mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-23 22:13:14 +03:00
Added completely new Let's Encrypt system.
This commit is contained in:
parent
672517f27d
commit
fea2120849
@ -316,6 +316,7 @@
|
||||
<Folder Include="typings\" />
|
||||
<Folder Include="typings\globals\" />
|
||||
<Folder Include="typings\globals\connect-redis\" />
|
||||
<Folder Include="typings\globals\cookie-session\" />
|
||||
<Folder Include="typings\globals\express-handlebars\" />
|
||||
<Folder Include="typings\globals\express-session\" />
|
||||
<Folder Include="typings\globals\node-forge\" />
|
||||
@ -325,6 +326,7 @@
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<TypeScriptCompile Include="typings\globals\connect-redis\index.d.ts" />
|
||||
<TypeScriptCompile Include="typings\globals\cookie-session\index.d.ts" />
|
||||
<TypeScriptCompile Include="typings\globals\express-handlebars\index.d.ts" />
|
||||
<TypeScriptCompile Include="typings\globals\express-session\index.d.ts" />
|
||||
<TypeScriptCompile Include="typings\globals\node-forge\index.d.ts" />
|
||||
|
198
letsEncrypt.js
198
letsEncrypt.js
@ -14,8 +14,8 @@
|
||||
/*jshint esversion: 6 */
|
||||
'use strict';
|
||||
|
||||
// GreenLock Implementation
|
||||
var globalLetsEncrypt = null;
|
||||
|
||||
module.exports.CreateLetsEncrypt = function (parent) {
|
||||
try {
|
||||
// Get the GreenLock version
|
||||
@ -44,6 +44,7 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
||||
var obj = {};
|
||||
globalLetsEncrypt = obj;
|
||||
obj.parent = parent;
|
||||
obj.lib = 'greenlock';
|
||||
obj.path = require('path');
|
||||
obj.redirWebServerHooked = false;
|
||||
obj.leDomains = null;
|
||||
@ -322,4 +323,197 @@ module.exports.create = function (options) {
|
||||
};
|
||||
|
||||
return manager;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
// ACME-Client Implementation
|
||||
var globalLetsEncrypt = null;
|
||||
module.exports.CreateLetsEncrypt2 = function (parent) {
|
||||
const acme = require('acme-client');
|
||||
|
||||
var obj = {};
|
||||
obj.lib = 'acme-client';
|
||||
obj.fs = require('fs');
|
||||
obj.path = require('path');
|
||||
obj.parent = parent;
|
||||
obj.forge = obj.parent.certificateOperations.forge;
|
||||
obj.leDomains = null;
|
||||
obj.challenges = {};
|
||||
obj.runAsProduction = false;
|
||||
obj.redirWebServerHooked = false;
|
||||
|
||||
// Setup the certificate storage paths
|
||||
obj.certPath = obj.path.join(obj.parent.datapath, 'letsencrypt-certs');
|
||||
try { obj.parent.fs.mkdirSync(obj.certPath); } catch (e) { }
|
||||
|
||||
// Hook up GreenLock to the redirection server
|
||||
if (obj.parent.config.settings.rediraliasport === 80) { obj.redirWebServerHooked = true; }
|
||||
else if ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port == 80)) { obj.redirWebServerHooked = true; }
|
||||
|
||||
// Deal with HTTP challenges
|
||||
function challengeCreateFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { obj.challenges[challenge.token] = keyAuthorization; } }
|
||||
function challengeRemoveFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { delete obj.challenges[challenge.token]; } }
|
||||
obj.challenge = function (token, hostname, func) { func(obj.challenges[token]); }
|
||||
|
||||
// Get the current certificate
|
||||
obj.getCertificate = function(certs, func) {
|
||||
obj.runAsProduction = (obj.parent.config.letsencrypt.production === true);
|
||||
parent.debug('cert', "LE: Getting certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")");
|
||||
if (certs.CommonName.indexOf('.') == -1) { console.log("ERROR: Use --cert to setup the default server name before using Let's Encrypt."); func(certs); return; }
|
||||
if (obj.parent.config.letsencrypt == null) { func(certs); return; }
|
||||
if (obj.parent.config.letsencrypt.email == null) { console.log("ERROR: Let's Encrypt email address not specified."); func(certs); return; }
|
||||
if ((obj.parent.redirserver == null) || ((typeof obj.parent.config.settings.rediraliasport === 'number') && (obj.parent.config.settings.rediraliasport !== 80)) || ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port !== 80))) { console.log("ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work."); func(certs); return; }
|
||||
if (obj.redirWebServerHooked !== true) { console.log("ERROR: Redirection web server not setup for Let's Encrypt to work."); func(certs); return; }
|
||||
if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { console.log("ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."); func(certs); return; }
|
||||
|
||||
// Get the list of domains
|
||||
obj.leDomains = [ certs.CommonName ];
|
||||
if (obj.parent.config.letsencrypt.names != null) {
|
||||
if (typeof obj.parent.config.letsencrypt.names == 'string') { obj.parent.config.letsencrypt.names = obj.parent.config.letsencrypt.names.split(','); }
|
||||
obj.parent.config.letsencrypt.names.map(function (s) { return s.trim(); }); // Trim each name
|
||||
if ((typeof obj.parent.config.letsencrypt.names != 'object') || (obj.parent.config.letsencrypt.names.length == null)) { console.log("ERROR: Let's Encrypt names must be an array in config.json."); func(certs); return; }
|
||||
obj.leDomains = obj.parent.config.letsencrypt.names;
|
||||
}
|
||||
|
||||
// Read TLS certificate from the configPath
|
||||
var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt'));
|
||||
var keyFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.key' : 'staging.key'));
|
||||
if (obj.fs.existsSync(certFile) && obj.fs.existsSync(keyFile)) {
|
||||
parent.debug('cert', "LE: Reading certificate files");
|
||||
|
||||
// Read the certificate and private key
|
||||
var certPem = obj.fs.readFileSync(certFile).toString('utf8');
|
||||
var cert = obj.forge.pki.certificateFromPem(certPem);
|
||||
var keyPem = obj.fs.readFileSync(keyFile).toString('utf8');
|
||||
var key = obj.forge.pki.privateKeyFromPem(keyPem);
|
||||
|
||||
// Decode the certificate common and alt names
|
||||
obj.certNames = [cert.subject.getField('CN').value];
|
||||
var altNames = cert.getExtension('subjectAltName');
|
||||
if (altNames) { for (i = 0; i < altNames.altNames.length; i++) { var acn = altNames.altNames[i].value.toLowerCase(); if (obj.certNames.indexOf(acn) == -1) { obj.certNames.push(acn); } } }
|
||||
|
||||
// Decode the certificate expire time
|
||||
obj.certExpire = cert.validity.notAfter;
|
||||
|
||||
// Use this certificate when possible on any domain
|
||||
if (obj.certNames.indexOf(certs.CommonName) >= 0) {
|
||||
certs.web.cert = certPem;
|
||||
certs.web.key = keyPem;
|
||||
//certs.web.ca = [results.pems.chain];
|
||||
}
|
||||
for (var i in obj.parent.config.domains) {
|
||||
if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.parent.config.domains[i].dns))) {
|
||||
certs.dns[i].cert = certPem;
|
||||
certs.dns[i].key = keyPem;
|
||||
//certs.dns[i].ca = [results.pems.chain];
|
||||
}
|
||||
}
|
||||
} else {
|
||||
parent.debug('cert', "LE: No certificate files found");
|
||||
}
|
||||
func(certs);
|
||||
obj.checkRenewCertificate();
|
||||
}
|
||||
|
||||
// Check if we need to get a new certificate
|
||||
// Return 0 = CertOK, 1 = Request:NoCert, 2 = Request:Expire, 3 = Request:MissingNames
|
||||
obj.checkRenewCertificate = function () {
|
||||
parent.debug('cert', "LE: Checking certificate");
|
||||
if (obj.certNames == null) {
|
||||
parent.debug('cert', "LE: Got no certificates, asking for one now.");
|
||||
obj.requestCertificate();
|
||||
return 1;
|
||||
} else {
|
||||
// Look at the existing certificate to see if we need to renew it
|
||||
var daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000);
|
||||
parent.debug('cert', "LE: Certificate has " + daysLeft + " day(s) left.");
|
||||
if (daysLeft < 45) {
|
||||
parent.debug('cert', "LE: Asking for new certificate because of expire time.");
|
||||
obj.requestCertificate();
|
||||
return 2;
|
||||
} else {
|
||||
var missingDomain = false;
|
||||
for (var i in obj.leDomains) {
|
||||
if (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.leDomains[i]) == false) {
|
||||
parent.debug('cert', "LE: Missing name " + obj.leDomains[i] + ".");
|
||||
missingDomain = true;
|
||||
}
|
||||
}
|
||||
if (missingDomain) {
|
||||
parent.debug('cert', "LE: Asking for new certificate because of missing names.");
|
||||
obj.requestCertificate();
|
||||
return 3;
|
||||
} else {
|
||||
parent.debug('cert', "LE: Certificate is ok.");
|
||||
}
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
obj.requestCertificate = function () {
|
||||
// Create a private key
|
||||
parent.debug('cert', "LE: Generating private key...");
|
||||
acme.forge.createPrivateKey().then(function (accountKey) {
|
||||
// Create the ACME client
|
||||
parent.debug('cert', "LE: Setting up ACME client...");
|
||||
obj.client = new acme.Client({
|
||||
directoryUrl: obj.runAsProduction ? acme.directory.letsencrypt.production : acme.directory.letsencrypt.staging,
|
||||
accountKey: accountKey
|
||||
});
|
||||
|
||||
// Create Certificate Request (CSR)
|
||||
parent.debug('cert', "LE: Creating certificate request...");
|
||||
acme.forge.createCsr({
|
||||
commonName: obj.leDomains[0],
|
||||
altNames: obj.leDomains
|
||||
}).then(function (r) {
|
||||
var csr = r[1];
|
||||
obj.tempPrivateKey = r[0];
|
||||
parent.debug('cert', "LE: Requesting certificate from Let's Encrypt...");
|
||||
obj.client.auto({
|
||||
csr,
|
||||
email: obj.parent.config.letsencrypt.email,
|
||||
termsOfServiceAgreed: true,
|
||||
challengeCreateFn,
|
||||
challengeRemoveFn
|
||||
}).then(function (cert) {
|
||||
parent.debug('cert', "LE: Got certificate.");
|
||||
|
||||
// Save certificate and private key to PEM files
|
||||
var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt'));
|
||||
var keyFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.key' : 'staging.key'));
|
||||
obj.fs.writeFileSync(certFile, cert);
|
||||
obj.fs.writeFileSync(keyFile, obj.tempPrivateKey);
|
||||
delete obj.tempPrivateKey;
|
||||
|
||||
// Cause a server restart
|
||||
parent.debug('cert', "LE: Performing server restart...");
|
||||
obj.parent.performServerCertUpdate();
|
||||
}, function (err) {
|
||||
parent.debug('cert', "LE: Failed to obtain certificate: " + err.message);
|
||||
});
|
||||
}, function (err) {
|
||||
parent.debug('cert', "LE: Failed to generate certificate request: " + err.message);
|
||||
});
|
||||
}, function (err) {
|
||||
parent.debug('cert', "LE: Failed to generate private key: " + err.message);
|
||||
});
|
||||
}
|
||||
|
||||
// Return the status of this module
|
||||
obj.getStats = function () {
|
||||
var r = {
|
||||
lib: 'acme-client',
|
||||
leDomains: obj.leDomains,
|
||||
challenges: obj.challenges,
|
||||
production: obj.runAsProduction,
|
||||
webServer: obj.redirWebServerHooked,
|
||||
certPath: obj.certPath,
|
||||
};
|
||||
if (obj.certExpire) { r.daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); }
|
||||
return r;
|
||||
}
|
||||
|
||||
return obj;
|
||||
}
|
@ -1072,7 +1072,11 @@ function CreateMeshCentralServer(config, args) {
|
||||
obj.StartEx3(certs); // Just use the configured certificates
|
||||
} else if ((obj.config.letsencrypt != null) && (obj.config.letsencrypt.nochecks == true)) {
|
||||
// Use Let's Encrypt with no checking
|
||||
obj.letsencrypt = require('./letsencrypt.js').CreateLetsEncrypt(obj);
|
||||
if (obj.config.letsencrypt.lib == 'acme-client') {
|
||||
obj.letsencrypt = require('./letsencrypt.js').CreateLetsEncrypt2(obj);
|
||||
} else {
|
||||
obj.letsencrypt = require('./letsencrypt.js').CreateLetsEncrypt(obj);
|
||||
}
|
||||
obj.letsencrypt.getCertificate(certs, obj.StartEx3); // Use Let's Encrypt with no checking, use at your own risk.
|
||||
} else {
|
||||
// Check Let's Encrypt settings
|
||||
@ -1084,7 +1088,13 @@ function CreateMeshCentralServer(config, args) {
|
||||
else if (obj.config.letsencrypt.email.trim() !== obj.config.letsencrypt.email) { leok = false; addServerWarning("Invalid Let's Encrypt email address."); }
|
||||
else {
|
||||
var le = require('./letsencrypt.js');
|
||||
try { obj.letsencrypt = le.CreateLetsEncrypt(obj); } catch (ex) { }
|
||||
try {
|
||||
if (obj.config.letsencrypt.lib == 'acme-client') {
|
||||
obj.letsencrypt = le.CreateLetsEncrypt2(obj);
|
||||
} else {
|
||||
obj.letsencrypt = le.CreateLetsEncrypt(obj);
|
||||
}
|
||||
} catch (ex) { console.log(ex); }
|
||||
if (obj.letsencrypt == null) { addServerWarning("Unable to setup GreenLock module."); leok = false; }
|
||||
}
|
||||
if (leok == true) {
|
||||
@ -2379,7 +2389,7 @@ function mainStart() {
|
||||
if (require('os').platform() == 'win32') { modules.push('node-windows'); if (sspi == true) { modules.push('node-sspi'); } } // Add Windows modules
|
||||
if (ldap == true) { modules.push('ldapauth-fork'); }
|
||||
if (recordingIndex == true) { modules.push('image-size'); } // Need to get the remote desktop JPEG sizes to index the recodring file.
|
||||
if (config.letsencrypt != null) { if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push('greenlock@4.0.4'); } } // Add Greenlock Module
|
||||
if (config.letsencrypt != null) { if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push((config.letsencrypt.lib == 'acme-client') ? 'acme-client' : 'greenlock@4.0.4'); } } // Add Greenlock Module or acme-client module
|
||||
if (config.settings.mqtt != null) { modules.push('aedes'); } // Add MQTT Modules
|
||||
if (config.settings.mysql != null) { modules.push('mysql'); } // Add MySQL, official driver.
|
||||
if (config.settings.mongodb != null) { modules.push('mongodb'); } // Add MongoDB, official driver.
|
||||
|
44
meshuser.js
44
meshuser.js
@ -704,20 +704,26 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
if (parent.parent.letsencrypt == null) {
|
||||
r = "Let's Encrypt not in use.";
|
||||
} else {
|
||||
var leinfo = {};
|
||||
var greenLockVersion = null;
|
||||
try { greenLockVersion = require('greenlock/package.json').version; } catch (ex) { }
|
||||
if (greenLockVersion) { leinfo.greenLockVer = greenLockVersion; }
|
||||
leinfo.redirWebServerHooked = parent.parent.letsencrypt.redirWebServerHooked;
|
||||
leinfo.leDomains = parent.parent.letsencrypt.leDomains;
|
||||
leinfo.leResults = parent.parent.letsencrypt.leResults;
|
||||
leinfo.leResultsStaging = parent.parent.letsencrypt.leResultsStaging;
|
||||
leinfo.performRestart = parent.parent.letsencrypt.performRestart;
|
||||
leinfo.performMoveToProduction = parent.parent.letsencrypt.performMoveToProduction;
|
||||
leinfo.runAsProduction = parent.parent.letsencrypt.runAsProduction;
|
||||
leinfo.leDefaults = parent.parent.letsencrypt.leDefaults;
|
||||
leinfo.leDefaultsStaging = parent.parent.letsencrypt.leDefaultsStaging;
|
||||
r = JSON.stringify(leinfo, null, 4);
|
||||
if (parent.parent.letsencrypt.lib == 'greenlock') {
|
||||
var leinfo = {};
|
||||
var greenLockVersion = null;
|
||||
try { greenLockVersion = require('greenlock/package.json').version; } catch (ex) { }
|
||||
if (greenLockVersion) { leinfo.greenLockVer = greenLockVersion; }
|
||||
leinfo.redirWebServerHooked = parent.parent.letsencrypt.redirWebServerHooked;
|
||||
leinfo.leDomains = parent.parent.letsencrypt.leDomains;
|
||||
leinfo.leResults = parent.parent.letsencrypt.leResults;
|
||||
leinfo.leResultsStaging = parent.parent.letsencrypt.leResultsStaging;
|
||||
leinfo.performRestart = parent.parent.letsencrypt.performRestart;
|
||||
leinfo.performMoveToProduction = parent.parent.letsencrypt.performMoveToProduction;
|
||||
leinfo.runAsProduction = parent.parent.letsencrypt.runAsProduction;
|
||||
leinfo.leDefaults = parent.parent.letsencrypt.leDefaults;
|
||||
leinfo.leDefaultsStaging = parent.parent.letsencrypt.leDefaultsStaging;
|
||||
r = JSON.stringify(leinfo, null, 4);
|
||||
} else if (parent.parent.letsencrypt.lib == 'acme-client') {
|
||||
r = JSON.stringify(parent.parent.letsencrypt.getStats(), null, 4);
|
||||
} else {
|
||||
r = 'Unknown module';
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
@ -725,8 +731,14 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
if (parent.parent.letsencrypt == null) {
|
||||
r = "Let's Encrypt not in use.";
|
||||
} else {
|
||||
var err = parent.parent.letsencrypt.checkRenewCertificate();
|
||||
if (err == null) { r = "Called Let's Encrypt certificate check."; } else { r = err; }
|
||||
if (parent.parent.letsencrypt.lib == 'greenlock') {
|
||||
var err = parent.parent.letsencrypt.checkRenewCertificate();
|
||||
if (err == null) { r = "Called Let's Encrypt certificate check."; } else { r = err; }
|
||||
} else if (parent.parent.letsencrypt.lib == 'acme-client') {
|
||||
r = ["CertOK", "Request:NoCert", "Request:Expire", "Request:MissingNames"][parent.parent.letsencrypt.checkRenewCertificate()];
|
||||
} else {
|
||||
r = 'Unknown module';
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
@ -28,8 +28,10 @@
|
||||
"sample-config.json"
|
||||
],
|
||||
"dependencies": {
|
||||
"acme-client": "^3.3.1",
|
||||
"aedes": "^0.40.1",
|
||||
"archiver": "^3.0.0",
|
||||
"archiver-zip-encrypted": "^1.0.8",
|
||||
"body-parser": "^1.19.0",
|
||||
"cbor": "^4.1.5",
|
||||
"compression": "^1.7.4",
|
||||
@ -42,11 +44,15 @@
|
||||
"ipcheck": "^0.1.0",
|
||||
"minimist": "^1.2.0",
|
||||
"multiparty": "^4.2.1",
|
||||
"nacme": "^2.3.8",
|
||||
"nedb": "^1.8.0",
|
||||
"node-forge": "^0.8.4",
|
||||
"node-windows": "^1.0.0-beta.1",
|
||||
"otplib": "^12.0.1",
|
||||
"ws": "^6.2.1",
|
||||
"xmldom": "^0.1.27",
|
||||
"yauzl": "^2.10.0"
|
||||
"yauzl": "^2.10.0",
|
||||
"yubikeyotp": "^0.2.0"
|
||||
},
|
||||
"devDependencies": {},
|
||||
"repository": {
|
||||
|
Loading…
Reference in New Issue
Block a user