jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
10,126 Commits 33 Branches 583 Tags
dea31109e2926f8d68682822cae9d02629ef7234
Commit Graph

45 Commits

Author SHA1 Message Date
Girish Ramakrishnan
84af9580a6 migrate certs into the blobs database 
use platformdata/nginx/cert to store the certs
 2021-05-07 21:26:49 -07:00
Girish Ramakrishnan
d8422ea976 fix safe() error handling 2021-05-07 15:56:43 -07:00
Girish Ramakrishnan
cc684b4ea0 acme: async'ify 2021-05-06 22:52:49 -07:00
Girish Ramakrishnan
c17743d869 migrate secrets into the database 
the infra version is bumped because the nginx's dhparams path has changed
and the sftp server key path has changed.
 2021-05-03 22:11:18 -07:00
Girish Ramakrishnan
3c09416e44 Use Buffer.isBuffer instead 2021-04-29 15:37:32 -07:00
Girish Ramakrishnan
df0532714e Fix various debugs 2021-04-29 15:25:19 -07:00
Girish Ramakrishnan
7a7223a261 OCSP: do not set must-staple in certificate request 
On first visit in firefox, must-staple certs (unlike chrome which ignores must-staple) always fail.
Investigating, it turns out, nginx does not fetch OCSP responses on reload or restart - https://trac.nginx.org/nginx/ticket/812 .
So, one has to prime the OCSP cache using curl requests. Alternately, one can use `openssl ocsp -noverify -no_nonce` and
then set `ssl_stapling_file`. Both approaches won't work if the OCSP servers are down and then we have to have some retry logic.
Also, the cache is per nginx worker, so I have no clue how many times one has to call curl. The `ssl_stapling_file` approach
requires some refresh logic as well. All very messy.

For the moment, do not set must-staple in the cert. Instead, check if the cert has a CSP URL and then enable
stapling in nginx accordingly.
 2021-04-16 13:33:32 -07:00
Girish Ramakrishnan
4d919127a7 implement OCSP stapling 
can verify stapling using openssl s_client -connect hostname:443 -status

status_request is RFC6066. there is also status_request_v2 (RFC6961) but this is
not implemented even in openssl libs yet
 2021-04-16 12:13:54 -07:00
Girish Ramakrishnan
7df89e66c8 request has no retry method 
i thought it was using superagent
 2021-03-20 11:19:45 -07:00
Girish Ramakrishnan
4954b94d4a acme2: add a retry to getDirectory, since users are reporting a 429 2021-03-19 09:59:09 -07:00
Girish Ramakrishnan
67bdf47ef6 rename hostname to vhost to make the code less magical 2021-01-19 14:09:31 -08:00
Girish Ramakrishnan
3ccd527c8b acme2: fix logs 2020-12-19 16:24:56 -08:00
Girish Ramakrishnan
922c1ea317 acme2: fix error messages 2020-12-04 11:42:18 -08:00
Girish Ramakrishnan
e51705c41d acme: request ECC certs 2020-04-17 10:22:01 -07:00
Girish Ramakrishnan
9ea12e71f0 linode: dns backend 
the dns is very slow - https://github.com/certbot/certbot/pull/6320
takes a good 15 minutes at minimum to propagate

https://certbot-dns-linode.readthedocs.io/en/stable/
https://www.linode.com/community/questions/17296/linode-dns-propagation-time
 2020-03-13 11:44:43 -07:00
Girish Ramakrishnan
9ac194bbea fix missing quote in debug message 2020-02-23 11:15:30 -08:00
Girish Ramakrishnan
9a77fb6306 acme2: implement post-as-get 
https://tools.ietf.org/html/rfc8555#section-6.3
https://community.letsencrypt.org/t/post-as-get-and-empty-payload-instead-of/86720/3
https://community.letsencrypt.org/t/problem-with-renew-certificates-the-request-message-was-malformed-method-not-allowed/107889/17
 2019-12-08 19:17:52 -08:00
Girish Ramakrishnan
30eccfb54b Use BoxError instead of Error in all places 
This moves everything other than the addon code and some 'done' logic
 2019-12-04 11:02:54 -08:00
Girish Ramakrishnan
9cd025972c Try acme flow 3 times 2019-10-03 14:47:18 -07:00
Girish Ramakrishnan
21111eccc4 retry downloadCertificate 2019-10-03 14:37:12 -07:00
Girish Ramakrishnan
917079f341 Add error message to network error 2019-10-03 14:33:49 -07:00
Girish Ramakrishnan
7e75ef7685 cert: add more debugs 2019-10-03 10:36:57 -07:00
Girish Ramakrishnan
d9723b72e4 Replace Acme2Error with BoxError 2019-09-25 14:13:10 -07:00
Girish Ramakrishnan
81b721be2b Fix buffer warnings 2019-03-21 20:06:14 -07:00
Girish Ramakrishnan
ff359c477f acme: Wait for 5mins 
often, let's encrypt is failing to get the new DNS. not sure why
 2019-01-21 10:45:43 -08:00
Girish Ramakrishnan
4142d7a050 Fix error handling of all the execSync usage 2018-11-23 13:11:15 -08:00
Girish Ramakrishnan
c09aa2a498 Make LE work with hyphenated domains 2018-11-01 19:08:05 -07:00
Girish Ramakrishnan
8dd3c55ecf Use async unlink 2018-09-28 17:05:53 -07:00
Girish Ramakrishnan
1ee902a541 typoe 2018-09-28 17:01:56 -07:00
Girish Ramakrishnan
5a8a4e7907 acme2: Display any errors when cleaning up challenge 2018-09-28 14:33:08 -07:00
Girish Ramakrishnan
3b5be641f0 acme2: fix challenge subdomain calculation in cleanup 2018-09-28 13:24:34 -07:00
Girish Ramakrishnan
a34fe120fb TXT values must be quoted 2018-09-27 20:17:39 -07:00
Girish Ramakrishnan
e69004548b waitForDnsRecord: use subdomain as argument 
this allows to hyphenate the subdomain correctly in all places

the original issue was that altDomain in caas was not working
because waitForDnsRecord was not hyphenating.
 2018-09-22 11:26:33 -07:00
Girish Ramakrishnan
ed14115ff1 Fix new account return value 
https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-7.3
 2018-09-17 15:30:16 -07:00
Girish Ramakrishnan
6d9c6ffba3 acme2: register new account returns 201 2018-09-17 15:19:19 -07:00
Girish Ramakrishnan
6ba574432a calculate subdomain correctly for non-wildcard domains 2018-09-12 15:55:20 -07:00
Girish Ramakrishnan
96075c7c20 Fix double callback 2018-09-12 14:43:15 -07:00
Girish Ramakrishnan
64665542bc select app's cert based on domain's wildcard flag 
this also removes the confusing type field in the bundle. we instead
check the current nginx config to see what cert is in use.
 2018-09-12 14:22:54 -07:00
Girish Ramakrishnan
c138c4bb5f acme2: implement wildcard certs 2018-09-11 23:15:50 -07:00
Girish Ramakrishnan
35f69cfea9 acme2: wait for dns 2018-09-11 19:41:41 -07:00
Girish Ramakrishnan
d0dde04695 acme2: dns authorization 2018-09-10 21:46:53 -07:00
Girish Ramakrishnan
2f38a4018c pass domain arg to getCertificate API 2018-09-10 20:48:47 -07:00
Girish Ramakrishnan
f38b87c660 lint 2018-09-10 20:30:38 -07:00
Girish Ramakrishnan
9bac2acc37 Fix callback use 2018-09-10 17:39:13 -07:00
Girish Ramakrishnan
68536b6d7d acme2 implementation 2018-09-10 16:26:24 -07:00