2019-06-30 17:07:58 -05:00
|
|
|
// Copyright 2015 Matthew Holt and The Caddy Authors
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
2019-04-25 14:54:48 -05:00
|
|
|
package caddytls
|
|
|
|
|
|
|
|
import (
|
2019-09-24 17:46:39 -05:00
|
|
|
"crypto/x509"
|
2019-04-25 14:54:48 -05:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2019-09-24 17:46:39 -05:00
|
|
|
"io/ioutil"
|
2019-06-20 21:36:29 -05:00
|
|
|
"net/url"
|
2019-04-26 13:35:39 -05:00
|
|
|
"time"
|
2019-04-25 14:54:48 -05:00
|
|
|
|
2019-07-02 13:37:06 -05:00
|
|
|
"github.com/caddyserver/caddy/v2"
|
2019-09-12 18:31:10 -05:00
|
|
|
"github.com/go-acme/lego/v3/challenge"
|
2019-04-25 14:54:48 -05:00
|
|
|
"github.com/mholt/certmagic"
|
|
|
|
)
|
|
|
|
|
|
|
|
func init() {
|
2019-08-21 11:46:35 -05:00
|
|
|
caddy.RegisterModule(ACMEManagerMaker{})
|
2019-04-25 14:54:48 -05:00
|
|
|
}
|
|
|
|
|
2019-06-04 23:43:21 -05:00
|
|
|
// ACMEManagerMaker makes an ACME manager
|
|
|
|
// for managing certificates using ACME.
|
|
|
|
// If crafting one manually rather than
|
|
|
|
// through the config-unmarshal process
|
|
|
|
// (provisioning), be sure to call
|
|
|
|
// SetDefaults to ensure sane defaults
|
|
|
|
// after you have configured this struct
|
|
|
|
// to your liking.
|
|
|
|
type ACMEManagerMaker struct {
|
2019-12-10 15:36:46 -05:00
|
|
|
// The URL to the CA's ACME directory endpoint.
|
|
|
|
CA string `json:"ca,omitempty"`
|
|
|
|
|
|
|
|
// Your email address, so the CA can contact you if necessary.
|
|
|
|
// Not required, but strongly recommended to provide one so
|
|
|
|
// you can be reached if there is a problem. Your email is
|
|
|
|
// not sent to any Caddy mothership or used for any purpose
|
|
|
|
// other than ACME transactions.
|
|
|
|
Email string `json:"email,omitempty"`
|
|
|
|
|
|
|
|
// How long before a certificate's expiration to try renewing it.
|
|
|
|
// Should usually be about 1/3 of certificate lifetime, but long
|
|
|
|
// enough to give yourself time to troubleshoot problems before
|
|
|
|
// expiration. Default: 30d
|
|
|
|
RenewAhead caddy.Duration `json:"renew_ahead,omitempty"`
|
|
|
|
|
|
|
|
// The type of key to generate for the certificate.
|
|
|
|
// Supported values: `rsa2048`, `rsa4096`, `p256`, `p384`.
|
|
|
|
KeyType string `json:"key_type,omitempty"`
|
|
|
|
|
|
|
|
// Time to wait before timing out an ACME operation.
|
|
|
|
ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"`
|
|
|
|
|
|
|
|
// If true, certificates will be requested with MustStaple. Not all
|
|
|
|
// CAs support this, and there are potentially serious consequences
|
|
|
|
// of enabling this feature without proper threat modeling.
|
|
|
|
MustStaple bool `json:"must_staple,omitempty"`
|
|
|
|
|
|
|
|
// Configures the various ACME challenge types.
|
|
|
|
Challenges *ChallengesConfig `json:"challenges,omitempty"`
|
|
|
|
|
|
|
|
// If true, certificates will be managed "on demand", that is, during
|
|
|
|
// TLS handshakes or when needed, as opposed to at startup or config
|
|
|
|
// load.
|
|
|
|
OnDemand bool `json:"on_demand,omitempty"`
|
|
|
|
|
|
|
|
// Optionally configure a separate storage module associated with this
|
|
|
|
// manager, instead of using Caddy's global/default-configured storage.
|
2020-01-06 10:10:20 -05:00
|
|
|
Storage json.RawMessage `json:"storage,omitempty" caddy:"namespace=caddy.storage inline_key=module"`
|
2019-12-10 15:36:46 -05:00
|
|
|
|
|
|
|
// An array of files of CA certificates to accept when connecting to the
|
|
|
|
// ACME CA. Generally, you should only use this if the ACME CA endpoint
|
|
|
|
// is internal or for development/testing purposes.
|
|
|
|
TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"`
|
2019-09-24 17:46:39 -05:00
|
|
|
|
|
|
|
storage certmagic.Storage
|
|
|
|
rootPool *x509.CertPool
|
2019-04-25 14:54:48 -05:00
|
|
|
}
|
|
|
|
|
2019-08-21 11:46:35 -05:00
|
|
|
// CaddyModule returns the Caddy module information.
|
|
|
|
func (ACMEManagerMaker) CaddyModule() caddy.ModuleInfo {
|
|
|
|
return caddy.ModuleInfo{
|
2019-12-10 15:36:46 -05:00
|
|
|
ID: "tls.management.acme",
|
|
|
|
New: func() caddy.Module { return new(ACMEManagerMaker) },
|
2019-08-21 11:46:35 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewManager is a no-op to satisfy the ManagerMaker interface,
|
2019-06-04 23:43:21 -05:00
|
|
|
// because this manager type is a special case.
|
2019-08-21 11:46:35 -05:00
|
|
|
func (m ACMEManagerMaker) NewManager(interactive bool) (certmagic.Manager, error) {
|
2019-04-26 13:35:39 -05:00
|
|
|
return nil, nil
|
|
|
|
}
|
2019-04-25 14:54:48 -05:00
|
|
|
|
2019-06-04 23:43:21 -05:00
|
|
|
// Provision sets up m.
|
2019-06-14 12:58:28 -05:00
|
|
|
func (m *ACMEManagerMaker) Provision(ctx caddy.Context) error {
|
2019-04-25 14:54:48 -05:00
|
|
|
// DNS providers
|
2019-09-30 10:07:43 -05:00
|
|
|
if m.Challenges != nil && m.Challenges.DNSRaw != nil {
|
2019-12-10 15:36:46 -05:00
|
|
|
val, err := ctx.LoadModule(m.Challenges, "DNSRaw")
|
2019-04-25 14:54:48 -05:00
|
|
|
if err != nil {
|
2019-12-10 15:36:46 -05:00
|
|
|
return fmt.Errorf("loading DNS provider module: %v", err)
|
2019-04-25 14:54:48 -05:00
|
|
|
}
|
2019-06-04 23:43:21 -05:00
|
|
|
m.Challenges.DNS = val.(challenge.Provider)
|
2019-04-25 14:54:48 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// policy-specific storage implementation
|
|
|
|
if m.Storage != nil {
|
2019-12-10 15:36:46 -05:00
|
|
|
val, err := ctx.LoadModule(m, "Storage")
|
2019-04-25 14:54:48 -05:00
|
|
|
if err != nil {
|
2019-12-10 15:36:46 -05:00
|
|
|
return fmt.Errorf("loading TLS storage module: %v", err)
|
2019-04-25 14:54:48 -05:00
|
|
|
}
|
2019-06-14 12:58:28 -05:00
|
|
|
cmStorage, err := val.(caddy.StorageConverter).CertMagicStorage()
|
2019-04-25 14:54:48 -05:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("creating TLS storage configuration: %v", err)
|
|
|
|
}
|
|
|
|
m.storage = cmStorage
|
|
|
|
}
|
|
|
|
|
2019-09-24 17:46:39 -05:00
|
|
|
// add any custom CAs to trust store
|
|
|
|
if len(m.TrustedRootsPEMFiles) > 0 {
|
|
|
|
m.rootPool = x509.NewCertPool()
|
|
|
|
for _, pemFile := range m.TrustedRootsPEMFiles {
|
|
|
|
pemData, err := ioutil.ReadFile(pemFile)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("loading trusted root CA's PEM file: %s: %v", pemFile, err)
|
|
|
|
}
|
|
|
|
if !m.rootPool.AppendCertsFromPEM(pemData) {
|
|
|
|
return fmt.Errorf("unable to add %s to trust pool: %v", pemFile, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-04-25 14:54:48 -05:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-04-26 13:35:39 -05:00
|
|
|
// makeCertMagicConfig converts m into a certmagic.Config, because
|
|
|
|
// this is a special case where the default manager is the certmagic
|
|
|
|
// Config and not a separate manager.
|
2019-06-14 12:58:28 -05:00
|
|
|
func (m *ACMEManagerMaker) makeCertMagicConfig(ctx caddy.Context) certmagic.Config {
|
2019-04-26 13:35:39 -05:00
|
|
|
storage := m.storage
|
|
|
|
if storage == nil {
|
2019-05-16 17:05:38 -05:00
|
|
|
storage = ctx.Storage()
|
2019-04-26 13:35:39 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
var ond *certmagic.OnDemandConfig
|
2019-06-20 21:36:29 -05:00
|
|
|
if m.OnDemand {
|
|
|
|
var onDemand *OnDemandConfig
|
|
|
|
appVal, err := ctx.App("tls")
|
2019-09-30 10:07:43 -05:00
|
|
|
if err == nil && appVal.(*TLS).Automation != nil {
|
2019-06-20 21:36:29 -05:00
|
|
|
onDemand = appVal.(*TLS).Automation.OnDemand
|
|
|
|
}
|
|
|
|
|
2019-04-26 13:35:39 -05:00
|
|
|
ond = &certmagic.OnDemandConfig{
|
2019-06-20 21:36:29 -05:00
|
|
|
DecisionFunc: func(name string) error {
|
|
|
|
if onDemand != nil {
|
|
|
|
if onDemand.Ask != "" {
|
|
|
|
err := onDemandAskRequest(onDemand.Ask, name)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2019-10-21 13:03:51 -05:00
|
|
|
// check the rate limiter last because
|
|
|
|
// doing so makes a reservation
|
|
|
|
if !onDemandRateLimiter.Allow() {
|
|
|
|
return fmt.Errorf("on-demand rate limit exceeded")
|
2019-06-20 21:36:29 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
},
|
2019-04-26 13:35:39 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-09-30 10:07:43 -05:00
|
|
|
cfg := certmagic.Config{
|
|
|
|
CA: m.CA,
|
|
|
|
Email: m.Email,
|
|
|
|
Agreed: true,
|
|
|
|
RenewDurationBefore: time.Duration(m.RenewAhead),
|
|
|
|
KeyType: supportedCertKeyTypes[m.KeyType],
|
|
|
|
CertObtainTimeout: time.Duration(m.ACMETimeout),
|
|
|
|
OnDemand: ond,
|
|
|
|
MustStaple: m.MustStaple,
|
|
|
|
Storage: storage,
|
|
|
|
TrustedRoots: m.rootPool,
|
2019-04-26 13:35:39 -05:00
|
|
|
// TODO: listenHost
|
|
|
|
}
|
2019-09-30 10:07:43 -05:00
|
|
|
|
|
|
|
if m.Challenges != nil {
|
|
|
|
if m.Challenges.HTTP != nil {
|
|
|
|
cfg.DisableHTTPChallenge = m.Challenges.HTTP.Disabled
|
|
|
|
cfg.AltHTTPPort = m.Challenges.HTTP.AlternatePort
|
|
|
|
}
|
|
|
|
if m.Challenges.TLSALPN != nil {
|
|
|
|
cfg.DisableTLSALPNChallenge = m.Challenges.TLSALPN.Disabled
|
|
|
|
cfg.AltTLSALPNPort = m.Challenges.TLSALPN.AlternatePort
|
|
|
|
}
|
|
|
|
cfg.DNSProvider = m.Challenges.DNS
|
|
|
|
}
|
|
|
|
|
|
|
|
return cfg
|
2019-04-26 13:35:39 -05:00
|
|
|
}
|
|
|
|
|
2019-06-20 21:36:29 -05:00
|
|
|
// onDemandAskRequest makes a request to the ask URL
|
|
|
|
// to see if a certificate can be obtained for name.
|
|
|
|
// The certificate request should be denied if this
|
|
|
|
// returns an error.
|
|
|
|
func onDemandAskRequest(ask string, name string) error {
|
|
|
|
askURL, err := url.Parse(ask)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("parsing ask URL: %v", err)
|
|
|
|
}
|
|
|
|
qs := askURL.Query()
|
|
|
|
qs.Set("domain", name)
|
|
|
|
askURL.RawQuery = qs.Encode()
|
|
|
|
|
|
|
|
resp, err := onDemandAskClient.Get(askURL.String())
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("error checking %v to deterine if certificate for hostname '%s' should be allowed: %v",
|
|
|
|
ask, name, err)
|
|
|
|
}
|
|
|
|
resp.Body.Close()
|
|
|
|
|
|
|
|
if resp.StatusCode < 200 || resp.StatusCode > 299 {
|
|
|
|
return fmt.Errorf("certificate for hostname '%s' not allowed; non-2xx status code %d returned from %v",
|
|
|
|
name, resp.StatusCode, ask)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-06-04 23:43:21 -05:00
|
|
|
// Interface guard
|
2019-08-21 11:46:35 -05:00
|
|
|
var _ ManagerMaker = (*ACMEManagerMaker)(nil)
|