Move apphealthmonitor into a cron job

This makes sure that it only runs post activation

See also a9c1af50f7

(cherry picked from commit a49969f2be)

CHANGES

@@ -1377,3 +1377,33 @@
 * Prevent dashboard domain from being deleted
 * Add alternateDomains to app install route
 
+[3.1.4]
+* Fix issue where support tab was redirecting
+
+[3.1.4]
+* Fix issue where support tab was redirecting
+
+[3.2.0]
+* Add acme2 support. This provides DNS based validation removing inbound port 80 requirement
+* Add support for wildcard certificates
+* Allow mailbox name to be reset to the buit-in '.app' name
+* Fix permission issue when restoring a Cloudron
+* Fix a crash when restoring Cloudron
+* Allow alternate domains to be set in app installation REST API
+* Add SFO2 region for DigitalOcean Spaces
+* Show the title in port bindings instead of the long description
+
+[3.2.1]
+* Add acme2 support. This provides DNS based validation removing inbound port 80 requirement
+* Add support for wildcard certificates
+* Allow mailbox name to be reset to the buit-in '.app' name
+* Fix permission issue when restoring a Cloudron
+* Fix a crash when restoring Cloudron
+* Allow alternate domains to be set in app installation REST API
+* Add SFO2 region for DigitalOcean Spaces
+* Show the title in port bindings instead of the long description
+
+[3.2.2]
+* Update Haraka to 2.8.20
+* (mail) Fix issue where LDAP connections where not cleaned up
+

box.js

@@ -9,8 +9,7 @@ require('debug').formatArgs = function formatArgs(args) {
     args[0] = this.namespace + ' ' + args[0];
 };
 
-var appHealthMonitor = require('./src/apphealthmonitor.js'),
-    async = require('async'),
+let async = require('async'),
     config = require('./src/config.js'),
     ldap = require('./src/ldap.js'),
     dockerProxy = require('./src/dockerproxy.js'),
@@ -36,8 +35,7 @@ console.log();
 async.series([
     server.start,
     ldap.start,
-    dockerProxy.start,
-    appHealthMonitor.start,
+    dockerProxy.start
 ], function (error) {
     if (error) {
         console.error('Error starting server', error);

migrations/20180628163616-migrate-app-subdomains.js

@@ -4,7 +4,7 @@ var async = require('async');
 
 exports.up = function(db, callback) {
     db.all('SELECT * from apps', [ ], function (error, results) {
-        if (error) return done(error);
+        if (error) return callback(error);
 
         var queries = [
             db.runSql.bind(db, 'START TRANSACTION;')

migrations/20180907025934-domains-migrate-wildcard.js

@@ -0,0 +1,21 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.all('SELECT * from domains WHERE provider=?', [ 'manual' ], function (error, results) {
+        if (error) return callback(error);
+
+        async.eachSeries(results, function (result, iteratorDone) {
+            var config = JSON.parse(result.configJson || '{}');
+            if (!config.wildcard) return iteratorDone();
+            delete config.wildcard;
+
+            db.runSql('UPDATE domains SET provider=?, configJson=? WHERE domain=?', [ 'wildcard', JSON.stringify(config), result.domain ], iteratorDone);
+        }, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

scripts/createReleaseTarball

@@ -44,7 +44,7 @@ branch=$(git rev-parse --abbrev-ref HEAD)
 if [[ "${branch}" == "master" ]]; then
     dashboard_version=$(cd "${SOURCE_DIR}/../dashboard" && git rev-parse "${branch}")
 else
-    dashboard_version=$(cd "${SOURCE_DIR}/../dashboard" && git fetch && git rev-parse "origin/${branch}")
+    dashboard_version=$(cd "${SOURCE_DIR}/../dashboard" && git fetch && git rev-parse "${branch}")
 fi
 bundle_dir=$(mktemp -d -t box 2>/dev/null || mktemp -d box-XXXXXXXXXX --tmpdir=$TMPDIR)
 [[ -z "$bundle_file" ]] && bundle_file="${TMPDIR}/box-${box_version:0:10}-${dashboard_version:0:10}.tar.gz"

src/apphealthmonitor.js

@@ -12,15 +12,14 @@ var appdb = require('./appdb.js'),
     util = require('util');
 
 exports = module.exports = {
-    start: start,
-    stop: stop
+    run: run
 };
 
 var HEALTHCHECK_INTERVAL = 10 * 1000; // every 10 seconds. this needs to be small since the UI makes only healthy apps clickable
 var UNHEALTHY_THRESHOLD = 10 * 60 * 1000; // 10 minutes
 var gHealthInfo = { }; // { time, emailSent }
-var gRunTimeout = null;
-var gDockerEventStream = null;
+
+const NOOP_CALLBACK = function (error) { if (error) console.error(error); };
 
 function debugApp(app) {
     assert(typeof app === 'object');
@@ -110,48 +109,23 @@ function checkAppHealth(app, callback) {
     });
 }
 
-function processApps(callback) {
-    apps.getAll(function (error, result) {
-        if (error) return callback(error);
-
-        async.each(result, checkAppHealth, function (error) {
-            if (error) console.error(error);
-
-            var alive = result
-                .filter(function (a) { return a.installationState === appdb.ISTATE_INSTALLED && a.runState === appdb.RSTATE_RUNNING && a.health === appdb.HEALTH_HEALTHY; })
-                .map(function (a) { return (a.location || 'naked_domain') + '|' + a.manifest.id; }).join(', ');
-
-            debug('apps alive: [%s]', alive);
-
-            callback(null);
-        });
-    });
-}
-
-function run() {
-    processApps(function (error) {
-        if (error) console.error(error);
-
-        gRunTimeout = setTimeout(run, HEALTHCHECK_INTERVAL);
-    });
-}
-
 /*
     OOM can be tested using stress tool like so:
         docker run -ti -m 100M cloudron/base:0.10.0 /bin/bash
         apt-get update && apt-get install stress
         stress --vm 1 --vm-bytes 200M --vm-hang 0
 */
-function processDockerEvents() {
-    // note that for some reason, the callback is called only on the first event
-    debug('Listening for docker events');
+function processDockerEvents(interval, callback) {
+    assert.strictEqual(typeof interval, 'number');
+    assert.strictEqual(typeof callback, 'function');
+
     const OOM_MAIL_LIMIT = 60 * 60 * 1000; // 60 minutes
-    var lastOomMailTime = new Date(new Date() - OOM_MAIL_LIMIT);
+    let lastOomMailTime = new Date(new Date() - OOM_MAIL_LIMIT);
+    const since = ((new Date().getTime() / 1000) - interval).toFixed(0);
+    const until = ((new Date().getTime() / 1000) - 1).toFixed(0);
 
-    docker.getEvents({ filters: JSON.stringify({ event: [ 'oom' ] }) }, function (error, stream) {
-        if (error) return console.error(error);
-
-        gDockerEventStream = stream;
+    docker.getEvents({ since: since, until: until, filters: JSON.stringify({ event: [ 'oom' ] }) }, function (error, stream) {
+        if (error) return callback(error);
 
         stream.setEncoding('utf8');
         stream.on('data', function (data) {
@@ -173,34 +147,48 @@ function processDockerEvents() {
         });
 
         stream.on('error', function (error) {
-            console.error('Error reading docker events', error);
-            gDockerEventStream = null; // TODO: reconnect?
+            debug('Error reading docker events', error);
+            callback();
         });
 
-        stream.on('end', function () {
-            console.error('Docker event stream ended');
-            gDockerEventStream = null; // TODO: reconnect?
+        stream.on('end', callback);
+
+        // safety hatch if 'until' doesn't work (there are cases where docker is working with a different time)
+        setTimeout(stream.destroy.bind(stream), 3000); // https://github.com/apocas/dockerode/issues/179
+    });
+}
+
+function processApp(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    apps.getAll(function (error, result) {
+        if (error) return callback(error);
+
+        async.each(result, checkAppHealth, function (error) {
+            if (error) console.error(error);
+
+            var alive = result
+                .filter(function (a) { return a.installationState === appdb.ISTATE_INSTALLED && a.runState === appdb.RSTATE_RUNNING && a.health === appdb.HEALTH_HEALTHY; })
+                .map(function (a) { return (a.location || 'naked_domain') + '|' + a.manifest.id; }).join(', ');
+
+            debug('apps alive: [%s]', alive);
+
+            callback(null);
         });
     });
 }
 
-function start(callback) {
-    assert.strictEqual(typeof callback, 'function');
+function run(interval, callback) {
+    assert.strictEqual(typeof interval, 'number');
 
-    debug('Starting apphealthmonitor');
+    callback = callback || NOOP_CALLBACK;
 
-    processDockerEvents();
+    async.series([
+        processDockerEvents.bind(null, interval),
+        processApp
+    ], function (error) {
+        if (error) debug(error);
 
-    run();
-
-    callback();
-}
-
-function stop(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    clearTimeout(gRunTimeout);
-    if (gDockerEventStream) gDockerEventStream.end();
-
-    callback();
+        callback();
+    });
 }

src/apps.js

@@ -372,17 +372,21 @@ function get(appId, callback) {
     assert.strictEqual(typeof appId, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    appdb.get(appId, function (error, app) {
-        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
+    domaindb.getAll(function (error, domainObjects) {
         if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
 
-        postProcess(app);
-
-        domaindb.get(app.domain, function (error, domainObject) {
+        appdb.get(appId, function (error, app) {
+            if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
             if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
 
+            postProcess(app);
+
+            let domainObjectMap = {};
+            for (let d of domainObjects) { domainObjectMap[d.domain] = d; }
+
             app.iconUrl = getIconUrlSync(app);
-            app.fqdn = domains.fqdn(app.location, domainObject);
+            app.fqdn = domains.fqdn(app.location, domainObjectMap[app.domain]);
+            app.alternateDomains.forEach(function (ad) { ad.fqdn = domains.fqdn(ad.subdomain, domainObjectMap[ad.domain]); });
 
             mailboxdb.getByOwnerId(app.id, function (error, mailboxes) {
                 if (error && error.reason !== DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
@@ -399,27 +403,38 @@ function getByIpAddress(ip, callback) {
     assert.strictEqual(typeof ip, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    docker.getContainerIdByIp(ip, function (error, containerId) {
+    domaindb.getAll(function (error, domainObjects) {
         if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
 
-        appdb.getByContainerId(containerId, function (error, app) {
-            if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
+        let domainObjectMap = {};
+        for (let d of domainObjects) { domainObjectMap[d.domain] = d; }
+
+        docker.getContainerIdByIp(ip, function (error, containerId) {
             if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
 
-            postProcess(app);
-
-            domaindb.get(app.domain, function (error, domainObject) {
+            appdb.getByContainerId(containerId, function (error, app) {
+                if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
                 if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
 
-                app.iconUrl = getIconUrlSync(app);
-                app.fqdn = domains.fqdn(app.location, domainObject);
+                postProcess(app);
 
-                mailboxdb.getByOwnerId(app.id, function (error, mailboxes) {
-                    if (error && error.reason !== DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+                domaindb.getAll(function (error, domainObjects) {
+                    if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
 
-                    if (!error) app.mailboxName = mailboxes[0].name;
+                    let domainObjectMap = {};
+                    for (let d of domainObjects) { domainObjectMap[d.domain] = d; }
 
-                    callback(null, app);
+                    app.iconUrl = getIconUrlSync(app);
+                    app.fqdn = domains.fqdn(app.location, domainObjectMap[app.domain]);
+                    app.alternateDomains.forEach(function (ad) { ad.fqdn = domains.fqdn(ad.subdomain, domainObjectMap[ad.domain]); });
+
+                    mailboxdb.getByOwnerId(app.id, function (error, mailboxes) {
+                        if (error && error.reason !== DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+
+                        if (!error) app.mailboxName = mailboxes[0].name;
+
+                        callback(null, app);
+                    });
                 });
             });
         });
@@ -429,30 +444,34 @@ function getByIpAddress(ip, callback) {
 function getAll(callback) {
     assert.strictEqual(typeof callback, 'function');
 
-    appdb.getAll(function (error, apps) {
+    domaindb.getAll(function (error, domainObjects) {
         if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
 
-        apps.forEach(postProcess);
+        let domainObjectMap = {};
+        for (let d of domainObjects) { domainObjectMap[d.domain] = d; }
 
-        async.eachSeries(apps, function (app, iteratorDone) {
-            domaindb.get(app.domain, function (error, domainObject) {
-                if (error) return iteratorDone(new AppsError(AppsError.INTERNAL_ERROR, error));
+        appdb.getAll(function (error, apps) {
+            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
 
+            apps.forEach(postProcess);
+
+            async.eachSeries(apps, function (app, iteratorDone) {
                 app.iconUrl = getIconUrlSync(app);
-                app.fqdn = domains.fqdn(app.location, domainObject);
+                app.fqdn = domains.fqdn(app.location, domainObjectMap[app.domain]);
+                app.alternateDomains.forEach(function (ad) { ad.fqdn = domains.fqdn(ad.subdomain, domainObjectMap[ad.domain]); });
 
                 mailboxdb.getByOwnerId(app.id, function (error, mailboxes) {
-                    if (error && error.reason !== DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+                    if (error && error.reason !== DatabaseError.NOT_FOUND) return iteratorDone(new AppsError(AppsError.INTERNAL_ERROR, error));
 
                     if (!error) app.mailboxName = mailboxes[0].name;
 
                     iteratorDone(null, app);
                 });
-            });
-        }, function (error) {
-            if (error) return callback(error);
+            }, function (error) {
+                if (error) return callback(error);
 
-            callback(null, apps);
+                callback(null, apps);
+            });
         });
     });
 }
@@ -649,7 +668,7 @@ function configure(appId, data, user, auditSource, callback) {
     get(appId, function (error, app) {
         if (error) return callback(error);
 
-        var domain, location, portBindings, values = { };
+        let domain, location, portBindings, values = { }, mailboxName;
         if ('location' in data) location = values.location = data.location.toLowerCase();
         else location = app.location;
 
@@ -696,8 +715,15 @@ function configure(appId, data, user, auditSource, callback) {
         }
 
         if ('mailboxName' in data) {
-            error = mail.validateName(data.mailboxName);
-            if (error) return callback(error);
+            if (data.mailboxName === '') { // special case to reset back to .app
+                mailboxName = mailboxNameForLocation(location, app.manifest);
+            } else {
+                error = mail.validateName(data.mailboxName);
+                if (error) return callback(error);
+                mailboxName = data.mailboxName;
+            }
+        } else { // keep existing name or follow the new location
+            mailboxName = app.mailboxName.endsWith('.app') ? mailboxNameForLocation(location, app.manifest) : app.mailboxName;
         }
 
         if ('alternateDomains' in data) {
@@ -738,10 +764,8 @@ function configure(appId, data, user, auditSource, callback) {
             debug('Will configure app with id:%s values:%j', appId, values);
 
             // make the mailbox name follow the apps new location, if the user did not set it explicitly
-            var oldName = app.mailboxName;
-            var newName = data.mailboxName || (app.mailboxName.endsWith('.app') ? mailboxNameForLocation(location, app.manifest) : app.mailboxName);
-            mailboxdb.updateName(oldName, values.oldConfig.domain, newName, domain, function (error) {
-                if (newName.endsWith('.app')) error = null; // ignore internal mailbox conflict errors since we want to show location conflict errors in the UI
+            mailboxdb.updateName(app.mailboxName /* old */, values.oldConfig.domain, mailboxName, domain, function (error) {
+                if (mailboxName.endsWith('.app')) error = null; // ignore internal mailbox conflict errors since we want to show location conflict errors in the UI
 
                 if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new AppsError(AppsError.ALREADY_EXISTS, 'This mailbox is already taken'));
                 if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.BAD_STATE));

src/apptask.js

@@ -358,7 +358,7 @@ function unregisterAlternateDomains(app, all, callback) {
     assert.strictEqual(typeof all, 'boolean');
     assert.strictEqual(typeof callback, 'function');
 
-    var obsoleteDomains
+    var obsoleteDomains;
     if (all) obsoleteDomains = app.alternateDomains;
     else obsoleteDomains = app.oldConfig.alternateDomains.filter(function (o) { return !app.alternateDomains.some(function (n) { return n.subdomain === o.subdomain && n.domain === o.domain; }); });
 
@@ -417,13 +417,12 @@ function waitForDnsPropagation(app, callback) {
     sysinfo.getPublicIp(function (error, ip) {
         if (error) return callback(error);
 
-        domains.waitForDnsRecord(app.fqdn, app.domain, ip, { interval: 5000, times: 240 }, function (error) {
+        domains.waitForDnsRecord(app.location, app.domain, 'A', ip, { interval: 5000, times: 240 }, function (error) {
             if (error) return callback(error);
 
             // now wait for alternateDomains, if any
-            async.eachSeries(app.alternateDomains, function (domain, callback) {
-                var fqdn = (domain.subdomain ? (domain.subdomain + '.') : '') + domain.domain;
-                domains.waitForDnsRecord(fqdn, domain.domain, ip, { interval: 5000, times: 240 }, callback);
+            async.eachSeries(app.alternateDomains, function (domain, iteratorCallback) {
+                domains.waitForDnsRecord(domain.subdomain, domain.domain, 'A', ip, { interval: 5000, times: 240 }, iteratorCallback);
             }, callback);
         });
     });
@@ -483,6 +482,9 @@ function install(app, callback) {
         updateApp.bind(null, app, { installationProgress: '30, Registering subdomain' }),
         registerSubdomain.bind(null, app, isRestoring /* overwrite */),
 
+        updateApp.bind(null, app, { installationProgress: '35, Registering alternate domains'}),
+        registerAlternateDomains.bind(null, app, isRestoring /* overwrite */),
+
         updateApp.bind(null, app, { installationProgress: '40, Downloading image' }),
         docker.downloadImage.bind(null, app.manifest),
 

src/backups.js

@@ -565,9 +565,13 @@ function restore(backupConfig, backupId, callback) {
     download(backupConfig, backupId, backupConfig.format, paths.BOX_DATA_DIR, function (error) {
         if (error) return callback(error);
 
+        debug('restore: download completed, importing database');
+
         database.importFromFile(`${paths.BOX_DATA_DIR}/box.mysqldump`, function (error) {
             if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));
 
+            debug('restore: database imported');
+
             callback();
         });
     });

src/cert/acme1.js

@@ -3,7 +3,7 @@
 var assert = require('assert'),
     async = require('async'),
     crypto = require('crypto'),
-    debug = require('debug')('box:cert/acme'),
+    debug = require('debug')('box:cert/acme1'),
     execSync = require('safetydance').child_process.execSync,
     fs = require('fs'),
     parseLinks = require('parse-links'),
@@ -25,7 +25,7 @@ exports = module.exports = {
     _name: 'acme'
 };
 
-function AcmeError(reason, errorOrMessage) {
+function Acme1Error(reason, errorOrMessage) {
     assert.strictEqual(typeof reason, 'string');
     assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
 
@@ -43,18 +43,18 @@ function AcmeError(reason, errorOrMessage) {
         this.nestedError = errorOrMessage;
     }
 }
-util.inherits(AcmeError, Error);
-AcmeError.INTERNAL_ERROR = 'Internal Error';
-AcmeError.EXTERNAL_ERROR = 'External Error';
-AcmeError.ALREADY_EXISTS = 'Already Exists';
-AcmeError.NOT_COMPLETED = 'Not Completed';
-AcmeError.FORBIDDEN = 'Forbidden';
+util.inherits(Acme1Error, Error);
+Acme1Error.INTERNAL_ERROR = 'Internal Error';
+Acme1Error.EXTERNAL_ERROR = 'External Error';
+Acme1Error.ALREADY_EXISTS = 'Already Exists';
+Acme1Error.NOT_COMPLETED = 'Not Completed';
+Acme1Error.FORBIDDEN = 'Forbidden';
 
 // http://jose.readthedocs.org/en/latest/
 // https://www.ietf.org/proceedings/92/slides/slides-92-acme-1.pdf
 // https://community.letsencrypt.org/t/list-of-client-implementations/2103
 
-function Acme(options) {
+function Acme1(options) {
     assert.strictEqual(typeof options, 'object');
 
     this.caOrigin = options.prod ? CA_PROD : CA_STAGING;
@@ -62,7 +62,7 @@ function Acme(options) {
     this.email = options.email;
 }
 
-Acme.prototype.getNonce = function (callback) {
+Acme1.prototype.getNonce = function (callback) {
     superagent.get(this.caOrigin + '/directory').timeout(30 * 1000).end(function (error, response) {
         if (error && !error.response) return callback(error);
         if (response.statusCode !== 200) return callback(new Error('Invalid response code when fetching nonce : ' + response.statusCode));
@@ -91,7 +91,7 @@ function getModulus(pem) {
     return Buffer.from(match[1], 'hex');
 }
 
-Acme.prototype.sendSignedRequest = function (url, payload, callback) {
+Acme1.prototype.sendSignedRequest = function (url, payload, callback) {
     assert.strictEqual(typeof url, 'string');
     assert.strictEqual(typeof payload, 'string');
     assert.strictEqual(typeof callback, 'function');
@@ -136,7 +136,7 @@ Acme.prototype.sendSignedRequest = function (url, payload, callback) {
     });
 };
 
-Acme.prototype.updateContact = function (registrationUri, callback) {
+Acme1.prototype.updateContact = function (registrationUri, callback) {
     assert.strictEqual(typeof registrationUri, 'string');
     assert.strictEqual(typeof callback, 'function');
 
@@ -151,8 +151,8 @@ Acme.prototype.updateContact = function (registrationUri, callback) {
 
     var that = this;
     this.sendSignedRequest(registrationUri, JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
-        if (result.statusCode !== 202) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to update contact. Expecting 202, got %s %s', result.statusCode, result.text)));
+        if (error) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
+        if (result.statusCode !== 202) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, util.format('Failed to update contact. Expecting 202, got %s %s', result.statusCode, result.text)));
 
         debug('updateContact: contact of user updated to %s', that.email);
 
@@ -160,7 +160,7 @@ Acme.prototype.updateContact = function (registrationUri, callback) {
     });
 };
 
-Acme.prototype.registerUser = function (callback) {
+Acme1.prototype.registerUser = function (callback) {
     assert.strictEqual(typeof callback, 'function');
 
     var payload = {
@@ -173,9 +173,9 @@ Acme.prototype.registerUser = function (callback) {
 
     var that = this;
     this.sendSignedRequest(this.caOrigin + '/acme/new-reg', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
+        if (error) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
         if (result.statusCode === 409) return that.updateContact(result.headers.location, callback); // already exists
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
+        if (result.statusCode !== 201) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
 
         debug('registerUser: registered user %s', that.email);
 
@@ -183,7 +183,7 @@ Acme.prototype.registerUser = function (callback) {
     });
 };
 
-Acme.prototype.registerDomain = function (domain, callback) {
+Acme1.prototype.registerDomain = function (domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
@@ -198,9 +198,9 @@ Acme.prototype.registerDomain = function (domain, callback) {
     debug('registerDomain: %s', domain);
 
     this.sendSignedRequest(this.caOrigin + '/acme/new-authz', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering domain: ' + error.message));
-        if (result.statusCode === 403) return callback(new AcmeError(AcmeError.FORBIDDEN, result.body.detail));
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
+        if (error) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Network error when registering domain: ' + error.message));
+        if (result.statusCode === 403) return callback(new Acme1Error(Acme1Error.FORBIDDEN, result.body.detail));
+        if (result.statusCode !== 201) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
 
         debug('registerDomain: registered %s', domain);
 
@@ -208,7 +208,7 @@ Acme.prototype.registerDomain = function (domain, callback) {
     });
 };
 
-Acme.prototype.prepareHttpChallenge = function (challenge, callback) {
+Acme1.prototype.prepareHttpChallenge = function (challenge, callback) {
     assert.strictEqual(typeof challenge, 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -232,13 +232,13 @@ Acme.prototype.prepareHttpChallenge = function (challenge, callback) {
     debug('prepareHttpChallenge: writing %s to %s', keyAuthorization, path.join(paths.ACME_CHALLENGES_DIR, token));
 
     fs.writeFile(path.join(paths.ACME_CHALLENGES_DIR, token), token + '.' + thumbprint, function (error) {
-        if (error) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, error));
+        if (error) return callback(new Acme1Error(Acme1Error.INTERNAL_ERROR, error));
 
         callback();
     });
 };
 
-Acme.prototype.notifyChallengeReady = function (challenge, callback) {
+Acme1.prototype.notifyChallengeReady = function (challenge, callback) {
     assert.strictEqual(typeof challenge, 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -252,14 +252,14 @@ Acme.prototype.notifyChallengeReady = function (challenge, callback) {
     };
 
     this.sendSignedRequest(challenge.uri, JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when notifying challenge: ' + error.message));
-        if (result.statusCode !== 202) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 202, got %s %s', result.statusCode, result.text)));
+        if (error) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Network error when notifying challenge: ' + error.message));
+        if (result.statusCode !== 202) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 202, got %s %s', result.statusCode, result.text)));
 
         callback();
     });
 };
 
-Acme.prototype.waitForChallenge = function (challenge, callback) {
+Acme1.prototype.waitForChallenge = function (challenge, callback) {
     assert.strictEqual(typeof challenge, 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -271,18 +271,18 @@ Acme.prototype.waitForChallenge = function (challenge, callback) {
         superagent.get(challenge.uri).timeout(30 * 1000).end(function (error, result) {
             if (error && !error.response) {
                 debug('waitForChallenge: network error getting uri %s', challenge.uri);
-                return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, error.message)); // network error
+                return retryCallback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, error.message)); // network error
             }
             if (result.statusCode !== 202) {
                 debug('waitForChallenge: invalid response code getting uri %s', result.statusCode);
-                return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
+                return retryCallback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
             }
 
             debug('waitForChallenge: status is "%s %j', result.body.status, result.body);
 
-            if (result.body.status === 'pending') return retryCallback(new AcmeError(AcmeError.NOT_COMPLETED));
+            if (result.body.status === 'pending') return retryCallback(new Acme1Error(Acme1Error.NOT_COMPLETED));
             else if (result.body.status === 'valid') return retryCallback();
-            else return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status));
+            else return retryCallback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status));
         });
     }, function retryFinished(error) {
         // async.retry will pass 'undefined' as second arg making it unusable with async.waterfall()
@@ -291,7 +291,7 @@ Acme.prototype.waitForChallenge = function (challenge, callback) {
 };
 
 // https://community.letsencrypt.org/t/public-beta-rate-limits/4772 for rate limits
-Acme.prototype.signCertificate = function (domain, csrDer, callback) {
+Acme1.prototype.signCertificate = function (domain, csrDer, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert(util.isBuffer(csrDer));
     assert.strictEqual(typeof callback, 'function');
@@ -306,13 +306,13 @@ Acme.prototype.signCertificate = function (domain, csrDer, callback) {
     debug('signCertificate: sending new-cert request');
 
     this.sendSignedRequest(this.caOrigin + '/acme/new-cert', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message));
+        if (error) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message));
         // 429 means we reached the cert limit for this domain
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 201, got %s %s', result.statusCode, result.text)));
+        if (result.statusCode !== 201) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 201, got %s %s', result.statusCode, result.text)));
 
         var certUrl = result.headers.location;
 
-        if (!certUrl) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Missing location in downloadCertificate'));
+        if (!certUrl) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Missing location in downloadCertificate'));
 
         safe.fs.writeFileSync(path.join(outdir, domain + '.url'), certUrl, 'utf8'); // maybe use for renewal
 
@@ -320,7 +320,7 @@ Acme.prototype.signCertificate = function (domain, csrDer, callback) {
     });
 };
 
-Acme.prototype.createKeyAndCsr = function (domain, callback) {
+Acme1.prototype.createKeyAndCsr = function (domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
@@ -333,15 +333,15 @@ Acme.prototype.createKeyAndCsr = function (domain, callback) {
         debug('createKeyAndCsr: reuse the key for renewal at %s', privateKeyFile);
     } else {
         var key = execSync('openssl genrsa 4096');
-        if (!key) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-        if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+        if (!key) return callback(new Acme1Error(Acme1Error.INTERNAL_ERROR, safe.error));
+        if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new Acme1Error(Acme1Error.INTERNAL_ERROR, safe.error));
 
         debug('createKeyAndCsr: key file saved at %s', privateKeyFile);
     }
 
     var csrDer = execSync(util.format('openssl req -new -key %s -outform DER -subj /CN=%s', privateKeyFile, domain));
-    if (!csrDer) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-    if (!safe.fs.writeFileSync(csrFile, csrDer)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error)); // bookkeeping
+    if (!csrDer) return callback(new Acme1Error(Acme1Error.INTERNAL_ERROR, safe.error));
+    if (!safe.fs.writeFileSync(csrFile, csrDer)) return callback(new Acme1Error(Acme1Error.INTERNAL_ERROR, safe.error)); // bookkeeping
 
     debug('createKeyAndCsr: csr file (DER) saved at %s', csrFile);
 
@@ -349,13 +349,13 @@ Acme.prototype.createKeyAndCsr = function (domain, callback) {
 };
 
 // TODO: download the chain in a loop following 'up' header
-Acme.prototype.downloadChain = function (linkHeader, callback) {
-    if (!linkHeader) return new AcmeError(AcmeError.EXTERNAL_ERROR, 'Empty link header when downloading certificate chain');
+Acme1.prototype.downloadChain = function (linkHeader, callback) {
+    if (!linkHeader) return new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Empty link header when downloading certificate chain');
 
     debug('downloadChain: linkHeader %s', linkHeader);
 
     var linkInfo = parseLinks(linkHeader);
-    if (!linkInfo || !linkInfo.up) return new AcmeError(AcmeError.EXTERNAL_ERROR, 'Failed to parse link header when downloading certificate chain');
+    if (!linkInfo || !linkInfo.up) return new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Failed to parse link header when downloading certificate chain');
 
     var intermediateCertUrl = linkInfo.up.startsWith('https://') ? linkInfo.up : (this.caOrigin + linkInfo.up);
 
@@ -366,18 +366,18 @@ Acme.prototype.downloadChain = function (linkHeader, callback) {
         res.on('data', function(chunk) { data.push(chunk); });
         res.on('end', function () { res.text = Buffer.concat(data); done(); });
     }).timeout(30 * 1000).end(function (error, result) {
-        if (error && !error.response) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when downloading certificate'));
-        if (result.statusCode !== 200) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
+        if (error && !error.response) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Network error when downloading certificate'));
+        if (result.statusCode !== 200) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
 
         var chainDer = result.text;
         var chainPem = execSync('openssl x509 -inform DER -outform PEM', { input: chainDer }); // this is really just base64 encoding with header
-        if (!chainPem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+        if (!chainPem) return callback(new Acme1Error(Acme1Error.INTERNAL_ERROR, safe.error));
 
         callback(null, chainPem);
     });
 };
 
-Acme.prototype.downloadCertificate = function (domain, certUrl, callback) {
+Acme1.prototype.downloadCertificate = function (domain, certUrl, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof certUrl, 'string');
     assert.strictEqual(typeof callback, 'function');
@@ -390,9 +390,9 @@ Acme.prototype.downloadCertificate = function (domain, certUrl, callback) {
         res.on('data', function(chunk) { data.push(chunk); });
         res.on('end', function () { res.text = Buffer.concat(data); done(); });
     }).timeout(30 * 1000).end(function (error, result) {
-        if (error && !error.response) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when downloading certificate'));
-        if (result.statusCode === 202) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, 'Retry not implemented yet'));
-        if (result.statusCode !== 200) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
+        if (error && !error.response) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'Network error when downloading certificate'));
+        if (result.statusCode === 202) return callback(new Acme1Error(Acme1Error.INTERNAL_ERROR, 'Retry not implemented yet'));
+        if (result.statusCode !== 200) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
 
         var certificateDer = result.text;
 
@@ -400,14 +400,14 @@ Acme.prototype.downloadCertificate = function (domain, certUrl, callback) {
         debug('downloadCertificate: cert der file for %s saved', domain);
 
         var certificatePem = execSync('openssl x509 -inform DER -outform PEM', { input: certificateDer }); // this is really just base64 encoding with header
-        if (!certificatePem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+        if (!certificatePem) return callback(new Acme1Error(Acme1Error.INTERNAL_ERROR, safe.error));
 
         that.downloadChain(result.header['link'], function (error, chainPem) {
             if (error) return callback(error);
 
             var certificateFile = path.join(outdir, domain + '.cert');
             var fullChainPem = Buffer.concat([certificatePem, chainPem]);
-            if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+            if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new Acme1Error(Acme1Error.INTERNAL_ERROR, safe.error));
 
             debug('downloadCertificate: cert file for %s saved at %s', domain, certificateFile);
 
@@ -416,14 +416,14 @@ Acme.prototype.downloadCertificate = function (domain, certUrl, callback) {
     });
 };
 
-Acme.prototype.acmeFlow = function (domain, callback) {
+Acme1.prototype.acmeFlow = function (domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
     if (!fs.existsSync(paths.ACME_ACCOUNT_KEY_FILE)) {
         debug('getCertificate: generating acme account key on first run');
         this.accountKeyPem = safe.child_process.execSync('openssl genrsa 4096');
-        if (!this.accountKeyPem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+        if (!this.accountKeyPem) return callback(new Acme1Error(Acme1Error.INTERNAL_ERROR, safe.error));
 
         safe.fs.writeFileSync(paths.ACME_ACCOUNT_KEY_FILE, this.accountKeyPem);
     } else {
@@ -441,7 +441,7 @@ Acme.prototype.acmeFlow = function (domain, callback) {
             debug('acmeFlow: challenges: %j', result);
 
             var httpChallenges = result.challenges.filter(function(x) { return x.type === 'http-01'; });
-            if (httpChallenges.length === 0) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'no http challenges'));
+            if (httpChallenges.length === 0) return callback(new Acme1Error(Acme1Error.EXTERNAL_ERROR, 'no http challenges'));
             var challenge = httpChallenges[0];
 
             async.waterfall([
@@ -456,24 +456,26 @@ Acme.prototype.acmeFlow = function (domain, callback) {
     });
 };
 
-Acme.prototype.getCertificate = function (domain, callback) {
+Acme1.prototype.getCertificate = function (hostname, domain, callback) {
+    assert.strictEqual(typeof hostname, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    debug('getCertificate: start acme flow for %s from %s', domain, this.caOrigin);
-    this.acmeFlow(domain, function (error) {
+    debug('getCertificate: start acme flow for %s from %s', hostname, this.caOrigin);
+    this.acmeFlow(hostname, function (error) {
         if (error) return callback(error);
 
         var outdir = paths.APP_CERTS_DIR;
-        callback(null, path.join(outdir, domain + '.cert'), path.join(outdir, domain + '.key'));
+        callback(null, path.join(outdir, hostname + '.cert'), path.join(outdir, hostname + '.key'));
     });
 };
 
-function getCertificate(domain, options, callback) {
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    var acme = new Acme(options || { });
-    acme.getCertificate(domain, callback);
+    var acme = new Acme1(options || { });
+    acme.getCertificate(hostname, domain, callback);
 }

src/cert/acme2.js

@@ -0,0 +1,633 @@
+'use strict';
+
+var assert = require('assert'),
+    async = require('async'),
+    crypto = require('crypto'),
+    debug = require('debug')('box:cert/acme2'),
+    domains = require('../domains.js'),
+    execSync = require('safetydance').child_process.execSync,
+    fs = require('fs'),
+    path = require('path'),
+    paths = require('../paths.js'),
+    safe = require('safetydance'),
+    superagent = require('superagent'),
+    util = require('util'),
+    _ = require('underscore');
+
+const CA_PROD_DIRECTORY_URL = 'https://acme-v02.api.letsencrypt.org/directory',
+    CA_STAGING_DIRECTORY_URL = 'https://acme-staging-v02.api.letsencrypt.org/directory';
+
+exports = module.exports = {
+    getCertificate: getCertificate,
+
+    // testing
+    _name: 'acme'
+};
+
+function Acme2Error(reason, errorOrMessage) {
+    assert.strictEqual(typeof reason, 'string');
+    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
+
+    Error.call(this);
+    Error.captureStackTrace(this, this.constructor);
+
+    this.name = this.constructor.name;
+    this.reason = reason;
+    if (typeof errorOrMessage === 'undefined') {
+        this.message = reason;
+    } else if (typeof errorOrMessage === 'string') {
+        this.message = errorOrMessage;
+    } else {
+        this.message = 'Internal error';
+        this.nestedError = errorOrMessage;
+    }
+}
+util.inherits(Acme2Error, Error);
+Acme2Error.INTERNAL_ERROR = 'Internal Error';
+Acme2Error.EXTERNAL_ERROR = 'External Error';
+Acme2Error.ALREADY_EXISTS = 'Already Exists';
+Acme2Error.NOT_COMPLETED = 'Not Completed';
+Acme2Error.FORBIDDEN = 'Forbidden';
+
+// http://jose.readthedocs.org/en/latest/
+// https://www.ietf.org/proceedings/92/slides/slides-92-acme-1.pdf
+// https://community.letsencrypt.org/t/list-of-client-implementations/2103
+
+function Acme2(options) {
+    assert.strictEqual(typeof options, 'object');
+
+    this.accountKeyPem = null; // Buffer
+    this.email = options.email;
+    this.keyId = null;
+    this.caDirectory = options.prod ? CA_PROD_DIRECTORY_URL : CA_STAGING_DIRECTORY_URL;
+    this.directory = {};
+    this.performHttpAuthorization = !!options.performHttpAuthorization;
+    this.wildcard = !!options.wildcard;
+}
+
+Acme2.prototype.getNonce = function (callback) {
+    superagent.get(this.directory.newNonce).timeout(30 * 1000).end(function (error, response) {
+        if (error && !error.response) return callback(error);
+        if (response.statusCode !== 204) return callback(new Error('Invalid response code when fetching nonce : ' + response.statusCode));
+
+        return callback(null, response.headers['Replay-Nonce'.toLowerCase()]);
+    });
+};
+
+// urlsafe base64 encoding (jose)
+function urlBase64Encode(string) {
+    return string.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
+function b64(str) {
+    var buf = util.isBuffer(str) ? str : new Buffer(str);
+    return urlBase64Encode(buf.toString('base64'));
+}
+
+function getModulus(pem) {
+    assert(util.isBuffer(pem));
+
+    var stdout = execSync('openssl rsa -modulus -noout', { input: pem, encoding: 'utf8' });
+    if (!stdout) return null;
+    var match = stdout.match(/Modulus=([0-9a-fA-F]+)$/m);
+    if (!match) return null;
+    return Buffer.from(match[1], 'hex');
+}
+
+Acme2.prototype.sendSignedRequest = function (url, payload, callback) {
+    assert.strictEqual(typeof url, 'string');
+    assert.strictEqual(typeof payload, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    assert(util.isBuffer(this.accountKeyPem));
+
+    const that = this;
+    let header = {
+        url: url,
+        alg: 'RS256'
+    };
+
+    // keyId is null when registering account
+    if (this.keyId) {
+        header.kid = this.keyId;
+    } else {
+        header.jwk = {
+            e: b64(Buffer.from([0x01, 0x00, 0x01])), // exponent - 65537
+            kty: 'RSA',
+            n: b64(getModulus(this.accountKeyPem))
+        };
+    }
+
+    var payload64 = b64(payload);
+
+    this.getNonce(function (error, nonce) {
+        if (error) return callback(error);
+
+        debug('sendSignedRequest: using nonce %s for url %s', nonce, url);
+
+        var protected64 = b64(JSON.stringify(_.extend({ }, header, { nonce: nonce })));
+
+        var signer = crypto.createSign('RSA-SHA256');
+        signer.update(protected64 + '.' + payload64, 'utf8');
+        var signature64 = urlBase64Encode(signer.sign(that.accountKeyPem, 'base64'));
+
+        var data = {
+            protected: protected64,
+            payload: payload64,
+            signature: signature64
+        };
+
+        superagent.post(url).set('Content-Type', 'application/jose+json').set('User-Agent', 'acme-cloudron').send(JSON.stringify(data)).timeout(30 * 1000).end(function (error, res) {
+            if (error && !error.response) return callback(error); // network errors
+
+            callback(null, res);
+        });
+    });
+};
+
+Acme2.prototype.updateContact = function (registrationUri, callback) {
+    assert.strictEqual(typeof registrationUri, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`updateContact: registrationUri: ${registrationUri} email: ${this.email}`);
+
+    // https://github.com/ietf-wg-acme/acme/issues/30
+    const payload = {
+        contact: [ 'mailto:' + this.email ]
+    };
+
+    const that = this;
+    this.sendSignedRequest(registrationUri, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to update contact. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        debug(`updateContact: contact of user updated to ${that.email}`);
+
+        callback();
+    });
+};
+
+Acme2.prototype.registerUser = function (callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    var payload = {
+        termsOfServiceAgreed: true
+    };
+
+    debug('registerUser: registering user');
+
+    var that = this;
+    this.sendSignedRequest(this.directory.newAccount, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering new account: ' + error.message));
+        // 200 if already exists. 201 for new accounts
+        if (result.statusCode !== 200 && result.statusCode !== 201) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to register new account. Expecting 200 or 201, got %s %s', result.statusCode, result.text)));
+
+        debug(`registerUser: user registered keyid: ${result.headers.location}`);
+
+        that.keyId = result.headers.location;
+
+        that.updateContact(result.headers.location, callback);
+    });
+};
+
+Acme2.prototype.newOrder = function (domain, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var payload = {
+        identifiers: [{
+            type: 'dns',
+            value: domain
+        }]
+    };
+
+    debug('newOrder: %s', domain);
+
+    this.sendSignedRequest(this.directory.newOrder, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering domain: ' + error.message));
+        if (result.statusCode === 403) return callback(new Acme2Error(Acme2Error.FORBIDDEN, result.body.detail));
+        if (result.statusCode !== 201) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
+
+        debug('newOrder: created order %s %j', domain, result.body);
+
+        const order = result.body, orderUrl = result.headers.location;
+
+        if (!Array.isArray(order.authorizations)) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid authorizations in order'));
+        if (typeof order.finalize !== 'string') return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid finalize in order'));
+        if (typeof orderUrl !== 'string') return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid order location in order header'));
+
+        callback(null, order, orderUrl);
+    });
+};
+
+Acme2.prototype.waitForOrder = function (orderUrl, callback) {
+    assert.strictEqual(typeof orderUrl, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`waitForOrder: ${orderUrl}`);
+
+    async.retry({ times: 10, interval: 5000 }, function (retryCallback) {
+        debug('waitForOrder: getting status');
+
+        superagent.get(orderUrl).timeout(30 * 1000).end(function (error, result) {
+            if (error && !error.response) {
+                debug('waitForOrder: network error getting uri %s', orderUrl);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message)); // network error
+            }
+            if (result.statusCode !== 200) {
+                debug('waitForOrder: invalid response code getting uri %s', result.statusCode);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
+            }
+
+            debug('waitForOrder: status is "%s %j', result.body.status, result.body);
+
+            if (result.body.status === 'pending' || result.body.status === 'processing') return retryCallback(new Acme2Error(Acme2Error.NOT_COMPLETED));
+            else if (result.body.status === 'valid' && result.body.certificate) return retryCallback(null, result.body.certificate);
+            else return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Unexpected status or invalid response: ' + result.body));
+        });
+    }, callback);
+};
+
+Acme2.prototype.getKeyAuthorization = function (token) {
+    assert(util.isBuffer(this.accountKeyPem));
+
+    let jwk = {
+        e: b64(Buffer.from([0x01, 0x00, 0x01])), // Exponent - 65537
+        kty: 'RSA',
+        n: b64(getModulus(this.accountKeyPem))
+    };
+
+    let shasum = crypto.createHash('sha256');
+    shasum.update(JSON.stringify(jwk));
+    let thumbprint = urlBase64Encode(shasum.digest('base64'));
+    return token + '.' + thumbprint;
+};
+
+Acme2.prototype.notifyChallengeReady = function (challenge, callback) {
+    assert.strictEqual(typeof challenge, 'object'); // { type, status, url, token }
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('notifyChallengeReady: %s was met', challenge.url);
+
+    const keyAuthorization = this.getKeyAuthorization(challenge.token);
+
+    var payload = {
+        resource: 'challenge',
+        keyAuthorization: keyAuthorization
+    };
+
+    this.sendSignedRequest(challenge.url, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when notifying challenge: ' + error.message));
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        callback();
+    });
+};
+
+Acme2.prototype.waitForChallenge = function (challenge, callback) {
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('waitingForChallenge: %j', challenge);
+
+    async.retry({ times: 10, interval: 5000 }, function (retryCallback) {
+        debug('waitingForChallenge: getting status');
+
+        superagent.get(challenge.url).timeout(30 * 1000).end(function (error, result) {
+            if (error && !error.response) {
+                debug('waitForChallenge: network error getting uri %s', challenge.url);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message)); // network error
+            }
+            if (result.statusCode !== 200) {
+                debug('waitForChallenge: invalid response code getting uri %s', result.statusCode);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
+            }
+
+            debug('waitForChallenge: status is "%s %j', result.body.status, result.body);
+
+            if (result.body.status === 'pending') return retryCallback(new Acme2Error(Acme2Error.NOT_COMPLETED));
+            else if (result.body.status === 'valid') return retryCallback();
+            else return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status));
+        });
+    }, function retryFinished(error) {
+        // async.retry will pass 'undefined' as second arg making it unusable with async.waterfall()
+        callback(error);
+    });
+};
+
+// https://community.letsencrypt.org/t/public-beta-rate-limits/4772 for rate limits
+Acme2.prototype.signCertificate = function (domain, finalizationUrl, csrDer, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof finalizationUrl, 'string');
+    assert(util.isBuffer(csrDer));
+    assert.strictEqual(typeof callback, 'function');
+
+    const payload = {
+        csr: b64(csrDer)
+    };
+
+    debug('signCertificate: sending sign request');
+
+    this.sendSignedRequest(finalizationUrl, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message));
+        // 429 means we reached the cert limit for this domain
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        return callback(null);
+    });
+};
+
+Acme2.prototype.createKeyAndCsr = function (hostname, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var outdir = paths.APP_CERTS_DIR;
+    const certName = hostname.replace('*.', '_.');
+    var csrFile = path.join(outdir, `${certName}.csr`);
+    var privateKeyFile = path.join(outdir, `${certName}.key`);
+
+    if (safe.fs.existsSync(privateKeyFile)) {
+        // in some old releases, csr file was corrupt. so always regenerate it
+        debug('createKeyAndCsr: reuse the key for renewal at %s', privateKeyFile);
+    } else {
+        var key = execSync('openssl genrsa 4096');
+        if (!key) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+        if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+
+        debug('createKeyAndCsr: key file saved at %s', privateKeyFile);
+    }
+
+    var csrDer = execSync(`openssl req -new -key ${privateKeyFile} -outform DER -subj /CN=${hostname}`);
+    if (!csrDer) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+    if (!safe.fs.writeFileSync(csrFile, csrDer)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error)); // bookkeeping
+
+    debug('createKeyAndCsr: csr file (DER) saved at %s', csrFile);
+
+    callback(null, csrDer);
+};
+
+Acme2.prototype.downloadCertificate = function (hostname, certUrl, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof certUrl, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var outdir = paths.APP_CERTS_DIR;
+
+    superagent.get(certUrl).buffer().parse(function (res, done) {
+        var data = [ ];
+        res.on('data', function(chunk) { data.push(chunk); });
+        res.on('end', function () { res.text = Buffer.concat(data); done(); });
+    }).timeout(30 * 1000).end(function (error, result) {
+        if (error && !error.response) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when downloading certificate'));
+        if (result.statusCode === 202) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, 'Retry not implemented yet'));
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        const fullChainPem = result.text;
+
+        const certName = hostname.replace('*.', '_.');
+        var certificateFile = path.join(outdir, `${certName}.cert`);
+        if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+
+        debug('downloadCertificate: cert file for %s saved at %s', hostname, certificateFile);
+
+        callback();
+    });
+};
+
+Acme2.prototype.prepareHttpChallenge = function (hostname, domain, authorization, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof authorization, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('acmeFlow: challenges: %j', authorization);
+    let httpChallenges = authorization.challenges.filter(function(x) { return x.type === 'http-01'; });
+    if (httpChallenges.length === 0) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'no http challenges'));
+    let challenge = httpChallenges[0];
+
+    debug('prepareHttpChallenge: preparing for challenge %j', challenge);
+
+    let keyAuthorization = this.getKeyAuthorization(challenge.token);
+
+    debug('prepareHttpChallenge: writing %s to %s', keyAuthorization, path.join(paths.ACME_CHALLENGES_DIR, challenge.token));
+
+    fs.writeFile(path.join(paths.ACME_CHALLENGES_DIR, challenge.token), keyAuthorization, function (error) {
+        if (error) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, error));
+
+        callback(null, challenge);
+    });
+};
+
+Acme2.prototype.cleanupHttpChallenge = function (hostname, domain, challenge, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('cleanupHttpChallenge: unlinking %s', path.join(paths.ACME_CHALLENGES_DIR, challenge.token));
+
+    fs.unlink(path.join(paths.ACME_CHALLENGES_DIR, challenge.token), callback);
+};
+
+function getChallengeSubdomain(hostname, domain) {
+    let challengeSubdomain;
+
+    if (hostname === domain) {
+        challengeSubdomain = '_acme-challenge';
+    } else if (hostname.includes('*')) { // wildcard
+        challengeSubdomain = hostname.replace('*', '_acme-challenge').slice(0, -domain.length - 1);
+    } else {
+        challengeSubdomain = '_acme-challenge.' + hostname.slice(0, -domain.length - 1);
+    }
+
+    return challengeSubdomain;
+}
+
+Acme2.prototype.prepareDnsChallenge = function (hostname, domain, authorization, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof authorization, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('acmeFlow: challenges: %j', authorization);
+    let dnsChallenges = authorization.challenges.filter(function(x) { return x.type === 'dns-01'; });
+    if (dnsChallenges.length === 0) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'no dns challenges'));
+    let challenge = dnsChallenges[0];
+
+    const keyAuthorization = this.getKeyAuthorization(challenge.token);
+    let shasum = crypto.createHash('sha256');
+    shasum.update(keyAuthorization);
+
+    const txtValue = urlBase64Encode(shasum.digest('base64'));
+    let challengeSubdomain = getChallengeSubdomain(hostname, domain);
+
+    debug(`prepareDnsChallenge: update ${challengeSubdomain} with ${txtValue}`);
+
+    domains.upsertDnsRecords(challengeSubdomain, domain, 'TXT', [ `"${txtValue}"` ], function (error) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message));
+
+        domains.waitForDnsRecord(`${challengeSubdomain}`, domain, 'TXT', txtValue, { interval: 5000, times: 200 }, function (error) {
+            if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message));
+
+            callback(null, challenge);
+        });
+    });
+};
+
+Acme2.prototype.cleanupDnsChallenge = function (hostname, domain, challenge, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    const keyAuthorization = this.getKeyAuthorization(challenge.token);
+    let shasum = crypto.createHash('sha256');
+    shasum.update(keyAuthorization);
+
+    const txtValue = urlBase64Encode(shasum.digest('base64'));
+    let challengeSubdomain = getChallengeSubdomain(hostname, domain);
+
+    debug(`cleanupDnsChallenge: remove ${challengeSubdomain} with ${txtValue}`);
+
+    domains.removeDnsRecords(challengeSubdomain, domain, 'TXT', [ `"${txtValue}"` ], function (error) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error));
+
+        callback(null);
+    });
+};
+
+Acme2.prototype.prepareChallenge = function (hostname, domain, authorizationUrl, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof authorizationUrl, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    const that = this;
+    superagent.get(authorizationUrl).timeout(30 * 1000).end(function (error, response) {
+        if (error && !error.response) return callback(error);
+        if (response.statusCode !== 200) return callback(new Error('Invalid response code getting authorization : ' + response.statusCode));
+
+        const authorization = response.body;
+
+        if (that.performHttpAuthorization) {
+            that.prepareHttpChallenge(hostname, domain, authorization, callback);
+        } else {
+            that.prepareDnsChallenge(hostname, domain, authorization, callback);
+        }
+    });
+};
+
+Acme2.prototype.cleanupChallenge = function (hostname, domain, challenge, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (this.performHttpAuthorization) {
+        this.cleanupHttpChallenge(hostname, domain, challenge, callback);
+    } else {
+        this.cleanupDnsChallenge(hostname, domain, challenge, callback);
+    }
+};
+
+Acme2.prototype.acmeFlow = function (hostname, domain, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (!fs.existsSync(paths.ACME_ACCOUNT_KEY_FILE)) {
+        debug('getCertificate: generating acme account key on first run');
+        this.accountKeyPem = safe.child_process.execSync('openssl genrsa 4096');
+        if (!this.accountKeyPem) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+
+        safe.fs.writeFileSync(paths.ACME_ACCOUNT_KEY_FILE, this.accountKeyPem);
+    } else {
+        debug('getCertificate: using existing acme account key');
+        this.accountKeyPem = fs.readFileSync(paths.ACME_ACCOUNT_KEY_FILE);
+    }
+
+    var that = this;
+    this.registerUser(function (error) {
+        if (error) return callback(error);
+
+        that.newOrder(hostname, function (error, order, orderUrl) {
+            if (error) return callback(error);
+
+            async.eachSeries(order.authorizations, function (authorizationUrl, iteratorCallback) {
+                debug(`acmeFlow: authorizing ${authorizationUrl}`);
+
+                that.prepareChallenge(hostname, domain, authorizationUrl, function (error, challenge) {
+                    if (error) return iteratorCallback(error);
+
+                    async.waterfall([
+                        that.notifyChallengeReady.bind(that, challenge),
+                        that.waitForChallenge.bind(that, challenge),
+                        that.createKeyAndCsr.bind(that, hostname),
+                        that.signCertificate.bind(that, hostname, order.finalize),
+                        that.waitForOrder.bind(that, orderUrl),
+                        that.downloadCertificate.bind(that, hostname)
+                    ], function (error) {
+                        that.cleanupChallenge(hostname, domain, challenge, function (cleanupError) {
+                            if (cleanupError) debug('acmeFlow: ignoring error when cleaning up challenge:', cleanupError);
+
+                            iteratorCallback(error);
+                        });
+                    });
+                });
+            }, callback);
+        });
+    });
+};
+
+Acme2.prototype.getDirectory = function (callback) {
+    const that = this;
+
+    superagent.get(this.caDirectory).timeout(30 * 1000).end(function (error, response) {
+        if (error && !error.response) return callback(error);
+        if (response.statusCode !== 200) return callback(new Error('Invalid response code when fetching directory : ' + response.statusCode));
+
+        if (typeof response.body.newNonce !== 'string' ||
+            typeof response.body.newOrder !== 'string' ||
+            typeof response.body.newAccount !== 'string') return callback(new Error(`Invalid response body : ${response.body}`));
+
+        that.directory = response.body;
+
+        callback(null);
+    });
+};
+
+Acme2.prototype.getCertificate = function (hostname, domain, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`getCertificate: start acme flow for ${hostname} from ${this.caDirectory}`);
+
+    if (hostname !== domain && this.wildcard) { // bare domain is not part of wildcard SAN
+        hostname = domains.makeWildcard(hostname);
+        debug(`getCertificate: will get wildcard cert for ${hostname}`);
+    }
+
+    const that = this;
+    this.getDirectory(function (error) {
+        if (error) return callback(error);
+
+        that.acmeFlow(hostname, domain, function (error) {
+            if (error) return callback(error);
+
+            var outdir = paths.APP_CERTS_DIR;
+            const certName = hostname.replace('*.', '_.');
+            callback(null, path.join(outdir, `${certName}.cert`), path.join(outdir, `${certName}.key`));
+        });
+    });
+};
+
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    var acme = new Acme2(options || { });
+    acme.getCertificate(hostname, domain, callback);
+}

src/cert/caas.js

@@ -10,12 +10,13 @@ exports = module.exports = {
 var assert = require('assert'),
     debug = require('debug')('box:cert/caas.js');
 
-function getCertificate(vhost, options, callback) {
-    assert.strictEqual(typeof vhost, 'string');
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    debug('getCertificate: using fallback certificate', vhost);
+    debug('getCertificate: using fallback certificate', hostname);
 
     return callback(null, '', '');
 }

src/cert/fallback.js

@@ -10,12 +10,13 @@ exports = module.exports = {
 var assert = require('assert'),
     debug = require('debug')('box:cert/fallback.js');
 
-function getCertificate(vhost, options, callback) {
-    assert.strictEqual(typeof vhost, 'string');
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    debug('getCertificate: using fallback certificate', vhost);
+    debug('getCertificate: using fallback certificate', hostname);
 
     return callback(null, '', '');
 }

src/cert/interface.js

@@ -12,7 +12,8 @@ exports = module.exports = {
 
 var assert = require('assert');
 
-function getCertificate(domain, options, callback) {
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');

src/cloudron.js

@@ -74,7 +74,7 @@ function initialize(callback) {
     async.series([
         settings.initialize,
         reverseProxy.configureDefaultServer,
-        cron.initialize, // required for caas heartbeat before activation
+        cron.startPreActivationJobs,
         onActivated
     ], callback);
 }
@@ -83,7 +83,7 @@ function uninitialize(callback) {
     assert.strictEqual(typeof callback, 'function');
 
     async.series([
-        cron.uninitialize,
+        cron.stopJobs,
         platform.stop,
         settings.uninitialize
     ], callback);
@@ -99,7 +99,10 @@ function onActivated(callback) {
         if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
         if (!count) return callback(); // not activated
 
-        platform.start(callback);
+        async.series([
+            platform.start,
+            cron.startPostActivationJobs
+        ], callback);
     });
 }
 

src/config.js

@@ -234,7 +234,8 @@ function isSpacesEnabled() {
 }
 
 function allowHyphenatedSubdomains() {
-    return get('edition') === 'hostingprovider';
+    // we should move caas also to hostingprovider edition at some point
+    return get('edition') === 'hostingprovider' || get('provider') === 'caas';
 }
 
 function allowOperatorActions() {

src/cron.js

@@ -1,11 +1,14 @@
 'use strict';
 
 exports = module.exports = {
-    initialize: initialize,
-    uninitialize: uninitialize
+    startPostActivationJobs: startPostActivationJobs,
+    startPreActivationJobs: startPreActivationJobs,
+
+    stopJobs: stopJobs
 };
 
-var apps = require('./apps.js'),
+var appHealthMonitor = require('./apphealthmonitor.js'),
+    apps = require('./apps.js'),
     appstore = require('./appstore.js'),
     assert = require('assert'),
     backups = require('./backups.js'),
@@ -41,7 +44,8 @@ var gJobs = {
     digestEmail: null,
     dockerVolumeCleaner: null,
     dynamicDNS: null,
-    schedulerSync: null
+    schedulerSync: null,
+    appHealthMonitor: null
 };
 
 var NOOP_CALLBACK = function (error) { if (error) console.error(error); };
@@ -55,9 +59,7 @@ var AUDIT_SOURCE = { userId: null, username: 'cron' };
 // Months: 0-11
 // Day of Week: 0-6
 
-function initialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
+function startPreActivationJobs(callback) {
     if (config.provider() === 'caas') {
         // hack: send the first heartbeat only after we are running for 60 seconds
         // required as we end up sending a heartbeat and then cloudron-setup reboots the server
@@ -71,6 +73,12 @@ function initialize(callback) {
         });
     }
 
+    callback();
+}
+
+function startPostActivationJobs(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
     var randomHourMinute = Math.floor(60*Math.random());
     gJobs.alive = new CronJob({
         cronTime: '00 ' + randomHourMinute + ' * * * *', // every hour on a random minute
@@ -190,6 +198,14 @@ function recreateJobs(tz) {
         start: true,
         timeZone: tz
     });
+
+    if (gJobs.appHealthMonitor) gJobs.appHealthMonitor.stop();
+    gJobs.appHealthMonitor = new CronJob({
+        cronTime: '*/10 * * * * *', // every 10 seconds
+        onTick: appHealthMonitor.run.bind(null, 10),
+        start: true,
+        timeZone: tz
+    });
 }
 
 function boxAutoupdatePatternChanged(pattern) {
@@ -263,7 +279,7 @@ function dynamicDnsChanged(enabled) {
     }
 }
 
-function uninitialize(callback) {
+function stopJobs(callback) {
     assert.strictEqual(typeof callback, 'function');
 
     settings.events.removeListener(settings.TIME_ZONE_KEY, recreateJobs);

src/dns/cloudflare.js

@@ -32,6 +32,8 @@ function translateRequestError(result, callback) {
         if (error.code === 6003) {
             if (error.error_chain[0] && error.error_chain[0].code === 6103) message = 'Invalid API Key';
             else message = 'Invalid credentials';
+        } else if (error.error_chain[0] && error.error_chain[0].message) {
+            message = message + ' ' + error.error_chain[0].message;
         }
 
         return callback(new DomainsError(DomainsError.ACCESS_DENIED, message));
@@ -112,7 +114,7 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
                 var priority = null;
 
                 if (type === 'MX') {
-                    priority = value.split(' ')[0];
+                    priority = parseInt(value.split(' ')[0], 10);
                     value = value.split(' ')[1];
                 }
 
@@ -231,12 +233,10 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
 
     if (!dnsConfig.token || typeof dnsConfig.token !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'token must be a non-empty string'));
     if (!dnsConfig.email || typeof dnsConfig.email !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'email must be a non-empty string'));
-    if ('hyphenatedSubdomains' in dnsConfig && typeof dnsConfig.hyphenatedSubdomains !== 'boolean') return callback(new DomainsError(DomainsError.BAD_FIELD, 'hyphenatedSubdomains must be a boolean'));
 
     var credentials = {
         token: dnsConfig.token,
-        email: dnsConfig.email,
-        hyphenatedSubdomains: !!dnsConfig.hyphenatedSubdomains
+        email: dnsConfig.email
     };
 
     if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

src/dns/digitalocean.js

@@ -201,11 +201,9 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     if (!dnsConfig.token || typeof dnsConfig.token !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'token must be a non-empty string'));
-    if ('hyphenatedSubdomains' in dnsConfig && typeof dnsConfig.hyphenatedSubdomains !== 'boolean') return callback(new DomainsError(DomainsError.BAD_FIELD, 'hyphenatedSubdomains must be a boolean'));
 
     var credentials = {
-        token: dnsConfig.token,
-        hyphenatedSubdomains: !!dnsConfig.hyphenatedSubdomains
+        token: dnsConfig.token
     };
 
     if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

src/dns/gandi.js

@@ -113,11 +113,9 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     if (!dnsConfig.token || typeof dnsConfig.token !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'token must be a non-empty string'));
-    if ('hyphenatedSubdomains' in dnsConfig && typeof dnsConfig.hyphenatedSubdomains !== 'boolean') return callback(new DomainsError(DomainsError.BAD_FIELD, 'hyphenatedSubdomains must be a boolean'));
 
     var credentials = {
-        token: dnsConfig.token,
-        hyphenatedSubdomains: !!dnsConfig.hyphenatedSubdomains
+        token: dnsConfig.token
     };
 
     if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

src/dns/gcdns.js

@@ -24,8 +24,7 @@ function getDnsCredentials(dnsConfig) {
         credentials: {
             client_email: dnsConfig.credentials.client_email,
             private_key: dnsConfig.credentials.private_key
-        },
-        hyphenatedSubdomains: !!dnsConfig.hyphenatedSubdomains
+        }
     };
 }
 
@@ -168,7 +167,6 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
     if (!dnsConfig.credentials || typeof dnsConfig.credentials !== 'object') return callback(new DomainsError(DomainsError.BAD_FIELD, 'credentials must be an object'));
     if (typeof dnsConfig.credentials.client_email !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'credentials.client_email must be a string'));
     if (typeof dnsConfig.credentials.private_key !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'credentials.private_key must be a string'));
-    if ('hyphenatedSubdomains' in dnsConfig && typeof dnsConfig.hyphenatedSubdomains !== 'boolean') return callback(new DomainsError(DomainsError.BAD_FIELD, 'hyphenatedSubdomains must be a boolean'));
 
     var credentials = getDnsCredentials(dnsConfig);
     if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

src/dns/godaddy.js

@@ -21,6 +21,7 @@ const GODADDY_API = 'https://api.godaddy.com/v1/domains';
 // this is a workaround for godaddy not having a delete API
 // https://stackoverflow.com/questions/39347464/delete-record-libcloud-godaddy-api
 const GODADDY_INVALID_IP = '0.0.0.0';
+const GODADDY_INVALID_TXT = '""';
 
 function formatError(response) {
     return util.format(`GoDaddy DNS error [${response.statusCode}] ${response.body.message}`);
@@ -109,7 +110,7 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {
 
     debug(`get: ${subdomain} in zone ${zoneName} of type ${type} with values ${JSON.stringify(values)}`);
 
-    if (type !== 'A') return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, new Error('Not supported by GoDaddy API'))); // can never happen
+    if (type !== 'A' && type !== 'TXT') return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, new Error('Record deletion is not supported by GoDaddy API')));
 
     // check if the record exists at all so that we don't insert the "Dead" record for no reason
     get(dnsConfig, zoneName, subdomain, type, function (error, values) {
@@ -119,7 +120,7 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {
         // godaddy does not have a delete API. so fill it up with an invalid IP that we can ignore in future get()
         var records = [{
             ttl: 600,
-            data: GODADDY_INVALID_IP
+            data: type === 'A' ? GODADDY_INVALID_IP : GODADDY_INVALID_TXT
         }];
 
         superagent.put(`${GODADDY_API}/${zoneName}/records/${type}/${subdomain}`)
@@ -148,12 +149,10 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
 
     if (!dnsConfig.apiKey || typeof dnsConfig.apiKey !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'apiKey must be a non-empty string'));
     if (!dnsConfig.apiSecret || typeof dnsConfig.apiSecret !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'apiSecret must be a non-empty string'));
-    if ('hyphenatedSubdomains' in dnsConfig && typeof dnsConfig.hyphenatedSubdomains !== 'boolean') return callback(new DomainsError(DomainsError.BAD_FIELD, 'hyphenatedSubdomains must be a boolean'));
 
     var credentials = {
         apiKey: dnsConfig.apiKey,
-        apiSecret: dnsConfig.apiSecret,
-        hyphenatedSubdomains: !!dnsConfig.hyphenatedSubdomains
+        apiSecret: dnsConfig.apiSecret
     };
 
     if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

src/dns/manual.js

@@ -55,19 +55,11 @@ function verifyDnsConfig(dnsConfig, domain, zoneName, ip, callback) {
     assert.strictEqual(typeof ip, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    if ('wildcard' in dnsConfig && typeof dnsConfig.wildcard !== 'boolean') return callback(new DomainsError(DomainsError.BAD_FIELD, 'wildcard must be a boolean'));
-    if ('hyphenatedSubdomains' in dnsConfig && typeof dnsConfig.hyphenatedSubdomains !== 'boolean') return callback(new DomainsError(DomainsError.BAD_FIELD, 'hyphenatedSubdomains must be a boolean'));
-
-    var config = {
-        wildcard: !!dnsConfig.wildcard,
-        hyphenatedSubdomains: !!dnsConfig.hyphenatedSubdomains
-    };
-
     // Very basic check if the nameservers can be fetched
     dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
         if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
         if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));
 
-        callback(null, config);
+        callback(null, {});
     });
 }

src/dns/namecom.js

@@ -210,12 +210,10 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
 
     if (typeof dnsConfig.username !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'username must be a string'));
     if (typeof dnsConfig.token !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'token must be a string'));
-    if ('hyphenatedSubdomains' in dnsConfig && typeof dnsConfig.hyphenatedSubdomains !== 'boolean') return callback(new DomainsError(DomainsError.BAD_FIELD, 'hyphenatedSubdomains must be a boolean'));
 
     var credentials = {
         username: dnsConfig.username,
-        token: dnsConfig.token,
-        hyphenatedSubdomains: !!dnsConfig.hyphenatedSubdomains
+        token: dnsConfig.token
     };
 
     if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

src/dns/noop.js

@@ -46,9 +46,10 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {
     return callback();
 }
 
-function waitForDns(domain, zoneName, value, options, callback) {
+function waitForDns(domain, zoneName, type, value, options, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof type, 'string');
     assert.strictEqual(typeof value, 'string');
     assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
     assert.strictEqual(typeof callback, 'function');

src/dns/route53.js

@@ -235,7 +235,6 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
 
     if (!dnsConfig.accessKeyId || typeof dnsConfig.accessKeyId !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'accessKeyId must be a non-empty string'));
     if (!dnsConfig.secretAccessKey || typeof dnsConfig.secretAccessKey !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'secretAccessKey must be a non-empty string'));
-    if ('hyphenatedSubdomains' in dnsConfig && typeof dnsConfig.hyphenatedSubdomains !== 'boolean') return callback(new DomainsError(DomainsError.BAD_FIELD, 'hyphenatedSubdomains must be a boolean'));
 
     var credentials = {
         accessKeyId: dnsConfig.accessKeyId,
@@ -243,7 +242,6 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
         region: dnsConfig.region || 'us-east-1',
         endpoint: dnsConfig.endpoint || null,
         listHostedZonesByName: true, // new/updated creds require this perm
-        hyphenatedSubdomains: !!dnsConfig.hyphenatedSubdomains
     };
 
     if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

src/dns/waitfordns.js

@@ -30,8 +30,9 @@ function resolveIp(hostname, options, callback) {
     });
 }
 
-function isChangeSynced(domain, value, nameserver, callback) {
+function isChangeSynced(domain, type, value, nameserver, callback) {
     assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof type, 'string');
     assert.strictEqual(typeof value, 'string');
     assert.strictEqual(typeof nameserver, 'string');
     assert.strictEqual(typeof callback, 'function');
@@ -44,20 +45,30 @@ function isChangeSynced(domain, value, nameserver, callback) {
         }
 
         async.every(nsIps, function (nsIp, iteratorCallback) {
-            resolveIp(domain, { server: nsIp, timeout: 5000 }, function (error, answer) {
+            const resolveOptions = { server: nsIp, timeout: 5000 };
+            const resolver = type === 'A' ? resolveIp.bind(null, domain) : dns.resolve.bind(null, domain, 'TXT');
+
+            resolver(resolveOptions, function (error, answer) {
                 if (error && error.code === 'TIMEOUT') {
-                    debug(`isChangeSynced: NS ${nameserver} (${nsIp}) timed out when resolving ${domain}`);
+                    debug(`isChangeSynced: NS ${nameserver} (${nsIp}) timed out when resolving ${domain} (${type})`);
                     return iteratorCallback(null, true); // should be ok if dns server is down
                 }
 
                 if (error) {
-                    debug(`isChangeSynced: NS ${nameserver} (${nsIp}) errored when resolve ${domain}: ${error}`);
+                    debug(`isChangeSynced: NS ${nameserver} (${nsIp}) errored when resolve ${domain} (${type}): ${error}`);
                     return iteratorCallback(null, false);
                 }
 
-                debug(`isChangeSynced: ${domain} was resolved to ${answer} at NS ${nameserver} (${nsIp}). Expecting ${value}`);
+                let match;
+                if (type === 'A') {
+                    match = answer.length === 1 && answer[0] === value;
+                } else if (type === 'TXT') { // answer is a 2d array of strings
+                    match = answer.some(function (a) { return value === a.join(''); });
+                }
 
-                iteratorCallback(null, answer.length === 1 && answer[0] === value);
+                debug(`isChangeSynced: ${domain} (${type}) was resolved to ${answer} at NS ${nameserver} (${nsIp}). Expecting ${value}. Match ${match}`);
+
+                iteratorCallback(null, match);
             });
         }, callback);
 
@@ -65,9 +76,10 @@ function isChangeSynced(domain, value, nameserver, callback) {
 }
 
 // check if IP change has propagated to every nameserver
-function waitForDns(domain, zoneName, value, options, callback) {
+function waitForDns(domain, zoneName, type, value, options, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof zoneName, 'string');
+    assert(type === 'A' || type === 'TXT');
     assert.strictEqual(typeof value, 'string');
     assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
     assert.strictEqual(typeof callback, 'function');
@@ -82,7 +94,7 @@ function waitForDns(domain, zoneName, value, options, callback) {
         dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
             if (error || !nameservers) return retryCallback(error || new DomainsError(DomainsError.EXTERNAL_ERROR, 'Unable to get nameservers'));
 
-            async.every(nameservers, isChangeSynced.bind(null, domain, value), function (error, synced) {
+            async.every(nameservers, isChangeSynced.bind(null, domain, type, value), function (error, synced) {
                 debug('waitForDns: %s %s ns: %j', domain, synced ? 'done' : 'not done', nameservers);
 
                 retryCallback(synced ? null : new DomainsError(DomainsError.EXTERNAL_ERROR, 'ETRYAGAIN'));

src/dns/wildcard.js

@@ -0,0 +1,79 @@
+'use strict';
+
+exports = module.exports = {
+    upsert: upsert,
+    get: get,
+    del: del,
+    waitForDns: require('./waitfordns.js'),
+    verifyDnsConfig: verifyDnsConfig
+};
+
+var assert = require('assert'),
+    debug = require('debug')('box:dns/manual'),
+    dns = require('../native-dns.js'),
+    DomainsError = require('../domains.js').DomainsError,
+    sysinfo = require('../sysinfo.js'),
+    util = require('util');
+
+function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(util.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('upsert: %s for zone %s of type %s with values %j', subdomain, zoneName, type, values);
+
+    return callback(null);
+}
+
+function get(dnsConfig, zoneName, subdomain, type, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    callback(null, [ ]); // returning ip confuses apptask into thinking the entry already exists
+}
+
+function del(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(util.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    return callback();
+}
+
+function verifyDnsConfig(dnsConfig, domain, zoneName, ip, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof ip, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    // Very basic check if the nameservers can be fetched
+    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
+        if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
+        if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));
+
+        const separator = dnsConfig.hyphenatedSubdomains ? '-' : '.';
+        const fqdn = `cloudrontest${separator}${domain}`;
+        dns.resolve(fqdn, 'A', { server: '127.0.0.1', timeout: 5000 }, function (error, result) {
+            if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, `Unable to resolve ${fqdn}`));
+            if (error || !result) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : `Unable to resolve ${fqdn}`));
+
+            sysinfo.getPublicIp(function (error, ip) {
+                if (error) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, `Failed to detect IP of this server: ${error.message}`));
+
+                if (result.length !== 1 || ip !== result[0]) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, `Domain resolves to ${JSON.stringify(result)} instead of ${ip}`));
+
+                callback(null, {});
+            });
+        });
+    });
+}

src/domains.js

@@ -22,6 +22,8 @@ module.exports = exports = {
 
     validateHostname: validateHostname,
 
+    makeWildcard: makeWildcard,
+
     DomainsError: DomainsError
 };
 
@@ -73,7 +75,7 @@ DomainsError.STILL_BUSY = 'Still busy';
 DomainsError.IN_USE = 'In Use';
 DomainsError.INTERNAL_ERROR = 'Internal error';
 DomainsError.ACCESS_DENIED = 'Access denied';
-DomainsError.INVALID_PROVIDER = 'provider must be route53, gcdns, digitalocean, gandi, cloudflare, namecom, noop, manual or caas';
+DomainsError.INVALID_PROVIDER = 'provider must be route53, gcdns, digitalocean, gandi, cloudflare, namecom, noop, wildcard, manual or caas';
 
 // choose which subdomain backend we use for test purpose we use route53
 function api(provider) {
@@ -90,12 +92,13 @@ function api(provider) {
     case 'namecom': return require('./dns/namecom.js');
     case 'noop': return require('./dns/noop.js');
     case 'manual': return require('./dns/manual.js');
+    case 'wildcard': return require('./dns/wildcard.js');
     default: return null;
     }
 }
 
-function verifyDnsConfig(config, domain, zoneName, provider, ip, callback) {
-    assert(config && typeof config === 'object'); // the dns config to test with
+function verifyDnsConfig(dnsConfig, domain, zoneName, provider, ip, callback) {
+    assert(dnsConfig && typeof dnsConfig === 'object'); // the dns config to test with
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof zoneName, 'string');
     assert.strictEqual(typeof provider, 'string');
@@ -103,9 +106,20 @@ function verifyDnsConfig(config, domain, zoneName, provider, ip, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     var backend = api(provider);
-    if (!backend) return callback(new DomainsError(DomainsError.INVALID_PROVIDER));
+    if (!backend) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Invalid provider'));
 
-    api(provider).verifyDnsConfig(config, domain, zoneName, ip, callback);
+    api(provider).verifyDnsConfig(dnsConfig, domain, zoneName, ip, function (error, result) {
+        if (error && error.reason === DomainsError.ACCESS_DENIED) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Incorrect configuration. Access denied'));
+        if (error && error.reason === DomainsError.NOT_FOUND) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Zone not found'));
+        if (error && error.reason === DomainsError.EXTERNAL_ERROR) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Configuration error: ' + error.message));
+        if (error && error.reason === DomainsError.BAD_FIELD) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
+        if (error && error.reason === DomainsError.INVALID_PROVIDER) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
+        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+
+        result.hyphenatedSubdomains = !!dnsConfig.hyphenatedSubdomains;
+
+        callback(null, result);
+    });
 }
 
 function fqdn(location, domainObject) {
@@ -151,6 +165,28 @@ function validateHostname(location, domainObject) {
     return null;
 }
 
+function validateTlsConfig(tlsConfig, dnsProvider) {
+    assert.strictEqual(typeof tlsConfig, 'object');
+    assert.strictEqual(typeof dnsProvider, 'string');
+
+    switch (tlsConfig.provider) {
+    case 'letsencrypt-prod':
+    case 'letsencrypt-staging':
+    case 'fallback':
+    case 'caas':
+        break;
+    default:
+        return new DomainsError(DomainsError.BAD_FIELD, 'tlsConfig.provider must be caas, fallback, letsencrypt-prod/staging');
+    }
+
+    if (tlsConfig.wildcard) {
+        if (!tlsConfig.provider.startsWith('letsencrypt')) return new DomainsError(DomainsError.BAD_FIELD, 'wildcard can only be set with letsencrypt');
+        if (dnsProvider === 'manual' || dnsProvider === 'noop' || dnsProvider === 'wildcard') return new DomainsError(DomainsError.BAD_FIELD, 'wildcard cert requires a programmable DNS backend');
+    }
+
+    return null;
+}
+
 function add(domain, zoneName, provider, dnsConfig, fallbackCertificate, tlsConfig, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof zoneName, 'string');
@@ -175,9 +211,8 @@ function add(domain, zoneName, provider, dnsConfig, fallbackCertificate, tlsConf
         if (error) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
     }
 
-    if (tlsConfig.provider !== 'fallback' && tlsConfig.provider !== 'caas' && tlsConfig.provider.indexOf('letsencrypt-') !== 0) {
-        return callback(new DomainsError(DomainsError.BAD_FIELD, 'tlsConfig.provider must be caas, fallback or le-*'));
-    }
+    let error = validateTlsConfig(tlsConfig, provider);
+    if (error) return callback(error);
 
     if (dnsConfig.hyphenatedSubdomains && !config.allowHyphenatedSubdomains()) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Not allowed in this edition'));
 
@@ -185,12 +220,7 @@ function add(domain, zoneName, provider, dnsConfig, fallbackCertificate, tlsConf
         if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, 'Error getting IP:' + error.message));
 
         verifyDnsConfig(dnsConfig, domain, zoneName, provider, ip, function (error, result) {
-            if (error && error.reason === DomainsError.ACCESS_DENIED) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Error adding A record. Access denied'));
-            if (error && error.reason === DomainsError.NOT_FOUND) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Zone not found'));
-            if (error && error.reason === DomainsError.EXTERNAL_ERROR) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Error adding A record: ' + error.message));
-            if (error && error.reason === DomainsError.BAD_FIELD) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
-            if (error && error.reason === DomainsError.INVALID_PROVIDER) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
-            if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+            if (error) return callback(error);
 
             domaindb.add(domain, { zoneName: zoneName, provider: provider, config: result, tlsConfig: tlsConfig }, function (error) {
                 if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new DomainsError(DomainsError.ALREADY_EXISTS));
@@ -272,9 +302,8 @@ function update(domain, zoneName, provider, dnsConfig, fallbackCertificate, tlsC
             if (error) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
         }
 
-        if (tlsConfig.provider !== 'fallback' && tlsConfig.provider !== 'caas' && tlsConfig.provider.indexOf('letsencrypt-') !== 0) {
-            return callback(new DomainsError(DomainsError.BAD_FIELD, 'tlsConfig.provider must be caas, fallback or letsencrypt-*'));
-        }
+        error = validateTlsConfig(tlsConfig, provider);
+        if (error) return callback(error);
 
         if (dnsConfig.hyphenatedSubdomains && !config.allowHyphenatedSubdomains()) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Not allowed in this edition'));
 
@@ -282,12 +311,7 @@ function update(domain, zoneName, provider, dnsConfig, fallbackCertificate, tlsC
             if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, 'Error getting IP:' + error.message));
 
             verifyDnsConfig(dnsConfig, domain, zoneName, provider, ip, function (error, result) {
-                if (error && error.reason === DomainsError.ACCESS_DENIED) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Error adding A record. Access denied'));
-                if (error && error.reason === DomainsError.NOT_FOUND) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Zone not found'));
-                if (error && error.reason === DomainsError.EXTERNAL_ERROR) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Error adding A record:' + error.message));
-                if (error && error.reason === DomainsError.BAD_FIELD) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
-                if (error && error.reason === DomainsError.INVALID_PROVIDER) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
-                if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+                if (error) return callback(error);
 
                 domaindb.update(domain, { zoneName: zoneName, provider: provider, config: result, tlsConfig: tlsConfig }, function (error) {
                     if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainsError(DomainsError.NOT_FOUND));
@@ -356,6 +380,7 @@ function getDnsRecords(subdomain, domain, type, callback) {
     });
 }
 
+// note: for TXT records the values must be quoted
 function upsertDnsRecords(subdomain, domain, type, values, callback) {
     assert.strictEqual(typeof subdomain, 'string');
     assert.strictEqual(typeof domain, 'string');
@@ -396,18 +421,20 @@ function removeDnsRecords(subdomain, domain, type, values, callback) {
     });
 }
 
-// only wait for A record
-function waitForDnsRecord(fqdn, domain, value, options, callback) {
-    assert.strictEqual(typeof fqdn, 'string');
+function waitForDnsRecord(subdomain, domain, type, value, options, callback) {
+    assert.strictEqual(typeof subdomain, 'string');
     assert.strictEqual(typeof domain, 'string');
+    assert(type === 'A' || type === 'TXT');
     assert.strictEqual(typeof value, 'string');
     assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
     assert.strictEqual(typeof callback, 'function');
 
-    get(domain, function (error, result) {
+    get(domain, function (error, domainObject) {
         if (error) return callback(error);
 
-        api(result.provider).waitForDns(fqdn, result ? result.zoneName : domain, value, options, callback);
+        const hostname = fqdn(subdomain, domainObject);
+
+        api(domainObject.provider).waitForDns(hostname, domainObject.zoneName, type, value, options, callback);
     });
 }
 
@@ -452,3 +479,11 @@ function removeRestrictedFields(domain) {
 
     return result;
 }
+
+function makeWildcard(hostname) {
+    assert.strictEqual(typeof hostname, 'string');
+
+    let parts = hostname.split('.');
+    parts[0] = '*';
+    return parts.join('.');
+}

src/infra_version.js

@@ -18,7 +18,7 @@ exports = module.exports = {
         'postgresql': { repo: 'cloudron/postgresql', tag: 'cloudron/postgresql:1.1.0' },
         'mongodb': { repo: 'cloudron/mongodb', tag: 'cloudron/mongodb:1.1.0' },
         'redis': { repo: 'cloudron/redis', tag: 'cloudron/redis:1.0.0' },
-        'mail': { repo: 'cloudron/mail', tag: 'cloudron/mail:1.4.0' },
+        'mail': { repo: 'cloudron/mail', tag: 'cloudron/mail:1.5.0' },
         'graphite': { repo: 'cloudron/graphite', tag: 'cloudron/graphite:1.0.0' }
     }
 };

src/mail.js

@@ -597,6 +597,20 @@ function restartMail(callback) {
     });
 }
 
+function restartMailIfActivated(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    users.count(function (error, count) {
+        if (error) return callback(new MailError(MailError.INTERNAL_ERROR, error));
+        if (!count) {
+            debug('restartMailIfActivated: skipping restart of mail container since Cloudron is not activated yet');
+            return callback(); // not provisioned yet, do not restart container after dns setup
+        }
+
+        restartMail(callback);
+    });
+}
+
 function getDomain(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
@@ -765,7 +779,7 @@ function addDomain(domain, callback) {
 
         async.series([
             setDnsRecords.bind(null, domain), // do this first to ensure DKIM keys
-            restartMail
+            restartMailIfActivated
         ], NOOP_CALLBACK); // do these asynchronously
 
         callback();

src/native-dns.js

@@ -30,6 +30,7 @@ function resolve(hostname, rrtype, options, callback) {
         // result is an empty array if there was no error but there is no record. when you query a random
         // domain, it errors with ENOTFOUND. But if you query an existing domain (A record) but with different
         // type (CNAME) it is not an error and empty array
+        // for TXT records, result is 2d array of strings
         callback(error, result);
     });
 }

src/reverseproxy.js

@@ -22,10 +22,10 @@ exports = module.exports = {
     removeAppConfigs: removeAppConfigs,
 
     // exported for testing
-    _getApi: getApi
+    _getCertApi: getCertApi
 };
 
-var acme = require('./cert/acme.js'),
+var acme2 = require('./cert/acme2.js'),
     apps = require('./apps.js'),
     assert = require('assert'),
     async = require('async'),
@@ -77,7 +77,7 @@ ReverseProxyError.INTERNAL_ERROR = 'Internal Error';
 ReverseProxyError.INVALID_CERT = 'Invalid certificate';
 ReverseProxyError.NOT_FOUND = 'Not Found';
 
-function getApi(domain, callback) {
+function getCertApi(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
@@ -86,13 +86,13 @@ function getApi(domain, callback) {
 
         if (result.tlsConfig.provider === 'fallback') return callback(null, fallback, {});
 
-        var api = result.tlsConfig.provider === 'caas' ? caas : acme;
+        var api = result.tlsConfig.provider === 'caas' ? caas : acme2;
 
         var options = { };
-        if (result.tlsConfig.provider === 'caas') {
-            options.prod = true;
-        } else { // acme
-            options.prod = result.tlsConfig.provider.match(/.*-prod/) !== null; // matches 'le-prod' or 'letsencrypt-prod'
+        if (result.tlsConfig.provider !== 'caas') { // matches 'le-prod' or 'letsencrypt-prod'
+            options.prod = result.tlsConfig.provider.match(/.*-prod/) !== null;
+            options.performHttpAuthorization = result.provider.match(/noop|manual|wildcard/) !== null;
+            options.wildcard = !!result.tlsConfig.wildcard;
         }
 
         // registering user with an email requires A or MX record (https://github.com/letsencrypt/boulder/issues/1197)
@@ -195,80 +195,93 @@ function getFallbackCertificate(domain, callback) {
     var certFilePath = path.join(paths.NGINX_CERT_DIR, `${domain}.host.cert`);
     var keyFilePath = path.join(paths.NGINX_CERT_DIR, `${domain}.host.key`);
 
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
+    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath, type: 'provisioned' });
 
     // check for auto-generated or user set fallback certs
     certFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`);
     keyFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.key`);
 
-    callback(null, { certFilePath, keyFilePath });
+    callback(null, { certFilePath, keyFilePath, type: 'fallback' });
+}
+
+function getCertificateByHostname(hostname, domain, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    let certFilePath = path.join(paths.APP_CERTS_DIR, `${hostname}.user.cert`);
+    let keyFilePath = path.join(paths.APP_CERTS_DIR, `${hostname}.user.key`);
+
+    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
+
+    domains.get(domain, function (error, domainObject) {
+        if (error) return callback(error);
+
+        if (hostname !== domain && domainObject.tlsConfig.wildcard) { // bare domain is not part of wildcard SAN
+            let certName = domains.makeWildcard(hostname).replace('*.', '_.');
+            certFilePath = path.join(paths.APP_CERTS_DIR, `${certName}.cert`);
+            keyFilePath = path.join(paths.APP_CERTS_DIR, `${certName}.key`);
+
+            if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
+        } else {
+            certFilePath = path.join(paths.APP_CERTS_DIR, `${hostname}.cert`);
+            keyFilePath = path.join(paths.APP_CERTS_DIR, `${hostname}.key`);
+
+            if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
+        }
+
+        callback(null);
+    });
 }
 
 function getCertificate(app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    var certFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.user.cert`);
-    var keyFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.user.key`);
+    getCertificateByHostname(app.fqdn, app.domain, function (error, result) {
+        if (error || result) return callback(error, result);
 
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
-
-    certFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.cert`);
-    keyFilePath = path.join(paths.APP_CERTS_DIR, `${app.fqdn}.key`);
-
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, { certFilePath, keyFilePath });
-
-    return getFallbackCertificate(app.domain, callback);
+        return getFallbackCertificate(app.domain, callback);
+    });
 }
 
-function ensureCertificate(appDomain, auditSource, callback) {
-    assert.strictEqual(typeof appDomain, 'object');
-    assert.strictEqual(typeof appDomain.fqdn, 'string');
-    assert.strictEqual(typeof appDomain.domain, 'string');
+function ensureCertificate(vhost, domain, auditSource, callback) {
+    assert.strictEqual(typeof vhost, 'string');
+    assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    const vhost = appDomain.fqdn;
+    getCertificateByHostname(vhost, domain, function (error, result) {
+        if (result) {
+            debug(`ensureCertificate: ${vhost}. certificate already exists at ${result.keyFilePath}`);
 
-    var certFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.user.cert`);
-    var keyFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.user.key`);
+            if (result.certFilePath.endsWith('.user.cert')) return callback(null, result); // user certs cannot be renewed
+            if (!isExpiringSync(result.certFilePath, 24 * 30)) return callback(null, result);
+            debug(`ensureCertificate: ${vhost} cert require renewal`);
+        } else {
+            debug(`ensureCertificate: ${vhost} cert does not exist`);
+        }
 
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) {
-        debug('ensureCertificate: %s. user certificate already exists at %s', vhost, keyFilePath);
-        return callback(null, { certFilePath, keyFilePath, reason: 'user' });
-    }
+        getCertApi(domain, function (error, api, apiOptions) {
+            if (error) return callback(error);
 
-    certFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.cert`);
-    keyFilePath = path.join(paths.APP_CERTS_DIR, `${vhost}.key`);
+            debug('ensureCertificate: getting certificate for %s with options %j', vhost, apiOptions);
 
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) {
-        debug('ensureCertificate: %s. certificate already exists at %s', vhost, keyFilePath);
+            api.getCertificate(vhost, domain, apiOptions, function (error, certFilePath, keyFilePath) {
+                var errorMessage = error ? error.message : '';
 
-        if (!isExpiringSync(certFilePath, 24 * 30)) return callback(null, { certFilePath, keyFilePath, reason: 'existing-le' });
-        debug('ensureCertificate: %s cert require renewal', vhost);
-    } else {
-        debug('ensureCertificate: %s cert does not exist', vhost);
-    }
+                if (error) {
+                    debug('ensureCertificate: could not get certificate. using fallback certs', error);
+                    mailer.certificateRenewalError(vhost, errorMessage);
+                }
 
-    getApi(appDomain.domain, function (error, api, apiOptions) {
-        if (error) return callback(error);
+                eventlog.add(eventlog.ACTION_CERTIFICATE_RENEWAL, auditSource, { domain: vhost, errorMessage: errorMessage });
 
-        debug('ensureCertificate: getting certificate for %s with options %j', vhost, apiOptions);
+                // if no cert was returned use fallback. the fallback/caas provider will not provide any for example
+                if (!certFilePath || !keyFilePath) return getFallbackCertificate(domain, callback);
 
-        api.getCertificate(vhost, apiOptions, function (error, certFilePath, keyFilePath) {
-            var errorMessage = error ? error.message : '';
-
-            if (error) {
-                debug('ensureCertificate: could not get certificate. using fallback certs', error);
-                mailer.certificateRenewalError(vhost, errorMessage);
-            }
-
-            eventlog.add(eventlog.ACTION_CERTIFICATE_RENEWAL, auditSource, { domain: vhost, errorMessage: errorMessage });
-
-            // if no cert was returned use fallback. the fallback/caas provider will not provide any for example
-            if (!certFilePath || !keyFilePath) return getFallbackCertificate(appDomain.domain, callback);
-
-            callback(null, { certFilePath, keyFilePath, reason: 'new-le' });
+                callback(null, { certFilePath, keyFilePath, type: 'new-le' });
+            });
         });
     });
 }
@@ -302,8 +315,7 @@ function configureAdmin(auditSource, callback) {
     assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    var adminAppDomain = { domain: config.adminDomain(), fqdn: config.adminFqdn() };
-    ensureCertificate(adminAppDomain, auditSource, function (error, bundle) {
+    ensureCertificate(config.adminFqdn(), config.adminDomain(), auditSource, function (error, bundle) {
         if (error) return callback(error);
 
         writeAdminConfig(bundle, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn(), callback);
@@ -379,20 +391,17 @@ function configureApp(app, auditSource, callback) {
     assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    ensureCertificate({ fqdn: app.fqdn, domain: app.domain }, auditSource, function (error, bundle) {
+    ensureCertificate(app.fqdn, app.domain, auditSource, function (error, bundle) {
         if (error) return callback(error);
 
         writeAppConfig(app, bundle, function (error) {
             if (error) return callback(error);
 
-            // now setup alternateDomain redirects if any
-            async.eachSeries(app.alternateDomains, function (domain, callback) {
-                var fqdn = (domain.subdomain ? (domain.subdomain + '.') : '') + domain.domain;
-
-                ensureCertificate({ fqdn: fqdn, domain: domain.domain }, auditSource, function (error, bundle) {
+            async.eachSeries(app.alternateDomains, function (alternateDomain, callback) {
+                ensureCertificate(alternateDomain.fqdn, alternateDomain.domain, auditSource, function (error, bundle) {
                     if (error) return callback(error);
 
-                    writeAppRedirectConfig(app, fqdn, bundle, callback);
+                    writeAppRedirectConfig(app, alternateDomain.fqdn, bundle, callback);
                 });
             }, callback);
         });
@@ -420,40 +429,40 @@ function renewAll(auditSource, callback) {
     apps.getAll(function (error, allApps) {
         if (error) return callback(error);
 
-        var allDomains = [];
+        var appDomains = [];
 
-         // add webadmin domain
-        allDomains.push({ domain: config.adminDomain(), fqdn: config.adminFqdn(), type: 'webadmin' });
+        // add webadmin domain
+        appDomains.push({ domain: config.adminDomain(), fqdn: config.adminFqdn(), type: 'webadmin', nginxConfigFilename: constants.NGINX_ADMIN_CONFIG_FILE_NAME });
 
         // add app main
         allApps.forEach(function (app) {
-            allDomains.push({ domain: app.domain, fqdn: app.fqdn, type: 'main', app: app });
+            appDomains.push({ domain: app.domain, fqdn: app.fqdn, type: 'main', app: app, nginxConfigFilename: path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf') });
 
-            // and alternate domains
-            app.alternateDomains.forEach(function (domain) {
-                // TODO support hyphenated domains here as well
-                var fqdn = (domain.subdomain ? (domain.subdomain + '.') : '') + domain.domain;
-
-                allDomains.push({ domain: domain.domain, fqdn: fqdn, type: 'alternate', app: app });
+            app.alternateDomains.forEach(function (alternateDomain) {
+                let nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, `${app.id}-redirect-${alternateDomain.fqdn}.conf`);
+                appDomains.push({ domain: alternateDomain.domain, fqdn: alternateDomain.fqdn, type: 'alternate', app: app, nginxConfigFilename: nginxConfigFilename });
             });
         });
 
-        async.eachSeries(allDomains, function (domain, iteratorCallback) {
-            ensureCertificate(domain, auditSource, function (error, bundle) {
+        async.eachSeries(appDomains, function (appDomain, iteratorCallback) {
+            ensureCertificate(appDomain.fqdn, appDomain.domain, auditSource, function (error, bundle) {
                 if (error) return iteratorCallback(error); // this can happen if cloudron is not setup yet
-                if (bundle.reason !== 'new-le' && bundle.reason !== 'fallback') return iteratorCallback();
 
-                // reconfigure for the case where we got a renewed cert after fallback
+                // hack to check if the app's cert changed or not
+                let currentNginxConfig = safe.fs.readFileSync(appDomain.nginxConfigFilename, 'utf8') || '';
+                if (currentNginxConfig.includes(bundle.certFilePath)) return iteratorCallback();
+
+                // reconfigure since the cert changed
                 var configureFunc;
-                if (domain.type === 'webadmin') configureFunc = writeAdminConfig.bind(null, bundle, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn());
-                else if (domain.type === 'main') configureFunc = writeAppConfig.bind(null, domain.app, bundle);
-                else if (domain.type === 'alternate') configureFunc = writeAppRedirectConfig.bind(null, domain.app, domain.fqdn, bundle);
-                else return callback(new Error(`Unknown domain type for ${domain.fqdn}. This should never happen`));
+                if (appDomain.type === 'webadmin') configureFunc = writeAdminConfig.bind(null, bundle, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn());
+                else if (appDomain.type === 'main') configureFunc = writeAppConfig.bind(null, appDomain.app, bundle);
+                else if (appDomain.type === 'alternate') configureFunc = writeAppRedirectConfig.bind(null, appDomain.app, appDomain.fqdn, bundle);
+                else return callback(new Error(`Unknown domain type for ${appDomain.fqdn}. This should never happen`));
 
                 configureFunc(function (ignoredError) {
                     if (ignoredError) debug('renewAll: error reconfiguring app', ignoredError);
 
-                    platform.handleCertChanged(domain.fqdn);
+                    platform.handleCertChanged(appDomain.fqdn);
 
                     iteratorCallback(); // move to next domain
                 });

src/routes/apps.js

@@ -154,7 +154,7 @@ function installApp(req, res, next) {
         if (error && error.reason === AppsError.BAD_FIELD) return next(new HttpError(400, error.message));
         if (error && error.reason === AppsError.BILLING_REQUIRED) return next(new HttpError(402, error.message));
         if (error && error.reason === AppsError.BAD_CERTIFICATE) return next(new HttpError(400, error.message));
-        if (error && error.reason === AppsError.EXTERNAL_ERROR) return next(new HttpError(503, error.message));
+        if (error && error.reason === AppsError.EXTERNAL_ERROR) return next(new HttpError(424, error.message));
         if (error) return next(new HttpError(500, error));
 
         next(new HttpSuccess(202, app));
@@ -270,7 +270,7 @@ function backupApp(req, res, next) {
     apps.backup(req.params.id, function (error) {
         if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
         if (error && error.reason === AppsError.BAD_STATE) return next(new HttpError(409, error.message));
-        if (error && error.reason === AppsError.EXTERNAL_ERROR) return next(new HttpError(503, error));
+        if (error && error.reason === AppsError.EXTERNAL_ERROR) return next(new HttpError(424, error));
         if (error) return next(new HttpError(500, error));
 
         next(new HttpSuccess(202, { }));

src/routes/backups.js

@@ -24,7 +24,7 @@ function get(req, res, next) {
     if (!perPage || perPage < 0) return next(new HttpError(400, 'per_page query param has to be a postive number'));
 
     backups.getByStatePaged(backupdb.BACKUP_STATE_NORMAL, page, perPage, function (error, result) {
-        if (error && error.reason === BackupsError.EXTERNAL_ERROR) return next(new HttpError(503, error.message));
+        if (error && error.reason === BackupsError.EXTERNAL_ERROR) return next(new HttpError(424, error.message));
         if (error) return next(new HttpError(500, error));
 
         next(new HttpSuccess(200, { backups: result }));

src/routes/domains.js

@@ -29,13 +29,20 @@ function add(req, res, next) {
 
     if (typeof req.body.domain !== 'string') return next(new HttpError(400, 'domain must be a string'));
     if (typeof req.body.provider !== 'string') return next(new HttpError(400, 'provider must be a string'));
-    if (typeof req.body.config !== 'object') return next(new HttpError(400, 'config must be an object'));
+
+    if (!req.body.config || typeof req.body.config !== 'object') return next(new HttpError(400, 'config must be an object'));
+    if ('hyphenatedSubdomains' in req.body.config && typeof req.body.config.hyphenatedSubdomains !== 'boolean') return next(new HttpError(400, 'hyphenatedSubdomains must be a boolean'));
+    if ('wildcard' in req.body.config && typeof req.body.config.wildcard !== 'boolean') return next(new HttpError(400, 'wildcard must be a boolean'));
+
     if ('zoneName' in req.body && typeof req.body.zoneName !== 'string') return next(new HttpError(400, 'zoneName must be a string'));
     if ('fallbackCertificate' in req.body && typeof req.body.fallbackCertificate !== 'object') return next(new HttpError(400, 'fallbackCertificate must be a object with cert and key strings'));
     if (req.body.fallbackCertificate && (!req.body.cert || typeof req.body.cert !== 'string')) return next(new HttpError(400, 'fallbackCertificate.cert must be a string'));
     if (req.body.fallbackCertificate && (!req.body.key || typeof req.body.key !== 'string')) return next(new HttpError(400, 'fallbackCertificate.key must be a string'));
-    if ('tlsConfig' in req.body && typeof req.body.tlsConfig !== 'object') return next(new HttpError(400, 'tlsConfig must be a object with a provider string property'));
-    if (req.body.tlsConfig && (!req.body.tlsConfig.provider || typeof req.body.tlsConfig.provider !== 'string')) return next(new HttpError(400, 'tlsConfig.provider must be a string'));
+
+    if ('tlsConfig' in req.body) {
+        if (!req.body.tlsConfig || typeof req.body.tlsConfig !== 'object') return next(new HttpError(400, 'tlsConfig must be a object with a provider string property'));
+        if (!req.body.tlsConfig.provider || typeof req.body.tlsConfig.provider !== 'string') return next(new HttpError(400, 'tlsConfig.provider must be a string'));
+    }
 
     // some DNS providers like DigitalOcean take a really long time to verify credentials (https://github.com/expressjs/timeout/issues/26)
     req.clearTimeout();
@@ -76,13 +83,20 @@ function update(req, res, next) {
     assert.strictEqual(typeof req.body, 'object');
 
     if (typeof req.body.provider !== 'string') return next(new HttpError(400, 'provider must be an object'));
-    if (typeof req.body.config !== 'object') return next(new HttpError(400, 'config must be an object'));
+
+    if (!req.body.config || typeof req.body.config !== 'object') return next(new HttpError(400, 'config must be an object'));
+    if ('hyphenatedSubdomains' in req.body.config && typeof req.body.config.hyphenatedSubdomains !== 'boolean') return next(new HttpError(400, 'hyphenatedSubdomains must be a boolean'));
+    if ('wildcard' in req.body.config && typeof req.body.config.wildcard !== 'boolean') return next(new HttpError(400, 'wildcard must be a boolean'));
+
     if ('zoneName' in req.body && typeof req.body.zoneName !== 'string') return next(new HttpError(400, 'zoneName must be a string'));
     if ('fallbackCertificate' in req.body && typeof req.body.fallbackCertificate !== 'object') return next(new HttpError(400, 'fallbackCertificate must be a object with cert and key strings'));
     if (req.body.fallbackCertificate && (!req.body.fallbackCertificate.cert || typeof req.body.fallbackCertificate.cert !== 'string')) return next(new HttpError(400, 'fallbackCertificate.cert must be a string'));
     if (req.body.fallbackCertificate && (!req.body.fallbackCertificate.key || typeof req.body.fallbackCertificate.key !== 'string')) return next(new HttpError(400, 'fallbackCertificate.key must be a string'));
-    if ('tlsConfig' in req.body && typeof req.body.tlsConfig !== 'object') return next(new HttpError(400, 'tlsConfig must be a object with a provider string property'));
-    if (req.body.tlsConfig && (!req.body.tlsConfig.provider || typeof req.body.tlsConfig.provider !== 'string')) return next(new HttpError(400, 'tlsConfig.provider must be a string'));
+
+    if ('tlsConfig' in req.body) {
+        if (!req.body.tlsConfig || typeof req.body.tlsConfig !== 'object') return next(new HttpError(400, 'tlsConfig must be a object with a provider string property'));
+        if (!req.body.tlsConfig.provider || typeof req.body.tlsConfig.provider !== 'string') return next(new HttpError(400, 'tlsConfig.provider must be a string'));
+    }
 
     // some DNS providers like DigitalOcean take a really long time to verify credentials (https://github.com/expressjs/timeout/issues/26)
     req.clearTimeout();

src/routes/mail.js

@@ -88,7 +88,7 @@ function setDnsRecords(req, res, next) {
 
     mail.setDnsRecords(req.params.domain, function (error) {
         if (error && error.reason === MailError.NOT_FOUND) return next(new HttpError(404, error.message));
-        if (error && error.reason === MailError.EXTERNAL_ERROR) return next(new HttpError(503, error.message));
+        if (error && error.reason === MailError.EXTERNAL_ERROR) return next(new HttpError(424, error.message));
         if (error) return next(new HttpError(500, error));
 
         next(new HttpSuccess(201));

src/routes/settings.js

@@ -169,7 +169,7 @@ function setBackupConfig(req, res, next) {
 
     settings.setBackupConfig(req.body, function (error) {
         if (error && error.reason === SettingsError.BAD_FIELD) return next(new HttpError(400, error.message));
-        if (error && error.reason === SettingsError.EXTERNAL_ERROR) return next(new HttpError(402, error.message));
+        if (error && error.reason === SettingsError.EXTERNAL_ERROR) return next(new HttpError(424, error.message));
         if (error) return next(new HttpError(500, error));
 
         next(new HttpSuccess(200, {}));
@@ -197,7 +197,7 @@ function setPlatformConfig(req, res, next) {
 
     settings.setPlatformConfig(req.body, function (error) {
         if (error && error.reason === SettingsError.BAD_FIELD) return next(new HttpError(400, error.message));
-        if (error && error.reason === SettingsError.EXTERNAL_ERROR) return next(new HttpError(402, error.message));
+        if (error && error.reason === SettingsError.EXTERNAL_ERROR) return next(new HttpError(424, error.message));
         if (error) return next(new HttpError(500, error));
 
         next(new HttpSuccess(200, {}));
@@ -225,7 +225,7 @@ function setAppstoreConfig(req, res, next) {
 
     settings.setAppstoreConfig(options, function (error) {
         if (error && error.reason === SettingsError.BAD_FIELD) return next(new HttpError(400, error.message));
-        if (error && error.reason === SettingsError.EXTERNAL_ERROR) return next(new HttpError(406, error.message));
+        if (error && error.reason === SettingsError.EXTERNAL_ERROR) return next(new HttpError(424, error.message));
         if (error) return next(new HttpError(500, error));
 
         settings.getAppstoreConfig(function (error, result) {

src/routes/setup.js

@@ -54,7 +54,7 @@ function setupTokenAuth(req, res, next) {
     caas.verifySetupToken(req.query.setupToken, function (error) {
         if (error && error.reason === CaasError.BAD_STATE) return next(new HttpError(409, 'Already setup'));
         if (error && error.reason === CaasError.INVALID_TOKEN) return next(new HttpError(401, 'Invalid token'));
-        if (error && error.reason === CaasError.EXTERNAL_ERROR) return next(new HttpError(503, error.message));
+        if (error && error.reason === CaasError.EXTERNAL_ERROR) return next(new HttpError(424, error.message));
 
         if (error) return next(new HttpError(500, error));
 
@@ -120,7 +120,7 @@ function activate(req, res, next) {
         caas.setupDone(req.query.setupToken, function (error) {
             if (error && error.reason === CaasError.BAD_STATE) return next(new HttpError(409, 'Already setup'));
             if (error && error.reason === CaasError.INVALID_TOKEN) return next(new HttpError(401, 'Invalid token'));
-            if (error && error.reason === CaasError.EXTERNAL_ERROR) return next(new HttpError(503, error.message));
+            if (error && error.reason === CaasError.EXTERNAL_ERROR) return next(new HttpError(424, error.message));
 
             if (error) return next(new HttpError(500, error));
 
@@ -147,7 +147,7 @@ function restore(req, res, next) {
         if (error && error.reason === SetupError.ALREADY_SETUP) return next(new HttpError(409, error.message));
         if (error && error.reason === SetupError.BAD_FIELD) return next(new HttpError(400, error.message));
         if (error && error.reason === SetupError.BAD_STATE) return next(new HttpError(409, error.message));
-        if (error && error.reason === SetupError.EXTERNAL_ERROR) return next(new HttpError(402, error.message));
+        if (error && error.reason === SetupError.EXTERNAL_ERROR) return next(new HttpError(424, error.message));
         if (error) return next(new HttpError(500, error));
 
         next(new HttpSuccess(200));

src/routes/test/apps-test.js

@@ -15,7 +15,6 @@ var accesscontrol = require('../../accesscontrol.js'),
     clients = require('../../clients.js'),
     config = require('../../config.js'),
     constants = require('../../constants.js'),
-    apphealthmonitor = require('../../apphealthmonitor.js'),
     database = require('../../database.js'),
     docker = require('../../docker.js').connection,
     expect = require('expect.js'),
@@ -251,7 +250,6 @@ function stopBox(done) {
 
     // db is not cleaned up here since it's too late to call it after server.stop. if called before server.stop taskmanager apptasks are unhappy :/
     async.series([
-        apphealthmonitor.stop,
         taskmanager.stopPendingTasks,
         taskmanager.waitForPendingTasks,
         appdb._clear,
@@ -643,7 +641,6 @@ describe('App installation', function () {
 
         async.series([
             startBox,
-            apphealthmonitor.start,
 
             function (callback) {
                 apiHockInstance

src/routes/test/caas-test.js

@@ -122,7 +122,7 @@ describe('Caas', function () {
                 .query({ setupToken: 'somesetuptoken' })
                 .send({ username: 'someuser', password: 'strong#A3asdf', email: 'admin@foo.bar' })
                 .end(function (error, result) {
-                    expect(result.statusCode).to.equal(503);
+                    expect(result.statusCode).to.equal(424);
                     expect(scope.isDone()).to.be.ok();
                     done();
                 });

src/routes/test/mail-test.js

@@ -18,6 +18,15 @@ var async = require('async'),
 
 var SERVER_URL = 'http://localhost:' + config.get('port');
 
+const ADMIN_DOMAIN = {
+    domain: 'admin.com',
+    zoneName: 'admin.com',
+    config: {},
+    provider: 'noop',
+    fallbackCertificate: null,
+    tlsConfig: { provider: 'fallback' }
+};
+
 const DOMAIN_0 = {
     domain: 'example-mail-test.com',
     zoneName: 'example-mail-test.com',
@@ -33,13 +42,21 @@ var userId = '';
 
 function setup(done) {
     config._reset();
-    config.setFqdn(DOMAIN_0.domain);
-    config.setAdminFqdn('my.example-mail-test.com');
 
     async.series([
         server.start.bind(null),
         database._clear.bind(null),
-        domains.add.bind(null, DOMAIN_0.domain, DOMAIN_0.zoneName, DOMAIN_0.provider, DOMAIN_0.config, DOMAIN_0.fallbackCertificate, DOMAIN_0.tlsConfig),
+
+        function dnsSetup(callback) {
+            superagent.post(SERVER_URL + '/api/v1/cloudron/dns_setup')
+                .send({ provider: ADMIN_DOMAIN.provider, domain: ADMIN_DOMAIN.domain, adminFqdn: 'my.' + ADMIN_DOMAIN.domain, config: ADMIN_DOMAIN.config })
+                .end(function (error, result) {
+                    expect(result).to.be.ok();
+                    expect(result.statusCode).to.eql(200);
+
+                    callback();
+                });
+        },
 
         function createAdmin(callback) {
             superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
@@ -57,6 +74,17 @@ function setup(done) {
                 });
         },
 
+        function createDomain(callback) {
+            superagent.post(SERVER_URL + '/api/v1/domains')
+                .query({ access_token: token })
+                .send(DOMAIN_0)
+                .end(function (error, result) {
+                    expect(result.statusCode).to.equal(201);
+
+                    callback();
+                });
+        },
+
         function getUserId(callback) {
             userdb.getByUsername(USERNAME, function (error, result) {
                 expect(error).to.not.be.ok();
@@ -178,7 +206,17 @@ describe('Mail API', function () {
                 });
         });
 
-        it('can delete domain', function (done) {
+        it('cannot delete admin mail domain', function (done) {
+            superagent.del(SERVER_URL + '/api/v1/mail/' + ADMIN_DOMAIN.domain)
+                .send({ password: PASSWORD })
+                .query({ access_token: token })
+                .end(function (err, res) {
+                    expect(res.statusCode).to.equal(409);
+                    done();
+                });
+        });
+
+        it('can delete admin mail domain', function (done) {
             superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
                 .send({ password: PASSWORD })
                 .query({ access_token: token })

src/routes/test/settings-test.js

@@ -320,7 +320,7 @@ describe('Settings API', function () {
                 .send({ userId: 'nebulon', token: 'sometoken' })
                 .end(function (err, res) {
                     expect(scope.isDone()).to.be.ok();
-                    expect(res.statusCode).to.equal(406);
+                    expect(res.statusCode).to.equal(424);
                     expect(res.body.message).to.equal('invalid appstore token');
 
                     done();
@@ -350,7 +350,7 @@ describe('Settings API', function () {
                 .send({ userId: 'nebulon', token: 'sometoken' })
                 .end(function (err, res) {
                     expect(scope.isDone()).to.be.ok();
-                    expect(res.statusCode).to.equal(406);
+                    expect(res.statusCode).to.equal(424);
                     expect(res.body.message).to.equal('wrong user');
 
                     done();

src/setup.js

@@ -144,7 +144,7 @@ function configureWebadmin(callback) {
             debug('addWebadminDnsRecord: updated records with error:', error);
             if (error) return configureReverseProxy(error);
 
-            domains.waitForDnsRecord(config.adminFqdn(), config.adminDomain(), ip, { interval: 30000, times: 50000 }, function (error) {
+            domains.waitForDnsRecord(config.adminLocation(), config.adminDomain(), 'A', ip, { interval: 30000, times: 50000 }, function (error) {
                 if (error) return configureReverseProxy(error);
 
                 gWebadminStatus.dns = true;
@@ -293,8 +293,9 @@ function restore(backupConfig, backupId, version, callback) {
             async.series([
                 backups.restore.bind(null, backupConfig, backupId),
                 autoprovision,
-                // currently, our suggested restore flow is after a dnsSetup. This re-creates DKIM keys and updates the DNS
-                // for this reason, we have to re-setup DNS after a restore. Once we have a 100% IP based restore, we can skip this
+                // currently, our suggested restore flow is after a dnsSetup. The dnSetup creates DKIM keys and updates the DNS
+                // for this reason, we have to re-setup DNS after a restore so it has DKIm from the backup
+                // Once we have a 100% IP based restore, we can skip this
                 mail.setDnsRecords.bind(null, config.adminDomain()),
                 shell.sudo.bind(null, 'restart', [ RESTART_CMD ])
             ], function (error) {

src/storage/s3.js

@@ -48,6 +48,10 @@ function S3_NOT_FOUND(error) {
     return error.code === 'NoSuchKey' || error.code === 'NotFound' || error.code === 'ENOENT';
 }
 
+function S3_ACCESS_DENIED(error) {
+    return error.code === 'AccessDenied' || error.statusCode === 403;
+}
+
 function getCaasConfig(apiConfig, callback) {
     assert.strictEqual(typeof apiConfig, 'object');
     assert.strictEqual(typeof callback, 'function');

src/test/reverseproxy-test.js

@@ -128,19 +128,10 @@ describe('Certificates', function () {
         after(cleanup);
 
         it('returns prod caas for prod cloudron', function (done) {
-            reverseProxy._getApi(DOMAIN_0.domain, function (error, api, options) {
+            reverseProxy._getCertApi(DOMAIN_0.domain, function (error, api, options) {
                 expect(error).to.be(null);
                 expect(api._name).to.be('caas');
-                expect(options.prod).to.be(true);
-                done();
-            });
-        });
-
-        it('returns prod caas for dev cloudron', function (done) {
-            reverseProxy._getApi(DOMAIN_0.domain, function (error, api, options) {
-                expect(error).to.be(null);
-                expect(api._name).to.be('caas');
-                expect(options.prod).to.be(true);
+                expect(options).to.eql({ email: 'support@cloudron.io' });
                 done();
             });
         });
@@ -159,7 +150,7 @@ describe('Certificates', function () {
         after(cleanup);
 
         it('returns prod acme in prod cloudron', function (done) {
-            reverseProxy._getApi(DOMAIN_0.domain, function (error, api, options) {
+            reverseProxy._getCertApi(DOMAIN_0.domain, function (error, api, options) {
                 expect(error).to.be(null);
                 expect(api._name).to.be('acme');
                 expect(options.prod).to.be(true);
@@ -168,7 +159,7 @@ describe('Certificates', function () {
         });
 
         it('returns prod acme in dev cloudron', function (done) {
-            reverseProxy._getApi(DOMAIN_0.domain, function (error, api, options) {
+            reverseProxy._getCertApi(DOMAIN_0.domain, function (error, api, options) {
                 expect(error).to.be(null);
                 expect(api._name).to.be('acme');
                 expect(options.prod).to.be(true);
@@ -190,7 +181,7 @@ describe('Certificates', function () {
         after(cleanup);
 
         it('returns staging acme in prod cloudron', function (done) {
-            reverseProxy._getApi(DOMAIN_0.domain, function (error, api, options) {
+            reverseProxy._getCertApi(DOMAIN_0.domain, function (error, api, options) {
                 expect(error).to.be(null);
                 expect(api._name).to.be('acme');
                 expect(options.prod).to.be(false);
@@ -199,7 +190,7 @@ describe('Certificates', function () {
         });
 
         it('returns staging acme in dev cloudron', function (done) {
-            reverseProxy._getApi(DOMAIN_0.domain, function (error, api, options) {
+            reverseProxy._getCertApi(DOMAIN_0.domain, function (error, api, options) {
                 expect(error).to.be(null);
                 expect(api._name).to.be('acme');
                 expect(options.prod).to.be(false);