mirror of
https://github.com/nodemailer/wildduck.git
synced 2025-01-04 07:02:45 +08:00
376 lines
12 KiB
JavaScript
376 lines
12 KiB
JavaScript
'use strict';
|
|
|
|
const config = require('wild-config');
|
|
const ACME = require('@root/acme');
|
|
const { pem2jwk } = require('pem-jwk');
|
|
const CSR = require('@root/csr');
|
|
const { Certificate } = require('@fidm/x509');
|
|
const AcmeChallenge = require('./acme-challenge');
|
|
const pkg = require('../../package.json');
|
|
const { normalizeDomain } = require('../tools');
|
|
const Lock = require('ioredfour');
|
|
const log = require('npmlog');
|
|
const { Resolver } = require('dns').promises;
|
|
const resolver = new Resolver();
|
|
const Joi = require('joi');
|
|
const db = require('../db');
|
|
const { SettingsHandler } = require('../settings-handler');
|
|
|
|
if (config.resolver && config.resolver.ns && config.resolver.ns.length) {
|
|
resolver.setServers([].concat(config.resolver.ns || []));
|
|
}
|
|
|
|
const RENEW_AFTER_REMAINING = 10000 + 30 * 24 * 3600 * 1000;
|
|
const BLOCK_RENEW_AFTER_ERROR_TTL = 3600;
|
|
|
|
const acme = ACME.create({
|
|
maintainerEmail: pkg.author.email,
|
|
packageAgent: pkg.name + '/' + pkg.version,
|
|
notify(ev, params) {
|
|
log.info('ACME', 'Notification for %s (%s)', ev, JSON.stringify(params));
|
|
}
|
|
});
|
|
|
|
let settings;
|
|
|
|
let getLock, releaseLock;
|
|
|
|
// First try triggers initialization, others will wait until first is finished
|
|
let acmeInitialized = false;
|
|
let acmeInitializing = false;
|
|
let acmeInitPending = [];
|
|
|
|
const ensureAcme = async acmeOptions => {
|
|
if (!settings) {
|
|
settings = new SettingsHandler({ db: db.database });
|
|
}
|
|
|
|
if (acmeInitialized) {
|
|
return true;
|
|
}
|
|
if (acmeInitializing) {
|
|
return new Promise((resolve, reject) => {
|
|
acmeInitPending.push({ resolve, reject });
|
|
});
|
|
}
|
|
|
|
try {
|
|
await acme.init(acmeOptions.directoryUrl);
|
|
acmeInitialized = true;
|
|
|
|
if (acmeInitPending.length) {
|
|
for (let entry of acmeInitPending) {
|
|
entry.resolve(true);
|
|
}
|
|
}
|
|
} catch (err) {
|
|
if (acmeInitPending.length) {
|
|
for (let entry of acmeInitPending) {
|
|
entry.reject(err);
|
|
}
|
|
}
|
|
throw err;
|
|
} finally {
|
|
acmeInitializing = false;
|
|
}
|
|
|
|
return true;
|
|
};
|
|
|
|
const getAcmeAccount = async (acmeOptions, certHandler) => {
|
|
await ensureAcme(acmeOptions);
|
|
|
|
const entryKey = `acme:account:${acmeOptions.key}`;
|
|
|
|
const settingsValue = await settings.get(entryKey);
|
|
|
|
// there is already an existing acme account, no need to create a new one
|
|
if (settingsValue) {
|
|
return settingsValue;
|
|
}
|
|
|
|
// account not found, create a new one
|
|
log.info('ACME', 'ACME account for %s not found, provisioning new one from %s', acmeOptions.key, acmeOptions.directoryUrl);
|
|
const accountKey = await certHandler.generateKey(acmeOptions.keyBits, acmeOptions.keyExponent);
|
|
|
|
const jwkAccount = pem2jwk(accountKey);
|
|
log.info('ACME', 'Generated Acme account key for %s', acmeOptions.key);
|
|
|
|
const accountOptions = {
|
|
subscriberEmail: acmeOptions.email,
|
|
agreeToTerms: true,
|
|
accountKey: jwkAccount
|
|
};
|
|
|
|
const account = await acme.accounts.create(accountOptions);
|
|
|
|
await settings.set(
|
|
entryKey,
|
|
{
|
|
key: accountKey,
|
|
account
|
|
},
|
|
{ enumerable: false }
|
|
);
|
|
|
|
log.info('ACME', 'ACME account provisioned for %s', acmeOptions.key);
|
|
|
|
return {
|
|
key: accountKey,
|
|
account
|
|
};
|
|
};
|
|
|
|
const validateDomain = async domain => {
|
|
// check domain name format
|
|
const validation = Joi.string()
|
|
.domain({ tlds: { allow: true } })
|
|
.validate(domain);
|
|
|
|
if (validation.error) {
|
|
// invalid domain name, can not create certificate
|
|
let err = new Error('${domain} is not a valid domain name');
|
|
err.responseCode = 400;
|
|
err.code = 'invalid_domain';
|
|
throw err;
|
|
}
|
|
|
|
// check CAA support
|
|
const caaDomains = config.acme.caaDomains.map(normalizeDomain).filter(d => d);
|
|
|
|
// CAA support in node 15+
|
|
if (typeof resolver.resolveCaa === 'function' && caaDomains.length) {
|
|
let parts = domain.split('.');
|
|
for (let i = 0; i < parts.length - 1; i++) {
|
|
let subdomain = parts.slice(i).join('.');
|
|
let caaRes;
|
|
|
|
try {
|
|
caaRes = await resolver.resolveCaa(subdomain);
|
|
} catch (err) {
|
|
// assume not found
|
|
}
|
|
|
|
if (caaRes && caaRes.length && !caaRes.some(r => config.acme.caaDomains.includes(normalizeDomain(r && r.issue)))) {
|
|
let err = new Error(`LE not listed in the CAA record for ${subdomain} (${domain})`);
|
|
err.responseCode = 403;
|
|
err.code = 'caa_mismatch';
|
|
throw err;
|
|
} else if (caaRes && caaRes.length) {
|
|
log.info('ACME', 'Found matching CAA record for %s (%s)', subdomain, domain);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
return true;
|
|
};
|
|
|
|
const acquireCert = async (domain, acmeOptions, certificateData, certHandler) => {
|
|
const domainSafeLockKey = `d:lock:safe:${domain}`;
|
|
const domainOpLockKey = `d:lock:op:${domain}`;
|
|
|
|
if (await db.redis.exists(domainSafeLockKey)) {
|
|
// nothing to do here, renewal blocked
|
|
log.info('ACME', 'Renewal blocked by failsafe lock for %s', domain);
|
|
|
|
// use default
|
|
return certificateData;
|
|
}
|
|
|
|
try {
|
|
// throws if can not validate domain
|
|
await validateDomain(domain);
|
|
log.info('ACME', 'Domain validation for %s passed', domain);
|
|
} catch (err) {
|
|
log.error('ACME', 'Failed to validate domain %s: %s', domain, err.message);
|
|
return certificateData;
|
|
}
|
|
|
|
// Use locking to avoid race conditions, first try gets the lock, others wait until first is finished
|
|
if (!getLock) {
|
|
let lock = new Lock({
|
|
redis: db.redis,
|
|
namespace: 'acme'
|
|
});
|
|
getLock = (...args) => lock.waitAcquireLock(...args);
|
|
releaseLock = (...args) => lock.releaseLock(...args);
|
|
}
|
|
|
|
let lock = await getLock(domainOpLockKey, 10 * 60 * 1000, 3 * 60 * 1000);
|
|
if (!lock.success) {
|
|
return certificateData;
|
|
}
|
|
|
|
try {
|
|
// reload from db, maybe already renewed
|
|
if (certificateData.expires > new Date(Date.now() + RENEW_AFTER_REMAINING)) {
|
|
// no need to renew
|
|
return certificateData;
|
|
}
|
|
|
|
let privateKey = certificateData.privateKey;
|
|
if (!privateKey) {
|
|
// generate new key
|
|
log.info('ACME', 'Provision new private key for %s', domain);
|
|
privateKey = await certHandler.resetPrivateKey({ _id: certificateData._id }, config.acme);
|
|
}
|
|
|
|
const jwkPrivateKey = pem2jwk(privateKey);
|
|
const csr = await CSR.csr({
|
|
jwk: jwkPrivateKey,
|
|
domains: [domain],
|
|
encoding: 'pem'
|
|
});
|
|
|
|
const acmeAccount = await getAcmeAccount(acmeOptions, certHandler);
|
|
if (!acmeAccount) {
|
|
log.info('ACME', 'Skip certificate renwal for %s, acme account not found', domain);
|
|
return false;
|
|
}
|
|
|
|
const jwkAccount = pem2jwk(acmeAccount.key);
|
|
const certificateOptions = {
|
|
account: acmeAccount.account,
|
|
accountKey: jwkAccount,
|
|
csr,
|
|
domains: [domain],
|
|
challenges: {
|
|
'http-01': AcmeChallenge.create({
|
|
db: db.database
|
|
})
|
|
}
|
|
};
|
|
|
|
const aID = ((acmeAccount && acmeAccount.account && acmeAccount.account.key && acmeAccount.account.key.kid) || '').split('/acct/').pop();
|
|
log.info('ACME', 'Generate ACME cert for %s (account=%s)', domain, aID);
|
|
const cert = await acme.certificates.create(certificateOptions);
|
|
if (!cert || !cert.cert) {
|
|
log.error('ACME', 'Failed to generate certificate for %s. Empty response', domain);
|
|
return cert;
|
|
}
|
|
|
|
log.info('ACME', 'Received certificate from ACME for %s', domain);
|
|
let now = new Date();
|
|
const parsed = Certificate.fromPEM(cert.cert);
|
|
|
|
let updates = {
|
|
cert: cert.cert,
|
|
ca: [].concat(cert.chain || []),
|
|
validFrom: new Date(parsed.validFrom),
|
|
expires: new Date(parsed.validTo),
|
|
altNames: parsed.dnsNames,
|
|
issuer: parsed.issuer.commonName,
|
|
lastCheck: now,
|
|
status: 'valid'
|
|
};
|
|
|
|
let updated = await certHandler.update({ _id: certificateData._id }, updates, { certUpdated: true });
|
|
if (!updated) {
|
|
log.error('ACME', 'Failed to generate certificate for %s. Update failed', domain);
|
|
certHandler.loggelf({
|
|
short_message: `SNI cert provisioning failed for ${domain}`,
|
|
_sni_servername: domain,
|
|
_cert_id: certificateData._id.toString(),
|
|
_cert_action: 'provision',
|
|
_cert_error: 'No response',
|
|
_cert_error_code: 'NoResponse'
|
|
});
|
|
return cert;
|
|
}
|
|
|
|
log.info('ACME', 'Certificate successfully generated for %s (expires %s)', domain, parsed.validTo);
|
|
certHandler.loggelf({
|
|
short_message: `SNI cert provisioned for ${domain}`,
|
|
_sni_servername: domain,
|
|
_cert_id: certificateData._id.toString(),
|
|
_cert_action: 'provision',
|
|
_cert_result: 'success',
|
|
_cert_expires: updates.expires.toISOString()
|
|
});
|
|
return await certHandler.getRecord({ _id: certificateData._id }, true);
|
|
} catch (err) {
|
|
try {
|
|
await db.redis.multi().set(domainSafeLockKey, 1).expire(domainSafeLockKey, BLOCK_RENEW_AFTER_ERROR_TTL).exec();
|
|
} catch (err) {
|
|
log.error('ACME', 'Redis call failed key=%s domains=%s error=%s', domainSafeLockKey, domain, err.message);
|
|
}
|
|
|
|
log.error('ACME', 'Failed to generate certificate domains=%s error=%s', domain, err.stack);
|
|
|
|
if (certificateData && certificateData._id) {
|
|
try {
|
|
await db.database.collection('certs').findOneAndUpdate(
|
|
{ _id: certificateData._id },
|
|
{
|
|
$set: {
|
|
'_acme.lastError': {
|
|
err: err.message,
|
|
code: err.code,
|
|
time: new Date()
|
|
}
|
|
}
|
|
}
|
|
);
|
|
} catch (err) {
|
|
log.error('ACME', 'Failed to update certificate record domain=%s error=%s', domain, err.message);
|
|
}
|
|
|
|
certHandler.loggelf({
|
|
short_message: `SNI cert provisioning failed for ${domain}`,
|
|
_sni_servername: domain,
|
|
_cert_id: certificateData._id.toString(),
|
|
_cert_action: 'provision',
|
|
_cert_error: err.message,
|
|
_cert_error_code: err.code
|
|
});
|
|
|
|
if (certificateData && certificateData.cert) {
|
|
// use existing certificate data if exists
|
|
return certificateData;
|
|
}
|
|
}
|
|
|
|
throw err;
|
|
} finally {
|
|
try {
|
|
await releaseLock(lock);
|
|
} catch (err) {
|
|
log.error('Lock', 'Failed to release lock for %s: %s', domainOpLockKey, err);
|
|
}
|
|
}
|
|
};
|
|
|
|
const getCertificate = async (domain, acmeOptions, certHandler) => {
|
|
await ensureAcme(acmeOptions, certHandler);
|
|
|
|
domain = normalizeDomain(domain);
|
|
|
|
let certificateData = await certHandler.getRecord({ servername: domain }, true);
|
|
if (!certificateData) {
|
|
let err = new Error('Missing certificate info for ${domain}');
|
|
err.responseCode = 404;
|
|
err.code = 'missing_certificate';
|
|
throw err;
|
|
}
|
|
|
|
if (!certificateData.status) {
|
|
certificateData.status = 'pending';
|
|
}
|
|
|
|
if (certificateData.status === 'valid' && certificateData.expires < new Date()) {
|
|
certificateData.status = 'expired';
|
|
}
|
|
|
|
if (certificateData.expires > new Date(Date.now() + RENEW_AFTER_REMAINING)) {
|
|
// no need to renew, use existing
|
|
return certificateData;
|
|
}
|
|
|
|
return await acquireCert(domain, acmeOptions, certificateData, certHandler);
|
|
};
|
|
|
|
module.exports = {
|
|
getCertificate,
|
|
acquireCert
|
|
};
|