forked from TrueCloudLab/lego
Merge pull request #30 from xenolf/add-san-cert
Add SAN certificates - fix #20
This commit is contained in:
commit
7662cbcec5
4 changed files with 106 additions and 43 deletions
135
acme/client.go
135
acme/client.go
|
@ -211,9 +211,17 @@ func (c *Client) ObtainCertificates(domains []string, bundle bool) ([]Certificat
|
|||
return nil, failures
|
||||
}
|
||||
|
||||
// remove failed challenges from slice
|
||||
var succeededChallenges []authorizationResource
|
||||
for _, chln := range challenges {
|
||||
if failures[chln.Domain] == nil {
|
||||
succeededChallenges = append(succeededChallenges, chln)
|
||||
}
|
||||
}
|
||||
|
||||
logf("[INFO] acme: Validations succeeded; requesting certificates")
|
||||
|
||||
certs, err := c.requestCertificates(challenges, bundle)
|
||||
certs, err := c.requestCertificates(succeededChallenges, bundle)
|
||||
for k, v := range err {
|
||||
failures[k] = v
|
||||
}
|
||||
|
@ -221,6 +229,42 @@ func (c *Client) ObtainCertificates(domains []string, bundle bool) ([]Certificat
|
|||
return certs, failures
|
||||
}
|
||||
|
||||
// ObtainSANCertificate tries to obtain a single certificate using all domains passed into it.
|
||||
// The first domain in domains is used for the CommonName field of the certificate, all other
|
||||
// domains are added using the Subject Alternate Names extension.
|
||||
// If bundle is true, the []byte contains both the issuer certificate and
|
||||
// your issued certificate as a bundle.
|
||||
func (c *Client) ObtainSANCertificate(domains []string, bundle bool) (CertificateResource, map[string]error) {
|
||||
if bundle {
|
||||
logf("[INFO] acme: Obtaining bundled SAN certificate for %v", strings.Join(domains, ", "))
|
||||
} else {
|
||||
logf("[INFO] acme: Obtaining SAN certificate for %v", strings.Join(domains, ", "))
|
||||
}
|
||||
|
||||
challenges, failures := c.getChallenges(domains)
|
||||
// If any challenge fails - return. Do not generate partial SAN certificates.
|
||||
if len(failures) > 0 {
|
||||
return CertificateResource{}, failures
|
||||
}
|
||||
|
||||
errs := c.solveChallenges(challenges)
|
||||
// If any challenge fails - return. Do not generate partial SAN certificates.
|
||||
if len(errs) > 0 {
|
||||
return CertificateResource{}, errs
|
||||
}
|
||||
|
||||
logf("[INFO] acme: Validations succeeded; requesting certificates")
|
||||
|
||||
cert, err := c.requestCertificate(challenges, bundle)
|
||||
if err != nil {
|
||||
for _, chln := range challenges {
|
||||
failures[chln.Domain] = err
|
||||
}
|
||||
}
|
||||
|
||||
return cert, failures
|
||||
}
|
||||
|
||||
// RevokeCertificate takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
|
||||
func (c *Client) RevokeCertificate(certificate []byte) error {
|
||||
certificates, err := parsePEMBundle(certificate)
|
||||
|
@ -338,7 +382,7 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
|
|||
|
||||
// Looks through the challenge combinations to find a solvable match.
|
||||
// Then solves the challenges in series and returns.
|
||||
func (c *Client) solveChallenges(challenges []*authorizationResource) map[string]error {
|
||||
func (c *Client) solveChallenges(challenges []authorizationResource) map[string]error {
|
||||
// loop through the resources, basically through the domains.
|
||||
failures := make(map[string]error)
|
||||
for _, authz := range challenges {
|
||||
|
@ -381,8 +425,8 @@ func (c *Client) chooseSolvers(auth authorization, domain string) map[int]solver
|
|||
}
|
||||
|
||||
// Get the challenges needed to proof our identifier to the ACME server.
|
||||
func (c *Client) getChallenges(domains []string) ([]*authorizationResource, map[string]error) {
|
||||
resc, errc := make(chan *authorizationResource), make(chan domainError)
|
||||
func (c *Client) getChallenges(domains []string) ([]authorizationResource, map[string]error) {
|
||||
resc, errc := make(chan authorizationResource), make(chan domainError)
|
||||
|
||||
for _, domain := range domains {
|
||||
go func(domain string) {
|
||||
|
@ -416,34 +460,48 @@ func (c *Client) getChallenges(domains []string) ([]*authorizationResource, map[
|
|||
}
|
||||
resp.Body.Close()
|
||||
|
||||
resc <- &authorizationResource{Body: authz, NewCertURL: links["next"], AuthURL: resp.Header.Get("Location"), Domain: domain}
|
||||
resc <- authorizationResource{Body: authz, NewCertURL: links["next"], AuthURL: resp.Header.Get("Location"), Domain: domain}
|
||||
}(domain)
|
||||
}
|
||||
|
||||
var responses []*authorizationResource
|
||||
responses := make(map[string]authorizationResource)
|
||||
failures := make(map[string]error)
|
||||
for i := 0; i < len(domains); i++ {
|
||||
select {
|
||||
case res := <-resc:
|
||||
responses = append(responses, res)
|
||||
responses[res.Domain] = res
|
||||
case err := <-errc:
|
||||
failures[err.Domain] = err.Error
|
||||
}
|
||||
}
|
||||
|
||||
challenges := make([]authorizationResource, 0, len(responses))
|
||||
for _, domain := range domains {
|
||||
if challenge, ok := responses[domain]; ok {
|
||||
challenges = append(challenges, challenge)
|
||||
}
|
||||
}
|
||||
|
||||
close(resc)
|
||||
close(errc)
|
||||
|
||||
return responses, failures
|
||||
return challenges, failures
|
||||
}
|
||||
|
||||
// requestCertificates iterates all granted authorizations, creates RSA private keys and CSRs.
|
||||
// It then uses these to request a certificate from the CA and returns the list of successfully
|
||||
// granted certificates.
|
||||
func (c *Client) requestCertificates(challenges []*authorizationResource, bundle bool) ([]CertificateResource, map[string]error) {
|
||||
func (c *Client) requestCertificates(challenges []authorizationResource, bundle bool) ([]CertificateResource, map[string]error) {
|
||||
resc, errc := make(chan CertificateResource), make(chan domainError)
|
||||
for _, authz := range challenges {
|
||||
go c.requestCertificate(authz, resc, errc, bundle)
|
||||
go func(authz authorizationResource, resc chan CertificateResource, errc chan domainError) {
|
||||
certRes, err := c.requestCertificate([]authorizationResource{authz}, bundle)
|
||||
if err != nil {
|
||||
errc <- domainError{Domain: authz.Domain, Error: err}
|
||||
} else {
|
||||
resc <- certRes
|
||||
}
|
||||
}(authz, resc, errc)
|
||||
}
|
||||
|
||||
var certs []CertificateResource
|
||||
|
@ -460,39 +518,47 @@ func (c *Client) requestCertificates(challenges []*authorizationResource, bundle
|
|||
close(resc)
|
||||
close(errc)
|
||||
|
||||
return certs, nil
|
||||
return certs, failures
|
||||
}
|
||||
|
||||
func (c *Client) requestCertificate(authz *authorizationResource, result chan CertificateResource, errc chan domainError, bundle bool) {
|
||||
func (c *Client) requestCertificate(authz []authorizationResource, bundle bool) (CertificateResource, error) {
|
||||
if len(authz) == 0 {
|
||||
return CertificateResource{}, errors.New("Passed no authorizations to requestCertificate!")
|
||||
}
|
||||
|
||||
commonName := authz[0]
|
||||
privKey, err := generatePrivateKey(rsakey, c.keyBits)
|
||||
if err != nil {
|
||||
errc <- domainError{Domain: authz.Domain, Error: err}
|
||||
return
|
||||
return CertificateResource{}, err
|
||||
}
|
||||
|
||||
var san []string
|
||||
var authURLs []string
|
||||
for _, auth := range authz[1:] {
|
||||
san = append(san, auth.Domain)
|
||||
authURLs = append(authURLs, auth.AuthURL)
|
||||
}
|
||||
|
||||
// TODO: should the CSR be customizable?
|
||||
csr, err := generateCsr(privKey.(*rsa.PrivateKey), authz.Domain)
|
||||
csr, err := generateCsr(privKey.(*rsa.PrivateKey), commonName.Domain, san)
|
||||
if err != nil {
|
||||
errc <- domainError{Domain: authz.Domain, Error: err}
|
||||
return
|
||||
return CertificateResource{}, err
|
||||
}
|
||||
|
||||
csrString := base64.URLEncoding.EncodeToString(csr)
|
||||
jsonBytes, err := json.Marshal(csrMessage{Resource: "new-cert", Csr: csrString, Authorizations: []string{authz.AuthURL}})
|
||||
jsonBytes, err := json.Marshal(csrMessage{Resource: "new-cert", Csr: csrString, Authorizations: authURLs})
|
||||
if err != nil {
|
||||
errc <- domainError{Domain: authz.Domain, Error: err}
|
||||
return
|
||||
return CertificateResource{}, err
|
||||
}
|
||||
|
||||
resp, err := c.jws.post(authz.NewCertURL, jsonBytes)
|
||||
resp, err := c.jws.post(commonName.NewCertURL, jsonBytes)
|
||||
if err != nil {
|
||||
errc <- domainError{Domain: authz.Domain, Error: err}
|
||||
return
|
||||
return CertificateResource{}, err
|
||||
}
|
||||
|
||||
privateKeyPem := pemEncode(privKey)
|
||||
cerRes := CertificateResource{
|
||||
Domain: authz.Domain,
|
||||
Domain: commonName.Domain,
|
||||
CertURL: resp.Header.Get("Location"),
|
||||
PrivateKey: privateKeyPem}
|
||||
|
||||
|
@ -505,8 +571,7 @@ func (c *Client) requestCertificate(authz *authorizationResource, result chan Ce
|
|||
cert, err := ioutil.ReadAll(resp.Body)
|
||||
resp.Body.Close()
|
||||
if err != nil {
|
||||
errc <- domainError{Domain: authz.Domain, Error: err}
|
||||
return
|
||||
return CertificateResource{}, err
|
||||
}
|
||||
|
||||
// The server returns a body with a length of zero if the
|
||||
|
@ -526,7 +591,7 @@ func (c *Client) requestCertificate(authz *authorizationResource, result chan Ce
|
|||
issuerCert, err := c.getIssuerCertificate(links["up"])
|
||||
if err != nil {
|
||||
// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
|
||||
logf("[WARNING] acme: [%s] Could not bundle issuer certificate: %v", authz.Domain, err)
|
||||
logf("[WARNING] acme: [%s] Could not bundle issuer certificate: %v", commonName.Domain, err)
|
||||
} else {
|
||||
// Success - append the issuer cert to the issued cert.
|
||||
issuerCert = pemEncode(derCertificateBytes(issuerCert))
|
||||
|
@ -535,9 +600,8 @@ func (c *Client) requestCertificate(authz *authorizationResource, result chan Ce
|
|||
}
|
||||
|
||||
cerRes.Certificate = issuedCert
|
||||
logf("[%s] Server responded with a certificate.", authz.Domain)
|
||||
result <- cerRes
|
||||
return
|
||||
logf("[%s] Server responded with a certificate.", commonName.Domain)
|
||||
return cerRes, nil
|
||||
}
|
||||
|
||||
// The certificate was granted but is not yet issued.
|
||||
|
@ -545,23 +609,20 @@ func (c *Client) requestCertificate(authz *authorizationResource, result chan Ce
|
|||
ra := resp.Header.Get("Retry-After")
|
||||
retryAfter, err := strconv.Atoi(ra)
|
||||
if err != nil {
|
||||
errc <- domainError{Domain: authz.Domain, Error: err}
|
||||
return
|
||||
return CertificateResource{}, err
|
||||
}
|
||||
|
||||
logf("[INFO] acme: [%s] Server responded with status 202; retrying after %ds", authz.Domain, retryAfter)
|
||||
logf("[INFO] acme: [%s] Server responded with status 202; retrying after %ds", commonName.Domain, retryAfter)
|
||||
time.Sleep(time.Duration(retryAfter) * time.Second)
|
||||
|
||||
break
|
||||
default:
|
||||
errc <- domainError{Domain: authz.Domain, Error: handleHTTPError(resp)}
|
||||
return
|
||||
return CertificateResource{}, handleHTTPError(resp)
|
||||
}
|
||||
|
||||
resp, err = http.Get(cerRes.CertURL)
|
||||
if err != nil {
|
||||
errc <- domainError{Domain: authz.Domain, Error: err}
|
||||
return
|
||||
return CertificateResource{}, err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -211,13 +211,17 @@ func generatePrivateKey(t keyType, keyLength int) (crypto.PrivateKey, error) {
|
|||
return nil, fmt.Errorf("Invalid keytype: %d", t)
|
||||
}
|
||||
|
||||
func generateCsr(privateKey *rsa.PrivateKey, domain string) ([]byte, error) {
|
||||
func generateCsr(privateKey *rsa.PrivateKey, domain string, san []string) ([]byte, error) {
|
||||
template := x509.CertificateRequest{
|
||||
Subject: pkix.Name{
|
||||
CommonName: domain,
|
||||
},
|
||||
}
|
||||
|
||||
if len(san) > 0 {
|
||||
template.DNSNames = san
|
||||
}
|
||||
|
||||
return x509.CreateCertificateRequest(rand.Reader, &template, privateKey)
|
||||
}
|
||||
|
||||
|
|
|
@ -23,7 +23,7 @@ func TestGenerateCSR(t *testing.T) {
|
|||
t.Fatal("Error generating private key:", err)
|
||||
}
|
||||
|
||||
csr, err := generateCsr(key.(*rsa.PrivateKey), "fizz.buzz")
|
||||
csr, err := generateCsr(key.(*rsa.PrivateKey), "fizz.buzz", nil)
|
||||
if err != nil {
|
||||
t.Error("Error generating CSR:", err)
|
||||
}
|
||||
|
|
|
@ -125,7 +125,7 @@ func run(c *cli.Context) {
|
|||
logger().Fatal("Please specify --domains")
|
||||
}
|
||||
|
||||
certs, failures := client.ObtainCertificates(c.GlobalStringSlice("domains"), true)
|
||||
cert, failures := client.ObtainSANCertificate(c.GlobalStringSlice("domains"), true)
|
||||
if len(failures) > 0 {
|
||||
for k, v := range failures {
|
||||
logger().Printf("[%s] Could not obtain certificates\n\t%v", k, v)
|
||||
|
@ -137,9 +137,7 @@ func run(c *cli.Context) {
|
|||
logger().Fatalf("Cound not check/create path: %v", err)
|
||||
}
|
||||
|
||||
for _, certRes := range certs {
|
||||
saveCertRes(certRes, conf)
|
||||
}
|
||||
saveCertRes(cert, conf)
|
||||
}
|
||||
|
||||
func revoke(c *cli.Context) {
|
||||
|
|
Loading…
Reference in a new issue