2019-05-27 00:41:10 +00:00
|
|
|
package acme
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto"
|
2020-02-07 14:50:22 +00:00
|
|
|
"crypto/tls"
|
2019-05-27 00:41:10 +00:00
|
|
|
"crypto/x509"
|
|
|
|
"encoding/base64"
|
2020-05-06 14:39:13 +00:00
|
|
|
"log"
|
2019-05-27 00:41:10 +00:00
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"net/url"
|
2020-05-06 14:39:13 +00:00
|
|
|
"os"
|
|
|
|
"strconv"
|
2019-05-27 00:41:10 +00:00
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"github.com/smallstep/certificates/authority/provisioner"
|
2019-10-08 01:17:20 +00:00
|
|
|
database "github.com/smallstep/certificates/db"
|
2019-05-27 00:41:10 +00:00
|
|
|
"github.com/smallstep/cli/jose"
|
|
|
|
"github.com/smallstep/nosql"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Interface is the acme authority interface.
|
|
|
|
type Interface interface {
|
|
|
|
DeactivateAccount(provisioner.Interface, string) (*Account, error)
|
|
|
|
FinalizeOrder(provisioner.Interface, string, string, *x509.CertificateRequest) (*Order, error)
|
|
|
|
GetAccount(provisioner.Interface, string) (*Account, error)
|
|
|
|
GetAccountByKey(provisioner.Interface, *jose.JSONWebKey) (*Account, error)
|
|
|
|
GetAuthz(provisioner.Interface, string, string) (*Authz, error)
|
|
|
|
GetCertificate(string, string) ([]byte, error)
|
|
|
|
GetDirectory(provisioner.Interface) *Directory
|
|
|
|
GetLink(Link, string, bool, ...string) string
|
|
|
|
GetOrder(provisioner.Interface, string, string) (*Order, error)
|
|
|
|
GetOrdersByAccount(provisioner.Interface, string) ([]string, error)
|
|
|
|
LoadProvisionerByID(string) (provisioner.Interface, error)
|
|
|
|
NewAccount(provisioner.Interface, AccountOptions) (*Account, error)
|
|
|
|
NewNonce() (string, error)
|
|
|
|
NewOrder(provisioner.Interface, OrderOptions) (*Order, error)
|
|
|
|
UpdateAccount(provisioner.Interface, string, []string) (*Account, error)
|
|
|
|
UseNonce(string) error
|
|
|
|
ValidateChallenge(provisioner.Interface, string, string, *jose.JSONWebKey) (*Challenge, error)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Authority is the layer that handles all ACME interactions.
|
|
|
|
type Authority struct {
|
|
|
|
db nosql.DB
|
|
|
|
dir *directory
|
|
|
|
signAuth SignAuthority
|
|
|
|
}
|
|
|
|
|
2019-10-08 01:17:20 +00:00
|
|
|
var (
|
|
|
|
accountTable = []byte("acme_accounts")
|
|
|
|
accountByKeyIDTable = []byte("acme_keyID_accountID_index")
|
|
|
|
authzTable = []byte("acme_authzs")
|
|
|
|
challengeTable = []byte("acme_challenges")
|
|
|
|
nonceTable = []byte("nonces")
|
|
|
|
orderTable = []byte("acme_orders")
|
2020-01-28 21:17:10 +00:00
|
|
|
ordersByAccountIDTable = []byte("acme_account_orders_index")
|
2019-10-08 01:17:20 +00:00
|
|
|
certTable = []byte("acme_certs")
|
2020-05-07 16:27:16 +00:00
|
|
|
ordinal int
|
2019-10-08 01:17:20 +00:00
|
|
|
)
|
|
|
|
|
2020-05-06 14:39:13 +00:00
|
|
|
// Ordinal is used during challenge retries to indicate ownership.
|
|
|
|
func init() {
|
2020-05-07 16:27:16 +00:00
|
|
|
ordstr := os.Getenv("STEP_CA_ORDINAL")
|
2020-05-06 14:39:13 +00:00
|
|
|
if ordstr == "" {
|
|
|
|
ordinal = 0
|
|
|
|
} else {
|
|
|
|
ord, err := strconv.Atoi(ordstr)
|
|
|
|
if err != nil {
|
|
|
|
log.Fatal("Unrecognized ordinal ingeter value.")
|
|
|
|
panic(nil)
|
|
|
|
}
|
|
|
|
ordinal = ord
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-05-27 00:41:10 +00:00
|
|
|
// NewAuthority returns a new Authority that implements the ACME interface.
|
2019-10-08 01:17:20 +00:00
|
|
|
func NewAuthority(db nosql.DB, dns, prefix string, signAuth SignAuthority) (*Authority, error) {
|
|
|
|
if _, ok := db.(*database.SimpleDB); !ok {
|
|
|
|
// If it's not a SimpleDB then go ahead and bootstrap the DB with the
|
|
|
|
// necessary ACME tables. SimpleDB should ONLY be used for testing.
|
|
|
|
tables := [][]byte{accountTable, accountByKeyIDTable, authzTable,
|
|
|
|
challengeTable, nonceTable, orderTable, ordersByAccountIDTable,
|
|
|
|
certTable}
|
|
|
|
for _, b := range tables {
|
|
|
|
if err := db.CreateTable(b); err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "error creating table %s",
|
|
|
|
string(b))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2019-05-27 00:41:10 +00:00
|
|
|
return &Authority{
|
|
|
|
db: db, dir: newDirectory(dns, prefix), signAuth: signAuth,
|
2019-10-08 01:17:20 +00:00
|
|
|
}, nil
|
2019-05-27 00:41:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// GetLink returns the requested link from the directory.
|
|
|
|
func (a *Authority) GetLink(typ Link, provID string, abs bool, inputs ...string) string {
|
|
|
|
return a.dir.getLink(typ, provID, abs, inputs...)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetDirectory returns the ACME directory object.
|
|
|
|
func (a *Authority) GetDirectory(p provisioner.Interface) *Directory {
|
|
|
|
name := url.PathEscape(p.GetName())
|
|
|
|
return &Directory{
|
|
|
|
NewNonce: a.dir.getLink(NewNonceLink, name, true),
|
|
|
|
NewAccount: a.dir.getLink(NewAccountLink, name, true),
|
|
|
|
NewOrder: a.dir.getLink(NewOrderLink, name, true),
|
|
|
|
RevokeCert: a.dir.getLink(RevokeCertLink, name, true),
|
|
|
|
KeyChange: a.dir.getLink(KeyChangeLink, name, true),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// LoadProvisionerByID calls out to the SignAuthority interface to load a
|
|
|
|
// provisioner by ID.
|
|
|
|
func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error) {
|
|
|
|
return a.signAuth.LoadProvisionerByID(id)
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewNonce generates, stores, and returns a new ACME nonce.
|
|
|
|
func (a *Authority) NewNonce() (string, error) {
|
|
|
|
n, err := newNonce(a.db)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return n.ID, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// UseNonce consumes the given nonce if it is valid, returns error otherwise.
|
|
|
|
func (a *Authority) UseNonce(nonce string) error {
|
|
|
|
return useNonce(a.db, nonce)
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewAccount creates, stores, and returns a new ACME account.
|
|
|
|
func (a *Authority) NewAccount(p provisioner.Interface, ao AccountOptions) (*Account, error) {
|
|
|
|
acc, err := newAccount(a.db, ao)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return acc.toACME(a.db, a.dir, p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// UpdateAccount updates an ACME account.
|
|
|
|
func (a *Authority) UpdateAccount(p provisioner.Interface, id string, contact []string) (*Account, error) {
|
|
|
|
acc, err := getAccountByID(a.db, id)
|
|
|
|
if err != nil {
|
|
|
|
return nil, ServerInternalErr(err)
|
|
|
|
}
|
|
|
|
if acc, err = acc.update(a.db, contact); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return acc.toACME(a.db, a.dir, p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetAccount returns an ACME account.
|
|
|
|
func (a *Authority) GetAccount(p provisioner.Interface, id string) (*Account, error) {
|
|
|
|
acc, err := getAccountByID(a.db, id)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return acc.toACME(a.db, a.dir, p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeactivateAccount deactivates an ACME account.
|
|
|
|
func (a *Authority) DeactivateAccount(p provisioner.Interface, id string) (*Account, error) {
|
|
|
|
acc, err := getAccountByID(a.db, id)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if acc, err = acc.deactivate(a.db); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return acc.toACME(a.db, a.dir, p)
|
|
|
|
}
|
|
|
|
|
|
|
|
func keyToID(jwk *jose.JSONWebKey) (string, error) {
|
|
|
|
kid, err := jwk.Thumbprint(crypto.SHA256)
|
|
|
|
if err != nil {
|
|
|
|
return "", ServerInternalErr(errors.Wrap(err, "error generating jwk thumbprint"))
|
|
|
|
}
|
|
|
|
return base64.RawURLEncoding.EncodeToString(kid), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetAccountByKey returns the ACME associated with the jwk id.
|
|
|
|
func (a *Authority) GetAccountByKey(p provisioner.Interface, jwk *jose.JSONWebKey) (*Account, error) {
|
|
|
|
kid, err := keyToID(jwk)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
acc, err := getAccountByKeyID(a.db, kid)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return acc.toACME(a.db, a.dir, p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetOrder returns an ACME order.
|
|
|
|
func (a *Authority) GetOrder(p provisioner.Interface, accID, orderID string) (*Order, error) {
|
|
|
|
o, err := getOrder(a.db, orderID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if accID != o.AccountID {
|
|
|
|
return nil, UnauthorizedErr(errors.New("account does not own order"))
|
|
|
|
}
|
|
|
|
if o, err = o.updateStatus(a.db); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return o.toACME(a.db, a.dir, p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetOrdersByAccount returns the list of order urls owned by the account.
|
|
|
|
func (a *Authority) GetOrdersByAccount(p provisioner.Interface, id string) ([]string, error) {
|
|
|
|
oids, err := getOrderIDsByAccount(a.db, id)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
var ret = []string{}
|
|
|
|
for _, oid := range oids {
|
|
|
|
o, err := getOrder(a.db, oid)
|
|
|
|
if err != nil {
|
|
|
|
return nil, ServerInternalErr(err)
|
|
|
|
}
|
|
|
|
if o.Status == StatusInvalid {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
ret = append(ret, a.dir.getLink(OrderLink, URLSafeProvisionerName(p), true, o.ID))
|
|
|
|
}
|
|
|
|
return ret, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewOrder generates, stores, and returns a new ACME order.
|
|
|
|
func (a *Authority) NewOrder(p provisioner.Interface, ops OrderOptions) (*Order, error) {
|
|
|
|
order, err := newOrder(a.db, ops)
|
|
|
|
if err != nil {
|
|
|
|
return nil, Wrap(err, "error creating order")
|
|
|
|
}
|
|
|
|
return order.toACME(a.db, a.dir, p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// FinalizeOrder attempts to finalize an order and generate a new certificate.
|
|
|
|
func (a *Authority) FinalizeOrder(p provisioner.Interface, accID, orderID string, csr *x509.CertificateRequest) (*Order, error) {
|
|
|
|
o, err := getOrder(a.db, orderID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if accID != o.AccountID {
|
|
|
|
return nil, UnauthorizedErr(errors.New("account does not own order"))
|
|
|
|
}
|
|
|
|
o, err = o.finalize(a.db, csr, a.signAuth, p)
|
|
|
|
if err != nil {
|
|
|
|
return nil, Wrap(err, "error finalizing order")
|
|
|
|
}
|
|
|
|
return o.toACME(a.db, a.dir, p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetAuthz retrieves and attempts to update the status on an ACME authz
|
|
|
|
// before returning.
|
|
|
|
func (a *Authority) GetAuthz(p provisioner.Interface, accID, authzID string) (*Authz, error) {
|
2019-09-19 20:17:23 +00:00
|
|
|
az, err := getAuthz(a.db, authzID)
|
2019-05-27 00:41:10 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-09-19 20:17:23 +00:00
|
|
|
if accID != az.getAccountID() {
|
2019-05-27 00:41:10 +00:00
|
|
|
return nil, UnauthorizedErr(errors.New("account does not own authz"))
|
|
|
|
}
|
2019-09-19 20:17:23 +00:00
|
|
|
az, err = az.updateStatus(a.db)
|
2019-05-27 00:41:10 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, Wrap(err, "error updating authz status")
|
|
|
|
}
|
2019-09-19 20:17:23 +00:00
|
|
|
return az.toACME(a.db, a.dir, p)
|
2019-05-27 00:41:10 +00:00
|
|
|
}
|
|
|
|
|
2020-05-13 18:38:40 +00:00
|
|
|
// ValidateChallenge loads a challenge resource and then begins the validation process if the challenge
|
|
|
|
// is not in one of its terminal states {valid|invalid}.
|
2020-05-13 12:04:49 +00:00
|
|
|
//
|
2020-05-06 14:39:13 +00:00
|
|
|
// The challenge validation state machine looks like:
|
|
|
|
//
|
|
|
|
// * https://tools.ietf.org/html/rfc8555#section-7.1.6
|
|
|
|
//
|
|
|
|
// While in the processing state, the server may retry as it sees fit. The challenge validation strategy
|
|
|
|
// needs to be rather specific in order for retries to work in a replicated, crash-proof deployment.
|
|
|
|
// In general, the goal is to allow requests to hit arbitrary instances of step-ca while managing retry
|
|
|
|
// responsibility such that multiple instances agree on an owner. Additionally, when a deployment of the
|
|
|
|
// CA is in progress, the ownership should be carried forward and new, updated (or in general, restarted),
|
|
|
|
// instances should pick back up where the crashed instance left off.
|
|
|
|
//
|
|
|
|
// The steps are:
|
|
|
|
//
|
|
|
|
// 1. Upon incoming request to the challenge endpoint, take ownership of the retry responsibility.
|
|
|
|
// (a) Set Retry.Owner to this instance's ordinal (STEP_CA_ORDINAL).
|
|
|
|
// (b) Set Retry.NumAttempts to 0 and Retry.MaxAttempts to the desired max.
|
|
|
|
// (c) Set Challenge.Status to "processing"
|
|
|
|
// (d) Set retry_after to a time (retryInterval) in the future.
|
|
|
|
// 2. Perform the validation attempt.
|
|
|
|
// 3. If the validation attempt results in a challenge that is still processing, schedule a retry.
|
|
|
|
//
|
|
|
|
// It's possible that another request to re-attempt the challenge comes in while a retry attempt is
|
|
|
|
// pending from a previous request. In general, these old attempts will see that Retry.NextAttempt
|
2020-05-13 12:04:49 +00:00
|
|
|
// is in the future and drop their task. Because another instance may have taken ownership, old attempts
|
|
|
|
// would also see a different ordinal than their own.
|
2020-05-06 14:39:13 +00:00
|
|
|
//
|
|
|
|
// 4. When the retry timer fires, check to make sure the retry should still process.
|
|
|
|
// (a) Refresh the challenge from the DB.
|
|
|
|
// (a) Check that Retry.Owner is equal to this instance's ordinal.
|
|
|
|
// (b) Check that Retry.NextAttempt is in the past.
|
|
|
|
// 5. If the retry will commence, immediately update Retry.NextAttempt and save the challenge.
|
|
|
|
//
|
|
|
|
// Finally, if this instance is terminated, retries need to be reschedule when the instance restarts. This
|
|
|
|
// is handled in the acme provisioner (authority/provisioner/acme.go) initialization.
|
|
|
|
//
|
|
|
|
// Note: the default ordinal does not need to be changed unless step-ca is running in a replicated scenario.
|
|
|
|
//
|
2019-05-27 00:41:10 +00:00
|
|
|
func (a *Authority) ValidateChallenge(p provisioner.Interface, accID, chID string, jwk *jose.JSONWebKey) (*Challenge, error) {
|
|
|
|
ch, err := getChallenge(a.db, chID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-05-13 14:55:38 +00:00
|
|
|
switch ch.getStatus() {
|
|
|
|
case StatusPending, StatusProcessing:
|
|
|
|
break
|
|
|
|
case StatusInvalid, StatusValid:
|
|
|
|
return ch.toACME(a.dir, p)
|
|
|
|
default:
|
|
|
|
panic("unknown challenge state: " + ch.getStatus())
|
|
|
|
}
|
2020-05-13 11:03:01 +00:00
|
|
|
|
|
|
|
// Validate the challenge belongs to the account owned by the requester.
|
2019-05-27 00:41:10 +00:00
|
|
|
if accID != ch.getAccountID() {
|
|
|
|
return nil, UnauthorizedErr(errors.New("account does not own challenge"))
|
|
|
|
}
|
2020-05-06 14:39:13 +00:00
|
|
|
|
|
|
|
// Take ownership of the challenge status and retry state. The values must be reset.
|
|
|
|
up := ch.clone()
|
|
|
|
up.Status = StatusProcessing
|
2020-05-07 16:27:16 +00:00
|
|
|
up.Retry = &Retry{
|
|
|
|
Owner: ordinal,
|
2020-05-06 14:39:13 +00:00
|
|
|
ProvisionerID: p.GetID(),
|
2020-05-07 16:27:16 +00:00
|
|
|
NumAttempts: 0,
|
|
|
|
MaxAttempts: 10,
|
|
|
|
NextAttempt: time.Now().Add(retryInterval).UTC().Format(time.RFC3339),
|
2020-05-06 14:39:13 +00:00
|
|
|
}
|
|
|
|
err = up.save(a.db, ch)
|
|
|
|
if err != nil {
|
|
|
|
return nil, Wrap(err, "error saving challenge")
|
2020-02-14 21:17:52 +00:00
|
|
|
}
|
2020-05-06 14:39:13 +00:00
|
|
|
ch = up
|
2020-02-14 21:17:52 +00:00
|
|
|
|
2020-05-06 14:39:13 +00:00
|
|
|
v, err := a.validate(ch, jwk)
|
|
|
|
// An error here is non-recoverable. Recoverable errors are set on the challenge object
|
|
|
|
// and should not be returned directly.
|
|
|
|
if err != nil {
|
|
|
|
return nil, Wrap(err, "error attempting challenge validation")
|
|
|
|
}
|
|
|
|
err = v.save(a.db, ch)
|
|
|
|
if err != nil {
|
|
|
|
return nil, Wrap(err, "error saving challenge")
|
|
|
|
}
|
|
|
|
ch = v
|
|
|
|
|
|
|
|
switch ch.getStatus() {
|
|
|
|
case StatusValid, StatusInvalid:
|
|
|
|
break
|
|
|
|
case StatusProcessing:
|
|
|
|
if ch.getRetry().Active() {
|
|
|
|
time.AfterFunc(retryInterval, func() {
|
|
|
|
a.RetryChallenge(ch.getID())
|
|
|
|
})
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
panic("post-validation challenge in unexpected state" + ch.getStatus())
|
|
|
|
}
|
|
|
|
return ch.toACME(a.dir, p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// The challenge validation process is specific to the type of challenge (dns-01, http-01, tls-alpn-01).
|
|
|
|
// But, we still pass generic "options" to the polymorphic validate call.
|
|
|
|
func (a *Authority) validate(ch challenge, jwk *jose.JSONWebKey) (challenge, error) {
|
2019-05-27 00:41:10 +00:00
|
|
|
client := http.Client{
|
|
|
|
Timeout: time.Duration(30 * time.Second),
|
|
|
|
}
|
2020-02-07 14:50:22 +00:00
|
|
|
dialer := &net.Dialer{
|
|
|
|
Timeout: 30 * time.Second,
|
|
|
|
}
|
2020-05-12 04:23:55 +00:00
|
|
|
return ch.clone().morph().validate(jwk, validateOptions{
|
2020-05-06 14:39:13 +00:00
|
|
|
httpGet: client.Get,
|
|
|
|
lookupTxt: net.LookupTXT,
|
|
|
|
tlsDial: func(network, addr string, config *tls.Config) (*tls.Conn, error) {
|
|
|
|
return tls.DialWithDialer(dialer, network, addr, config)
|
|
|
|
},
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
const retryInterval = 12 * time.Second
|
|
|
|
|
2020-05-13 12:04:49 +00:00
|
|
|
// RetryChallenge behaves similar to ValidateChallenge, but simply attempts to perform a validation and
|
|
|
|
// write update the challenge record in the db if the challenge has remaining retry attempts.
|
|
|
|
//
|
2020-05-06 14:39:13 +00:00
|
|
|
// see: ValidateChallenge
|
|
|
|
func (a *Authority) RetryChallenge(chID string) {
|
|
|
|
ch, err := getChallenge(a.db, chID)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
switch ch.getStatus() {
|
|
|
|
case StatusPending:
|
|
|
|
panic("pending challenges must first be moved to the processing state")
|
|
|
|
case StatusInvalid, StatusValid:
|
|
|
|
return
|
|
|
|
case StatusProcessing:
|
|
|
|
break
|
|
|
|
default:
|
|
|
|
panic("unknown challenge state: " + ch.getStatus())
|
|
|
|
}
|
|
|
|
|
|
|
|
// When retrying, check to make sure the ordinal has not changed.
|
|
|
|
// Make sure there are still retries left.
|
|
|
|
// Then check to make sure Retry.NextAttempt is in the past.
|
|
|
|
retry := ch.getRetry()
|
|
|
|
switch {
|
|
|
|
case retry.Owner != ordinal:
|
|
|
|
return
|
|
|
|
case !retry.Active():
|
|
|
|
return
|
|
|
|
}
|
|
|
|
t, err := time.Parse(time.RFC3339, retry.NextAttempt)
|
|
|
|
now := time.Now().UTC()
|
|
|
|
switch {
|
|
|
|
case err != nil:
|
|
|
|
return
|
|
|
|
case t.Before(now):
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update the db so that other retries simply drop when their timer fires.
|
|
|
|
up := ch.clone()
|
|
|
|
up.Retry.NextAttempt = now.Add(retryInterval).UTC().Format(time.RFC3339)
|
2020-05-13 12:04:49 +00:00
|
|
|
up.Retry.NumAttempts++
|
2020-05-06 14:39:13 +00:00
|
|
|
err = up.save(a.db, ch)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
ch = up
|
|
|
|
|
|
|
|
p, err := a.LoadProvisionerByID(retry.ProvisionerID)
|
|
|
|
acc, err := a.GetAccount(p, ch.getAccountID())
|
|
|
|
|
|
|
|
v, err := a.validate(up, acc.Key)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
err = v.save(a.db, ch)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
ch = v
|
|
|
|
|
|
|
|
switch ch.getStatus() {
|
|
|
|
case StatusValid, StatusInvalid:
|
|
|
|
break
|
|
|
|
case StatusProcessing:
|
|
|
|
if ch.getRetry().Active() {
|
|
|
|
time.AfterFunc(retryInterval, func() {
|
|
|
|
a.RetryChallenge(ch.getID())
|
|
|
|
})
|
2020-02-14 21:17:52 +00:00
|
|
|
}
|
2020-05-06 14:39:13 +00:00
|
|
|
default:
|
|
|
|
panic("post-validation challenge in unexpected state " + ch.getStatus())
|
2019-05-27 00:41:10 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetCertificate retrieves the Certificate by ID.
|
|
|
|
func (a *Authority) GetCertificate(accID, certID string) ([]byte, error) {
|
|
|
|
cert, err := getCert(a.db, certID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if accID != cert.AccountID {
|
|
|
|
return nil, UnauthorizedErr(errors.New("account does not own certificate"))
|
|
|
|
}
|
|
|
|
return cert.toACME(a.db, a.dir)
|
|
|
|
}
|