dnscontrol/commands/getCerts.go

package commands

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"strings"

	"github.com/StackExchange/dnscontrol/models"
	"github.com/StackExchange/dnscontrol/pkg/acme"
	"github.com/StackExchange/dnscontrol/pkg/normalize"
	"github.com/StackExchange/dnscontrol/pkg/printer"
	"github.com/urfave/cli"
)

var _ = cmd(catUtils, func() *cli.Command {
	var args GetCertsArgs
	return &cli.Command{
		Name:  "get-certs",
		Usage: "Issue certificates via Let's Encrypt",
		Action: func(c *cli.Context) error {
			return exit(GetCerts(args))
		},
		Flags: args.flags(),
	}
}())

type GetCertsArgs struct {
	GetDNSConfigArgs
	GetCredentialsArgs

	ACMEServer     string
	CertsFile      string
	RenewUnderDays int
	CertDirectory  string
	Email          string
	AgreeTOS       bool
	Verbose        bool
	Vault          bool
	VaultPath      string
	Only           string

	Notify bool

	IgnoredProviders string
}

func (args *GetCertsArgs) flags() []cli.Flag {
	flags := args.GetDNSConfigArgs.flags()
	flags = append(flags, args.GetCredentialsArgs.flags()...)

	flags = append(flags, cli.StringFlag{
		Name:        "acme",
		Destination: &args.ACMEServer,
		Value:       "live",
		Usage:       `ACME server to issue against. Give full directory endpoint. Can also use 'staging' or 'live' for standard Let's Encrpyt endpoints.`,
	})
	flags = append(flags, cli.IntFlag{
		Name:        "renew",
		Destination: &args.RenewUnderDays,
		Value:       15,
		Usage:       `Renew certs with less than this many days remaining`,
	})
	flags = append(flags, cli.StringFlag{
		Name:        "dir",
		Destination: &args.CertDirectory,
		Value:       ".",
		Usage:       `Directory to store certificates and other data`,
	})
	flags = append(flags, cli.StringFlag{
		Name:        "certConfig",
		Destination: &args.CertsFile,
		Value:       "certs.json",
		Usage:       `Json file containing list of certificates to issue`,
	})
	flags = append(flags, cli.StringFlag{
		Name:        "email",
		Destination: &args.Email,
		Value:       "",
		Usage:       `Email to register with let's encrypt`,
	})
	flags = append(flags, cli.BoolFlag{
		Name:        "agreeTOS",
		Destination: &args.AgreeTOS,
		Usage:       `Must provide this to agree to Let's Encrypt terms of service`,
	})
	flags = append(flags, cli.BoolFlag{
		Name:        "vault",
		Destination: &args.Vault,
		Usage:       `Store certificates as secrets in hashicorp vault instead of on disk.`,
	})
	flags = append(flags, cli.StringFlag{
		Name:        "vaultPath",
		Destination: &args.VaultPath,
		Value:       "/secret/certs",
		Usage:       `Path in vault to store certificates`,
	})
	flags = append(flags, cli.StringFlag{
		Name:        "skip",
		Destination: &args.IgnoredProviders,
		Value:       "",
		Usage:       `Provider names to not use for challenges (comma separated)`,
	})
	flags = append(flags, cli.BoolFlag{
		Name:        "verbose",
		Destination: &args.Verbose,
		Usage:       "Enable detailed logging (deprecated: use the global -v flag)",
	})
	flags = append(flags, cli.BoolFlag{
		Name:        "notify",
		Destination: &args.Notify,
		Usage:       `set to true to send notifications to configured destinations`,
	})
	flags = append(flags, cli.StringFlag{
		Name:        "only",
		Destination: &args.Only,
		Usage:       `Only check a single cert. Provide cert name.`,
	})
	return flags
}

func GetCerts(args GetCertsArgs) error {
	fmt.Println(args.JSFile)
	// check agree flag
	if !args.AgreeTOS {
		return fmt.Errorf("You must agree to the Let's Encrypt Terms of Service by using -agreeTOS")
	}
	if args.Email == "" {
		return fmt.Errorf("Must provide email to use for Let's Encrypt registration")
	}

	// load dns config
	cfg, err := GetDNSConfig(args.GetDNSConfigArgs)
	if err != nil {
		return err
	}
	errs := normalize.NormalizeAndValidateConfig(cfg)
	if PrintValidationErrors(errs) {
		return fmt.Errorf("Exiting due to validation errors")
	}
	notifier, err := InitializeProviders(args.CredsFile, cfg, args.Notify)
	if err != nil {
		return err
	}

	for _, skip := range strings.Split(args.IgnoredProviders, ",") {
		acme.IgnoredProviders[skip] = true
	}

	// load cert list
	certList := []*acme.CertConfig{}
	f, err := os.Open(args.CertsFile)
	if err != nil {
		return err
	}
	defer f.Close()
	dec := json.NewDecoder(f)
	err = dec.Decode(&certList)
	if err != nil {
		return err
	}
	if len(certList) == 0 {
		return fmt.Errorf("Must provide at least one certificate to issue in cert configuration")
	}
	if err = validateCertificateList(certList, cfg); err != nil {
		return err
	}

	acmeServer := args.ACMEServer
	if acmeServer == "live" {
		acmeServer = acme.LetsEncryptLive
	} else if acmeServer == "staging" {
		acmeServer = acme.LetsEncryptStage
	}

	var client acme.Client

	if args.Vault {
		client, err = acme.NewVault(cfg, args.VaultPath, args.Email, acmeServer, notifier)
	} else {
		client, err = acme.New(cfg, args.CertDirectory, args.Email, acmeServer, notifier)
	}
	if err != nil {
		return err
	}
	for _, cert := range certList {
		if args.Only != "" && cert.CertName != args.Only {
			continue
		}
		v := args.Verbose || printer.DefaultPrinter.Verbose
		issued, err := client.IssueOrRenewCert(cert, args.RenewUnderDays, v)
		if issued || err != nil {
			notifier.Notify(cert.CertName, "certificate", "Issued new certificate", err, false)
		}
		if err != nil {
			return err
		}
	}
	notifier.Done()
	return nil
}

var validCertNamesRegex = regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9_\-]*$`)

func validateCertificateList(certs []*acme.CertConfig, cfg *models.DNSConfig) error {
	for _, cert := range certs {
		name := cert.CertName
		if !validCertNamesRegex.MatchString(name) {
			return fmt.Errorf("'%s' is not a valud certificate name. Only alphanumerics, - and _ allowed", name)
		}
		sans := cert.Names
		if len(sans) > 100 {
			return fmt.Errorf("certificate '%s' has too many SANs. Max of 100", name)
		}
		if len(sans) == 0 {
			return fmt.Errorf("certificate '%s' needs at least one SAN", name)
		}
		for _, san := range sans {
			d := cfg.DomainContainingFQDN(san)
			if d == nil {
				return fmt.Errorf("DNS config has no domain that matches SAN '%s'", san)
			}
		}
	}
	return nil
}
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`package commands`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"os"`
			`"regexp"`
			`"strings"`

			`"github.com/StackExchange/dnscontrol/models"`
			`"github.com/StackExchange/dnscontrol/pkg/acme"`
			`"github.com/StackExchange/dnscontrol/pkg/normalize"`
Verbose debug logging via the ConsolePrinter and printer package. (#404) This: * adds a global -v flag for verbosity * refactors the "printer" package to have a DefaultPrinter and package functions that call it, similar to net/http's DefaultServeMux * adds printer tests * moves current users of Debugf to Printf * moves most users of the "log" package to use "printer" * demotes noticably noisy log messages to "Debugf", like "IGNORE"- and "NO_PURGE"-related messages 2018-10-09 04:10:44 +08:00			`"github.com/StackExchange/dnscontrol/pkg/printer"`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`"github.com/urfave/cli"`
			`)`

			`var _ = cmd(catUtils, func() *cli.Command {`
			`var args GetCertsArgs`
			`return &cli.Command{`
			`Name: "get-certs",`
			`Usage: "Issue certificates via Let's Encrypt",`
			`Action: func(c *cli.Context) error {`
			`return exit(GetCerts(args))`
			`},`
			`Flags: args.flags(),`
			`}`
			`}())`

			`type GetCertsArgs struct {`
			`GetDNSConfigArgs`
			`GetCredentialsArgs`

			`ACMEServer string`
			`CertsFile string`
			`RenewUnderDays int`
			`CertDirectory string`
			`Email string`
			`AgreeTOS bool`
			`Verbose bool`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`Vault bool`
			`VaultPath string`
switch to new go-acme imports from xenolf. Fix api changes (#540) * switch to new go-acme imports from xenolf. Fix api changes * update many vault related dependencies 2019-07-29 22:54:32 +08:00			`Only string`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00
notifications for get-certs command (#451) 2019-02-22 08:58:50 +08:00			`Notify bool`

Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`IgnoredProviders string`
			`}`

			`func (args *GetCertsArgs) flags() []cli.Flag {`
			`flags := args.GetDNSConfigArgs.flags()`
			`flags = append(flags, args.GetCredentialsArgs.flags()...)`

			`flags = append(flags, cli.StringFlag{`
			`Name: "acme",`
			`Destination: &args.ACMEServer,`
			`Value: "live",`
			Usage: `ACME server to issue against. Give full directory endpoint. Can also use 'staging' or 'live' for standard Let's Encrpyt endpoints.`,
			`})`
			`flags = append(flags, cli.IntFlag{`
			`Name: "renew",`
			`Destination: &args.RenewUnderDays,`
			`Value: 15,`
			Usage: `Renew certs with less than this many days remaining`,
			`})`
			`flags = append(flags, cli.StringFlag{`
			`Name: "dir",`
			`Destination: &args.CertDirectory,`
			`Value: ".",`
			Usage: `Directory to store certificates and other data`,
			`})`
			`flags = append(flags, cli.StringFlag{`
			`Name: "certConfig",`
			`Destination: &args.CertsFile,`
			`Value: "certs.json",`
			Usage: `Json file containing list of certificates to issue`,
			`})`
			`flags = append(flags, cli.StringFlag{`
			`Name: "email",`
			`Destination: &args.Email,`
			`Value: "",`
			Usage: `Email to register with let's encrypt`,
			`})`
			`flags = append(flags, cli.BoolFlag{`
			`Name: "agreeTOS",`
			`Destination: &args.AgreeTOS,`
			Usage: `Must provide this to agree to Let's Encrypt terms of service`,
			`})`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`flags = append(flags, cli.BoolFlag{`
			`Name: "vault",`
			`Destination: &args.Vault,`
			Usage: `Store certificates as secrets in hashicorp vault instead of on disk.`,
			`})`
			`flags = append(flags, cli.StringFlag{`
			`Name: "vaultPath",`
			`Destination: &args.VaultPath,`
			`Value: "/secret/certs",`
			Usage: `Path in vault to store certificates`,
			`})`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`flags = append(flags, cli.StringFlag{`
			`Name: "skip",`
			`Destination: &args.IgnoredProviders,`
			`Value: "",`
			Usage: `Provider names to not use for challenges (comma separated)`,
			`})`
			`flags = append(flags, cli.BoolFlag{`
			`Name: "verbose",`
			`Destination: &args.Verbose,`
Verbose debug logging via the ConsolePrinter and printer package. (#404) This: * adds a global -v flag for verbosity * refactors the "printer" package to have a DefaultPrinter and package functions that call it, similar to net/http's DefaultServeMux * adds printer tests * moves current users of Debugf to Printf * moves most users of the "log" package to use "printer" * demotes noticably noisy log messages to "Debugf", like "IGNORE"- and "NO_PURGE"-related messages 2018-10-09 04:10:44 +08:00			`Usage: "Enable detailed logging (deprecated: use the global -v flag)",`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`})`
notifications for get-certs command (#451) 2019-02-22 08:58:50 +08:00			`flags = append(flags, cli.BoolFlag{`
			`Name: "notify",`
			`Destination: &args.Notify,`
			Usage: `set to true to send notifications to configured destinations`,
			`})`
switch to new go-acme imports from xenolf. Fix api changes (#540) * switch to new go-acme imports from xenolf. Fix api changes * update many vault related dependencies 2019-07-29 22:54:32 +08:00			`flags = append(flags, cli.StringFlag{`
			`Name: "only",`
			`Destination: &args.Only,`
			Usage: `Only check a single cert. Provide cert name.`,
			`})`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`return flags`
			`}`

			`func GetCerts(args GetCertsArgs) error {`
			`fmt.Println(args.JSFile)`
			`// check agree flag`
			`if !args.AgreeTOS {`
			`return fmt.Errorf("You must agree to the Let's Encrypt Terms of Service by using -agreeTOS")`
			`}`
			`if args.Email == "" {`
			`return fmt.Errorf("Must provide email to use for Let's Encrypt registration")`
			`}`

			`// load dns config`
			`cfg, err := GetDNSConfig(args.GetDNSConfigArgs)`
			`if err != nil {`
			`return err`
			`}`
			`errs := normalize.NormalizeAndValidateConfig(cfg)`
			`if PrintValidationErrors(errs) {`
			`return fmt.Errorf("Exiting due to validation errors")`
			`}`
notifications for get-certs command (#451) 2019-02-22 08:58:50 +08:00			`notifier, err := InitializeProviders(args.CredsFile, cfg, args.Notify)`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`if err != nil {`
			`return err`
			`}`

			`for _, skip := range strings.Split(args.IgnoredProviders, ",") {`
			`acme.IgnoredProviders[skip] = true`
			`}`

			`// load cert list`
			`certList := []*acme.CertConfig{}`
			`f, err := os.Open(args.CertsFile)`
			`if err != nil {`
			`return err`
			`}`
			`defer f.Close()`
			`dec := json.NewDecoder(f)`
			`err = dec.Decode(&certList)`
			`if err != nil {`
			`return err`
			`}`
			`if len(certList) == 0 {`
			`return fmt.Errorf("Must provide at least one certificate to issue in cert configuration")`
			`}`
			`if err = validateCertificateList(certList, cfg); err != nil {`
			`return err`
			`}`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`acmeServer := args.ACMEServer`
			`if acmeServer == "live" {`
			`acmeServer = acme.LetsEncryptLive`
			`} else if acmeServer == "staging" {`
			`acmeServer = acme.LetsEncryptStage`
			`}`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00
			`var client acme.Client`

			`if args.Vault {`
notifications for get-certs command (#451) 2019-02-22 08:58:50 +08:00			`client, err = acme.NewVault(cfg, args.VaultPath, args.Email, acmeServer, notifier)`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`} else {`
notifications for get-certs command (#451) 2019-02-22 08:58:50 +08:00			`client, err = acme.New(cfg, args.CertDirectory, args.Email, acmeServer, notifier)`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`}`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`if err != nil {`
			`return err`
			`}`
			`for _, cert := range certList {`
switch to new go-acme imports from xenolf. Fix api changes (#540) * switch to new go-acme imports from xenolf. Fix api changes * update many vault related dependencies 2019-07-29 22:54:32 +08:00			`if args.Only != "" && cert.CertName != args.Only {`
			`continue`
			`}`
Verbose debug logging via the ConsolePrinter and printer package. (#404) This: * adds a global -v flag for verbosity * refactors the "printer" package to have a DefaultPrinter and package functions that call it, similar to net/http's DefaultServeMux * adds printer tests * moves current users of Debugf to Printf * moves most users of the "log" package to use "printer" * demotes noticably noisy log messages to "Debugf", like "IGNORE"- and "NO_PURGE"-related messages 2018-10-09 04:10:44 +08:00			`v := args.Verbose \|\| printer.DefaultPrinter.Verbose`
notifications for get-certs command (#451) 2019-02-22 08:58:50 +08:00			`issued, err := client.IssueOrRenewCert(cert, args.RenewUnderDays, v)`
			`if issued \|\| err != nil {`
			`notifier.Notify(cert.CertName, "certificate", "Issued new certificate", err, false)`
			`}`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`if err != nil {`
			`return err`
			`}`
			`}`
notifications for get-certs command (#451) 2019-02-22 08:58:50 +08:00			`notifier.Done()`
Let's Encrypt Certificate Generation (#327) * Manual rebase of get-certs branch * fix endpoints, add verbose flag * more stable pre-check behaviour * start of docs * docs for get-certs * don't require cert for dnscontrol * fix up directory paths * small doc tweaks 2018-04-27 01:11:13 +08:00			`return nil`
			`}`

			var validCertNamesRegex = regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9_\-]*$`)

			`func validateCertificateList(certs []acme.CertConfig, cfg models.DNSConfig) error {`
			`for _, cert := range certs {`
			`name := cert.CertName`
			`if !validCertNamesRegex.MatchString(name) {`
			`return fmt.Errorf("'%s' is not a valud certificate name. Only alphanumerics, - and _ allowed", name)`
			`}`
			`sans := cert.Names`
			`if len(sans) > 100 {`
			`return fmt.Errorf("certificate '%s' has too many SANs. Max of 100", name)`
			`}`
			`if len(sans) == 0 {`
			`return fmt.Errorf("certificate '%s' needs at least one SAN", name)`
			`}`
			`for _, san := range sans {`
			`d := cfg.DomainContainingFQDN(san)`
			`if d == nil {`
			`return fmt.Errorf("DNS config has no domain that matches SAN '%s'", san)`
			`}`
			`}`
			`}`
			`return nil`
			`}`