haproxy-panel-next/acme.js

'use strict';

const fs = require('fs').promises;
const acme = require('acme-client');
const dev = process.env.NODE_ENV !== 'production';
const redis = require('./redis.js');
const redlock = require('./redlock.js');
const psl = require('psl');


/**
 * Function used to satisfy an ACME challenge
 *
 * @param {object} authz Authorization object
 * @param {object} challenge Selected challenge
 * @param {string} keyAuthorization Authorization key
 * @returns {Promise}
 */

async function challengeCreateFn(authz, challenge, keyAuthorization) {
	console.log('Triggered challengeCreateFn()');
	// console.log('authz', authz);
	// console.log('challenge', challenge);
	// console.log('keyAuthorization', keyAuthorization);

	/* http-01 */
	if (challenge.type === 'http-01') {
		const filePath = `/tmp/.well-known/acme-challenge/${challenge.token}`;
		const fileContents = keyAuthorization;
		console.log(`Creating challenge response for ${authz.identifier.value} at path: ${filePath}`);
		await fs.writeFile(filePath, fileContents);
	}

	/* dns-01 */
	else if (challenge.type === 'dns-01') {
		const parsed = psl.parse(authz.identifier.value);
		const domain = parsed.domain;
		let subdomain = `_acme-challenge`;
		if (parsed.subdomain && parsed.subdomain.length > 0) {
			subdomain += `.${parsed.subdomain}`;
		}
		const lock = await redlock.acquire([`lock:${domain}:${subdomain}`], 10000);
		try {
			const recordValue = keyAuthorization;
			console.log(`Creating TXT record for "${subdomain}.${domain}" with value "${recordValue}"`);
			const record = { ttl: 300, text: recordValue, l: true, t: true };
			let recordSetRaw = await redis.hget(`dns:${domain}.`, subdomain);
			if (!recordSetRaw) {
				recordSetRaw = {};
			}
			recordSetRaw['txt'] = (recordSetRaw['txt']||[]).concat([record]);
			await redis.hset(`dns:${domain}.`, subdomain, recordSetRaw);
			console.log(`Created TXT record for "${subdomain}.${domain}" with value "${recordValue}"`);
		} catch(e) {
			console.error(e);
		} finally {
			await lock.release();
		}
	}
}


/**
 * Function used to remove an ACME challenge response
 *
 * @param {object} authz Authorization object
 * @param {object} challenge Selected challenge
 * @param {string} keyAuthorization Authorization key
 * @returns {Promise}
 */

async function challengeRemoveFn(authz, challenge, keyAuthorization) {
	console.log('Triggered challengeRemoveFn()');

	/* http-01 */
	if (challenge.type === 'http-01') {
		const filePath = `/tmp/.well-known/acme-challenge/${challenge.token}`;
		console.log(`Removing challenge response for ${authz.identifier.value} at path: ${filePath}`);
		await fs.unlink(filePath);
	}

	/* dns-01 */
	else if (challenge.type === 'dns-01') {
		const parsed = psl.parse(authz.identifier.value);
		const domain = parsed.domain;
		let subdomain = `_acme-challenge`;
		if (parsed.subdomain && parsed.subdomain.length > 0) {
			subdomain += `.${parsed.subdomain}`;
		}
		const lock = await redlock.acquire([`lock:${domain}:${subdomain}`], 10000);
		try {
			const recordValue = keyAuthorization;
			console.log(`Removing TXT record "${subdomain}.${domain}" with value "${recordValue}"`);
			let recordSetRaw = await redis.hget(`dns:${domain}.`, subdomain);
			if (!recordSetRaw) {
				recordSetRaw = {};
			}
			recordSetRaw['txt'] = (recordSetRaw['txt']||[]).filter(r => r.text !== recordValue);
			if (recordSetRaw['txt'].length === 0) {
				await redis.hdel(`dns:${domain}.`, subdomain);
			} else {
				await redis.hset(`dns:${domain}.`, subdomain, recordSetRaw);
			}
			console.log(`Removed TXT record "${subdomain}.${domain}" with value "${recordValue}"`);
		} catch(e) {
			console.error(e);
		} finally {
			await lock.release();
		}
	}
}


module.exports = {

	client: null,

	init: async function() {
		/* Init client */
		module.exports.client = new acme.Client({
			directoryUrl: dev ? acme.directory.letsencrypt.staging : acme.directory.letsencrypt.production,
			accountKey: await acme.crypto.createPrivateKey()
		});
	},

	generate: async function(domain, altnames, email, challengePriority=['http-01', 'dns-01']) {
		/* Create CSR */
		const [key, csr] = await acme.crypto.createCsr({
			commonName: domain,
			altNames: altnames,
		});
		/* Certificate */
		const cert = await module.exports.client.auto({
			csr,
			email,
			termsOfServiceAgreed: true,
			skipChallengeVerification: true,
			challengeCreateFn,
			challengeRemoveFn,
			challengePriority,
		});
		/* Done */
		const haproxyCert = `${cert.toString()}\n${key.toString()}`;
		return { key, csr, cert, haproxyCert, date: new Date() };
	},

};
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			`'use strict';`

			`const fs = require('fs').promises;`
			`const acme = require('acme-client');`
Make certs upload to DB, reflect in UI, and use production letsencrypt when not dev environment variable 1 year ago			`const dev = process.env.NODE_ENV !== 'production';`
Testing backend of allowing wildcard certs with DNS challenge automated Remove default email of mine from letsencrypt Bugfix invalid domain input not returning leads to double header send 10 months ago			`const redis = require('./redis.js');`
Update autorenew and acme handling to allow passing challenge priority, and use dns-01 for autorenewal 9 months ago			`const redlock = require('./redlock.js');`
			`const psl = require('psl');`

Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago
			`/**`
			`* Function used to satisfy an ACME challenge`
			`*`
			`* @param {object} authz Authorization object`
			`* @param {object} challenge Selected challenge`
			`* @param {string} keyAuthorization Authorization key`
			`* @returns {Promise}`
			`*/`

			`async function challengeCreateFn(authz, challenge, keyAuthorization) {`
			`console.log('Triggered challengeCreateFn()');`
Fix renewals in some situations (wildcards at least) from overwriting other _acme-challenge TXT record instead of appending/removing individual rrs 8 months ago			`// console.log('authz', authz);`
			`// console.log('challenge', challenge);`
			`// console.log('keyAuthorization', keyAuthorization);`
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago
			`/* http-01 */`
			`if (challenge.type === 'http-01') {`
Fix certificate deleting and regeneration due to temp paths and permissions, todo parameterize it 1 year ago			const filePath = `/tmp/.well-known/acme-challenge/${challenge.token}`;
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			`const fileContents = keyAuthorization;`
			console.log(`Creating challenge response for ${authz.identifier.value} at path: ${filePath}`);
			`await fs.writeFile(filePath, fileContents);`
			`}`

			`/* dns-01 */`
			`else if (challenge.type === 'dns-01') {`
Update autorenew and acme handling to allow passing challenge priority, and use dns-01 for autorenewal 9 months ago			`const parsed = psl.parse(authz.identifier.value);`
			`const domain = parsed.domain;`
			let subdomain = `_acme-challenge`;
			`if (parsed.subdomain && parsed.subdomain.length > 0) {`
			subdomain += `.${parsed.subdomain}`;
			`}`
			const lock = await redlock.acquire([`lock:${domain}:${subdomain}`], 10000);
			`try {`
			`const recordValue = keyAuthorization;`
			console.log(`Creating TXT record for "${subdomain}.${domain}" with value "${recordValue}"`);
			`const record = { ttl: 300, text: recordValue, l: true, t: true };`
			let recordSetRaw = await redis.hget(`dns:${domain}.`, subdomain);
			`if (!recordSetRaw) {`
			`recordSetRaw = {};`
			`}`
Fix renewals in some situations (wildcards at least) from overwriting other _acme-challenge TXT record instead of appending/removing individual rrs 8 months ago			`recordSetRaw['txt'] = (recordSetRaw['txt']\|\|[]).concat([record]);`
Update autorenew and acme handling to allow passing challenge priority, and use dns-01 for autorenewal 9 months ago			await redis.hset(`dns:${domain}.`, subdomain, recordSetRaw);
			console.log(`Created TXT record for "${subdomain}.${domain}" with value "${recordValue}"`);
			`} catch(e) {`
			`console.error(e);`
			`} finally {`
			`await lock.release();`
Testing backend of allowing wildcard certs with DNS challenge automated Remove default email of mine from letsencrypt Bugfix invalid domain input not returning leads to double header send 10 months ago			`}`
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			`}`
			`}`


			`/**`
			`* Function used to remove an ACME challenge response`
			`*`
			`* @param {object} authz Authorization object`
			`* @param {object} challenge Selected challenge`
			`* @param {string} keyAuthorization Authorization key`
			`* @returns {Promise}`
			`*/`

			`async function challengeRemoveFn(authz, challenge, keyAuthorization) {`
			`console.log('Triggered challengeRemoveFn()');`

			`/* http-01 */`
			`if (challenge.type === 'http-01') {`
Fix certificate deleting and regeneration due to temp paths and permissions, todo parameterize it 1 year ago			const filePath = `/tmp/.well-known/acme-challenge/${challenge.token}`;
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			console.log(`Removing challenge response for ${authz.identifier.value} at path: ${filePath}`);
			`await fs.unlink(filePath);`
			`}`

			`/* dns-01 */`
			`else if (challenge.type === 'dns-01') {`
Update autorenew and acme handling to allow passing challenge priority, and use dns-01 for autorenewal 9 months ago			`const parsed = psl.parse(authz.identifier.value);`
			`const domain = parsed.domain;`
			let subdomain = `_acme-challenge`;
			`if (parsed.subdomain && parsed.subdomain.length > 0) {`
			subdomain += `.${parsed.subdomain}`;
			`}`
			const lock = await redlock.acquire([`lock:${domain}:${subdomain}`], 10000);
			`try {`
			`const recordValue = keyAuthorization;`
			console.log(`Removing TXT record "${subdomain}.${domain}" with value "${recordValue}"`);
Fix renewals in some situations (wildcards at least) from overwriting other _acme-challenge TXT record instead of appending/removing individual rrs 8 months ago			let recordSetRaw = await redis.hget(`dns:${domain}.`, subdomain);
			`if (!recordSetRaw) {`
			`recordSetRaw = {};`
			`}`
			`recordSetRaw['txt'] = (recordSetRaw['txt']\|\|[]).filter(r => r.text !== recordValue);`
			`if (recordSetRaw['txt'].length === 0) {`
			await redis.hdel(`dns:${domain}.`, subdomain);
			`} else {`
			await redis.hset(`dns:${domain}.`, subdomain, recordSetRaw);
			`}`
Update autorenew and acme handling to allow passing challenge priority, and use dns-01 for autorenewal 9 months ago			console.log(`Removed TXT record "${subdomain}.${domain}" with value "${recordValue}"`);
			`} catch(e) {`
			`console.error(e);`
			`} finally {`
			`await lock.release();`
			`}`
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			`}`
			`}`



			`module.exports = {`

			`client: null,`

			`init: async function() {`
			`/* Init client */`
			`module.exports.client = new acme.Client({`
Make certs upload to DB, reflect in UI, and use production letsencrypt when not dev environment variable 1 year ago			`directoryUrl: dev ? acme.directory.letsencrypt.staging : acme.directory.letsencrypt.production,`
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			`accountKey: await acme.crypto.createPrivateKey()`
			`});`
			`},`

Update autorenew and acme handling to allow passing challenge priority, and use dns-01 for autorenewal 9 months ago			`generate: async function(domain, altnames, email, challengePriority=['http-01', 'dns-01']) {`
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			`/* Create CSR */`
			`const [key, csr] = await acme.crypto.createCsr({`
Improved certs page and break it out into a separate page, hide internal backends map, setup button coming soon 1 year ago			`commonName: domain,`
			`altNames: altnames,`
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			`});`
			`/* Certificate */`
			`const cert = await module.exports.client.auto({`
			`csr,`
			`email,`
			`termsOfServiceAgreed: true,`
skip internal verification check in acme because it fails sometimes and doesnt bother trying to get a cert which would work normally 1 year ago			`skipChallengeVerification: true,`
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			`challengeCreateFn,`
Update autorenew and acme handling to allow passing challenge priority, and use dns-01 for autorenewal 9 months ago			`challengeRemoveFn,`
			`challengePriority,`
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			`});`
			`/* Done */`
			const haproxyCert = `${cert.toString()}\n${key.toString()}`;
Make certs upload to DB, reflect in UI, and use production letsencrypt when not dev environment variable 1 year ago			`return { key, csr, cert, haproxyCert, date: new Date() };`
Implement acme client, no writing to db/uploading with dataplane (YET) Speed improvements, some parallel dataplane calls e.g. account page Fix registration Change cluster -> server wording for now on frontend Frontend dixes re overflowing server line 1 year ago			`},`

			`};`