From 7df7576acb00c429fd29e0d36fc4f869043de857 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Thu, 5 Mar 2020 11:18:50 -0800 Subject: [PATCH] Improved alternate Let's Encrypt support. --- letsEncrypt.js | 76 +++++++++++++++++++++++++--------------- meshcentral.js | 8 ++++- meshuser.js | 17 +++++++-- translate/translate.json | 44 +++++++++++++---------- views/default.handlebars | 5 +-- 5 files changed, 96 insertions(+), 54 deletions(-) diff --git a/letsEncrypt.js b/letsEncrypt.js index 6d1ece11..7c944973 100644 --- a/letsEncrypt.js +++ b/letsEncrypt.js @@ -341,6 +341,17 @@ module.exports.CreateLetsEncrypt2 = function (parent) { obj.challenges = {}; obj.runAsProduction = false; obj.redirWebServerHooked = false; + obj.configErr = null; + obj.configOk = false; + + // Let's Encrypt debug logging + obj.log = function (str) { + parent.debug('cert', 'LE: ' + str); + var d = new Date(); + obj.events.push(d.toLocaleDateString() + ' ' + d.toLocaleTimeString() + ' - ' + str); + while (obj.events.length > 200) { obj.events.shift(); } // Keep only 200 last events. + } + obj.events = []; // Setup the certificate storage paths obj.certPath = obj.path.join(obj.parent.datapath, 'letsencrypt-certs'); @@ -353,18 +364,20 @@ module.exports.CreateLetsEncrypt2 = function (parent) { // Deal with HTTP challenges function challengeCreateFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { obj.challenges[challenge.token] = keyAuthorization; } } function challengeRemoveFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { delete obj.challenges[challenge.token]; } } - obj.challenge = function (token, hostname, func) { func(obj.challenges[token]); } + obj.challenge = function (token, hostname, func) { obj.log((obj.challenges[token] != null)?"Succesful response to challenge.":"Failed to respond to challenge."); func(obj.challenges[token]); } // Get the current certificate obj.getCertificate = function(certs, func) { obj.runAsProduction = (obj.parent.config.letsencrypt.production === true); - parent.debug('cert', "LE: Getting certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")"); - if (certs.CommonName.indexOf('.') == -1) { console.log("ERROR: Use --cert to setup the default server name before using Let's Encrypt."); func(certs); return; } - if (obj.parent.config.letsencrypt == null) { func(certs); return; } - if (obj.parent.config.letsencrypt.email == null) { console.log("ERROR: Let's Encrypt email address not specified."); func(certs); return; } - if ((obj.parent.redirserver == null) || ((typeof obj.parent.config.settings.rediraliasport === 'number') && (obj.parent.config.settings.rediraliasport !== 80)) || ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port !== 80))) { console.log("ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work."); func(certs); return; } - if (obj.redirWebServerHooked !== true) { console.log("ERROR: Redirection web server not setup for Let's Encrypt to work."); func(certs); return; } - if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { console.log("ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."); func(certs); return; } + obj.log("Getting certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")"); + if (certs.CommonName.indexOf('.') == -1) { obj.configErr = "ERROR: Use --cert to setup the default server name before using Let's Encrypt."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; } + if (obj.parent.config.letsencrypt == null) { obj.configErr = "No Let's Encrypt configuration"; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; } + if (obj.parent.config.letsencrypt.email == null) { obj.configErr = "ERROR: Let's Encrypt email address not specified."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; } + if ((obj.parent.redirserver == null) || ((typeof obj.parent.config.settings.rediraliasport === 'number') && (obj.parent.config.settings.rediraliasport !== 80)) || ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port !== 80))) { obj.configErr = "ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; } + if (obj.redirWebServerHooked !== true) { obj.configErr = "ERROR: Redirection web server not setup for Let's Encrypt to work."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; } + if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { obj.configErr = "ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; } + if (obj.checkInterval == null) { obj.checkInterval = setInterval(obj.checkRenewCertificate, 86400000); } // Call certificate check every 24 hours. + obj.configOk = true; // Get the list of domains obj.leDomains = [ certs.CommonName ]; @@ -379,7 +392,7 @@ module.exports.CreateLetsEncrypt2 = function (parent) { var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt')); var keyFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.key' : 'staging.key')); if (obj.fs.existsSync(certFile) && obj.fs.existsSync(keyFile)) { - parent.debug('cert', "LE: Reading certificate files"); + obj.log("Reading certificate files"); // Read the certificate and private key var certPem = obj.fs.readFileSync(certFile).toString('utf8'); @@ -397,54 +410,55 @@ module.exports.CreateLetsEncrypt2 = function (parent) { // Use this certificate when possible on any domain if (obj.certNames.indexOf(certs.CommonName) >= 0) { + obj.log("Setting LE cert for default domain."); certs.web.cert = certPem; certs.web.key = keyPem; //certs.web.ca = [results.pems.chain]; } for (var i in obj.parent.config.domains) { if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.parent.config.domains[i].dns))) { + obj.log("Setting LE cert for domain " + i + "."); certs.dns[i].cert = certPem; certs.dns[i].key = keyPem; //certs.dns[i].ca = [results.pems.chain]; } } } else { - parent.debug('cert', "LE: No certificate files found"); + obj.log("No certificate files found"); } func(certs); - obj.checkRenewCertificate(); + setTimeout(obj.checkRenewCertificate, 5000); // Hold 5 seconds and check if we need to request a certificate. } // Check if we need to get a new certificate // Return 0 = CertOK, 1 = Request:NoCert, 2 = Request:Expire, 3 = Request:MissingNames obj.checkRenewCertificate = function () { - parent.debug('cert', "LE: Checking certificate"); if (obj.certNames == null) { - parent.debug('cert', "LE: Got no certificates, asking for one now."); + obj.log("Got no certificates, asking for one now."); obj.requestCertificate(); return 1; } else { // Look at the existing certificate to see if we need to renew it var daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); - parent.debug('cert', "LE: Certificate has " + daysLeft + " day(s) left."); + obj.log("Certificate has " + daysLeft + " day(s) left."); if (daysLeft < 45) { - parent.debug('cert', "LE: Asking for new certificate because of expire time."); + obj.log("Asking for new certificate because of expire time."); obj.requestCertificate(); return 2; } else { var missingDomain = false; for (var i in obj.leDomains) { if (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.leDomains[i]) == false) { - parent.debug('cert', "LE: Missing name " + obj.leDomains[i] + "."); + obj.log("Missing name \"" + obj.leDomains[i] + "\"."); missingDomain = true; } } if (missingDomain) { - parent.debug('cert', "LE: Asking for new certificate because of missing names."); + obj.log("Asking for new certificate because of missing names."); obj.requestCertificate(); return 3; } else { - parent.debug('cert', "LE: Certificate is ok."); + obj.log("Certificate is ok."); } } } @@ -452,25 +466,27 @@ module.exports.CreateLetsEncrypt2 = function (parent) { } obj.requestCertificate = function () { + if (obj.configOk == false) { obj.log("Can't request cert, invalid configuration.");return; } + // Create a private key - parent.debug('cert', "LE: Generating private key..."); + obj.log("Generating private key..."); acme.forge.createPrivateKey().then(function (accountKey) { // Create the ACME client - parent.debug('cert', "LE: Setting up ACME client..."); + obj.log("Setting up ACME client..."); obj.client = new acme.Client({ directoryUrl: obj.runAsProduction ? acme.directory.letsencrypt.production : acme.directory.letsencrypt.staging, accountKey: accountKey }); // Create Certificate Request (CSR) - parent.debug('cert', "LE: Creating certificate request..."); + obj.log("Creating certificate request..."); acme.forge.createCsr({ commonName: obj.leDomains[0], altNames: obj.leDomains }).then(function (r) { var csr = r[1]; obj.tempPrivateKey = r[0]; - parent.debug('cert', "LE: Requesting certificate from Let's Encrypt..."); + obj.log("Requesting certificate from Let's Encrypt..."); obj.client.auto({ csr, email: obj.parent.config.letsencrypt.email, @@ -478,7 +494,7 @@ module.exports.CreateLetsEncrypt2 = function (parent) { challengeCreateFn, challengeRemoveFn }).then(function (cert) { - parent.debug('cert', "LE: Got certificate."); + obj.log("Got certificate."); // Save certificate and private key to PEM files var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt')); @@ -488,16 +504,16 @@ module.exports.CreateLetsEncrypt2 = function (parent) { delete obj.tempPrivateKey; // Cause a server restart - parent.debug('cert', "LE: Performing server restart..."); + obj.log("Performing server restart..."); obj.parent.performServerCertUpdate(); }, function (err) { - parent.debug('cert', "LE: Failed to obtain certificate: " + err.message); + obj.log("Failed to obtain certificate: " + err.message); }); }, function (err) { - parent.debug('cert', "LE: Failed to generate certificate request: " + err.message); + obj.log("Failed to generate certificate request: " + err.message); }); }, function (err) { - parent.debug('cert', "LE: Failed to generate private key: " + err.message); + obj.log("Failed to generate private key: " + err.message); }); } @@ -505,13 +521,15 @@ module.exports.CreateLetsEncrypt2 = function (parent) { obj.getStats = function () { var r = { lib: 'acme-client', + configOk: obj.configOk, leDomains: obj.leDomains, challenges: obj.challenges, production: obj.runAsProduction, webServer: obj.redirWebServerHooked, - certPath: obj.certPath, + certPath: obj.certPath }; - if (obj.certExpire) { r.daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); } + if (obj.configErr) { r.error = obj.configErr; } + if (obj.certExpire) { r.cert = 'Present'; r.daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); } else { r.cert = 'None'; } return r; } diff --git a/meshcentral.js b/meshcentral.js index 16d19bba..56d09073 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -2389,7 +2389,13 @@ function mainStart() { if (require('os').platform() == 'win32') { modules.push('node-windows'); if (sspi == true) { modules.push('node-sspi'); } } // Add Windows modules if (ldap == true) { modules.push('ldapauth-fork'); } if (recordingIndex == true) { modules.push('image-size'); } // Need to get the remote desktop JPEG sizes to index the recodring file. - if (config.letsencrypt != null) { if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push((config.letsencrypt.lib == 'acme-client') ? 'acme-client' : 'greenlock@4.0.4'); } } // Add Greenlock Module or acme-client module + if (config.letsencrypt != null) { + if (config.letsencrypt.lib == 'acme-client') { + if (nodeVersion < 8) { addServerWarning("Let's Encrypt support requires Node v8.x or higher.", !args.launch); } else { modules.push('acme-client'); } + } else { + if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push('greenlock@4.0.4'); } + } + } // Add Greenlock Module or acme-client module if (config.settings.mqtt != null) { modules.push('aedes'); } // Add MQTT Modules if (config.settings.mysql != null) { modules.push('mysql'); } // Add MySQL, official driver. if (config.settings.mongodb != null) { modules.push('mongodb'); } // Add MongoDB, official driver. diff --git a/meshuser.js b/meshuser.js index 9bf2d2d8..0f51f16d 100644 --- a/meshuser.js +++ b/meshuser.js @@ -689,7 +689,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use switch (cmd) { case 'help': { - var fin = '', f = '', availcommands = 'help,info,versions,args,resetserver,showconfig,usersessions,closeusersessions,tasklimiter,setmaxtasks,cores,migrationagents,agentstats,webstats,mpsstats,swarmstats,acceleratorsstats,updatecheck,serverupdate,nodeconfig,heapdump,relays,autobackup,backupconfig,dupagents,dispatchtable,badlogins,showpaths,letsencrypt'; + var fin = '', f = '', availcommands = 'help,info,versions,args,resetserver,showconfig,usersessions,closeusersessions,tasklimiter,setmaxtasks,cores,migrationagents,agentstats,webstats,mpsstats,swarmstats,acceleratorsstats,updatecheck,serverupdate,nodeconfig,heapdump,relays,autobackup,backupconfig,dupagents,dispatchtable,badlogins,showpaths,le,lecheck,leevents'; availcommands = availcommands.split(',').sort(); while (availcommands.length > 0) { if (f.length > 80) { fin += (f + ',\r\n'); f = ''; } @@ -699,8 +699,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use r = 'Available commands: \r\n' + fin + '.'; break; } - case 'le': - case 'letsencrypt': { + case 'le': { if (parent.parent.letsencrypt == null) { r = "Let's Encrypt not in use."; } else { @@ -742,6 +741,18 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use } break; } + case 'leevents': { + if (parent.parent.letsencrypt == null) { + r = "Let's Encrypt not in use."; + } else { + if (parent.parent.letsencrypt.lib == 'acme-client') { + r = parent.parent.letsencrypt.events.join('\r\n'); + } else { + r = 'Not supported'; + } + } + break; + } case 'badlogins': { if (parent.parent.config.settings.maxinvalidlogin == false) { r = 'Bad login filter is disabled.'; diff --git a/translate/translate.json b/translate/translate.json index dcd5d090..83bcb122 100644 --- a/translate/translate.json +++ b/translate/translate.json @@ -3031,7 +3031,7 @@ "nl": "Weet u zeker dat u de plug-in {0} wilt gebruiken: {1}", "ru": "Вы уверенны, что {0} плагин: {1}", "xloc": [ - "default.handlebars->27->1510" + "default.handlebars->27->1511" ] }, { @@ -3552,7 +3552,7 @@ "pt": "Servidor CIRA", "ru": "CIRA Сервер", "xloc": [ - "default.handlebars->27->1501" + "default.handlebars->27->1502" ] }, { @@ -3566,7 +3566,7 @@ "pt": "Comandos do servidor CIRA", "ru": "CIRA Сервер команды", "xloc": [ - "default.handlebars->27->1502" + "default.handlebars->27->1503" ] }, { @@ -3665,7 +3665,7 @@ "pt": "Erro de chamada", "ru": "Ошибка вызова", "xloc": [ - "default.handlebars->27->1511" + "default.handlebars->27->1512" ] }, { @@ -4000,7 +4000,7 @@ "pt": "Verificando ...", "ru": "Проверка...", "xloc": [ - "default.handlebars->27->1507", + "default.handlebars->27->1508", "default.handlebars->27->769" ] }, @@ -4663,7 +4663,7 @@ "pt": "Encaminhador de conexão", "ru": "Ретранслятор подключения", "xloc": [ - "default.handlebars->27->1500" + "default.handlebars->27->1501" ] }, { @@ -9089,7 +9089,7 @@ "default.handlebars->27->1194", "default.handlebars->27->1200", "default.handlebars->27->1479", - "default.handlebars->27->1499" + "default.handlebars->27->1500" ] }, { @@ -10500,7 +10500,7 @@ "pt": "Menos", "ru": "Меньше", "xloc": [ - "default.handlebars->27->1513" + "default.handlebars->27->1514" ] }, { @@ -12153,7 +12153,7 @@ "pt": "Mais", "ru": "Еще", "xloc": [ - "default.handlebars->27->1512" + "default.handlebars->27->1513" ] }, { @@ -14314,7 +14314,7 @@ "nl": "Plugin Actie", "ru": "Действие плагина", "xloc": [ - "default.handlebars->27->1509", + "default.handlebars->27->1510", "default.handlebars->27->159" ] }, @@ -16345,6 +16345,12 @@ "default.handlebars->27->1494" ] }, + { + "en": "Server Database", + "xloc": [ + "default.handlebars->27->1495" + ] + }, { "cs": "Soubory serveru", "de": "Server-Dateien", @@ -16455,7 +16461,7 @@ "pt": "Rastreamento de servidor", "ru": "Трассировка сервера", "xloc": [ - "default.handlebars->27->1503" + "default.handlebars->27->1504" ] }, { @@ -19152,7 +19158,7 @@ "nl": "Bijgewerkt", "ru": "Актуально", "xloc": [ - "default.handlebars->27->1508" + "default.handlebars->27->1509" ] }, { @@ -19991,8 +19997,8 @@ "pt": "Servidor web", "ru": "Веб-сервер", "xloc": [ - "default.handlebars->27->1495", - "default.handlebars->27->1496" + "default.handlebars->27->1496", + "default.handlebars->27->1497" ] }, { @@ -20006,7 +20012,7 @@ "pt": "Solicitações de servidor Web", "ru": "Запросы веб-сервера", "xloc": [ - "default.handlebars->27->1497" + "default.handlebars->27->1498" ] }, { @@ -20020,7 +20026,7 @@ "pt": "Encaminhador de soquete da Web", "ru": "Ретранслятор Web Socket", "xloc": [ - "default.handlebars->27->1498" + "default.handlebars->27->1499" ] }, { @@ -20663,7 +20669,7 @@ "pt": "\\\\'", "ru": "\\\\'", "xloc": [ - "default.handlebars->27->1506" + "default.handlebars->27->1507" ] }, { @@ -21088,7 +21094,7 @@ "pt": "servertrace.csv", "ru": "servertrace.csv", "xloc": [ - "default.handlebars->27->1505" + "default.handlebars->27->1506" ] }, { @@ -21137,7 +21143,7 @@ "pt": "hora, fonte, mensagem", "ru": "time, source, message", "xloc": [ - "default.handlebars->27->1504" + "default.handlebars->27->1505" ] }, { diff --git a/views/default.handlebars b/views/default.handlebars index bc9e6c8b..a8992b97 100644 --- a/views/default.handlebars +++ b/views/default.handlebars @@ -10674,6 +10674,7 @@ x += '
'; x += '
'; x += '
'; + x += '
'; x += '
' + "Web Server" + '
'; x += '
'; x += '
'; @@ -10690,8 +10691,8 @@ } function setServerTracingEx(b) { - var sources = [], allsources = ['cookie', 'dispatch', 'main', 'peer', 'web', 'webrequest', 'relay', 'webrelaydata', 'webrelay', 'mps', 'mpscmd', 'swarm', 'swarmcmd', 'agentupdate', 'agent', 'cert']; - if (b == 1) { for (var i = 1; i < 17; i++) { try { if (Q('p41c' + i).checked) { sources.push(allsources[i - 1]); } } catch (ex) { } } } + var sources = [], allsources = ['cookie', 'dispatch', 'main', 'peer', 'web', 'webrequest', 'relay', 'webrelaydata', 'webrelay', 'mps', 'mpscmd', 'swarm', 'swarmcmd', 'agentupdate', 'agent', 'cert', 'db']; + if (b == 1) { for (var i = 1; i < 18; i++) { try { if (Q('p41c' + i).checked) { sources.push(allsources[i - 1]); } } catch (ex) { } } } meshserver.send({ action: 'traceinfo', traceSources: sources }); }