2021-06-30 23:57:26 +00:00
const _ = require ( 'lodash' ) ;
const fs = require ( 'fs' ) ;
const tempWrite = require ( 'temp-write' ) ;
const moment = require ( 'moment' ) ;
const logger = require ( '../logger' ) . ssl ;
const error = require ( '../lib/error' ) ;
const utils = require ( '../lib/utils' ) ;
const certificateModel = require ( '../models/certificate' ) ;
const dnsPlugins = require ( '../global/certbot-dns-plugins' ) ;
const internalAuditLog = require ( './audit-log' ) ;
const internalNginx = require ( './nginx' ) ;
const internalHost = require ( './host' ) ;
const letsencryptStaging = process . env . NODE _ENV !== 'production' ;
const letsencryptConfig = '/etc/letsencrypt.ini' ;
const certbotCommand = 'certbot' ;
2021-08-23 03:47:42 +00:00
const archiver = require ( 'archiver' ) ;
2020-02-19 04:55:06 +00:00
function omissions ( ) {
return [ 'is_deleted' ] ;
}
const internalCertificate = {
2021-06-30 23:57:26 +00:00
allowedSslFiles : [ 'certificate' , 'certificate_key' , 'intermediate_certificate' ] ,
intervalTimeout : 1000 * 60 * 60 , // 1 hour
interval : null ,
intervalProcessing : false ,
2020-02-19 04:55:06 +00:00
initTimer : ( ) => {
logger . info ( 'Let\'s Encrypt Renewal Timer initialized' ) ;
2021-06-30 23:57:26 +00:00
internalCertificate . interval = setInterval ( internalCertificate . processExpiringHosts , internalCertificate . intervalTimeout ) ;
2020-02-19 04:55:06 +00:00
// And do this now as well
internalCertificate . processExpiringHosts ( ) ;
} ,
/ * *
* Triggered by a timer , this will check for expiring hosts and renew their ssl certs if required
* /
processExpiringHosts : ( ) => {
2021-06-30 23:57:26 +00:00
if ( ! internalCertificate . intervalProcessing ) {
internalCertificate . intervalProcessing = true ;
2020-02-19 04:55:06 +00:00
logger . info ( 'Renewing SSL certs close to expiry...' ) ;
2021-06-30 23:57:26 +00:00
const cmd = certbotCommand + ' renew --non-interactive --quiet ' +
'--config "' + letsencryptConfig + '" ' +
2020-02-19 04:55:06 +00:00
'--preferred-challenges "dns,http" ' +
'--disable-hook-validation ' +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? '--staging' : '' ) ;
2020-02-19 04:55:06 +00:00
return utils . exec ( cmd )
. then ( ( result ) => {
if ( result ) {
logger . info ( 'Renew Result: ' + result ) ;
}
return internalNginx . reload ( )
. then ( ( ) => {
logger . info ( 'Renew Complete' ) ;
return result ;
} ) ;
} )
. then ( ( ) => {
// Now go and fetch all the letsencrypt certs from the db and query the files and update expiry times
return certificateModel
. query ( )
. where ( 'is_deleted' , 0 )
. andWhere ( 'provider' , 'letsencrypt' )
. then ( ( certificates ) => {
if ( certificates && certificates . length ) {
let promises = [ ] ;
certificates . map ( function ( certificate ) {
promises . push (
internalCertificate . getCertificateInfoFromFile ( '/etc/letsencrypt/live/npm-' + certificate . id + '/fullchain.pem' )
. then ( ( cert _info ) => {
return certificateModel
. query ( )
. where ( 'id' , certificate . id )
. andWhere ( 'provider' , 'letsencrypt' )
. patch ( {
2020-08-14 23:23:19 +00:00
expires _on : moment ( cert _info . dates . to , 'X' ) . format ( 'YYYY-MM-DD HH:mm:ss' )
2020-02-19 04:55:06 +00:00
} ) ;
} )
. catch ( ( err ) => {
// Don't want to stop the train here, just log the error
logger . error ( err . message ) ;
} )
) ;
} ) ;
return Promise . all ( promises ) ;
}
} ) ;
} )
. then ( ( ) => {
2021-06-30 23:57:26 +00:00
internalCertificate . intervalProcessing = false ;
2020-02-19 04:55:06 +00:00
} )
. catch ( ( err ) => {
logger . error ( err ) ;
2021-06-30 23:57:26 +00:00
internalCertificate . intervalProcessing = false ;
2020-02-19 04:55:06 +00:00
} ) ;
}
} ,
/ * *
* @ param { Access } access
* @ param { Object } data
* @ returns { Promise }
* /
create : ( access , data ) => {
return access . can ( 'certificates:create' , data )
. then ( ( ) => {
data . owner _user _id = access . token . getUserId ( 1 ) ;
if ( data . provider === 'letsencrypt' ) {
data . nice _name = data . domain _names . sort ( ) . join ( ', ' ) ;
}
return certificateModel
. query ( )
. omit ( omissions ( ) )
. insertAndFetch ( data ) ;
} )
. then ( ( certificate ) => {
if ( certificate . provider === 'letsencrypt' ) {
// Request a new Cert from LE. Let the fun begin.
// 1. Find out any hosts that are using any of the hostnames in this cert
// 2. Disable them in nginx temporarily
// 3. Generate the LE config
// 4. Request cert
// 5. Remove LE config
// 6. Re-instate previously disabled hosts
// 1. Find out any hosts that are using any of the hostnames in this cert
return internalHost . getHostsWithDomains ( certificate . domain _names )
. then ( ( in _use _result ) => {
// 2. Disable them in nginx temporarily
return internalCertificate . disableInUseHosts ( in _use _result )
. then ( ( ) => {
return in _use _result ;
} ) ;
} )
. then ( ( in _use _result ) => {
2020-10-06 12:52:06 +00:00
// With DNS challenge no config is needed, so skip 3 and 5.
if ( certificate . meta . dns _challenge ) {
2020-08-23 13:24:20 +00:00
return internalNginx . reload ( ) . then ( ( ) => {
2020-02-19 04:55:06 +00:00
// 4. Request cert
2020-10-06 12:52:06 +00:00
return internalCertificate . requestLetsEncryptSslWithDnsChallenge ( certificate ) ;
2020-02-19 04:55:06 +00:00
} )
2020-08-23 18:56:25 +00:00
. then ( internalNginx . reload )
. then ( ( ) => {
// 6. Re-instate previously disabled hosts
return internalCertificate . enableInUseHosts ( in _use _result ) ;
} )
. then ( ( ) => {
return certificate ;
} )
. catch ( ( err ) => {
// In the event of failure, revert things and throw err back
return internalCertificate . enableInUseHosts ( in _use _result )
. then ( internalNginx . reload )
. then ( ( ) => {
throw err ;
} ) ;
} ) ;
2020-08-23 13:24:20 +00:00
} else {
// 3. Generate the LE config
return internalNginx . generateLetsEncryptRequestConfig ( certificate )
. then ( internalNginx . reload )
. then ( ( ) => {
// 4. Request cert
return internalCertificate . requestLetsEncryptSsl ( certificate ) ;
} )
. then ( ( ) => {
// 5. Remove LE config
return internalNginx . deleteLetsEncryptRequestConfig ( certificate ) ;
} )
. then ( internalNginx . reload )
. then ( ( ) => {
// 6. Re-instate previously disabled hosts
return internalCertificate . enableInUseHosts ( in _use _result ) ;
} )
. then ( ( ) => {
return certificate ;
} )
. catch ( ( err ) => {
// In the event of failure, revert things and throw err back
return internalNginx . deleteLetsEncryptRequestConfig ( certificate )
. then ( ( ) => {
return internalCertificate . enableInUseHosts ( in _use _result ) ;
} )
. then ( internalNginx . reload )
. then ( ( ) => {
throw err ;
} ) ;
} ) ;
}
2020-02-19 04:55:06 +00:00
} )
. then ( ( ) => {
// At this point, the letsencrypt cert should exist on disk.
// Lets get the expiry date from the file and update the row silently
return internalCertificate . getCertificateInfoFromFile ( '/etc/letsencrypt/live/npm-' + certificate . id + '/fullchain.pem' )
. then ( ( cert _info ) => {
return certificateModel
. query ( )
. patchAndFetchById ( certificate . id , {
2020-08-14 23:23:19 +00:00
expires _on : moment ( cert _info . dates . to , 'X' ) . format ( 'YYYY-MM-DD HH:mm:ss' )
2020-02-19 04:55:06 +00:00
} )
. then ( ( saved _row ) => {
// Add cert data for audit log
saved _row . meta = _ . assign ( { } , saved _row . meta , {
letsencrypt _certificate : cert _info
} ) ;
return saved _row ;
} ) ;
} ) ;
2020-11-06 11:29:38 +00:00
} ) . catch ( async ( error ) => {
// Delete the certificate from the database if it was not created successfully
await certificateModel
. query ( )
. deleteById ( certificate . id ) ;
2021-06-30 23:57:26 +00:00
2020-11-06 11:29:38 +00:00
throw error ;
2020-02-19 04:55:06 +00:00
} ) ;
} else {
return certificate ;
}
} ) . then ( ( certificate ) => {
data . meta = _ . assign ( { } , data . meta || { } , certificate . meta ) ;
// Add to audit log
return internalAuditLog . add ( access , {
action : 'created' ,
object _type : 'certificate' ,
object _id : certificate . id ,
meta : data
} )
. then ( ( ) => {
return certificate ;
} ) ;
} ) ;
} ,
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Number } data . id
* @ param { String } [ data . email ]
* @ param { String } [ data . name ]
* @ return { Promise }
* /
update : ( access , data ) => {
return access . can ( 'certificates:update' , data . id )
. then ( ( /*access_data*/ ) => {
return internalCertificate . get ( access , { id : data . id } ) ;
} )
. then ( ( row ) => {
if ( row . id !== data . id ) {
// Sanity check that something crazy hasn't happened
throw new error . InternalValidationError ( 'Certificate could not be updated, IDs do not match: ' + row . id + ' !== ' + data . id ) ;
}
return certificateModel
. query ( )
. omit ( omissions ( ) )
. patchAndFetchById ( row . id , data )
. then ( ( saved _row ) => {
saved _row . meta = internalCertificate . cleanMeta ( saved _row . meta ) ;
data . meta = internalCertificate . cleanMeta ( data . meta ) ;
// Add row.nice_name for custom certs
if ( saved _row . provider === 'other' ) {
data . nice _name = saved _row . nice _name ;
}
// Add to audit log
return internalAuditLog . add ( access , {
action : 'updated' ,
object _type : 'certificate' ,
object _id : row . id ,
meta : _ . omit ( data , [ 'expires_on' ] ) // this prevents json circular reference because expires_on might be raw
} )
. then ( ( ) => {
return _ . omit ( saved _row , omissions ( ) ) ;
} ) ;
} ) ;
} ) ;
} ,
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Number } data . id
* @ param { Array } [ data . expand ]
* @ param { Array } [ data . omit ]
* @ return { Promise }
* /
get : ( access , data ) => {
if ( typeof data === 'undefined' ) {
data = { } ;
}
return access . can ( 'certificates:get' , data . id )
. then ( ( access _data ) => {
let query = certificateModel
. query ( )
. where ( 'is_deleted' , 0 )
. andWhere ( 'id' , data . id )
. allowEager ( '[owner]' )
. first ( ) ;
if ( access _data . permission _visibility !== 'all' ) {
query . andWhere ( 'owner_user_id' , access . token . getUserId ( 1 ) ) ;
}
// Custom omissions
if ( typeof data . omit !== 'undefined' && data . omit !== null ) {
query . omit ( data . omit ) ;
}
if ( typeof data . expand !== 'undefined' && data . expand !== null ) {
query . eager ( '[' + data . expand . join ( ', ' ) + ']' ) ;
}
return query ;
} )
. then ( ( row ) => {
if ( row ) {
return _ . omit ( row , omissions ( ) ) ;
} else {
throw new error . ItemNotFoundError ( data . id ) ;
}
} ) ;
} ,
2021-08-23 03:47:42 +00:00
/ * *
2021-08-24 00:31:08 +00:00
* @ param { Access } access
2021-08-23 03:33:24 +00:00
* @ param { Object } data
* @ param { Number } data . id
* @ returns { Promise }
* /
2021-08-24 00:31:08 +00:00
download : ( access , data ) => {
2021-08-23 03:47:42 +00:00
return new Promise ( ( resolve , reject ) => {
2021-08-24 00:31:08 +00:00
access . can ( 'certificates:get' , data )
2021-08-23 03:47:42 +00:00
. then ( ( ) => {
2021-08-24 00:31:08 +00:00
return internalCertificate . get ( access , data ) ;
} )
. then ( ( certificate ) => {
if ( certificate . provider === 'letsencrypt' ) {
const zipDirectory = '/etc/letsencrypt/live/npm-' + data . id ;
if ( ! fs . existsSync ( zipDirectory ) ) {
throw new error . ItemNotFoundError ( 'Certificate ' + certificate . nice _name + ' does not exists' ) ;
}
const downloadName = 'npm-' + data . id + '-' + ` ${ Date . now ( ) } .zip ` ;
const opName = '/tmp/' + downloadName ;
internalCertificate . zipDirectory ( zipDirectory , opName )
. then ( ( ) => {
logger . debug ( 'zip completed : ' , opName ) ;
const resp = {
fileName : opName
} ;
resolve ( resp ) ;
} ) ;
} else {
throw new error . ValidationError ( 'Only Let\'sEncrypt certificates can be renewed' ) ;
}
} ) . catch ( ( err ) => reject ( err ) ) ;
2021-08-23 03:47:42 +00:00
} ) ;
} ,
2021-08-24 00:31:08 +00:00
2021-08-23 03:47:42 +00:00
/ * *
2021-08-24 01:58:17 +00:00
* @ param { String } source
* @ param { String } out
* @ returns { Promise }
* /
2021-08-23 03:47:42 +00:00
zipDirectory ( source , out ) {
const archive = archiver ( 'zip' , { zlib : { level : 9 } } ) ;
const stream = fs . createWriteStream ( out ) ;
2021-08-23 03:33:24 +00:00
2021-08-23 03:47:42 +00:00
return new Promise ( ( resolve , reject ) => {
archive
. directory ( source , false )
. on ( 'error' , ( err ) => reject ( err ) )
. pipe ( stream ) ;
2021-08-23 03:33:24 +00:00
2021-08-23 03:47:42 +00:00
stream . on ( 'close' , ( ) => resolve ( ) ) ;
archive . finalize ( ) ;
} ) ;
} ,
2021-08-23 03:33:24 +00:00
2020-02-19 04:55:06 +00:00
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Number } data . id
* @ param { String } [ data . reason ]
* @ returns { Promise }
* /
delete : ( access , data ) => {
return access . can ( 'certificates:delete' , data . id )
. then ( ( ) => {
return internalCertificate . get ( access , { id : data . id } ) ;
} )
. then ( ( row ) => {
if ( ! row ) {
throw new error . ItemNotFoundError ( data . id ) ;
}
return certificateModel
. query ( )
. where ( 'id' , row . id )
. patch ( {
is _deleted : 1
} )
. then ( ( ) => {
// Add to audit log
row . meta = internalCertificate . cleanMeta ( row . meta ) ;
return internalAuditLog . add ( access , {
action : 'deleted' ,
object _type : 'certificate' ,
object _id : row . id ,
meta : _ . omit ( row , omissions ( ) )
} ) ;
} )
. then ( ( ) => {
if ( row . provider === 'letsencrypt' ) {
// Revoke the cert
return internalCertificate . revokeLetsEncryptSsl ( row ) ;
}
} ) ;
} )
. then ( ( ) => {
return true ;
} ) ;
} ,
/ * *
* All Certs
*
* @ param { Access } access
* @ param { Array } [ expand ]
* @ param { String } [ search _query ]
* @ returns { Promise }
* /
getAll : ( access , expand , search _query ) => {
return access . can ( 'certificates:list' )
. then ( ( access _data ) => {
let query = certificateModel
. query ( )
. where ( 'is_deleted' , 0 )
. groupBy ( 'id' )
. omit ( [ 'is_deleted' ] )
. allowEager ( '[owner]' )
. orderBy ( 'nice_name' , 'ASC' ) ;
if ( access _data . permission _visibility !== 'all' ) {
query . andWhere ( 'owner_user_id' , access . token . getUserId ( 1 ) ) ;
}
// Query is used for searching
if ( typeof search _query === 'string' ) {
query . where ( function ( ) {
this . where ( 'name' , 'like' , '%' + search _query + '%' ) ;
} ) ;
}
if ( typeof expand !== 'undefined' && expand !== null ) {
query . eager ( '[' + expand . join ( ', ' ) + ']' ) ;
}
return query ;
} ) ;
} ,
/ * *
* Report use
*
* @ param { Number } user _id
* @ param { String } visibility
* @ returns { Promise }
* /
getCount : ( user _id , visibility ) => {
let query = certificateModel
. query ( )
. count ( 'id as count' )
. where ( 'is_deleted' , 0 ) ;
if ( visibility !== 'all' ) {
query . andWhere ( 'owner_user_id' , user _id ) ;
}
return query . first ( )
. then ( ( row ) => {
return parseInt ( row . count , 10 ) ;
} ) ;
} ,
/ * *
* @ param { Object } certificate
* @ returns { Promise }
* /
writeCustomCert : ( certificate ) => {
2021-06-30 23:57:26 +00:00
logger . info ( 'Writing Custom Certificate:' , certificate ) ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
const dir = '/data/custom_ssl/npm-' + certificate . id ;
2020-02-19 04:55:06 +00:00
return new Promise ( ( resolve , reject ) => {
if ( certificate . provider === 'letsencrypt' ) {
reject ( new Error ( 'Refusing to write letsencrypt certs here' ) ) ;
return ;
}
2021-06-30 23:57:26 +00:00
let certData = certificate . meta . certificate ;
2020-02-19 04:55:06 +00:00
if ( typeof certificate . meta . intermediate _certificate !== 'undefined' ) {
2021-06-30 23:57:26 +00:00
certData = certData + '\n' + certificate . meta . intermediate _certificate ;
2020-02-19 04:55:06 +00:00
}
try {
if ( ! fs . existsSync ( dir ) ) {
fs . mkdirSync ( dir ) ;
}
} catch ( err ) {
reject ( err ) ;
return ;
}
2021-06-30 23:57:26 +00:00
fs . writeFile ( dir + '/fullchain.pem' , certData , function ( err ) {
2020-02-19 04:55:06 +00:00
if ( err ) {
reject ( err ) ;
} else {
resolve ( ) ;
}
} ) ;
} )
. then ( ( ) => {
return new Promise ( ( resolve , reject ) => {
fs . writeFile ( dir + '/privkey.pem' , certificate . meta . certificate _key , function ( err ) {
if ( err ) {
reject ( err ) ;
} else {
resolve ( ) ;
}
} ) ;
} ) ;
} ) ;
} ,
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Array } data . domain _names
* @ param { String } data . meta . letsencrypt _email
* @ param { Boolean } data . meta . letsencrypt _agree
* @ returns { Promise }
* /
createQuickCertificate : ( access , data ) => {
return internalCertificate . create ( access , {
provider : 'letsencrypt' ,
domain _names : data . domain _names ,
meta : data . meta
} ) ;
} ,
/ * *
* Validates that the certs provided are good .
* No access required here , nothing is changed or stored .
*
* @ param { Object } data
* @ param { Object } data . files
* @ returns { Promise }
* /
validate : ( data ) => {
return new Promise ( ( resolve ) => {
// Put file contents into an object
let files = { } ;
_ . map ( data . files , ( file , name ) => {
2021-06-30 23:57:26 +00:00
if ( internalCertificate . allowedSslFiles . indexOf ( name ) !== - 1 ) {
2020-02-19 04:55:06 +00:00
files [ name ] = file . data . toString ( ) ;
}
} ) ;
resolve ( files ) ;
} )
. then ( ( files ) => {
// For each file, create a temp file and write the contents to it
// Then test it depending on the file type
let promises = [ ] ;
_ . map ( files , ( content , type ) => {
promises . push ( new Promise ( ( resolve ) => {
if ( type === 'certificate_key' ) {
resolve ( internalCertificate . checkPrivateKey ( content ) ) ;
} else {
// this should handle `certificate` and intermediate certificate
resolve ( internalCertificate . getCertificateInfo ( content , true ) ) ;
}
} ) . then ( ( res ) => {
return { [ type ] : res } ;
} ) ) ;
} ) ;
return Promise . all ( promises )
. then ( ( files ) => {
let data = { } ;
_ . each ( files , ( file ) => {
data = _ . assign ( { } , data , file ) ;
} ) ;
return data ;
} ) ;
} ) ;
} ,
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Number } data . id
* @ param { Object } data . files
* @ returns { Promise }
* /
upload : ( access , data ) => {
return internalCertificate . get ( access , { id : data . id } )
. then ( ( row ) => {
if ( row . provider !== 'other' ) {
throw new error . ValidationError ( 'Cannot upload certificates for this type of provider' ) ;
}
return internalCertificate . validate ( data )
. then ( ( validations ) => {
if ( typeof validations . certificate === 'undefined' ) {
throw new error . ValidationError ( 'Certificate file was not provided' ) ;
}
_ . map ( data . files , ( file , name ) => {
2021-06-30 23:57:26 +00:00
if ( internalCertificate . allowedSslFiles . indexOf ( name ) !== - 1 ) {
2020-02-19 04:55:06 +00:00
row . meta [ name ] = file . data . toString ( ) ;
}
} ) ;
// TODO: This uses a mysql only raw function that won't translate to postgres
return internalCertificate . update ( access , {
id : data . id ,
2020-08-14 23:23:19 +00:00
expires _on : moment ( validations . certificate . dates . to , 'X' ) . format ( 'YYYY-MM-DD HH:mm:ss' ) ,
2020-02-19 04:55:06 +00:00
domain _names : [ validations . certificate . cn ] ,
meta : _ . clone ( row . meta ) // Prevent the update method from changing this value that we'll use later
} )
. then ( ( certificate ) => {
console . log ( 'ROWMETA:' , row . meta ) ;
certificate . meta = row . meta ;
return internalCertificate . writeCustomCert ( certificate ) ;
} ) ;
} )
. then ( ( ) => {
2021-06-30 23:57:26 +00:00
return _ . pick ( row . meta , internalCertificate . allowedSslFiles ) ;
2020-02-19 04:55:06 +00:00
} ) ;
} ) ;
} ,
/ * *
* Uses the openssl command to validate the private key .
* It will save the file to disk first , then run commands on it , then delete the file .
*
* @ param { String } private _key This is the entire key contents as a string
* /
checkPrivateKey : ( private _key ) => {
return tempWrite ( private _key , '/tmp' )
. then ( ( filepath ) => {
2020-12-14 11:08:39 +00:00
return new Promise ( ( resolve , reject ) => {
const failTimeout = setTimeout ( ( ) => {
reject ( new error . ValidationError ( 'Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.' ) ) ;
} , 10000 ) ;
utils
. exec ( 'openssl pkey -in ' + filepath + ' -check -noout 2>&1 ' )
. then ( ( result ) => {
clearTimeout ( failTimeout ) ;
if ( ! result . toLowerCase ( ) . includes ( 'key is valid' ) ) {
reject ( new error . ValidationError ( 'Result Validation Error: ' + result ) ) ;
}
fs . unlinkSync ( filepath ) ;
resolve ( true ) ;
} )
. catch ( ( err ) => {
clearTimeout ( failTimeout ) ;
fs . unlinkSync ( filepath ) ;
reject ( new error . ValidationError ( 'Certificate Key is not valid (' + err . message + ')' , err ) ) ;
} ) ;
} ) ;
2020-02-19 04:55:06 +00:00
} ) ;
} ,
/ * *
* Uses the openssl command to both validate and get info out of the certificate .
* It will save the file to disk first , then run commands on it , then delete the file .
*
* @ param { String } certificate This is the entire cert contents as a string
* @ param { Boolean } [ throw _expired ] Throw when the certificate is out of date
* /
getCertificateInfo : ( certificate , throw _expired ) => {
return tempWrite ( certificate , '/tmp' )
. then ( ( filepath ) => {
return internalCertificate . getCertificateInfoFromFile ( filepath , throw _expired )
2021-06-30 23:57:26 +00:00
. then ( ( certData ) => {
2020-02-19 04:55:06 +00:00
fs . unlinkSync ( filepath ) ;
2021-06-30 23:57:26 +00:00
return certData ;
2020-02-19 04:55:06 +00:00
} ) . catch ( ( err ) => {
fs . unlinkSync ( filepath ) ;
throw err ;
} ) ;
} ) ;
} ,
/ * *
* Uses the openssl command to both validate and get info out of the certificate .
* It will save the file to disk first , then run commands on it , then delete the file .
*
* @ param { String } certificate _file The file location on disk
* @ param { Boolean } [ throw _expired ] Throw when the certificate is out of date
* /
getCertificateInfoFromFile : ( certificate _file , throw _expired ) => {
2021-06-30 23:57:26 +00:00
let certData = { } ;
2020-02-19 04:55:06 +00:00
return utils . exec ( 'openssl x509 -in ' + certificate _file + ' -subject -noout' )
. then ( ( result ) => {
// subject=CN = something.example.com
2021-06-30 23:57:26 +00:00
const regex = /(?:subject=)?[^=]+=\s+(\S+)/gim ;
const match = regex . exec ( result ) ;
2020-02-19 04:55:06 +00:00
if ( typeof match [ 1 ] === 'undefined' ) {
throw new error . ValidationError ( 'Could not determine subject from certificate: ' + result ) ;
}
2021-06-30 23:57:26 +00:00
certData [ 'cn' ] = match [ 1 ] ;
2020-02-19 04:55:06 +00:00
} )
. then ( ( ) => {
return utils . exec ( 'openssl x509 -in ' + certificate _file + ' -issuer -noout' ) ;
} )
. then ( ( result ) => {
// issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
2021-06-30 23:57:26 +00:00
const regex = /^(?:issuer=)?(.*)$/gim ;
const match = regex . exec ( result ) ;
2020-02-19 04:55:06 +00:00
if ( typeof match [ 1 ] === 'undefined' ) {
throw new error . ValidationError ( 'Could not determine issuer from certificate: ' + result ) ;
}
2021-06-30 23:57:26 +00:00
certData [ 'issuer' ] = match [ 1 ] ;
2020-02-19 04:55:06 +00:00
} )
. then ( ( ) => {
return utils . exec ( 'openssl x509 -in ' + certificate _file + ' -dates -noout' ) ;
} )
. then ( ( result ) => {
// notBefore=Jul 14 04:04:29 2018 GMT
// notAfter=Oct 12 04:04:29 2018 GMT
2021-06-30 23:57:26 +00:00
let validFrom = null ;
let validTo = null ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
const lines = result . split ( '\n' ) ;
2020-02-19 04:55:06 +00:00
lines . map ( function ( str ) {
2021-06-30 23:57:26 +00:00
const regex = /^(\S+)=(.*)$/gim ;
const match = regex . exec ( str . trim ( ) ) ;
2020-02-19 04:55:06 +00:00
if ( match && typeof match [ 2 ] !== 'undefined' ) {
2021-06-30 23:57:26 +00:00
const date = parseInt ( moment ( match [ 2 ] , 'MMM DD HH:mm:ss YYYY z' ) . format ( 'X' ) , 10 ) ;
2020-02-19 04:55:06 +00:00
if ( match [ 1 ] . toLowerCase ( ) === 'notbefore' ) {
2021-06-30 23:57:26 +00:00
validFrom = date ;
2020-02-19 04:55:06 +00:00
} else if ( match [ 1 ] . toLowerCase ( ) === 'notafter' ) {
2021-06-30 23:57:26 +00:00
validTo = date ;
2020-02-19 04:55:06 +00:00
}
}
} ) ;
2021-06-30 23:57:26 +00:00
if ( ! validFrom || ! validTo ) {
2020-02-19 04:55:06 +00:00
throw new error . ValidationError ( 'Could not determine dates from certificate: ' + result ) ;
}
2021-06-30 23:57:26 +00:00
if ( throw _expired && validTo < parseInt ( moment ( ) . format ( 'X' ) , 10 ) ) {
2020-02-19 04:55:06 +00:00
throw new error . ValidationError ( 'Certificate has expired' ) ;
}
2021-06-30 23:57:26 +00:00
certData [ 'dates' ] = {
from : validFrom ,
to : validTo
2020-02-19 04:55:06 +00:00
} ;
2021-06-30 23:57:26 +00:00
return certData ;
2020-02-19 04:55:06 +00:00
} ) . catch ( ( err ) => {
throw new error . ValidationError ( 'Certificate is not valid (' + err . message + ')' , err ) ;
} ) ;
} ,
/ * *
* Cleans the ssl keys from the meta object and sets them to "true"
*
* @ param { Object } meta
* @ param { Boolean } [ remove ]
* @ returns { Object }
* /
cleanMeta : function ( meta , remove ) {
2021-06-30 23:57:26 +00:00
internalCertificate . allowedSslFiles . map ( ( key ) => {
2020-02-19 04:55:06 +00:00
if ( typeof meta [ key ] !== 'undefined' && meta [ key ] ) {
if ( remove ) {
delete meta [ key ] ;
} else {
meta [ key ] = true ;
}
}
} ) ;
return meta ;
} ,
/ * *
2021-08-06 08:56:06 +00:00
* Request a certificate using the http challenge
2020-02-19 04:55:06 +00:00
* @ param { Object } certificate the certificate row
* @ returns { Promise }
* /
requestLetsEncryptSsl : ( certificate ) => {
logger . info ( 'Requesting Let\'sEncrypt certificates for Cert #' + certificate . id + ': ' + certificate . domain _names . join ( ', ' ) ) ;
2021-06-30 23:57:26 +00:00
const cmd = certbotCommand + ' certonly --non-interactive ' +
'--config "' + letsencryptConfig + '" ' +
2020-02-19 04:55:06 +00:00
'--cert-name "npm-' + certificate . id + '" ' +
'--agree-tos ' +
2021-08-06 08:56:06 +00:00
'--authenticator webroot ' +
2020-02-19 04:55:06 +00:00
'--email "' + certificate . meta . letsencrypt _email + '" ' +
'--preferred-challenges "dns,http" ' +
'--domains "' + certificate . domain _names . join ( ',' ) + '" ' +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? '--staging' : '' ) ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
logger . info ( 'Command:' , cmd ) ;
2020-02-19 04:55:06 +00:00
return utils . exec ( cmd )
. then ( ( result ) => {
logger . success ( result ) ;
return result ;
} ) ;
} ,
2020-08-23 12:50:41 +00:00
/ * *
2021-06-30 23:57:26 +00:00
* @ param { Object } certificate the certificate row
* @ param { String } dns _provider the dns provider name ( key used in ` certbot-dns-plugins.js ` )
* @ param { String | null } credentials the content of this providers credentials file
* @ param { String } propagation _seconds the cloudflare api token
2020-08-23 12:50:41 +00:00
* @ returns { Promise }
* /
2020-10-06 12:52:06 +00:00
requestLetsEncryptSslWithDnsChallenge : ( certificate ) => {
2021-06-30 23:57:26 +00:00
const dns _plugin = dnsPlugins [ certificate . meta . dns _provider ] ;
2020-10-06 12:52:06 +00:00
2020-10-08 12:23:21 +00:00
if ( ! dns _plugin ) {
throw Error ( ` Unknown DNS provider ' ${ certificate . meta . dns _provider } ' ` ) ;
2020-10-06 12:52:06 +00:00
}
logger . info ( ` Requesting Let'sEncrypt certificates via ${ dns _plugin . display _name } for Cert # ${ certificate . id } : ${ certificate . domain _names . join ( ', ' ) } ` ) ;
2020-08-23 12:50:41 +00:00
2021-06-30 23:57:26 +00:00
const credentialsLocation = '/etc/letsencrypt/credentials/credentials-' + certificate . id ;
const credentialsCmd = 'mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + certificate . meta . dns _provider _credentials . replace ( '\'' , '\\\'' ) + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\'' ;
const prepareCmd = 'pip install ' + dns _plugin . package _name + '==' + dns _plugin . package _version + ' ' + dns _plugin . dependencies ;
2020-08-23 12:50:41 +00:00
2020-10-14 07:20:52 +00:00
// Whether the plugin has a --<name>-credentials argument
2021-06-30 23:57:26 +00:00
const hasConfigArg = certificate . meta . dns _provider !== 'route53' ;
2020-10-14 07:20:52 +00:00
2021-06-30 23:57:26 +00:00
let mainCmd = certbotCommand + ' certonly --non-interactive ' +
2020-08-23 12:50:41 +00:00
'--cert-name "npm-' + certificate . id + '" ' +
'--agree-tos ' +
2021-06-30 23:57:26 +00:00
'--email "' + certificate . meta . letsencrypt _email + '" ' +
2020-08-23 12:50:41 +00:00
'--domains "' + certificate . domain _names . join ( ',' ) + '" ' +
2020-10-06 12:52:06 +00:00
'--authenticator ' + dns _plugin . full _plugin _name + ' ' +
2020-10-14 07:20:52 +00:00
(
2021-06-30 23:57:26 +00:00
hasConfigArg
? '--' + dns _plugin . full _plugin _name + '-credentials "' + credentialsLocation + '"'
2020-10-14 07:20:52 +00:00
: ''
) +
2020-10-06 12:52:06 +00:00
(
2021-06-30 23:57:26 +00:00
certificate . meta . propagation _seconds !== undefined
? ' --' + dns _plugin . full _plugin _name + '-propagation-seconds ' + certificate . meta . propagation _seconds
2020-10-08 12:23:21 +00:00
: ''
2020-10-06 12:52:06 +00:00
) +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? ' --staging' : '' ) ;
2020-10-14 07:20:52 +00:00
2020-10-14 07:55:45 +00:00
// Prepend the path to the credentials file as an environment variable
if ( certificate . meta . dns _provider === 'route53' ) {
2021-06-30 23:57:26 +00:00
mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd ;
2020-10-14 07:55:45 +00:00
}
2020-08-23 12:50:41 +00:00
2021-06-30 23:57:26 +00:00
logger . info ( 'Command:' , ` ${ credentialsCmd } && ${ prepareCmd } && ${ mainCmd } ` ) ;
2020-08-23 12:50:41 +00:00
2021-06-30 23:57:26 +00:00
return utils . exec ( credentialsCmd )
2020-10-06 12:52:06 +00:00
. then ( ( ) => {
2021-06-30 23:57:26 +00:00
return utils . exec ( prepareCmd )
2020-10-06 12:52:06 +00:00
. then ( ( ) => {
2021-06-30 23:57:26 +00:00
return utils . exec ( mainCmd )
2020-10-06 12:52:06 +00:00
. then ( async ( result ) => {
logger . info ( result ) ;
return result ;
} ) ;
} ) ;
2020-10-17 10:13:08 +00:00
} ) . catch ( async ( err ) => {
// Don't fail if file does not exist
2021-06-30 23:57:26 +00:00
const delete _credentialsCmd = ` rm -f ' ${ credentialsLocation } ' || true ` ;
await utils . exec ( delete _credentialsCmd ) ;
2020-10-17 10:13:08 +00:00
throw err ;
2020-10-06 12:52:06 +00:00
} ) ;
2020-08-23 12:50:41 +00:00
} ,
2020-02-19 04:55:06 +00:00
/ * *
* @ param { Access } access
* @ param { Object } data
* @ param { Number } data . id
* @ returns { Promise }
* /
renew : ( access , data ) => {
return access . can ( 'certificates:update' , data )
. then ( ( ) => {
return internalCertificate . get ( access , data ) ;
} )
. then ( ( certificate ) => {
if ( certificate . provider === 'letsencrypt' ) {
2021-06-30 23:57:26 +00:00
const renewMethod = certificate . meta . dns _challenge ? internalCertificate . renewLetsEncryptSslWithDnsChallenge : internalCertificate . renewLetsEncryptSsl ;
2020-08-23 18:29:16 +00:00
return renewMethod ( certificate )
2020-02-19 04:55:06 +00:00
. then ( ( ) => {
return internalCertificate . getCertificateInfoFromFile ( '/etc/letsencrypt/live/npm-' + certificate . id + '/fullchain.pem' ) ;
} )
. then ( ( cert _info ) => {
return certificateModel
. query ( )
. patchAndFetchById ( certificate . id , {
2020-08-14 23:23:19 +00:00
expires _on : moment ( cert _info . dates . to , 'X' ) . format ( 'YYYY-MM-DD HH:mm:ss' )
2020-02-19 04:55:06 +00:00
} ) ;
} )
. then ( ( updated _certificate ) => {
// Add to audit log
return internalAuditLog . add ( access , {
action : 'renewed' ,
object _type : 'certificate' ,
object _id : updated _certificate . id ,
meta : updated _certificate
} )
. then ( ( ) => {
return updated _certificate ;
} ) ;
} ) ;
} else {
throw new error . ValidationError ( 'Only Let\'sEncrypt certificates can be renewed' ) ;
}
} ) ;
} ,
/ * *
* @ param { Object } certificate the certificate row
* @ returns { Promise }
* /
renewLetsEncryptSsl : ( certificate ) => {
logger . info ( 'Renewing Let\'sEncrypt certificates for Cert #' + certificate . id + ': ' + certificate . domain _names . join ( ', ' ) ) ;
2021-06-30 23:57:26 +00:00
const cmd = certbotCommand + ' renew --force-renewal --non-interactive ' +
'--config "' + letsencryptConfig + '" ' +
2020-02-19 04:55:06 +00:00
'--cert-name "npm-' + certificate . id + '" ' +
'--preferred-challenges "dns,http" ' +
'--disable-hook-validation ' +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? '--staging' : '' ) ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
logger . info ( 'Command:' , cmd ) ;
2020-02-19 04:55:06 +00:00
return utils . exec ( cmd )
. then ( ( result ) => {
logger . info ( result ) ;
return result ;
} ) ;
} ,
2020-08-23 18:29:16 +00:00
/ * *
* @ param { Object } certificate the certificate row
* @ returns { Promise }
* /
2020-10-06 12:52:06 +00:00
renewLetsEncryptSslWithDnsChallenge : ( certificate ) => {
2021-06-30 23:57:26 +00:00
const dns _plugin = dnsPlugins [ certificate . meta . dns _provider ] ;
2020-08-23 18:29:16 +00:00
2020-10-08 12:23:21 +00:00
if ( ! dns _plugin ) {
throw Error ( ` Unknown DNS provider ' ${ certificate . meta . dns _provider } ' ` ) ;
2020-10-06 12:52:06 +00:00
}
logger . info ( ` Renewing Let'sEncrypt certificates via ${ dns _plugin . display _name } for Cert # ${ certificate . id } : ${ certificate . domain _names . join ( ', ' ) } ` ) ;
2021-06-30 23:57:26 +00:00
let mainCmd = certbotCommand + ' renew --non-interactive ' +
2020-08-23 18:29:16 +00:00
'--cert-name "npm-' + certificate . id + '" ' +
2020-10-06 12:52:06 +00:00
'--disable-hook-validation' +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? ' --staging' : '' ) ;
2020-10-06 12:52:06 +00:00
2020-10-14 07:20:52 +00:00
// Prepend the path to the credentials file as an environment variable
if ( certificate . meta . dns _provider === 'route53' ) {
2021-06-30 23:57:26 +00:00
const credentialsLocation = '/etc/letsencrypt/credentials/credentials-' + certificate . id ;
mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd ;
2020-10-14 07:20:52 +00:00
}
2021-06-30 23:57:26 +00:00
logger . info ( 'Command:' , mainCmd ) ;
2020-08-23 18:29:16 +00:00
2021-06-30 23:57:26 +00:00
return utils . exec ( mainCmd )
2020-10-17 10:13:08 +00:00
. then ( async ( result ) => {
logger . info ( result ) ;
return result ;
2020-08-23 18:29:16 +00:00
} ) ;
} ,
2020-02-19 04:55:06 +00:00
/ * *
* @ param { Object } certificate the certificate row
* @ param { Boolean } [ throw _errors ]
* @ returns { Promise }
* /
revokeLetsEncryptSsl : ( certificate , throw _errors ) => {
logger . info ( 'Revoking Let\'sEncrypt certificates for Cert #' + certificate . id + ': ' + certificate . domain _names . join ( ', ' ) ) ;
2021-06-30 23:57:26 +00:00
const mainCmd = certbotCommand + ' revoke --non-interactive ' +
2020-02-19 04:55:06 +00:00
'--cert-path "/etc/letsencrypt/live/npm-' + certificate . id + '/fullchain.pem" ' +
'--delete-after-revoke ' +
2021-06-30 23:57:26 +00:00
( letsencryptStaging ? '--staging' : '' ) ;
2020-02-19 04:55:06 +00:00
2020-10-17 10:13:08 +00:00
// Don't fail command if file does not exist
2021-06-30 23:57:26 +00:00
const delete _credentialsCmd = ` rm -f '/etc/letsencrypt/credentials/credentials- ${ certificate . id } ' || true ` ;
2020-10-17 10:13:08 +00:00
2021-06-30 23:57:26 +00:00
logger . info ( 'Command:' , mainCmd + '; ' + delete _credentialsCmd ) ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
return utils . exec ( mainCmd )
2020-10-17 10:13:08 +00:00
. then ( async ( result ) => {
2021-06-30 23:57:26 +00:00
await utils . exec ( delete _credentialsCmd ) ;
2020-02-19 04:55:06 +00:00
logger . info ( result ) ;
return result ;
} )
. catch ( ( err ) => {
2021-06-30 23:57:26 +00:00
logger . error ( err . message ) ;
2020-02-19 04:55:06 +00:00
if ( throw _errors ) {
throw err ;
}
} ) ;
} ,
/ * *
* @ param { Object } certificate
* @ returns { Boolean }
* /
hasLetsEncryptSslCerts : ( certificate ) => {
2021-06-30 23:57:26 +00:00
const letsencryptPath = '/etc/letsencrypt/live/npm-' + certificate . id ;
2020-02-19 04:55:06 +00:00
2021-06-30 23:57:26 +00:00
return fs . existsSync ( letsencryptPath + '/fullchain.pem' ) && fs . existsSync ( letsencryptPath + '/privkey.pem' ) ;
2020-02-19 04:55:06 +00:00
} ,
/ * *
* @ param { Object } in _use _result
* @ param { Number } in _use _result . total _count
* @ param { Array } in _use _result . proxy _hosts
* @ param { Array } in _use _result . redirection _hosts
* @ param { Array } in _use _result . dead _hosts
* /
disableInUseHosts : ( in _use _result ) => {
if ( in _use _result . total _count ) {
let promises = [ ] ;
if ( in _use _result . proxy _hosts . length ) {
promises . push ( internalNginx . bulkDeleteConfigs ( 'proxy_host' , in _use _result . proxy _hosts ) ) ;
}
if ( in _use _result . redirection _hosts . length ) {
promises . push ( internalNginx . bulkDeleteConfigs ( 'redirection_host' , in _use _result . redirection _hosts ) ) ;
}
if ( in _use _result . dead _hosts . length ) {
promises . push ( internalNginx . bulkDeleteConfigs ( 'dead_host' , in _use _result . dead _hosts ) ) ;
}
return Promise . all ( promises ) ;
} else {
return Promise . resolve ( ) ;
}
} ,
/ * *
* @ param { Object } in _use _result
* @ param { Number } in _use _result . total _count
* @ param { Array } in _use _result . proxy _hosts
* @ param { Array } in _use _result . redirection _hosts
* @ param { Array } in _use _result . dead _hosts
* /
enableInUseHosts : ( in _use _result ) => {
if ( in _use _result . total _count ) {
let promises = [ ] ;
if ( in _use _result . proxy _hosts . length ) {
promises . push ( internalNginx . bulkGenerateConfigs ( 'proxy_host' , in _use _result . proxy _hosts ) ) ;
}
if ( in _use _result . redirection _hosts . length ) {
promises . push ( internalNginx . bulkGenerateConfigs ( 'redirection_host' , in _use _result . redirection _hosts ) ) ;
}
if ( in _use _result . dead _hosts . length ) {
promises . push ( internalNginx . bulkGenerateConfigs ( 'dead_host' , in _use _result . dead _hosts ) ) ;
}
return Promise . all ( promises ) ;
} else {
return Promise . resolve ( ) ;
}
}
} ;
module . exports = internalCertificate ;