Simplify get acme client
This commit is contained in:
parent
2758664226
commit
7451449dd6
3 changed files with 100 additions and 71 deletions
19
acme/acme.go
19
acme/acme.go
|
@ -117,14 +117,18 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(a.Storage) == 0 {
|
if len(a.Storage) == 0 {
|
||||||
return errors.New("Empty Store, please provide a key for certs storage")
|
return errors.New("Empty Store, please provide a key for certs storage")
|
||||||
}
|
}
|
||||||
|
|
||||||
a.checkOnDemandDomain = checkOnDemandDomain
|
a.checkOnDemandDomain = checkOnDemandDomain
|
||||||
a.dynamicCerts = certs
|
a.dynamicCerts = certs
|
||||||
|
|
||||||
tlsConfig.Certificates = append(tlsConfig.Certificates, *a.defaultCertificate)
|
tlsConfig.Certificates = append(tlsConfig.Certificates, *a.defaultCertificate)
|
||||||
tlsConfig.GetCertificate = a.getCertificate
|
tlsConfig.GetCertificate = a.getCertificate
|
||||||
a.TLSConfig = tlsConfig
|
a.TLSConfig = tlsConfig
|
||||||
|
|
||||||
listener := func(object cluster.Object) error {
|
listener := func(object cluster.Object) error {
|
||||||
account := object.(*Account)
|
account := object.(*Account)
|
||||||
account.Init()
|
account.Init()
|
||||||
|
@ -404,6 +408,7 @@ func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
|
||||||
if len(a.CAServer) > 0 {
|
if len(a.CAServer) > 0 {
|
||||||
caServer = a.CAServer
|
caServer = a.CAServer
|
||||||
}
|
}
|
||||||
|
|
||||||
client, err := acme.NewClient(caServer, account, account.KeyType)
|
client, err := acme.NewClient(caServer, account, account.KeyType)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -425,19 +430,19 @@ func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
|
||||||
|
|
||||||
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
|
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
|
||||||
err = client.SetChallengeProvider(acme.DNS01, provider)
|
err = client.SetChallengeProvider(acme.DNS01, provider)
|
||||||
} else if a.HTTPChallenge != nil && len(a.HTTPChallenge.EntryPoint) > 0 {
|
return client, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if a.HTTPChallenge != nil && len(a.HTTPChallenge.EntryPoint) > 0 {
|
||||||
log.Debug("Using HTTP Challenge provider.")
|
log.Debug("Using HTTP Challenge provider.")
|
||||||
|
|
||||||
client.ExcludeChallenges([]acme.Challenge{acme.DNS01})
|
client.ExcludeChallenges([]acme.Challenge{acme.DNS01})
|
||||||
a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store}
|
a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store}
|
||||||
err = client.SetChallengeProvider(acme.HTTP01, a.challengeHTTPProvider)
|
err = client.SetChallengeProvider(acme.HTTP01, a.challengeHTTPProvider)
|
||||||
} else {
|
return client, err
|
||||||
return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if err != nil {
|
return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return client, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
|
|
|
@ -23,10 +23,12 @@ func (c *challengeHTTPProvider) getTokenValue(token, domain string) []byte {
|
||||||
log.Debugf("Looking for an existing ACME challenge for token %v...", token)
|
log.Debugf("Looking for an existing ACME challenge for token %v...", token)
|
||||||
c.lock.RLock()
|
c.lock.RLock()
|
||||||
defer c.lock.RUnlock()
|
defer c.lock.RUnlock()
|
||||||
|
|
||||||
account := c.store.Get().(*Account)
|
account := c.store.Get().(*Account)
|
||||||
if account.HTTPChallenge == nil {
|
if account.HTTPChallenge == nil {
|
||||||
return []byte{}
|
return []byte{}
|
||||||
}
|
}
|
||||||
|
|
||||||
var result []byte
|
var result []byte
|
||||||
operation := func() error {
|
operation := func() error {
|
||||||
var ok bool
|
var ok bool
|
||||||
|
@ -35,9 +37,11 @@ func (c *challengeHTTPProvider) getTokenValue(token, domain string) []byte {
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
notify := func(err error, time time.Duration) {
|
notify := func(err error, time time.Duration) {
|
||||||
log.Errorf("Error getting challenge for token retrying in %s", time)
|
log.Errorf("Error getting challenge for token retrying in %s", time)
|
||||||
}
|
}
|
||||||
|
|
||||||
ebo := backoff.NewExponentialBackOff()
|
ebo := backoff.NewExponentialBackOff()
|
||||||
ebo.MaxElapsedTime = 60 * time.Second
|
ebo.MaxElapsedTime = 60 * time.Second
|
||||||
err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
|
err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
|
||||||
|
@ -52,18 +56,23 @@ func (c *challengeHTTPProvider) Present(domain, token, keyAuth string) error {
|
||||||
log.Debugf("Challenge Present %s", domain)
|
log.Debugf("Challenge Present %s", domain)
|
||||||
c.lock.Lock()
|
c.lock.Lock()
|
||||||
defer c.lock.Unlock()
|
defer c.lock.Unlock()
|
||||||
|
|
||||||
transaction, object, err := c.store.Begin()
|
transaction, object, err := c.store.Begin()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
account := object.(*Account)
|
account := object.(*Account)
|
||||||
if account.HTTPChallenge == nil {
|
if account.HTTPChallenge == nil {
|
||||||
account.HTTPChallenge = map[string]map[string][]byte{}
|
account.HTTPChallenge = map[string]map[string][]byte{}
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, ok := account.HTTPChallenge[token]; !ok {
|
if _, ok := account.HTTPChallenge[token]; !ok {
|
||||||
account.HTTPChallenge[token] = map[string][]byte{}
|
account.HTTPChallenge[token] = map[string][]byte{}
|
||||||
}
|
}
|
||||||
|
|
||||||
account.HTTPChallenge[token][domain] = []byte(keyAuth)
|
account.HTTPChallenge[token][domain] = []byte(keyAuth)
|
||||||
|
|
||||||
return transaction.Commit(account)
|
return transaction.Commit(account)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -71,10 +80,12 @@ func (c *challengeHTTPProvider) CleanUp(domain, token, keyAuth string) error {
|
||||||
log.Debugf("Challenge CleanUp %s", domain)
|
log.Debugf("Challenge CleanUp %s", domain)
|
||||||
c.lock.Lock()
|
c.lock.Lock()
|
||||||
defer c.lock.Unlock()
|
defer c.lock.Unlock()
|
||||||
|
|
||||||
transaction, object, err := c.store.Begin()
|
transaction, object, err := c.store.Begin()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
account := object.(*Account)
|
account := object.(*Account)
|
||||||
if _, ok := account.HTTPChallenge[token]; ok {
|
if _, ok := account.HTTPChallenge[token]; ok {
|
||||||
if _, domainOk := account.HTTPChallenge[token][domain]; domainOk {
|
if _, domainOk := account.HTTPChallenge[token][domain]; domainOk {
|
||||||
|
@ -84,6 +95,7 @@ func (c *challengeHTTPProvider) CleanUp(domain, token, keyAuth string) error {
|
||||||
delete(account.HTTPChallenge, token)
|
delete(account.HTTPChallenge, token)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return transaction.Commit(account)
|
return transaction.Commit(account)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -211,6 +211,7 @@ func (p *Provider) resolveCertificate(domain types.Domain, domainFromConfigurati
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Debugf("Loading ACME certificates %+v...", uncheckedDomains)
|
log.Debugf("Loading ACME certificates %+v...", uncheckedDomains)
|
||||||
|
|
||||||
client, err := p.getClient()
|
client, err := p.getClient()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("cannot get ACME client %v", err)
|
return nil, fmt.Errorf("cannot get ACME client %v", err)
|
||||||
|
@ -226,6 +227,7 @@ func (p *Provider) resolveCertificate(domain types.Domain, domainFromConfigurati
|
||||||
if len(certificate.Certificate) == 0 || len(certificate.PrivateKey) == 0 {
|
if len(certificate.Certificate) == 0 || len(certificate.PrivateKey) == 0 {
|
||||||
return nil, fmt.Errorf("domains %v generate certificate with no value: %v", uncheckedDomains, certificate)
|
return nil, fmt.Errorf("domains %v generate certificate with no value: %v", uncheckedDomains, certificate)
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Debugf("Certificates obtained for domains %+v", uncheckedDomains)
|
log.Debugf("Certificates obtained for domains %+v", uncheckedDomains)
|
||||||
|
|
||||||
if len(uncheckedDomains) > 1 {
|
if len(uncheckedDomains) > 1 {
|
||||||
|
@ -241,72 +243,82 @@ func (p *Provider) resolveCertificate(domain types.Domain, domainFromConfigurati
|
||||||
func (p *Provider) getClient() (*acme.Client, error) {
|
func (p *Provider) getClient() (*acme.Client, error) {
|
||||||
p.clientMutex.Lock()
|
p.clientMutex.Lock()
|
||||||
defer p.clientMutex.Unlock()
|
defer p.clientMutex.Unlock()
|
||||||
var account *Account
|
|
||||||
if p.client == nil {
|
|
||||||
var err error
|
|
||||||
account, err = p.initAccount()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
log.Debug("Building ACME client...")
|
if p.client != nil {
|
||||||
caServer := "https://acme-v02.api.letsencrypt.org/directory"
|
return p.client, nil
|
||||||
if len(p.CAServer) > 0 {
|
|
||||||
caServer = p.CAServer
|
|
||||||
}
|
|
||||||
log.Debugf(caServer)
|
|
||||||
client, err := acme.NewClient(caServer, account, account.KeyType)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if account.GetRegistration() == nil {
|
|
||||||
// New users will need to register; be sure to save it
|
|
||||||
log.Info("Register...")
|
|
||||||
reg, err := client.Register(true)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
account.Registration = reg
|
|
||||||
}
|
|
||||||
|
|
||||||
// Save the account once before all the certificates generation/storing
|
|
||||||
// No certificate can be generated if account is not initialized
|
|
||||||
err = p.Store.SaveAccount(account)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
if p.DNSChallenge != nil && len(p.DNSChallenge.Provider) > 0 {
|
|
||||||
log.Debugf("Using DNS Challenge provider: %s", p.DNSChallenge.Provider)
|
|
||||||
|
|
||||||
err = dnsOverrideDelay(p.DNSChallenge.DelayBeforeCheck)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
var provider acme.ChallengeProvider
|
|
||||||
provider, err = dns.NewDNSChallengeProviderByName(p.DNSChallenge.Provider)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
|
|
||||||
err = client.SetChallengeProvider(acme.DNS01, provider)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
} else if p.HTTPChallenge != nil && len(p.HTTPChallenge.EntryPoint) > 0 {
|
|
||||||
log.Debug("Using HTTP Challenge provider.")
|
|
||||||
client.ExcludeChallenges([]acme.Challenge{acme.DNS01})
|
|
||||||
err = client.SetChallengeProvider(acme.HTTP01, p)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
|
|
||||||
}
|
|
||||||
p.client = client
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
account, err := p.initAccount()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Debug("Building ACME client...")
|
||||||
|
|
||||||
|
caServer := "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
|
if len(p.CAServer) > 0 {
|
||||||
|
caServer = p.CAServer
|
||||||
|
}
|
||||||
|
log.Debug(caServer)
|
||||||
|
|
||||||
|
client, err := acme.NewClient(caServer, account, account.KeyType)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// New users will need to register; be sure to save it
|
||||||
|
if account.GetRegistration() == nil {
|
||||||
|
log.Info("Register...")
|
||||||
|
|
||||||
|
reg, err := client.Register(true)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
account.Registration = reg
|
||||||
|
}
|
||||||
|
|
||||||
|
// Save the account once before all the certificates generation/storing
|
||||||
|
// No certificate can be generated if account is not initialized
|
||||||
|
err = p.Store.SaveAccount(account)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if p.DNSChallenge != nil && len(p.DNSChallenge.Provider) > 0 {
|
||||||
|
log.Debugf("Using DNS Challenge provider: %s", p.DNSChallenge.Provider)
|
||||||
|
|
||||||
|
err = dnsOverrideDelay(p.DNSChallenge.DelayBeforeCheck)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var provider acme.ChallengeProvider
|
||||||
|
provider, err = dns.NewDNSChallengeProviderByName(p.DNSChallenge.Provider)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
|
||||||
|
|
||||||
|
err = client.SetChallengeProvider(acme.DNS01, provider)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
} else if p.HTTPChallenge != nil && len(p.HTTPChallenge.EntryPoint) > 0 {
|
||||||
|
log.Debug("Using HTTP Challenge provider.")
|
||||||
|
|
||||||
|
client.ExcludeChallenges([]acme.Challenge{acme.DNS01})
|
||||||
|
|
||||||
|
err = client.SetChallengeProvider(acme.HTTP01, p)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
|
||||||
|
}
|
||||||
|
|
||||||
|
p.client = client
|
||||||
return p.client, nil
|
return p.client, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue