From fea2120849eeb076f086916c43fad92ae3827757 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Thu, 5 Mar 2020 01:39:40 -0800 Subject: [PATCH] Added completely new Let's Encrypt system. --- MeshCentralServer.njsproj | 2 + letsEncrypt.js | 198 +++++++++++++++++++++++++++++++++++++- meshcentral.js | 16 ++- meshuser.js | 44 ++++++--- package.json | 8 +- 5 files changed, 246 insertions(+), 22 deletions(-) diff --git a/MeshCentralServer.njsproj b/MeshCentralServer.njsproj index a4ae82ff..37074514 100644 --- a/MeshCentralServer.njsproj +++ b/MeshCentralServer.njsproj @@ -316,6 +316,7 @@ + @@ -325,6 +326,7 @@ + diff --git a/letsEncrypt.js b/letsEncrypt.js index 52bda2b8..6d1ece11 100644 --- a/letsEncrypt.js +++ b/letsEncrypt.js @@ -14,8 +14,8 @@ /*jshint esversion: 6 */ 'use strict'; +// GreenLock Implementation var globalLetsEncrypt = null; - module.exports.CreateLetsEncrypt = function (parent) { try { // Get the GreenLock version @@ -44,6 +44,7 @@ module.exports.CreateLetsEncrypt = function (parent) { var obj = {}; globalLetsEncrypt = obj; obj.parent = parent; + obj.lib = 'greenlock'; obj.path = require('path'); obj.redirWebServerHooked = false; obj.leDomains = null; @@ -322,4 +323,197 @@ module.exports.create = function (options) { }; return manager; -}; \ No newline at end of file +}; + + +// ACME-Client Implementation +var globalLetsEncrypt = null; +module.exports.CreateLetsEncrypt2 = function (parent) { + const acme = require('acme-client'); + + var obj = {}; + obj.lib = 'acme-client'; + obj.fs = require('fs'); + obj.path = require('path'); + obj.parent = parent; + obj.forge = obj.parent.certificateOperations.forge; + obj.leDomains = null; + obj.challenges = {}; + obj.runAsProduction = false; + obj.redirWebServerHooked = false; + + // Setup the certificate storage paths + obj.certPath = obj.path.join(obj.parent.datapath, 'letsencrypt-certs'); + try { obj.parent.fs.mkdirSync(obj.certPath); } catch (e) { } + + // Hook up GreenLock to the redirection server + if (obj.parent.config.settings.rediraliasport === 80) { obj.redirWebServerHooked = true; } + else if ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port == 80)) { obj.redirWebServerHooked = true; } + + // Deal with HTTP challenges + function challengeCreateFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { obj.challenges[challenge.token] = keyAuthorization; } } + function challengeRemoveFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { delete obj.challenges[challenge.token]; } } + obj.challenge = function (token, hostname, func) { func(obj.challenges[token]); } + + // Get the current certificate + obj.getCertificate = function(certs, func) { + obj.runAsProduction = (obj.parent.config.letsencrypt.production === true); + parent.debug('cert', "LE: Getting certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")"); + if (certs.CommonName.indexOf('.') == -1) { console.log("ERROR: Use --cert to setup the default server name before using Let's Encrypt."); func(certs); return; } + if (obj.parent.config.letsencrypt == null) { func(certs); return; } + if (obj.parent.config.letsencrypt.email == null) { console.log("ERROR: Let's Encrypt email address not specified."); func(certs); return; } + if ((obj.parent.redirserver == null) || ((typeof obj.parent.config.settings.rediraliasport === 'number') && (obj.parent.config.settings.rediraliasport !== 80)) || ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port !== 80))) { console.log("ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work."); func(certs); return; } + if (obj.redirWebServerHooked !== true) { console.log("ERROR: Redirection web server not setup for Let's Encrypt to work."); func(certs); return; } + if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { console.log("ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."); func(certs); return; } + + // Get the list of domains + obj.leDomains = [ certs.CommonName ]; + if (obj.parent.config.letsencrypt.names != null) { + if (typeof obj.parent.config.letsencrypt.names == 'string') { obj.parent.config.letsencrypt.names = obj.parent.config.letsencrypt.names.split(','); } + obj.parent.config.letsencrypt.names.map(function (s) { return s.trim(); }); // Trim each name + if ((typeof obj.parent.config.letsencrypt.names != 'object') || (obj.parent.config.letsencrypt.names.length == null)) { console.log("ERROR: Let's Encrypt names must be an array in config.json."); func(certs); return; } + obj.leDomains = obj.parent.config.letsencrypt.names; + } + + // Read TLS certificate from the configPath + var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt')); + var keyFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.key' : 'staging.key')); + if (obj.fs.existsSync(certFile) && obj.fs.existsSync(keyFile)) { + parent.debug('cert', "LE: Reading certificate files"); + + // Read the certificate and private key + var certPem = obj.fs.readFileSync(certFile).toString('utf8'); + var cert = obj.forge.pki.certificateFromPem(certPem); + var keyPem = obj.fs.readFileSync(keyFile).toString('utf8'); + var key = obj.forge.pki.privateKeyFromPem(keyPem); + + // Decode the certificate common and alt names + obj.certNames = [cert.subject.getField('CN').value]; + var altNames = cert.getExtension('subjectAltName'); + if (altNames) { for (i = 0; i < altNames.altNames.length; i++) { var acn = altNames.altNames[i].value.toLowerCase(); if (obj.certNames.indexOf(acn) == -1) { obj.certNames.push(acn); } } } + + // Decode the certificate expire time + obj.certExpire = cert.validity.notAfter; + + // Use this certificate when possible on any domain + if (obj.certNames.indexOf(certs.CommonName) >= 0) { + certs.web.cert = certPem; + certs.web.key = keyPem; + //certs.web.ca = [results.pems.chain]; + } + for (var i in obj.parent.config.domains) { + if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.parent.config.domains[i].dns))) { + certs.dns[i].cert = certPem; + certs.dns[i].key = keyPem; + //certs.dns[i].ca = [results.pems.chain]; + } + } + } else { + parent.debug('cert', "LE: No certificate files found"); + } + func(certs); + obj.checkRenewCertificate(); + } + + // Check if we need to get a new certificate + // Return 0 = CertOK, 1 = Request:NoCert, 2 = Request:Expire, 3 = Request:MissingNames + obj.checkRenewCertificate = function () { + parent.debug('cert', "LE: Checking certificate"); + if (obj.certNames == null) { + parent.debug('cert', "LE: Got no certificates, asking for one now."); + obj.requestCertificate(); + return 1; + } else { + // Look at the existing certificate to see if we need to renew it + var daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); + parent.debug('cert', "LE: Certificate has " + daysLeft + " day(s) left."); + if (daysLeft < 45) { + parent.debug('cert', "LE: Asking for new certificate because of expire time."); + obj.requestCertificate(); + return 2; + } else { + var missingDomain = false; + for (var i in obj.leDomains) { + if (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.leDomains[i]) == false) { + parent.debug('cert', "LE: Missing name " + obj.leDomains[i] + "."); + missingDomain = true; + } + } + if (missingDomain) { + parent.debug('cert', "LE: Asking for new certificate because of missing names."); + obj.requestCertificate(); + return 3; + } else { + parent.debug('cert', "LE: Certificate is ok."); + } + } + } + return 0; + } + + obj.requestCertificate = function () { + // Create a private key + parent.debug('cert', "LE: Generating private key..."); + acme.forge.createPrivateKey().then(function (accountKey) { + // Create the ACME client + parent.debug('cert', "LE: Setting up ACME client..."); + obj.client = new acme.Client({ + directoryUrl: obj.runAsProduction ? acme.directory.letsencrypt.production : acme.directory.letsencrypt.staging, + accountKey: accountKey + }); + + // Create Certificate Request (CSR) + parent.debug('cert', "LE: Creating certificate request..."); + acme.forge.createCsr({ + commonName: obj.leDomains[0], + altNames: obj.leDomains + }).then(function (r) { + var csr = r[1]; + obj.tempPrivateKey = r[0]; + parent.debug('cert', "LE: Requesting certificate from Let's Encrypt..."); + obj.client.auto({ + csr, + email: obj.parent.config.letsencrypt.email, + termsOfServiceAgreed: true, + challengeCreateFn, + challengeRemoveFn + }).then(function (cert) { + parent.debug('cert', "LE: Got certificate."); + + // Save certificate and private key to PEM files + var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt')); + var keyFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.key' : 'staging.key')); + obj.fs.writeFileSync(certFile, cert); + obj.fs.writeFileSync(keyFile, obj.tempPrivateKey); + delete obj.tempPrivateKey; + + // Cause a server restart + parent.debug('cert', "LE: Performing server restart..."); + obj.parent.performServerCertUpdate(); + }, function (err) { + parent.debug('cert', "LE: Failed to obtain certificate: " + err.message); + }); + }, function (err) { + parent.debug('cert', "LE: Failed to generate certificate request: " + err.message); + }); + }, function (err) { + parent.debug('cert', "LE: Failed to generate private key: " + err.message); + }); + } + + // Return the status of this module + obj.getStats = function () { + var r = { + lib: 'acme-client', + leDomains: obj.leDomains, + challenges: obj.challenges, + production: obj.runAsProduction, + webServer: obj.redirWebServerHooked, + certPath: obj.certPath, + }; + if (obj.certExpire) { r.daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); } + return r; + } + + return obj; +} \ No newline at end of file diff --git a/meshcentral.js b/meshcentral.js index c4f6ac3e..16d19bba 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -1072,7 +1072,11 @@ function CreateMeshCentralServer(config, args) { obj.StartEx3(certs); // Just use the configured certificates } else if ((obj.config.letsencrypt != null) && (obj.config.letsencrypt.nochecks == true)) { // Use Let's Encrypt with no checking - obj.letsencrypt = require('./letsencrypt.js').CreateLetsEncrypt(obj); + if (obj.config.letsencrypt.lib == 'acme-client') { + obj.letsencrypt = require('./letsencrypt.js').CreateLetsEncrypt2(obj); + } else { + obj.letsencrypt = require('./letsencrypt.js').CreateLetsEncrypt(obj); + } obj.letsencrypt.getCertificate(certs, obj.StartEx3); // Use Let's Encrypt with no checking, use at your own risk. } else { // Check Let's Encrypt settings @@ -1084,7 +1088,13 @@ function CreateMeshCentralServer(config, args) { else if (obj.config.letsencrypt.email.trim() !== obj.config.letsencrypt.email) { leok = false; addServerWarning("Invalid Let's Encrypt email address."); } else { var le = require('./letsencrypt.js'); - try { obj.letsencrypt = le.CreateLetsEncrypt(obj); } catch (ex) { } + try { + if (obj.config.letsencrypt.lib == 'acme-client') { + obj.letsencrypt = le.CreateLetsEncrypt2(obj); + } else { + obj.letsencrypt = le.CreateLetsEncrypt(obj); + } + } catch (ex) { console.log(ex); } if (obj.letsencrypt == null) { addServerWarning("Unable to setup GreenLock module."); leok = false; } } if (leok == true) { @@ -2379,7 +2389,7 @@ function mainStart() { if (require('os').platform() == 'win32') { modules.push('node-windows'); if (sspi == true) { modules.push('node-sspi'); } } // Add Windows modules if (ldap == true) { modules.push('ldapauth-fork'); } if (recordingIndex == true) { modules.push('image-size'); } // Need to get the remote desktop JPEG sizes to index the recodring file. - if (config.letsencrypt != null) { if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push('greenlock@4.0.4'); } } // Add Greenlock Module + if (config.letsencrypt != null) { if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push((config.letsencrypt.lib == 'acme-client') ? 'acme-client' : 'greenlock@4.0.4'); } } // Add Greenlock Module or acme-client module if (config.settings.mqtt != null) { modules.push('aedes'); } // Add MQTT Modules if (config.settings.mysql != null) { modules.push('mysql'); } // Add MySQL, official driver. if (config.settings.mongodb != null) { modules.push('mongodb'); } // Add MongoDB, official driver. diff --git a/meshuser.js b/meshuser.js index 45789e60..9bf2d2d8 100644 --- a/meshuser.js +++ b/meshuser.js @@ -704,20 +704,26 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use if (parent.parent.letsencrypt == null) { r = "Let's Encrypt not in use."; } else { - var leinfo = {}; - var greenLockVersion = null; - try { greenLockVersion = require('greenlock/package.json').version; } catch (ex) { } - if (greenLockVersion) { leinfo.greenLockVer = greenLockVersion; } - leinfo.redirWebServerHooked = parent.parent.letsencrypt.redirWebServerHooked; - leinfo.leDomains = parent.parent.letsencrypt.leDomains; - leinfo.leResults = parent.parent.letsencrypt.leResults; - leinfo.leResultsStaging = parent.parent.letsencrypt.leResultsStaging; - leinfo.performRestart = parent.parent.letsencrypt.performRestart; - leinfo.performMoveToProduction = parent.parent.letsencrypt.performMoveToProduction; - leinfo.runAsProduction = parent.parent.letsencrypt.runAsProduction; - leinfo.leDefaults = parent.parent.letsencrypt.leDefaults; - leinfo.leDefaultsStaging = parent.parent.letsencrypt.leDefaultsStaging; - r = JSON.stringify(leinfo, null, 4); + if (parent.parent.letsencrypt.lib == 'greenlock') { + var leinfo = {}; + var greenLockVersion = null; + try { greenLockVersion = require('greenlock/package.json').version; } catch (ex) { } + if (greenLockVersion) { leinfo.greenLockVer = greenLockVersion; } + leinfo.redirWebServerHooked = parent.parent.letsencrypt.redirWebServerHooked; + leinfo.leDomains = parent.parent.letsencrypt.leDomains; + leinfo.leResults = parent.parent.letsencrypt.leResults; + leinfo.leResultsStaging = parent.parent.letsencrypt.leResultsStaging; + leinfo.performRestart = parent.parent.letsencrypt.performRestart; + leinfo.performMoveToProduction = parent.parent.letsencrypt.performMoveToProduction; + leinfo.runAsProduction = parent.parent.letsencrypt.runAsProduction; + leinfo.leDefaults = parent.parent.letsencrypt.leDefaults; + leinfo.leDefaultsStaging = parent.parent.letsencrypt.leDefaultsStaging; + r = JSON.stringify(leinfo, null, 4); + } else if (parent.parent.letsencrypt.lib == 'acme-client') { + r = JSON.stringify(parent.parent.letsencrypt.getStats(), null, 4); + } else { + r = 'Unknown module'; + } } break; } @@ -725,8 +731,14 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use if (parent.parent.letsencrypt == null) { r = "Let's Encrypt not in use."; } else { - var err = parent.parent.letsencrypt.checkRenewCertificate(); - if (err == null) { r = "Called Let's Encrypt certificate check."; } else { r = err; } + if (parent.parent.letsencrypt.lib == 'greenlock') { + var err = parent.parent.letsencrypt.checkRenewCertificate(); + if (err == null) { r = "Called Let's Encrypt certificate check."; } else { r = err; } + } else if (parent.parent.letsencrypt.lib == 'acme-client') { + r = ["CertOK", "Request:NoCert", "Request:Expire", "Request:MissingNames"][parent.parent.letsencrypt.checkRenewCertificate()]; + } else { + r = 'Unknown module'; + } } break; } diff --git a/package.json b/package.json index 9cdb2225..296d1ba6 100644 --- a/package.json +++ b/package.json @@ -28,8 +28,10 @@ "sample-config.json" ], "dependencies": { + "acme-client": "^3.3.1", "aedes": "^0.40.1", "archiver": "^3.0.0", + "archiver-zip-encrypted": "^1.0.8", "body-parser": "^1.19.0", "cbor": "^4.1.5", "compression": "^1.7.4", @@ -42,11 +44,15 @@ "ipcheck": "^0.1.0", "minimist": "^1.2.0", "multiparty": "^4.2.1", + "nacme": "^2.3.8", "nedb": "^1.8.0", "node-forge": "^0.8.4", + "node-windows": "^1.0.0-beta.1", + "otplib": "^12.0.1", "ws": "^6.2.1", "xmldom": "^0.1.27", - "yauzl": "^2.10.0" + "yauzl": "^2.10.0", + "yubikeyotp": "^0.2.0" }, "devDependencies": {}, "repository": {