diff --git a/src/boxerror.js b/src/boxerror.js index 0be959a15..80fcb1117 100644 --- a/src/boxerror.js +++ b/src/boxerror.js @@ -45,8 +45,10 @@ BoxError.INTERNAL_ERROR = 'Internal Error'; BoxError.LOGROTATE_ERROR = 'Logrotate Error'; BoxError.NETWORK_ERROR = 'Network Error'; BoxError.NOT_FOUND = 'Not found'; +BoxError.OPENSSL_ERROR = 'OpenSSL Error'; BoxError.REVERSEPROXY_ERROR = 'ReverseProxy Error'; BoxError.TASK_ERROR = 'Task Error'; +BoxError.TRY_AGAIN = 'Try Again'; BoxError.UNKNOWN_ERROR = 'Unknown Error'; // only used for porting BoxError.prototype.toPlainObject = function () { diff --git a/src/cert/acme2.js b/src/cert/acme2.js index 333003611..9bd73ec9c 100644 --- a/src/cert/acme2.js +++ b/src/cert/acme2.js @@ -2,6 +2,7 @@ var assert = require('assert'), async = require('async'), + BoxError = require('../boxerror.js'), crypto = require('crypto'), debug = require('debug')('box:cert/acme2'), domains = require('../domains.js'), @@ -24,31 +25,6 @@ exports = module.exports = { _getChallengeSubdomain: getChallengeSubdomain }; -function Acme2Error(reason, errorOrMessage) { - assert.strictEqual(typeof reason, 'string'); - assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined'); - - Error.call(this); - Error.captureStackTrace(this, this.constructor); - - this.name = this.constructor.name; - this.reason = reason; - if (typeof errorOrMessage === 'undefined') { - this.message = reason; - } else if (typeof errorOrMessage === 'string') { - this.message = errorOrMessage; - } else { - this.message = 'Internal error'; - this.nestedError = errorOrMessage; - } -} -util.inherits(Acme2Error, Error); -Acme2Error.INTERNAL_ERROR = 'Internal Error'; -Acme2Error.EXTERNAL_ERROR = 'External Error'; -Acme2Error.ALREADY_EXISTS = 'Already Exists'; -Acme2Error.NOT_COMPLETED = 'Not Completed'; -Acme2Error.FORBIDDEN = 'Forbidden'; - // http://jose.readthedocs.org/en/latest/ // https://www.ietf.org/proceedings/92/slides/slides-92-acme-1.pdf // https://community.letsencrypt.org/t/list-of-client-implementations/2103 @@ -158,8 +134,8 @@ Acme2.prototype.updateContact = function (registrationUri, callback) { const that = this; this.sendSignedRequest(registrationUri, JSON.stringify(payload), function (error, result) { - if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message)); - if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to update contact. Expecting 200, got %s %s', result.statusCode, result.text))); + if (error) return callback(new BoxError(BoxError.NETWORK_ERROR, 'Network error when registering user: ' + error.message)); + if (result.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('Failed to update contact. Expecting 200, got %s %s', result.statusCode, result.text))); debug(`updateContact: contact of user updated to ${that.email}`); @@ -178,9 +154,9 @@ Acme2.prototype.registerUser = function (callback) { var that = this; this.sendSignedRequest(this.directory.newAccount, JSON.stringify(payload), function (error, result) { - if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering new account: ' + error.message)); + if (error) return callback(new BoxError(BoxError.NETWORK_ERROR, 'Network error when registering new account: ' + error.message)); // 200 if already exists. 201 for new accounts - if (result.statusCode !== 200 && result.statusCode !== 201) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to register new account. Expecting 200 or 201, got %s %s', result.statusCode, result.text))); + if (result.statusCode !== 200 && result.statusCode !== 201) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('Failed to register new account. Expecting 200 or 201, got %s %s', result.statusCode, result.text))); debug(`registerUser: user registered keyid: ${result.headers.location}`); @@ -204,17 +180,17 @@ Acme2.prototype.newOrder = function (domain, callback) { debug('newOrder: %s', domain); this.sendSignedRequest(this.directory.newOrder, JSON.stringify(payload), function (error, result) { - if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering domain: ' + error.message)); - if (result.statusCode === 403) return callback(new Acme2Error(Acme2Error.FORBIDDEN, result.body.detail)); - if (result.statusCode !== 201) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text))); + if (error) return callback(new BoxError(BoxError.NETWORK_ERROR, 'Network error when registering domain: ' + error.message)); + if (result.statusCode === 403) return callback(new BoxError(BoxError.ACCESS_DENIED, `Forbidden sending signed request: ${result.body.detail}`)); + if (result.statusCode !== 201) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text))); debug('newOrder: created order %s %j', domain, result.body); const order = result.body, orderUrl = result.headers.location; - if (!Array.isArray(order.authorizations)) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid authorizations in order')); - if (typeof order.finalize !== 'string') return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid finalize in order')); - if (typeof orderUrl !== 'string') return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid order location in order header')); + if (!Array.isArray(order.authorizations)) return callback(new BoxError(BoxError.EXTERNAL_ERROR, 'invalid authorizations in order')); + if (typeof order.finalize !== 'string') return callback(new BoxError(BoxError.EXTERNAL_ERROR, 'invalid finalize in order')); + if (typeof orderUrl !== 'string') return callback(new BoxError(BoxError.EXTERNAL_ERROR, 'invalid order location in order header')); callback(null, order, orderUrl); }); @@ -232,18 +208,18 @@ Acme2.prototype.waitForOrder = function (orderUrl, callback) { superagent.get(orderUrl).timeout(30 * 1000).end(function (error, result) { if (error && !error.response) { debug('waitForOrder: network error getting uri %s', orderUrl); - return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message)); // network error + return retryCallback(new BoxError(BoxError.NETWORK_ERROR, `Network error waiting for order: ${error.message}`)); // network error } if (result.statusCode !== 200) { debug('waitForOrder: invalid response code getting uri %s', result.statusCode); - return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode)); + return retryCallback(new BoxError(BoxError.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode)); } debug('waitForOrder: status is "%s %j', result.body.status, result.body); - if (result.body.status === 'pending' || result.body.status === 'processing') return retryCallback(new Acme2Error(Acme2Error.NOT_COMPLETED)); + if (result.body.status === 'pending' || result.body.status === 'processing') return retryCallback(new BoxError(BoxError.TRY_AGAIN, `Request is in ${result.body.status} state`)); else if (result.body.status === 'valid' && result.body.certificate) return retryCallback(null, result.body.certificate); - else return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Unexpected status or invalid response: ' + result.body)); + else return retryCallback(new BoxError(BoxError.EXTERNAL_ERROR, 'Unexpected status or invalid response: ' + result.body)); }); }, callback); }; @@ -277,8 +253,8 @@ Acme2.prototype.notifyChallengeReady = function (challenge, callback) { }; this.sendSignedRequest(challenge.url, JSON.stringify(payload), function (error, result) { - if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when notifying challenge: ' + error.message)); - if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 200, got %s %s', result.statusCode, result.text))); + if (error) return callback(new BoxError(BoxError.NETWORK_ERROR, 'Network error when notifying challenge: ' + error.message)); + if (result.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 200, got %s %s', result.statusCode, result.text))); callback(); }); @@ -296,18 +272,18 @@ Acme2.prototype.waitForChallenge = function (challenge, callback) { superagent.get(challenge.url).timeout(30 * 1000).end(function (error, result) { if (error && !error.response) { debug('waitForChallenge: network error getting uri %s', challenge.url); - return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message)); // network error + return retryCallback(new BoxError(BoxError.NETWORK_ERROR, error.message)); // network error } if (result.statusCode !== 200) { debug('waitForChallenge: invalid response code getting uri %s', result.statusCode); - return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode)); + return retryCallback(new BoxError(BoxError.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode)); } debug('waitForChallenge: status is "%s %j', result.body.status, result.body); - if (result.body.status === 'pending') return retryCallback(new Acme2Error(Acme2Error.NOT_COMPLETED)); + if (result.body.status === 'pending') return retryCallback(new BoxError(BoxError.TRY_AGAIN)); else if (result.body.status === 'valid') return retryCallback(); - else return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status)); + else return retryCallback(new BoxError(BoxError.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status)); }); }, function retryFinished(error) { // async.retry will pass 'undefined' as second arg making it unusable with async.waterfall() @@ -329,9 +305,9 @@ Acme2.prototype.signCertificate = function (domain, finalizationUrl, csrDer, cal debug('signCertificate: sending sign request'); this.sendSignedRequest(finalizationUrl, JSON.stringify(payload), function (error, result) { - if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message)); + if (error) return callback(new BoxError(BoxError.NETWORK_ERROR, 'Network error when signing certificate: ' + error.message)); // 429 means we reached the cert limit for this domain - if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 200, got %s %s', result.statusCode, result.text))); + if (result.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 200, got %s %s', result.statusCode, result.text))); return callback(null); }); @@ -351,15 +327,15 @@ Acme2.prototype.createKeyAndCsr = function (hostname, callback) { debug('createKeyAndCsr: reuse the key for renewal at %s', privateKeyFile); } else { var key = safe.child_process.execSync('openssl genrsa 4096'); - if (!key) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error)); - if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error)); + if (!key) return callback(new BoxError(BoxError.OPENSSL_ERROR, safe.error)); + if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new BoxError(BoxError.FS_ERROR, safe.error)); debug('createKeyAndCsr: key file saved at %s', privateKeyFile); } var csrDer = safe.child_process.execSync(`openssl req -new -key ${privateKeyFile} -outform DER -subj /CN=${hostname}`); - if (!csrDer) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error)); - if (!safe.fs.writeFileSync(csrFile, csrDer)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error)); // bookkeeping + if (!csrDer) return callback(new BoxError(BoxError.OPENSSL_ERROR, safe.error)); + if (!safe.fs.writeFileSync(csrFile, csrDer)) return callback(new BoxError(BoxError.FS_ERROR, safe.error)); // bookkeeping debug('createKeyAndCsr: csr file (DER) saved at %s', csrFile); @@ -378,15 +354,15 @@ Acme2.prototype.downloadCertificate = function (hostname, certUrl, callback) { res.on('data', function(chunk) { data.push(chunk); }); res.on('end', function () { res.text = Buffer.concat(data); done(); }); }).timeout(30 * 1000).end(function (error, result) { - if (error && !error.response) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when downloading certificate')); - if (result.statusCode === 202) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, 'Retry not implemented yet')); - if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text))); + if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, 'Network error when downloading certificate')); + if (result.statusCode === 202) return callback(new BoxError(BoxError.TRY_AGAIN, 'Retry not implemented yet')); + if (result.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text))); const fullChainPem = result.text; const certName = hostname.replace('*.', '_.'); var certificateFile = path.join(outdir, `${certName}.cert`); - if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error)); + if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new BoxError(BoxError.FS_ERROR, safe.error)); debug('downloadCertificate: cert file for %s saved at %s', hostname, certificateFile); @@ -402,7 +378,7 @@ Acme2.prototype.prepareHttpChallenge = function (hostname, domain, authorization debug('acmeFlow: challenges: %j', authorization); let httpChallenges = authorization.challenges.filter(function(x) { return x.type === 'http-01'; }); - if (httpChallenges.length === 0) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'no http challenges')); + if (httpChallenges.length === 0) return callback(new BoxError(BoxError.EXTERNAL_ERROR, 'no http challenges')); let challenge = httpChallenges[0]; debug('prepareHttpChallenge: preparing for challenge %j', challenge); @@ -412,7 +388,7 @@ Acme2.prototype.prepareHttpChallenge = function (hostname, domain, authorization debug('prepareHttpChallenge: writing %s to %s', keyAuthorization, path.join(paths.ACME_CHALLENGES_DIR, challenge.token)); fs.writeFile(path.join(paths.ACME_CHALLENGES_DIR, challenge.token), keyAuthorization, function (error) { - if (error) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, error)); + if (error) return callback(new BoxError(BoxError.FS_ERROR, error)); callback(null, challenge); }); @@ -454,7 +430,7 @@ Acme2.prototype.prepareDnsChallenge = function (hostname, domain, authorization, debug('acmeFlow: challenges: %j', authorization); let dnsChallenges = authorization.challenges.filter(function(x) { return x.type === 'dns-01'; }); - if (dnsChallenges.length === 0) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'no dns challenges')); + if (dnsChallenges.length === 0) return callback(new BoxError(BoxError.EXTERNAL_ERROR, 'no dns challenges')); let challenge = dnsChallenges[0]; const keyAuthorization = this.getKeyAuthorization(challenge.token); @@ -467,10 +443,10 @@ Acme2.prototype.prepareDnsChallenge = function (hostname, domain, authorization, debug(`prepareDnsChallenge: update ${challengeSubdomain} with ${txtValue}`); domains.upsertDnsRecords(challengeSubdomain, domain, 'TXT', [ `"${txtValue}"` ], function (error) { - if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message)); + if (error) return callback(error); domains.waitForDnsRecord(challengeSubdomain, domain, 'TXT', txtValue, { interval: 5000, times: 200 }, function (error) { - if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message)); + if (error) return callback(error); callback(null, challenge); }); @@ -493,7 +469,7 @@ Acme2.prototype.cleanupDnsChallenge = function (hostname, domain, challenge, cal debug(`cleanupDnsChallenge: remove ${challengeSubdomain} with ${txtValue}`); domains.removeDnsRecords(challengeSubdomain, domain, 'TXT', [ `"${txtValue}"` ], function (error) { - if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error)); + if (error) return callback(error); callback(null); }); @@ -507,8 +483,8 @@ Acme2.prototype.prepareChallenge = function (hostname, domain, authorizationUrl, const that = this; superagent.get(authorizationUrl).timeout(30 * 1000).end(function (error, response) { - if (error && !error.response) return callback(error); - if (response.statusCode !== 200) return callback(new Error('Invalid response code getting authorization : ' + response.statusCode)); + if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, 'Network error when preparing challenge')); + if (response.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, 'Invalid response code getting authorization : ' + response.statusCode)); const authorization = response.body; @@ -541,7 +517,7 @@ Acme2.prototype.acmeFlow = function (hostname, domain, callback) { if (!fs.existsSync(paths.ACME_ACCOUNT_KEY_FILE)) { debug('getCertificate: generating acme account key on first run'); this.accountKeyPem = safe.child_process.execSync('openssl genrsa 4096'); - if (!this.accountKeyPem) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error)); + if (!this.accountKeyPem) return callback(new BoxError(BoxError.OPENSSL_ERROR, safe.error)); safe.fs.writeFileSync(paths.ACME_ACCOUNT_KEY_FILE, this.accountKeyPem); } else { @@ -586,8 +562,8 @@ Acme2.prototype.getDirectory = function (callback) { const that = this; superagent.get(this.caDirectory).timeout(30 * 1000).end(function (error, response) { - if (error && !error.response) return callback(error); - if (response.statusCode !== 200) return callback(new Error('Invalid response code when fetching directory : ' + response.statusCode)); + if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, 'Network error getting directory')); + if (response.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, 'Invalid response code when fetching directory : ' + response.statusCode)); if (typeof response.body.newNonce !== 'string' || typeof response.body.newOrder !== 'string' ||