lego/cli_handlers.go

305 lines
8.6 KiB
Go
Raw Normal View History

package main
import (
"bufio"
"encoding/json"
"io/ioutil"
"os"
"path"
"strings"
"time"
"github.com/codegangsta/cli"
"github.com/xenolf/lego/acme"
)
func checkFolder(path string) error {
if _, err := os.Stat(path); os.IsNotExist(err) {
return os.MkdirAll(path, 0700)
}
return nil
}
func setup(c *cli.Context) (*Configuration, *Account, *acme.Client) {
err := checkFolder(c.GlobalString("path"))
if err != nil {
2016-02-15 14:18:31 +00:00
logger().Fatalf("Could not check/create path: %s", err.Error())
}
conf := NewConfiguration(c)
2015-12-15 18:21:46 +00:00
if len(c.GlobalString("email")) == 0 {
logger().Fatal("You have to pass an account (email address) to the program using --email or -m")
}
//TODO: move to account struct? Currently MUST pass email.
acc := NewAccount(c.GlobalString("email"), conf)
2015-10-27 23:05:40 +00:00
client, err := acme.NewClient(c.GlobalString("server"), acc, conf.RsaBits())
2015-10-27 23:05:40 +00:00
if err != nil {
logger().Fatalf("Could not create client: %s", err.Error())
2015-10-27 23:05:40 +00:00
}
if len(c.GlobalStringSlice("exclude")) > 0 {
client.ExcludeChallenges(conf.ExcludedSolvers())
}
2016-01-08 07:05:07 +00:00
if c.GlobalIsSet("http") {
if strings.Index(c.GlobalString("http"), ":") == -1 {
logger().Fatalf("The --http switch only accepts interface:port or :port for its argument.")
}
2016-01-08 07:05:07 +00:00
client.SetHTTPAddress(c.GlobalString("http"))
}
2016-01-08 07:05:07 +00:00
if c.GlobalIsSet("tls") {
if strings.Index(c.GlobalString("tls"), ":") == -1 {
logger().Fatalf("The --tls switch only accepts interface:port or :port for its argument.")
}
2016-01-08 07:05:07 +00:00
client.SetTLSAddress(c.GlobalString("tls"))
}
2016-01-30 01:40:57 +00:00
if c.GlobalIsSet("dns") {
var err error
var provider acme.ChallengeProvider
switch c.GlobalString("dns") {
case "cloudflare":
provider, err = acme.NewDNSProviderCloudFlare("", "")
case "digitalocean":
authToken := os.Getenv("DO_AUTH_TOKEN")
provider, err = acme.NewDNSProviderDigitalOcean(authToken)
case "dnsimple":
provider, err = acme.NewDNSProviderDNSimple("", "")
case "route53":
awsRegion := os.Getenv("AWS_REGION")
provider, err = acme.NewDNSProviderRoute53("", "", awsRegion)
case "rfc2136":
nameserver := os.Getenv("RFC2136_NAMESERVER")
zone := os.Getenv("RFC2136_ZONE")
tsigAlgorithm := os.Getenv("RFC2136_TSIG_ALGORITHM")
2016-01-30 01:40:57 +00:00
tsigKey := os.Getenv("RFC2136_TSIG_KEY")
tsigSecret := os.Getenv("RFC2136_TSIG_SECRET")
provider, err = acme.NewDNSProviderRFC2136(nameserver, zone, tsigAlgorithm, tsigKey, tsigSecret)
2016-01-30 01:40:57 +00:00
case "manual":
provider, err = acme.NewDNSProviderManual()
}
if err != nil {
logger().Fatal(err)
}
client.SetChallengeProvider(acme.DNS01, provider)
// --dns=foo indicates that the user specifically want to do a DNS challenge
// infer that the user also wants to exclude all other challenges
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSSNI01})
2016-01-30 01:40:57 +00:00
}
2015-10-27 23:05:40 +00:00
return conf, acc, client
}
func saveCertRes(certRes acme.CertificateResource, conf *Configuration) {
// We store the certificate, private key and metadata in different files
// as web servers would not be able to work with a combined file.
certOut := path.Join(conf.CertPath(), certRes.Domain+".crt")
privOut := path.Join(conf.CertPath(), certRes.Domain+".key")
metaOut := path.Join(conf.CertPath(), certRes.Domain+".json")
err := ioutil.WriteFile(certOut, certRes.Certificate, 0600)
if err != nil {
logger().Fatalf("Unable to save Certificate for domain %s\n\t%s", certRes.Domain, err.Error())
}
err = ioutil.WriteFile(privOut, certRes.PrivateKey, 0600)
if err != nil {
logger().Fatalf("Unable to save PrivateKey for domain %s\n\t%s", certRes.Domain, err.Error())
}
jsonBytes, err := json.MarshalIndent(certRes, "", "\t")
if err != nil {
logger().Fatalf("Unable to marshal CertResource for domain %s\n\t%s", certRes.Domain, err.Error())
}
err = ioutil.WriteFile(metaOut, jsonBytes, 0600)
if err != nil {
logger().Fatalf("Unable to save CertResource for domain %s\n\t%s", certRes.Domain, err.Error())
}
}
func handleTOS(c *cli.Context, client *acme.Client, acc *Account) {
// Check for a global accept override
if c.GlobalBool("accept-tos") {
err := client.AgreeToTOS()
if err != nil {
logger().Fatalf("Could not agree to TOS: %s", err.Error())
}
acc.Save()
return
}
reader := bufio.NewReader(os.Stdin)
logger().Printf("Please review the TOS at %s", acc.Registration.TosURL)
for {
logger().Println("Do you accept the TOS? Y/n")
text, err := reader.ReadString('\n')
if err != nil {
logger().Fatalf("Could not read from console: %s", err.Error())
}
text = strings.Trim(text, "\r\n")
if text == "n" {
logger().Fatal("You did not accept the TOS. Unable to proceed.")
}
if text == "Y" || text == "y" || text == "" {
err = client.AgreeToTOS()
if err != nil {
logger().Fatalf("Could not agree to TOS: %s", err.Error())
}
acc.Save()
break
}
logger().Println("Your input was invalid. Please answer with one of Y/y, n or by pressing enter.")
}
}
func run(c *cli.Context) {
conf, acc, client := setup(c)
if acc.Registration == nil {
reg, err := client.Register()
if err != nil {
logger().Fatalf("Could not complete registration\n\t%s", err.Error())
}
acc.Registration = reg
acc.Save()
logger().Print("!!!! HEADS UP !!!!")
logger().Printf(`
2015-09-26 18:00:19 +00:00
Your account credentials have been saved in your Let's Encrypt
configuration directory at "%s".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.`, conf.AccountPath(c.GlobalString("email")))
}
// If the agreement URL is empty, the account still needs to accept the LE TOS.
if acc.Registration.Body.Agreement == "" {
handleTOS(c, client, acc)
}
2015-12-15 18:21:46 +00:00
if len(c.GlobalStringSlice("domains")) == 0 {
2015-12-15 18:18:51 +00:00
logger().Fatal("Please specify --domains or -d")
}
2016-01-08 09:14:41 +00:00
cert, failures := client.ObtainCertificate(c.GlobalStringSlice("domains"), true, nil)
if len(failures) > 0 {
for k, v := range failures {
logger().Printf("[%s] Could not obtain certificates\n\t%s", k, v.Error())
}
2015-12-15 18:18:51 +00:00
// Make sure to return a non-zero exit code if ObtainSANCertificate
// returned at least one error. Due to us not returning partial
// certificate we can just exit here instead of at the end.
os.Exit(1)
}
err := checkFolder(conf.CertPath())
if err != nil {
2016-02-15 14:18:31 +00:00
logger().Fatalf("Could not check/create path: %s", err.Error())
}
2015-11-11 17:05:09 +00:00
saveCertRes(cert, conf)
}
2015-09-27 12:51:44 +00:00
func revoke(c *cli.Context) {
conf, _, client := setup(c)
2015-09-27 12:51:44 +00:00
err := checkFolder(conf.CertPath())
2015-09-27 12:51:44 +00:00
if err != nil {
2016-02-15 14:18:31 +00:00
logger().Fatalf("Could not check/create path: %s", err.Error())
2015-09-27 12:51:44 +00:00
}
for _, domain := range c.GlobalStringSlice("domains") {
logger().Printf("Trying to revoke certificate for domain %s", domain)
certPath := path.Join(conf.CertPath(), domain+".crt")
certBytes, err := ioutil.ReadFile(certPath)
err = client.RevokeCertificate(certBytes)
if err != nil {
logger().Fatalf("Error while revoking the certificate for domain %s\n\t%s", domain, err.Error())
2015-09-27 12:51:44 +00:00
} else {
logger().Print("Certificate was revoked.")
}
}
}
2015-10-18 22:42:04 +00:00
func renew(c *cli.Context) {
conf, _, client := setup(c)
2015-12-24 08:57:09 +00:00
if len(c.GlobalStringSlice("domains")) <= 0 {
logger().Fatal("Please specify at least one domain.")
}
2015-12-24 08:57:09 +00:00
domain := c.GlobalStringSlice("domains")[0]
2015-10-18 22:42:04 +00:00
// load the cert resource from files.
// We store the certificate, private key and metadata in different files
// as web servers would not be able to work with a combined file.
certPath := path.Join(conf.CertPath(), domain+".crt")
privPath := path.Join(conf.CertPath(), domain+".key")
metaPath := path.Join(conf.CertPath(), domain+".json")
certBytes, err := ioutil.ReadFile(certPath)
if err != nil {
logger().Fatalf("Error while loading the certificate for domain %s\n\t%s", domain, err.Error())
}
if c.IsSet("days") {
expTime, err := acme.GetPEMCertExpiration(certBytes)
2015-10-18 22:42:04 +00:00
if err != nil {
logger().Printf("Could not get Certification expiration for domain %s", domain)
2015-10-18 22:42:04 +00:00
}
2015-12-24 08:57:09 +00:00
if int(expTime.Sub(time.Now()).Hours()/24.0) > c.Int("days") {
return
2015-10-18 22:42:04 +00:00
}
}
2015-10-18 22:42:04 +00:00
metaBytes, err := ioutil.ReadFile(metaPath)
if err != nil {
logger().Fatalf("Error while loading the meta data for domain %s\n\t%s", domain, err.Error())
}
2015-10-18 22:42:04 +00:00
var certRes acme.CertificateResource
err = json.Unmarshal(metaBytes, &certRes)
if err != nil {
logger().Fatalf("Error while marshalling the meta data for domain %s\n\t%s", domain, err.Error())
}
2015-10-18 22:42:04 +00:00
2016-01-08 09:14:41 +00:00
if c.Bool("reuse-key") {
keyBytes, err := ioutil.ReadFile(privPath)
if err != nil {
logger().Fatalf("Error while loading the private key for domain %s\n\t%s", domain, err.Error())
}
certRes.PrivateKey = keyBytes
}
certRes.Certificate = certBytes
newCert, err := client.RenewCertificate(certRes, true)
if err != nil {
logger().Fatalf("%s", err.Error())
2015-10-18 22:42:04 +00:00
}
saveCertRes(newCert, conf)
2015-10-18 22:42:04 +00:00
}