2016-03-21 11:10:18 +01:00
package acme
import (
2016-08-16 16:26:10 +01:00
"context"
2016-03-21 11:10:18 +01:00
"crypto/tls"
"errors"
"fmt"
2016-12-30 09:21:13 +01:00
"io/ioutil"
fmtlog "log"
2018-01-15 16:04:05 +01:00
"net"
"net/http"
2018-07-31 11:50:03 +02:00
"net/url"
2018-03-26 14:12:03 +02:00
"reflect"
2016-12-30 09:21:13 +01:00
"strings"
2018-08-20 09:40:03 +02:00
"sync"
2016-12-30 09:21:13 +01:00
"time"
2016-10-14 16:04:09 +02:00
"github.com/BurntSushi/ty/fun"
2019-02-04 16:38:08 +01:00
"github.com/cenkalti/backoff"
2018-01-15 16:04:05 +01:00
"github.com/containous/mux"
2016-08-18 14:20:11 +02:00
"github.com/containous/staert"
"github.com/containous/traefik/cluster"
"github.com/containous/traefik/log"
2018-11-27 17:42:04 +01:00
acmeprovider "github.com/containous/traefik/provider/acme"
2016-08-18 14:20:11 +02:00
"github.com/containous/traefik/safe"
2018-11-27 17:42:04 +01:00
"github.com/containous/traefik/types"
2018-06-05 09:54:03 +02:00
"github.com/containous/traefik/version"
2016-12-09 14:37:39 +01:00
"github.com/eapache/channels"
2019-01-07 18:30:06 +01:00
"github.com/xenolf/lego/certificate"
"github.com/xenolf/lego/challenge"
"github.com/xenolf/lego/challenge/dns01"
"github.com/xenolf/lego/challenge/http01"
"github.com/xenolf/lego/lego"
2018-05-31 09:30:04 +02:00
legolog "github.com/xenolf/lego/log"
2016-10-14 01:33:01 +01:00
"github.com/xenolf/lego/providers/dns"
2019-01-07 18:30:06 +01:00
"github.com/xenolf/lego/registration"
2016-03-21 11:10:18 +01:00
)
2016-10-14 01:33:01 +01:00
var (
// OSCPMustStaple enables OSCP stapling as from https://github.com/xenolf/lego/issues/270
OSCPMustStaple = false
)
2016-03-21 11:10:18 +01:00
// ACME allows to connect to lets encrypt and retrieve certs
2018-03-06 14:50:03 +01:00
// Deprecated Please use provider/acme/Provider
2016-03-21 11:10:18 +01:00
type ACME struct {
2018-03-05 20:54:04 +01:00
Email string ` description:"Email address used for registration" `
Domains [ ] types . Domain ` description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'" `
Storage string ` description:"File or key used for certificates storage." `
2018-05-31 09:30:04 +02:00
OnDemand bool ` description:"(Deprecated) Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate." ` // Deprecated
2018-03-05 20:54:04 +01:00
OnHostRule bool ` description:"Enable certificate generation on frontends Host rules." `
CAServer string ` description:"CA server to use." `
EntryPoint string ` description:"Entrypoint to proxy acme challenge to." `
2018-05-16 11:44:03 +02:00
KeyType string ` description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'" `
2018-04-11 17:16:07 +02:00
DNSChallenge * acmeprovider . DNSChallenge ` description:"Activate DNS-01 Challenge" `
2018-03-05 20:54:04 +01:00
HTTPChallenge * acmeprovider . HTTPChallenge ` description:"Activate HTTP-01 Challenge" `
2018-07-03 12:44:04 +02:00
TLSChallenge * acmeprovider . TLSChallenge ` description:"Activate TLS-ALPN-01 Challenge" `
2018-03-05 20:54:04 +01:00
ACMELogging bool ` description:"Enable debug logging of ACME actions." `
2018-05-17 06:32:03 -04:00
OverrideCertificates bool ` description:"Enable to override certificates in key-value store when using storeconfig" `
2019-01-07 18:30:06 +01:00
client * lego . Client
2018-01-15 16:04:05 +01:00
store cluster . Store
challengeHTTPProvider * challengeHTTPProvider
2018-07-03 12:44:04 +02:00
challengeTLSProvider * challengeTLSProvider
2018-01-15 16:04:05 +01:00
checkOnDemandDomain func ( domain string ) bool
jobs * channels . InfiniteChannel
TLSConfig * tls . Config ` description:"TLS config in case wildcard certs are used" `
dynamicCerts * safe . Safe
2018-08-20 09:40:03 +02:00
resolvingDomains map [ string ] struct { }
resolvingDomainsMutex sync . RWMutex
2018-01-15 16:04:05 +01:00
}
2016-08-16 19:13:18 +02:00
func ( a * ACME ) init ( ) error {
2016-10-14 01:33:01 +01:00
if a . ACMELogging {
2018-11-14 10:18:03 +01:00
legolog . Logger = log . WithoutContext ( )
2016-10-14 01:33:01 +01:00
} else {
2018-05-31 09:30:04 +02:00
legolog . Logger = fmtlog . New ( ioutil . Discard , "" , 0 )
2016-10-14 01:33:01 +01:00
}
2018-06-15 16:08:03 +02:00
2016-12-09 14:37:39 +01:00
a . jobs = channels . NewInfiniteChannel ( )
2018-08-20 09:40:03 +02:00
// Init the currently resolved domain map
a . resolvingDomains = make ( map [ string ] struct { } )
2016-08-16 19:13:18 +02:00
return nil
}
2016-03-21 11:10:18 +01:00
2018-01-15 16:04:05 +01:00
// AddRoutes add routes on internal router
func ( a * ACME ) AddRoutes ( router * mux . Router ) {
router . Methods ( http . MethodGet ) .
2019-01-07 18:30:06 +01:00
Path ( http01 . ChallengePath ( "{token}" ) ) .
2018-01-15 16:04:05 +01:00
Handler ( http . HandlerFunc ( func ( rw http . ResponseWriter , req * http . Request ) {
if a . challengeHTTPProvider == nil {
rw . WriteHeader ( http . StatusNotFound )
return
}
vars := mux . Vars ( req )
if token , ok := vars [ "token" ] ; ok {
domain , _ , err := net . SplitHostPort ( req . Host )
if err != nil {
log . Debugf ( "Unable to split host and port: %v. Fallback to request host." , err )
domain = req . Host
}
tokenValue := a . challengeHTTPProvider . getTokenValue ( token , domain )
if len ( tokenValue ) > 0 {
rw . WriteHeader ( http . StatusOK )
rw . Write ( tokenValue )
return
}
}
rw . WriteHeader ( http . StatusNotFound )
} ) )
}
2016-08-18 14:20:11 +02:00
// CreateClusterConfig creates a tls.config using ACME configuration in cluster mode
2017-11-09 12:16:03 +01:00
func ( a * ACME ) CreateClusterConfig ( leadership * cluster . Leadership , tlsConfig * tls . Config , certs * safe . Safe , checkOnDemandDomain func ( domain string ) bool ) error {
2016-08-16 19:13:18 +02:00
err := a . init ( )
if err != nil {
return err
2016-03-21 11:10:18 +01:00
}
2018-06-15 16:42:03 +02:00
2016-08-18 14:20:11 +02:00
if len ( a . Storage ) == 0 {
2018-07-03 12:44:04 +02:00
return errors . New ( "empty Store, please provide a key for certs storage" )
2016-08-16 19:13:18 +02:00
}
2018-06-15 16:42:03 +02:00
2016-08-18 14:20:11 +02:00
a . checkOnDemandDomain = checkOnDemandDomain
2017-11-09 12:16:03 +01:00
a . dynamicCerts = certs
2018-06-15 16:42:03 +02:00
2016-08-18 14:20:11 +02:00
tlsConfig . GetCertificate = a . getCertificate
2017-01-04 14:23:18 -07:00
a . TLSConfig = tlsConfig
2018-06-15 16:42:03 +02:00
2016-09-29 15:36:52 +02:00
listener := func ( object cluster . Object ) error {
account := object . ( * Account )
account . Init ( )
if ! leadership . IsLeader ( ) {
a . client , err = a . buildACMEClient ( account )
if err != nil {
log . Errorf ( "Error building ACME client %+v: %s" , object , err . Error ( ) )
}
}
return nil
}
2016-08-18 14:20:11 +02:00
datastore , err := cluster . NewDataStore (
2016-11-16 08:56:52 +00:00
leadership . Pool . Ctx ( ) ,
2016-08-18 14:20:11 +02:00
staert . KvSource {
Store : leadership . Store ,
2016-09-29 15:36:52 +02:00
Prefix : a . Storage ,
2016-08-18 14:20:11 +02:00
} ,
2016-11-16 08:56:52 +00:00
& Account { } ,
2016-09-29 15:36:52 +02:00
listener )
2016-08-18 14:20:11 +02:00
if err != nil {
return err
}
a . store = datastore
2018-09-27 16:54:05 +02:00
a . challengeTLSProvider = & challengeTLSProvider { store : a . store }
2016-08-18 14:20:11 +02:00
ticker := time . NewTicker ( 24 * time . Hour )
leadership . Pool . AddGoCtx ( func ( ctx context . Context ) {
2017-05-26 17:03:14 +02:00
log . Info ( "Starting ACME renew job..." )
defer log . Info ( "Stopped ACME renew job..." )
2016-10-27 16:09:28 +02:00
for {
select {
case <- ctx . Done ( ) :
return
case <- ticker . C :
2016-12-09 14:37:39 +01:00
a . renewCertificates ( )
2016-08-18 14:20:11 +02:00
}
}
} )
2018-01-15 16:04:05 +01:00
leadership . AddListener ( a . leadershipListener )
return nil
}
func ( a * ACME ) leadershipListener ( elected bool ) error {
if elected {
_ , err := a . store . Load ( )
if err != nil {
return err
}
2018-03-26 14:12:03 +02:00
2018-01-15 16:04:05 +01:00
transaction , object , err := a . store . Begin ( )
if err != nil {
return err
}
2018-03-26 14:12:03 +02:00
2018-01-15 16:04:05 +01:00
account := object . ( * Account )
account . Init ( )
2018-05-28 14:40:03 +02:00
// Reset Account values if caServer changed, thus registration URI can be updated
2018-07-31 11:50:03 +02:00
if account != nil && account . Registration != nil && ! isAccountMatchingCaServer ( account . Registration . URI , a . CAServer ) {
log . Info ( "Account URI does not match the current CAServer. The account will be reset" )
2018-05-28 14:40:03 +02:00
account . reset ( )
}
2018-03-26 14:12:03 +02:00
2018-01-15 16:04:05 +01:00
var needRegister bool
if account == nil || len ( account . Email ) == 0 {
2018-03-26 14:12:03 +02:00
domainsCerts := DomainsCertificates { Certs : [ ] * DomainsCertificate { } }
if account != nil {
domainsCerts = account . DomainsCertificate
}
2018-05-16 11:44:03 +02:00
account , err = NewAccount ( a . Email , domainsCerts . Certs , a . KeyType )
2016-08-18 14:20:11 +02:00
if err != nil {
return err
}
2018-03-26 14:12:03 +02:00
2018-01-15 16:04:05 +01:00
needRegister = true
2018-08-08 07:58:03 +02:00
} else if len ( account . KeyType ) == 0 {
// Set the KeyType if not already defined in the account
2018-11-27 17:42:04 +01:00
account . KeyType = acmeprovider . GetKeyType ( context . Background ( ) , a . KeyType )
2018-01-15 16:04:05 +01:00
}
2018-03-26 14:12:03 +02:00
2018-01-15 16:04:05 +01:00
a . client , err = a . buildACMEClient ( account )
if err != nil {
return err
}
if needRegister {
// New users will need to register; be sure to save it
log . Debug ( "Register..." )
2018-03-26 14:12:03 +02:00
2019-01-07 18:30:06 +01:00
reg , err := a . client . Registration . Register ( registration . RegisterOptions { TermsOfServiceAgreed : true } )
2016-08-18 14:20:11 +02:00
if err != nil {
return err
}
2018-03-26 14:12:03 +02:00
2018-01-15 16:04:05 +01:00
account . Registration = reg
2016-08-18 14:20:11 +02:00
}
2018-03-26 14:12:03 +02:00
2018-01-15 16:04:05 +01:00
err = transaction . Commit ( account )
if err != nil {
return err
}
a . retrieveCertificates ( )
a . renewCertificates ( )
a . runJobs ( )
}
2016-08-16 19:13:18 +02:00
return nil
}
2016-03-21 11:10:18 +01:00
2018-07-31 11:50:03 +02:00
func isAccountMatchingCaServer ( accountURI string , serverURI string ) bool {
aru , err := url . Parse ( accountURI )
if err != nil {
log . Infof ( "Unable to parse account.Registration URL : %v" , err )
return false
}
cau , err := url . Parse ( serverURI )
if err != nil {
log . Infof ( "Unable to parse CAServer URL : %v" , err )
return false
}
return cau . Hostname ( ) == aru . Hostname ( )
}
2016-08-18 14:20:11 +02:00
func ( a * ACME ) getCertificate ( clientHello * tls . ClientHelloInfo ) ( * tls . Certificate , error ) {
2016-10-14 16:04:09 +02:00
domain := types . CanonicalDomain ( clientHello . ServerName )
2016-08-18 14:20:11 +02:00
account := a . store . Get ( ) . ( * Account )
2017-06-19 13:22:41 +02:00
2018-07-03 12:44:04 +02:00
if challengeCert , ok := a . challengeTLSProvider . getCertificate ( domain ) ; ok {
log . Debugf ( "ACME got challenge %s" , domain )
return challengeCert , nil
}
2018-07-12 19:10:03 +02:00
if providedCertificate := a . getProvidedCertificate ( domain ) ; providedCertificate != nil {
return providedCertificate , nil
}
2016-10-14 16:04:09 +02:00
if domainCert , ok := account . DomainsCertificate . getCertificateForDomain ( domain ) ; ok {
log . Debugf ( "ACME got domain cert %s" , domain )
2016-08-18 14:20:11 +02:00
return domainCert . tlsCert , nil
}
2018-07-03 12:44:04 +02:00
2016-08-18 14:20:11 +02:00
if a . OnDemand {
2016-10-14 16:04:09 +02:00
if a . checkOnDemandDomain != nil && ! a . checkOnDemandDomain ( domain ) {
2016-08-18 14:20:11 +02:00
return nil , nil
}
return a . loadCertificateOnDemand ( clientHello )
}
2018-07-03 12:44:04 +02:00
2018-01-10 15:20:04 +01:00
log . Debugf ( "No certificate found or generated for %s" , domain )
2016-08-18 14:20:11 +02:00
return nil , nil
}
func ( a * ACME ) retrieveCertificates ( ) {
2016-12-09 14:37:39 +01:00
a . jobs . In ( ) <- func ( ) {
2017-05-26 17:03:14 +02:00
log . Info ( "Retrieving ACME certificates..." )
2018-03-26 14:12:03 +02:00
a . deleteUnnecessaryDomains ( )
for i := 0 ; i < len ( a . Domains ) ; i ++ {
domain := a . Domains [ i ]
2016-12-09 14:37:39 +01:00
// check if cert isn't already loaded
account := a . store . Get ( ) . ( * Account )
if _ , exists := account . DomainsCertificate . exists ( domain ) ; ! exists {
2018-03-26 14:12:03 +02:00
var domains [ ] string
2016-12-09 14:37:39 +01:00
domains = append ( domains , domain . Main )
domains = append ( domains , domain . SANs ... )
2018-03-26 14:12:03 +02:00
domains , err := a . getValidDomains ( domains , true )
if err != nil {
log . Errorf ( "Error validating ACME certificate for domain %q: %s" , domains , err )
continue
}
2016-12-09 14:37:39 +01:00
certificateResource , err := a . getDomainsCertificates ( domains )
if err != nil {
2018-03-26 14:12:03 +02:00
log . Errorf ( "Error getting ACME certificate for domain %q: %s" , domains , err )
2016-12-09 14:37:39 +01:00
continue
}
2018-03-26 14:12:03 +02:00
2016-12-09 14:37:39 +01:00
transaction , object , err := a . store . Begin ( )
if err != nil {
2018-03-26 14:12:03 +02:00
log . Errorf ( "Error creating ACME store transaction from domain %q: %s" , domain , err )
2016-12-09 14:37:39 +01:00
continue
}
2018-03-26 14:12:03 +02:00
2016-12-09 14:37:39 +01:00
account = object . ( * Account )
_ , err = account . DomainsCertificate . addCertificateForDomains ( certificateResource , domain )
if err != nil {
2018-03-26 14:12:03 +02:00
log . Errorf ( "Error adding ACME certificate for domain %q: %s" , domains , err )
2016-12-09 14:37:39 +01:00
continue
}
2016-08-18 14:20:11 +02:00
2016-12-09 14:37:39 +01:00
if err = transaction . Commit ( account ) ; err != nil {
2018-03-26 14:12:03 +02:00
log . Errorf ( "Error Saving ACME account %+v: %s" , account , err )
2016-12-09 14:37:39 +01:00
continue
}
2016-03-22 01:32:02 +01:00
}
}
2018-03-26 14:12:03 +02:00
2017-05-26 17:03:14 +02:00
log . Info ( "Retrieved ACME certificates" )
2016-03-22 01:32:02 +01:00
}
}
2016-12-09 14:37:39 +01:00
func ( a * ACME ) renewCertificates ( ) {
a . jobs . In ( ) <- func ( ) {
2017-12-05 15:42:03 +01:00
log . Info ( "Testing certificate renew..." )
2016-12-09 14:37:39 +01:00
account := a . store . Get ( ) . ( * Account )
for _ , certificateResource := range account . DomainsCertificate . Certs {
if certificateResource . needRenew ( ) {
2017-12-05 15:42:03 +01:00
log . Infof ( "Renewing certificate from LE : %+v" , certificateResource . Domains )
renewedACMECert , err := a . renewACMECertificate ( certificateResource )
2016-12-09 14:37:39 +01:00
if err != nil {
2017-12-05 15:42:03 +01:00
log . Errorf ( "Error renewing certificate from LE: %v" , err )
2016-12-09 14:37:39 +01:00
continue
}
2017-12-05 15:42:03 +01:00
operation := func ( ) error {
2017-12-27 14:22:02 +01:00
return a . storeRenewedCertificate ( certificateResource , renewedACMECert )
2016-12-09 14:37:39 +01:00
}
2017-12-05 15:42:03 +01:00
notify := func ( err error , time time . Duration ) {
log . Warnf ( "Renewed certificate storage error: %v, retrying in %s" , err , time )
2016-12-09 14:37:39 +01:00
}
2017-12-05 15:42:03 +01:00
ebo := backoff . NewExponentialBackOff ( )
ebo . MaxElapsedTime = 60 * time . Second
err = backoff . RetryNotify ( safe . OperationWithRecover ( operation ) , ebo , notify )
2016-12-09 14:37:39 +01:00
if err != nil {
2017-12-05 15:42:03 +01:00
log . Errorf ( "Datastore cannot sync: %v" , err )
2016-12-09 14:37:39 +01:00
continue
}
2016-03-21 11:10:18 +01:00
}
}
}
}
2017-12-05 15:42:03 +01:00
func ( a * ACME ) renewACMECertificate ( certificateResource * DomainsCertificate ) ( * Certificate , error ) {
2019-01-07 18:30:06 +01:00
renewedCert , err := a . client . Certificate . Renew ( certificate . Resource {
2017-12-05 15:42:03 +01:00
Domain : certificateResource . Certificate . Domain ,
CertURL : certificateResource . Certificate . CertURL ,
CertStableURL : certificateResource . Certificate . CertStableURL ,
PrivateKey : certificateResource . Certificate . PrivateKey ,
Certificate : certificateResource . Certificate . Certificate ,
} , true , OSCPMustStaple )
if err != nil {
return nil , err
}
log . Infof ( "Renewed certificate from LE: %+v" , certificateResource . Domains )
return & Certificate {
Domain : renewedCert . Domain ,
CertURL : renewedCert . CertURL ,
CertStableURL : renewedCert . CertStableURL ,
PrivateKey : renewedCert . PrivateKey ,
Certificate : renewedCert . Certificate ,
} , nil
}
2017-12-27 14:22:02 +01:00
func ( a * ACME ) storeRenewedCertificate ( certificateResource * DomainsCertificate , renewedACMECert * Certificate ) error {
2017-12-05 15:42:03 +01:00
transaction , object , err := a . store . Begin ( )
if err != nil {
return fmt . Errorf ( "error during transaction initialization for renewing certificate: %v" , err )
}
log . Infof ( "Renewing certificate in data store : %+v " , certificateResource . Domains )
2017-12-27 14:22:02 +01:00
account := object . ( * Account )
2017-12-05 15:42:03 +01:00
err = account . DomainsCertificate . renewCertificates ( renewedACMECert , certificateResource . Domains )
if err != nil {
return fmt . Errorf ( "error renewing certificate in datastore: %v " , err )
}
log . Infof ( "Commit certificate renewed in data store : %+v" , certificateResource . Domains )
if err = transaction . Commit ( account ) ; err != nil {
return fmt . Errorf ( "error saving ACME account %+v: %v" , account , err )
}
oldAccount := a . store . Get ( ) . ( * Account )
for _ , oldCertificateResource := range oldAccount . DomainsCertificate . Certs {
if oldCertificateResource . Domains . Main == certificateResource . Domains . Main && strings . Join ( oldCertificateResource . Domains . SANs , "," ) == strings . Join ( certificateResource . Domains . SANs , "," ) && certificateResource . Certificate != renewedACMECert {
return fmt . Errorf ( "renewed certificate not stored: %+v" , certificateResource . Domains )
}
}
log . Infof ( "Certificate successfully renewed in data store: %+v" , certificateResource . Domains )
return nil
}
2019-01-07 18:30:06 +01:00
func ( a * ACME ) buildACMEClient ( account * Account ) ( * lego . Client , error ) {
2017-05-26 17:03:14 +02:00
log . Debug ( "Building ACME client..." )
2018-03-26 14:12:03 +02:00
caServer := "https://acme-v02.api.letsencrypt.org/directory"
2016-03-21 11:10:18 +01:00
if len ( a . CAServer ) > 0 {
caServer = a . CAServer
}
2018-06-15 16:42:03 +02:00
2019-01-07 18:30:06 +01:00
config := lego . NewConfig ( account )
config . CADirURL = caServer
2019-01-11 16:22:03 +01:00
config . Certificate . KeyType = account . KeyType
2019-01-07 18:30:06 +01:00
config . UserAgent = fmt . Sprintf ( "containous-traefik/%s" , version . Version )
client , err := lego . NewClient ( config )
2016-08-18 14:20:11 +02:00
if err != nil {
return nil , err
}
2016-10-14 01:33:01 +01:00
2018-07-03 12:44:04 +02:00
// DNS challenge
2018-01-15 16:04:05 +01:00
if a . DNSChallenge != nil && len ( a . DNSChallenge . Provider ) > 0 {
log . Debugf ( "Using DNS Challenge provider: %s" , a . DNSChallenge . Provider )
2016-10-14 01:33:01 +01:00
2019-01-07 18:30:06 +01:00
var provider challenge . Provider
2018-01-15 16:04:05 +01:00
provider , err = dns . NewDNSChallengeProviderByName ( a . DNSChallenge . Provider )
2016-10-14 01:33:01 +01:00
if err != nil {
return nil , err
}
2019-01-07 18:30:06 +01:00
err = client . Challenge . SetDNS01Provider ( provider ,
dns01 . CondOption ( len ( a . DNSChallenge . Resolvers ) > 0 , dns01 . AddRecursiveNameservers ( a . DNSChallenge . Resolvers ) ) ,
dns01 . CondOption ( a . DNSChallenge . DisablePropagationCheck || a . DNSChallenge . DelayBeforeCheck > 0 ,
dns01 . AddPreCheck ( func ( _ , _ string ) ( bool , error ) {
if a . DNSChallenge . DelayBeforeCheck > 0 {
log . Debugf ( "Delaying %d rather than validating DNS propagation now." , a . DNSChallenge . DelayBeforeCheck )
time . Sleep ( time . Duration ( a . DNSChallenge . DelayBeforeCheck ) )
}
return true , nil
} ) ) ,
)
2018-06-15 16:42:03 +02:00
return client , err
}
2018-07-03 12:44:04 +02:00
// HTTP challenge
2018-06-15 16:42:03 +02:00
if a . HTTPChallenge != nil && len ( a . HTTPChallenge . EntryPoint ) > 0 {
2018-03-05 20:54:04 +01:00
log . Debug ( "Using HTTP Challenge provider." )
2018-06-15 16:42:03 +02:00
2018-01-15 16:04:05 +01:00
a . challengeHTTPProvider = & challengeHTTPProvider { store : a . store }
2019-01-07 18:30:06 +01:00
err = client . Challenge . SetHTTP01Provider ( a . challengeHTTPProvider )
2018-06-15 16:42:03 +02:00
return client , err
2016-10-14 01:33:01 +01:00
}
2018-07-03 12:44:04 +02:00
// TLS Challenge
if a . TLSChallenge != nil {
log . Debug ( "Using TLS Challenge provider." )
2019-01-07 18:30:06 +01:00
err = client . Challenge . SetTLSALPN01Provider ( a . challengeTLSProvider )
2018-07-03 12:44:04 +02:00
return client , err
}
return nil , errors . New ( "ACME challenge not specified, please select TLS or HTTP or DNS Challenge" )
2016-03-21 11:10:18 +01:00
}
2016-08-05 20:42:45 +02:00
func ( a * ACME ) loadCertificateOnDemand ( clientHello * tls . ClientHelloInfo ) ( * tls . Certificate , error ) {
2016-10-14 16:04:09 +02:00
domain := types . CanonicalDomain ( clientHello . ServerName )
2016-08-18 14:20:11 +02:00
account := a . store . Get ( ) . ( * Account )
2016-10-14 16:04:09 +02:00
if certificateResource , ok := account . DomainsCertificate . getCertificateForDomain ( domain ) ; ok {
2016-03-21 11:10:18 +01:00
return certificateResource . tlsCert , nil
}
2016-10-14 16:04:09 +02:00
certificate , err := a . getDomainsCertificates ( [ ] string { domain } )
2016-03-21 11:10:18 +01:00
if err != nil {
return nil , err
}
2016-10-14 16:04:09 +02:00
log . Debugf ( "Got certificate on demand for domain %s" , domain )
2016-08-18 14:20:11 +02:00
transaction , object , err := a . store . Begin ( )
2016-03-21 11:10:18 +01:00
if err != nil {
return nil , err
}
2016-08-18 14:20:11 +02:00
account = object . ( * Account )
2018-03-05 20:54:04 +01:00
cert , err := account . DomainsCertificate . addCertificateForDomains ( certificate , types . Domain { Main : domain } )
2016-08-18 14:20:11 +02:00
if err != nil {
return nil , err
}
if err = transaction . Commit ( account ) ; err != nil {
2016-03-21 11:10:18 +01:00
return nil , err
}
return cert . tlsCert , nil
}
2016-08-05 20:42:45 +02:00
// LoadCertificateForDomains loads certificates from ACME for given domains
func ( a * ACME ) LoadCertificateForDomains ( domains [ ] string ) {
2016-12-09 14:37:39 +01:00
a . jobs . In ( ) <- func ( ) {
2017-06-19 13:22:41 +02:00
log . Debugf ( "LoadCertificateForDomains %v..." , domains )
2018-03-26 14:12:03 +02:00
domains , err := a . getValidDomains ( domains , false )
if err != nil {
log . Errorf ( "Error getting valid domain: %v" , err )
2017-06-19 13:22:41 +02:00
return
}
2016-09-23 18:27:01 +02:00
operation := func ( ) error {
if a . client == nil {
2017-06-27 14:42:12 +02:00
return errors . New ( "ACME client still not built" )
2016-09-23 18:27:01 +02:00
}
return nil
}
notify := func ( err error , time time . Duration ) {
log . Errorf ( "Error getting ACME client: %v, retrying in %s" , err , time )
}
ebo := backoff . NewExponentialBackOff ( )
ebo . MaxElapsedTime = 30 * time . Second
2018-03-26 14:12:03 +02:00
err = backoff . RetryNotify ( safe . OperationWithRecover ( operation ) , ebo , notify )
2016-09-23 18:27:01 +02:00
if err != nil {
log . Errorf ( "Error getting ACME client: %v" , err )
return
}
2016-08-18 14:20:11 +02:00
account := a . store . Get ( ) . ( * Account )
2018-02-26 11:38:03 +01:00
// Check provided certificates
uncheckedDomains := a . getUncheckedDomains ( domains , account )
if len ( uncheckedDomains ) == 0 {
2016-08-05 20:42:45 +02:00
return
}
2018-08-20 09:40:03 +02:00
a . addResolvingDomains ( uncheckedDomains )
defer a . removeResolvingDomains ( uncheckedDomains )
2019-01-07 18:30:06 +01:00
cert , err := a . getDomainsCertificates ( uncheckedDomains )
2016-08-05 20:42:45 +02:00
if err != nil {
2018-02-26 11:38:03 +01:00
log . Errorf ( "Error getting ACME certificates %+v : %v" , uncheckedDomains , err )
2016-08-05 20:42:45 +02:00
return
}
2018-02-26 11:38:03 +01:00
log . Debugf ( "Got certificate for domains %+v" , uncheckedDomains )
2016-08-18 14:20:11 +02:00
transaction , object , err := a . store . Begin ( )
if err != nil {
2018-02-26 11:38:03 +01:00
log . Errorf ( "Error creating transaction %+v : %v" , uncheckedDomains , err )
2016-08-18 14:20:11 +02:00
return
}
2018-03-05 20:54:04 +01:00
var domain types . Domain
2018-02-26 11:38:03 +01:00
if len ( uncheckedDomains ) > 1 {
2018-03-05 20:54:04 +01:00
domain = types . Domain { Main : uncheckedDomains [ 0 ] , SANs : uncheckedDomains [ 1 : ] }
2018-02-26 11:38:03 +01:00
} else {
2018-03-05 20:54:04 +01:00
domain = types . Domain { Main : uncheckedDomains [ 0 ] }
2018-02-26 11:38:03 +01:00
}
2016-08-18 14:20:11 +02:00
account = object . ( * Account )
2019-01-07 18:30:06 +01:00
_ , err = account . DomainsCertificate . addCertificateForDomains ( cert , domain )
2016-08-05 20:42:45 +02:00
if err != nil {
2018-02-26 11:38:03 +01:00
log . Errorf ( "Error adding ACME certificates %+v : %v" , uncheckedDomains , err )
2016-08-05 20:42:45 +02:00
return
}
2016-08-18 14:20:11 +02:00
if err = transaction . Commit ( account ) ; err != nil {
log . Errorf ( "Error Saving ACME account %+v: %v" , account , err )
2016-08-05 20:42:45 +02:00
return
}
2016-12-09 14:37:39 +01:00
}
2016-08-05 20:42:45 +02:00
}
2018-08-20 09:40:03 +02:00
func ( a * ACME ) addResolvingDomains ( resolvingDomains [ ] string ) {
a . resolvingDomainsMutex . Lock ( )
defer a . resolvingDomainsMutex . Unlock ( )
for _ , domain := range resolvingDomains {
a . resolvingDomains [ domain ] = struct { } { }
}
}
func ( a * ACME ) removeResolvingDomains ( resolvingDomains [ ] string ) {
a . resolvingDomainsMutex . Lock ( )
defer a . resolvingDomainsMutex . Unlock ( )
for _ , domain := range resolvingDomains {
delete ( a . resolvingDomains , domain )
}
}
2017-06-19 13:22:41 +02:00
// Get provided certificate which check a domains list (Main and SANs)
2017-11-09 12:16:03 +01:00
// from static and dynamic provided certificates
2018-02-26 11:38:03 +01:00
func ( a * ACME ) getProvidedCertificate ( domains string ) * tls . Certificate {
2018-01-10 15:20:04 +01:00
log . Debugf ( "Looking for provided certificate to validate %s..." , domains )
2017-11-09 12:16:03 +01:00
cert := searchProvidedCertificateForDomains ( domains , a . TLSConfig . NameToCertificate )
if cert == nil && a . dynamicCerts != nil && a . dynamicCerts . Get ( ) != nil {
2018-03-05 20:54:04 +01:00
cert = searchProvidedCertificateForDomains ( domains , a . dynamicCerts . Get ( ) . ( map [ string ] * tls . Certificate ) )
2017-11-09 12:16:03 +01:00
}
2018-02-26 11:38:03 +01:00
if cert == nil {
log . Debugf ( "No provided certificate found for domains %s, get ACME certificate." , domains )
}
2017-11-09 12:16:03 +01:00
return cert
}
2018-02-26 11:38:03 +01:00
func searchProvidedCertificateForDomains ( domain string , certs map [ string ] * tls . Certificate ) * tls . Certificate {
2017-06-19 13:22:41 +02:00
// Use regex to test for provided certs that might have been added into TLSConfig
2018-02-26 11:38:03 +01:00
for certDomains := range certs {
2018-03-27 10:18:03 -04:00
domainChecked := false
2018-02-26 11:38:03 +01:00
for _ , certDomain := range strings . Split ( certDomains , "," ) {
2018-03-27 10:18:03 -04:00
domainChecked = types . MatchDomain ( domain , certDomain )
if domainChecked {
2017-06-19 13:22:41 +02:00
break
}
}
2018-03-27 10:18:03 -04:00
if domainChecked {
2018-02-26 11:38:03 +01:00
log . Debugf ( "Domain %q checked by provided certificate %q" , domain , certDomains )
return certs [ certDomains ]
2017-06-19 13:22:41 +02:00
}
}
return nil
}
2018-02-26 11:38:03 +01:00
// Get provided certificate which check a domains list (Main and SANs)
// from static and dynamic provided certificates
func ( a * ACME ) getUncheckedDomains ( domains [ ] string , account * Account ) [ ] string {
2018-08-20 09:40:03 +02:00
a . resolvingDomainsMutex . RLock ( )
defer a . resolvingDomainsMutex . RUnlock ( )
2018-02-26 11:38:03 +01:00
log . Debugf ( "Looking for provided certificate to validate %s..." , domains )
allCerts := make ( map [ string ] * tls . Certificate )
// Get static certificates
for domains , certificate := range a . TLSConfig . NameToCertificate {
allCerts [ domains ] = certificate
}
// Get dynamic certificates
if a . dynamicCerts != nil && a . dynamicCerts . Get ( ) != nil {
2018-03-06 10:12:04 +01:00
for domains , certificate := range a . dynamicCerts . Get ( ) . ( map [ string ] * tls . Certificate ) {
2018-02-26 11:38:03 +01:00
allCerts [ domains ] = certificate
}
}
// Get ACME certificates
if account != nil {
for domains , certificate := range account . DomainsCertificate . toDomainsMap ( ) {
allCerts [ domains ] = certificate
}
}
2018-08-20 09:40:03 +02:00
// Get currently resolved domains
for domain := range a . resolvingDomains {
if _ , ok := allCerts [ domain ] ; ! ok {
allCerts [ domain ] = & tls . Certificate { }
}
}
2018-03-26 14:12:03 +02:00
// Get Configuration Domains
for i := 0 ; i < len ( a . Domains ) ; i ++ {
allCerts [ a . Domains [ i ] . Main ] = & tls . Certificate { }
for _ , san := range a . Domains [ i ] . SANs {
allCerts [ san ] = & tls . Certificate { }
}
}
2018-02-26 11:38:03 +01:00
return searchUncheckedDomains ( domains , allCerts )
}
func searchUncheckedDomains ( domains [ ] string , certs map [ string ] * tls . Certificate ) [ ] string {
2018-03-26 14:12:03 +02:00
var uncheckedDomains [ ] string
2018-02-26 11:38:03 +01:00
for _ , domainToCheck := range domains {
2018-03-26 14:12:03 +02:00
if ! isDomainAlreadyChecked ( domainToCheck , certs ) {
2018-02-26 11:38:03 +01:00
uncheckedDomains = append ( uncheckedDomains , domainToCheck )
}
}
2018-03-26 14:12:03 +02:00
2018-02-26 11:38:03 +01:00
if len ( uncheckedDomains ) == 0 {
log . Debugf ( "No ACME certificate to generate for domains %q." , domains )
} else {
log . Debugf ( "Domains %q need ACME certificates generation for domains %q." , domains , strings . Join ( uncheckedDomains , "," ) )
}
return uncheckedDomains
}
2016-08-18 14:20:11 +02:00
func ( a * ACME ) getDomainsCertificates ( domains [ ] string ) ( * Certificate , error ) {
2018-10-11 10:50:03 +02:00
var cleanDomains [ ] string
for _ , domain := range domains {
canonicalDomain := types . CanonicalDomain ( domain )
2019-01-07 18:30:06 +01:00
cleanDomain := dns01 . UnFqdn ( canonicalDomain )
2018-10-11 10:50:03 +02:00
if canonicalDomain != cleanDomain {
log . Warnf ( "FQDN detected, please remove the trailing dot: %s" , canonicalDomain )
}
cleanDomains = append ( cleanDomains , cleanDomain )
}
log . Debugf ( "Loading ACME certificates %s..." , cleanDomains )
2016-05-02 20:01:10 -04:00
bundle := true
2018-05-15 17:28:02 +02:00
2019-01-07 18:30:06 +01:00
request := certificate . ObtainRequest {
Domains : cleanDomains ,
Bundle : bundle ,
MustStaple : OSCPMustStaple ,
}
cert , err := a . client . Certificate . Obtain ( request )
2018-05-15 17:28:02 +02:00
if err != nil {
return nil , fmt . Errorf ( "cannot obtain certificates: %+v" , err )
2016-03-21 11:10:18 +01:00
}
2018-05-15 17:28:02 +02:00
2018-10-11 10:50:03 +02:00
log . Debugf ( "Loaded ACME certificates %s" , cleanDomains )
2016-03-21 11:10:18 +01:00
return & Certificate {
2019-01-07 18:30:06 +01:00
Domain : cert . Domain ,
CertURL : cert . CertURL ,
CertStableURL : cert . CertStableURL ,
PrivateKey : cert . PrivateKey ,
Certificate : cert . Certificate ,
2016-03-21 11:10:18 +01:00
} , nil
}
2016-12-09 14:37:39 +01:00
func ( a * ACME ) runJobs ( ) {
safe . Go ( func ( ) {
for job := range a . jobs . Out ( ) {
function := job . ( func ( ) )
function ( )
}
} )
}
2018-03-26 14:12:03 +02:00
// getValidDomains checks if given domain is allowed to generate a ACME certificate and return it
func ( a * ACME ) getValidDomains ( domains [ ] string , wildcardAllowed bool ) ( [ ] string , error ) {
2018-04-11 17:16:07 +02:00
// Check if the domains array is empty or contains only one empty value
2018-03-26 14:12:03 +02:00
if len ( domains ) == 0 || ( len ( domains ) == 1 && len ( domains [ 0 ] ) == 0 ) {
return nil , errors . New ( "unable to generate a certificate when no domain is given" )
}
if strings . HasPrefix ( domains [ 0 ] , "*" ) {
if ! wildcardAllowed {
return nil , fmt . Errorf ( "unable to generate a wildcard certificate for domain %q from a 'Host' rule" , strings . Join ( domains , "," ) )
}
2018-11-14 10:18:03 +01:00
if a . DNSChallenge == nil {
2018-03-26 14:12:03 +02:00
return nil , fmt . Errorf ( "unable to generate a wildcard certificate for domain %q : ACME needs a DNSChallenge" , strings . Join ( domains , "," ) )
}
2018-04-11 17:16:07 +02:00
if strings . HasPrefix ( domains [ 0 ] , "*.*" ) {
return nil , fmt . Errorf ( "unable to generate a wildcard certificate for domain %q : ACME does not allow '*.*' wildcard domain" , strings . Join ( domains , "," ) )
2018-03-26 14:12:03 +02:00
}
2018-04-11 17:16:07 +02:00
}
for _ , san := range domains [ 1 : ] {
if strings . HasPrefix ( san , "*" ) {
return nil , fmt . Errorf ( "unable to generate a certificate for domains %q: SANs can not be a wildcard domain" , strings . Join ( domains , "," ) )
2018-03-26 14:12:03 +02:00
}
}
domains = fun . Map ( types . CanonicalDomain , domains ) . ( [ ] string )
return domains , nil
}
func isDomainAlreadyChecked ( domainToCheck string , existentDomains map [ string ] * tls . Certificate ) bool {
for certDomains := range existentDomains {
for _ , certDomain := range strings . Split ( certDomains , "," ) {
2018-03-27 10:18:03 -04:00
if types . MatchDomain ( domainToCheck , certDomain ) {
2018-03-26 14:12:03 +02:00
return true
}
}
}
return false
}
// deleteUnnecessaryDomains deletes from the configuration :
// - Duplicated domains
// - Domains which are checked by wildcard domain
func ( a * ACME ) deleteUnnecessaryDomains ( ) {
var newDomains [ ] types . Domain
for idxDomainToCheck , domainToCheck := range a . Domains {
keepDomain := true
for idxDomain , domain := range a . Domains {
if idxDomainToCheck == idxDomain {
continue
}
if reflect . DeepEqual ( domain , domainToCheck ) {
if idxDomainToCheck > idxDomain {
log . Warnf ( "The domain %v is duplicated in the configuration but will be process by ACME only once." , domainToCheck )
keepDomain = false
}
break
2018-04-11 17:16:07 +02:00
}
2018-03-26 14:12:03 +02:00
2018-04-11 17:16:07 +02:00
var newDomainsToCheck [ ] string
2018-03-26 14:12:03 +02:00
2018-04-11 17:16:07 +02:00
// Check if domains can be validated by the wildcard domain
domainsMap := make ( map [ string ] * tls . Certificate )
domainsMap [ domain . Main ] = & tls . Certificate { }
if len ( domain . SANs ) > 0 {
domainsMap [ strings . Join ( domain . SANs , "," ) ] = & tls . Certificate { }
}
2018-03-26 14:12:03 +02:00
2018-04-11 17:16:07 +02:00
for _ , domainProcessed := range domainToCheck . ToStrArray ( ) {
if idxDomain < idxDomainToCheck && isDomainAlreadyChecked ( domainProcessed , domainsMap ) {
// The domain is duplicated in a CN
log . Warnf ( "Domain %q is duplicated in the configuration or validated by the domain %v. It will be processed once." , domainProcessed , domain )
continue
} else if domain . Main != domainProcessed && strings . HasPrefix ( domain . Main , "*" ) && types . MatchDomain ( domainProcessed , domain . Main ) {
// Check if a wildcard can validate the domain
log . Warnf ( "Domain %q will not be processed by ACME provider because it is validated by the wildcard %q" , domainProcessed , domain . Main )
continue
2018-03-26 14:12:03 +02:00
}
2018-04-11 17:16:07 +02:00
newDomainsToCheck = append ( newDomainsToCheck , domainProcessed )
}
2018-03-26 14:12:03 +02:00
2018-04-11 17:16:07 +02:00
// Delete the domain if both Main and SANs can be validated by the wildcard domain
// otherwise keep the unchecked values
if newDomainsToCheck == nil {
keepDomain = false
break
2018-03-26 14:12:03 +02:00
}
2018-04-11 17:16:07 +02:00
domainToCheck . Set ( newDomainsToCheck )
2018-03-26 14:12:03 +02:00
}
if keepDomain {
newDomains = append ( newDomains , domainToCheck )
}
}
a . Domains = newDomains
}