 /**
 * Use acme.sh TLS web server for TLS-ALPN-01 validation
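Review bot: Nothing in the HttpOpnsense.php setup lines or in `cleanup()` checks whether the two `File::file_put_contents` writes or the `Shell::run_safe` pfctl calls succeeded, and the matching hunk in TlsalpnAcme.php has the same gap. A failed write or a rejected rule file then shows up only as a failed challenge, and a failed flush in `cleanup()` would leave the temporary redirect loaded in the `acme-client` anchor after validation has finished. Assuming `Shell::run_safe` hands back the command's exit status (not visible here, worth confirming against the Core class), capture it, e.g. `$rc = Shell::run_safe('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);`, and log a non-zero `$rc` through the plugin's existing logging. The function holding the setup lines begins above this hunk and `cleanup()` continues below it.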
@@ -126,18 +128,16 @@ class TlsalpnAcme extends Base implements LeValidationInterface
 }

 // Create temporary port forward to allow acme challenges to get through
- $anchor_setup = "rdr-anchor \"acme-client\"\n";
- // XXX Should not be using util.inc from here
- file_safe("{$configdir}/acme_anchor_setup", $anchor_setup, 0600);
- mwexecf('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
- file_safe("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
- mwexecf("/sbin/pfctl -a %s -f %s", ['acme-client', "{$configdir}/acme_anchor_rules"]);
+ File::file_put_contents("{$configdir}/acme_anchor_setup", "rdr-anchor \"acme-client\"\n", 0600);
+ Shell::run_safe('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
+ File::file_put_contents("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
+ Shell::run_safe("/sbin/pfctl -a %s -f %s", ['acme-client', "{$configdir}/acme_anchor_rules"]);
 }

 public function cleanup()
 {
 // Flush OPNsense port forward rules.
- mwexecf('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);
+ Shell::run_safe('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);

 // Workaround to solve disconnection issues reported by some users.
 $backend = new \OPNsense\Core\Backend();
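Review bot: The last setup call in TlsalpnAcme.php passes its format as a double-quoted string, `"/sbin/pfctl -a %s -f %s"`, while every other `Shell::run_safe` call in this commit uses single quotes. With double quotes a later edit could interpolate a variable directly into the command string, where it would not pass through whatever escaping the helper applies to its `%s` arguments (that escaping is not visible here). The quoting is carried over unchanged from the removed `mwexecf` line. Suggested: `Shell::run_safe('/sbin/pfctl -a %s -f %s', ['acme-client', "{$configdir}/acme_anchor_rules"]);`. The enclosing function begins above this hunk.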