mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-11-27 11:57:45 +03:00
Let's Encrypt Improvements
This commit is contained in:
parent
b45b60fb13
commit
889d935d1a
129
letsEncrypt.js
129
letsEncrypt.js
@ -37,21 +37,20 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
|||||||
obj.redirWebServerHooked = false;
|
obj.redirWebServerHooked = false;
|
||||||
obj.leDomains = null;
|
obj.leDomains = null;
|
||||||
obj.leResults = null;
|
obj.leResults = null;
|
||||||
obj.performRestart = false;
|
obj.leResultsStaging = null;
|
||||||
|
obj.performRestart = false; // Indicates we need to restart the server
|
||||||
|
obj.performMoveToProduction = false; // Indicates we just got a staging certificate and need to move to production
|
||||||
|
obj.runAsProduction = false; // This starts at false and moves to true if staging cert is ok.
|
||||||
|
|
||||||
// Setup the certificate storage paths
|
// Setup the certificate storage paths
|
||||||
obj.configPath = obj.path.join(obj.parent.datapath, 'letsencrypt3');
|
obj.configPath = obj.path.join(obj.parent.datapath, 'letsencrypt3');
|
||||||
try { obj.parent.fs.mkdirSync(obj.configPath); } catch (e) { }
|
try { obj.parent.fs.mkdirSync(obj.configPath); } catch (e) { }
|
||||||
|
obj.configPathStaging = obj.path.join(obj.parent.datapath, 'letsencrypt3-staging');
|
||||||
|
try { obj.parent.fs.mkdirSync(obj.configPathStaging); } catch (e) { }
|
||||||
|
|
||||||
// Setup Let's Encrypt default configuration
|
// Setup Let's Encrypt default configuration
|
||||||
obj.leDefaults = {
|
obj.leDefaults = { agreeToTerms: true, store: { module: 'greenlock-store-fs', basePath: obj.configPath } };
|
||||||
agreeToTerms: true,
|
obj.leDefaultsStaging = { agreeToTerms: true, store: { module: 'greenlock-store-fs', basePath: obj.configPathStaging } };
|
||||||
//serverKeyType: 'RSA-2048', // Seems like only "RSA-2048" or "P-256" is supported.
|
|
||||||
store: {
|
|
||||||
module: 'greenlock-store-fs',
|
|
||||||
basePath: obj.configPath
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
// Get package and maintainer email
|
// Get package and maintainer email
|
||||||
const pkg = require('./package.json');
|
const pkg = require('./package.json');
|
||||||
@ -68,7 +67,7 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
|||||||
maintainerEmail = pkg.author.email;
|
maintainerEmail = pkg.author.email;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create the main GreenLock code module.
|
// Create the main GreenLock code module for production.
|
||||||
var greenlockargs = {
|
var greenlockargs = {
|
||||||
parent: obj,
|
parent: obj,
|
||||||
packageRoot: __dirname,
|
packageRoot: __dirname,
|
||||||
@ -76,22 +75,44 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
|||||||
manager: obj.path.join(__dirname, 'letsencrypt.js'),
|
manager: obj.path.join(__dirname, 'letsencrypt.js'),
|
||||||
maintainerEmail: maintainerEmail,
|
maintainerEmail: maintainerEmail,
|
||||||
notify: function (ev, args) { if (typeof args == 'string') { parent.debug('cert', ev + ': ' + args); } else { parent.debug('cert', ev + ': ' + JSON.stringify(args)); } },
|
notify: function (ev, args) { if (typeof args == 'string') { parent.debug('cert', ev + ': ' + args); } else { parent.debug('cert', ev + ': ' + JSON.stringify(args)); } },
|
||||||
staging: (obj.parent.config.letsencrypt.production !== true),
|
staging: false,
|
||||||
debug: (obj.parent.args.debug > 0)
|
debug: (obj.parent.args.debug > 0)
|
||||||
};
|
};
|
||||||
|
|
||||||
if (obj.parent.args.debug == null) { greenlockargs.log = function (debug) { }; } // If not in debug mode, ignore all console output from greenlock (makes things clean).
|
if (obj.parent.args.debug == null) { greenlockargs.log = function (debug) { }; } // If not in debug mode, ignore all console output from greenlock (makes things clean).
|
||||||
obj.le = greenlock.create(greenlockargs);
|
obj.le = greenlock.create(greenlockargs);
|
||||||
|
|
||||||
|
// Create the main GreenLock code module for staging.
|
||||||
|
var greenlockargsstaging = {
|
||||||
|
parent: obj,
|
||||||
|
packageRoot: __dirname,
|
||||||
|
packageAgent: pkg.name + '/' + pkg.version,
|
||||||
|
manager: obj.path.join(__dirname, 'letsencrypt.js'),
|
||||||
|
maintainerEmail: maintainerEmail,
|
||||||
|
notify: function (ev, args) { if (typeof args == 'string') { parent.debug('cert', ev + ': ' + args); } else { parent.debug('cert', ev + ': ' + JSON.stringify(args)); } },
|
||||||
|
staging: true,
|
||||||
|
debug: (obj.parent.args.debug > 0)
|
||||||
|
};
|
||||||
|
if (obj.parent.args.debug == null) { greenlockargsstaging.log = function (debug) { }; } // If not in debug mode, ignore all console output from greenlock (makes things clean).
|
||||||
|
obj.leStaging = greenlock.create(greenlockargsstaging);
|
||||||
|
|
||||||
// Hook up GreenLock to the redirection server
|
// Hook up GreenLock to the redirection server
|
||||||
if (obj.parent.redirserver.port == 80) { obj.redirWebServerHooked = true; }
|
if (obj.parent.redirserver.port == 80) { obj.redirWebServerHooked = true; }
|
||||||
|
|
||||||
// Respond to a challenge
|
// Respond to a challenge
|
||||||
obj.challenge = function (token, hostname, func) {
|
obj.challenge = function (token, hostname, func) {
|
||||||
|
if (obj.runAsProduction === true) {
|
||||||
|
// Production
|
||||||
parent.debug('cert', "Challenge " + hostname + "/" + token);
|
parent.debug('cert', "Challenge " + hostname + "/" + token);
|
||||||
obj.le.challenges.get({ type: 'http-01', servername: hostname, token: token })
|
obj.le.challenges.get({ type: 'http-01', servername: hostname, token: token })
|
||||||
.then(function (results) { func(results.keyAuthorization); })
|
.then(function (results) { func(results.keyAuthorization); })
|
||||||
.catch(function (e) { console.log('LE-ERROR', e); func(null); }); // unexpected error, not related to renewal
|
.catch(function (e) { console.log('LE-ERROR', e); func(null); }); // unexpected error, not related to renewal
|
||||||
|
} else {
|
||||||
|
// Staging
|
||||||
|
parent.debug('cert', "Challenge " + hostname + "/" + token);
|
||||||
|
obj.leStaging.challenges.get({ type: 'http-01', servername: hostname, token: token })
|
||||||
|
.then(function (results) { func(results.keyAuthorization); })
|
||||||
|
.catch(function (e) { console.log('LE-ERROR', e); func(null); }); // unexpected error, not related to renewal
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
obj.getCertificate = function(certs, func) {
|
obj.getCertificate = function(certs, func) {
|
||||||
@ -112,10 +133,47 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
|||||||
obj.leDomains = obj.parent.config.letsencrypt.names;
|
obj.leDomains = obj.parent.config.letsencrypt.names;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the Let's Encrypt certificate from our own storage
|
if (obj.parent.config.letsencrypt.production !== true) {
|
||||||
obj.le.get({ servername: obj.leDomains[0] })
|
// We are in staging mode, just go ahead
|
||||||
|
obj.getCertificateEx(certs, func);
|
||||||
|
} else {
|
||||||
|
// We are really in production mode
|
||||||
|
if (obj.runAsProduction === true) {
|
||||||
|
// Staging cert check must have been done already, move to production
|
||||||
|
obj.getCertificateEx(certs, func);
|
||||||
|
} else {
|
||||||
|
// Perform staging certificate check
|
||||||
|
parent.debug('cert', "Checking staging certificate " + obj.leDomains[0] + "...");
|
||||||
|
obj.leStaging.get({ servername: obj.leDomains[0] })
|
||||||
.then(function (results) {
|
.then(function (results) {
|
||||||
// If we already have real certificates, use them.
|
if (results != null) {
|
||||||
|
// We have a staging certificate, move to production for real
|
||||||
|
parent.debug('cert', "Staging certificate is present, moving to production...");
|
||||||
|
obj.runAsProduction = true;
|
||||||
|
obj.getCertificateEx(certs, func);
|
||||||
|
} else {
|
||||||
|
// No staging certificate
|
||||||
|
parent.debug('cert', "No staging certificate present");
|
||||||
|
func(certs);
|
||||||
|
setTimeout(obj.checkRenewCertificate, 10000); // Check the certificate in 10 seconds.
|
||||||
|
}
|
||||||
|
})
|
||||||
|
.catch(function (e) {
|
||||||
|
// No staging certificate
|
||||||
|
parent.debug('cert', "No staging certificate present");
|
||||||
|
func(certs);
|
||||||
|
setTimeout(obj.checkRenewCertificate, 10000); // Check the certificate in 10 seconds.
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
obj.getCertificateEx = function (certs, func) {
|
||||||
|
// Get the Let's Encrypt certificate from our own storage
|
||||||
|
const xle = (obj.runAsProduction === true)? obj.le : obj.leStaging;
|
||||||
|
xle.get({ servername: obj.leDomains[0] })
|
||||||
|
.then(function (results) {
|
||||||
|
// If we already have real certificates, use them
|
||||||
if (results) {
|
if (results) {
|
||||||
if (results.site.altnames.indexOf(certs.CommonName) >= 0) {
|
if (results.site.altnames.indexOf(certs.CommonName) >= 0) {
|
||||||
certs.web.cert = results.pems.cert;
|
certs.web.cert = results.pems.cert;
|
||||||
@ -130,7 +188,7 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
parent.debug('cert', "Got certs from local store");
|
parent.debug('cert', "Got certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")");
|
||||||
func(certs);
|
func(certs);
|
||||||
|
|
||||||
// Check if the Let's Encrypt certificate needs to be renewed.
|
// Check if the Let's Encrypt certificate needs to be renewed.
|
||||||
@ -139,7 +197,7 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
|||||||
return;
|
return;
|
||||||
})
|
})
|
||||||
.catch(function (e) {
|
.catch(function (e) {
|
||||||
parent.debug('cert', "Unable to get certs from local store");
|
parent.debug('cert', "Unable to get certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")");
|
||||||
setTimeout(obj.checkRenewCertificate, 10000); // Check the certificate in 10 seconds.
|
setTimeout(obj.checkRenewCertificate, 10000); // Check the certificate in 10 seconds.
|
||||||
func(certs);
|
func(certs);
|
||||||
});
|
});
|
||||||
@ -147,15 +205,23 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
|||||||
|
|
||||||
// Check if we need to renew the certificate, call this every day.
|
// Check if we need to renew the certificate, call this every day.
|
||||||
obj.checkRenewCertificate = function () {
|
obj.checkRenewCertificate = function () {
|
||||||
parent.debug('cert', "Checking certs");
|
parent.debug('cert', "Checking certs (" + (obj.runAsProduction ? "Production" : "Staging") + ")");
|
||||||
|
|
||||||
// Setup renew options
|
// Setup renew options
|
||||||
var renewOptions = { servername: obj.leDomains[0] };
|
var renewOptions = { servername: obj.leDomains[0] };
|
||||||
if (obj.leDomains.length > 0) { renewOptions.altnames = obj.leDomains; }
|
if (obj.leDomains.length > 0) { renewOptions.altnames = obj.leDomains; }
|
||||||
obj.le.renew(renewOptions)
|
const xle = (obj.runAsProduction === true)? obj.le : obj.leStaging;
|
||||||
|
xle.renew(renewOptions)
|
||||||
.then(function (results) {
|
.then(function (results) {
|
||||||
parent.debug('cert', "Checks completed");
|
parent.debug('cert', "Checks completed (" + (obj.runAsProduction ? "Production" : "Staging") + ")");
|
||||||
if (obj.performRestart === true) { parent.debug('cert', "Certs changed, restarting..."); obj.parent.performServerCertUpdate(); } // Reset the server, TODO: Reset all peers
|
if (obj.performRestart === true) { parent.debug('cert', "Certs changed, restarting..."); obj.parent.performServerCertUpdate(); } // Reset the server, TODO: Reset all peers
|
||||||
|
else if (obj.performMoveToProduction == true) {
|
||||||
|
parent.debug('cert', "Staging certificate received, moving to production...");
|
||||||
|
obj.runAsProduction = true;
|
||||||
|
obj.performMoveToProduction = false;
|
||||||
|
obj.performRestart = true;
|
||||||
|
setTimeout(obj.checkRenewCertificate, 10000); // Check the certificate in 10 seconds.
|
||||||
|
}
|
||||||
})
|
})
|
||||||
.catch(function (e) { console.log(e); });
|
.catch(function (e) { console.log(e); });
|
||||||
}
|
}
|
||||||
@ -175,25 +241,40 @@ module.exports.create = function (options) {
|
|||||||
|
|
||||||
manager.set = function (options) {
|
manager.set = function (options) {
|
||||||
manager.parent.parent.debug('cert', "Certificate has been set");
|
manager.parent.parent.debug('cert', "Certificate has been set");
|
||||||
manager.parent.performRestart = true;
|
if (manager.parent.parent.config.letsencrypt.production == manager.parent.runAsProduction) { manager.parent.performRestart = true; }
|
||||||
|
else if ((manager.parent.parent.config.letsencrypt.production === true) && (manager.parent.runAsProduction === false)) { manager.parent.performMoveToProduction = true; }
|
||||||
return null;
|
return null;
|
||||||
};
|
};
|
||||||
|
|
||||||
manager.remove = function (options) {
|
manager.remove = function (options) {
|
||||||
manager.parent.parent.debug('cert', "Certificate has been removed");
|
manager.parent.parent.debug('cert', "Certificate has been removed");
|
||||||
manager.parent.performRestart = true;
|
if (manager.parent.parent.config.letsencrypt.production == manager.parent.runAsProduction) { manager.parent.performRestart = true; }
|
||||||
|
else if ((manager.parent.parent.config.letsencrypt.production === true) && (manager.parent.runAsProduction === false)) { manager.parent.performMoveToProduction = true; }
|
||||||
return null;
|
return null;
|
||||||
};
|
};
|
||||||
|
|
||||||
// set the global config
|
// set the global config
|
||||||
manager.defaults = async function (options) {
|
manager.defaults = async function (options) {
|
||||||
//console.log('LE-DEFAULTS', options);
|
var r;
|
||||||
|
if (manager.parent.runAsProduction === true) {
|
||||||
|
// Production
|
||||||
|
//console.log('LE-DEFAULTS-Production', options);
|
||||||
if (options != null) { for (var i in options) { if (manager.parent.leDefaults[i] == null) { manager.parent.leDefaults[i] = options[i]; } } }
|
if (options != null) { for (var i in options) { if (manager.parent.leDefaults[i] == null) { manager.parent.leDefaults[i] = options[i]; } } }
|
||||||
var r = manager.parent.leDefaults;
|
r = manager.parent.leDefaults;
|
||||||
var mainsite = { subject: manager.parent.leDomains[0] };
|
var mainsite = { subject: manager.parent.leDomains[0] };
|
||||||
if (manager.parent.leDomains.length > 0) { mainsite.altnames = manager.parent.leDomains; }
|
if (manager.parent.leDomains.length > 0) { mainsite.altnames = manager.parent.leDomains; }
|
||||||
r.subscriberEmail = manager.parent.parent.config.letsencrypt.email;
|
r.subscriberEmail = manager.parent.parent.config.letsencrypt.email;
|
||||||
r.sites = { mainsite: mainsite };
|
r.sites = { mainsite: mainsite };
|
||||||
|
} else {
|
||||||
|
// Staging
|
||||||
|
//console.log('LE-DEFAULTS-Staging', options);
|
||||||
|
if (options != null) { for (var i in options) { if (manager.parent.leDefaultsStaging[i] == null) { manager.parent.leDefaultsStaging[i] = options[i]; } } }
|
||||||
|
r = manager.parent.leDefaultsStaging;
|
||||||
|
var mainsite = { subject: manager.parent.leDefaultsStaging[0] };
|
||||||
|
if (manager.parent.leDefaultsStaging.length > 0) { mainsite.altnames = manager.parent.leDefaultsStaging; }
|
||||||
|
r.subscriberEmail = manager.parent.parent.config.letsencrypt.email;
|
||||||
|
r.sites = { mainsite: mainsite };
|
||||||
|
}
|
||||||
return r;
|
return r;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "meshcentral",
|
"name": "meshcentral",
|
||||||
"version": "0.4.4-e",
|
"version": "0.4.4-f",
|
||||||
"keywords": [
|
"keywords": [
|
||||||
"Remote Management",
|
"Remote Management",
|
||||||
"Intel AMT",
|
"Intel AMT",
|
||||||
|
Loading…
Reference in New Issue
Block a user