mirror of
https://github.com/caddyserver/caddy.git
synced 2025-02-03 23:09:57 -05:00
tls: Auto-migrate cert assets to new path (details in #3124)
This commit is contained in:
Matthew Holt
parent
b216d285df
commit
4d18587192
1 changed files with 128 additions and 2 deletions
|
|
@ -18,7 +18,11 @@ import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
|
@ -71,8 +75,6 @@ func (TLS) CaddyModule() caddy.ModuleInfo {
|
||||||
|
|
||||||
// Provision sets up the configuration for the TLS app.
|
// Provision sets up the configuration for the TLS app.
|
||||||
func (t *TLS) Provision(ctx caddy.Context) error {
|
func (t *TLS) Provision(ctx caddy.Context) error {
|
||||||
// TODO: Move assets to the new folder structure!!
|
|
||||||
|
|
||||||
t.ctx = ctx
|
t.ctx = ctx
|
||||||
t.logger = ctx.Logger(t)
|
t.logger = ctx.Logger(t)
|
||||||
|
|
||||||
|
|
@ -162,6 +164,14 @@ func (t *TLS) Provision(ctx caddy.Context) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO: TEMPORARY UNTIL RELEASE CANDIDATES:
|
||||||
|
// MIGRATE MANAGED CERTIFICATE ASSETS TO NEW PATH
|
||||||
|
err = t.moveCertificates()
|
||||||
|
if err != nil {
|
||||||
|
t.logger.Error("migrating certificates", zap.Error(err))
|
||||||
|
}
|
||||||
|
// END TODO: TEMPORARY.
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -661,3 +671,119 @@ var (
|
||||||
)
|
)
|
||||||
|
|
||||||
const automateKey = "automate"
|
const automateKey = "automate"
|
||||||
|
|
||||||
|
// TODO: This is temporary until the release candidates
|
||||||
|
// (beta 16 changed the storage path for certificates),
|
||||||
|
// after which this function can be deleted
|
||||||
|
func (t *TLS) moveCertificates() error {
|
||||||
|
log := t.logger.Named("automigrate")
|
||||||
|
|
||||||
|
oldAcmeDir := filepath.Join(caddy.AppDataDir(), "acme")
|
||||||
|
|
||||||
|
// if custom storage path was defined, use that instead
|
||||||
|
if fs, ok := t.ctx.Storage().(*certmagic.FileStorage); ok {
|
||||||
|
oldAcmeDir = fs.Path
|
||||||
|
}
|
||||||
|
|
||||||
|
oldAcmeCas, err := ioutil.ReadDir(oldAcmeDir)
|
||||||
|
if err != nil {
|
||||||
|
if os.IsNotExist(err) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return fmt.Errorf("listing used ACME CAs: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// get list of used CAs
|
||||||
|
var oldCANames []string
|
||||||
|
for _, fi := range oldAcmeCas {
|
||||||
|
if !fi.IsDir() {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
oldCANames = append(oldCANames, fi.Name())
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, oldCA := range oldCANames {
|
||||||
|
// make new destination path
|
||||||
|
newCAName := oldCA
|
||||||
|
if strings.Contains(oldCA, "api.letsencrypt.org") {
|
||||||
|
newCAName += "-directory"
|
||||||
|
}
|
||||||
|
newBaseDir := filepath.Join(caddy.AppDataDir(), "certificates", newCAName)
|
||||||
|
err := os.MkdirAll(newBaseDir, 0700)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("making new certs directory: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// list sites in old path
|
||||||
|
oldAcmeSitesDir := filepath.Join(oldAcmeDir, oldCA, "sites")
|
||||||
|
oldAcmeSites, err := ioutil.ReadDir(oldAcmeSitesDir)
|
||||||
|
if err != nil {
|
||||||
|
if os.IsNotExist(err) {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
return fmt.Errorf("listing sites: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(oldAcmeSites) > 0 {
|
||||||
|
log.Warn("certificate storage path has changed; attempting one-time auto-migration",
|
||||||
|
zap.String("old_folder", oldAcmeSitesDir),
|
||||||
|
zap.String("new_folder", newBaseDir),
|
||||||
|
zap.String("details", "https://github.com/caddyserver/caddy/issues/2955"))
|
||||||
|
}
|
||||||
|
|
||||||
|
// for each site, move its folder and re-encode its metadata
|
||||||
|
for _, siteInfo := range oldAcmeSites {
|
||||||
|
if !siteInfo.IsDir() {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// move the folder
|
||||||
|
oldPath := filepath.Join(oldAcmeSitesDir, siteInfo.Name())
|
||||||
|
newPath := filepath.Join(newBaseDir, siteInfo.Name())
|
||||||
|
log.Info("moving certificate assets",
|
||||||
|
zap.String("ca", oldCA),
|
||||||
|
zap.String("site", siteInfo.Name()),
|
||||||
|
zap.String("destination", newPath))
|
||||||
|
err = os.Rename(oldPath, newPath)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("failed moving site to new path; skipping",
|
||||||
|
zap.String("old_path", oldPath),
|
||||||
|
zap.String("new_path", newPath),
|
||||||
|
zap.Error(err))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// re-encode metadata file
|
||||||
|
metaFilePath := filepath.Join(newPath, siteInfo.Name()+".json")
|
||||||
|
metaContents, err := ioutil.ReadFile(metaFilePath)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("could not read metadata file",
|
||||||
|
zap.String("filename", metaFilePath),
|
||||||
|
zap.Error(err))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if len(metaContents) == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
cr := certmagic.CertificateResource{
|
||||||
|
SANs: []string{siteInfo.Name()},
|
||||||
|
IssuerData: json.RawMessage(metaContents),
|
||||||
|
}
|
||||||
|
newMeta, err := json.MarshalIndent(cr, "", "\t")
|
||||||
|
if err != nil {
|
||||||
|
log.Error("encoding new metadata file", zap.Error(err))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
err = ioutil.WriteFile(metaFilePath, newMeta, 0600)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("writing new metadata file", zap.Error(err))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// delete now-empty old sites dir (OK if fails)
|
||||||
|
os.Remove(oldAcmeSitesDir)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue