jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
c138c4bb5f52aecf72e25ec0e8c3e844f9e201ea
cloudron-box/src/reverseproxy.js

499 lines
21 KiB
JavaScript
Raw Normal View History

add certificate manager stub
2015-12-10 13:31:47 -08:00
'use strict';
Avoid circular dependencies with apps and certificates
2016-05-06 18:44:37 +02:00
exports = module.exports = {
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
ReverseProxyError: ReverseProxyError,
Move nginx config and cert generation to box code
2017-01-05 14:38:36 -08:00
Avoid circular dependencies with apps and certificates
2016-05-06 18:44:37 +02:00
setFallbackCertificate: setFallbackCertificate,
allow to set domain specific fallback certs
2017-11-12 00:53:28 +01:00
getFallbackCertificate: getFallbackCertificate,
make code a bit readable
2017-01-17 09:57:15 -08:00
Avoid circular dependencies with apps and certificates
2016-05-06 18:44:37 +02:00
validateCertificate: validateCertificate,
make code a bit readable
2017-01-17 09:57:15 -08:00
Rename getAdminCerticate to getCertificate
2018-01-30 10:13:28 -08:00
getCertificate: getCertificate,
fix acme prod setting detection
2016-06-22 13:48:07 -05:00
make code a bit readable
2017-01-17 09:57:15 -08:00
renewAll: renewAll,
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
configureDefaultServer: configureDefaultServer,
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
configureAdmin: configureAdmin,
configureApp: configureApp,
unconfigureApp: unconfigureApp,
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
reload: reload,
removeAppConfigs: removeAppConfigs,
fix acme prod setting detection
2016-06-22 13:48:07 -05:00
// exported for testing
pass domain arg to getCertificate API
2018-09-10 20:41:38 -07:00
_getCertApi: getCertApi
Avoid circular dependencies with apps and certificates
2016-05-06 18:44:37 +02:00
};
acme2 implementation
2018-09-10 15:19:10 -07:00
var acme2 = require('./cert/acme2.js'),
use fallback certs if renewal fails
2016-03-17 12:20:02 -07:00
apps = require('./apps.js'),
add certificate manager stub
2015-12-10 13:31:47 -08:00
assert = require('assert'),
add getApi
2015-12-14 12:28:00 -08:00
async = require('async'),
add a backend for caas
2015-12-13 19:06:19 -08:00
caas = require('./cert/caas.js'),
add certificate manager stub
2015-12-10 13:31:47 -08:00
config = require('./config.js'),
refactor certificate settings
2015-12-11 13:52:21 -08:00
constants = require('./constants.js'),
Generate fallback cert to contain naked domain in SAN
2018-02-09 13:44:29 -08:00
crypto = require('crypto'),
remove src/ prefix in debug tags
2017-04-23 21:53:59 -07:00
debug = require('debug')('box:certificates'),
Use tlsConfig from the domain, not from settings
2018-01-31 18:27:18 +01:00
domains = require('./domains.js'),
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
ejs = require('ejs'),
add certificate renew event
2016-04-30 22:27:33 -07:00
eventlog = require('./eventlog.js'),
Add fallback certificate backend
2016-12-05 17:01:23 +01:00
fallback = require('./cert/fallback.js'),
refactor certificate settings
2015-12-11 13:52:21 -08:00
fs = require('fs'),
send a message for cert renewal status
2016-03-19 20:40:03 -07:00
mailer = require('./mailer.js'),
Generate fallback cert to contain naked domain in SAN
2018-02-09 13:44:29 -08:00
os = require('os'),
refactor certificate settings
2015-12-11 13:52:21 -08:00
path = require('path'),
add certificate manager stub
2015-12-10 13:31:47 -08:00
paths = require('./paths.js'),
remove overcomplicated certificate events
2018-01-26 22:35:08 -08:00
platform = require('./platform.js'),
Ensure we purge all nginx configs of an app
2018-06-29 23:01:22 +02:00
rimraf = require('rimraf'),
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
safe = require('safetydance'),
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
shell = require('./shell.js'),
Rename user.js to users.js
2018-04-29 10:58:45 -07:00
users = require('./users.js'),
Get rid of x509 module This is the last of the "native" modules. These modules take forever to rebuild in low memory machines
2017-02-24 19:21:53 -08:00
util = require('util');
add certificate manager stub
2015-12-10 13:31:47 -08:00
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }),
RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh'),
NOOP_CALLBACK = function (error) { if (error) debug(error); };
function ReverseProxyError(reason, errorOrMessage) {
Add CertificatesError
2015-12-11 13:43:33 -08:00
assert.strictEqual(typeof reason, 'string');
assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
Error.call(this);
Error.captureStackTrace(this, this.constructor);
this.name = this.constructor.name;
this.reason = reason;
if (typeof errorOrMessage === 'undefined') {
this.message = reason;
} else if (typeof errorOrMessage === 'string') {
this.message = errorOrMessage;
} else {
this.message = 'Internal error';
this.nestedError = errorOrMessage;
}
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
util.inherits(ReverseProxyError, Error);
ReverseProxyError.INTERNAL_ERROR = 'Internal Error';
ReverseProxyError.INVALID_CERT = 'Invalid certificate';
ReverseProxyError.NOT_FOUND = 'Not Found';
Add CertificatesError
2015-12-11 13:43:33 -08:00
rename func
2018-09-10 20:35:48 -07:00
function getCertApi(domain, callback) {
Make getApi takes a string domain
2018-08-24 14:40:12 -07:00
assert.strictEqual(typeof domain, 'string');
use the acme backend when using altDomain
2016-04-19 08:21:23 -07:00
assert.strictEqual(typeof callback, 'function');
Make getApi takes a string domain
2018-08-24 14:40:12 -07:00
domains.get(domain, function (error, result) {
add getApi
2015-12-14 12:28:00 -08:00
if (error) return callback(error);
Make getApi takes a string domain
2018-08-24 14:40:12 -07:00
if (result.tlsConfig.provider === 'fallback') return callback(null, fallback, {});
Add fallback certificate backend
2016-12-05 17:01:23 +01:00
acme2 implementation
2018-09-10 15:19:10 -07:00
var api = result.tlsConfig.provider === 'caas' ? caas : acme2;
add getApi
2015-12-14 12:28:00 -08:00
set prod option based on provider
2015-12-17 13:17:46 -08:00
var options = { };
acme2: dns authorization
2018-09-10 20:50:36 -07:00
if (result.tlsConfig.provider !== 'caas') { // matches 'le-prod' or 'letsencrypt-prod'
options.prod = result.tlsConfig.provider.match(/.*-prod/) !== null;
options.performHttpAuthorization = result.provider.match(/noop|manual|wildcard/) !== null;
acme2: implement wildcard certs
2018-09-11 22:46:17 -07:00
options.wildcard = !!result.tlsConfig.wildcard;
fix acme prod setting detection
2016-06-22 13:48:07 -05:00
}
acme: update account with owner email fixes #544
2016-01-13 14:21:23 -08:00
allow email to be configured
2016-01-13 12:15:27 -08:00
// registering user with an email requires A or MX record (https://github.com/letsencrypt/boulder/issues/1197)
// we cannot use admin@fqdn because the user might not have set it up.
acme: update account with owner email fixes #544
2016-01-13 14:21:23 -08:00
// we simply update the account with the latest email we have each time when getting letsencrypt certs
// https://github.com/ietf-wg-acme/acme/issues/30
Rename user.js to users.js
2018-04-29 10:58:45 -07:00
users.getOwner(function (error, owner) {
Replace alternateEmail with fallbackEmail
2018-01-21 14:50:24 +01:00
options.email = error ? 'support@cloudron.io' : (owner.fallbackEmail || owner.email); // can error if not activated yet
set prod option based on provider
2015-12-17 13:17:46 -08:00
acme: update account with owner email fixes #544
2016-01-13 14:21:23 -08:00
callback(null, api, options);
});
add getApi
2015-12-14 12:28:00 -08:00
});
}
do not renew apps without any cert autoRenew was mistakenly reconfiguring app without a cert (this is the common case for apps in non-custom domain)
2016-03-23 08:49:08 -07:00
function isExpiringSync(certFilePath, hours) {
assert.strictEqual(typeof certFilePath, 'string');
Refactor code to take hours
2016-03-18 22:59:51 -07:00
assert.strictEqual(typeof hours, 'number');
refactor expiry check
2016-03-19 12:50:31 -07:00
do not renew apps without any cert autoRenew was mistakenly reconfiguring app without a cert (this is the common case for apps in non-custom domain)
2016-03-23 08:49:08 -07:00
if (!fs.existsSync(certFilePath)) return 2; // not found
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
fix linter errors
2016-03-19 13:22:38 -07:00
var result = safe.child_process.spawnSync('/usr/bin/openssl', [ 'x509', '-checkend', String(60 * 60 * hours), '-in', certFilePath ]);
Refactor code to take hours
2016-03-18 22:59:51 -07:00
trim the output string
2016-03-21 08:25:10 -07:00
debug('isExpiringSync: %s %s %s', certFilePath, result.stdout.toString('utf8').trim(), result.status);
cert: check expiry correctly
2016-03-14 22:50:06 -07:00
return result.status === 1; // 1 - expired 0 - not expired
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
}
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
// note: https://tools.ietf.org/html/rfc4346#section-7.4.2 (certificate_list) requires that the
// servers certificate appears first (and not the intermediate cert)
change order of validateCertificate args
2018-01-26 20:34:15 -08:00
function validateCertificate(domain, cert, key) {
fqdn -> domain
2018-01-24 14:28:35 -08:00
assert.strictEqual(typeof domain, 'string');
certificates: cert/key cannot be null
2018-01-26 19:31:06 -08:00
assert.strictEqual(typeof cert, 'string');
assert.strictEqual(typeof key, 'string');
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
certificates: cert/key cannot be null
2018-01-26 19:31:06 -08:00
// check for empty cert and key strings
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!cert && key) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'missing cert');
if (cert && !key) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'missing key');
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
Remove SAN check -checkhost already checks the SAN. It is implementation dependent as to whether the CN is checked for.
2018-02-09 14:05:01 -08:00
// -checkhost checks for SAN or CN exclusively. SAN takes precedence and if present, ignores the CN.
Add cert tests
2018-02-09 10:21:06 -08:00
var result = safe.child_process.execSync(`openssl x509 -noout -checkhost "${domain}"`, { encoding: 'utf8', input: cert });
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!result) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'Unable to get certificate subject.');
Bring back code for alt domain match There are no actual tests for this yet. Should be added.
2017-05-11 21:55:25 +02:00
Remove SAN check -checkhost already checks the SAN. It is implementation dependent as to whether the CN is checked for.
2018-02-09 14:05:01 -08:00
if (result.indexOf('does match certificate') === -1) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, `Certificate is not valid for this domain. Expecting ${domain}`);
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
// http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
var certModulus = safe.child_process.execSync('openssl x509 -noout -modulus', { encoding: 'utf8', input: cert });
var keyModulus = safe.child_process.execSync('openssl rsa -noout -modulus', { encoding: 'utf8', input: key });
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (certModulus !== keyModulus) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'Key does not match the certificate.');
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
lint
2017-11-27 10:39:42 -08:00
// check expiration
Get rid of x509 module This is the last of the "native" modules. These modules take forever to rebuild in low memory machines
2017-02-24 19:21:53 -08:00
result = safe.child_process.execSync('openssl x509 -checkend 0', { encoding: 'utf8', input: cert });
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!result) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'Certificate has expired.');
Get rid of x509 module This is the last of the "native" modules. These modules take forever to rebuild in low memory machines
2017-02-24 19:21:53 -08:00
move validateCertificate to certificateManager
2015-12-10 20:31:38 -08:00
return null;
}
refactor certificate settings
2015-12-11 13:52:21 -08:00
Move the BOX_ENV check for more test coverage
2018-01-30 16:14:05 -08:00
function reload(callback) {
if (process.env.BOX_ENV === 'test') return callback();
shell.sudo('reload', [ RELOAD_NGINX_CMD ], callback);
}
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
function setFallbackCertificate(domain, fallback, callback) {
fqdn -> domain
2018-01-24 14:28:35 -08:00
assert.strictEqual(typeof domain, 'string');
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
assert.strictEqual(typeof fallback, 'object');
refactor certificate settings
2015-12-11 13:52:21 -08:00
assert.strictEqual(typeof callback, 'function');
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
const certFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`);
const keyFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.key`);
do not regenerate fallback certificate
2018-01-26 22:27:32 -08:00
if (fallback) {
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
// backup the cert
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`), fallback.cert)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.key`), fallback.key)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
do not regenerate fallback certificate
2018-01-26 22:27:32 -08:00
} else if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) { // generate it
Generate fallback cert to contain naked domain in SAN
2018-02-09 13:44:29 -08:00
let opensslConf = safe.fs.readFileSync('/etc/ssl/openssl.cnf', 'utf8');
Remove SAN check -checkhost already checks the SAN. It is implementation dependent as to whether the CN is checked for.
2018-02-09 14:05:01 -08:00
// SAN must contain all the domains since CN check is based on implementation if SAN is found. -checkhost also checks only SAN if present!
let opensslConfWithSan = `${opensslConf}\n[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${domain}\n`;
Generate fallback cert to contain naked domain in SAN
2018-02-09 13:44:29 -08:00
let configFile = path.join(os.tmpdir(), 'openssl-' + crypto.randomBytes(4).readUInt32LE(0) + '.conf');
safe.fs.writeFileSync(configFile, opensslConfWithSan, 'utf8');
let certCommand = util.format(`openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 3650 -subj /CN=*.${domain} -extensions SAN -config ${configFile} -nodes`);
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (!safe.child_process.execSync(certCommand)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
Generate fallback cert to contain naked domain in SAN
2018-02-09 13:44:29 -08:00
safe.fs.unlinkSync(configFile);
generate fallback cert for domains if not provided
2018-01-26 20:30:37 -08:00
}
refactor certificate settings
2015-12-11 13:52:21 -08:00
remove overcomplicated certificate events
2018-01-26 22:35:08 -08:00
platform.handleCertChanged('*.' + domain);
listen for cert changed events and restart mail container neither haraka nor dovecot restarts on cert change Fixes #47
2017-01-17 10:53:26 -08:00
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
reload(function (error) {
if (error) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, error));
refactor certificate settings
2015-12-11 13:52:21 -08:00
return callback(null);
});
}
fqdn -> domain
2018-01-24 14:28:35 -08:00
function getFallbackCertificate(domain, callback) {
assert.strictEqual(typeof domain, 'string');
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
assert.strictEqual(typeof callback, 'function');
Fix use of fallback certs We used to always use nginx cert dir. When custom fallback certs were set, we used to copy it in boxdata cert dir and then nginx cert dir. The issue is then that we have to copy all certs to nginx cert dir on cloudron restore. To fix this, we simply give priority to nginx cert dir and not copy around certs anymore. caas cert will reside in nginx cert dir and not get backed up, as expected.
2018-01-31 18:20:29 -08:00
// check for any pre-provisioned (caas) certs. they get first priority
var certFilePath = path.join(paths.NGINX_CERT_DIR, `${domain}.host.cert`);
var keyFilePath = path.join(paths.NGINX_CERT_DIR, `${domain}.host.key`);
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
// check for auto-generated or user set fallback certs
certFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`);
keyFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.key`);
callback(null, { certFilePath, keyFilePath });
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
}
Rename getAdminCerticate to getCertificate
2018-01-30 10:13:28 -08:00
function getCertificate(app, callback) {
assert.strictEqual(typeof app, 'object');
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
assert.strictEqual(typeof callback, 'function');
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
var certFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.user.cert`);
var keyFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.user.key`);
check user cert and then the le cert part of #47
2017-01-17 09:58:55 -08:00
Fix use of fallback certs We used to always use nginx cert dir. When custom fallback certs were set, we used to copy it in boxdata cert dir and then nginx cert dir. The issue is then that we have to copy all certs to nginx cert dir on cloudron restore. To fix this, we simply give priority to nginx cert dir and not copy around certs anymore. caas cert will reside in nginx cert dir and not get backed up, as expected.
2018-01-31 18:20:29 -08:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
check user cert and then the le cert part of #47
2017-01-17 09:58:55 -08:00
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
certFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.cert`);
keyFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.key`);
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
Fix use of fallback certs We used to always use nginx cert dir. When custom fallback certs were set, we used to copy it in boxdata cert dir and then nginx cert dir. The issue is then that we have to copy all certs to nginx cert dir on cloudron restore. To fix this, we simply give priority to nginx cert dir and not copy around certs anymore. caas cert will reside in nginx cert dir and not get backed up, as expected.
2018-01-31 18:20:29 -08:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
Add getters for fallback and admin cert
2016-05-04 17:37:21 -07:00
acme2: implement wildcard certs
2018-09-11 22:46:17 -07:00
let certName = domains.makeWildcard(app.fqdn).replace('*.', '_.');
certFilePath = path.join(paths.APP_CERTS_DIR, `${certName}.cert`);
keyFilePath = path.join(paths.APP_CERTS_DIR, `${certName}.key`);
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
Fix use of fallback certs We used to always use nginx cert dir. When custom fallback certs were set, we used to copy it in boxdata cert dir and then nginx cert dir. The issue is then that we have to copy all certs to nginx cert dir on cloudron restore. To fix this, we simply give priority to nginx cert dir and not copy around certs anymore. caas cert will reside in nginx cert dir and not get backed up, as expected.
2018-01-31 18:20:29 -08:00
return getFallbackCertificate(app.domain, callback);
generate cert files for mail container this allows us to not track paths anymore part of #47
2017-01-17 10:21:42 -08:00
}
ensureCertificate: make it take appDomain object
2018-08-24 14:42:05 -07:00
function ensureCertificate(appDomain, auditSource, callback) {
assert.strictEqual(typeof appDomain, 'object');
assert.strictEqual(typeof appDomain.fqdn, 'string');
assert.strictEqual(typeof appDomain.domain, 'string');
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
assert.strictEqual(typeof auditSource, 'object');
Add certificates.ensureCertificate which gets cert via acme
2015-12-11 14:15:23 -08:00
assert.strictEqual(typeof callback, 'function');
ensureCertificate: make it take appDomain object
2018-08-24 14:42:05 -07:00
const vhost = appDomain.fqdn;
Fix intrinsicFqdn removal breakage
2018-02-08 15:23:38 +01:00
var certFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.user.cert`);
var keyFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.user.key`);
Save user certs separately from automatic certs Fixing the admin cert is a bit more complex since it is used in setup script as well. Can do that in a later task. Fixes #44
2016-09-12 01:21:51 -07:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) {
Fix intrinsicFqdn removal breakage
2018-02-08 15:23:38 +01:00
debug('ensureCertificate: %s. user certificate already exists at %s', vhost, keyFilePath);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
return callback(null, { certFilePath, keyFilePath, reason: 'user' });
Save user certs separately from automatic certs Fixing the admin cert is a bit more complex since it is used in setup script as well. Can do that in a later task. Fixes #44
2016-09-12 01:21:51 -07:00
}
Fix intrinsicFqdn removal breakage
2018-02-08 15:23:38 +01:00
certFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.cert`);
keyFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.key`);
do not renew apps without any cert autoRenew was mistakenly reconfiguring app without a cert (this is the common case for apps in non-custom domain)
2016-03-23 08:49:08 -07:00
Save user certs separately from automatic certs Fixing the admin cert is a bit more complex since it is used in setup script as well. Can do that in a later task. Fixes #44
2016-09-12 01:21:51 -07:00
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) {
Fix intrinsicFqdn removal breakage
2018-02-08 15:23:38 +01:00
debug('ensureCertificate: %s. certificate already exists at %s', vhost, keyFilePath);
fix linter errors
2016-03-19 13:22:38 -07:00
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
if (!isExpiringSync(certFilePath, 24 * 30)) return callback(null, { certFilePath, keyFilePath, reason: 'existing-le' });
Fix intrinsicFqdn removal breakage
2018-02-08 15:23:38 +01:00
debug('ensureCertificate: %s cert require renewal', vhost);
acme2: implement wildcard certs
2018-09-11 22:46:17 -07:00
} else { // FIXME: check wildcard cert
Fix intrinsicFqdn removal breakage
2018-02-08 15:23:38 +01:00
debug('ensureCertificate: %s cert does not exist', vhost);
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
}
rename func
2018-09-10 20:35:48 -07:00
getCertApi(appDomain.domain, function (error, api, apiOptions) {
ensureCertificate: check if cert needs renewal
2015-12-14 12:38:19 -08:00
if (error) return callback(error);
use tlsConfig to determine acme or not
2015-12-11 22:25:22 -08:00
caas: make the cert provider use domain fallback certs
2018-01-30 14:18:25 -08:00
debug('ensureCertificate: getting certificate for %s with options %j', vhost, apiOptions);
Add certificates.ensureCertificate which gets cert via acme
2015-12-11 14:15:23 -08:00
pass domain arg to getCertificate API
2018-09-10 20:41:38 -07:00
api.getCertificate(vhost, appDomain.domain, apiOptions, function (error, certFilePath, keyFilePath) {
Fix crash when cert renewal fails
2018-02-02 21:21:51 -08:00
var errorMessage = error ? error.message : '';
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
if (error) {
debug('ensureCertificate: could not get certificate. using fallback certs', error);
mailer.certificateRenewalError(vhost, errorMessage);
}
eventlog.add(eventlog.ACTION_CERTIFICATE_RENEWAL, auditSource, { domain: vhost, errorMessage: errorMessage });
allow to set domain specific fallback certs
2017-11-12 00:53:28 +01:00
caas: make the cert provider use domain fallback certs
2018-01-30 14:18:25 -08:00
// if no cert was returned use fallback. the fallback/caas provider will not provide any for example
ensureCertificate: make it take appDomain object
2018-08-24 14:42:05 -07:00
if (!certFilePath || !keyFilePath) return getFallbackCertificate(appDomain.domain, callback);
simply use fallback certs if LE fails currently, it fails if we cannot get a cert. This means that we need to provide some option to simply use fallback cert. This requires UI changes that I want to avoid :-)
2015-12-14 17:09:40 -08:00
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
callback(null, { certFilePath, keyFilePath, reason: 'new-le' });
simply use fallback certs if LE fails currently, it fails if we cannot get a cert. This means that we need to provide some option to simply use fallback cert. This requires UI changes that I want to avoid :-)
2015-12-14 17:09:40 -08:00
});
Add certificates.ensureCertificate which gets cert via acme
2015-12-11 14:15:23 -08:00
});
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
Better name for internal functions
2018-08-24 15:38:44 -07:00
function writeAdminConfig(bundle, configFileName, vhost, callback) {
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
assert.strictEqual(typeof bundle, 'object');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
assert.strictEqual(typeof configFileName, 'string');
assert.strictEqual(typeof vhost, 'string');
assert.strictEqual(typeof callback, 'function');
var data = {
sourceDir: path.resolve(__dirname, '..'),
adminOrigin: config.adminOrigin(),
vhost: vhost, // if vhost is empty it will become the default_server
hasIPv6: config.hasIPv6(),
endpoint: 'admin',
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
certFilePath: bundle.certFilePath,
keyFilePath: bundle.keyFilePath,
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
xFrameOptions: 'SAMEORIGIN',
robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n')
};
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, configFileName);
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) return callback(safe.error);
reload(callback);
}
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
function configureAdmin(auditSource, callback) {
typos
2018-01-30 19:59:09 -08:00
assert.strictEqual(typeof auditSource, 'object');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
assert.strictEqual(typeof callback, 'function');
ensureCertificate: make it take appDomain object
2018-08-24 14:42:05 -07:00
var adminAppDomain = { domain: config.adminDomain(), fqdn: config.adminFqdn() };
ensureCertificate(adminAppDomain, auditSource, function (error, bundle) {
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
if (error) return callback(error);
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
Better name for internal functions
2018-08-24 15:38:44 -07:00
writeAdminConfig(bundle, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn(), callback);
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
});
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
Better name for internal functions
2018-08-24 15:38:44 -07:00
function writeAppConfig(app, bundle, callback) {
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
assert.strictEqual(typeof app, 'object');
assert.strictEqual(typeof bundle, 'object');
assert.strictEqual(typeof callback, 'function');
var sourceDir = path.resolve(__dirname, '..');
var endpoint = 'app';
var data = {
sourceDir: sourceDir,
adminOrigin: config.adminOrigin(),
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
vhost: app.fqdn,
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
hasIPv6: config.hasIPv6(),
port: app.httpPort,
endpoint: endpoint,
certFilePath: bundle.certFilePath,
keyFilePath: bundle.keyFilePath,
robotsTxtQuoted: app.robotsTxt ? JSON.stringify(app.robotsTxt) : null,
xFrameOptions: app.xFrameOptions || 'SAMEORIGIN' // once all apps have been updated/
};
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
debug('writing config for "%s" to %s with options %j', app.fqdn, nginxConfigFilename, data);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
Remove intrinsicFqdn
2018-02-08 15:07:49 +01:00
debug('Error creating nginx config for "%s" : %s', app.fqdn, safe.error.message);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
return callback(safe.error);
}
reload(callback);
}
Better name for internal functions
2018-08-24 15:38:44 -07:00
function writeAppRedirectConfig(app, fqdn, bundle, callback) {
Create nginx configs for app redirects
2018-06-29 16:14:13 +02:00
assert.strictEqual(typeof app, 'object');
assert.strictEqual(typeof fqdn, 'string');
assert.strictEqual(typeof bundle, 'object');
assert.strictEqual(typeof callback, 'function');
var data = {
sourceDir: path.resolve(__dirname, '..'),
vhost: fqdn,
redirectTo: app.fqdn,
hasIPv6: config.hasIPv6(),
endpoint: 'redirect',
certFilePath: bundle.certFilePath,
keyFilePath: bundle.keyFilePath,
robotsTxtQuoted: null,
xFrameOptions: 'SAMEORIGIN'
};
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
Cleanup alternateDomain dns records and nginx config
2018-06-29 19:04:48 +02:00
// if we change the filename, also change it in unconfigureApp()
Put redirect label into alternateDomain nginx configs
2018-06-29 17:20:02 +02:00
var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}-redirect-${fqdn}.conf`);
Create nginx configs for app redirects
2018-06-29 16:14:13 +02:00
debug('writing config for "%s" redirecting to "%s" to %s with options %j', app.fqdn, fqdn, nginxConfigFilename, data);
if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
debug('Error creating nginx redirect config for "%s" : %s', app.fqdn, safe.error.message);
return callback(safe.error);
}
reload(callback);
}
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
function configureApp(app, auditSource, callback) {
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
assert.strictEqual(typeof app, 'object');
Add auditSource to ensureCertificate
2018-01-30 15:16:34 -08:00
assert.strictEqual(typeof auditSource, 'object');
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
assert.strictEqual(typeof callback, 'function');
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
Ensure certificates for alternateDomains
2018-06-29 16:02:33 +02:00
ensureCertificate({ fqdn: app.fqdn, domain: app.domain }, auditSource, function (error, bundle) {
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
if (error) return callback(error);
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
Better name for internal functions
2018-08-24 15:38:44 -07:00
writeAppConfig(app, bundle, function (error) {
Ensure certificates for alternateDomains
2018-06-29 16:02:33 +02:00
if (error) return callback(error);
// now setup alternateDomain redirects if any
async.eachSeries(app.alternateDomains, function (domain, callback) {
Fix fqdn building for alternateDomains
2018-06-29 17:08:18 +02:00
var fqdn = (domain.subdomain ? (domain.subdomain + '.') : '') + domain.domain;
ensureCertificate({ fqdn: fqdn, domain: domain.domain }, auditSource, function (error, bundle) {
Ensure certificates for alternateDomains
2018-06-29 16:02:33 +02:00
if (error) return callback(error);
Create nginx configs for app redirects
2018-06-29 16:14:13 +02:00
Better name for internal functions
2018-08-24 15:38:44 -07:00
writeAppRedirectConfig(app, fqdn, bundle, callback);
Ensure certificates for alternateDomains
2018-06-29 16:02:33 +02:00
});
}, callback);
});
Merge ensureCertificate and configuring nginx
2018-01-30 13:54:13 -08:00
});
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
}
function unconfigureApp(app, callback) {
assert.strictEqual(typeof app, 'object');
assert.strictEqual(typeof callback, 'function');
Ensure we purge all nginx configs of an app
2018-06-29 23:01:22 +02:00
// we use globbing to find all nginx configs for an app
rimraf(path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}*.conf`), function (error) {
if (error) debug('Error removing nginx configurations of "%s":', app.fqdn, error);
Cleanup alternateDomain dns records and nginx config
2018-06-29 19:04:48 +02:00
Ensure we purge all nginx configs of an app
2018-06-29 23:01:22 +02:00
reload(callback);
Cleanup alternateDomain dns records and nginx config
2018-06-29 19:04:48 +02:00
});
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
}
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
function renewAll(auditSource, callback) {
assert.strictEqual(typeof auditSource, 'object');
assert.strictEqual(typeof callback, 'function');
debug('renewAll: Checking certificates for renewal');
apps.getAll(function (error, allApps) {
if (error) return callback(error);
Also renew alternate domain certificates Part of #583
2018-08-25 11:04:49 +02:00
var allDomains = [];
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
Also renew alternate domain certificates Part of #583
2018-08-25 11:04:49 +02:00
// add webadmin domain
allDomains.push({ domain: config.adminDomain(), fqdn: config.adminFqdn(), type: 'webadmin' });
// add app main
allApps.forEach(function (app) {
allDomains.push({ domain: app.domain, fqdn: app.fqdn, type: 'main', app: app });
// and alternate domains
app.alternateDomains.forEach(function (domain) {
// TODO support hyphenated domains here as well
var fqdn = (domain.subdomain ? (domain.subdomain + '.') : '') + domain.domain;
allDomains.push({ domain: domain.domain, fqdn: fqdn, type: 'alternate', app: app });
});
});
async.eachSeries(allDomains, function (domain, iteratorCallback) {
ensureCertificate(domain, auditSource, function (error, bundle) {
Fix crash when renewAll is called when cloudron is not setup yet
2018-06-05 21:27:32 -07:00
if (error) return iteratorCallback(error); // this can happen if cloudron is not setup yet
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
if (bundle.reason !== 'new-le' && bundle.reason !== 'fallback') return iteratorCallback();
// reconfigure for the case where we got a renewed cert after fallback
Also renew alternate domain certificates Part of #583
2018-08-25 11:04:49 +02:00
var configureFunc;
if (domain.type === 'webadmin') configureFunc = writeAdminConfig.bind(null, bundle, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn());
else if (domain.type === 'main') configureFunc = writeAppConfig.bind(null, domain.app, bundle);
else if (domain.type === 'alternate') configureFunc = writeAppRedirectConfig.bind(null, domain.app, domain.fqdn, bundle);
else return callback(new Error(`Unknown domain type for ${domain.fqdn}. This should never happen`));
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
configureFunc(function (ignoredError) {
Also renew alternate domain certificates Part of #583
2018-08-25 11:04:49 +02:00
if (ignoredError) debug('renewAll: error reconfiguring app', ignoredError);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
Also renew alternate domain certificates Part of #583
2018-08-25 11:04:49 +02:00
platform.handleCertChanged(domain.fqdn);
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
Also renew alternate domain certificates Part of #583
2018-08-25 11:04:49 +02:00
iteratorCallback(); // move to next domain
rewrite renewAll to use existing functions
2018-01-30 16:16:10 -08:00
});
});
});
});
}
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
function removeAppConfigs() {
for (var appConfigFile of fs.readdirSync(paths.NGINX_APPCONFIG_DIR)) {
fs.unlinkSync(path.join(paths.NGINX_APPCONFIG_DIR, appConfigFile));
}
}
function configureDefaultServer(callback) {
callback = callback || NOOP_CALLBACK;
var certFilePath = path.join(paths.NGINX_CERT_DIR, 'default.cert');
var keyFilePath = path.join(paths.NGINX_CERT_DIR, 'default.key');
if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) {
debug('configureDefaultServer: create new cert');
var cn = 'cloudron-' + (new Date()).toISOString(); // randomize date a bit to keep firefox happy
var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=%s -nodes', keyFilePath, certFilePath, cn);
safe.child_process.execSync(certCommand);
}
Better name for internal functions
2018-08-24 15:38:44 -07:00
writeAdminConfig({ certFilePath, keyFilePath }, 'default.conf', '', function (error) {
merge certificates.js and nginx.js to reverseproxy.js when certs change, we have to call into nginx anyway. since they go hand in hand, just merge those files. modern reverse proxies do this job integrated already.
2018-01-30 12:23:27 -08:00
if (error) return callback(error);
debug('configureDefaultServer: done');
callback(null);
});
}
Reference in New Issue Copy Permalink