Simplify get acme client

This commit is contained in:
Ludovic Fernandez 2018-06-15 16:42:03 +02:00 committed by Traefiker Bot
parent 2758664226
commit 7451449dd6
3 changed files with 100 additions and 71 deletions

View file

@ -117,14 +117,18 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
if err != nil { if err != nil {
return err return err
} }
if len(a.Storage) == 0 { if len(a.Storage) == 0 {
return errors.New("Empty Store, please provide a key for certs storage") return errors.New("Empty Store, please provide a key for certs storage")
} }
a.checkOnDemandDomain = checkOnDemandDomain a.checkOnDemandDomain = checkOnDemandDomain
a.dynamicCerts = certs a.dynamicCerts = certs
tlsConfig.Certificates = append(tlsConfig.Certificates, *a.defaultCertificate) tlsConfig.Certificates = append(tlsConfig.Certificates, *a.defaultCertificate)
tlsConfig.GetCertificate = a.getCertificate tlsConfig.GetCertificate = a.getCertificate
a.TLSConfig = tlsConfig a.TLSConfig = tlsConfig
listener := func(object cluster.Object) error { listener := func(object cluster.Object) error {
account := object.(*Account) account := object.(*Account)
account.Init() account.Init()
@ -404,6 +408,7 @@ func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
if len(a.CAServer) > 0 { if len(a.CAServer) > 0 {
caServer = a.CAServer caServer = a.CAServer
} }
client, err := acme.NewClient(caServer, account, account.KeyType) client, err := acme.NewClient(caServer, account, account.KeyType)
if err != nil { if err != nil {
return nil, err return nil, err
@ -425,19 +430,19 @@ func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01}) client.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
err = client.SetChallengeProvider(acme.DNS01, provider) err = client.SetChallengeProvider(acme.DNS01, provider)
} else if a.HTTPChallenge != nil && len(a.HTTPChallenge.EntryPoint) > 0 { return client, err
}
if a.HTTPChallenge != nil && len(a.HTTPChallenge.EntryPoint) > 0 {
log.Debug("Using HTTP Challenge provider.") log.Debug("Using HTTP Challenge provider.")
client.ExcludeChallenges([]acme.Challenge{acme.DNS01}) client.ExcludeChallenges([]acme.Challenge{acme.DNS01})
a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store} a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store}
err = client.SetChallengeProvider(acme.HTTP01, a.challengeHTTPProvider) err = client.SetChallengeProvider(acme.HTTP01, a.challengeHTTPProvider)
} else { return client, err
return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
} }
if err != nil { return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
return nil, err
}
return client, nil
} }
func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {

View file

@ -23,10 +23,12 @@ func (c *challengeHTTPProvider) getTokenValue(token, domain string) []byte {
log.Debugf("Looking for an existing ACME challenge for token %v...", token) log.Debugf("Looking for an existing ACME challenge for token %v...", token)
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
account := c.store.Get().(*Account) account := c.store.Get().(*Account)
if account.HTTPChallenge == nil { if account.HTTPChallenge == nil {
return []byte{} return []byte{}
} }
var result []byte var result []byte
operation := func() error { operation := func() error {
var ok bool var ok bool
@ -35,9 +37,11 @@ func (c *challengeHTTPProvider) getTokenValue(token, domain string) []byte {
} }
return nil return nil
} }
notify := func(err error, time time.Duration) { notify := func(err error, time time.Duration) {
log.Errorf("Error getting challenge for token retrying in %s", time) log.Errorf("Error getting challenge for token retrying in %s", time)
} }
ebo := backoff.NewExponentialBackOff() ebo := backoff.NewExponentialBackOff()
ebo.MaxElapsedTime = 60 * time.Second ebo.MaxElapsedTime = 60 * time.Second
err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify) err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
@ -52,18 +56,23 @@ func (c *challengeHTTPProvider) Present(domain, token, keyAuth string) error {
log.Debugf("Challenge Present %s", domain) log.Debugf("Challenge Present %s", domain)
c.lock.Lock() c.lock.Lock()
defer c.lock.Unlock() defer c.lock.Unlock()
transaction, object, err := c.store.Begin() transaction, object, err := c.store.Begin()
if err != nil { if err != nil {
return err return err
} }
account := object.(*Account) account := object.(*Account)
if account.HTTPChallenge == nil { if account.HTTPChallenge == nil {
account.HTTPChallenge = map[string]map[string][]byte{} account.HTTPChallenge = map[string]map[string][]byte{}
} }
if _, ok := account.HTTPChallenge[token]; !ok { if _, ok := account.HTTPChallenge[token]; !ok {
account.HTTPChallenge[token] = map[string][]byte{} account.HTTPChallenge[token] = map[string][]byte{}
} }
account.HTTPChallenge[token][domain] = []byte(keyAuth) account.HTTPChallenge[token][domain] = []byte(keyAuth)
return transaction.Commit(account) return transaction.Commit(account)
} }
@ -71,10 +80,12 @@ func (c *challengeHTTPProvider) CleanUp(domain, token, keyAuth string) error {
log.Debugf("Challenge CleanUp %s", domain) log.Debugf("Challenge CleanUp %s", domain)
c.lock.Lock() c.lock.Lock()
defer c.lock.Unlock() defer c.lock.Unlock()
transaction, object, err := c.store.Begin() transaction, object, err := c.store.Begin()
if err != nil { if err != nil {
return err return err
} }
account := object.(*Account) account := object.(*Account)
if _, ok := account.HTTPChallenge[token]; ok { if _, ok := account.HTTPChallenge[token]; ok {
if _, domainOk := account.HTTPChallenge[token][domain]; domainOk { if _, domainOk := account.HTTPChallenge[token][domain]; domainOk {
@ -84,6 +95,7 @@ func (c *challengeHTTPProvider) CleanUp(domain, token, keyAuth string) error {
delete(account.HTTPChallenge, token) delete(account.HTTPChallenge, token)
} }
} }
return transaction.Commit(account) return transaction.Commit(account)
} }

View file

@ -211,6 +211,7 @@ func (p *Provider) resolveCertificate(domain types.Domain, domainFromConfigurati
} }
log.Debugf("Loading ACME certificates %+v...", uncheckedDomains) log.Debugf("Loading ACME certificates %+v...", uncheckedDomains)
client, err := p.getClient() client, err := p.getClient()
if err != nil { if err != nil {
return nil, fmt.Errorf("cannot get ACME client %v", err) return nil, fmt.Errorf("cannot get ACME client %v", err)
@ -226,6 +227,7 @@ func (p *Provider) resolveCertificate(domain types.Domain, domainFromConfigurati
if len(certificate.Certificate) == 0 || len(certificate.PrivateKey) == 0 { if len(certificate.Certificate) == 0 || len(certificate.PrivateKey) == 0 {
return nil, fmt.Errorf("domains %v generate certificate with no value: %v", uncheckedDomains, certificate) return nil, fmt.Errorf("domains %v generate certificate with no value: %v", uncheckedDomains, certificate)
} }
log.Debugf("Certificates obtained for domains %+v", uncheckedDomains) log.Debugf("Certificates obtained for domains %+v", uncheckedDomains)
if len(uncheckedDomains) > 1 { if len(uncheckedDomains) > 1 {
@ -241,72 +243,82 @@ func (p *Provider) resolveCertificate(domain types.Domain, domainFromConfigurati
func (p *Provider) getClient() (*acme.Client, error) { func (p *Provider) getClient() (*acme.Client, error) {
p.clientMutex.Lock() p.clientMutex.Lock()
defer p.clientMutex.Unlock() defer p.clientMutex.Unlock()
var account *Account
if p.client == nil {
var err error
account, err = p.initAccount()
if err != nil {
return nil, err
}
log.Debug("Building ACME client...") if p.client != nil {
caServer := "https://acme-v02.api.letsencrypt.org/directory" return p.client, nil
if len(p.CAServer) > 0 {
caServer = p.CAServer
}
log.Debugf(caServer)
client, err := acme.NewClient(caServer, account, account.KeyType)
if err != nil {
return nil, err
}
if account.GetRegistration() == nil {
// New users will need to register; be sure to save it
log.Info("Register...")
reg, err := client.Register(true)
if err != nil {
return nil, err
}
account.Registration = reg
}
// Save the account once before all the certificates generation/storing
// No certificate can be generated if account is not initialized
err = p.Store.SaveAccount(account)
if err != nil {
return nil, err
}
if p.DNSChallenge != nil && len(p.DNSChallenge.Provider) > 0 {
log.Debugf("Using DNS Challenge provider: %s", p.DNSChallenge.Provider)
err = dnsOverrideDelay(p.DNSChallenge.DelayBeforeCheck)
if err != nil {
return nil, err
}
var provider acme.ChallengeProvider
provider, err = dns.NewDNSChallengeProviderByName(p.DNSChallenge.Provider)
if err != nil {
return nil, err
}
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
err = client.SetChallengeProvider(acme.DNS01, provider)
if err != nil {
return nil, err
}
} else if p.HTTPChallenge != nil && len(p.HTTPChallenge.EntryPoint) > 0 {
log.Debug("Using HTTP Challenge provider.")
client.ExcludeChallenges([]acme.Challenge{acme.DNS01})
err = client.SetChallengeProvider(acme.HTTP01, p)
if err != nil {
return nil, err
}
} else {
return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
}
p.client = client
} }
account, err := p.initAccount()
if err != nil {
return nil, err
}
log.Debug("Building ACME client...")
caServer := "https://acme-v02.api.letsencrypt.org/directory"
if len(p.CAServer) > 0 {
caServer = p.CAServer
}
log.Debug(caServer)
client, err := acme.NewClient(caServer, account, account.KeyType)
if err != nil {
return nil, err
}
// New users will need to register; be sure to save it
if account.GetRegistration() == nil {
log.Info("Register...")
reg, err := client.Register(true)
if err != nil {
return nil, err
}
account.Registration = reg
}
// Save the account once before all the certificates generation/storing
// No certificate can be generated if account is not initialized
err = p.Store.SaveAccount(account)
if err != nil {
return nil, err
}
if p.DNSChallenge != nil && len(p.DNSChallenge.Provider) > 0 {
log.Debugf("Using DNS Challenge provider: %s", p.DNSChallenge.Provider)
err = dnsOverrideDelay(p.DNSChallenge.DelayBeforeCheck)
if err != nil {
return nil, err
}
var provider acme.ChallengeProvider
provider, err = dns.NewDNSChallengeProviderByName(p.DNSChallenge.Provider)
if err != nil {
return nil, err
}
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
err = client.SetChallengeProvider(acme.DNS01, provider)
if err != nil {
return nil, err
}
} else if p.HTTPChallenge != nil && len(p.HTTPChallenge.EntryPoint) > 0 {
log.Debug("Using HTTP Challenge provider.")
client.ExcludeChallenges([]acme.Challenge{acme.DNS01})
err = client.SetChallengeProvider(acme.HTTP01, p)
if err != nil {
return nil, err
}
} else {
return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
}
p.client = client
return p.client, nil return p.client, nil
} }