2023-03-21 06:53:39 +00:00
const _ = require ( 'lodash' ) ;
const fs = require ( 'fs' ) ;
const https = require ( 'https' ) ;
const tempWrite = require ( 'temp-write' ) ;
const moment = require ( 'moment' ) ;
const logger = require ( '../logger' ) . ssl ;
const config = require ( '../lib/config' ) ;
const error = require ( '../lib/error' ) ;
const utils = require ( '../lib/utils' ) ;
const certificateModel = require ( '../models/certificate' ) ;
2024-01-11 04:05:50 +00:00
const tokenModel = require ( '../models/token' ) ;
2023-03-21 06:53:39 +00:00
const dnsPlugins = require ( '../global/certbot-dns-plugins' ) ;
const internalAuditLog = require ( './audit-log' ) ;
const internalNginx = require ( './nginx' ) ;
const internalHost = require ( './host' ) ;
const archiver = require ( 'archiver' ) ;
const path = require ( 'path' ) ;
const { isArray } = require ( 'lodash' ) ;
const letsencryptStaging = config . useLetsencryptStaging ( ) ;
2021-06-30 23:57:26 +00:00
const letsencryptConfig = '/etc/letsencrypt.ini' ;
const certbotCommand = 'certbot' ;
2020-02-19 04:55:06 +00:00
function omissions ( ) {
return [ 'is_deleted' ] ;
}
const internalCertificate = {
2023-12-15 00:21:08 +00:00
allowedSslFiles : [ 'certificate' , 'certificate_key' , 'intermediate_certificate' ] ,
intervalTimeout : 1000 * 60 * 60 , // 1 hour
interval : null ,
intervalProcessing : false ,
2024-01-02 22:04:16 +00:00
renewBeforeExpirationBy : [ 30 , 'days' ] ,
2020-02-19 04:55:06 +00:00
initTimer : ( ) => {
logger . info ( 'Let\'s Encrypt Renewal Timer initialized' ) ;
2021-06-30 23:57:26 +00:00
internalCertificate . interval = setInterval ( internalCertificate . processExpiringHosts , internalCertificate . intervalTimeout ) ;
2020-02-19 04:55:06 +00:00
// And do this now as well
internalCertificate . processExpiringHosts ( ) ;
} ,
/ * *
* Triggered by a timer , this will check for expiring hosts and renew their ssl certs if required
* /
processExpiringHosts : ( ) => {
2021-06-30 23:57:26 +00:00
if ( ! internalCertificate . intervalProcessing ) {
internalCertificate . intervalProcessing = true ;
2024-01-11 04:05:50 +00:00
logger . info ( 'Renewing SSL certs expiring within ' + internalCertificate . renewBeforeExpirationBy [ 0 ] + ' ' + internalCertificate . renewBeforeExpirationBy [ 1 ] + ' ...' ) ;
2020-02-19 04:55:06 +00:00
2023-12-15 00:21:08 +00:00
const expirationThreshold = moment ( ) . add ( internalCertificate . renewBeforeExpirationBy [ 0 ] , internalCertificate . renewBeforeExpirationBy [ 1 ] ) . format ( 'YYYY-MM-DD HH:mm:ss' ) ;
2020-02-19 04:55:06 +00:00
2024-01-11 04:05:50 +00:00
// Fetch all the letsencrypt certs from the db that will expire within the configured threshold
2023-12-15 00:21:08 +00:00
certificateModel
. query ( )
. where ( 'is_deleted' , 0 )
. andWhere ( 'provider' , 'letsencrypt' )
. andWhere ( 'expires_on' , '<' , expirationThreshold )
. then ( ( certificates ) => {
if ( ! certificates || ! certificates . length ) {
return null ;
2020-02-19 04:55:06 +00:00
}
2024-01-02 22:04:16 +00:00
/ * *
* Renews must be run sequentially or we 'll get an error ' Another
* instance of Certbot is already running . '
* /
let sequence = Promise . resolve ( ) ;
2020-02-19 04:55:06 +00:00
2023-12-15 00:21:08 +00:00
certificates . forEach ( function ( certificate ) {
2024-01-02 22:04:16 +00:00
sequence = sequence . then ( ( ) =>
internalCertificate
. renew (
{
can : ( ) =>
Promise . resolve ( {
permission _visibility : 'all' ,
} ) ,
2024-01-11 04:05:50 +00:00
token : new tokenModel ( ) ,
2024-01-02 22:04:16 +00:00
} ,
{ id : certificate . id } ,
)
. catch ( ( err ) => {
// Don't want to stop the train here, just log the error
logger . error ( err . message ) ;
} ) ,
) ;
2023-12-15 00:21:08 +00:00
} ) ;
2020-02-19 04:55:06 +00:00
2024-01-02 22:04:16 +00:00
return sequence ;
2020-02-19 04:55:06 +00:00
} )
. then ( ( ) => {
2024-01-11 04:05:50 +00:00
logger . info ( 'Completed SSL cert renew process' ) ;
2021-06-30 23:57:26 +00:00
internalCertificate . intervalProcessing = false ;
2020-02-19 04:55:06 +00:00
} )
. catch ( ( err ) => {
logger . error ( err ) ;
2021-06-30 23:57:26 +00:00
internalCertificate . intervalProcessing = false ;
2020-02-19 04:55:06 +00:00
} ) ;
}
} ,
/ * *
* @ param { Access } access
* @ param { Object } data
* @ returns { Promise }
* /
create : ( access , data ) => {
return access . can ( 'certificates:create' , data )
. then ( ( ) => {
data . owner _user _id = access . token . getUserId ( 1 ) ;
if ( data . provider === 'letsencrypt' ) {
2021-10-12 14:18:11 +00:00
data . nice _name = data . domain _names . join ( ', ' ) ;
2020-02-19 04:55:06 +00:00
}
return certificateModel
. query ( )
2023-03-17 04:18:51 +00:00
. insertAndFetch ( data )
. then ( utils . omitRow ( omissions ( ) ) ) ;
2020-02-19 04:55:06 +00:00
} )
. then ( ( certificate ) => {
if ( certificate . provider === 'letsencrypt' ) {
// Request a new Cert from LE. Let the fun begin.
// 1. Find out any hosts that are using any of the hostnames in this cert
// 2. Disable them in nginx temporarily
// 3. Generate the LE config
// 4. Request cert
// 5. Remove LE config
// 6. Re-instate previously disabled hosts
// 1. Find out any hosts that are using any of the hostnames in this cert
return internalHost . getHostsWithDomains ( certificate . domain _names )
. then ( ( in _use _result ) => {
// 2. Disable them in nginx temporarily
return internalCertificate . disableInUseHosts ( in _use _result )
. then ( ( ) => {
return in _use _result ;
} ) ;
} )
. then ( ( in _use _result ) => {
2020-10-06 12:52:06 +00:00
// With DNS challenge no config is needed, so skip 3 and 5.
if ( certificate . meta . dns _challenge ) {
2020-08-23 13:24:20 +00:00
return internalNginx . reload ( ) . then ( ( ) => {
2020-02-19 04:55:06 +00:00
// 4. Request cert
2020-10-06 12:52:06 +00:00
return internalCertificate . requestLetsEncryptSslWithDnsChallenge ( certificate ) ;
2020-02-19 04:55:06 +00:00
} )
2020-08-23 18:56:25 +00:00
. then ( internalNginx . reload )
. then ( ( ) => {
// 6. Re-instate previously disabled hosts
return internalCertificate . enableInUseHosts ( in _use _result ) ;
} )
. then ( ( ) => {
return certificate ;
} )
. catch ( ( err ) => {
// In the event of failure, revert things and throw err back
return internalCertificate . enableInUseHosts ( in _use _result )
. then ( internalNginx . reload )
. then ( ( ) => {
throw err ;
} ) ;
} ) ;
2020-08-23 13:24:20 +00:00
} else {
// 3. Generate the LE config
return internalNginx . generateLetsEncryptRequestConfig ( certificate )
. then ( internalNginx . reload )
2021-12-30 12:21:21 +00:00
. then ( async ( ) => await new Promise ( ( r ) => setTimeout ( r , 5000 ) ) )
2020-08-23 13:24:20 +00:00
. then ( ( ) => {
// 4. Request cert
return internalCertificate . requestLetsEncryptSsl ( certificate ) ;
} )
. then ( ( ) => {
// 5. Remove LE config
return internalNginx . deleteLetsEncryptRequestConfig ( certificate ) ;
} )
. then ( internalNginx . reload )
. then ( ( ) => {
// 6. Re-instate previously disabled hosts
return internalCertificate . enableInUseHosts ( in _use _result ) ;
} )
. then ( ( ) => {
return certificate ;
} )
. catch ( ( err ) => {
// In the event of failure, revert things and throw err back
return internalNginx . deleteLetsEncryptRequestConfig ( certificate )
. then ( ( ) => {
return internalCertificate . enableInUseHosts ( in _use _result ) ;
} )
. then ( internalNginx . reload )
. then ( ( ) => {
throw err ;
} ) ;
} ) ;
}
2020-02-19 04:55:06 +00:00
} )
. then ( ( ) => {
// At this point, the letsencrypt cert should exist on disk.
// Lets get the expiry date from the file and update the row silently
return internalCertificate . getCertificateInfoFromFile ( '/etc/letsencrypt/live/npm-' + certificate . id + '/fullchain.pem' )
. then ( ( cert _info ) => {
return certificateModel
. query ( )
. patchAndFetchById ( certificate . id , {
2020-08-14 23:23:19 +00:00
expires _on : moment ( cert _info . dates . to , 'X' ) . format ( 'YYYY-MM-DD HH:mm:ss' )
2020-02-19 04:55:06 +00:00
} )
. then ( ( saved _row ) => {
// Add cert data for audit log
saved _row . meta = _ . assign ( { } , saved _row . meta , {
letsencrypt _certificate : cert _info
} ) ;
return saved _row ;
} ) ;
} ) ;
2020-11-06 11:29:38 +00:00
} ) . catch ( async ( error ) => {
// Delete the certificate from the database if it was not created successfully
await certificateModel
. query ( )
. deleteById ( certificate . id ) ;
2021-06-30 23:57:26 +00:00
2020-11-06 11:29:38 +00:00
throw error ;
2020-02-19 04:55:06 +00:00
} ) ;
} else {
return certificate ;
}
} ) . then ( ( certificate ) => {
data . meta = _ . assign ( { } , data . meta || { } , certificate . meta ) ;
// Add to audit log
return internalAuditLog . add ( access , {
action : 'created' ,
object _type : 'certificate' ,
object _id : certificate . id ,
meta : data
} )
. then ( ( ) => {
return certificate ;
} ) ;
} ) ;
} ,
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Number } data . id
* @ param { String } [ data . email ]
* @ param { String } [ data . name ]
* @ return { Promise }
* /
update : ( access , data ) => {
return access . can ( 'certificates:update' , data . id )
. then ( ( /*access_data*/ ) => {
return internalCertificate . get ( access , { id : data . id } ) ;
} )
. then ( ( row ) => {
if ( row . id !== data . id ) {
// Sanity check that something crazy hasn't happened
throw new error . InternalValidationError ( 'Certificate could not be updated, IDs do not match: ' + row . id + ' !== ' + data . id ) ;
}
return certificateModel
. query ( )
. patchAndFetchById ( row . id , data )
2023-03-17 04:18:51 +00:00
. then ( utils . omitRow ( omissions ( ) ) )
2020-02-19 04:55:06 +00:00
. then ( ( saved _row ) => {
saved _row . meta = internalCertificate . cleanMeta ( saved _row . meta ) ;
data . meta = internalCertificate . cleanMeta ( data . meta ) ;
// Add row.nice_name for custom certs
if ( saved _row . provider === 'other' ) {
data . nice _name = saved _row . nice _name ;
}
// Add to audit log
return internalAuditLog . add ( access , {
action : 'updated' ,
object _type : 'certificate' ,
object _id : row . id ,
meta : _ . omit ( data , [ 'expires_on' ] ) // this prevents json circular reference because expires_on might be raw
} )
. then ( ( ) => {
2023-03-17 04:18:51 +00:00
return saved _row ;
2020-02-19 04:55:06 +00:00
} ) ;
} ) ;
} ) ;
} ,
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Number } data . id
* @ param { Array } [ data . expand ]
* @ param { Array } [ data . omit ]
* @ return { Promise }
* /
get : ( access , data ) => {
if ( typeof data === 'undefined' ) {
data = { } ;
}
return access . can ( 'certificates:get' , data . id )
. then ( ( access _data ) => {
let query = certificateModel
. query ( )
. where ( 'is_deleted' , 0 )
. andWhere ( 'id' , data . id )
2023-03-17 04:18:51 +00:00
. allowGraph ( '[owner]' )
2020-02-19 04:55:06 +00:00
. first ( ) ;
if ( access _data . permission _visibility !== 'all' ) {
query . andWhere ( 'owner_user_id' , access . token . getUserId ( 1 ) ) ;
}
if ( typeof data . expand !== 'undefined' && data . expand !== null ) {
2023-03-17 04:18:51 +00:00
query . withGraphFetched ( '[' + data . expand . join ( ', ' ) + ']' ) ;
2020-02-19 04:55:06 +00:00
}
2023-03-17 04:18:51 +00:00
return query . then ( utils . omitRow ( omissions ( ) ) ) ;
2020-02-19 04:55:06 +00:00
} )
. then ( ( row ) => {
2023-03-17 04:18:51 +00:00
if ( ! row ) {
2020-02-19 04:55:06 +00:00
throw new error . ItemNotFoundError ( data . id ) ;
}
2023-03-17 04:18:51 +00:00
// Custom omissions
if ( typeof data . omit !== 'undefined' && data . omit !== null ) {
row = _ . omit ( row , data . omit ) ;
}
return row ;
2020-02-19 04:55:06 +00:00
} ) ;
} ,
2021-08-23 03:47:42 +00:00
/ * *
2021-08-24 00:31:08 +00:00
* @ param { Access } access
2021-08-23 03:33:24 +00:00
* @ param { Object } data
* @ param { Number } data . id
* @ returns { Promise }
* /
2021-08-24 00:31:08 +00:00
download : ( access , data ) => {
2021-08-23 03:47:42 +00:00
return new Promise ( ( resolve , reject ) => {
2021-08-24 00:31:08 +00:00
access . can ( 'certificates:get' , data )
2021-08-23 03:47:42 +00:00
. then ( ( ) => {
2021-08-24 00:31:08 +00:00
return internalCertificate . get ( access , data ) ;
} )
. then ( ( certificate ) => {
if ( certificate . provider === 'letsencrypt' ) {
2021-09-01 06:11:27 +00:00
const zipDirectory = '/etc/letsencrypt/live/npm-' + data . id ;
2021-08-24 00:31:08 +00:00
if ( ! fs . existsSync ( zipDirectory ) ) {
throw new error . ItemNotFoundError ( 'Certificate ' + certificate . nice _name + ' does not exists' ) ;
}
2021-09-01 06:11:27 +00:00
let certFiles = fs . readdirSync ( zipDirectory )
. filter ( ( fn ) => fn . endsWith ( '.pem' ) )
. map ( ( fn ) => fs . realpathSync ( path . join ( zipDirectory , fn ) ) ) ;
2021-08-24 00:31:08 +00:00
const downloadName = 'npm-' + data . id + '-' + ` ${ Date . now ( ) } .zip ` ;
const opName = '/tmp/' + downloadName ;
2021-09-01 06:11:27 +00:00
internalCertificate . zipFiles ( certFiles , opName )
2021-08-24 00:31:08 +00:00
. then ( ( ) => {
logger . debug ( 'zip completed : ' , opName ) ;
const resp = {
fileName : opName
} ;
resolve ( resp ) ;
2021-09-01 06:11:27 +00:00
} ) . catch ( ( err ) => reject ( err ) ) ;
2021-08-24 00:31:08 +00:00
} else {
2021-08-30 11:06:13 +00:00
throw new error . ValidationError ( 'Only Let\'sEncrypt certificates can be downloaded' ) ;
2021-08-24 00:31:08 +00:00
}
} ) . catch ( ( err ) => reject ( err ) ) ;
2021-08-23 03:47:42 +00:00
} ) ;
} ,
2021-08-24 00:31:08 +00:00
2021-08-23 03:47:42 +00:00
/ * *
2021-08-24 01:58:17 +00:00
* @ param { String } source
* @ param { String } out
* @ returns { Promise }
* /
2021-09-01 06:11:27 +00:00
zipFiles ( source , out ) {
2021-08-23 03:47:42 +00:00
const archive = archiver ( 'zip' , { zlib : { level : 9 } } ) ;
const stream = fs . createWriteStream ( out ) ;
2022-02-12 05:46:06 +00:00
2021-08-23 03:47:42 +00:00
return new Promise ( ( resolve , reject ) => {
2021-09-01 06:11:27 +00:00
source
. map ( ( fl ) => {
let fileName = path . basename ( fl ) ;
2021-09-01 06:20:51 +00:00
logger . debug ( fl , 'added to certificate zip' ) ;
2021-09-01 06:11:27 +00:00
archive . file ( fl , { name : fileName } ) ;
} ) ;
2021-08-23 03:47:42 +00:00
archive
. on ( 'error' , ( err ) => reject ( err ) )
. pipe ( stream ) ;
2022-02-12 05:46:06 +00:00
2021-08-23 03:47:42 +00:00
stream . on ( 'close' , ( ) => resolve ( ) ) ;
archive . finalize ( ) ;
} ) ;
} ,
2021-09-01 06:11:27 +00:00
2020-02-19 04:55:06 +00:00
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Number } data . id
* @ param { String } [ data . reason ]
* @ returns { Promise }
* /
delete : ( access , data ) => {
return access . can ( 'certificates:delete' , data . id )
. then ( ( ) => {
return internalCertificate . get ( access , { id : data . id } ) ;
} )
. then ( ( row ) => {
if ( ! row ) {
throw new error . ItemNotFoundError ( data . id ) ;
}
return certificateModel
. query ( )
. where ( 'id' , row . id )
. patch ( {
is _deleted : 1
} )
. then ( ( ) => {
// Add to audit log
row . meta = internalCertificate . cleanMeta ( row . meta ) ;
return internalAuditLog . add ( access , {
action : 'deleted' ,
object _type : 'certificate' ,
object _id : row . id ,
meta : _ . omit ( row , omissions ( ) )
} ) ;
} )
. then ( ( ) => {
if ( row . provider === 'letsencrypt' ) {
// Revoke the cert
return internalCertificate . revokeLetsEncryptSsl ( row ) ;
}
} ) ;
} )
. then ( ( ) => {
return true ;
} ) ;
} ,
/ * *
* All Certs
*
* @ param { Access } access
* @ param { Array } [ expand ]
* @ param { String } [ search _query ]
* @ returns { Promise }
* /
getAll : ( access , expand , search _query ) => {
return access . can ( 'certificates:list' )
. then ( ( access _data ) => {
let query = certificateModel
. query ( )
. where ( 'is_deleted' , 0 )
. groupBy ( 'id' )
2023-03-17 04:18:51 +00:00
. allowGraph ( '[owner]' )
2020-02-19 04:55:06 +00:00
. orderBy ( 'nice_name' , 'ASC' ) ;
if ( access _data . permission _visibility !== 'all' ) {
query . andWhere ( 'owner_user_id' , access . token . getUserId ( 1 ) ) ;
}
// Query is used for searching
if ( typeof search _query === 'string' ) {
query . where ( function ( ) {
2022-02-12 05:46:06 +00:00
this . where ( 'nice_name' , 'like' , '%' + search _query + '%' ) ;
2020-02-19 04:55:06 +00:00
} ) ;
}
if ( typeof expand !== 'undefined' && expand !== null ) {
2023-03-17 04:18:51 +00:00
query . withGraphFetched ( '[' + expand . join ( ', ' ) + ']' ) ;
2020-02-19 04:55:06 +00:00
}
2023-03-17 04:18:51 +00:00
return query . then ( utils . omitRows ( omissions ( ) ) ) ;
2020-02-19 04:55:06 +00:00
} ) ;
} ,
/ * *
* Report use
*
* @ param { Number } user _id
* @ param { String } visibility
* @ returns { Promise }
* /
getCount : ( user _id , visibility ) => {
let query = certificateModel
. query ( )
. count ( 'id as count' )
. where ( 'is_deleted' , 0 ) ;
if ( visibility !== 'all' ) {
query . andWhere ( 'owner_user_id' , user _id ) ;
}
return query . first ( )
. then ( ( row ) => {
return parseInt ( row . count , 10 ) ;
} ) ;
} ,
/ * *
* @ param { Object } certificate
* @ returns { Promise }
* /
writeCustomCert : ( certificate ) => {
2021-06-30 23:57:26 +00:00
logger . info ( 'Writing Custom Certificate:' , certificate ) ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
const dir = '/data/custom_ssl/npm-' + certificate . id ;
2020-02-19 04:55:06 +00:00
return new Promise ( ( resolve , reject ) => {
if ( certificate . provider === 'letsencrypt' ) {
reject ( new Error ( 'Refusing to write letsencrypt certs here' ) ) ;
return ;
}
2021-06-30 23:57:26 +00:00
let certData = certificate . meta . certificate ;
2020-02-19 04:55:06 +00:00
if ( typeof certificate . meta . intermediate _certificate !== 'undefined' ) {
2021-06-30 23:57:26 +00:00
certData = certData + '\n' + certificate . meta . intermediate _certificate ;
2020-02-19 04:55:06 +00:00
}
try {
if ( ! fs . existsSync ( dir ) ) {
fs . mkdirSync ( dir ) ;
}
} catch ( err ) {
reject ( err ) ;
return ;
}
2021-06-30 23:57:26 +00:00
fs . writeFile ( dir + '/fullchain.pem' , certData , function ( err ) {
2020-02-19 04:55:06 +00:00
if ( err ) {
reject ( err ) ;
} else {
resolve ( ) ;
}
} ) ;
} )
. then ( ( ) => {
return new Promise ( ( resolve , reject ) => {
fs . writeFile ( dir + '/privkey.pem' , certificate . meta . certificate _key , function ( err ) {
if ( err ) {
reject ( err ) ;
} else {
resolve ( ) ;
}
} ) ;
} ) ;
} ) ;
} ,
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Array } data . domain _names
* @ param { String } data . meta . letsencrypt _email
* @ param { Boolean } data . meta . letsencrypt _agree
* @ returns { Promise }
* /
createQuickCertificate : ( access , data ) => {
return internalCertificate . create ( access , {
provider : 'letsencrypt' ,
domain _names : data . domain _names ,
meta : data . meta
} ) ;
} ,
/ * *
* Validates that the certs provided are good .
* No access required here , nothing is changed or stored .
*
* @ param { Object } data
* @ param { Object } data . files
* @ returns { Promise }
* /
validate : ( data ) => {
return new Promise ( ( resolve ) => {
// Put file contents into an object
let files = { } ;
_ . map ( data . files , ( file , name ) => {
2021-06-30 23:57:26 +00:00
if ( internalCertificate . allowedSslFiles . indexOf ( name ) !== - 1 ) {
2020-02-19 04:55:06 +00:00
files [ name ] = file . data . toString ( ) ;
}
} ) ;
resolve ( files ) ;
} )
. then ( ( files ) => {
// For each file, create a temp file and write the contents to it
// Then test it depending on the file type
let promises = [ ] ;
_ . map ( files , ( content , type ) => {
promises . push ( new Promise ( ( resolve ) => {
if ( type === 'certificate_key' ) {
resolve ( internalCertificate . checkPrivateKey ( content ) ) ;
} else {
// this should handle `certificate` and intermediate certificate
resolve ( internalCertificate . getCertificateInfo ( content , true ) ) ;
}
} ) . then ( ( res ) => {
return { [ type ] : res } ;
} ) ) ;
} ) ;
return Promise . all ( promises )
. then ( ( files ) => {
let data = { } ;
_ . each ( files , ( file ) => {
data = _ . assign ( { } , data , file ) ;
} ) ;
return data ;
} ) ;
} ) ;
} ,
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Number } data . id
* @ param { Object } data . files
* @ returns { Promise }
* /
upload : ( access , data ) => {
return internalCertificate . get ( access , { id : data . id } )
. then ( ( row ) => {
if ( row . provider !== 'other' ) {
throw new error . ValidationError ( 'Cannot upload certificates for this type of provider' ) ;
}
return internalCertificate . validate ( data )
. then ( ( validations ) => {
if ( typeof validations . certificate === 'undefined' ) {
throw new error . ValidationError ( 'Certificate file was not provided' ) ;
}
_ . map ( data . files , ( file , name ) => {
2021-06-30 23:57:26 +00:00
if ( internalCertificate . allowedSslFiles . indexOf ( name ) !== - 1 ) {
2020-02-19 04:55:06 +00:00
row . meta [ name ] = file . data . toString ( ) ;
}
} ) ;
// TODO: This uses a mysql only raw function that won't translate to postgres
return internalCertificate . update ( access , {
id : data . id ,
2020-08-14 23:23:19 +00:00
expires _on : moment ( validations . certificate . dates . to , 'X' ) . format ( 'YYYY-MM-DD HH:mm:ss' ) ,
2020-02-19 04:55:06 +00:00
domain _names : [ validations . certificate . cn ] ,
meta : _ . clone ( row . meta ) // Prevent the update method from changing this value that we'll use later
} )
. then ( ( certificate ) => {
certificate . meta = row . meta ;
return internalCertificate . writeCustomCert ( certificate ) ;
} ) ;
} )
. then ( ( ) => {
2021-06-30 23:57:26 +00:00
return _ . pick ( row . meta , internalCertificate . allowedSslFiles ) ;
2020-02-19 04:55:06 +00:00
} ) ;
} ) ;
} ,
/ * *
* Uses the openssl command to validate the private key .
* It will save the file to disk first , then run commands on it , then delete the file .
*
* @ param { String } private _key This is the entire key contents as a string
* /
checkPrivateKey : ( private _key ) => {
return tempWrite ( private _key , '/tmp' )
. then ( ( filepath ) => {
2020-12-14 11:08:39 +00:00
return new Promise ( ( resolve , reject ) => {
const failTimeout = setTimeout ( ( ) => {
reject ( new error . ValidationError ( 'Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.' ) ) ;
} , 10000 ) ;
utils
. exec ( 'openssl pkey -in ' + filepath + ' -check -noout 2>&1 ' )
. then ( ( result ) => {
clearTimeout ( failTimeout ) ;
if ( ! result . toLowerCase ( ) . includes ( 'key is valid' ) ) {
reject ( new error . ValidationError ( 'Result Validation Error: ' + result ) ) ;
}
fs . unlinkSync ( filepath ) ;
resolve ( true ) ;
} )
. catch ( ( err ) => {
clearTimeout ( failTimeout ) ;
fs . unlinkSync ( filepath ) ;
reject ( new error . ValidationError ( 'Certificate Key is not valid (' + err . message + ')' , err ) ) ;
} ) ;
} ) ;
2020-02-19 04:55:06 +00:00
} ) ;
} ,
/ * *
* Uses the openssl command to both validate and get info out of the certificate .
* It will save the file to disk first , then run commands on it , then delete the file .
*
* @ param { String } certificate This is the entire cert contents as a string
* @ param { Boolean } [ throw _expired ] Throw when the certificate is out of date
* /
getCertificateInfo : ( certificate , throw _expired ) => {
return tempWrite ( certificate , '/tmp' )
. then ( ( filepath ) => {
return internalCertificate . getCertificateInfoFromFile ( filepath , throw _expired )
2021-06-30 23:57:26 +00:00
. then ( ( certData ) => {
2020-02-19 04:55:06 +00:00
fs . unlinkSync ( filepath ) ;
2021-06-30 23:57:26 +00:00
return certData ;
2020-02-19 04:55:06 +00:00
} ) . catch ( ( err ) => {
fs . unlinkSync ( filepath ) ;
throw err ;
} ) ;
} ) ;
} ,
/ * *
* Uses the openssl command to both validate and get info out of the certificate .
* It will save the file to disk first , then run commands on it , then delete the file .
*
* @ param { String } certificate _file The file location on disk
* @ param { Boolean } [ throw _expired ] Throw when the certificate is out of date
* /
getCertificateInfoFromFile : ( certificate _file , throw _expired ) => {
2021-06-30 23:57:26 +00:00
let certData = { } ;
2020-02-19 04:55:06 +00:00
return utils . exec ( 'openssl x509 -in ' + certificate _file + ' -subject -noout' )
. then ( ( result ) => {
// subject=CN = something.example.com
2021-06-30 23:57:26 +00:00
const regex = /(?:subject=)?[^=]+=\s+(\S+)/gim ;
const match = regex . exec ( result ) ;
2020-02-19 04:55:06 +00:00
if ( typeof match [ 1 ] === 'undefined' ) {
throw new error . ValidationError ( 'Could not determine subject from certificate: ' + result ) ;
}
2021-06-30 23:57:26 +00:00
certData [ 'cn' ] = match [ 1 ] ;
2020-02-19 04:55:06 +00:00
} )
. then ( ( ) => {
return utils . exec ( 'openssl x509 -in ' + certificate _file + ' -issuer -noout' ) ;
} )
. then ( ( result ) => {
// issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
2021-06-30 23:57:26 +00:00
const regex = /^(?:issuer=)?(.*)$/gim ;
const match = regex . exec ( result ) ;
2020-02-19 04:55:06 +00:00
if ( typeof match [ 1 ] === 'undefined' ) {
throw new error . ValidationError ( 'Could not determine issuer from certificate: ' + result ) ;
}
2021-06-30 23:57:26 +00:00
certData [ 'issuer' ] = match [ 1 ] ;
2020-02-19 04:55:06 +00:00
} )
. then ( ( ) => {
return utils . exec ( 'openssl x509 -in ' + certificate _file + ' -dates -noout' ) ;
} )
. then ( ( result ) => {
// notBefore=Jul 14 04:04:29 2018 GMT
// notAfter=Oct 12 04:04:29 2018 GMT
2021-06-30 23:57:26 +00:00
let validFrom = null ;
let validTo = null ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
const lines = result . split ( '\n' ) ;
2020-02-19 04:55:06 +00:00
lines . map ( function ( str ) {
2021-06-30 23:57:26 +00:00
const regex = /^(\S+)=(.*)$/gim ;
const match = regex . exec ( str . trim ( ) ) ;
2020-02-19 04:55:06 +00:00
if ( match && typeof match [ 2 ] !== 'undefined' ) {
2021-06-30 23:57:26 +00:00
const date = parseInt ( moment ( match [ 2 ] , 'MMM DD HH:mm:ss YYYY z' ) . format ( 'X' ) , 10 ) ;
2020-02-19 04:55:06 +00:00
if ( match [ 1 ] . toLowerCase ( ) === 'notbefore' ) {
2021-06-30 23:57:26 +00:00
validFrom = date ;
2020-02-19 04:55:06 +00:00
} else if ( match [ 1 ] . toLowerCase ( ) === 'notafter' ) {
2021-06-30 23:57:26 +00:00
validTo = date ;
2020-02-19 04:55:06 +00:00
}
}
} ) ;
2021-06-30 23:57:26 +00:00
if ( ! validFrom || ! validTo ) {
2020-02-19 04:55:06 +00:00
throw new error . ValidationError ( 'Could not determine dates from certificate: ' + result ) ;
}
2021-06-30 23:57:26 +00:00
if ( throw _expired && validTo < parseInt ( moment ( ) . format ( 'X' ) , 10 ) ) {
2020-02-19 04:55:06 +00:00
throw new error . ValidationError ( 'Certificate has expired' ) ;
}
2021-06-30 23:57:26 +00:00
certData [ 'dates' ] = {
from : validFrom ,
to : validTo
2020-02-19 04:55:06 +00:00
} ;
2021-06-30 23:57:26 +00:00
return certData ;
2020-02-19 04:55:06 +00:00
} ) . catch ( ( err ) => {
throw new error . ValidationError ( 'Certificate is not valid (' + err . message + ')' , err ) ;
} ) ;
} ,
/ * *
* Cleans the ssl keys from the meta object and sets them to "true"
*
* @ param { Object } meta
* @ param { Boolean } [ remove ]
* @ returns { Object }
* /
cleanMeta : function ( meta , remove ) {
2021-06-30 23:57:26 +00:00
internalCertificate . allowedSslFiles . map ( ( key ) => {
2020-02-19 04:55:06 +00:00
if ( typeof meta [ key ] !== 'undefined' && meta [ key ] ) {
if ( remove ) {
delete meta [ key ] ;
} else {
meta [ key ] = true ;
}
}
} ) ;
return meta ;
} ,
/ * *
2021-08-06 08:56:06 +00:00
* Request a certificate using the http challenge
2020-02-19 04:55:06 +00:00
* @ param { Object } certificate the certificate row
* @ returns { Promise }
* /
requestLetsEncryptSsl : ( certificate ) => {
logger . info ( 'Requesting Let\'sEncrypt certificates for Cert #' + certificate . id + ': ' + certificate . domain _names . join ( ', ' ) ) ;
2021-11-06 21:31:13 +00:00
const cmd = certbotCommand + ' certonly ' +
2021-06-30 23:57:26 +00:00
'--config "' + letsencryptConfig + '" ' +
2023-03-20 06:56:52 +00:00
'--work-dir "/tmp/letsencrypt-lib" ' +
'--logs-dir "/tmp/letsencrypt-log" ' +
2020-02-19 04:55:06 +00:00
'--cert-name "npm-' + certificate . id + '" ' +
'--agree-tos ' +
2021-08-06 08:56:06 +00:00
'--authenticator webroot ' +
2020-02-19 04:55:06 +00:00
'--email "' + certificate . meta . letsencrypt _email + '" ' +
'--preferred-challenges "dns,http" ' +
'--domains "' + certificate . domain _names . join ( ',' ) + '" ' +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? '--staging' : '' ) ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
logger . info ( 'Command:' , cmd ) ;
2020-02-19 04:55:06 +00:00
return utils . exec ( cmd )
. then ( ( result ) => {
logger . success ( result ) ;
return result ;
} ) ;
} ,
2020-08-23 12:50:41 +00:00
/ * *
2021-06-30 23:57:26 +00:00
* @ param { Object } certificate the certificate row
* @ param { String } dns _provider the dns provider name ( key used in ` certbot-dns-plugins.js ` )
* @ param { String | null } credentials the content of this providers credentials file
* @ param { String } propagation _seconds the cloudflare api token
2020-08-23 12:50:41 +00:00
* @ returns { Promise }
* /
2020-10-06 12:52:06 +00:00
requestLetsEncryptSslWithDnsChallenge : ( certificate ) => {
2021-06-30 23:57:26 +00:00
const dns _plugin = dnsPlugins [ certificate . meta . dns _provider ] ;
2020-10-06 12:52:06 +00:00
2020-10-08 12:23:21 +00:00
if ( ! dns _plugin ) {
throw Error ( ` Unknown DNS provider ' ${ certificate . meta . dns _provider } ' ` ) ;
2020-10-06 12:52:06 +00:00
}
logger . info ( ` Requesting Let'sEncrypt certificates via ${ dns _plugin . display _name } for Cert # ${ certificate . id } : ${ certificate . domain _names . join ( ', ' ) } ` ) ;
2020-08-23 12:50:41 +00:00
2021-06-30 23:57:26 +00:00
const credentialsLocation = '/etc/letsencrypt/credentials/credentials-' + certificate . id ;
2021-12-29 15:30:49 +00:00
// Escape single quotes and backslashes
const escapedCredentials = certificate . meta . dns _provider _credentials . replaceAll ( '\'' , '\\\'' ) . replaceAll ( '\\' , '\\\\' ) ;
const credentialsCmd = 'mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\'' ;
2022-11-18 12:06:19 +00:00
// we call `. /opt/certbot/bin/activate` (`.` is alternative to `source` in dash) to access certbot venv
2023-06-01 18:02:06 +00:00
const prepareCmd = '. /opt/certbot/bin/activate && pip install --no-cache-dir ' + dns _plugin . package _name + ( dns _plugin . version _requirement || '' ) + ' ' + dns _plugin . dependencies + ' && deactivate' ;
2020-08-23 12:50:41 +00:00
2020-10-14 07:20:52 +00:00
// Whether the plugin has a --<name>-credentials argument
2021-06-30 23:57:26 +00:00
const hasConfigArg = certificate . meta . dns _provider !== 'route53' ;
2020-10-14 07:20:52 +00:00
2021-11-06 21:31:13 +00:00
let mainCmd = certbotCommand + ' certonly ' +
'--config "' + letsencryptConfig + '" ' +
2023-03-20 06:56:52 +00:00
'--work-dir "/tmp/letsencrypt-lib" ' +
'--logs-dir "/tmp/letsencrypt-log" ' +
2020-08-23 12:50:41 +00:00
'--cert-name "npm-' + certificate . id + '" ' +
'--agree-tos ' +
2021-06-30 23:57:26 +00:00
'--email "' + certificate . meta . letsencrypt _email + '" ' +
2020-08-23 12:50:41 +00:00
'--domains "' + certificate . domain _names . join ( ',' ) + '" ' +
2020-10-06 12:52:06 +00:00
'--authenticator ' + dns _plugin . full _plugin _name + ' ' +
2020-10-14 07:20:52 +00:00
(
2021-06-30 23:57:26 +00:00
hasConfigArg
? '--' + dns _plugin . full _plugin _name + '-credentials "' + credentialsLocation + '"'
2020-10-14 07:20:52 +00:00
: ''
) +
2020-10-06 12:52:06 +00:00
(
2021-06-30 23:57:26 +00:00
certificate . meta . propagation _seconds !== undefined
? ' --' + dns _plugin . full _plugin _name + '-propagation-seconds ' + certificate . meta . propagation _seconds
2020-10-08 12:23:21 +00:00
: ''
2020-10-06 12:52:06 +00:00
) +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? ' --staging' : '' ) ;
2020-10-14 07:20:52 +00:00
2020-10-14 07:55:45 +00:00
// Prepend the path to the credentials file as an environment variable
if ( certificate . meta . dns _provider === 'route53' ) {
2021-06-30 23:57:26 +00:00
mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd ;
2020-10-14 07:55:45 +00:00
}
2020-08-23 12:50:41 +00:00
2023-08-24 11:21:01 +00:00
if ( certificate . meta . dns _provider === 'duckdns' ) {
mainCmd = mainCmd + ' --dns-duckdns-no-txt-restore' ;
}
2021-06-30 23:57:26 +00:00
logger . info ( 'Command:' , ` ${ credentialsCmd } && ${ prepareCmd } && ${ mainCmd } ` ) ;
2020-08-23 12:50:41 +00:00
2021-06-30 23:57:26 +00:00
return utils . exec ( credentialsCmd )
2020-10-06 12:52:06 +00:00
. then ( ( ) => {
2021-06-30 23:57:26 +00:00
return utils . exec ( prepareCmd )
2020-10-06 12:52:06 +00:00
. then ( ( ) => {
2021-06-30 23:57:26 +00:00
return utils . exec ( mainCmd )
2020-10-06 12:52:06 +00:00
. then ( async ( result ) => {
logger . info ( result ) ;
return result ;
} ) ;
} ) ;
2020-10-17 10:13:08 +00:00
} ) . catch ( async ( err ) => {
// Don't fail if file does not exist
2021-06-30 23:57:26 +00:00
const delete _credentialsCmd = ` rm -f ' ${ credentialsLocation } ' || true ` ;
await utils . exec ( delete _credentialsCmd ) ;
2020-10-17 10:13:08 +00:00
throw err ;
2020-10-06 12:52:06 +00:00
} ) ;
2020-08-23 12:50:41 +00:00
} ,
2020-02-19 04:55:06 +00:00
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Number } data . id
* @ returns { Promise }
* /
renew : ( access , data ) => {
return access . can ( 'certificates:update' , data )
. then ( ( ) => {
return internalCertificate . get ( access , data ) ;
} )
. then ( ( certificate ) => {
if ( certificate . provider === 'letsencrypt' ) {
2021-06-30 23:57:26 +00:00
const renewMethod = certificate . meta . dns _challenge ? internalCertificate . renewLetsEncryptSslWithDnsChallenge : internalCertificate . renewLetsEncryptSsl ;
2020-08-23 18:29:16 +00:00
return renewMethod ( certificate )
2020-02-19 04:55:06 +00:00
. then ( ( ) => {
return internalCertificate . getCertificateInfoFromFile ( '/etc/letsencrypt/live/npm-' + certificate . id + '/fullchain.pem' ) ;
} )
. then ( ( cert _info ) => {
return certificateModel
. query ( )
. patchAndFetchById ( certificate . id , {
2020-08-14 23:23:19 +00:00
expires _on : moment ( cert _info . dates . to , 'X' ) . format ( 'YYYY-MM-DD HH:mm:ss' )
2020-02-19 04:55:06 +00:00
} ) ;
} )
. then ( ( updated _certificate ) => {
// Add to audit log
return internalAuditLog . add ( access , {
action : 'renewed' ,
object _type : 'certificate' ,
object _id : updated _certificate . id ,
meta : updated _certificate
} )
. then ( ( ) => {
return updated _certificate ;
} ) ;
} ) ;
} else {
throw new error . ValidationError ( 'Only Let\'sEncrypt certificates can be renewed' ) ;
}
} ) ;
} ,
/ * *
* @ param { Object } certificate the certificate row
* @ returns { Promise }
* /
renewLetsEncryptSsl : ( certificate ) => {
logger . info ( 'Renewing Let\'sEncrypt certificates for Cert #' + certificate . id + ': ' + certificate . domain _names . join ( ', ' ) ) ;
2021-11-06 21:31:13 +00:00
const cmd = certbotCommand + ' renew --force-renewal ' +
2021-06-30 23:57:26 +00:00
'--config "' + letsencryptConfig + '" ' +
2023-03-22 03:40:36 +00:00
'--work-dir "/tmp/letsencrypt-lib" ' +
'--logs-dir "/tmp/letsencrypt-log" ' +
2020-02-19 04:55:06 +00:00
'--cert-name "npm-' + certificate . id + '" ' +
'--preferred-challenges "dns,http" ' +
2021-11-05 13:20:12 +00:00
'--no-random-sleep-on-renew ' +
2020-02-19 04:55:06 +00:00
'--disable-hook-validation ' +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? '--staging' : '' ) ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
logger . info ( 'Command:' , cmd ) ;
2020-02-19 04:55:06 +00:00
return utils . exec ( cmd )
. then ( ( result ) => {
logger . info ( result ) ;
return result ;
} ) ;
} ,
2020-08-23 18:29:16 +00:00
/ * *
* @ param { Object } certificate the certificate row
* @ returns { Promise }
* /
2020-10-06 12:52:06 +00:00
renewLetsEncryptSslWithDnsChallenge : ( certificate ) => {
2021-06-30 23:57:26 +00:00
const dns _plugin = dnsPlugins [ certificate . meta . dns _provider ] ;
2020-08-23 18:29:16 +00:00
2020-10-08 12:23:21 +00:00
if ( ! dns _plugin ) {
throw Error ( ` Unknown DNS provider ' ${ certificate . meta . dns _provider } ' ` ) ;
2020-10-06 12:52:06 +00:00
}
logger . info ( ` Renewing Let'sEncrypt certificates via ${ dns _plugin . display _name } for Cert # ${ certificate . id } : ${ certificate . domain _names . join ( ', ' ) } ` ) ;
2023-08-24 11:21:01 +00:00
let mainCmd = certbotCommand + ' renew --force-renewal ' +
2021-11-06 21:31:13 +00:00
'--config "' + letsencryptConfig + '" ' +
2023-03-22 03:40:36 +00:00
'--work-dir "/tmp/letsencrypt-lib" ' +
'--logs-dir "/tmp/letsencrypt-log" ' +
2020-08-23 18:29:16 +00:00
'--cert-name "npm-' + certificate . id + '" ' +
2021-11-05 13:20:12 +00:00
'--disable-hook-validation ' +
'--no-random-sleep-on-renew ' +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? ' --staging' : '' ) ;
2020-10-06 12:52:06 +00:00
2020-10-14 07:20:52 +00:00
// Prepend the path to the credentials file as an environment variable
if ( certificate . meta . dns _provider === 'route53' ) {
2021-06-30 23:57:26 +00:00
const credentialsLocation = '/etc/letsencrypt/credentials/credentials-' + certificate . id ;
mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd ;
2020-10-14 07:20:52 +00:00
}
2021-06-30 23:57:26 +00:00
logger . info ( 'Command:' , mainCmd ) ;
2020-08-23 18:29:16 +00:00
2021-06-30 23:57:26 +00:00
return utils . exec ( mainCmd )
2020-10-17 10:13:08 +00:00
. then ( async ( result ) => {
logger . info ( result ) ;
return result ;
2020-08-23 18:29:16 +00:00
} ) ;
} ,
2020-02-19 04:55:06 +00:00
/ * *
* @ param { Object } certificate the certificate row
* @ param { Boolean } [ throw _errors ]
* @ returns { Promise }
* /
revokeLetsEncryptSsl : ( certificate , throw _errors ) => {
logger . info ( 'Revoking Let\'sEncrypt certificates for Cert #' + certificate . id + ': ' + certificate . domain _names . join ( ', ' ) ) ;
2021-11-06 21:31:13 +00:00
const mainCmd = certbotCommand + ' revoke ' +
'--config "' + letsencryptConfig + '" ' +
2020-02-19 04:55:06 +00:00
'--cert-path "/etc/letsencrypt/live/npm-' + certificate . id + '/fullchain.pem" ' +
'--delete-after-revoke ' +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? '--staging' : '' ) ;
2020-02-19 04:55:06 +00:00
2020-10-17 10:13:08 +00:00
// Don't fail command if file does not exist
2021-06-30 23:57:26 +00:00
const delete _credentialsCmd = ` rm -f '/etc/letsencrypt/credentials/credentials- ${ certificate . id } ' || true ` ;
2020-10-17 10:13:08 +00:00
2021-06-30 23:57:26 +00:00
logger . info ( 'Command:' , mainCmd + '; ' + delete _credentialsCmd ) ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
return utils . exec ( mainCmd )
2020-10-17 10:13:08 +00:00
. then ( async ( result ) => {
2021-06-30 23:57:26 +00:00
await utils . exec ( delete _credentialsCmd ) ;
2020-02-19 04:55:06 +00:00
logger . info ( result ) ;
return result ;
} )
. catch ( ( err ) => {
2021-06-30 23:57:26 +00:00
logger . error ( err . message ) ;
2020-02-19 04:55:06 +00:00
if ( throw _errors ) {
throw err ;
}
} ) ;
} ,
/ * *
* @ param { Object } certificate
* @ returns { Boolean }
* /
hasLetsEncryptSslCerts : ( certificate ) => {
2021-06-30 23:57:26 +00:00
const letsencryptPath = '/etc/letsencrypt/live/npm-' + certificate . id ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
return fs . existsSync ( letsencryptPath + '/fullchain.pem' ) && fs . existsSync ( letsencryptPath + '/privkey.pem' ) ;
2020-02-19 04:55:06 +00:00
} ,
/ * *
* @ param { Object } in _use _result
* @ param { Number } in _use _result . total _count
* @ param { Array } in _use _result . proxy _hosts
* @ param { Array } in _use _result . redirection _hosts
* @ param { Array } in _use _result . dead _hosts
* /
disableInUseHosts : ( in _use _result ) => {
if ( in _use _result . total _count ) {
let promises = [ ] ;
if ( in _use _result . proxy _hosts . length ) {
promises . push ( internalNginx . bulkDeleteConfigs ( 'proxy_host' , in _use _result . proxy _hosts ) ) ;
}
if ( in _use _result . redirection _hosts . length ) {
promises . push ( internalNginx . bulkDeleteConfigs ( 'redirection_host' , in _use _result . redirection _hosts ) ) ;
}
if ( in _use _result . dead _hosts . length ) {
promises . push ( internalNginx . bulkDeleteConfigs ( 'dead_host' , in _use _result . dead _hosts ) ) ;
}
return Promise . all ( promises ) ;
} else {
return Promise . resolve ( ) ;
}
} ,
/ * *
* @ param { Object } in _use _result
* @ param { Number } in _use _result . total _count
* @ param { Array } in _use _result . proxy _hosts
* @ param { Array } in _use _result . redirection _hosts
* @ param { Array } in _use _result . dead _hosts
* /
enableInUseHosts : ( in _use _result ) => {
if ( in _use _result . total _count ) {
let promises = [ ] ;
if ( in _use _result . proxy _hosts . length ) {
promises . push ( internalNginx . bulkGenerateConfigs ( 'proxy_host' , in _use _result . proxy _hosts ) ) ;
}
if ( in _use _result . redirection _hosts . length ) {
promises . push ( internalNginx . bulkGenerateConfigs ( 'redirection_host' , in _use _result . redirection _hosts ) ) ;
}
if ( in _use _result . dead _hosts . length ) {
promises . push ( internalNginx . bulkGenerateConfigs ( 'dead_host' , in _use _result . dead _hosts ) ) ;
}
return Promise . all ( promises ) ;
} else {
return Promise . resolve ( ) ;
}
2021-10-30 22:19:18 +00:00
} ,
testHttpsChallenge : async ( access , domains ) => {
await access . can ( 'certificates:list' ) ;
if ( ! isArray ( domains ) ) {
throw new error . InternalValidationError ( 'Domains must be an array of strings' ) ;
}
if ( domains . length === 0 ) {
throw new error . InternalValidationError ( 'No domains provided' ) ;
}
2022-02-12 05:46:06 +00:00
2021-10-30 22:19:18 +00:00
// Create a test challenge file
2021-10-30 22:28:43 +00:00
const testChallengeDir = '/data/letsencrypt-acme-challenge/.well-known/acme-challenge' ;
2021-10-30 22:19:18 +00:00
const testChallengeFile = testChallengeDir + '/test-challenge' ;
fs . mkdirSync ( testChallengeDir , { recursive : true } ) ;
fs . writeFileSync ( testChallengeFile , 'Success' , { encoding : 'utf8' } ) ;
async function performTestForDomain ( domain ) {
logger . info ( 'Testing http challenge for ' + domain ) ;
const url = ` http:// ${ domain } /.well-known/acme-challenge/test-challenge ` ;
const formBody = ` method=G&url= ${ encodeURI ( url ) } &bodytype=T&requestbody=&headername=User-Agent&headervalue=None&locationid=1&ch=false&cc=false ` ;
const options = {
method : 'POST' ,
headers : {
2023-12-14 01:32:50 +00:00
'User-Agent' : 'Mozilla/5.0' ,
2021-10-30 22:19:18 +00:00
'Content-Type' : 'application/x-www-form-urlencoded' ,
'Content-Length' : Buffer . byteLength ( formBody )
}
} ;
const result = await new Promise ( ( resolve ) => {
const req = https . request ( 'https://www.site24x7.com/tools/restapi-tester' , options , function ( res ) {
let responseBody = '' ;
res . on ( 'data' , ( chunk ) => responseBody = responseBody + chunk ) ;
res . on ( 'end' , function ( ) {
2023-12-14 01:32:50 +00:00
try {
const parsedBody = JSON . parse ( responseBody + '' ) ;
if ( res . statusCode !== 200 ) {
logger . warn ( ` Failed to test HTTP challenge for domain ${ domain } because HTTP status code ${ res . statusCode } was returned: ${ parsedBody . message } ` ) ;
resolve ( undefined ) ;
} else {
resolve ( parsedBody ) ;
}
} catch ( err ) {
if ( res . statusCode !== 200 ) {
logger . warn ( ` Failed to test HTTP challenge for domain ${ domain } because HTTP status code ${ res . statusCode } was returned ` ) ;
} else {
logger . warn ( ` Failed to test HTTP challenge for domain ${ domain } because response failed to be parsed: ${ err . message } ` ) ;
}
2021-10-30 22:19:18 +00:00
resolve ( undefined ) ;
}
} ) ;
} ) ;
// Make sure to write the request body.
req . write ( formBody ) ;
req . end ( ) ;
req . on ( 'error' , function ( e ) { logger . warn ( ` Failed to test HTTP challenge for domain ${ domain } ` , e ) ;
resolve ( undefined ) ; } ) ;
} ) ;
if ( ! result ) {
// Some error occurred while trying to get the data
return 'failed' ;
2023-12-14 01:32:50 +00:00
} else if ( result . error ) {
logger . info ( ` HTTP challenge test failed for domain ${ domain } because error was returned: ${ result . error . msg } ` ) ;
return ` other: ${ result . error . msg } ` ;
2021-10-30 22:19:18 +00:00
} else if ( ` ${ result . responsecode } ` === '200' && result . htmlresponse === 'Success' ) {
// Server exists and has responded with the correct data
return 'ok' ;
2021-10-31 12:41:29 +00:00
} else if ( ` ${ result . responsecode } ` === '200' ) {
2021-11-04 10:16:23 +00:00
// Server exists but has responded with wrong data
logger . info ( ` HTTP challenge test failed for domain ${ domain } because of invalid returned data: ` , result . htmlresponse ) ;
2021-10-31 12:41:29 +00:00
return 'wrong-data' ;
2021-10-30 22:19:18 +00:00
} else if ( ` ${ result . responsecode } ` === '404' ) {
// Server exists but responded with a 404
2021-11-04 10:16:23 +00:00
logger . info ( ` HTTP challenge test failed for domain ${ domain } because code 404 was returned ` ) ;
2021-10-30 22:19:18 +00:00
return '404' ;
2021-10-31 12:41:29 +00:00
} else if ( ` ${ result . responsecode } ` === '0' || ( typeof result . reason === 'string' && result . reason . toLowerCase ( ) === 'host unavailable' ) ) {
2021-10-30 22:19:18 +00:00
// Server does not exist at domain
2021-11-04 10:16:23 +00:00
logger . info ( ` HTTP challenge test failed for domain ${ domain } the host was not found ` ) ;
2021-10-30 22:19:18 +00:00
return 'no-host' ;
} else {
// Other errors
2021-11-04 10:16:23 +00:00
logger . info ( ` HTTP challenge test failed for domain ${ domain } because code ${ result . responsecode } was returned ` ) ;
2021-10-30 22:19:18 +00:00
return ` other: ${ result . responsecode } ` ;
}
}
const results = { } ;
for ( const domain of domains ) {
results [ domain ] = await performTestForDomain ( domain ) ;
}
// Remove the test challenge file
fs . unlinkSync ( testChallengeFile ) ;
2022-02-12 05:46:06 +00:00
2021-10-30 22:19:18 +00:00
return results ;
2020-02-19 04:55:06 +00:00
}
} ;
module . exports = internalCertificate ;