2015-06-08 00:36:07 +00:00
|
|
|
package acme
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/rsa"
|
2015-10-18 22:42:04 +00:00
|
|
|
"crypto/x509"
|
2015-06-13 01:55:53 +00:00
|
|
|
"encoding/base64"
|
2015-06-08 00:36:07 +00:00
|
|
|
"encoding/json"
|
|
|
|
"errors"
|
2015-06-08 21:54:15 +00:00
|
|
|
"fmt"
|
2015-06-08 00:36:07 +00:00
|
|
|
"io/ioutil"
|
|
|
|
"log"
|
|
|
|
"net/http"
|
|
|
|
"regexp"
|
2015-10-18 00:16:15 +00:00
|
|
|
"strconv"
|
2015-06-08 00:36:07 +00:00
|
|
|
"strings"
|
2015-10-18 00:16:15 +00:00
|
|
|
"time"
|
2015-06-08 00:36:07 +00:00
|
|
|
)
|
|
|
|
|
2015-11-06 06:43:42 +00:00
|
|
|
// Logger is an optional custom logger.
|
2015-06-08 00:36:07 +00:00
|
|
|
var Logger *log.Logger
|
|
|
|
|
2015-11-06 06:43:42 +00:00
|
|
|
// logf writes a log entry. It uses Logger if not
|
|
|
|
// nil, otherwise it uses the default log.Logger.
|
|
|
|
func logf(format string, args ...interface{}) {
|
|
|
|
if Logger != nil {
|
|
|
|
Logger.Printf(format, args...)
|
|
|
|
} else {
|
|
|
|
log.Printf(format, args...)
|
2015-06-08 00:36:07 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// User interface is to be implemented by users of this library.
|
|
|
|
// It is used by the client type to get user specific information.
|
|
|
|
type User interface {
|
|
|
|
GetEmail() string
|
|
|
|
GetRegistration() *RegistrationResource
|
|
|
|
GetPrivateKey() *rsa.PrivateKey
|
|
|
|
}
|
|
|
|
|
2015-06-13 02:50:36 +00:00
|
|
|
// Interface for all challenge solvers to implement.
|
2015-06-11 13:31:09 +00:00
|
|
|
type solver interface {
|
2015-06-13 01:55:53 +00:00
|
|
|
Solve(challenge challenge, domain string) error
|
2015-06-10 13:11:01 +00:00
|
|
|
}
|
|
|
|
|
2015-06-08 00:36:07 +00:00
|
|
|
// Client is the user-friendy way to ACME
|
|
|
|
type Client struct {
|
2015-10-24 01:55:18 +00:00
|
|
|
directory directory
|
|
|
|
user User
|
|
|
|
jws *jws
|
|
|
|
keyBits int
|
|
|
|
issuerCert []byte
|
|
|
|
solvers map[string]solver
|
2015-06-08 00:36:07 +00:00
|
|
|
}
|
|
|
|
|
2015-11-20 19:01:06 +00:00
|
|
|
// NewClient creates a new ACME client on behalf of user. The client will depend on
|
|
|
|
// the ACME directory located at caDirURL for the rest of its actions. It will
|
|
|
|
// generate private keys for certificates of size keyBits. And, if the challenge
|
|
|
|
// type requires it, the client will open a port at optPort to solve the challenge.
|
|
|
|
// If optPort is blank, the port required by the spec will be used, but you must
|
|
|
|
// forward the required port to optPort for the challenge to succeed.
|
|
|
|
func NewClient(caDirURL string, user User, keyBits int, optPort string) (*Client, error) {
|
|
|
|
privKey := user.GetPrivateKey()
|
2015-10-27 23:00:42 +00:00
|
|
|
if privKey == nil {
|
|
|
|
return nil, errors.New("private key was nil")
|
2015-06-08 00:36:07 +00:00
|
|
|
}
|
2015-10-27 23:00:42 +00:00
|
|
|
|
|
|
|
if err := privKey.Validate(); err != nil {
|
|
|
|
return nil, fmt.Errorf("invalid private key: %v", err)
|
|
|
|
}
|
|
|
|
|
2015-11-20 19:01:06 +00:00
|
|
|
dirResp, err := http.Get(caDirURL)
|
2015-09-26 20:59:16 +00:00
|
|
|
if err != nil {
|
2015-11-20 19:01:06 +00:00
|
|
|
return nil, fmt.Errorf("get directory at '%s': %v", caDirURL, err)
|
2015-09-26 20:59:16 +00:00
|
|
|
}
|
2015-10-22 04:16:29 +00:00
|
|
|
defer dirResp.Body.Close()
|
|
|
|
|
2015-09-26 20:59:16 +00:00
|
|
|
var dir directory
|
2015-10-27 23:00:42 +00:00
|
|
|
err = json.NewDecoder(dirResp.Body).Decode(&dir)
|
2015-09-26 20:59:16 +00:00
|
|
|
if err != nil {
|
2015-10-27 23:00:42 +00:00
|
|
|
return nil, fmt.Errorf("decode directory: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if dir.NewRegURL == "" {
|
|
|
|
return nil, errors.New("directory missing new registration URL")
|
|
|
|
}
|
|
|
|
if dir.NewAuthzURL == "" {
|
|
|
|
return nil, errors.New("directory missing new authz URL")
|
2015-09-26 20:59:16 +00:00
|
|
|
}
|
2015-10-27 23:00:42 +00:00
|
|
|
if dir.NewCertURL == "" {
|
|
|
|
return nil, errors.New("directory missing new certificate URL")
|
|
|
|
}
|
|
|
|
if dir.RevokeCertURL == "" {
|
|
|
|
return nil, errors.New("directory missing revoke certificate URL")
|
2015-09-26 20:59:16 +00:00
|
|
|
}
|
|
|
|
|
2015-11-20 19:01:06 +00:00
|
|
|
jws := &jws{privKey: privKey, directoryURL: caDirURL}
|
2015-11-12 01:55:28 +00:00
|
|
|
|
|
|
|
// REVIEW: best possibility?
|
|
|
|
// Add all available solvers with the right index as per ACME
|
|
|
|
// spec to this map. Otherwise they won`t be found.
|
|
|
|
solvers := make(map[string]solver)
|
2015-11-12 21:32:27 +00:00
|
|
|
solvers["http-01"] = &httpChallenge{jws: jws, optPort: optPort}
|
2015-11-19 23:33:46 +00:00
|
|
|
solvers["tls-sni-01"] = &tlsSNIChallenge{jws: jws, optPort: optPort}
|
2015-11-12 01:55:28 +00:00
|
|
|
|
2015-11-20 19:01:06 +00:00
|
|
|
return &Client{directory: dir, user: user, jws: jws, keyBits: keyBits, solvers: solvers}, nil
|
2015-06-08 00:36:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Register the current account to the ACME server.
|
|
|
|
func (c *Client) Register() (*RegistrationResource, error) {
|
2015-11-07 06:22:32 +00:00
|
|
|
if c == nil || c.user == nil {
|
|
|
|
return nil, errors.New("acme: cannot register a nil client or user")
|
|
|
|
}
|
|
|
|
logf("[INFO] acme: Registering account for %s", c.user.GetEmail())
|
2015-10-23 14:24:02 +00:00
|
|
|
|
2015-10-30 23:11:33 +00:00
|
|
|
regMsg := registrationMessage{
|
2015-10-23 14:24:02 +00:00
|
|
|
Resource: "new-reg",
|
2015-10-30 23:11:33 +00:00
|
|
|
}
|
|
|
|
if c.user.GetEmail() != "" {
|
|
|
|
regMsg.Contact = []string{"mailto:" + c.user.GetEmail()}
|
|
|
|
} else {
|
|
|
|
regMsg.Contact = []string{}
|
|
|
|
}
|
|
|
|
|
|
|
|
jsonBytes, err := json.Marshal(regMsg)
|
2015-06-08 00:36:07 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2015-09-26 20:59:16 +00:00
|
|
|
resp, err := c.jws.post(c.directory.NewRegURL, jsonBytes)
|
2015-06-08 00:36:07 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2015-10-22 04:16:29 +00:00
|
|
|
defer resp.Body.Close()
|
2015-06-08 00:36:07 +00:00
|
|
|
|
2015-10-29 00:42:05 +00:00
|
|
|
if resp.StatusCode >= http.StatusBadRequest {
|
|
|
|
return nil, handleHTTPError(resp)
|
2015-06-08 00:36:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var serverReg Registration
|
|
|
|
decoder := json.NewDecoder(resp.Body)
|
|
|
|
err = decoder.Decode(&serverReg)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
reg := &RegistrationResource{Body: serverReg}
|
|
|
|
|
|
|
|
links := parseLinks(resp.Header["Link"])
|
|
|
|
reg.URI = resp.Header.Get("Location")
|
|
|
|
if links["terms-of-service"] != "" {
|
|
|
|
reg.TosURL = links["terms-of-service"]
|
|
|
|
}
|
|
|
|
|
|
|
|
if links["next"] != "" {
|
|
|
|
reg.NewAuthzURL = links["next"]
|
|
|
|
} else {
|
2015-11-07 06:22:32 +00:00
|
|
|
return nil, errors.New("acme: The server did not return 'next' link to proceed")
|
2015-06-08 00:36:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return reg, nil
|
|
|
|
}
|
|
|
|
|
2015-10-23 08:15:57 +00:00
|
|
|
// AgreeToTOS updates the Client registration and sends the agreement to
|
2015-06-08 21:54:15 +00:00
|
|
|
// the server.
|
2015-10-23 08:15:57 +00:00
|
|
|
func (c *Client) AgreeToTOS() error {
|
2015-06-08 21:54:15 +00:00
|
|
|
c.user.GetRegistration().Body.Agreement = c.user.GetRegistration().TosURL
|
2015-09-26 17:45:52 +00:00
|
|
|
c.user.GetRegistration().Body.Resource = "reg"
|
2015-06-08 21:54:15 +00:00
|
|
|
jsonBytes, err := json.Marshal(&c.user.GetRegistration().Body)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2015-06-11 22:13:43 +00:00
|
|
|
resp, err := c.jws.post(c.user.GetRegistration().URI, jsonBytes)
|
2015-06-08 21:54:15 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2015-10-22 04:16:29 +00:00
|
|
|
defer resp.Body.Close()
|
2015-06-08 21:54:15 +00:00
|
|
|
|
|
|
|
if resp.StatusCode != http.StatusAccepted {
|
2015-10-29 00:42:05 +00:00
|
|
|
return handleHTTPError(resp)
|
2015-06-08 21:54:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// ObtainCertificates tries to obtain certificates from the CA server
|
2015-06-13 01:55:53 +00:00
|
|
|
// using the challenges it has configured. The returned certificates are
|
2015-10-18 01:10:46 +00:00
|
|
|
// PEM encoded byte slices.
|
2015-10-24 01:55:18 +00:00
|
|
|
// If bundle is true, the []byte contains both the issuer certificate and
|
|
|
|
// your issued certificate as a bundle.
|
2015-11-02 00:01:00 +00:00
|
|
|
func (c *Client) ObtainCertificates(domains []string, bundle bool) ([]CertificateResource, map[string]error) {
|
2015-11-07 06:22:32 +00:00
|
|
|
if bundle {
|
|
|
|
logf("[INFO] acme: Obtaining bundled certificates for %v", strings.Join(domains, ", "))
|
|
|
|
} else {
|
|
|
|
logf("[INFO] acme: Obtaining certificates for %v", strings.Join(domains, ", "))
|
|
|
|
}
|
|
|
|
|
2015-11-02 00:01:00 +00:00
|
|
|
challenges, failures := c.getChallenges(domains)
|
|
|
|
if len(challenges) == 0 {
|
|
|
|
return nil, failures
|
|
|
|
}
|
|
|
|
|
2015-06-13 01:55:53 +00:00
|
|
|
err := c.solveChallenges(challenges)
|
2015-11-02 00:01:00 +00:00
|
|
|
for k, v := range err {
|
|
|
|
failures[k] = v
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(failures) == len(domains) {
|
|
|
|
return nil, failures
|
2015-06-13 01:55:53 +00:00
|
|
|
}
|
|
|
|
|
2015-11-11 00:01:15 +00:00
|
|
|
// remove failed challenges from slice
|
|
|
|
var succeededChallenges []authorizationResource
|
|
|
|
for _, chln := range challenges {
|
|
|
|
if failures[chln.Domain] == nil {
|
|
|
|
succeededChallenges = append(succeededChallenges, chln)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-11-07 06:22:32 +00:00
|
|
|
logf("[INFO] acme: Validations succeeded; requesting certificates")
|
2015-06-13 01:55:53 +00:00
|
|
|
|
2015-11-11 00:01:15 +00:00
|
|
|
certs, err := c.requestCertificates(succeededChallenges, bundle)
|
2015-11-02 00:01:00 +00:00
|
|
|
for k, v := range err {
|
|
|
|
failures[k] = v
|
|
|
|
}
|
|
|
|
|
|
|
|
return certs, failures
|
2015-06-10 13:11:01 +00:00
|
|
|
}
|
|
|
|
|
2015-11-18 18:53:42 +00:00
|
|
|
// ObtainSANCertificate tries to obtain a single certificate using all domains passed into it.
|
|
|
|
// The first domain in domains is used for the CommonName field of the certificate, all other
|
|
|
|
// domains are added using the Subject Alternate Names extension.
|
|
|
|
// If bundle is true, the []byte contains both the issuer certificate and
|
|
|
|
// your issued certificate as a bundle.
|
2015-11-11 00:01:15 +00:00
|
|
|
func (c *Client) ObtainSANCertificate(domains []string, bundle bool) (CertificateResource, map[string]error) {
|
|
|
|
if bundle {
|
|
|
|
logf("[INFO] acme: Obtaining bundled SAN certificate for %v", strings.Join(domains, ", "))
|
|
|
|
} else {
|
|
|
|
logf("[INFO] acme: Obtaining SAN certificate for %v", strings.Join(domains, ", "))
|
|
|
|
}
|
|
|
|
|
|
|
|
challenges, failures := c.getChallenges(domains)
|
2015-11-17 21:22:25 +00:00
|
|
|
// If any challenge fails - return. Do not generate partial SAN certificates.
|
|
|
|
if len(failures) > 0 {
|
2015-11-11 00:01:15 +00:00
|
|
|
return CertificateResource{}, failures
|
|
|
|
}
|
|
|
|
|
|
|
|
errs := c.solveChallenges(challenges)
|
2015-11-17 18:45:15 +00:00
|
|
|
// If any challenge fails - return. Do not generate partial SAN certificates.
|
|
|
|
if len(errs) > 0 {
|
2015-11-17 22:07:13 +00:00
|
|
|
return CertificateResource{}, errs
|
2015-11-11 00:01:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
logf("[INFO] acme: Validations succeeded; requesting certificates")
|
|
|
|
|
2015-11-17 21:22:25 +00:00
|
|
|
cert, err := c.requestCertificate(challenges, bundle)
|
2015-11-11 00:01:15 +00:00
|
|
|
if err != nil {
|
2015-11-17 21:22:25 +00:00
|
|
|
for _, chln := range challenges {
|
2015-11-11 00:01:15 +00:00
|
|
|
failures[chln.Domain] = err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return cert, failures
|
|
|
|
}
|
|
|
|
|
2015-10-24 01:55:18 +00:00
|
|
|
// RevokeCertificate takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
|
2015-09-27 12:51:44 +00:00
|
|
|
func (c *Client) RevokeCertificate(certificate []byte) error {
|
2015-10-24 01:55:18 +00:00
|
|
|
certificates, err := parsePEMBundle(certificate)
|
2015-10-19 01:18:06 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2015-10-24 02:31:12 +00:00
|
|
|
x509Cert := certificates[0]
|
2015-10-24 01:55:18 +00:00
|
|
|
if x509Cert.IsCA {
|
2015-10-24 02:31:12 +00:00
|
|
|
return fmt.Errorf("Certificate bundle starts with a CA certificate")
|
2015-10-24 01:55:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
encodedCert := base64.URLEncoding.EncodeToString(x509Cert.Raw)
|
2015-09-27 12:51:44 +00:00
|
|
|
|
|
|
|
jsonBytes, err := json.Marshal(revokeCertMessage{Resource: "revoke-cert", Certificate: encodedCert})
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
resp, err := c.jws.post(c.directory.RevokeCertURL, jsonBytes)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2015-10-22 04:16:29 +00:00
|
|
|
defer resp.Body.Close()
|
2015-09-27 12:51:44 +00:00
|
|
|
|
2015-10-29 00:42:05 +00:00
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
|
|
return handleHTTPError(resp)
|
2015-09-27 12:51:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-10-18 22:42:04 +00:00
|
|
|
// RenewCertificate takes a CertificateResource and tries to renew the certificate.
|
2015-10-25 22:37:26 +00:00
|
|
|
// If the renewal process succeeds, the new certificate will ge returned in a new CertResource.
|
2015-10-18 22:42:04 +00:00
|
|
|
// Please be aware that this function will return a new certificate in ANY case that is not an error.
|
|
|
|
// If the server does not provide us with a new cert on a GET request to the CertURL
|
2015-10-19 01:18:06 +00:00
|
|
|
// this function will start a new-cert flow where a new certificate gets generated.
|
2015-10-24 01:55:18 +00:00
|
|
|
// If bundle is true, the []byte contains both the issuer certificate and
|
|
|
|
// your issued certificate as a bundle.
|
|
|
|
func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bundle bool) (CertificateResource, error) {
|
2015-10-18 22:42:04 +00:00
|
|
|
// Input certificate is PEM encoded. Decode it here as we may need the decoded
|
2015-10-24 01:55:18 +00:00
|
|
|
// cert later on in the renewal process. The input may be a bundle or a single certificate.
|
|
|
|
certificates, err := parsePEMBundle(cert.Certificate)
|
2015-10-18 22:42:04 +00:00
|
|
|
if err != nil {
|
2015-10-19 01:18:06 +00:00
|
|
|
return CertificateResource{}, err
|
2015-10-18 22:42:04 +00:00
|
|
|
}
|
|
|
|
|
2015-10-24 02:31:12 +00:00
|
|
|
x509Cert := certificates[0]
|
2015-10-24 01:55:18 +00:00
|
|
|
if x509Cert.IsCA {
|
2015-10-24 02:31:12 +00:00
|
|
|
return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle starts with a CA certificate", cert.Domain)
|
2015-10-24 01:55:18 +00:00
|
|
|
}
|
|
|
|
|
2015-10-18 22:42:04 +00:00
|
|
|
// This is just meant to be informal for the user.
|
|
|
|
timeLeft := x509Cert.NotAfter.Sub(time.Now().UTC())
|
2015-11-07 06:22:32 +00:00
|
|
|
logf("[INFO] acme: [%s] Trying renewal with %d hours remaining", cert.Domain, int(timeLeft.Hours()))
|
2015-10-18 22:42:04 +00:00
|
|
|
|
|
|
|
// The first step of renewal is to check if we get a renewed cert
|
|
|
|
// directly from the cert URL.
|
|
|
|
resp, err := http.Get(cert.CertURL)
|
2015-10-22 04:16:29 +00:00
|
|
|
if err != nil {
|
|
|
|
return CertificateResource{}, err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
2015-10-18 22:42:04 +00:00
|
|
|
serverCertBytes, err := ioutil.ReadAll(resp.Body)
|
|
|
|
if err != nil {
|
2015-10-19 01:18:06 +00:00
|
|
|
return CertificateResource{}, err
|
2015-10-18 22:42:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
serverCert, err := x509.ParseCertificate(serverCertBytes)
|
|
|
|
if err != nil {
|
2015-10-19 01:18:06 +00:00
|
|
|
return CertificateResource{}, err
|
2015-10-18 22:42:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// If the server responds with a different certificate we are effectively renewed.
|
|
|
|
// TODO: Further test if we can actually use the new certificate (Our private key works)
|
|
|
|
if !x509Cert.Equal(serverCert) {
|
2015-11-07 06:22:32 +00:00
|
|
|
logf("[INFO] acme: [%s] Server responded with renewed certificate", cert.Domain)
|
2015-10-19 01:18:06 +00:00
|
|
|
if revokeOld {
|
|
|
|
c.RevokeCertificate(cert.Certificate)
|
|
|
|
}
|
2015-10-24 01:55:18 +00:00
|
|
|
issuedCert := pemEncode(derCertificateBytes(serverCertBytes))
|
|
|
|
// If bundle is true, we want to return a certificate bundle.
|
|
|
|
// To do this, we need the issuer certificate.
|
|
|
|
if bundle {
|
|
|
|
// The issuer certificate link is always supplied via an "up" link
|
|
|
|
// in the response headers of a new certificate.
|
|
|
|
links := parseLinks(resp.Header["Link"])
|
|
|
|
issuerCert, err := c.getIssuerCertificate(links["up"])
|
|
|
|
if err != nil {
|
|
|
|
// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
|
2015-11-07 06:22:32 +00:00
|
|
|
logf("[ERROR] acme: [%s] Could not bundle issuer certificate: %v", cert.Domain, err)
|
2015-10-24 01:55:18 +00:00
|
|
|
} else {
|
2015-10-24 02:31:12 +00:00
|
|
|
// Success - append the issuer cert to the issued cert.
|
2015-10-24 01:55:18 +00:00
|
|
|
issuerCert = pemEncode(derCertificateBytes(issuerCert))
|
2015-10-24 02:31:12 +00:00
|
|
|
issuedCert = append(issuedCert, issuerCert...)
|
|
|
|
cert.Certificate = issuedCert
|
2015-10-24 01:55:18 +00:00
|
|
|
}
|
|
|
|
}
|
2015-10-24 02:31:12 +00:00
|
|
|
|
|
|
|
cert.Certificate = issuedCert
|
2015-10-18 22:42:04 +00:00
|
|
|
return cert, nil
|
|
|
|
}
|
|
|
|
|
2015-11-02 00:01:00 +00:00
|
|
|
newCerts, failures := c.ObtainCertificates([]string{cert.Domain}, bundle)
|
|
|
|
if len(failures) > 0 {
|
|
|
|
return CertificateResource{}, failures[cert.Domain]
|
2015-10-19 01:18:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if revokeOld {
|
|
|
|
c.RevokeCertificate(cert.Certificate)
|
2015-10-18 22:42:04 +00:00
|
|
|
}
|
|
|
|
|
2015-10-19 01:18:06 +00:00
|
|
|
return newCerts[0], nil
|
2015-10-18 22:42:04 +00:00
|
|
|
}
|
|
|
|
|
2015-06-10 23:11:14 +00:00
|
|
|
// Looks through the challenge combinations to find a solvable match.
|
|
|
|
// Then solves the challenges in series and returns.
|
2015-11-11 00:01:15 +00:00
|
|
|
func (c *Client) solveChallenges(challenges []authorizationResource) map[string]error {
|
2015-06-10 23:11:14 +00:00
|
|
|
// loop through the resources, basically through the domains.
|
2015-11-02 00:01:00 +00:00
|
|
|
failures := make(map[string]error)
|
2015-06-11 22:15:13 +00:00
|
|
|
for _, authz := range challenges {
|
|
|
|
// no solvers - no solving
|
2015-06-13 16:37:30 +00:00
|
|
|
if solvers := c.chooseSolvers(authz.Body, authz.Domain); solvers != nil {
|
2015-06-11 22:15:13 +00:00
|
|
|
for i, solver := range solvers {
|
2015-06-13 01:55:53 +00:00
|
|
|
// TODO: do not immediately fail if one domain fails to validate.
|
|
|
|
err := solver.Solve(authz.Body.Challenges[i], authz.Domain)
|
|
|
|
if err != nil {
|
2015-11-02 00:01:00 +00:00
|
|
|
failures[authz.Domain] = err
|
2015-06-13 01:55:53 +00:00
|
|
|
}
|
2015-06-11 22:15:13 +00:00
|
|
|
}
|
|
|
|
} else {
|
2015-11-07 06:22:32 +00:00
|
|
|
failures[authz.Domain] = fmt.Errorf("acme: Could not determine solvers for %s", authz.Domain)
|
2015-06-11 22:15:13 +00:00
|
|
|
}
|
2015-06-10 13:11:01 +00:00
|
|
|
}
|
2015-06-11 22:15:13 +00:00
|
|
|
|
2015-11-02 00:01:00 +00:00
|
|
|
return failures
|
2015-06-11 22:15:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Checks all combinations from the server and returns an array of
|
|
|
|
// solvers which should get executed in series.
|
2015-06-13 16:37:30 +00:00
|
|
|
func (c *Client) chooseSolvers(auth authorization, domain string) map[int]solver {
|
2015-06-11 22:15:13 +00:00
|
|
|
for _, combination := range auth.Combinations {
|
|
|
|
solvers := make(map[int]solver)
|
2015-06-13 01:55:53 +00:00
|
|
|
for _, idx := range combination {
|
2015-10-25 23:39:24 +00:00
|
|
|
if solver, ok := c.solvers[auth.Challenges[idx].Type]; ok {
|
2015-06-13 01:55:53 +00:00
|
|
|
solvers[idx] = solver
|
|
|
|
} else {
|
2015-11-19 23:33:46 +00:00
|
|
|
logf("[INFO] acme: Could not find solver for: %s", auth.Challenges[idx].Type)
|
2015-06-11 22:15:13 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// If we can solve the whole combination, return the solvers
|
|
|
|
if len(solvers) == len(combination) {
|
|
|
|
return solvers
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
2015-06-10 13:11:01 +00:00
|
|
|
}
|
|
|
|
|
2015-06-10 23:11:14 +00:00
|
|
|
// Get the challenges needed to proof our identifier to the ACME server.
|
2015-11-11 00:01:15 +00:00
|
|
|
func (c *Client) getChallenges(domains []string) ([]authorizationResource, map[string]error) {
|
|
|
|
resc, errc := make(chan authorizationResource), make(chan domainError)
|
2015-06-10 13:11:01 +00:00
|
|
|
|
2015-06-08 21:54:15 +00:00
|
|
|
for _, domain := range domains {
|
|
|
|
go func(domain string) {
|
2015-09-26 17:45:52 +00:00
|
|
|
jsonBytes, err := json.Marshal(authorization{Resource: "new-authz", Identifier: identifier{Type: "dns", Value: domain}})
|
2015-06-08 21:54:15 +00:00
|
|
|
if err != nil {
|
2015-11-02 00:01:00 +00:00
|
|
|
errc <- domainError{Domain: domain, Error: err}
|
2015-06-08 21:54:15 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2015-06-11 22:13:43 +00:00
|
|
|
resp, err := c.jws.post(c.user.GetRegistration().NewAuthzURL, jsonBytes)
|
2015-06-08 21:54:15 +00:00
|
|
|
if err != nil {
|
2015-11-02 00:01:00 +00:00
|
|
|
errc <- domainError{Domain: domain, Error: err}
|
2015-06-08 21:54:15 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if resp.StatusCode != http.StatusCreated {
|
2015-11-02 00:01:00 +00:00
|
|
|
errc <- domainError{Domain: domain, Error: handleHTTPError(resp)}
|
2015-06-08 21:54:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
links := parseLinks(resp.Header["Link"])
|
|
|
|
if links["next"] == "" {
|
2015-11-07 06:22:32 +00:00
|
|
|
logf("[ERROR] acme: Server did not provide next link to proceed")
|
2015-10-27 23:00:42 +00:00
|
|
|
return
|
2015-06-08 21:54:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var authz authorization
|
|
|
|
decoder := json.NewDecoder(resp.Body)
|
|
|
|
err = decoder.Decode(&authz)
|
|
|
|
if err != nil {
|
2015-11-02 00:01:00 +00:00
|
|
|
errc <- domainError{Domain: domain, Error: err}
|
2015-06-08 21:54:15 +00:00
|
|
|
}
|
2015-10-22 04:16:29 +00:00
|
|
|
resp.Body.Close()
|
2015-06-08 21:54:15 +00:00
|
|
|
|
2015-11-11 00:01:15 +00:00
|
|
|
resc <- authorizationResource{Body: authz, NewCertURL: links["next"], AuthURL: resp.Header.Get("Location"), Domain: domain}
|
2015-06-08 21:54:15 +00:00
|
|
|
}(domain)
|
|
|
|
}
|
|
|
|
|
2015-11-18 18:44:47 +00:00
|
|
|
responses := make(map[string]authorizationResource)
|
2015-11-02 00:01:00 +00:00
|
|
|
failures := make(map[string]error)
|
2015-06-08 21:54:15 +00:00
|
|
|
for i := 0; i < len(domains); i++ {
|
|
|
|
select {
|
|
|
|
case res := <-resc:
|
2015-11-18 18:44:47 +00:00
|
|
|
responses[res.Domain] = res
|
2015-06-08 21:54:15 +00:00
|
|
|
case err := <-errc:
|
2015-11-02 00:01:00 +00:00
|
|
|
failures[err.Domain] = err.Error
|
2015-06-08 21:54:15 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-11-18 18:44:47 +00:00
|
|
|
challenges := make([]authorizationResource, 0, len(responses))
|
|
|
|
for _, domain := range domains {
|
|
|
|
if challenge, ok := responses[domain]; ok {
|
|
|
|
challenges = append(challenges, challenge)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-06-08 21:54:15 +00:00
|
|
|
close(resc)
|
|
|
|
close(errc)
|
|
|
|
|
2015-11-18 18:44:47 +00:00
|
|
|
return challenges, failures
|
2015-06-08 21:54:15 +00:00
|
|
|
}
|
|
|
|
|
2015-06-13 02:50:36 +00:00
|
|
|
// requestCertificates iterates all granted authorizations, creates RSA private keys and CSRs.
|
|
|
|
// It then uses these to request a certificate from the CA and returns the list of successfully
|
|
|
|
// granted certificates.
|
2015-11-11 00:01:15 +00:00
|
|
|
func (c *Client) requestCertificates(challenges []authorizationResource, bundle bool) ([]CertificateResource, map[string]error) {
|
2015-11-02 00:01:00 +00:00
|
|
|
resc, errc := make(chan CertificateResource), make(chan domainError)
|
2015-06-13 01:55:53 +00:00
|
|
|
for _, authz := range challenges {
|
2015-11-11 00:01:15 +00:00
|
|
|
go func(authz authorizationResource, resc chan CertificateResource, errc chan domainError) {
|
|
|
|
certRes, err := c.requestCertificate([]authorizationResource{authz}, bundle)
|
|
|
|
if err != nil {
|
|
|
|
errc <- domainError{Domain: authz.Domain, Error: err}
|
|
|
|
} else {
|
|
|
|
resc <- certRes
|
|
|
|
}
|
|
|
|
}(authz, resc, errc)
|
2015-10-18 00:16:15 +00:00
|
|
|
}
|
2015-06-13 01:55:53 +00:00
|
|
|
|
2015-10-18 00:16:15 +00:00
|
|
|
var certs []CertificateResource
|
2015-11-02 00:01:00 +00:00
|
|
|
failures := make(map[string]error)
|
2015-10-18 00:16:15 +00:00
|
|
|
for i := 0; i < len(challenges); i++ {
|
|
|
|
select {
|
|
|
|
case res := <-resc:
|
|
|
|
certs = append(certs, res)
|
|
|
|
case err := <-errc:
|
2015-11-02 00:01:00 +00:00
|
|
|
failures[err.Domain] = err.Error
|
2015-06-13 01:55:53 +00:00
|
|
|
}
|
2015-10-18 00:16:15 +00:00
|
|
|
}
|
2015-06-13 01:55:53 +00:00
|
|
|
|
2015-10-18 15:27:59 +00:00
|
|
|
close(resc)
|
|
|
|
close(errc)
|
|
|
|
|
2015-11-11 00:01:15 +00:00
|
|
|
return certs, failures
|
2015-10-18 00:16:15 +00:00
|
|
|
}
|
|
|
|
|
2015-11-11 00:01:15 +00:00
|
|
|
func (c *Client) requestCertificate(authz []authorizationResource, bundle bool) (CertificateResource, error) {
|
|
|
|
if len(authz) == 0 {
|
|
|
|
return CertificateResource{}, errors.New("Passed no authorizations to requestCertificate!")
|
|
|
|
}
|
|
|
|
|
|
|
|
commonName := authz[0]
|
2015-10-23 14:24:02 +00:00
|
|
|
privKey, err := generatePrivateKey(rsakey, c.keyBits)
|
2015-10-18 00:16:15 +00:00
|
|
|
if err != nil {
|
2015-11-11 00:01:15 +00:00
|
|
|
return CertificateResource{}, err
|
|
|
|
}
|
|
|
|
|
|
|
|
var san []string
|
|
|
|
var authURLs []string
|
|
|
|
for _, auth := range authz[1:] {
|
|
|
|
san = append(san, auth.Domain)
|
|
|
|
authURLs = append(authURLs, auth.AuthURL)
|
2015-10-18 00:16:15 +00:00
|
|
|
}
|
|
|
|
|
2015-10-24 01:55:18 +00:00
|
|
|
// TODO: should the CSR be customizable?
|
2015-11-11 00:01:15 +00:00
|
|
|
csr, err := generateCsr(privKey.(*rsa.PrivateKey), commonName.Domain, san)
|
2015-10-18 00:16:15 +00:00
|
|
|
if err != nil {
|
2015-11-11 00:01:15 +00:00
|
|
|
return CertificateResource{}, err
|
2015-10-18 00:16:15 +00:00
|
|
|
}
|
2015-06-13 01:55:53 +00:00
|
|
|
|
2015-10-18 00:16:15 +00:00
|
|
|
csrString := base64.URLEncoding.EncodeToString(csr)
|
2015-11-11 00:01:15 +00:00
|
|
|
jsonBytes, err := json.Marshal(csrMessage{Resource: "new-cert", Csr: csrString, Authorizations: authURLs})
|
2015-10-18 00:16:15 +00:00
|
|
|
if err != nil {
|
2015-11-11 00:01:15 +00:00
|
|
|
return CertificateResource{}, err
|
2015-10-18 00:16:15 +00:00
|
|
|
}
|
|
|
|
|
2015-11-11 00:01:15 +00:00
|
|
|
resp, err := c.jws.post(commonName.NewCertURL, jsonBytes)
|
2015-10-18 00:16:15 +00:00
|
|
|
if err != nil {
|
2015-11-11 00:01:15 +00:00
|
|
|
return CertificateResource{}, err
|
2015-10-18 00:16:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
privateKeyPem := pemEncode(privKey)
|
|
|
|
cerRes := CertificateResource{
|
2015-11-11 00:01:15 +00:00
|
|
|
Domain: commonName.Domain,
|
2015-10-18 00:16:15 +00:00
|
|
|
CertURL: resp.Header.Get("Location"),
|
|
|
|
PrivateKey: privateKeyPem}
|
|
|
|
|
|
|
|
for {
|
|
|
|
|
|
|
|
switch resp.StatusCode {
|
|
|
|
case 202:
|
|
|
|
case 201:
|
|
|
|
|
|
|
|
cert, err := ioutil.ReadAll(resp.Body)
|
2015-10-22 04:16:29 +00:00
|
|
|
resp.Body.Close()
|
2015-10-18 00:16:15 +00:00
|
|
|
if err != nil {
|
2015-11-11 00:01:15 +00:00
|
|
|
return CertificateResource{}, err
|
2015-10-18 00:16:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// The server returns a body with a length of zero if the
|
|
|
|
// certificate was not ready at the time this request completed.
|
|
|
|
// Otherwise the body is the certificate.
|
|
|
|
if len(cert) > 0 {
|
2015-10-24 01:55:18 +00:00
|
|
|
|
2015-10-18 00:16:15 +00:00
|
|
|
cerRes.CertStableURL = resp.Header.Get("Content-Location")
|
2015-10-24 01:55:18 +00:00
|
|
|
|
|
|
|
issuedCert := pemEncode(derCertificateBytes(cert))
|
|
|
|
// If bundle is true, we want to return a certificate bundle.
|
|
|
|
// To do this, we need the issuer certificate.
|
|
|
|
if bundle {
|
|
|
|
// The issuer certificate link is always supplied via an "up" link
|
|
|
|
// in the response headers of a new certificate.
|
|
|
|
links := parseLinks(resp.Header["Link"])
|
|
|
|
issuerCert, err := c.getIssuerCertificate(links["up"])
|
|
|
|
if err != nil {
|
|
|
|
// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
|
2015-11-11 00:01:15 +00:00
|
|
|
logf("[WARNING] acme: [%s] Could not bundle issuer certificate: %v", commonName.Domain, err)
|
2015-10-24 01:55:18 +00:00
|
|
|
} else {
|
2015-10-24 02:31:12 +00:00
|
|
|
// Success - append the issuer cert to the issued cert.
|
2015-10-24 01:55:18 +00:00
|
|
|
issuerCert = pemEncode(derCertificateBytes(issuerCert))
|
2015-10-24 02:31:12 +00:00
|
|
|
issuedCert = append(issuedCert, issuerCert...)
|
2015-10-24 01:55:18 +00:00
|
|
|
}
|
|
|
|
}
|
2015-10-24 02:31:12 +00:00
|
|
|
|
|
|
|
cerRes.Certificate = issuedCert
|
2015-11-11 00:01:15 +00:00
|
|
|
logf("[%s] Server responded with a certificate.", commonName.Domain)
|
|
|
|
return cerRes, nil
|
2015-10-18 15:27:59 +00:00
|
|
|
}
|
2015-10-18 00:16:15 +00:00
|
|
|
|
2015-10-18 15:27:59 +00:00
|
|
|
// The certificate was granted but is not yet issued.
|
|
|
|
// Check retry-after and loop.
|
|
|
|
ra := resp.Header.Get("Retry-After")
|
|
|
|
retryAfter, err := strconv.Atoi(ra)
|
|
|
|
if err != nil {
|
2015-11-11 00:01:15 +00:00
|
|
|
return CertificateResource{}, err
|
2015-10-18 00:16:15 +00:00
|
|
|
}
|
2015-10-18 15:27:59 +00:00
|
|
|
|
2015-11-11 00:01:15 +00:00
|
|
|
logf("[INFO] acme: [%s] Server responded with status 202; retrying after %ds", commonName.Domain, retryAfter)
|
2015-10-18 15:27:59 +00:00
|
|
|
time.Sleep(time.Duration(retryAfter) * time.Second)
|
|
|
|
|
2015-10-18 00:16:15 +00:00
|
|
|
break
|
|
|
|
default:
|
2015-11-11 00:01:15 +00:00
|
|
|
return CertificateResource{}, handleHTTPError(resp)
|
2015-06-13 01:55:53 +00:00
|
|
|
}
|
|
|
|
|
2015-10-18 00:16:15 +00:00
|
|
|
resp, err = http.Get(cerRes.CertURL)
|
2015-06-13 01:55:53 +00:00
|
|
|
if err != nil {
|
2015-11-11 00:01:15 +00:00
|
|
|
return CertificateResource{}, err
|
2015-06-13 01:55:53 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-10-24 01:55:18 +00:00
|
|
|
// getIssuerCertificate requests the issuer certificate and caches it for
|
|
|
|
// subsequent requests.
|
|
|
|
func (c *Client) getIssuerCertificate(url string) ([]byte, error) {
|
2015-11-07 06:22:32 +00:00
|
|
|
logf("[INFO] acme: Requesting issuer cert from %s", url)
|
2015-10-24 01:55:18 +00:00
|
|
|
if c.issuerCert != nil {
|
|
|
|
return c.issuerCert, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
resp, err := http.Get(url)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
issuerBytes, err := ioutil.ReadAll(resp.Body)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = x509.ParseCertificate(issuerBytes)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
c.issuerCert = issuerBytes
|
|
|
|
return issuerBytes, err
|
|
|
|
}
|
|
|
|
|
2015-06-08 00:36:07 +00:00
|
|
|
func parseLinks(links []string) map[string]string {
|
|
|
|
aBrkt := regexp.MustCompile("[<>]")
|
|
|
|
slver := regexp.MustCompile("(.+) *= *\"(.+)\"")
|
|
|
|
linkMap := make(map[string]string)
|
|
|
|
|
|
|
|
for _, link := range links {
|
|
|
|
|
|
|
|
link = aBrkt.ReplaceAllString(link, "")
|
|
|
|
parts := strings.Split(link, ";")
|
|
|
|
|
|
|
|
matches := slver.FindStringSubmatch(parts[1])
|
|
|
|
if len(matches) > 0 {
|
|
|
|
linkMap[matches[2]] = parts[0]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return linkMap
|
|
|
|
}
|
2015-12-05 11:51:30 +00:00
|
|
|
|
|
|
|
// validate makes the ACME server start validating a
|
|
|
|
// challenge response, only returning once it is done.
|
|
|
|
func validate(j *jws, uri string, chlng challenge) error {
|
|
|
|
var challengeResponse challenge
|
|
|
|
|
|
|
|
if err := postJSON(j, uri, chlng, &challengeResponse); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
interval := 1 * time.Second
|
|
|
|
maxInterval := 15 * time.Minute
|
|
|
|
|
|
|
|
// After the path is sent, the ACME server will access our server.
|
|
|
|
// Repeatedly check the server for an updated status on our request.
|
|
|
|
for {
|
|
|
|
switch challengeResponse.Status {
|
|
|
|
case "valid":
|
|
|
|
logf("The server validated our request")
|
|
|
|
return nil
|
|
|
|
case "pending":
|
|
|
|
break
|
|
|
|
case "invalid":
|
|
|
|
return errors.New("The server could not validate our request.")
|
|
|
|
default:
|
|
|
|
return errors.New("The server returned an unexpected state.")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Poll with exponential back-off.
|
|
|
|
time.Sleep(interval)
|
|
|
|
interval *= 2
|
|
|
|
if interval > maxInterval {
|
|
|
|
interval = maxInterval
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := getJSON(uri, &challengeResponse); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// getJSON performs an HTTP GET request and parses the response body
|
|
|
|
// as JSON, into the provided respBody object.
|
|
|
|
func getJSON(uri string, respBody interface{}) error {
|
|
|
|
resp, err := http.Get(uri)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to get %q: %v", uri, err)
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
if resp.StatusCode >= http.StatusBadRequest {
|
|
|
|
return handleHTTPError(resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
return json.NewDecoder(resp.Body).Decode(respBody)
|
|
|
|
}
|
|
|
|
|
|
|
|
// postJSON performs an HTTP POST request and parses the response body
|
|
|
|
// as JSON, into the provided respBody object.
|
|
|
|
func postJSON(j *jws, uri string, reqBody, respBody interface{}) error {
|
|
|
|
jsonBytes, err := json.Marshal(reqBody)
|
|
|
|
if err != nil {
|
|
|
|
return errors.New("Failed to marshal network message...")
|
|
|
|
}
|
|
|
|
|
|
|
|
resp, err := j.post(uri, jsonBytes)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Failed to post JWS message. -> %v", err)
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
if resp.StatusCode >= http.StatusBadRequest {
|
|
|
|
return handleHTTPError(resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
return json.NewDecoder(resp.Body).Decode(respBody)
|
|
|
|
}
|