Clean up some significant portions of the TLS management code

2025-01-13 22:51:08 -05:00 · 2016-09-14 22:30:49 -06:00 · 2016-09-14 22:30:49 -06:00 · bedad34b25
commit bedad34b25
parent 0e7635c54b
6 changed files with 112 additions and 166 deletions
--- a/caddyhttp/httpserver/https.go
+++ b/caddyhttp/httpserver/https.go
@ -23,7 +23,7 @@ func activateHTTPS(cctx caddy.Context) error {
 	// place certificates and keys on disk
 	for _, c := range ctx.siteConfigs {
-		err := c.TLS.ObtainCert(operatorPresent)
+		err := c.TLS.ObtainCert(c.TLS.Hostname, operatorPresent)
 		if err != nil {
 			return err
 		}
--- a/caddytls/client.go
+++ b/caddytls/client.go
@ -18,11 +18,13 @@ import (
 // acmeMu ensures that only one ACME challenge occurs at a time.
 var acmeMu sync.Mutex
-// ACMEClient is an acme.Client with custom state attached.
+// ACMEClient is a wrapper over acme.Client with
 // some custom state attached. It is used to obtain,
 // renew, and revoke certificates with ACME.
 type ACMEClient struct {
 	*acme.Client
 	AllowPrompts bool
 	config       *Config
 	acmeClient   *acme.Client
 }
 // newACMEClient creates a new ACMEClient given an email and whether
@ -100,7 +102,11 @@ var newACMEClient = func(config *Config, allowPrompts bool) (*ACMEClient, error)
 		}
 	}
-	c := &ACMEClient{Client: client, AllowPrompts: allowPrompts, config: config}
+	c := &ACMEClient{
 		AllowPrompts: allowPrompts,
 		config:       config,
 		acmeClient:   client,
 	}
 	if config.DNSProvider == "" {
 		// Use HTTP and TLS-SNI challenges by default
@ -116,15 +122,15 @@ var newACMEClient = func(config *Config, allowPrompts bool) (*ACMEClient, error)
 		// See if TLS challenge needs to be handled by our own facilities
 		if caddy.HasListenerWithAddress(net.JoinHostPort(config.ListenHost, TLSSNIChallengePort)) {
-			c.SetChallengeProvider(acme.TLSSNI01, tlsSniSolver{})
+			c.acmeClient.SetChallengeProvider(acme.TLSSNI01, tlsSniSolver{})
 		}
 		// Always respect user's bind preferences by using config.ListenHost
-		err := c.SetHTTPAddress(net.JoinHostPort(config.ListenHost, useHTTPPort))
+		err := c.acmeClient.SetHTTPAddress(net.JoinHostPort(config.ListenHost, useHTTPPort))
 		if err != nil {
 			return nil, err
 		}
-		err = c.SetTLSAddress(net.JoinHostPort(config.ListenHost, ""))
+		err = c.acmeClient.SetTLSAddress(net.JoinHostPort(config.ListenHost, ""))
 		if err != nil {
 			return nil, err
 		}
@ -145,23 +151,50 @@ var newACMEClient = func(config *Config, allowPrompts bool) (*ACMEClient, error)
 		}
 		// Use the DNS challenge exclusively
-		c.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSSNI01})
+		c.acmeClient.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSSNI01})
-		c.SetChallengeProvider(acme.DNS01, prov)
+		c.acmeClient.SetChallengeProvider(acme.DNS01, prov)
 	}
 	return c, nil
 }
-// Obtain obtains a single certificate for names. It stores the certificate
+// Obtain obtains a single certificate for name. It stores the certificate
-// on the disk if successful.
+// on the disk if successful. This function is safe for concurrent use.
-func (c *ACMEClient) Obtain(names []string) error {
+//
 // Right now our storage mechanism only supports one name per certificate,
 // so this function (along with Renew and Revoke) only accepts one domain
 // as input. It can be easily modified to support SAN certificates if our
 // storage mechanism is upgraded later.
 //
 // Callers who have access to a Config value should use the ObtainCert
 // method on that instead of this lower-level method.
 func (c *ACMEClient) Obtain(name string) error {
 	// Get access to ACME storage
 	storage, err := c.config.StorageFor(c.config.CAUrl)
 	if err != nil {
 		return err
 	}
 	// We must lock the obtain with the storage engine
 	if lockObtained, err := storage.LockRegister(name); err != nil {
 		return err
 	} else if !lockObtained {
 		log.Printf("[INFO] Certificate for %v is already being obtained elsewhere", name)
 		return nil
 	}
 	defer func() {
 		if err := storage.UnlockRegister(name); err != nil {
 			log.Printf("[ERROR] Unable to unlock obtain lock for %v: %v", name, err)
 		}
 	}()
 Attempts:
 	for attempts := 0; attempts < 2; attempts++ {
-		namesObtaining.Add(names)
+		namesObtaining.Add([]string{name})
 		acmeMu.Lock()
-		certificate, failures := c.ObtainCertificate(names, true, nil)
+		certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil)
 		acmeMu.Unlock()
-		namesObtaining.Remove(names)
+		namesObtaining.Remove([]string{name})
 		if len(failures) > 0 {
 			// Error - try to fix it or report it to the user and abort
 			var errMsg string             // we'll combine all the failures into a single error message
@ -178,7 +211,7 @@ Attempts:
 						promptedForAgreement = true
 					}
 					if Agreed || !c.AllowPrompts {
-						err := c.AgreeToTOS()
+						err := c.acmeClient.AgreeToTOS()
 						if err != nil {
 							return errors.New("error agreeing to updated terms: " + err.Error())
 						}
@ -193,13 +226,9 @@ Attempts:
 		}
 		// Success - immediately save the certificate resource
 		storage, err := c.config.StorageFor(c.config.CAUrl)
 		if err != nil {
 			return err
 		}
 		err = saveCertResource(storage, certificate)
 		if err != nil {
-			return fmt.Errorf("error saving assets for %v: %v", names, err)
+			return fmt.Errorf("error saving assets for %v: %v", name, err)
 		}
 		break
@ -208,13 +237,11 @@ Attempts:
 	return nil
 }
-// Renew renews the managed certificate for name. Right now our storage
+// Renew renews the managed certificate for name. This function is
-// mechanism only supports one name per certificate, so this function only
+// safe for concurrent use.
 // accepts one domain as input. It can be easily modified to support SAN
 // certificates if, one day, they become desperately needed enough that our
 // storage mechanism is upgraded to be more complex to support SAN certs.
 //
-// Anyway, this function is safe for concurrent use.
+// Callers who have access to a Config value should use the RenewCert
 // method on that instead of this lower-level method.
 func (c *ACMEClient) Renew(name string) error {
 	// Get access to ACME storage
 	storage, err := c.config.StorageFor(c.config.CAUrl)
@ -251,7 +278,7 @@ func (c *ACMEClient) Renew(name string) error {
 	for attempts := 0; attempts < 2; attempts++ {
 		namesObtaining.Add([]string{name})
 		acmeMu.Lock()
-		newCertMeta, err = c.RenewCertificate(certMeta, true)
+		newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true)
 		acmeMu.Unlock()
 		namesObtaining.Remove([]string{name})
 		if err == nil {
@ -259,10 +286,10 @@ func (c *ACMEClient) Renew(name string) error {
 			break
 		}
-		// If the legal terms changed and need to be agreed to again,
+		// If the legal terms were updated and need to be
-		// we can handle that.
+		// agreed to again, we can handle that.
 		if _, ok := err.(acme.TOSError); ok {
-			err := c.AgreeToTOS()
+			err := c.acmeClient.AgreeToTOS()
 			if err != nil {
 				return err
 			}
@ -304,7 +331,7 @@ func (c *ACMEClient) Revoke(name string) error {
 		return err
 	}
-	err = c.Client.RevokeCertificate(siteData.Cert)
+	err = c.acmeClient.RevokeCertificate(siteData.Cert)
 	if err != nil {
 		return err
 	}
--- a/caddytls/config.go
+++ b/caddytls/config.go
@ -3,13 +3,9 @@ package caddytls
 import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io/ioutil"
 	"time"
 	"log"
 	"net/url"
 	"strings"
@ -116,24 +112,21 @@ type OnDemandState struct {
 	// If it reaches MaxObtain, on-demand issuances must fail.
 	ObtainedCount int32
-	// Based on max_certs in tls config, it specifies the
+	// Set from max_certs in tls config, it specifies the
 	// maximum number of certificates that can be issued.
 	MaxObtain int32
 }
-// ObtainCert obtains a certificate for c.Hostname, as long as a certificate
+// ObtainCert obtains a certificate for name using c, as long
-// does not already exist in storage on disk. It only obtains and stores
+// as a certificate does not already exist in storage for that
-// certificates (and their keys) to disk, it does not load them into memory.
+// name. The name must qualify and c must be flagged as Managed.
-// If allowPrompts is true, the user may be shown a prompt. If proxyACME is
+// This function is a no-op if storage already has a certificate
-// true, the relevant ACME challenges will be proxied to the alternate port.
+// for name.
-func (c *Config) ObtainCert(allowPrompts bool) error {
+//
-	return c.obtainCertName(c.Hostname, allowPrompts)
+// It only obtains and stores certificates (and their keys),
-}
+// it does not load them into memory. If allowPrompts is true,
-
+// the user may be shown a prompt.
-// obtainCertName gets a certificate for name using the ACME config c
+func (c *Config) ObtainCert(name string, allowPrompts bool) error {
 // if c and name both qualify. It places the certificate in storage.
 // It is a no-op if the storage already has a certificate for name.
 func (c *Config) obtainCertName(name string, allowPrompts bool) error {
 	if !c.Managed || !HostQualifies(name) {
 		return nil
 	}
@ -142,29 +135,13 @@ func (c *Config) obtainCertName(name string, allowPrompts bool) error {
 	if err != nil {
 		return err
 	}
 	siteExists, err := storage.SiteExists(name)
 	if err != nil {
 		return err
 	}
 	if siteExists {
 		return nil
 	}
 	// We must lock the obtain with the storage engine
 	if lockObtained, err := storage.LockRegister(name); err != nil {
 		return err
 	} else if !lockObtained {
 		log.Printf("[INFO] Certificate for %v is already being obtained elsewhere", name)
 		return nil
 	}
 	defer func() {
 		if err := storage.UnlockRegister(name); err != nil {
 			log.Printf("[ERROR] Unable to unlock obtain lock for %v: %v", name, err)
 		}
 	}()
 	if c.ACMEEmail == "" {
 		c.ACMEEmail = getEmail(storage, allowPrompts)
 	}
@ -173,86 +150,17 @@ func (c *Config) obtainCertName(name string, allowPrompts bool) error {
 	if err != nil {
 		return err
 	}
-
+	return client.Obtain(name)
 	return client.Obtain([]string{name})
 }
-// RenewCert renews the certificate for c.Hostname. If there is already a lock
+// RenewCert renews the certificate for name using c. It stows the
-// on renewal, this will not perform the renewal and no error will occur.
+// renewed certificate and its assets in storage if successful.
-func (c *Config) RenewCert(allowPrompts bool) error {
+func (c *Config) RenewCert(name string, allowPrompts bool) error {
 	return c.renewCertName(c.Hostname, allowPrompts)
 }
 // renewCertName renews the certificate for the given name. If there is already
 // a lock on renewal, this will not perform the renewal and no error will
 // occur.
 func (c *Config) renewCertName(name string, allowPrompts bool) error {
 	storage, err := c.StorageFor(c.CAUrl)
 	if err != nil {
 		return err
 	}
 	// We must lock the renewal with the storage engine
 	if lockObtained, err := storage.LockRegister(name); err != nil {
 		return err
 	} else if !lockObtained {
 		log.Printf("[INFO] Certificate for %v is already being renewed elsewhere", name)
 		return nil
 	}
 	defer func() {
 		if err := storage.UnlockRegister(name); err != nil {
 			log.Printf("[ERROR] Unable to unlock renewal lock for %v: %v", name, err)
 		}
 	}()
 	// Prepare for renewal (load PEM cert, key, and meta)
 	siteData, err := storage.LoadSite(name)
 	if err != nil {
 		return err
 	}
 	var certMeta acme.CertificateResource
 	err = json.Unmarshal(siteData.Meta, &certMeta)
 	certMeta.Certificate = siteData.Cert
 	certMeta.PrivateKey = siteData.Key
 	client, err := newACMEClient(c, allowPrompts)
 	if err != nil {
 		return err
 	}
-
+	return client.Renew(name)
 	// Perform renewal and retry if necessary, but not too many times.
 	var newCertMeta acme.CertificateResource
 	var success bool
 	for attempts := 0; attempts < 2; attempts++ {
 		namesObtaining.Add([]string{name})
 		acmeMu.Lock()
 		newCertMeta, err = client.RenewCertificate(certMeta, true)
 		acmeMu.Unlock()
 		namesObtaining.Remove([]string{name})
 		if err == nil {
 			success = true
 			break
 		}
 		// If the legal terms were updated and need to be
 		// agreed to again, we can handle that.
 		if _, ok := err.(acme.TOSError); ok {
 			err := client.AgreeToTOS()
 			if err != nil {
 				return err
 			}
 			continue
 		}
 		// For any other kind of error, wait 10s and try again.
 		time.Sleep(10 * time.Second)
 	}
 	if !success {
 		return errors.New("too many renewal attempts; last error: " + err.Error())
 	}
 	return saveCertResource(storage, newCertMeta)
 }
 // StorageFor obtains a TLS Storage instance for the given CA URL which should
--- a/caddytls/filestorage.go
+++ b/caddytls/filestorage.go
@ -123,7 +123,6 @@ func (s FileStorage) readFile(file string) ([]byte, error) {
 		return nil, ErrNotExist(err)
 	}
 	return b, err
 }
 // SiteExists implements Storage.SiteExists by checking for the presence of
--- a/caddytls/handshake.go
+++ b/caddytls/handshake.go
@ -172,22 +172,25 @@ func (cg configGroup) obtainOnDemandCertificate(name string, cfg *Config) (Certi
 		return cg.getCertDuringHandshake(name, true, false)
 	}
-	// looks like it's up to us to do all the work and obtain the cert
+	// looks like it's up to us to do all the work and obtain the cert.
 	// make a chan others can wait on if needed
 	wait = make(chan struct{})
 	obtainCertWaitChans[name] = wait
 	obtainCertWaitChansMu.Unlock()
-	// Unblock waiters and delete waitgroup when we return
+	// do the obtain
-	defer func() {
+	log.Printf("[INFO] Obtaining new certificate for %s", name)
 	err := cfg.ObtainCert(name, false)
 	// immediately unblock anyone waiting for it; doing this in
 	// a defer would risk deadlock because of the recursive call
 	// to getCertDuringHandshake below when we return!
 	obtainCertWaitChansMu.Lock()
 	close(wait)
 	delete(obtainCertWaitChans, name)
 	obtainCertWaitChansMu.Unlock()
 	}()
-	log.Printf("[INFO] Obtaining new certificate for %s", name)
+	if err != nil {
 	if err := cfg.obtainCertName(name, false); err != nil {
 		// Failed to solve challenge, so don't allow another on-demand
 		// issue for this name to be attempted for a little while.
 		failedIssuanceMu.Lock()
@ -208,7 +211,7 @@ func (cg configGroup) obtainOnDemandCertificate(name string, cfg *Config) (Certi
 	lastIssueTime = time.Now()
 	lastIssueTimeMu.Unlock()
-	// The certificate is already on disk; now just start over to load it and serve it
+	// certificate is already on disk; now just start over to load it and serve it
 	return cg.getCertDuringHandshake(name, true, false)
 }
@ -265,17 +268,18 @@ func (cg configGroup) renewDynamicCertificate(name string, cfg *Config) (Certifi
 	obtainCertWaitChans[name] = wait
 	obtainCertWaitChansMu.Unlock()
-	// unblock waiters and delete waitgroup when we return
+	// do the renew
-	defer func() {
+	log.Printf("[INFO] Renewing certificate for %s", name)
 	err := cfg.RenewCert(name, false)
 	// immediately unblock anyone waiting for it; doing this in
 	// a defer would risk deadlock because of the recursive call
 	// to getCertDuringHandshake below when we return!
 	obtainCertWaitChansMu.Lock()
 	close(wait)
 	delete(obtainCertWaitChans, name)
 	obtainCertWaitChansMu.Unlock()
 	}()
 	log.Printf("[INFO] Renewing certificate for %s", name)
 	err := cfg.renewCertName(name, false)
 	if err != nil {
 		return Certificate{}, err
 	}
--- a/caddytls/maintain.go
+++ b/caddytls/maintain.go
@ -99,12 +99,20 @@ func RenewManagedCertificates(allowPrompts bool) (err error) {
 				continue
 			}
-			// This works well because managed certs are only associated with one name per config.
+			// Get the name which we should use to renew this certificate;
-			// Note, the renewal inside here may not actually occur and no error will be returned
+			// we only support managing certificates with one name per cert,
-			// due to renewal lock (i.e. because a renewal is already happening). This lack of
+			// so this should be easy. We can't rely on cert.Config.Hostname
-			// error is by intention to force cache invalidation as though it has renewed.
+			// because it may be a wildcard value from the Caddyfile (e.g.
-			err := cert.Config.RenewCert(allowPrompts)
+			// *.something.com) which, as of 2016, is not supported by ACME.
 			var renewName string
 			for _, name := range cert.Names {
 				if name != "" {
 					renewName = name
 					break
 				}
 			}
 			err := cert.Config.RenewCert(renewName, allowPrompts)
 			if err != nil {
 				if allowPrompts && timeLeft < 0 {
 					// Certificate renewal failed, the operator is present, and the certificate