forked from TrueCloudLab/lego
87 lines
2.5 KiB
Go
87 lines
2.5 KiB
Go
|
package acme
|
||
|
|
||
|
import (
|
||
|
"crypto/tls"
|
||
|
"fmt"
|
||
|
"net"
|
||
|
"net/http"
|
||
|
)
|
||
|
|
||
|
const (
|
||
|
// acmeTLS1Protocol is the ALPN Protocol ID for the ACME-TLS/1 Protocol.
|
||
|
acmeTLS1Protocol = "acme-tls/1"
|
||
|
|
||
|
// defaultTLSPort is the port that the TLSALPNProviderServer will default to
|
||
|
// when no other port is provided.
|
||
|
defaultTLSPort = "443"
|
||
|
)
|
||
|
|
||
|
// TLSALPNProviderServer implements ChallengeProvider for `TLS-ALPN-01`
|
||
|
// challenge. It may be instantiated without using the NewTLSALPNProviderServer
|
||
|
// if you want only to use the default values.
|
||
|
type TLSALPNProviderServer struct {
|
||
|
iface string
|
||
|
port string
|
||
|
listener net.Listener
|
||
|
}
|
||
|
|
||
|
// NewTLSALPNProviderServer creates a new TLSALPNProviderServer on the selected
|
||
|
// interface and port. Setting iface and / or port to an empty string will make
|
||
|
// the server fall back to the "any" interface and port 443 respectively.
|
||
|
func NewTLSALPNProviderServer(iface, port string) *TLSALPNProviderServer {
|
||
|
return &TLSALPNProviderServer{iface: iface, port: port}
|
||
|
}
|
||
|
|
||
|
// Present generates a certificate with a SHA-256 digest of the keyAuth provided
|
||
|
// as the acmeValidation-v1 extension value to conform to the ACME-TLS-ALPN
|
||
|
// spec.
|
||
|
func (t *TLSALPNProviderServer) Present(domain, token, keyAuth string) error {
|
||
|
if t.port == "" {
|
||
|
// Fallback to port 443 if the port was not provided.
|
||
|
t.port = defaultTLSPort
|
||
|
}
|
||
|
|
||
|
// Generate the challenge certificate using the provided keyAuth and domain.
|
||
|
cert, err := TLSALPNChallengeCert(domain, keyAuth)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
|
||
|
// Place the generated certificate with the extension into the TLS config
|
||
|
// so that it can serve the correct details.
|
||
|
tlsConf := new(tls.Config)
|
||
|
tlsConf.Certificates = []tls.Certificate{*cert}
|
||
|
|
||
|
// We must set that the `acme-tls/1` application level protocol is supported
|
||
|
// so that the protocol negotiation can succeed. Reference:
|
||
|
// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01#section-5.2
|
||
|
tlsConf.NextProtos = []string{acmeTLS1Protocol}
|
||
|
|
||
|
// Create the listener with the created tls.Config.
|
||
|
t.listener, err = tls.Listen("tcp", net.JoinHostPort(t.iface, t.port), tlsConf)
|
||
|
if err != nil {
|
||
|
return fmt.Errorf("could not start HTTPS server for challenge -> %v", err)
|
||
|
}
|
||
|
|
||
|
// Shut the server down when we're finished.
|
||
|
go func() {
|
||
|
http.Serve(t.listener, nil)
|
||
|
}()
|
||
|
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
// CleanUp closes the HTTPS server.
|
||
|
func (t *TLSALPNProviderServer) CleanUp(domain, token, keyAuth string) error {
|
||
|
if t.listener == nil {
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
// Server was created, close it.
|
||
|
if err := t.listener.Close(); err != nil && err != http.ErrServerClosed {
|
||
|
return err
|
||
|
}
|
||
|
|
||
|
return nil
|
||
|
}
|