788 lines
28 KiB
TypeScript
788 lines
28 KiB
TypeScript
import * as plugins from '../../plugins.js';
|
|
import { HttpProxy } from '../http-proxy/index.js';
|
|
import type { IRouteConfig, IRouteTls } from './models/route-types.js';
|
|
import type { IAcmeOptions } from './models/interfaces.js';
|
|
import { CertStore } from './cert-store.js';
|
|
import type { AcmeStateManager } from './acme-state-manager.js';
|
|
import { logger } from '../../core/utils/logger.js';
|
|
|
|
export interface ICertStatus {
|
|
domain: string;
|
|
status: 'valid' | 'pending' | 'expired' | 'error';
|
|
expiryDate?: Date;
|
|
issueDate?: Date;
|
|
source: 'static' | 'acme';
|
|
error?: string;
|
|
}
|
|
|
|
export interface ICertificateData {
|
|
cert: string;
|
|
key: string;
|
|
ca?: string;
|
|
expiryDate: Date;
|
|
issueDate: Date;
|
|
}
|
|
|
|
export class SmartCertManager {
|
|
private certStore: CertStore;
|
|
private smartAcme: plugins.smartacme.SmartAcme | null = null;
|
|
private httpProxy: HttpProxy | null = null;
|
|
private renewalTimer: NodeJS.Timeout | null = null;
|
|
private pendingChallenges: Map<string, string> = new Map();
|
|
private challengeRoute: IRouteConfig | null = null;
|
|
|
|
// Track certificate status by route name
|
|
private certStatus: Map<string, ICertStatus> = new Map();
|
|
|
|
// Global ACME defaults from top-level configuration
|
|
private globalAcmeDefaults: IAcmeOptions | null = null;
|
|
|
|
// Callback to update SmartProxy routes for challenges
|
|
private updateRoutesCallback?: (routes: IRouteConfig[]) => Promise<void>;
|
|
|
|
// Flag to track if challenge route is currently active
|
|
private challengeRouteActive: boolean = false;
|
|
|
|
// Flag to track if provisioning is in progress
|
|
private isProvisioning: boolean = false;
|
|
|
|
// ACME state manager reference
|
|
private acmeStateManager: AcmeStateManager | null = null;
|
|
|
|
constructor(
|
|
private routes: IRouteConfig[],
|
|
private certDir: string = './certs',
|
|
private acmeOptions?: {
|
|
email?: string;
|
|
useProduction?: boolean;
|
|
port?: number;
|
|
},
|
|
private initialState?: {
|
|
challengeRouteActive?: boolean;
|
|
}
|
|
) {
|
|
this.certStore = new CertStore(certDir);
|
|
|
|
// Apply initial state if provided
|
|
if (initialState) {
|
|
this.challengeRouteActive = initialState.challengeRouteActive || false;
|
|
}
|
|
}
|
|
|
|
public setHttpProxy(httpProxy: HttpProxy): void {
|
|
this.httpProxy = httpProxy;
|
|
}
|
|
|
|
|
|
/**
|
|
* Set the ACME state manager
|
|
*/
|
|
public setAcmeStateManager(stateManager: AcmeStateManager): void {
|
|
this.acmeStateManager = stateManager;
|
|
}
|
|
|
|
/**
|
|
* Set global ACME defaults from top-level configuration
|
|
*/
|
|
public setGlobalAcmeDefaults(defaults: IAcmeOptions): void {
|
|
this.globalAcmeDefaults = defaults;
|
|
}
|
|
|
|
/**
|
|
* Set callback for updating routes (used for challenge routes)
|
|
*/
|
|
public setUpdateRoutesCallback(callback: (routes: IRouteConfig[]) => Promise<void>): void {
|
|
this.updateRoutesCallback = callback;
|
|
try {
|
|
logger.log('debug', 'Route update callback set successfully', { component: 'certificate-manager' });
|
|
} catch (error) {
|
|
// Silently handle logging errors
|
|
console.log('[DEBUG] Route update callback set successfully');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Initialize certificate manager and provision certificates for all routes
|
|
*/
|
|
public async initialize(): Promise<void> {
|
|
// Create certificate directory if it doesn't exist
|
|
await this.certStore.initialize();
|
|
|
|
// Initialize SmartAcme if we have any ACME routes
|
|
const hasAcmeRoutes = this.routes.some(r =>
|
|
r.action.tls?.certificate === 'auto'
|
|
);
|
|
|
|
if (hasAcmeRoutes && this.acmeOptions?.email) {
|
|
// Create HTTP-01 challenge handler
|
|
const http01Handler = new plugins.smartacme.handlers.Http01MemoryHandler();
|
|
|
|
// Set up challenge handler integration with our routing
|
|
this.setupChallengeHandler(http01Handler);
|
|
|
|
// Create SmartAcme instance with built-in MemoryCertManager and HTTP-01 handler
|
|
this.smartAcme = new plugins.smartacme.SmartAcme({
|
|
accountEmail: this.acmeOptions.email,
|
|
environment: this.acmeOptions.useProduction ? 'production' : 'integration',
|
|
certManager: new plugins.smartacme.certmanagers.MemoryCertManager(),
|
|
challengeHandlers: [http01Handler]
|
|
});
|
|
|
|
await this.smartAcme.start();
|
|
|
|
// Add challenge route once at initialization if not already active
|
|
if (!this.challengeRouteActive) {
|
|
logger.log('info', 'Adding ACME challenge route during initialization', { component: 'certificate-manager' });
|
|
await this.addChallengeRoute();
|
|
} else {
|
|
logger.log('info', 'Challenge route already active from previous instance', { component: 'certificate-manager' });
|
|
}
|
|
}
|
|
|
|
// Skip automatic certificate provisioning during initialization
|
|
// This will be called later after ports are listening
|
|
logger.log('info', 'Certificate manager initialized. Deferring certificate provisioning until after ports are listening.', { component: 'certificate-manager' });
|
|
|
|
// Start renewal timer
|
|
this.startRenewalTimer();
|
|
}
|
|
|
|
/**
|
|
* Provision certificates for all routes that need them
|
|
*/
|
|
public async provisionAllCertificates(): Promise<void> {
|
|
const certRoutes = this.routes.filter(r =>
|
|
r.action.tls?.mode === 'terminate' ||
|
|
r.action.tls?.mode === 'terminate-and-reencrypt'
|
|
);
|
|
|
|
// Set provisioning flag to prevent concurrent operations
|
|
this.isProvisioning = true;
|
|
|
|
try {
|
|
for (const route of certRoutes) {
|
|
try {
|
|
await this.provisionCertificate(route, true); // Allow concurrent since we're managing it here
|
|
} catch (error) {
|
|
logger.log('error', `Failed to provision certificate for route ${route.name}`, { routeName: route.name, error, component: 'certificate-manager' });
|
|
}
|
|
}
|
|
} finally {
|
|
this.isProvisioning = false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Provision certificate for a single route
|
|
*/
|
|
public async provisionCertificate(route: IRouteConfig, allowConcurrent: boolean = false): Promise<void> {
|
|
const tls = route.action.tls;
|
|
if (!tls || (tls.mode !== 'terminate' && tls.mode !== 'terminate-and-reencrypt')) {
|
|
return;
|
|
}
|
|
|
|
// Check if provisioning is already in progress (prevent concurrent provisioning)
|
|
if (!allowConcurrent && this.isProvisioning) {
|
|
logger.log('info', `Certificate provisioning already in progress, skipping ${route.name}`, { routeName: route.name, component: 'certificate-manager' });
|
|
return;
|
|
}
|
|
|
|
const domains = this.extractDomainsFromRoute(route);
|
|
if (domains.length === 0) {
|
|
logger.log('warn', `Route ${route.name} has TLS termination but no domains`, { routeName: route.name, component: 'certificate-manager' });
|
|
return;
|
|
}
|
|
|
|
const primaryDomain = domains[0];
|
|
|
|
if (tls.certificate === 'auto') {
|
|
// ACME certificate
|
|
await this.provisionAcmeCertificate(route, domains);
|
|
} else if (typeof tls.certificate === 'object') {
|
|
// Static certificate
|
|
await this.provisionStaticCertificate(route, primaryDomain, tls.certificate);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Provision ACME certificate
|
|
*/
|
|
private async provisionAcmeCertificate(
|
|
route: IRouteConfig,
|
|
domains: string[]
|
|
): Promise<void> {
|
|
if (!this.smartAcme) {
|
|
throw new Error(
|
|
'SmartAcme not initialized. This usually means no ACME email was provided. ' +
|
|
'Please ensure you have configured ACME with an email address either:\n' +
|
|
'1. In the top-level "acme" configuration\n' +
|
|
'2. In the route\'s "tls.acme" configuration'
|
|
);
|
|
}
|
|
|
|
const primaryDomain = domains[0];
|
|
const routeName = route.name || primaryDomain;
|
|
|
|
// Check if we already have a valid certificate
|
|
const existingCert = await this.certStore.getCertificate(routeName);
|
|
if (existingCert && this.isCertificateValid(existingCert)) {
|
|
logger.log('info', `Using existing valid certificate for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
|
|
await this.applyCertificate(primaryDomain, existingCert);
|
|
this.updateCertStatus(routeName, 'valid', 'acme', existingCert);
|
|
return;
|
|
}
|
|
|
|
// Apply renewal threshold from global defaults or route config
|
|
const renewThreshold = route.action.tls?.acme?.renewBeforeDays ||
|
|
this.globalAcmeDefaults?.renewThresholdDays ||
|
|
30;
|
|
|
|
logger.log('info', `Requesting ACME certificate for ${domains.join(', ')} (renew ${renewThreshold} days before expiry)`, { domains: domains.join(', '), renewThreshold, component: 'certificate-manager' });
|
|
this.updateCertStatus(routeName, 'pending', 'acme');
|
|
|
|
try {
|
|
// Challenge route should already be active from initialization
|
|
// No need to add it for each certificate
|
|
|
|
// Determine if we should request a wildcard certificate
|
|
// Only request wildcards if:
|
|
// 1. The primary domain is not already a wildcard
|
|
// 2. The domain has multiple parts (can have subdomains)
|
|
// 3. We have DNS-01 challenge support (required for wildcards)
|
|
const hasDnsChallenge = (this.smartAcme as any).challengeHandlers?.some((handler: any) =>
|
|
handler.getSupportedTypes && handler.getSupportedTypes().includes('dns-01')
|
|
);
|
|
|
|
const shouldIncludeWildcard = !primaryDomain.startsWith('*.') &&
|
|
primaryDomain.includes('.') &&
|
|
primaryDomain.split('.').length >= 2 &&
|
|
hasDnsChallenge;
|
|
|
|
if (shouldIncludeWildcard) {
|
|
logger.log('info', `Requesting wildcard certificate for ${primaryDomain} (DNS-01 available)`, { domain: primaryDomain, challengeType: 'DNS-01', component: 'certificate-manager' });
|
|
}
|
|
|
|
// Use smartacme to get certificate with optional wildcard
|
|
const cert = await this.smartAcme.getCertificateForDomain(
|
|
primaryDomain,
|
|
shouldIncludeWildcard ? { includeWildcard: true } : undefined
|
|
);
|
|
|
|
// SmartAcme's Cert object has these properties:
|
|
// - publicKey: The certificate PEM string
|
|
// - privateKey: The private key PEM string
|
|
// - csr: Certificate signing request
|
|
// - validUntil: Timestamp in milliseconds
|
|
// - domainName: The domain name
|
|
const certData: ICertificateData = {
|
|
cert: cert.publicKey,
|
|
key: cert.privateKey,
|
|
ca: cert.publicKey, // Use same as cert for now
|
|
expiryDate: new Date(cert.validUntil),
|
|
issueDate: new Date(cert.created)
|
|
};
|
|
|
|
await this.certStore.saveCertificate(routeName, certData);
|
|
await this.applyCertificate(primaryDomain, certData);
|
|
this.updateCertStatus(routeName, 'valid', 'acme', certData);
|
|
|
|
logger.log('info', `Successfully provisioned ACME certificate for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
|
|
} catch (error) {
|
|
logger.log('error', `Failed to provision ACME certificate for ${primaryDomain}: ${error.message}`, { domain: primaryDomain, error: error.message, component: 'certificate-manager' });
|
|
this.updateCertStatus(routeName, 'error', 'acme', undefined, error.message);
|
|
throw error;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Provision static certificate
|
|
*/
|
|
private async provisionStaticCertificate(
|
|
route: IRouteConfig,
|
|
domain: string,
|
|
certConfig: { key: string; cert: string; keyFile?: string; certFile?: string }
|
|
): Promise<void> {
|
|
const routeName = route.name || domain;
|
|
|
|
try {
|
|
let key: string = certConfig.key;
|
|
let cert: string = certConfig.cert;
|
|
|
|
// Load from files if paths are provided
|
|
if (certConfig.keyFile) {
|
|
const keyFile = await plugins.smartfile.SmartFile.fromFilePath(certConfig.keyFile);
|
|
key = keyFile.contents.toString();
|
|
}
|
|
if (certConfig.certFile) {
|
|
const certFile = await plugins.smartfile.SmartFile.fromFilePath(certConfig.certFile);
|
|
cert = certFile.contents.toString();
|
|
}
|
|
|
|
// Parse certificate to get dates
|
|
// Parse certificate to get dates - for now just use defaults
|
|
// TODO: Implement actual certificate parsing if needed
|
|
const certInfo = { validTo: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000), validFrom: new Date() };
|
|
|
|
const certData: ICertificateData = {
|
|
cert,
|
|
key,
|
|
expiryDate: certInfo.validTo,
|
|
issueDate: certInfo.validFrom
|
|
};
|
|
|
|
// Save to store for consistency
|
|
await this.certStore.saveCertificate(routeName, certData);
|
|
await this.applyCertificate(domain, certData);
|
|
this.updateCertStatus(routeName, 'valid', 'static', certData);
|
|
|
|
logger.log('info', `Successfully loaded static certificate for ${domain}`, { domain, component: 'certificate-manager' });
|
|
} catch (error) {
|
|
logger.log('error', `Failed to provision static certificate for ${domain}: ${error.message}`, { domain, error: error.message, component: 'certificate-manager' });
|
|
this.updateCertStatus(routeName, 'error', 'static', undefined, error.message);
|
|
throw error;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Apply certificate to HttpProxy
|
|
*/
|
|
private async applyCertificate(domain: string, certData: ICertificateData): Promise<void> {
|
|
if (!this.httpProxy) {
|
|
logger.log('warn', `HttpProxy not set, cannot apply certificate for domain ${domain}`, { domain, component: 'certificate-manager' });
|
|
return;
|
|
}
|
|
|
|
// Apply certificate to HttpProxy
|
|
this.httpProxy.updateCertificate(domain, certData.cert, certData.key);
|
|
|
|
// Also apply for wildcard if it's a subdomain
|
|
if (domain.includes('.') && !domain.startsWith('*.')) {
|
|
const parts = domain.split('.');
|
|
if (parts.length >= 2) {
|
|
const wildcardDomain = `*.${parts.slice(-2).join('.')}`;
|
|
this.httpProxy.updateCertificate(wildcardDomain, certData.cert, certData.key);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Extract domains from route configuration
|
|
*/
|
|
private extractDomainsFromRoute(route: IRouteConfig): string[] {
|
|
if (!route.match.domains) {
|
|
return [];
|
|
}
|
|
|
|
const domains = Array.isArray(route.match.domains)
|
|
? route.match.domains
|
|
: [route.match.domains];
|
|
|
|
// Filter out wildcards and patterns
|
|
return domains.filter(d =>
|
|
!d.includes('*') &&
|
|
!d.includes('{') &&
|
|
d.includes('.')
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Check if certificate is valid
|
|
*/
|
|
private isCertificateValid(cert: ICertificateData): boolean {
|
|
const now = new Date();
|
|
|
|
// Use renewal threshold from global defaults or fallback to 30 days
|
|
const renewThresholdDays = this.globalAcmeDefaults?.renewThresholdDays || 30;
|
|
const expiryThreshold = new Date(now.getTime() + renewThresholdDays * 24 * 60 * 60 * 1000);
|
|
|
|
return cert.expiryDate > expiryThreshold;
|
|
}
|
|
|
|
|
|
/**
|
|
* Add challenge route to SmartProxy
|
|
*
|
|
* This method adds a special route for ACME HTTP-01 challenges, which typically uses port 80.
|
|
* Since we may already be listening on port 80 for regular routes, we need to be
|
|
* careful about how we add this route to avoid binding conflicts.
|
|
*/
|
|
private async addChallengeRoute(): Promise<void> {
|
|
// Check with state manager first - avoid duplication
|
|
if (this.acmeStateManager && this.acmeStateManager.isChallengeRouteActive()) {
|
|
try {
|
|
logger.log('info', 'Challenge route already active in global state, skipping', { component: 'certificate-manager' });
|
|
} catch (error) {
|
|
// Silently handle logging errors
|
|
console.log('[INFO] Challenge route already active in global state, skipping');
|
|
}
|
|
this.challengeRouteActive = true;
|
|
return;
|
|
}
|
|
|
|
if (this.challengeRouteActive) {
|
|
try {
|
|
logger.log('info', 'Challenge route already active locally, skipping', { component: 'certificate-manager' });
|
|
} catch (error) {
|
|
// Silently handle logging errors
|
|
console.log('[INFO] Challenge route already active locally, skipping');
|
|
}
|
|
return;
|
|
}
|
|
|
|
if (!this.updateRoutesCallback) {
|
|
throw new Error('No route update callback set');
|
|
}
|
|
|
|
if (!this.challengeRoute) {
|
|
throw new Error('Challenge route not initialized');
|
|
}
|
|
|
|
// Get the challenge port
|
|
const challengePort = this.globalAcmeDefaults?.port || 80;
|
|
|
|
// Check if any existing routes are already using this port
|
|
// This helps us determine if we need to create a new binding or can reuse existing one
|
|
const portInUseByRoutes = this.routes.some(route => {
|
|
const routePorts = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
|
|
return routePorts.some(p => {
|
|
// Handle both number and port range objects
|
|
if (typeof p === 'number') {
|
|
return p === challengePort;
|
|
} else if (typeof p === 'object' && 'from' in p && 'to' in p) {
|
|
// Port range case - check if challengePort is in range
|
|
return challengePort >= p.from && challengePort <= p.to;
|
|
}
|
|
return false;
|
|
});
|
|
});
|
|
|
|
try {
|
|
// Log whether port is already in use by other routes
|
|
if (portInUseByRoutes) {
|
|
try {
|
|
logger.log('info', `Port ${challengePort} is already used by another route, merging ACME challenge route`, {
|
|
port: challengePort,
|
|
component: 'certificate-manager'
|
|
});
|
|
} catch (error) {
|
|
// Silently handle logging errors
|
|
console.log(`[INFO] Port ${challengePort} is already used by another route, merging ACME challenge route`);
|
|
}
|
|
} else {
|
|
try {
|
|
logger.log('info', `Adding new ACME challenge route on port ${challengePort}`, {
|
|
port: challengePort,
|
|
component: 'certificate-manager'
|
|
});
|
|
} catch (error) {
|
|
// Silently handle logging errors
|
|
console.log(`[INFO] Adding new ACME challenge route on port ${challengePort}`);
|
|
}
|
|
}
|
|
|
|
// Add the challenge route to the existing routes
|
|
const challengeRoute = this.challengeRoute;
|
|
const updatedRoutes = [...this.routes, challengeRoute];
|
|
|
|
// With the re-ordering of start(), port binding should already be done
|
|
// This updateRoutes call should just add the route without binding again
|
|
await this.updateRoutesCallback(updatedRoutes);
|
|
this.challengeRouteActive = true;
|
|
|
|
// Register with state manager
|
|
if (this.acmeStateManager) {
|
|
this.acmeStateManager.addChallengeRoute(challengeRoute);
|
|
}
|
|
|
|
try {
|
|
logger.log('info', 'ACME challenge route successfully added', { component: 'certificate-manager' });
|
|
} catch (error) {
|
|
// Silently handle logging errors
|
|
console.log('[INFO] ACME challenge route successfully added');
|
|
}
|
|
} catch (error) {
|
|
// Enhanced error handling based on error type
|
|
if ((error as any).code === 'EADDRINUSE') {
|
|
try {
|
|
logger.log('warn', `Challenge port ${challengePort} is unavailable - it's already in use by another process. Consider configuring a different ACME port.`, {
|
|
port: challengePort,
|
|
error: (error as Error).message,
|
|
component: 'certificate-manager'
|
|
});
|
|
} catch (logError) {
|
|
// Silently handle logging errors
|
|
console.log(`[WARN] Challenge port ${challengePort} is unavailable - it's already in use by another process. Consider configuring a different ACME port.`);
|
|
}
|
|
|
|
// Provide a more informative and actionable error message
|
|
throw new Error(
|
|
`ACME HTTP-01 challenge port ${challengePort} is already in use by another process. ` +
|
|
`Please configure a different port using the acme.port setting (e.g., 8080).`
|
|
);
|
|
} else if (error.message && error.message.includes('EADDRINUSE')) {
|
|
// Some Node.js versions embed the error code in the message rather than the code property
|
|
try {
|
|
logger.log('warn', `Port ${challengePort} conflict detected: ${error.message}`, {
|
|
port: challengePort,
|
|
component: 'certificate-manager'
|
|
});
|
|
} catch (logError) {
|
|
// Silently handle logging errors
|
|
console.log(`[WARN] Port ${challengePort} conflict detected: ${error.message}`);
|
|
}
|
|
|
|
// More detailed error message with suggestions
|
|
throw new Error(
|
|
`ACME HTTP challenge port ${challengePort} conflict detected. ` +
|
|
`To resolve this issue, try one of these approaches:\n` +
|
|
`1. Configure a different port in ACME settings (acme.port)\n` +
|
|
`2. Add a regular route that uses port ${challengePort} before initializing the certificate manager\n` +
|
|
`3. Stop any other services that might be using port ${challengePort}`
|
|
);
|
|
}
|
|
|
|
// Log and rethrow other types of errors
|
|
try {
|
|
logger.log('error', `Failed to add challenge route: ${(error as Error).message}`, {
|
|
error: (error as Error).message,
|
|
component: 'certificate-manager'
|
|
});
|
|
} catch (logError) {
|
|
// Silently handle logging errors
|
|
console.log(`[ERROR] Failed to add challenge route: ${(error as Error).message}`);
|
|
}
|
|
throw error;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Remove challenge route from SmartProxy
|
|
*/
|
|
private async removeChallengeRoute(): Promise<void> {
|
|
if (!this.challengeRouteActive) {
|
|
try {
|
|
logger.log('info', 'Challenge route not active, skipping removal', { component: 'certificate-manager' });
|
|
} catch (error) {
|
|
// Silently handle logging errors
|
|
console.log('[INFO] Challenge route not active, skipping removal');
|
|
}
|
|
return;
|
|
}
|
|
|
|
if (!this.updateRoutesCallback) {
|
|
return;
|
|
}
|
|
|
|
try {
|
|
const filteredRoutes = this.routes.filter(r => r.name !== 'acme-challenge');
|
|
await this.updateRoutesCallback(filteredRoutes);
|
|
this.challengeRouteActive = false;
|
|
|
|
// Remove from state manager
|
|
if (this.acmeStateManager) {
|
|
this.acmeStateManager.removeChallengeRoute('acme-challenge');
|
|
}
|
|
|
|
try {
|
|
logger.log('info', 'ACME challenge route successfully removed', { component: 'certificate-manager' });
|
|
} catch (error) {
|
|
// Silently handle logging errors
|
|
console.log('[INFO] ACME challenge route successfully removed');
|
|
}
|
|
} catch (error) {
|
|
try {
|
|
logger.log('error', `Failed to remove challenge route: ${error.message}`, { error: error.message, component: 'certificate-manager' });
|
|
} catch (logError) {
|
|
// Silently handle logging errors
|
|
console.log(`[ERROR] Failed to remove challenge route: ${error.message}`);
|
|
}
|
|
// Reset the flag even on error to avoid getting stuck
|
|
this.challengeRouteActive = false;
|
|
throw error;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Start renewal timer
|
|
*/
|
|
private startRenewalTimer(): void {
|
|
// Check for renewals every 12 hours
|
|
this.renewalTimer = setInterval(() => {
|
|
this.checkAndRenewCertificates();
|
|
}, 12 * 60 * 60 * 1000);
|
|
|
|
// Also do an immediate check
|
|
this.checkAndRenewCertificates();
|
|
}
|
|
|
|
/**
|
|
* Check and renew certificates that are expiring
|
|
*/
|
|
private async checkAndRenewCertificates(): Promise<void> {
|
|
for (const route of this.routes) {
|
|
if (route.action.tls?.certificate === 'auto') {
|
|
const routeName = route.name || this.extractDomainsFromRoute(route)[0];
|
|
const cert = await this.certStore.getCertificate(routeName);
|
|
|
|
if (cert && !this.isCertificateValid(cert)) {
|
|
logger.log('info', `Certificate for ${routeName} needs renewal`, { routeName, component: 'certificate-manager' });
|
|
try {
|
|
await this.provisionCertificate(route);
|
|
} catch (error) {
|
|
logger.log('error', `Failed to renew certificate for ${routeName}: ${error.message}`, { routeName, error: error.message, component: 'certificate-manager' });
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Update certificate status
|
|
*/
|
|
private updateCertStatus(
|
|
routeName: string,
|
|
status: ICertStatus['status'],
|
|
source: ICertStatus['source'],
|
|
certData?: ICertificateData,
|
|
error?: string
|
|
): void {
|
|
this.certStatus.set(routeName, {
|
|
domain: routeName,
|
|
status,
|
|
source,
|
|
expiryDate: certData?.expiryDate,
|
|
issueDate: certData?.issueDate,
|
|
error
|
|
});
|
|
}
|
|
|
|
/**
|
|
* Get certificate status for a route
|
|
*/
|
|
public getCertificateStatus(routeName: string): ICertStatus | undefined {
|
|
return this.certStatus.get(routeName);
|
|
}
|
|
|
|
/**
|
|
* Force renewal of a certificate
|
|
*/
|
|
public async renewCertificate(routeName: string): Promise<void> {
|
|
const route = this.routes.find(r => r.name === routeName);
|
|
if (!route) {
|
|
throw new Error(`Route ${routeName} not found`);
|
|
}
|
|
|
|
// Remove existing certificate to force renewal
|
|
await this.certStore.deleteCertificate(routeName);
|
|
await this.provisionCertificate(route);
|
|
}
|
|
|
|
/**
|
|
* Setup challenge handler integration with SmartProxy routing
|
|
*/
|
|
private setupChallengeHandler(http01Handler: plugins.smartacme.handlers.Http01MemoryHandler): void {
|
|
// Use challenge port from global config or default to 80
|
|
const challengePort = this.globalAcmeDefaults?.port || 80;
|
|
|
|
// Create a challenge route that delegates to SmartAcme's HTTP-01 handler
|
|
const challengeRoute: IRouteConfig = {
|
|
name: 'acme-challenge',
|
|
priority: 1000, // High priority
|
|
match: {
|
|
ports: challengePort,
|
|
path: '/.well-known/acme-challenge/*'
|
|
},
|
|
action: {
|
|
type: 'static',
|
|
handler: async (context) => {
|
|
// Extract the token from the path
|
|
const token = context.path?.split('/').pop();
|
|
if (!token) {
|
|
return { status: 404, body: 'Not found' };
|
|
}
|
|
|
|
// Create mock request/response objects for SmartAcme
|
|
const mockReq = {
|
|
url: context.path,
|
|
method: 'GET',
|
|
headers: context.headers || {}
|
|
};
|
|
|
|
let responseData: any = null;
|
|
const mockRes = {
|
|
statusCode: 200,
|
|
setHeader: (name: string, value: string) => {},
|
|
end: (data: any) => {
|
|
responseData = data;
|
|
}
|
|
};
|
|
|
|
// Use SmartAcme's handler
|
|
const handled = await new Promise<boolean>((resolve) => {
|
|
http01Handler.handleRequest(mockReq as any, mockRes as any, () => {
|
|
resolve(false);
|
|
});
|
|
// Give it a moment to process
|
|
setTimeout(() => resolve(true), 100);
|
|
});
|
|
|
|
if (handled && responseData) {
|
|
return {
|
|
status: mockRes.statusCode,
|
|
headers: { 'Content-Type': 'text/plain' },
|
|
body: responseData
|
|
};
|
|
} else {
|
|
return { status: 404, body: 'Not found' };
|
|
}
|
|
}
|
|
}
|
|
};
|
|
|
|
// Store the challenge route to add it when needed
|
|
this.challengeRoute = challengeRoute;
|
|
}
|
|
|
|
/**
|
|
* Stop certificate manager
|
|
*/
|
|
public async stop(): Promise<void> {
|
|
if (this.renewalTimer) {
|
|
clearInterval(this.renewalTimer);
|
|
this.renewalTimer = null;
|
|
}
|
|
|
|
// Always remove challenge route on shutdown
|
|
if (this.challengeRoute) {
|
|
logger.log('info', 'Removing ACME challenge route during shutdown', { component: 'certificate-manager' });
|
|
await this.removeChallengeRoute();
|
|
}
|
|
|
|
if (this.smartAcme) {
|
|
await this.smartAcme.stop();
|
|
}
|
|
|
|
// Clear any pending challenges
|
|
if (this.pendingChallenges.size > 0) {
|
|
this.pendingChallenges.clear();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Get ACME options (for recreating after route updates)
|
|
*/
|
|
public getAcmeOptions(): { email?: string; useProduction?: boolean; port?: number } | undefined {
|
|
return this.acmeOptions;
|
|
}
|
|
|
|
/**
|
|
* Get certificate manager state
|
|
*/
|
|
public getState(): { challengeRouteActive: boolean } {
|
|
return {
|
|
challengeRouteActive: this.challengeRouteActive
|
|
};
|
|
}
|
|
}
|
|
|