BREAKING CHANGE(core): streamline scope to certificate retrieval using dns challenge
This commit is contained in:
@ -13,8 +13,8 @@ export interface ISmartAcmeOptions {
|
||||
accountPrivateKey?: string;
|
||||
accountEmail: string;
|
||||
mongoDescriptor: plugins.smartdata.IMongoDescriptor;
|
||||
setChallenge: (domainName: string, keyAuthorization: string) => Promise<any>;
|
||||
removeChallenge: (domainName: string) => Promise<any>;
|
||||
setChallenge: (dnsChallengeArg: plugins.tsclass.network.IDnsChallenge) => Promise<any>;
|
||||
removeChallenge: (dnsChallengeArg: plugins.tsclass.network.IDnsChallenge) => Promise<any>;
|
||||
environment: 'production' | 'integration';
|
||||
logger?: plugins.smartlog.Smartlog;
|
||||
}
|
||||
@ -41,53 +41,13 @@ export class SmartAcme {
|
||||
private privateKey: string;
|
||||
|
||||
// challenge fullfillment
|
||||
private setChallenge: (domainName: string, keyAuthorization: string) => Promise<any>;
|
||||
private removeChallenge: (domainName: string) => Promise<any>;
|
||||
private setChallenge: (dnsChallengeArg: plugins.tsclass.network.IDnsChallenge) => Promise<any>;
|
||||
private removeChallenge: (dnsChallengeArg: plugins.tsclass.network.IDnsChallenge) => Promise<any>;
|
||||
|
||||
// certmanager
|
||||
private certmanager: CertManager;
|
||||
private certmatcher: CertMatcher;
|
||||
|
||||
/**
|
||||
* the remote handler to hand the request and response to.
|
||||
*/
|
||||
public certremoteHandler = async (
|
||||
req: plugins.smartexpress.Request,
|
||||
res: plugins.smartexpress.Response
|
||||
) => {
|
||||
const requestBody: interfaces.ICertRemoteRequest = req.body;
|
||||
this.logger.log('ok', `got certificate request for ${requestBody.domainName}`);
|
||||
const certDomain = this.certmatcher.getCertificateDomainNameByDomainName(
|
||||
requestBody.domainName
|
||||
);
|
||||
this.logger.log('ok', `mapping ${requestBody.domainName} to ${certDomain}`);
|
||||
let status: interfaces.TCertStatus = await this.certmanager.getCertificateStatus(certDomain);
|
||||
let response: interfaces.ICertRemoteResponse;
|
||||
switch (status) {
|
||||
case 'existing':
|
||||
this.logger.log('ok', `certificate exists for ${certDomain}. Sending certificate!`);
|
||||
response = {
|
||||
status,
|
||||
certificate: await (
|
||||
await this.certmanager.retrieveCertificate(certDomain)
|
||||
).createSavableObject()
|
||||
};
|
||||
break;
|
||||
default:
|
||||
if (status === 'nonexisting') {
|
||||
this.getCertificateForDomain(certDomain);
|
||||
status = 'pending';
|
||||
}
|
||||
response = {
|
||||
status
|
||||
};
|
||||
break;
|
||||
}
|
||||
res.status(200);
|
||||
res.send(response);
|
||||
res.end();
|
||||
};
|
||||
|
||||
constructor(optionsArg: ISmartAcmeOptions) {
|
||||
this.options = optionsArg;
|
||||
this.options.logger
|
||||
@ -144,8 +104,8 @@ export class SmartAcme {
|
||||
* it runs through the following steps
|
||||
*
|
||||
* * look in the database
|
||||
* * if in the database return it
|
||||
* * of not in the database announce it
|
||||
* * if in the database and still valid return it
|
||||
* * if not in the database announce it
|
||||
* * then get it from letsencrypt
|
||||
* * store it
|
||||
* * remove it from the pending map (which it go onto by announcing it)
|
||||
@ -154,20 +114,28 @@ export class SmartAcme {
|
||||
* @param domainArg
|
||||
*/
|
||||
public async getCertificateForDomain(domainArg: string): Promise<Cert> {
|
||||
const certDomain = this.certmatcher.getCertificateDomainNameByDomainName(domainArg);
|
||||
const retrievedCertificate = await this.certmanager.retrieveCertificate(certDomain);
|
||||
const certDomainName = this.certmatcher.getCertificateDomainNameByDomainName(domainArg);
|
||||
const retrievedCertificate = await this.certmanager.retrieveCertificate(certDomainName);
|
||||
|
||||
if (retrievedCertificate) {
|
||||
if (!retrievedCertificate && await this.certmanager.interestMap.checkInterest(certDomainName)) {
|
||||
const existingCertificateInterest = this.certmanager.interestMap.findInterest(certDomainName);
|
||||
const certificate = existingCertificateInterest.interestFullfilled;
|
||||
return certificate;
|
||||
} else if (retrievedCertificate && !retrievedCertificate.shouldBeRenewed()) {
|
||||
return retrievedCertificate;
|
||||
} else {
|
||||
await this.certmanager.announceCertificate(certDomain);
|
||||
} else if (retrievedCertificate && retrievedCertificate.shouldBeRenewed) {
|
||||
await retrievedCertificate.delete();
|
||||
}
|
||||
|
||||
// lets make sure others get the same interest
|
||||
await this.certmanager.interestMap.addInterest(certDomainName);
|
||||
|
||||
|
||||
/* Place new order */
|
||||
const order = await this.client.createOrder({
|
||||
identifiers: [
|
||||
{ type: 'dns', value: certDomain },
|
||||
{ type: 'dns', value: `*.${certDomain}` }
|
||||
{ type: 'dns', value: certDomainName },
|
||||
{ type: 'dns', value: `*.${certDomainName}` }
|
||||
]
|
||||
});
|
||||
|
||||
@ -176,7 +144,7 @@ export class SmartAcme {
|
||||
|
||||
for (const authz of authorizations) {
|
||||
console.log(authz);
|
||||
const domainDnsName: string = `_acme-challenge.${authz.identifier.value}`;
|
||||
const fullHostName: string = `_acme-challenge.${authz.identifier.value}`;
|
||||
const dnsChallenge: string = authz.challenges.find(challengeArg => {
|
||||
return challengeArg.type === 'dns-01';
|
||||
});
|
||||
@ -185,8 +153,11 @@ export class SmartAcme {
|
||||
|
||||
try {
|
||||
/* Satisfy challenge */
|
||||
await this.setChallenge(domainDnsName, keyAuthorization);
|
||||
await this.smartdns.checkUntilAvailable(domainDnsName, 'TXT', keyAuthorization, 100, 5000);
|
||||
await this.setChallenge({
|
||||
hostName: fullHostName,
|
||||
challenge: keyAuthorization
|
||||
});
|
||||
await this.smartdns.checkUntilAvailable(fullHostName, 'TXT', keyAuthorization, 100, 5000);
|
||||
console.log('Cool down an extra 60 second for region availability');
|
||||
await plugins.smartdelay.delayFor(60000);
|
||||
|
||||
@ -201,7 +172,10 @@ export class SmartAcme {
|
||||
} finally {
|
||||
/* Clean up challenge response */
|
||||
try {
|
||||
await this.removeChallenge(domainDnsName);
|
||||
await this.removeChallenge({
|
||||
hostName: fullHostName,
|
||||
challenge: keyAuthorization
|
||||
});
|
||||
} catch (e) {
|
||||
console.log(e);
|
||||
}
|
||||
@ -210,8 +184,8 @@ export class SmartAcme {
|
||||
|
||||
/* Finalize order */
|
||||
const [key, csr] = await plugins.acme.forge.createCsr({
|
||||
commonName: `*.${certDomain}`,
|
||||
altNames: [certDomain]
|
||||
commonName: `*.${certDomainName}`,
|
||||
altNames: [certDomainName]
|
||||
});
|
||||
|
||||
await this.client.finalizeOrder(order, csr);
|
||||
@ -221,14 +195,19 @@ export class SmartAcme {
|
||||
|
||||
await this.certmanager.storeCertificate({
|
||||
id: plugins.smartunique.shortId(),
|
||||
domainName: certDomain,
|
||||
domainName: certDomainName,
|
||||
privateKey: key.toString(),
|
||||
publicKey: cert.toString(),
|
||||
csr: csr.toString(),
|
||||
created: Date.now()
|
||||
created: Date.now(),
|
||||
validUntil:
|
||||
Date.now() +
|
||||
plugins.smarttime.getMilliSecondsFromUnits({
|
||||
days: 90
|
||||
})
|
||||
});
|
||||
|
||||
const newCertificate = await this.certmanager.retrieveCertificate(certDomain);
|
||||
const newCertificate = await this.certmanager.retrieveCertificate(certDomainName);
|
||||
return newCertificate;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user