Merge pull request #601 from containous/add-host-cert-acme-generation

Add Host cert ACME generation
This commit is contained in:
Emile Vauge 2016-08-18 15:01:41 +02:00 committed by GitHub
commit fc19ab2868
6 changed files with 182 additions and 52 deletions

View file

@ -166,9 +166,12 @@ type ACME struct {
Domains []Domain `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"` Domains []Domain `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
StorageFile string `description:"File used for certificates storage."` StorageFile string `description:"File used for certificates storage."`
OnDemand bool `description:"Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` OnDemand bool `description:"Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."`
OnHostRule bool `description:"Enable certificate generation on frontends Host rules."`
CAServer string `description:"CA server to use."` CAServer string `description:"CA server to use."`
EntryPoint string `description:"Entrypoint to proxy acme challenge to."` EntryPoint string `description:"Entrypoint to proxy acme challenge to."`
storageLock sync.RWMutex storageLock sync.RWMutex
client *acme.Client
account *Account
} }
//Domains parse []Domain //Domains parse []Domain
@ -229,14 +232,14 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
} }
tlsConfig.Certificates = append(tlsConfig.Certificates, *cert) tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)
} }
var account *Account
var needRegister bool var needRegister bool
var err error
// if certificates in storage, load them // if certificates in storage, load them
if fileInfo, err := os.Stat(a.StorageFile); err == nil && fileInfo.Size() != 0 { if fileInfo, err := os.Stat(a.StorageFile); err == nil && fileInfo.Size() != 0 {
log.Infof("Loading ACME certificates...") log.Infof("Loading ACME certificates...")
// load account // load account
account, err = a.loadAccount(a) a.account, err = a.loadAccount(a)
if err != nil { if err != nil {
return err return err
} }
@ -247,42 +250,42 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
if err != nil { if err != nil {
return err return err
} }
account = &Account{ a.account = &Account{
Email: a.Email, Email: a.Email,
PrivateKey: x509.MarshalPKCS1PrivateKey(privateKey), PrivateKey: x509.MarshalPKCS1PrivateKey(privateKey),
} }
account.DomainsCertificate = DomainsCertificates{Certs: []*DomainsCertificate{}, lock: &sync.RWMutex{}} a.account.DomainsCertificate = DomainsCertificates{Certs: []*DomainsCertificate{}, lock: &sync.RWMutex{}}
needRegister = true needRegister = true
} }
client, err := a.buildACMEClient(account) a.client, err = a.buildACMEClient()
if err != nil { if err != nil {
return err return err
} }
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01}) a.client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01})
wrapperChallengeProvider := newWrapperChallengeProvider() wrapperChallengeProvider := newWrapperChallengeProvider()
client.SetChallengeProvider(acme.TLSSNI01, wrapperChallengeProvider) a.client.SetChallengeProvider(acme.TLSSNI01, wrapperChallengeProvider)
if needRegister { if needRegister {
// New users will need to register; be sure to save it // New users will need to register; be sure to save it
reg, err := client.Register() reg, err := a.client.Register()
if err != nil { if err != nil {
return err return err
} }
account.Registration = reg a.account.Registration = reg
} }
// The client has a URL to the current Let's Encrypt Subscriber // The client has a URL to the current Let's Encrypt Subscriber
// Agreement. The user will need to agree to it. // Agreement. The user will need to agree to it.
err = client.AgreeToTOS() err = a.client.AgreeToTOS()
if err != nil { if err != nil {
return err return err
} }
safe.Go(func() { safe.Go(func() {
a.retrieveCertificates(client, account) a.retrieveCertificates(a.client)
if err := a.renewCertificates(client, account); err != nil { if err := a.renewCertificates(a.client); err != nil {
log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error()) log.Errorf("Error renewing ACME certificate %+v: %s", a.account, err.Error())
} }
}) })
@ -290,14 +293,14 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
if challengeCert, ok := wrapperChallengeProvider.getCertificate(clientHello.ServerName); ok { if challengeCert, ok := wrapperChallengeProvider.getCertificate(clientHello.ServerName); ok {
return challengeCert, nil return challengeCert, nil
} }
if domainCert, ok := account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok { if domainCert, ok := a.account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok {
return domainCert.tlsCert, nil return domainCert.tlsCert, nil
} }
if a.OnDemand { if a.OnDemand {
if CheckOnDemandDomain != nil && !CheckOnDemandDomain(clientHello.ServerName) { if CheckOnDemandDomain != nil && !CheckOnDemandDomain(clientHello.ServerName) {
return nil, nil return nil, nil
} }
return a.loadCertificateOnDemand(client, account, clientHello) return a.loadCertificateOnDemand(clientHello)
} }
return nil, nil return nil, nil
} }
@ -307,8 +310,8 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
for { for {
select { select {
case <-ticker.C: case <-ticker.C:
if err := a.renewCertificates(client, account); err != nil { if err := a.renewCertificates(a.client); err != nil {
log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error()) log.Errorf("Error renewing ACME certificate %+v: %s", a.account, err.Error())
} }
} }
} }
@ -317,11 +320,11 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
return nil return nil
} }
func (a *ACME) retrieveCertificates(client *acme.Client, account *Account) { func (a *ACME) retrieveCertificates(client *acme.Client) {
log.Infof("Retrieving ACME certificates...") log.Infof("Retrieving ACME certificates...")
for _, domain := range a.Domains { for _, domain := range a.Domains {
// check if cert isn't already loaded // check if cert isn't already loaded
if _, exists := account.DomainsCertificate.exists(domain); !exists { if _, exists := a.account.DomainsCertificate.exists(domain); !exists {
domains := []string{} domains := []string{}
domains = append(domains, domain.Main) domains = append(domains, domain.Main)
domains = append(domains, domain.SANs...) domains = append(domains, domain.SANs...)
@ -330,13 +333,13 @@ func (a *ACME) retrieveCertificates(client *acme.Client, account *Account) {
log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error()) log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error())
continue continue
} }
_, err = account.DomainsCertificate.addCertificateForDomains(certificateResource, domain) _, err = a.account.DomainsCertificate.addCertificateForDomains(certificateResource, domain)
if err != nil { if err != nil {
log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error()) log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error())
continue continue
} }
if err = a.saveAccount(account); err != nil { if err = a.saveAccount(); err != nil {
log.Errorf("Error Saving ACME account %+v: %s", account, err.Error()) log.Errorf("Error Saving ACME account %+v: %s", a.account, err.Error())
continue continue
} }
} }
@ -344,9 +347,9 @@ func (a *ACME) retrieveCertificates(client *acme.Client, account *Account) {
log.Infof("Retrieved ACME certificates") log.Infof("Retrieved ACME certificates")
} }
func (a *ACME) renewCertificates(client *acme.Client, account *Account) error { func (a *ACME) renewCertificates(client *acme.Client) error {
log.Debugf("Testing certificate renew...") log.Debugf("Testing certificate renew...")
for _, certificateResource := range account.DomainsCertificate.Certs { for _, certificateResource := range a.account.DomainsCertificate.Certs {
if certificateResource.needRenew() { if certificateResource.needRenew() {
log.Debugf("Renewing certificate %+v", certificateResource.Domains) log.Debugf("Renewing certificate %+v", certificateResource.Domains)
renewedCert, err := client.RenewCertificate(acme.CertificateResource{ renewedCert, err := client.RenewCertificate(acme.CertificateResource{
@ -368,12 +371,12 @@ func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
PrivateKey: renewedCert.PrivateKey, PrivateKey: renewedCert.PrivateKey,
Certificate: renewedCert.Certificate, Certificate: renewedCert.Certificate,
} }
err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains) err = a.account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
if err != nil { if err != nil {
log.Errorf("Error renewing certificate: %v", err) log.Errorf("Error renewing certificate: %v", err)
continue continue
} }
if err = a.saveAccount(account); err != nil { if err = a.saveAccount(); err != nil {
log.Errorf("Error saving ACME account: %v", err) log.Errorf("Error saving ACME account: %v", err)
continue continue
} }
@ -382,12 +385,12 @@ func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
return nil return nil
} }
func (a *ACME) buildACMEClient(Account *Account) (*acme.Client, error) { func (a *ACME) buildACMEClient() (*acme.Client, error) {
caServer := "https://acme-v01.api.letsencrypt.org/directory" caServer := "https://acme-v01.api.letsencrypt.org/directory"
if len(a.CAServer) > 0 { if len(a.CAServer) > 0 {
caServer = a.CAServer caServer = a.CAServer
} }
client, err := acme.NewClient(caServer, Account, acme.RSA4096) client, err := acme.NewClient(caServer, a.account, acme.RSA4096)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -395,25 +398,60 @@ func (a *ACME) buildACMEClient(Account *Account) (*acme.Client, error) {
return client, nil return client, nil
} }
func (a *ACME) loadCertificateOnDemand(client *acme.Client, Account *Account, clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
if certificateResource, ok := Account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok { if certificateResource, ok := a.account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok {
return certificateResource.tlsCert, nil return certificateResource.tlsCert, nil
} }
Certificate, err := a.getDomainsCertificates(client, []string{clientHello.ServerName}) certificate, err := a.getDomainsCertificates(a.client, []string{clientHello.ServerName})
if err != nil { if err != nil {
return nil, err return nil, err
} }
log.Debugf("Got certificate on demand for domain %s", clientHello.ServerName) log.Debugf("Got certificate on demand for domain %s", clientHello.ServerName)
cert, err := Account.DomainsCertificate.addCertificateForDomains(Certificate, Domain{Main: clientHello.ServerName}) cert, err := a.account.DomainsCertificate.addCertificateForDomains(certificate, Domain{Main: clientHello.ServerName})
if err != nil { if err != nil {
return nil, err return nil, err
} }
if err = a.saveAccount(Account); err != nil { if err = a.saveAccount(); err != nil {
return nil, err return nil, err
} }
return cert.tlsCert, nil return cert.tlsCert, nil
} }
// LoadCertificateForDomains loads certificates from ACME for given domains
func (a *ACME) LoadCertificateForDomains(domains []string) {
safe.Go(func() {
var domain Domain
if len(domains) == 0 {
// no domain
return
} else if len(domains) > 1 {
domain = Domain{Main: domains[0], SANs: domains[1:]}
} else {
domain = Domain{Main: domains[0]}
}
if _, exists := a.account.DomainsCertificate.exists(domain); exists {
// domain already exists
return
}
certificate, err := a.getDomainsCertificates(a.client, domains)
if err != nil {
log.Errorf("Error getting ACME certificates %+v : %v", domains, err)
return
}
log.Debugf("Got certificate for domains %+v", domains)
_, err = a.account.DomainsCertificate.addCertificateForDomains(certificate, domain)
if err != nil {
log.Errorf("Error adding ACME certificates %+v : %v", domains, err)
return
}
if err = a.saveAccount(); err != nil {
log.Errorf("Error Saving ACME account %+v: %v", a.account, err)
return
}
})
}
func (a *ACME) loadAccount(acmeConfig *ACME) (*Account, error) { func (a *ACME) loadAccount(acmeConfig *ACME) (*Account, error) {
a.storageLock.RLock() a.storageLock.RLock()
defer a.storageLock.RUnlock() defer a.storageLock.RUnlock()
@ -435,11 +473,11 @@ func (a *ACME) loadAccount(acmeConfig *ACME) (*Account, error) {
return &Account, nil return &Account, nil
} }
func (a *ACME) saveAccount(Account *Account) error { func (a *ACME) saveAccount() error {
a.storageLock.Lock() a.storageLock.Lock()
defer a.storageLock.Unlock() defer a.storageLock.Unlock()
// write account to file // write account to file
data, err := json.MarshalIndent(Account, "", " ") data, err := json.MarshalIndent(a.account, "", " ")
if err != nil { if err != nil {
return err return err
} }

View file

@ -206,6 +206,13 @@ entryPoint = "https"
# #
# onDemand = true # onDemand = true
# Enable certificate generation on frontends Host rules. This will request a certificate from Let's Encrypt for each frontend with a Host rule.
# For example, a rule Host:test1.traefik.io,test2.traefik.io will request a certificate with main domain test1.traefik.io and SAN test2.traefik.io.
#
# Optional
#
# OnHostRule = true
# CA server to use # CA server to use
# Uncomment the line to run on the staging let's encrypt server # Uncomment the line to run on the staging let's encrypt server
# Leave comment to go to prod # Leave comment to go to prod

View file

@ -2,6 +2,7 @@ package main
import ( import (
"errors" "errors"
"fmt"
"github.com/containous/mux" "github.com/containous/mux"
"net" "net"
"net/http" "net/http"
@ -93,8 +94,7 @@ func (r *Rules) headersRegexp(headers ...string) *mux.Route {
return r.route.route.HeadersRegexp(headers...) return r.route.route.HeadersRegexp(headers...)
} }
// Parse parses rules expressions func (r *Rules) parseRules(expression string, onRule func(functionName string, function interface{}, arguments []string) error) error {
func (r *Rules) Parse(expression string) (*mux.Route, error) {
functions := map[string]interface{}{ functions := map[string]interface{}{
"Host": r.host, "Host": r.host,
"HostRegexp": r.hostRegexp, "HostRegexp": r.hostRegexp,
@ -108,7 +108,7 @@ func (r *Rules) Parse(expression string) (*mux.Route, error) {
} }
if len(expression) == 0 { if len(expression) == 0 {
return nil, errors.New("Empty rule") return errors.New("Empty rule")
} }
f := func(c rune) bool { f := func(c rune) bool {
@ -122,17 +122,16 @@ func (r *Rules) Parse(expression string) (*mux.Route, error) {
parsedRules := strings.FieldsFunc(expression, splitRule) parsedRules := strings.FieldsFunc(expression, splitRule)
var resultRoute *mux.Route
for _, rule := range parsedRules { for _, rule := range parsedRules {
// get function // get function
parsedFunctions := strings.FieldsFunc(rule, f) parsedFunctions := strings.FieldsFunc(rule, f)
if len(parsedFunctions) == 0 { if len(parsedFunctions) == 0 {
return nil, errors.New("Error parsing rule: '" + rule + "'") return errors.New("Error parsing rule: '" + rule + "'")
} }
parsedFunction, ok := functions[strings.TrimSpace(parsedFunctions[0])] functionName := strings.TrimSpace(parsedFunctions[0])
parsedFunction, ok := functions[functionName]
if !ok { if !ok {
return nil, errors.New("Error parsing rule: '" + rule + "'. Unknown function: '" + parsedFunctions[0] + "'") return errors.New("Error parsing rule: '" + rule + "'. Unknown function: '" + parsedFunctions[0] + "'")
} }
parsedFunctions = append(parsedFunctions[:0], parsedFunctions[1:]...) parsedFunctions = append(parsedFunctions[:0], parsedFunctions[1:]...)
fargs := func(c rune) bool { fargs := func(c rune) bool {
@ -141,26 +140,62 @@ func (r *Rules) Parse(expression string) (*mux.Route, error) {
// get function // get function
parsedArgs := strings.FieldsFunc(strings.Join(parsedFunctions, ":"), fargs) parsedArgs := strings.FieldsFunc(strings.Join(parsedFunctions, ":"), fargs)
if len(parsedArgs) == 0 { if len(parsedArgs) == 0 {
return nil, errors.New("Error parsing args from rule: '" + rule + "'") return errors.New("Error parsing args from rule: '" + rule + "'")
} }
inputs := make([]reflect.Value, len(parsedArgs))
for i := range parsedArgs { for i := range parsedArgs {
inputs[i] = reflect.ValueOf(strings.TrimSpace(parsedArgs[i])) parsedArgs[i] = strings.TrimSpace(parsedArgs[i])
} }
method := reflect.ValueOf(parsedFunction)
err := onRule(functionName, parsedFunction, parsedArgs)
if err != nil {
return fmt.Errorf("Parsing error on rule:", err)
}
}
return nil
}
// Parse parses rules expressions
func (r *Rules) Parse(expression string) (*mux.Route, error) {
var resultRoute *mux.Route
err := r.parseRules(expression, func(functionName string, function interface{}, arguments []string) error {
inputs := make([]reflect.Value, len(arguments))
for i := range arguments {
inputs[i] = reflect.ValueOf(arguments[i])
}
method := reflect.ValueOf(function)
if method.IsValid() { if method.IsValid() {
resultRoute = method.Call(inputs)[0].Interface().(*mux.Route) resultRoute = method.Call(inputs)[0].Interface().(*mux.Route)
if r.err != nil { if r.err != nil {
return nil, r.err return r.err
} }
if resultRoute.GetError() != nil { if resultRoute.GetError() != nil {
return nil, resultRoute.GetError() return resultRoute.GetError()
} }
} else { } else {
return nil, errors.New("Method not found: '" + parsedFunctions[0] + "'") return errors.New("Method not found: '" + functionName + "'")
} }
return nil
})
if err != nil {
return nil, fmt.Errorf("Error parsing rule:", err)
} }
return resultRoute, nil return resultRoute, nil
} }
// ParseDomains parses rules expressions and returns domains
func (r *Rules) ParseDomains(expression string) ([]string, error) {
domains := []string{}
err := r.parseRules(expression, func(functionName string, function interface{}, arguments []string) error {
if functionName == "Host" {
domains = append(domains, arguments...)
}
return nil
})
if err != nil {
return nil, fmt.Errorf("Error parsing domains:", err)
}
return domains, nil
}

View file

@ -4,11 +4,11 @@ import (
"github.com/containous/mux" "github.com/containous/mux"
"net/http" "net/http"
"net/url" "net/url"
"reflect"
"testing" "testing"
) )
func TestParseOneRule(t *testing.T) { func TestParseOneRule(t *testing.T) {
router := mux.NewRouter() router := mux.NewRouter()
route := router.NewRoute() route := router.NewRoute()
serverRoute := &serverRoute{route: route} serverRoute := &serverRoute{route: route}
@ -31,7 +31,6 @@ func TestParseOneRule(t *testing.T) {
} }
func TestParseTwoRules(t *testing.T) { func TestParseTwoRules(t *testing.T) {
router := mux.NewRouter() router := mux.NewRouter()
route := router.NewRoute() route := router.NewRoute()
serverRoute := &serverRoute{route: route} serverRoute := &serverRoute{route: route}
@ -53,6 +52,29 @@ func TestParseTwoRules(t *testing.T) {
} }
} }
func TestParseDomains(t *testing.T) {
rules := &Rules{}
expressionsSlice := []string{
"Host:foo.bar,test.bar",
"Path:/test",
"Host:foo.bar;Path:/test",
}
domainsSlice := [][]string{
{"foo.bar", "test.bar"},
{},
{"foo.bar"},
}
for i, expression := range expressionsSlice {
domains, err := rules.ParseDomains(expression)
if err != nil {
t.Fatalf("Error while parsing domains: %v", err)
}
if !reflect.DeepEqual(domains, domainsSlice[i]) {
t.Fatalf("Error parsing domains: expected %+v, got %+v", domainsSlice[i], domains)
}
}
}
func TestPriorites(t *testing.T) { func TestPriorites(t *testing.T) {
router := mux.NewRouter() router := mux.NewRouter()
router.StrictSlash(true) router.StrictSlash(true)

View file

@ -244,6 +244,7 @@ func (server *Server) listenConfigurations(stop chan bool) {
log.Infof("Server configuration reloaded on %s", server.serverEntryPoints[newServerEntryPointName].httpServer.Addr) log.Infof("Server configuration reloaded on %s", server.serverEntryPoints[newServerEntryPointName].httpServer.Addr)
} }
server.currentConfigurations.Set(newConfigurations) server.currentConfigurations.Set(newConfigurations)
server.postLoadConfig()
} else { } else {
log.Error("Error loading new configuration, aborted ", err) log.Error("Error loading new configuration, aborted ", err)
} }
@ -251,6 +252,26 @@ func (server *Server) listenConfigurations(stop chan bool) {
} }
} }
func (server *Server) postLoadConfig() {
if server.globalConfiguration.ACME != nil && server.globalConfiguration.ACME.OnHostRule {
currentConfigurations := server.currentConfigurations.Get().(configs)
for _, configuration := range currentConfigurations {
for _, frontend := range configuration.Frontends {
for _, route := range frontend.Routes {
rules := Rules{}
domains, err := rules.ParseDomains(route.Rule)
if err != nil {
log.Errorf("Error parsing domains: %v", err)
} else {
server.globalConfiguration.ACME.LoadCertificateForDomains(domains)
}
}
}
}
}
}
func (server *Server) configureProviders() { func (server *Server) configureProviders() {
// configure providers // configure providers
if server.globalConfiguration.Docker != nil { if server.globalConfiguration.Docker != nil {

View file

@ -96,6 +96,13 @@
# #
# onDemand = true # onDemand = true
# Enable certificate generation on frontends Host rules. This will request a certificate from Let's Encrypt for each frontend with a Host rule.
# For example, a rule Host:test1.traefik.io,test2.traefik.io will request a certificate with main domain test1.traefik.io and SAN test2.traefik.io.
#
# Optional
#
# OnHostRule = true
# CA server to use # CA server to use
# Uncomment the line to run on the staging let's encrypt server # Uncomment the line to run on the staging let's encrypt server
# Leave comment to go to prod # Leave comment to go to prod