389 lines
12 KiB
Go
389 lines
12 KiB
Go
|
// Copyright 2015 Matthew Holt
|
||
|
//
|
||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
// you may not use this file except in compliance with the License.
|
||
|
// You may obtain a copy of the License at
|
||
|
//
|
||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||
|
//
|
||
|
// Unless required by applicable law or agreed to in writing, software
|
||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
// See the License for the specific language governing permissions and
|
||
|
// limitations under the License.
|
||
|
|
||
|
package certmagic
|
||
|
|
||
|
import (
|
||
|
"fmt"
|
||
|
"log"
|
||
|
"net"
|
||
|
"net/url"
|
||
|
"strings"
|
||
|
"sync"
|
||
|
"time"
|
||
|
|
||
|
"github.com/xenolf/lego/certificate"
|
||
|
"github.com/xenolf/lego/challenge"
|
||
|
"github.com/xenolf/lego/challenge/http01"
|
||
|
"github.com/xenolf/lego/challenge/tlsalpn01"
|
||
|
"github.com/xenolf/lego/lego"
|
||
|
"github.com/xenolf/lego/registration"
|
||
|
)
|
||
|
|
||
|
// acmeMu ensures that only one ACME challenge occurs at a time.
|
||
|
var acmeMu sync.Mutex
|
||
|
|
||
|
// acmeClient is a wrapper over acme.Client with
|
||
|
// some custom state attached. It is used to obtain,
|
||
|
// renew, and revoke certificates with ACME.
|
||
|
type acmeClient struct {
|
||
|
config *Config
|
||
|
acmeClient *lego.Client
|
||
|
}
|
||
|
|
||
|
// listenerAddressInUse returns true if a TCP connection
|
||
|
// can be made to addr within a short time interval.
|
||
|
func listenerAddressInUse(addr string) bool {
|
||
|
conn, err := net.DialTimeout("tcp", addr, 250*time.Millisecond)
|
||
|
if err == nil {
|
||
|
conn.Close()
|
||
|
}
|
||
|
return err == nil
|
||
|
}
|
||
|
|
||
|
func (cfg *Config) newACMEClient(interactive bool) (*acmeClient, error) {
|
||
|
// look up or create the user account
|
||
|
leUser, err := cfg.getUser(cfg.Email)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
// ensure key type is set
|
||
|
keyType := KeyType
|
||
|
if cfg.KeyType != "" {
|
||
|
keyType = cfg.KeyType
|
||
|
}
|
||
|
|
||
|
// ensure CA URL (directory endpoint) is set
|
||
|
caURL := CA
|
||
|
if cfg.CA != "" {
|
||
|
caURL = cfg.CA
|
||
|
}
|
||
|
|
||
|
// ensure endpoint is secure (assume HTTPS if scheme is missing)
|
||
|
if !strings.Contains(caURL, "://") {
|
||
|
caURL = "https://" + caURL
|
||
|
}
|
||
|
u, err := url.Parse(caURL)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
if u.Scheme != "https" && !isLoopback(u.Host) && !isInternal(u.Host) {
|
||
|
return nil, fmt.Errorf("%s: insecure CA URL (HTTPS required)", caURL)
|
||
|
}
|
||
|
|
||
|
clientKey := caURL + leUser.Email + string(keyType)
|
||
|
|
||
|
// if an underlying client with this configuration already exists, reuse it
|
||
|
cfg.acmeClientsMu.Lock()
|
||
|
client, ok := cfg.acmeClients[clientKey]
|
||
|
if !ok {
|
||
|
// the client facilitates our communication with the CA server
|
||
|
legoCfg := lego.NewConfig(&leUser)
|
||
|
legoCfg.CADirURL = caURL
|
||
|
legoCfg.KeyType = keyType
|
||
|
legoCfg.UserAgent = buildUAString()
|
||
|
legoCfg.HTTPClient.Timeout = HTTPTimeout
|
||
|
client, err = lego.NewClient(legoCfg)
|
||
|
if err != nil {
|
||
|
cfg.acmeClientsMu.Unlock()
|
||
|
return nil, err
|
||
|
}
|
||
|
cfg.acmeClients[clientKey] = client
|
||
|
}
|
||
|
cfg.acmeClientsMu.Unlock()
|
||
|
|
||
|
// if not registered, the user must register an account
|
||
|
// with the CA and agree to terms
|
||
|
if leUser.Registration == nil {
|
||
|
if interactive { // can't prompt a user who isn't there
|
||
|
termsURL := client.GetToSURL()
|
||
|
if !cfg.Agreed && termsURL != "" {
|
||
|
cfg.Agreed = cfg.askUserAgreement(client.GetToSURL())
|
||
|
}
|
||
|
if !cfg.Agreed && termsURL != "" {
|
||
|
return nil, fmt.Errorf("user must agree to CA terms")
|
||
|
}
|
||
|
}
|
||
|
|
||
|
reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: cfg.Agreed})
|
||
|
if err != nil {
|
||
|
return nil, fmt.Errorf("registration error: %v", err)
|
||
|
}
|
||
|
leUser.Registration = reg
|
||
|
|
||
|
// persist the user to storage
|
||
|
err = cfg.saveUser(leUser)
|
||
|
if err != nil {
|
||
|
return nil, fmt.Errorf("could not save user: %v", err)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
c := &acmeClient{
|
||
|
config: cfg,
|
||
|
acmeClient: client,
|
||
|
}
|
||
|
|
||
|
if cfg.DNSProvider == nil {
|
||
|
// Use HTTP and TLS-ALPN challenges by default
|
||
|
|
||
|
// figure out which ports we'll be serving the challenges on
|
||
|
useHTTPPort := HTTPChallengePort
|
||
|
useTLSALPNPort := TLSALPNChallengePort
|
||
|
if HTTPPort > 0 && HTTPPort != HTTPChallengePort {
|
||
|
useHTTPPort = HTTPPort
|
||
|
}
|
||
|
if HTTPSPort > 0 && HTTPSPort != TLSALPNChallengePort {
|
||
|
useTLSALPNPort = HTTPSPort
|
||
|
}
|
||
|
if cfg.AltHTTPPort > 0 {
|
||
|
useHTTPPort = cfg.AltHTTPPort
|
||
|
}
|
||
|
if cfg.AltTLSALPNPort > 0 {
|
||
|
useTLSALPNPort = cfg.AltTLSALPNPort
|
||
|
}
|
||
|
|
||
|
// If this machine is already listening on the HTTP or TLS-ALPN port
|
||
|
// designated for the challenges, then we need to handle the challenges
|
||
|
// a little differently: for HTTP, we will answer the challenge request
|
||
|
// using our own HTTP handler (the HandleHTTPChallenge function - this
|
||
|
// works only because challenge info is written to storage associated
|
||
|
// with cfg when the challenge is initiated); for TLS-ALPN, we will add
|
||
|
// the challenge cert to our cert cache and serve it up during the
|
||
|
// handshake. As for the default solvers... we are careful to honor the
|
||
|
// listener bind preferences by using cfg.ListenHost.
|
||
|
var httpSolver, alpnSolver challenge.Provider
|
||
|
httpSolver = http01.NewProviderServer(cfg.ListenHost, fmt.Sprintf("%d", useHTTPPort))
|
||
|
alpnSolver = tlsalpn01.NewProviderServer(cfg.ListenHost, fmt.Sprintf("%d", useTLSALPNPort))
|
||
|
if listenerAddressInUse(net.JoinHostPort(cfg.ListenHost, fmt.Sprintf("%d", useHTTPPort))) {
|
||
|
httpSolver = nil
|
||
|
}
|
||
|
if listenerAddressInUse(net.JoinHostPort(cfg.ListenHost, fmt.Sprintf("%d", useTLSALPNPort))) {
|
||
|
alpnSolver = tlsALPNSolver{certCache: cfg.certCache}
|
||
|
}
|
||
|
|
||
|
// because of our nifty Storage interface, we can distribute the HTTP and
|
||
|
// TLS-ALPN challenges across all instances that share the same storage -
|
||
|
// in fact, this is required now for successful solving of the HTTP challenge
|
||
|
// if the port is already in use, since we must write the challenge info
|
||
|
// to storage for the HTTPChallengeHandler to solve it successfully
|
||
|
c.acmeClient.Challenge.SetHTTP01Provider(distributedSolver{
|
||
|
config: cfg,
|
||
|
providerServer: httpSolver,
|
||
|
})
|
||
|
c.acmeClient.Challenge.SetTLSALPN01Provider(distributedSolver{
|
||
|
config: cfg,
|
||
|
providerServer: alpnSolver,
|
||
|
})
|
||
|
|
||
|
// disable any challenges that should not be used
|
||
|
var disabledChallenges []challenge.Type
|
||
|
if cfg.DisableHTTPChallenge {
|
||
|
disabledChallenges = append(disabledChallenges, challenge.HTTP01)
|
||
|
}
|
||
|
if cfg.DisableTLSALPNChallenge {
|
||
|
disabledChallenges = append(disabledChallenges, challenge.TLSALPN01)
|
||
|
}
|
||
|
if len(disabledChallenges) > 0 {
|
||
|
c.acmeClient.Challenge.Exclude(disabledChallenges)
|
||
|
}
|
||
|
} else {
|
||
|
// Otherwise, use DNS challenge exclusively
|
||
|
c.acmeClient.Challenge.Exclude([]challenge.Type{challenge.HTTP01, challenge.TLSALPN01})
|
||
|
c.acmeClient.Challenge.SetDNS01Provider(cfg.DNSProvider)
|
||
|
}
|
||
|
|
||
|
return c, nil
|
||
|
}
|
||
|
|
||
|
func (cfg *Config) lockKey(op, domainName string) string {
|
||
|
return fmt.Sprintf("%s:%s:%s", op, domainName, cfg.CA)
|
||
|
}
|
||
|
|
||
|
// Obtain obtains a single certificate for name. It stores the certificate
|
||
|
// on the disk if successful. This function is safe for concurrent use.
|
||
|
//
|
||
|
// Right now our storage mechanism only supports one name per certificate,
|
||
|
// so this function (along with Renew and Revoke) only accepts one domain
|
||
|
// as input. It can be easily modified to support SAN certificates if our
|
||
|
// storage mechanism is upgraded later.
|
||
|
//
|
||
|
// Callers who have access to a Config value should use the ObtainCert
|
||
|
// method on that instead of this lower-level method.
|
||
|
func (c *acmeClient) Obtain(name string) error {
|
||
|
lockKey := c.config.lockKey("cert_acme", name)
|
||
|
waiter, err := c.config.certCache.storage.TryLock(lockKey)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
if waiter != nil {
|
||
|
log.Printf("[INFO] Certificate for %s is already being obtained elsewhere and stored; waiting", name)
|
||
|
waiter.Wait()
|
||
|
return nil // we assume the process with the lock succeeded, rather than hammering this execution path again
|
||
|
}
|
||
|
defer func() {
|
||
|
if err := c.config.certCache.storage.Unlock(lockKey); err != nil {
|
||
|
log.Printf("[ERROR] Unable to unlock obtain call for %s: %v", name, err)
|
||
|
}
|
||
|
}()
|
||
|
|
||
|
for attempts := 0; attempts < 2; attempts++ {
|
||
|
request := certificate.ObtainRequest{
|
||
|
Domains: []string{name},
|
||
|
Bundle: true,
|
||
|
MustStaple: c.config.MustStaple,
|
||
|
}
|
||
|
acmeMu.Lock()
|
||
|
certificate, err := c.acmeClient.Certificate.Obtain(request)
|
||
|
acmeMu.Unlock()
|
||
|
if err != nil {
|
||
|
return fmt.Errorf("[%s] failed to obtain certificate: %s", name, err)
|
||
|
}
|
||
|
|
||
|
// double-check that we actually got a certificate, in case there's a bug upstream (see issue mholt/caddy#2121)
|
||
|
if certificate.Domain == "" || certificate.Certificate == nil {
|
||
|
return fmt.Errorf("returned certificate was empty; probably an unchecked error obtaining it")
|
||
|
}
|
||
|
|
||
|
// Success - immediately save the certificate resource
|
||
|
err = c.config.saveCertResource(certificate)
|
||
|
if err != nil {
|
||
|
return fmt.Errorf("error saving assets for %v: %v", name, err)
|
||
|
}
|
||
|
|
||
|
break
|
||
|
}
|
||
|
|
||
|
if c.config.OnEvent != nil {
|
||
|
c.config.OnEvent("acme_cert_obtained", name)
|
||
|
}
|
||
|
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
// Renew renews the managed certificate for name. It puts the renewed
|
||
|
// certificate into storage (not the cache). This function is safe for
|
||
|
// concurrent use.
|
||
|
//
|
||
|
// Callers who have access to a Config value should use the RenewCert
|
||
|
// method on that instead of this lower-level method.
|
||
|
func (c *acmeClient) Renew(name string) error {
|
||
|
lockKey := c.config.lockKey("cert_acme", name)
|
||
|
waiter, err := c.config.certCache.storage.TryLock(lockKey)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
if waiter != nil {
|
||
|
log.Printf("[INFO] Certificate for %s is already being renewed elsewhere and stored; waiting", name)
|
||
|
waiter.Wait()
|
||
|
return nil // assume that the worker that renewed the cert succeeded to avoid hammering this path over and over
|
||
|
}
|
||
|
defer func() {
|
||
|
if err := c.config.certCache.storage.Unlock(lockKey); err != nil {
|
||
|
log.Printf("[ERROR] Unable to unlock renew call for %s: %v", name, err)
|
||
|
}
|
||
|
}()
|
||
|
|
||
|
// Prepare for renewal (load PEM cert, key, and meta)
|
||
|
certRes, err := c.config.loadCertResource(name)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
|
||
|
// Perform renewal and retry if necessary, but not too many times.
|
||
|
var newCertMeta *certificate.Resource
|
||
|
var success bool
|
||
|
for attempts := 0; attempts < 2; attempts++ {
|
||
|
acmeMu.Lock()
|
||
|
newCertMeta, err = c.acmeClient.Certificate.Renew(certRes, true, c.config.MustStaple)
|
||
|
acmeMu.Unlock()
|
||
|
if err == nil {
|
||
|
// double-check that we actually got a certificate; check a couple fields, just in case
|
||
|
if newCertMeta == nil || newCertMeta.Domain == "" || newCertMeta.Certificate == nil {
|
||
|
err = fmt.Errorf("returned certificate was empty; probably an unchecked error renewing it")
|
||
|
} else {
|
||
|
success = true
|
||
|
break
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// wait a little bit and try again
|
||
|
wait := 10 * time.Second
|
||
|
log.Printf("[ERROR] Renewing [%v]: %v; trying again in %s", name, err, wait)
|
||
|
time.Sleep(wait)
|
||
|
}
|
||
|
|
||
|
if !success {
|
||
|
return fmt.Errorf("too many renewal attempts; last error: %v", err)
|
||
|
}
|
||
|
|
||
|
if c.config.OnEvent != nil {
|
||
|
c.config.OnEvent("acme_cert_renewed", name)
|
||
|
}
|
||
|
|
||
|
return c.config.saveCertResource(newCertMeta)
|
||
|
}
|
||
|
|
||
|
// Revoke revokes the certificate for name and deletes
|
||
|
// it from storage.
|
||
|
func (c *acmeClient) Revoke(name string) error {
|
||
|
if !c.config.certCache.storage.Exists(StorageKeys.SitePrivateKey(c.config.CA, name)) {
|
||
|
return fmt.Errorf("private key not found for %s", name)
|
||
|
}
|
||
|
|
||
|
certRes, err := c.config.loadCertResource(name)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
|
||
|
err = c.acmeClient.Certificate.Revoke(certRes.Certificate)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
|
||
|
if c.config.OnEvent != nil {
|
||
|
c.config.OnEvent("acme_cert_revoked", name)
|
||
|
}
|
||
|
|
||
|
err = c.config.certCache.storage.Delete(StorageKeys.SiteCert(c.config.CA, name))
|
||
|
if err != nil {
|
||
|
return fmt.Errorf("certificate revoked, but unable to delete certificate file: %v", err)
|
||
|
}
|
||
|
err = c.config.certCache.storage.Delete(StorageKeys.SitePrivateKey(c.config.CA, name))
|
||
|
if err != nil {
|
||
|
return fmt.Errorf("certificate revoked, but unable to delete private key: %v", err)
|
||
|
}
|
||
|
err = c.config.certCache.storage.Delete(StorageKeys.SiteMeta(c.config.CA, name))
|
||
|
if err != nil {
|
||
|
return fmt.Errorf("certificate revoked, but unable to delete certificate metadata: %v", err)
|
||
|
}
|
||
|
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
func buildUAString() string {
|
||
|
ua := "CertMagic"
|
||
|
if UserAgent != "" {
|
||
|
ua += " " + UserAgent
|
||
|
}
|
||
|
return ua
|
||
|
}
|
||
|
|
||
|
// Some default values passed down to the underlying lego client.
|
||
|
var (
|
||
|
UserAgent string
|
||
|
HTTPTimeout = 30 * time.Second
|
||
|
)
|