Ylianst/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2024-11-22 22:17:31 +03:00
Code Issues Packages Projects Releases Wiki Activity

Improved alternate Let's Encrypt support.

Browse Source
This commit is contained in:
Ylian Saint-Hilaire 2020-03-05 11:18:50 -08:00
parent fea2120849
commit 7df7576acb
5 changed files with 96 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
letsEncrypt.js
View File

@ -341,6 +341,17 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
obj.challenges = {};
obj.runAsProduction = false;
obj.redirWebServerHooked = false;
obj.configErr = null;
obj.configOk = false;
// Let's Encrypt debug logging
obj.log = function (str) {
parent.debug('cert', 'LE: ' + str);
var d = new Date();
obj.events.push(d.toLocaleDateString() + ' ' + d.toLocaleTimeString() + ' - ' + str);
while (obj.events.length > 200) { obj.events.shift(); } // Keep only 200 last events.
}
obj.events = [];
// Setup the certificate storage paths
obj.certPath = obj.path.join(obj.parent.datapath, 'letsencrypt-certs');
@ -353,18 +364,20 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
// Deal with HTTP challenges
function challengeCreateFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { obj.challenges[challenge.token] = keyAuthorization; } }
function challengeRemoveFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { delete obj.challenges[challenge.token]; } }
obj.challenge = function (token, hostname, func) { func(obj.challenges[token]); }
obj.challenge = function (token, hostname, func) { obj.log((obj.challenges[token] != null)?"Succesful response to challenge.":"Failed to respond to challenge."); func(obj.challenges[token]); }
// Get the current certificate
obj.getCertificate = function(certs, func) {
obj.runAsProduction = (obj.parent.config.letsencrypt.production === true);
parent.debug('cert', "LE: Getting certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")");
if (certs.CommonName.indexOf('.') == -1) { console.log("ERROR: Use --cert to setup the default server name before using Let's Encrypt."); func(certs); return; }
if (obj.parent.config.letsencrypt == null) { func(certs); return; }
if (obj.parent.config.letsencrypt.email == null) { console.log("ERROR: Let's Encrypt email address not specified."); func(certs); return; }
if ((obj.parent.redirserver == null) || ((typeof obj.parent.config.settings.rediraliasport === 'number') && (obj.parent.config.settings.rediraliasport !== 80)) || ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port !== 80))) { console.log("ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work."); func(certs); return; }
if (obj.redirWebServerHooked !== true) { console.log("ERROR: Redirection web server not setup for Let's Encrypt to work."); func(certs); return; }
if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { console.log("ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."); func(certs); return; }
obj.log("Getting certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")");
if (certs.CommonName.indexOf('.') == -1) { obj.configErr = "ERROR: Use --cert to setup the default server name before using Let's Encrypt."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
if (obj.parent.config.letsencrypt == null) { obj.configErr = "No Let's Encrypt configuration"; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
if (obj.parent.config.letsencrypt.email == null) { obj.configErr = "ERROR: Let's Encrypt email address not specified."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
if ((obj.parent.redirserver == null) || ((typeof obj.parent.config.settings.rediraliasport === 'number') && (obj.parent.config.settings.rediraliasport !== 80)) || ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port !== 80))) { obj.configErr = "ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
if (obj.redirWebServerHooked !== true) { obj.configErr = "ERROR: Redirection web server not setup for Let's Encrypt to work."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { obj.configErr = "ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
if (obj.checkInterval == null) { obj.checkInterval = setInterval(obj.checkRenewCertificate, 86400000); } // Call certificate check every 24 hours.
obj.configOk = true;
// Get the list of domains
obj.leDomains = [ certs.CommonName ];
@ -379,7 +392,7 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt'));
var keyFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.key' : 'staging.key'));
if (obj.fs.existsSync(certFile) && obj.fs.existsSync(keyFile)) {
parent.debug('cert', "LE: Reading certificate files");
obj.log("Reading certificate files");
// Read the certificate and private key
var certPem = obj.fs.readFileSync(certFile).toString('utf8');
@ -397,54 +410,55 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
// Use this certificate when possible on any domain
if (obj.certNames.indexOf(certs.CommonName) >= 0) {
obj.log("Setting LE cert for default domain.");
certs.web.cert = certPem;
certs.web.key = keyPem;
//certs.web.ca = [results.pems.chain];
}
for (var i in obj.parent.config.domains) {
if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.parent.config.domains[i].dns))) {
obj.log("Setting LE cert for domain " + i + ".");
certs.dns[i].cert = certPem;
certs.dns[i].key = keyPem;
//certs.dns[i].ca = [results.pems.chain];
}
}
} else {
parent.debug('cert', "LE: No certificate files found");
obj.log("No certificate files found");
}
func(certs);
obj.checkRenewCertificate();
setTimeout(obj.checkRenewCertificate, 5000); // Hold 5 seconds and check if we need to request a certificate.
}
// Check if we need to get a new certificate
// Return 0 = CertOK, 1 = Request:NoCert, 2 = Request:Expire, 3 = Request:MissingNames
obj.checkRenewCertificate = function () {
parent.debug('cert', "LE: Checking certificate");
if (obj.certNames == null) {
parent.debug('cert', "LE: Got no certificates, asking for one now.");
obj.log("Got no certificates, asking for one now.");
obj.requestCertificate();
return 1;
} else {
// Look at the existing certificate to see if we need to renew it
var daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000);
parent.debug('cert', "LE: Certificate has " + daysLeft + " day(s) left.");
obj.log("Certificate has " + daysLeft + " day(s) left.");
if (daysLeft < 45) {
parent.debug('cert', "LE: Asking for new certificate because of expire time.");
obj.log("Asking for new certificate because of expire time.");
obj.requestCertificate();
return 2;
} else {
var missingDomain = false;
for (var i in obj.leDomains) {
if (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.leDomains[i]) == false) {
parent.debug('cert', "LE: Missing name " + obj.leDomains[i] + ".");
obj.log("Missing name \"" + obj.leDomains[i] + "\".");
missingDomain = true;
}
}
if (missingDomain) {
parent.debug('cert', "LE: Asking for new certificate because of missing names.");
obj.log("Asking for new certificate because of missing names.");
obj.requestCertificate();
return 3;
} else {
parent.debug('cert', "LE: Certificate is ok.");
obj.log("Certificate is ok.");
}
}
}
@ -452,25 +466,27 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
}
obj.requestCertificate = function () {
if (obj.configOk == false) { obj.log("Can't request cert, invalid configuration.");return; }
// Create a private key
parent.debug('cert', "LE: Generating private key...");
obj.log("Generating private key...");
acme.forge.createPrivateKey().then(function (accountKey) {
// Create the ACME client
parent.debug('cert', "LE: Setting up ACME client...");
obj.log("Setting up ACME client...");
obj.client = new acme.Client({
directoryUrl: obj.runAsProduction ? acme.directory.letsencrypt.production : acme.directory.letsencrypt.staging,
accountKey: accountKey
});
// Create Certificate Request (CSR)
parent.debug('cert', "LE: Creating certificate request...");
obj.log("Creating certificate request...");
acme.forge.createCsr({
commonName: obj.leDomains[0],
altNames: obj.leDomains
}).then(function (r) {
var csr = r[1];
obj.tempPrivateKey = r[0];
parent.debug('cert', "LE: Requesting certificate from Let's Encrypt...");
obj.log("Requesting certificate from Let's Encrypt...");
obj.client.auto({
csr,
email: obj.parent.config.letsencrypt.email,
@ -478,7 +494,7 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
challengeCreateFn,
challengeRemoveFn
}).then(function (cert) {
parent.debug('cert', "LE: Got certificate.");
obj.log("Got certificate.");
// Save certificate and private key to PEM files
var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt'));
@ -488,16 +504,16 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
delete obj.tempPrivateKey;
// Cause a server restart
parent.debug('cert', "LE: Performing server restart...");
obj.log("Performing server restart...");
obj.parent.performServerCertUpdate();
}, function (err) {
parent.debug('cert', "LE: Failed to obtain certificate: " + err.message);
obj.log("Failed to obtain certificate: " + err.message);
});
}, function (err) {
parent.debug('cert', "LE: Failed to generate certificate request: " + err.message);
obj.log("Failed to generate certificate request: " + err.message);
});
}, function (err) {
parent.debug('cert', "LE: Failed to generate private key: " + err.message);
obj.log("Failed to generate private key: " + err.message);
});
}
@ -505,13 +521,15 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
obj.getStats = function () {
var r = {
lib: 'acme-client',
configOk: obj.configOk,
leDomains: obj.leDomains,
challenges: obj.challenges,
production: obj.runAsProduction,
webServer: obj.redirWebServerHooked,
certPath: obj.certPath,
certPath: obj.certPath
};
if (obj.certExpire) { r.daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); }
if (obj.configErr) { r.error = obj.configErr; }
if (obj.certExpire) { r.cert = 'Present'; r.daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); } else { r.cert = 'None'; }
return r;
}

8
meshcentral.js
View File

@ -2389,7 +2389,13 @@ function mainStart() {
if (require('os').platform() == 'win32') { modules.push('node-windows'); if (sspi == true) { modules.push('node-sspi'); } } // Add Windows modules
if (ldap == true) { modules.push('ldapauth-fork'); }
if (recordingIndex == true) { modules.push('image-size'); } // Need to get the remote desktop JPEG sizes to index the recodring file.
if (config.letsencrypt != null) { if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push((config.letsencrypt.lib == 'acme-client') ? 'acme-client' : 'greenlock@4.0.4'); } } // Add Greenlock Module or acme-client module
if (config.letsencrypt != null) {
if (config.letsencrypt.lib == 'acme-client') {
if (nodeVersion < 8) { addServerWarning("Let's Encrypt support requires Node v8.x or higher.", !args.launch); } else { modules.push('acme-client'); }
} else {
if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push('greenlock@4.0.4'); }
}
} // Add Greenlock Module or acme-client module
if (config.settings.mqtt != null) { modules.push('aedes'); } // Add MQTT Modules
if (config.settings.mysql != null) { modules.push('mysql'); } // Add MySQL, official driver.
if (config.settings.mongodb != null) { modules.push('mongodb'); } // Add MongoDB, official driver.

17
meshuser.js
View File

@ -689,7 +689,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
switch (cmd) {
case 'help': {
var fin = '', f = '', availcommands = 'help,info,versions,args,resetserver,showconfig,usersessions,closeusersessions,tasklimiter,setmaxtasks,cores,migrationagents,agentstats,webstats,mpsstats,swarmstats,acceleratorsstats,updatecheck,serverupdate,nodeconfig,heapdump,relays,autobackup,backupconfig,dupagents,dispatchtable,badlogins,showpaths,letsencrypt';
var fin = '', f = '', availcommands = 'help,info,versions,args,resetserver,showconfig,usersessions,closeusersessions,tasklimiter,setmaxtasks,cores,migrationagents,agentstats,webstats,mpsstats,swarmstats,acceleratorsstats,updatecheck,serverupdate,nodeconfig,heapdump,relays,autobackup,backupconfig,dupagents,dispatchtable,badlogins,showpaths,le,lecheck,leevents';
availcommands = availcommands.split(',').sort();
while (availcommands.length > 0) {
if (f.length > 80) { fin += (f + ',\r\n'); f = ''; }
@ -699,8 +699,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
r = 'Available commands: \r\n' + fin + '.';
break;
}
case 'le':
case 'letsencrypt': {
case 'le': {
if (parent.parent.letsencrypt == null) {
r = "Let's Encrypt not in use.";
} else {
@ -742,6 +741,18 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
}
break;
}
case 'leevents': {
if (parent.parent.letsencrypt == null) {
r = "Let's Encrypt not in use.";
} else {
if (parent.parent.letsencrypt.lib == 'acme-client') {
r = parent.parent.letsencrypt.events.join('\r\n');
} else {
r = 'Not supported';
}
}
break;
}
case 'badlogins': {
if (parent.parent.config.settings.maxinvalidlogin == false) {
r = 'Bad login filter is disabled.';

44
translate/translate.json
View File

@ -3031,7 +3031,7 @@
"nl": "Weet u zeker dat u de plug-in {0} wilt gebruiken: {1}",
"ru": "Вы уверенны, что {0} плагин: {1}",
"xloc": [
"default.handlebars->27->1510"
"default.handlebars->27->1511"
]
},
{
@ -3552,7 +3552,7 @@
"pt": "Servidor CIRA",
"ru": "CIRA Сервер",
"xloc": [
"default.handlebars->27->1501"
"default.handlebars->27->1502"
]
},
{
@ -3566,7 +3566,7 @@
"pt": "Comandos do servidor CIRA",
"ru": "CIRA Сервер команды",
"xloc": [
"default.handlebars->27->1502"
"default.handlebars->27->1503"
]
},
{
@ -3665,7 +3665,7 @@
"pt": "Erro de chamada",
"ru": "Ошибка вызова",
"xloc": [
"default.handlebars->27->1511"
"default.handlebars->27->1512"
]
},
{
@ -4000,7 +4000,7 @@
"pt": "Verificando ...",
"ru": "Проверка...",
"xloc": [
"default.handlebars->27->1507",
"default.handlebars->27->1508",
"default.handlebars->27->769"
]
},
@ -4663,7 +4663,7 @@
"pt": "Encaminhador de conexão",
"ru": "Ретранслятор подключения",
"xloc": [
"default.handlebars->27->1500"
"default.handlebars->27->1501"
]
},
{
@ -9089,7 +9089,7 @@
"default.handlebars->27->1194",
"default.handlebars->27->1200",
"default.handlebars->27->1479",
"default.handlebars->27->1499"
"default.handlebars->27->1500"
]
},
{
@ -10500,7 +10500,7 @@
"pt": "Menos",
"ru": "Меньше",
"xloc": [
"default.handlebars->27->1513"
"default.handlebars->27->1514"
]
},
{
@ -12153,7 +12153,7 @@
"pt": "Mais",
"ru": "Еще",
"xloc": [
"default.handlebars->27->1512"
"default.handlebars->27->1513"
]
},
{
@ -14314,7 +14314,7 @@
"nl": "Plugin Actie",
"ru": "Действие плагина",
"xloc": [
"default.handlebars->27->1509",
"default.handlebars->27->1510",
"default.handlebars->27->159"
]
},
@ -16345,6 +16345,12 @@
"default.handlebars->27->1494"
]
},
{
"en": "Server Database",
"xloc": [
"default.handlebars->27->1495"
]
},
{
"cs": "Soubory serveru",
"de": "Server-Dateien",
@ -16455,7 +16461,7 @@
"pt": "Rastreamento de servidor",
"ru": "Трассировка сервера",
"xloc": [
"default.handlebars->27->1503"
"default.handlebars->27->1504"
]
},
{
@ -19152,7 +19158,7 @@
"nl": "Bijgewerkt",
"ru": "Актуально",
"xloc": [
"default.handlebars->27->1508"
"default.handlebars->27->1509"
]
},
{
@ -19991,8 +19997,8 @@
"pt": "Servidor web",
"ru": "Веб-сервер",
"xloc": [
"default.handlebars->27->1495",
"default.handlebars->27->1496"
"default.handlebars->27->1496",
"default.handlebars->27->1497"
]
},
{
@ -20006,7 +20012,7 @@
"pt": "Solicitações de servidor Web",
"ru": "Запросы веб-сервера",
"xloc": [
"default.handlebars->27->1497"
"default.handlebars->27->1498"
]
},
{
@ -20020,7 +20026,7 @@
"pt": "Encaminhador de soquete da Web",
"ru": "Ретранслятор Web Socket",
"xloc": [
"default.handlebars->27->1498"
"default.handlebars->27->1499"
]
},
{
@ -20663,7 +20669,7 @@
"pt": "\\\\'",
"ru": "\\\\'",
"xloc": [
"default.handlebars->27->1506"
"default.handlebars->27->1507"
]
},
{
@ -21088,7 +21094,7 @@
"pt": "servertrace.csv",
"ru": "servertrace.csv",
"xloc": [
"default.handlebars->27->1505"
"default.handlebars->27->1506"
]
},
{
@ -21137,7 +21143,7 @@
"pt": "hora, fonte, mensagem",
"ru": "time, source, message",
"xloc": [
"default.handlebars->27->1504"
"default.handlebars->27->1505"
]
},
{

5
views/default.handlebars
View File

@ -10674,6 +10674,7 @@
x += '<div><label><input type=checkbox id=p41c15 ' + ((serverTraceSources.indexOf('agent') >= 0) ? 'checked' : '') + '>' + "MeshAgent traffic" + '</label></div>';
x += '<div><label><input type=checkbox id=p41c14 ' + ((serverTraceSources.indexOf('agentupdate') >= 0) ? 'checked' : '') + '>' + "MeshAgent update" + '</label></div>';
x += '<div><label><input type=checkbox id=p41c16 ' + ((serverTraceSources.indexOf('cert') >= 0) ? 'checked' : '') + '>' + "Server Certificate" + '</label></div>';
x += '<div><label><input type=checkbox id=p41c17 ' + ((serverTraceSources.indexOf('db') >= 0) ? 'checked' : '') + '>' + "Server Database" + '</label></div>';
x += '<div style="width:100%;border-bottom:1px solid gray;margin-bottom:5px;margin-top:5px"><b>' + "Web Server" + '</b></div>';
x += '<div><label><input type=checkbox id=p41c5 ' + ((serverTraceSources.indexOf('web') >= 0) ? 'checked' : '') + '>' + "Web Server" + '</label></div>';
x += '<div><label><input type=checkbox id=p41c6 ' + ((serverTraceSources.indexOf('webrequest') >= 0) ? 'checked' : '') + '>' + "Web Server Requests" + '</label></div>';
@ -10690,8 +10691,8 @@
}
function setServerTracingEx(b) {
var sources = [], allsources = ['cookie', 'dispatch', 'main', 'peer', 'web', 'webrequest', 'relay', 'webrelaydata', 'webrelay', 'mps', 'mpscmd', 'swarm', 'swarmcmd', 'agentupdate', 'agent', 'cert'];
if (b == 1) { for (var i = 1; i < 17; i++) { try { if (Q('p41c' + i).checked) { sources.push(allsources[i - 1]); } } catch (ex) { } } }
var sources = [], allsources = ['cookie', 'dispatch', 'main', 'peer', 'web', 'webrequest', 'relay', 'webrelaydata', 'webrelay', 'mps', 'mpscmd', 'swarm', 'swarmcmd', 'agentupdate', 'agent', 'cert', 'db'];
if (b == 1) { for (var i = 1; i < 18; i++) { try { if (Q('p41c' + i).checked) { sources.push(allsources[i - 1]); } } catch (ex) { } } }
meshserver.send({ action: 'traceinfo', traceSources: sources });
}