func main() {
flag.Parse()
if *flagKeyID == "" {
log.Fatal("you need to specify -keyid")
}
if *flagClaimedIP == "" {
log.Fatal("you need to specify -ip")
}
gpgchallenge.ClientChallengedPort = *flagPort
cl, err := gpgchallenge.NewClient(
*flagKeyRing,
*flagKeyID,
*flagClaimedIP,
)
if err != nil {
log.Fatal(err)
}
config := &tls.Config{
NextProtos: []string{http2.NextProtoTLS, "http/1.1"},
MinVersion: tls.VersionTLS12,
}
selfCert, selfKey, err := httputil.GenSelfTLS(*flagClaimedIP + "-challenge")
if err != nil {
log.Fatalf("could no generate self-signed certificate: %v", err)
}
config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0], err = tls.X509KeyPair(selfCert, selfKey)
if err != nil {
log.Fatalf("could not load TLS certificate: %v", err)
}
laddr := fmt.Sprintf(":%d", *flagPort)
l, err := tls.Listen("tcp", laddr, config)
if err != nil {
log.Fatalf("could not listen on %v for challenge: %v", laddr, err)
}
pattern, handler := cl.Handler()
http.Handle(pattern, handler)
errc := make(chan error, 1)
go func() {
errc <- http.Serve(l, handler)
}()
time.Sleep(time.Second)
if err := cl.Challenge(*flagServer); err != nil {
log.Fatal(err)
}
log.Printf("Challenge success")
}
// setupHTTPS uploads to the configuration bucket the certificate and key used by the
// instance for HTTPS. It generates them if d.Conf.CertFile or d.Conf.KeyFile is not defined.
// It should be called after setBuckets.
func (d *Deployer) setupHTTPS(storageService *storage.Service) error {
installedCert, _, err := d.getInstalledTLS()
if err != nil && err != os.ErrNotExist {
return err
}
if err == nil {
sigs, err := httputil.CertFingerprints(installedCert)
if err != nil {
return fmt.Errorf("could not get fingerprints of certificate: %v", err)
}
d.certFingerprints = sigs
if Verbose {
d.Printf("Reusing existing certificate with fingerprint %v", sigs["SHA-256"])
}
return nil
}
var cert, key io.ReadCloser
if d.Conf.CertFile != "" && d.Conf.KeyFile != "" {
// Note: it is not a bug that we do not set d.certFingerprint in that case, because only
// the wizard template cares about d.certFingerprint, and we never get here with the wizard
// - but only with camdeploy.
cert, err = os.Open(d.Conf.CertFile)
if err != nil {
return err
}
defer cert.Close()
key, err = os.Open(d.Conf.KeyFile)
if err != nil {
return err
}
defer key.Close()
} else {
if Verbose {
d.Printf("Generating self-signed certificate for %v ...", d.Conf.Hostname)
}
certBytes, keyBytes, err := httputil.GenSelfTLS(d.Conf.Hostname)
if err != nil {
return fmt.Errorf("error generating certificates: %v", err)
}
sigs, err := httputil.CertFingerprints(certBytes)
if err != nil {
return fmt.Errorf("could not get fingerprints of certificate: %v", err)
}
d.certFingerprints = sigs
if Verbose {
d.Printf("Wrote certificate with SHA-256 fingerprint %s", sigs["SHA-256"])
}
cert = ioutil.NopCloser(bytes.NewReader(certBytes))
key = ioutil.NopCloser(bytes.NewReader(keyBytes))
}
if Verbose {
d.Print("Uploading certificate and key...")
}
_, err = storageService.Objects.Insert(d.Conf.bucketBase(),
&storage.Object{Name: path.Join(configDir, certFilename())}).Media(cert).Do()
if err != nil {
return fmt.Errorf("cert upload failed: %v", err)
}
_, err = storageService.Objects.Insert(d.Conf.bucketBase(),
&storage.Object{Name: path.Join(configDir, keyFilename())}).Media(key).Do()
if err != nil {
return fmt.Errorf("key upload failed: %v", err)
}
return nil
}
