- Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ASCII domain names (Punycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fix revocation for subdomains and non-ASCII domains - Disable pending authorizations - Use pointers for RemoteError/ProblemDetails - Poll the authz URL instead of the challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete-propagation requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates - Log every iteration of waiting for the propagation - Update DNSimple client - Update github.com/miekg/dns
package cmd
import (
"crypto/x509"
"encoding/pem"
"fmt"
"io/ioutil"
"os"
"strings"
"time"
"github.com/urfave/cli"
"github.com/xenolf/lego/certcrypto"
"github.com/xenolf/lego/lego"
"github.com/xenolf/lego/log"
"github.com/xenolf/lego/registration"
)
// filePerm is the file mode for files this package writes: read/write for
// the owner only, so account material is not world-readable. Its uses are
// outside this part of the file.
const filePerm os.FileMode = 0600
// setup resolves the ACME account kept in accountsStorage and builds a lego
// client bound to it.
//
// When the account file already exists on disk the stored account is loaded
// with the storage's private key; otherwise an in-memory Account is created
// from the configured user ID and that key. newClient exits the process via
// log.Fatal* on failure, so no error is returned from here.
func setup(ctx *cli.Context, accountsStorage *AccountsStorage) (*Account, *lego.Client) {
	key := accountsStorage.GetPrivateKey()

	var acc *Account
	switch {
	case accountsStorage.ExistsAccountFilePath():
		acc = accountsStorage.LoadAccount(key)
	default:
		acc = &Account{Email: accountsStorage.GetUserID(), key: key}
	}

	return acc, newClient(ctx, acc)
}
// newClient builds a lego.Client for acc from the global CLI flags: "server"
// (CA directory URL), "key-type" (see getKeyType) and, when set,
// "http-timeout" (seconds). After the client is created its challenge
// solvers are configured with setupChallenges.
//
// Failures are fatal: the process exits via log.Fatal* when the client
// cannot be created, or when the CA requires External Account Binding and
// --eab was not passed.
func newClient(ctx *cli.Context, acc registration.User) *lego.Client {
	// Resolved first so an unsupported key type is reported before any
	// other work is done.
	kt := getKeyType(ctx)

	cfg := lego.NewConfig(acc)
	cfg.CADirURL = ctx.GlobalString("server")
	cfg.KeyType = kt
	cfg.UserAgent = "lego-cli/" + ctx.App.Version

	if ctx.GlobalIsSet("http-timeout") {
		// NOTE(review): assumes lego.NewConfig populates HTTPClient; a nil
		// client here would panic — confirm in the lego package.
		secs := ctx.GlobalInt("http-timeout")
		cfg.HTTPClient.Timeout = time.Duration(secs) * time.Second
	}

	client, err := lego.NewClient(cfg)
	if err != nil {
		log.Fatalf("Could not create client: %v", err)
	}

	setupChallenges(ctx, client)

	if client.GetExternalAccountRequired() && !ctx.GlobalIsSet("eab") {
		log.Fatal("Server requires External Account Binding. Use --eab with --kid and --hmac.")
	}

	return client
}
// getKeyType maps the --key-type flag to the certcrypto.KeyType used when
// generating private keys. The comparison is case-insensitive; an unknown
// value is fatal (log.Fatalf) and the trailing return is never reached in
// practice.
func getKeyType(ctx *cli.Context) certcrypto.KeyType {
	name := ctx.GlobalString("key-type")

	known := map[string]certcrypto.KeyType{
		"RSA2048": certcrypto.RSA2048,
		"RSA4096": certcrypto.RSA4096,
		"RSA8192": certcrypto.RSA8192,
		"EC256":   certcrypto.EC256,
		"EC384":   certcrypto.EC384,
	}
	if kt, ok := known[strings.ToUpper(name)]; ok {
		return kt
	}

	log.Fatalf("Unsupported KeyType: %s", name)
	return ""
}
// getEmail returns the account e-mail address given with --email / -m.
// A missing address is fatal (log.Fatal); the final return only exists to
// satisfy the compiler.
func getEmail(ctx *cli.Context) string {
	addr := ctx.GlobalString("email")
	if addr != "" {
		return addr
	}

	log.Fatal("You have to pass an account (email address) to the program using --email or -m")
	return addr
}
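// createNonExistingFolder makes sure a directory exists at path, creating it
// (and any missing parents) with owner-only permissions when it does not.
//
// It returns an error when path exists but is not a directory, or when
// os.Stat / os.MkdirAll fail for any other reason. An existing directory
// is left untouched, so the call is idempotent.
func createNonExistingFolder(path string) error {
	info, err := os.Stat(path)
	switch {
	case err == nil:
		// Previously an existing regular file was silently accepted; the
		// next write below it would then fail with a confusing error.
		if !info.IsDir() {
			return fmt.Errorf("%q exists but is not a directory", path)
		}
		return nil
	case os.IsNotExist(err):
		// 0700 keeps the tree private to the current user, in line with the
		// owner-only filePerm this package uses for files.
		return os.MkdirAll(path, 0700)
	default:
		return err
	}
}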
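// readCSRFile reads a certificate signing request from filename.
//
// The file may be PEM-encoded, in which case the first block labelled
// "CERTIFICATE REQUEST" (or the legacy "NEW CERTIFICATE REQUEST", which
// RFC 7468 §7 asks parsers to accept) is used and any other PEM blocks are
// skipped. A file that contains no PEM blocks at all is treated as a raw
// DER-encoded CSR.
//
// It returns an error if the file cannot be read, if it holds PEM blocks
// but none of them is a CSR, or if the selected bytes do not parse as a
// CSR.
func readCSRFile(filename string) (*x509.CertificateRequest, error) {
	data, err := ioutil.ReadFile(filename)
	if err != nil {
		return nil, err
	}

	raw, err := extractCSRBytes(data, filename)
	if err != nil {
		return nil, err
	}

	return x509.ParseCertificateRequest(raw)
}

// extractCSRBytes selects the DER bytes of the CSR inside data: the payload
// of the first CSR PEM block when the input is PEM, the whole input when it
// carries no PEM armour at all. filename is only used in error messages.
func extractCSRBytes(data []byte, filename string) ([]byte, error) {
	sawPEM := false
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		sawPEM = true

		// Stop at the first CSR instead of scanning on and silently keeping
		// the last one, which the previous loop did.
		switch block.Type {
		case "CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST":
			return block.Bytes, nil
		}
	}

	if sawPEM {
		// Handing a PEM file with no CSR block to the DER parser only yields
		// an opaque asn1 error; say what is actually missing.
		return nil, fmt.Errorf("no CERTIFICATE REQUEST PEM block found in %q", filename)
	}

	// No PEM at all: assume DER. If that assumption is wrong,
	// x509.ParseCertificateRequest reports the malformed input.
	return data, nil
}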