Beispiel #1
0
func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
	for _, certificateResource := range account.DomainsCertificate.Certs {
		if certificateResource.needRenew() {
			log.Debugf("Renewing certificate %+v", certificateResource.Domains)
			renewedCert, err := client.RenewCertificate(acme.CertificateResource{
				Domain:        certificateResource.Certificate.Domain,
				CertURL:       certificateResource.Certificate.CertURL,
				CertStableURL: certificateResource.Certificate.CertStableURL,
				PrivateKey:    certificateResource.Certificate.PrivateKey,
				Certificate:   certificateResource.Certificate.Certificate,
			}, false)
			if err != nil {
				return err
			}
			log.Debugf("Renewed certificate %+v", certificateResource.Domains)
			renewedACMECert := &Certificate{
				Domain:        renewedCert.Domain,
				CertURL:       renewedCert.CertURL,
				CertStableURL: renewedCert.CertStableURL,
				PrivateKey:    renewedCert.PrivateKey,
				Certificate:   renewedCert.Certificate,
			}
			err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
			if err != nil {
				return err
			}
			if err = a.saveAccount(account); err != nil {
				return err
			}
		}
	}
	return nil
}
Beispiel #2
0
// obtainCertificates obtains certificates from the CA server for
// the configurations in serverConfigs using client.
func obtainCertificates(client *acme.Client, serverConfigs []server.Config) ([]acme.CertificateResource, map[string]error) {
	var hosts []string
	for _, cfg := range serverConfigs {
		hosts = append(hosts, cfg.Host)
	}
	return client.ObtainCertificates(hosts, true)
}
Beispiel #3
0
func (a *ACME) getDomainsCertificates(client *acme.Client, domains []string) (*Certificate, error) {
	log.Debugf("Loading ACME certificates %s...", domains)
	bundle := true
	certificate, failures := client.ObtainCertificate(domains, bundle, nil)
	if len(failures) > 0 {
		log.Error(failures)
		return nil, fmt.Errorf("Cannot obtain certificates %s+v", failures)
	}
	log.Debugf("Loaded ACME certificates %s", domains)
	return &Certificate{
		Domain:        certificate.Domain,
		CertURL:       certificate.CertURL,
		CertStableURL: certificate.CertStableURL,
		PrivateKey:    certificate.PrivateKey,
		Certificate:   certificate.Certificate,
	}, nil
}
Beispiel #4
0
func handleTOS(c *cli.Context, client *acme.Client, acc *Account) {
	// Check for a global accept override
	if c.GlobalBool("accept-tos") {
		err := client.AgreeToTOS()
		if err != nil {
			logger().Fatalf("Could not agree to TOS: %s", err.Error())
		}

		acc.Save()
		return
	}

	reader := bufio.NewReader(os.Stdin)
	logger().Printf("Please review the TOS at %s", acc.Registration.TosURL)

	for {
		logger().Println("Do you accept the TOS? Y/n")
		text, err := reader.ReadString('\n')
		if err != nil {
			logger().Fatalf("Could not read from console: %s", err.Error())
		}

		text = strings.Trim(text, "\r\n")

		if text == "n" {
			logger().Fatal("You did not accept the TOS. Unable to proceed.")
		}

		if text == "Y" || text == "y" || text == "" {
			err = client.AgreeToTOS()
			if err != nil {
				logger().Fatalf("Could not agree to TOS: %s", err.Error())
			}
			acc.Save()
			break
		}

		logger().Println("Your input was invalid. Please answer with one of Y/y, n or by pressing enter.")
	}
}
Beispiel #5
0
// renewCertificates loops through all configured site and
// looks for certificates to renew. Nothing is mutated
// through this function; all changes happen directly on disk.
// It returns the number of certificates renewed and any errors
// that occurred. It only performs a renewal if necessary.
// If useCustomPort is true, a custom port will be used, and
// whatever is listening at 443 better proxy ACME requests to it.
// Otherwise, the acme package will create its own listener on 443.
func renewCertificates(configs []server.Config, useCustomPort bool) (int, []error) {
	log.Printf("[INFO] Checking certificates for %d hosts", len(configs))
	var errs []error
	var n int

	for _, cfg := range configs {
		// Host must be TLS-enabled and have existing assets managed by LE
		if !cfg.TLS.Enabled || !existingCertAndKey(cfg.Host) {
			continue
		}

		// Read the certificate and get the NotAfter time.
		certBytes, err := ioutil.ReadFile(storage.SiteCertFile(cfg.Host))
		if err != nil {
			errs = append(errs, err)
			continue // still have to check other certificates
		}
		expTime, err := acme.GetPEMCertExpiration(certBytes)
		if err != nil {
			errs = append(errs, err)
			continue
		}

		// The time returned from the certificate is always in UTC.
		// So calculate the time left with local time as UTC.
		// Directly convert it to days for the following checks.
		daysLeft := int(expTime.Sub(time.Now().UTC()).Hours() / 24)

		// Renew with two weeks or less remaining.
		if daysLeft <= 14 {
			log.Printf("[INFO] Certificate for %s has %d days remaining; attempting renewal", cfg.Host, daysLeft)
			var client *acme.Client
			if useCustomPort {
				client, err = newClientPort("", alternatePort) // email not used for renewal
			} else {
				client, err = newClient("")
			}
			if err != nil {
				errs = append(errs, err)
				continue
			}

			// Read and set up cert meta, required for renewal
			metaBytes, err := ioutil.ReadFile(storage.SiteMetaFile(cfg.Host))
			if err != nil {
				errs = append(errs, err)
				continue
			}
			privBytes, err := ioutil.ReadFile(storage.SiteKeyFile(cfg.Host))
			if err != nil {
				errs = append(errs, err)
				continue
			}
			var certMeta acme.CertificateResource
			err = json.Unmarshal(metaBytes, &certMeta)
			certMeta.Certificate = certBytes
			certMeta.PrivateKey = privBytes

			// Renew certificate
		Renew:
			newCertMeta, err := client.RenewCertificate(certMeta, true, true)
			if err != nil {
				if _, ok := err.(acme.TOSError); ok {
					err := client.AgreeToTOS()
					if err != nil {
						errs = append(errs, err)
					}
					goto Renew
				}

				time.Sleep(10 * time.Second)
				newCertMeta, err = client.RenewCertificate(certMeta, true, true)
				if err != nil {
					errs = append(errs, err)
					continue
				}
			}

			saveCertsAndKeys([]acme.CertificateResource{newCertMeta})
			n++
		} else if daysLeft <= 30 {
			// Warn on 30 days remaining. TODO: Just do this once...
			log.Printf("[WARNING] Certificate for %s has %d days remaining; will automatically renew when 14 days remain\n", cfg.Host, daysLeft)
		}
	}

	return n, errs
}