├── .github ├── CONTRIBUTING.md ├── FUNDING.yml ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── feature_request.md │ └── question.md └── workflows │ └── ci.yml ├── .gitignore ├── LICENSE.txt ├── README.md ├── account.go ├── account_test.go ├── acmeclient.go ├── acmeissuer.go ├── acmeissuer_test.go ├── async.go ├── cache.go ├── cache_test.go ├── certificates.go ├── certificates_test.go ├── certmagic.go ├── certmagic_test.go ├── config.go ├── config_test.go ├── crypto.go ├── crypto_test.go ├── dnsutil.go ├── dnsutil_test.go ├── doc_test.go ├── filestorage.go ├── filestorage_test.go ├── go.mod ├── go.sum ├── handshake.go ├── handshake_test.go ├── httphandlers.go ├── httphandlers_test.go ├── internal ├── atomicfile │ ├── README │ ├── file.go │ └── file_test.go └── testutil │ ├── readme.md │ └── testutil.go ├── maintain.go ├── ocsp.go ├── ocsp_test.go ├── ratelimiter.go ├── solvers.go ├── solvers_test.go ├── storage.go ├── storage_test.go ├── testdata └── resolv.conf.1 └── zerosslissuer.go /.github/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | Contributing to CertMagic 2 | ========================= 3 | 4 | ## Common Tasks 5 | 6 | - [Contributing code](#contributing-code) 7 | - [Reporting a bug](#reporting-bugs) 8 | - [Suggesting an enhancement or a new feature](#suggesting-features) 9 | - [Improving documentation](#improving-documentation) 10 | 11 | Other menu items: 12 | 13 | - [Values](#values) 14 | - [Thank You](#thank-you) 15 | 16 | 17 | ### Contributing code 18 | 19 | You can have a direct impact on the project by helping with its code. To contribute code to CertMagic, open a [pull request](https://github.com/caddyserver/certmagic/pulls) (PR). If you're new to our community, that's okay: **we gladly welcome pull requests from anyone, regardless of your native language or coding experience.** You can get familiar with CertMagic's code base by using [code search at Sourcegraph](https://sourcegraph.com/github.com/caddyserver/certmagic). 20 | 21 | We hold contributions to a high standard for quality :bowtie:, so don't be surprised if we ask for revisions—even if it seems small or insignificant. Please don't take it personally. :wink: If your change is on the right track, we can guide you to make it mergable. 22 | 23 | Here are some of the expectations we have of contributors: 24 | 25 | - If your change is more than just a minor alteration, **open an issue to propose your change first.** This way we can avoid confusion, coordinate what everyone is working on, and ensure that changes are in-line with the project's goals and the best interests of its users. If there's already an issue about it, comment on the existing issue to claim it. 26 | 27 | - **Keep pull requests small.** Smaller PRs are more likely to be merged because they are easier to review! We might ask you to break up large PRs into smaller ones. [An example of what we DON'T do.](https://twitter.com/iamdevloper/status/397664295875805184) 28 | 29 | - [**Don't "push" your pull requests.**](https://www.igvita.com/2011/12/19/dont-push-your-pull-requests/) Basically, work with—not against—the maintainers -- theirs is not a glorious job. In fact, consider becoming a CertMagic maintainer yourself! 30 | 31 | - **Keep related commits together in a PR.** We do want pull requests to be small, but you should also keep multiple related commits in the same PR if they rely on each other. 32 | 33 | - **Write tests.** Tests are essential! Written properly, they ensure your change works, and that other changes in the future won't break your change. CI checks should pass. 34 | 35 | - **Benchmarks should be included for optimizations.** Optimizations sometimes make code harder to read or have changes that are less than obvious. They should be proven with benchmarks or profiling. 36 | 37 | - **[Squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) insignificant commits.** Every commit should be significant. Commits which merely rewrite a comment or fix a typo can be combined into another commit that has more substance. Interactive rebase can do this, or a simpler way is `git reset --soft ` then `git commit -s`. 38 | 39 | - **Maintain your contributions.** Please help maintain your change after it is merged. 40 | 41 | - **Use comments properly.** We expect good godoc comments for package-level functions, types, and values. Comments are also useful whenever the purpose for a line of code is not obvious, and comments should not state the obvious. 42 | 43 | We often grant [collaborator status](#collaborator-instructions) to contributors who author one or more significant, high-quality PRs that are merged into the code base! 44 | 45 | 46 | ### HOW TO MAKE A PULL REQUEST TO CERTMAGIC 47 | 48 | Contributing to Go projects on GitHub is fun and easy. We recommend the following workflow: 49 | 50 | 1. [Fork this repo](https://github.com/caddyserver/certmagic). This makes a copy of the code you can write to. 51 | 52 | 2. If you don't already have this repo (caddyserver/certmagic.git) repo on your computer, get it with `go get github.com/caddyserver/certmagic`. 53 | 54 | 3. Tell git that it can push the caddyserver/certmagic.git repo to your fork by adding a remote: `git remote add myfork https://github.com/you/certmagic.git` 55 | 56 | 4. Make your changes in the caddyserver/certmagic.git repo on your computer. 57 | 58 | 5. Push your changes to your fork: `git push myfork` 59 | 60 | 6. [Create a pull request](https://github.com/caddyserver/certmagic/pull/new/master) to merge your changes into caddyserver/certmagic @ master. (Click "compare across forks" and change the head fork.) 61 | 62 | This workflow is nice because you don't have to change import paths. You can get fancier by using different branches if you want. 63 | 64 | 65 | 66 | ### Reporting bugs 67 | 68 | Like every software, CertMagic has its flaws. If you find one, [search the issues](https://github.com/caddyserver/certmagic/issues) to see if it has already been reported. If not, [open a new issue](https://github.com/caddyserver/certmagic/issues/new) and describe the bug clearly. 69 | 70 | **You can help stop bugs in their tracks!** Speed up the patching process by identifying the bug in the code. This can sometimes be done by adding `fmt.Println()` statements (or similar) in relevant code paths to narrow down where the problem may be. It's a good way to [introduce yourself to the Go language](https://tour.golang.org), too. 71 | 72 | Please follow the issue template so we have all the needed information. Unredacted—yes, actual values matter. We need to be able to repeat the bug using your instructions. Please simplify the issue as much as possible. The burden is on you to convince us that it is actually a bug in CertMagic. This is easiest to do when you write clear, concise instructions so we can reproduce the behavior (even if it seems obvious). The more detailed and specific you are, the faster we will be able to help you! 73 | 74 | Failure to fill out the issue template will probably result in the issue being closed. 75 | 76 | We suggest reading [How to Report Bugs Effectively](https://www.chiark.greenend.org.uk/~sgtatham/bugs.html). 77 | 78 | Please be kind. :smile: Remember that CertMagic comes at no cost to you, and you're getting free support when we fix your issues. If we helped you, please consider helping someone else! 79 | 80 | 81 | ### Suggesting features 82 | 83 | First, [search to see if your feature has already been requested](https://github.com/caddyserver/certmagic/issues). If it has, you can add a :+1: reaction to vote for it. If your feature idea is new, open an issue to request the feature. You don't have to follow the bug template for feature requests. Please describe your idea thoroughly so that we know how to implement it! Really vague requests may not be helpful or actionable and without clarification will have to be closed. 84 | 85 | **Please do not "bump" issues with comments that ask if there are any updates.** 86 | 87 | While we really do value your requests and implement many of them, not all features are a good fit for CertMagic. If a feature is not in the best interest of the CertMagic project or its users in general, we may politely decline to implement it. 88 | 89 | 90 | 91 | ## Collaborator Instructions 92 | 93 | Collabators have push rights to the repository. We grant this permission after one or more successful, high-quality PRs are merged! We thank them for their help.The expectations we have of collaborators are: 94 | 95 | - **Help review pull requests.** Be meticulous, but also kind. We love our contributors, but we critique the contribution to make it better. Multiple, thorough reviews make for the best contributions! Here are some questions to consider: 96 | - Can the change be made more elegant? 97 | - Is this a maintenance burden? 98 | - What assumptions does the code make? 99 | - Is it well-tested? 100 | - Is the change a good fit for the project? 101 | - Does it actually fix the problem or is it creating a special case instead? 102 | - Does the change incur any new dependencies? (Avoid these!) 103 | 104 | - **Answer issues.** If every collaborator helped out with issues, we could count the number of open issues on two hands. This means getting involved in the discussion, investigating the code, and yes, debugging it. It's fun. Really! :smile: Please, please help with open issues. Granted, some issues need to be done before others. And of course some are larger than others: you don't have to do it all yourself. Work with other collaborators as a team! 105 | 106 | - **Do not merge pull requests until they have been approved by one or two other collaborators.** If a project owner approves the PR, it can be merged (as long as the conversation has finished too). 107 | 108 | - **Prefer squashed commits over a messy merge.** If there are many little commits, please [squash the commits](https://stackoverflow.com/a/11732910/1048862) so we don't clutter the commit history. 109 | 110 | - **Don't accept new dependencies lightly.** Dependencies can make the world crash and burn, but they are sometimes necessary. Choose carefully. Extremely small dependencies (a few lines of code) can be inlined. The rest may not be needed. 111 | 112 | - **Make sure tests test the actual thing.** Double-check that the tests fail without the change, and pass with it. It's important that they assert what they're purported to assert. 113 | 114 | - **Recommended reading** 115 | - [CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) for an idea of what we look for in good, clean Go code 116 | - [Linus Torvalds describes a good commit message](https://gist.github.com/matthewhudson/1475276) 117 | - [Best Practices for Maintainers](https://opensource.guide/best-practices/) 118 | - [Shrinking Code Review](https://alexgaynor.net/2015/dec/29/shrinking-code-review/) 119 | 120 | 121 | 122 | ## Values 123 | 124 | - A person is always more important than code. People don't like being handled "efficiently". But we can still process issues and pull requests efficiently while being kind, patient, and considerate. 125 | 126 | - The ends justify the means, if the means are good. A good tree won't produce bad fruit. But if we cut corners or are hasty in our process, the end result will not be good. 127 | 128 | 129 | ## Thank you 130 | 131 | Thanks for your help! CertMagic would not be what it is today without your contributions. -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: [mholt] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] 4 | patreon: # Replace with a single Patreon username 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a single Otechie username 12 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] 13 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: For behaviors which violate documentation or cause incorrect results 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | 17 | 18 | ## What version of the package are you using? 19 | 20 | 21 | 22 | ## What are you trying to do? 23 | 24 | 25 | 26 | ## What steps did you take? 27 | 28 | 29 | 30 | ## What did you expect to happen, and what actually happened instead? 31 | 32 | 33 | 34 | ## How do you think this should be fixed? 35 | 36 | 37 | 38 | ## Please link to any related issues, pull requests, and/or discussion 39 | 40 | 41 | 42 | ## Bonus: What do you use CertMagic for, and do you find it useful? 43 | 44 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: feature request 6 | assignees: '' 7 | 8 | --- 9 | 10 | 14 | 15 | ## What would you like to have changed? 16 | 17 | 18 | 19 | ## Why is this feature a useful, necessary, and/or important addition to this project? 20 | 21 | 22 | 23 | ## What alternatives are there, or what are you doing in the meantime to work around the lack of this feature? 24 | 25 | 26 | 27 | ## Please link to any relevant issues, pull requests, or other discussions. 28 | 29 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Question 3 | about: For help or questions about this package 4 | title: '' 5 | labels: question 6 | assignees: '' 7 | 8 | --- 9 | 10 | 15 | 16 | ## What is your question? 17 | 18 | 19 | 20 | ## What have you already tried? 21 | 22 | 23 | 24 | ## Include any other information or discussion. 25 | 26 | 27 | 28 | ## Bonus: What do you use this package for, and does it help you? 29 | 30 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | # Used as inspiration: https://github.com/mvdan/github-actions-golang 2 | 3 | name: Tests 4 | 5 | on: 6 | push: 7 | branches: 8 | - master 9 | pull_request: 10 | branches: 11 | - master 12 | 13 | jobs: 14 | test: 15 | strategy: 16 | matrix: 17 | os: [ ubuntu-latest, macos-latest, windows-latest ] 18 | go: [ '1.21', '1.22' ] 19 | 20 | runs-on: ${{ matrix.os }} 21 | 22 | steps: 23 | - name: Checkout code 24 | uses: actions/checkout@v3 25 | 26 | - name: Install Go 27 | uses: actions/setup-go@v4 28 | with: 29 | go-version: ${{ matrix.go }} 30 | 31 | - name: Print Go version and environment 32 | id: vars 33 | run: | 34 | printf "Using go at: $(which go)\n" 35 | printf "Go version: $(go version)\n" 36 | printf "\n\nGo environment:\n\n" 37 | go env 38 | printf "\n\nSystem environment:\n\n" 39 | env 40 | 41 | - name: Install dependencies 42 | run: go mod download 43 | 44 | - name: Run tests 45 | run: go test -v -short -race ./... 46 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | _gitignore/ 2 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /acmeclient.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "context" 19 | "crypto/x509" 20 | "fmt" 21 | "log/slog" 22 | "net" 23 | "net/http" 24 | "net/url" 25 | "strconv" 26 | "strings" 27 | "sync" 28 | "time" 29 | 30 | "github.com/mholt/acmez/v3" 31 | "github.com/mholt/acmez/v3/acme" 32 | "go.uber.org/zap" 33 | "go.uber.org/zap/exp/zapslog" 34 | ) 35 | 36 | // acmeClient holds state necessary to perform ACME operations 37 | // for certificate management with an ACME account. Call 38 | // ACMEIssuer.newACMEClientWithAccount() to get a valid one. 39 | type acmeClient struct { 40 | iss *ACMEIssuer 41 | acmeClient *acmez.Client 42 | account acme.Account 43 | } 44 | 45 | // newACMEClientWithAccount creates an ACME client ready to use with an account, including 46 | // loading one from storage or registering a new account with the CA if necessary. If 47 | // useTestCA is true, am.TestCA will be used if set; otherwise, the primary CA will be used. 48 | func (iss *ACMEIssuer) newACMEClientWithAccount(ctx context.Context, useTestCA, interactive bool) (*acmeClient, error) { 49 | // first, get underlying ACME client 50 | client, err := iss.newACMEClient(useTestCA) 51 | if err != nil { 52 | return nil, err 53 | } 54 | 55 | // we try loading the account from storage before a potential 56 | // lock, and after obtaining the lock as well, to ensure we don't 57 | // repeat work done by another instance or goroutine 58 | getAccount := func() (acme.Account, error) { 59 | // look up or create the ACME account 60 | var account acme.Account 61 | if iss.AccountKeyPEM != "" { 62 | iss.Logger.Info("using configured ACME account") 63 | account, err = iss.GetAccount(ctx, []byte(iss.AccountKeyPEM)) 64 | } else { 65 | account, err = iss.getAccount(ctx, client.Directory, iss.getEmail()) 66 | } 67 | if err != nil { 68 | return acme.Account{}, fmt.Errorf("getting ACME account: %v", err) 69 | } 70 | return account, nil 71 | } 72 | 73 | // first try getting the account 74 | account, err := getAccount() 75 | if err != nil { 76 | return nil, err 77 | } 78 | 79 | // register account if it is new 80 | if account.Status == "" { 81 | iss.Logger.Info("ACME account has empty status; registering account with ACME server", 82 | zap.Strings("contact", account.Contact), 83 | zap.String("location", account.Location)) 84 | 85 | // synchronize this so the account is only created once 86 | acctLockKey := accountRegLockKey(account) 87 | err = acquireLock(ctx, iss.config.Storage, acctLockKey) 88 | if err != nil { 89 | return nil, fmt.Errorf("locking account registration: %v", err) 90 | } 91 | defer func() { 92 | if err := releaseLock(ctx, iss.config.Storage, acctLockKey); err != nil { 93 | iss.Logger.Error("failed to unlock account registration lock", zap.Error(err)) 94 | } 95 | }() 96 | 97 | // if we're not the only one waiting for this account, then by this point it should already be registered and in storage; reload it 98 | account, err = getAccount() 99 | if err != nil { 100 | return nil, err 101 | } 102 | 103 | // if we are the only or first one waiting for this account, then proceed to register it while we have the lock 104 | if account.Status == "" { 105 | if iss.NewAccountFunc != nil { 106 | // obtain lock here, since NewAccountFunc calls happen concurrently and they typically read and change the issuer 107 | iss.mu.Lock() 108 | account, err = iss.NewAccountFunc(ctx, iss, account) 109 | iss.mu.Unlock() 110 | if err != nil { 111 | return nil, fmt.Errorf("account pre-registration callback: %v", err) 112 | } 113 | } 114 | 115 | // agree to terms 116 | if interactive { 117 | if !iss.isAgreed() { 118 | var termsURL string 119 | dir, err := client.GetDirectory(ctx) 120 | if err != nil { 121 | return nil, fmt.Errorf("getting directory: %w", err) 122 | } 123 | if dir.Meta != nil { 124 | termsURL = dir.Meta.TermsOfService 125 | } 126 | if termsURL != "" { 127 | agreed := iss.askUserAgreement(termsURL) 128 | if !agreed { 129 | return nil, fmt.Errorf("user must agree to CA terms") 130 | } 131 | iss.mu.Lock() 132 | iss.agreed = agreed 133 | iss.mu.Unlock() 134 | } 135 | } 136 | } else { 137 | // can't prompt a user who isn't there; they should 138 | // have reviewed the terms beforehand 139 | iss.mu.Lock() 140 | iss.agreed = true 141 | iss.mu.Unlock() 142 | } 143 | account.TermsOfServiceAgreed = iss.isAgreed() 144 | 145 | // associate account with external binding, if configured 146 | if iss.ExternalAccount != nil { 147 | err := account.SetExternalAccountBinding(ctx, client.Client, *iss.ExternalAccount) 148 | if err != nil { 149 | return nil, err 150 | } 151 | } 152 | 153 | // create account 154 | account, err = client.NewAccount(ctx, account) 155 | if err != nil { 156 | return nil, fmt.Errorf("registering account %v with server: %w", account.Contact, err) 157 | } 158 | iss.Logger.Info("new ACME account registered", 159 | zap.Strings("contact", account.Contact), 160 | zap.String("status", account.Status)) 161 | 162 | // persist the account to storage 163 | err = iss.saveAccount(ctx, client.Directory, account) 164 | if err != nil { 165 | return nil, fmt.Errorf("could not save account %v: %v", account.Contact, err) 166 | } 167 | } else { 168 | iss.Logger.Info("account has already been registered; reloaded", 169 | zap.Strings("contact", account.Contact), 170 | zap.String("status", account.Status), 171 | zap.String("location", account.Location)) 172 | } 173 | } 174 | 175 | c := &acmeClient{ 176 | iss: iss, 177 | acmeClient: client, 178 | account: account, 179 | } 180 | 181 | return c, nil 182 | } 183 | 184 | // newACMEClient creates a new underlying ACME client using the settings in am, 185 | // independent of any particular ACME account. If useTestCA is true, am.TestCA 186 | // will be used if it is set; otherwise, the primary CA will be used. 187 | func (iss *ACMEIssuer) newACMEClient(useTestCA bool) (*acmez.Client, error) { 188 | client, err := iss.newBasicACMEClient() 189 | if err != nil { 190 | return nil, err 191 | } 192 | 193 | // fill in a little more beyond a basic client 194 | if useTestCA && iss.TestCA != "" { 195 | client.Client.Directory = iss.TestCA 196 | } 197 | certObtainTimeout := iss.CertObtainTimeout 198 | if certObtainTimeout == 0 { 199 | certObtainTimeout = DefaultACME.CertObtainTimeout 200 | } 201 | client.Client.PollTimeout = certObtainTimeout 202 | client.ChallengeSolvers = make(map[string]acmez.Solver) 203 | 204 | // configure challenges (most of the time, DNS challenge is 205 | // exclusive of other ones because it is usually only used 206 | // in situations where the default challenges would fail) 207 | if iss.DNS01Solver == nil { 208 | // enable HTTP-01 challenge 209 | if !iss.DisableHTTPChallenge { 210 | client.ChallengeSolvers[acme.ChallengeTypeHTTP01] = distributedSolver{ 211 | storage: iss.config.Storage, 212 | storageKeyIssuerPrefix: iss.storageKeyCAPrefix(client.Directory), 213 | solver: &httpSolver{ 214 | handler: iss.HTTPChallengeHandler(http.NewServeMux()), 215 | address: net.JoinHostPort(iss.ListenHost, strconv.Itoa(iss.getHTTPPort())), 216 | }, 217 | } 218 | } 219 | 220 | // enable TLS-ALPN-01 challenge 221 | if !iss.DisableTLSALPNChallenge { 222 | client.ChallengeSolvers[acme.ChallengeTypeTLSALPN01] = distributedSolver{ 223 | storage: iss.config.Storage, 224 | storageKeyIssuerPrefix: iss.storageKeyCAPrefix(client.Directory), 225 | solver: &tlsALPNSolver{ 226 | config: iss.config, 227 | address: net.JoinHostPort(iss.ListenHost, strconv.Itoa(iss.getTLSALPNPort())), 228 | }, 229 | } 230 | } 231 | } else { 232 | // use DNS challenge exclusively 233 | client.ChallengeSolvers[acme.ChallengeTypeDNS01] = iss.DNS01Solver 234 | } 235 | 236 | // wrap solvers in our wrapper so that we can keep track of challenge 237 | // info: this is useful for solving challenges globally as a process; 238 | // for example, usually there is only one process that can solve the 239 | // HTTP and TLS-ALPN challenges, and only one server in that process 240 | // that can bind the necessary port(s), so if a server listening on 241 | // a different port needed a certificate, it would have to know about 242 | // the other server listening on that port, and somehow convey its 243 | // challenge info or share its config, but this isn't always feasible; 244 | // what the wrapper does is it accesses a global challenge memory so 245 | // that unrelated servers in this process can all solve each others' 246 | // challenges without having to know about each other - Caddy's admin 247 | // endpoint uses this functionality since it and the HTTP/TLS modules 248 | // do not know about each other 249 | // (doing this here in a separate loop ensures that even if we expose 250 | // solver config to users later, we will even wrap their own solvers) 251 | for name, solver := range client.ChallengeSolvers { 252 | client.ChallengeSolvers[name] = solverWrapper{solver} 253 | } 254 | 255 | return client, nil 256 | } 257 | 258 | // newBasicACMEClient sets up a basically-functional ACME client that is not capable 259 | // of solving challenges but can provide basic interactions with the server. 260 | func (iss *ACMEIssuer) newBasicACMEClient() (*acmez.Client, error) { 261 | caURL := iss.CA 262 | if caURL == "" { 263 | caURL = DefaultACME.CA 264 | } 265 | // ensure endpoint is secure (assume HTTPS if scheme is missing) 266 | if !strings.Contains(caURL, "://") { 267 | caURL = "https://" + caURL 268 | } 269 | u, err := url.Parse(caURL) 270 | if err != nil { 271 | return nil, err 272 | } 273 | if u.Scheme != "https" && !SubjectIsInternal(u.Host) { 274 | return nil, fmt.Errorf("%s: insecure CA URL (HTTPS required for non-internal CA)", caURL) 275 | } 276 | return &acmez.Client{ 277 | Client: &acme.Client{ 278 | Directory: caURL, 279 | UserAgent: buildUAString(), 280 | HTTPClient: iss.httpClient, 281 | Logger: slog.New(zapslog.NewHandler(iss.Logger.Named("acme_client").Core())), 282 | }, 283 | }, nil 284 | } 285 | 286 | // GetRenewalInfo gets the ACME Renewal Information (ARI) for the certificate. 287 | func (iss *ACMEIssuer) GetRenewalInfo(ctx context.Context, cert Certificate) (acme.RenewalInfo, error) { 288 | acmeClient, err := iss.newBasicACMEClient() 289 | if err != nil { 290 | return acme.RenewalInfo{}, err 291 | } 292 | return acmeClient.GetRenewalInfo(ctx, cert.Certificate.Leaf) 293 | } 294 | 295 | func (iss *ACMEIssuer) getHTTPPort() int { 296 | useHTTPPort := HTTPChallengePort 297 | if HTTPPort > 0 && HTTPPort != HTTPChallengePort { 298 | useHTTPPort = HTTPPort 299 | } 300 | if iss.AltHTTPPort > 0 { 301 | useHTTPPort = iss.AltHTTPPort 302 | } 303 | return useHTTPPort 304 | } 305 | 306 | func (iss *ACMEIssuer) getTLSALPNPort() int { 307 | useTLSALPNPort := TLSALPNChallengePort 308 | if HTTPSPort > 0 && HTTPSPort != TLSALPNChallengePort { 309 | useTLSALPNPort = HTTPSPort 310 | } 311 | if iss.AltTLSALPNPort > 0 { 312 | useTLSALPNPort = iss.AltTLSALPNPort 313 | } 314 | return useTLSALPNPort 315 | } 316 | 317 | func (c *acmeClient) throttle(ctx context.Context, names []string) error { 318 | email := c.iss.getEmail() 319 | 320 | // throttling is scoped to CA + account email 321 | rateLimiterKey := c.acmeClient.Directory + "," + email 322 | rateLimitersMu.Lock() 323 | rl, ok := rateLimiters[rateLimiterKey] 324 | if !ok { 325 | rl = NewRateLimiter(RateLimitEvents, RateLimitEventsWindow) 326 | rateLimiters[rateLimiterKey] = rl 327 | // TODO: stop rate limiter when it is garbage-collected... 328 | } 329 | rateLimitersMu.Unlock() 330 | c.iss.Logger.Info("waiting on internal rate limiter", 331 | zap.Strings("identifiers", names), 332 | zap.String("ca", c.acmeClient.Directory), 333 | zap.String("account", email), 334 | ) 335 | err := rl.Wait(ctx) 336 | if err != nil { 337 | return err 338 | } 339 | c.iss.Logger.Info("done waiting on internal rate limiter", 340 | zap.Strings("identifiers", names), 341 | zap.String("ca", c.acmeClient.Directory), 342 | zap.String("account", email), 343 | ) 344 | return nil 345 | } 346 | 347 | func (c *acmeClient) usingTestCA() bool { 348 | return c.iss.TestCA != "" && c.acmeClient.Directory == c.iss.TestCA 349 | } 350 | 351 | func (c *acmeClient) revoke(ctx context.Context, cert *x509.Certificate, reason int) error { 352 | return c.acmeClient.RevokeCertificate(ctx, c.account, 353 | cert, c.account.PrivateKey, reason) 354 | } 355 | 356 | func buildUAString() string { 357 | ua := "CertMagic" 358 | if UserAgent != "" { 359 | ua = UserAgent + " " + ua 360 | } 361 | return ua 362 | } 363 | 364 | // RenewalInfoGetter is a type that can get ACME Renewal Information (ARI). 365 | // Users of this package that wrap the ACMEIssuer or use any other issuer 366 | // that supports ARI will need to implement this so that CertMagic can 367 | // update ARI which happens outside the normal issuance flow and is thus 368 | // not required by the Issuer interface (a type assertion is performed). 369 | type RenewalInfoGetter interface { 370 | GetRenewalInfo(context.Context, Certificate) (acme.RenewalInfo, error) 371 | } 372 | 373 | // These internal rate limits are designed to prevent accidentally 374 | // firehosing a CA's ACME endpoints. They are not intended to 375 | // replace or replicate the CA's actual rate limits. 376 | // 377 | // Let's Encrypt's rate limits can be found here: 378 | // https://letsencrypt.org/docs/rate-limits/ 379 | // 380 | // Currently (as of December 2019), Let's Encrypt's most relevant 381 | // rate limit for large deployments is 300 new orders per account 382 | // per 3 hours (on average, or best case, that's about 1 every 36 383 | // seconds, or 2 every 72 seconds, etc.); but it's not reasonable 384 | // to try to assume that our internal state is the same as the CA's 385 | // (due to process restarts, config changes, failed validations, 386 | // etc.) and ultimately, only the CA's actual rate limiter is the 387 | // authority. Thus, our own rate limiters do not attempt to enforce 388 | // external rate limits. Doing so causes problems when the domains 389 | // are not in our control (i.e. serving customer sites) and/or lots 390 | // of domains fail validation: they clog our internal rate limiter 391 | // and nearly starve out (or at least slow down) the other domains 392 | // that need certificates. Failed transactions are already retried 393 | // with exponential backoff, so adding in rate limiting can slow 394 | // things down even more. 395 | // 396 | // Instead, the point of our internal rate limiter is to avoid 397 | // hammering the CA's endpoint when there are thousands or even 398 | // millions of certificates under management. Our goal is to 399 | // allow small bursts in a relatively short timeframe so as to 400 | // not block any one domain for too long, without unleashing 401 | // thousands of requests to the CA at once. 402 | var ( 403 | rateLimiters = make(map[string]*RingBufferRateLimiter) 404 | rateLimitersMu sync.RWMutex 405 | 406 | // RateLimitEvents is how many new events can be allowed 407 | // in RateLimitEventsWindow. 408 | RateLimitEvents = 10 409 | 410 | // RateLimitEventsWindow is the size of the sliding 411 | // window that throttles events. 412 | RateLimitEventsWindow = 10 * time.Second 413 | ) 414 | 415 | // Some default values passed down to the underlying ACME client. 416 | var ( 417 | UserAgent string 418 | HTTPTimeout = 30 * time.Second 419 | ) 420 | -------------------------------------------------------------------------------- /acmeissuer_test.go: -------------------------------------------------------------------------------- 1 | package certmagic 2 | 3 | const dummyCA = "https://example.com/acme/directory" 4 | -------------------------------------------------------------------------------- /async.go: -------------------------------------------------------------------------------- 1 | package certmagic 2 | 3 | import ( 4 | "context" 5 | "errors" 6 | "log" 7 | "runtime" 8 | "sync" 9 | "time" 10 | 11 | "go.uber.org/zap" 12 | ) 13 | 14 | var jm = &jobManager{maxConcurrentJobs: 1000} 15 | 16 | type jobManager struct { 17 | mu sync.Mutex 18 | maxConcurrentJobs int 19 | activeWorkers int 20 | queue []namedJob 21 | names map[string]struct{} 22 | } 23 | 24 | type namedJob struct { 25 | name string 26 | job func() error 27 | logger *zap.Logger 28 | } 29 | 30 | // Submit enqueues the given job with the given name. If name is non-empty 31 | // and a job with the same name is already enqueued or running, this is a 32 | // no-op. If name is empty, no duplicate prevention will occur. The job 33 | // manager will then run this job as soon as it is able. 34 | func (jm *jobManager) Submit(logger *zap.Logger, name string, job func() error) { 35 | jm.mu.Lock() 36 | defer jm.mu.Unlock() 37 | if jm.names == nil { 38 | jm.names = make(map[string]struct{}) 39 | } 40 | if name != "" { 41 | // prevent duplicate jobs 42 | if _, ok := jm.names[name]; ok { 43 | return 44 | } 45 | jm.names[name] = struct{}{} 46 | } 47 | jm.queue = append(jm.queue, namedJob{name, job, logger}) 48 | if jm.activeWorkers < jm.maxConcurrentJobs { 49 | jm.activeWorkers++ 50 | go jm.worker() 51 | } 52 | } 53 | 54 | func (jm *jobManager) worker() { 55 | defer func() { 56 | if err := recover(); err != nil { 57 | buf := make([]byte, stackTraceBufferSize) 58 | buf = buf[:runtime.Stack(buf, false)] 59 | log.Printf("panic: certificate worker: %v\n%s", err, buf) 60 | } 61 | }() 62 | 63 | for { 64 | jm.mu.Lock() 65 | if len(jm.queue) == 0 { 66 | jm.activeWorkers-- 67 | jm.mu.Unlock() 68 | return 69 | } 70 | next := jm.queue[0] 71 | jm.queue = jm.queue[1:] 72 | jm.mu.Unlock() 73 | if err := next.job(); err != nil { 74 | next.logger.Error("job failed", zap.Error(err)) 75 | } 76 | if next.name != "" { 77 | jm.mu.Lock() 78 | delete(jm.names, next.name) 79 | jm.mu.Unlock() 80 | } 81 | } 82 | } 83 | 84 | func doWithRetry(ctx context.Context, log *zap.Logger, f func(context.Context) error) error { 85 | var attempts int 86 | ctx = context.WithValue(ctx, AttemptsCtxKey, &attempts) 87 | 88 | // the initial intervalIndex is -1, signaling 89 | // that we should not wait for the first attempt 90 | start, intervalIndex := time.Now(), -1 91 | var err error 92 | 93 | for time.Since(start) < maxRetryDuration { 94 | var wait time.Duration 95 | if intervalIndex >= 0 { 96 | wait = retryIntervals[intervalIndex] 97 | } 98 | timer := time.NewTimer(wait) 99 | select { 100 | case <-ctx.Done(): 101 | timer.Stop() 102 | return context.Canceled 103 | case <-timer.C: 104 | err = f(ctx) 105 | attempts++ 106 | if err == nil || errors.Is(err, context.Canceled) { 107 | return err 108 | } 109 | var errNoRetry ErrNoRetry 110 | if errors.As(err, &errNoRetry) { 111 | return err 112 | } 113 | if intervalIndex < len(retryIntervals)-1 { 114 | intervalIndex++ 115 | } 116 | if time.Since(start) < maxRetryDuration { 117 | log.Error("will retry", 118 | zap.Error(err), 119 | zap.Int("attempt", attempts), 120 | zap.Duration("retrying_in", retryIntervals[intervalIndex]), 121 | zap.Duration("elapsed", time.Since(start)), 122 | zap.Duration("max_duration", maxRetryDuration)) 123 | 124 | } else { 125 | log.Error("final attempt; giving up", 126 | zap.Error(err), 127 | zap.Int("attempt", attempts), 128 | zap.Duration("elapsed", time.Since(start)), 129 | zap.Duration("max_duration", maxRetryDuration)) 130 | return nil 131 | } 132 | } 133 | } 134 | return err 135 | } 136 | 137 | // ErrNoRetry is an error type which signals 138 | // to stop retries early. 139 | type ErrNoRetry struct{ Err error } 140 | 141 | // Unwrap makes it so that e wraps e.Err. 142 | func (e ErrNoRetry) Unwrap() error { return e.Err } 143 | func (e ErrNoRetry) Error() string { return e.Err.Error() } 144 | 145 | type retryStateCtxKey struct{} 146 | 147 | // AttemptsCtxKey is the context key for the value 148 | // that holds the attempt counter. The value counts 149 | // how many times the operation has been attempted. 150 | // A value of 0 means first attempt. 151 | var AttemptsCtxKey retryStateCtxKey 152 | 153 | // retryIntervals are based on the idea of exponential 154 | // backoff, but weighed a little more heavily to the 155 | // front. We figure that intermittent errors would be 156 | // resolved after the first retry, but any errors after 157 | // that would probably require at least a few minutes 158 | // or hours to clear up: either for DNS to propagate, for 159 | // the administrator to fix their DNS or network config, 160 | // or some other external factor needs to change. We 161 | // chose intervals that we think will be most useful 162 | // without introducing unnecessary delay. The last 163 | // interval in this list will be used until the time 164 | // of maxRetryDuration has elapsed. 165 | var retryIntervals = []time.Duration{ 166 | 1 * time.Minute, 167 | 2 * time.Minute, 168 | 2 * time.Minute, 169 | 5 * time.Minute, // elapsed: 10 min 170 | 10 * time.Minute, 171 | 10 * time.Minute, 172 | 10 * time.Minute, 173 | 20 * time.Minute, // elapsed: 1 hr 174 | 20 * time.Minute, 175 | 20 * time.Minute, 176 | 20 * time.Minute, // elapsed: 2 hr 177 | 30 * time.Minute, 178 | 30 * time.Minute, // elapsed: 3 hr 179 | 30 * time.Minute, 180 | 30 * time.Minute, // elapsed: 4 hr 181 | 30 * time.Minute, 182 | 30 * time.Minute, // elapsed: 5 hr 183 | 1 * time.Hour, // elapsed: 6 hr 184 | 1 * time.Hour, 185 | 1 * time.Hour, // elapsed: 8 hr 186 | 2 * time.Hour, 187 | 2 * time.Hour, // elapsed: 12 hr 188 | 3 * time.Hour, 189 | 3 * time.Hour, // elapsed: 18 hr 190 | 6 * time.Hour, // repeat for up to maxRetryDuration 191 | } 192 | 193 | // maxRetryDuration is the maximum duration to try 194 | // doing retries using the above intervals. 195 | const maxRetryDuration = 24 * time.Hour * 30 196 | -------------------------------------------------------------------------------- /cache.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "fmt" 19 | weakrand "math/rand" 20 | "strings" 21 | "sync" 22 | "time" 23 | 24 | "go.uber.org/zap" 25 | ) 26 | 27 | // Cache is a structure that stores certificates in memory. 28 | // A Cache indexes certificates by name for quick access 29 | // during TLS handshakes, and avoids duplicating certificates 30 | // in memory. Generally, there should only be one per process. 31 | // However, that is not a strict requirement; but using more 32 | // than one is a code smell, and may indicate an 33 | // over-engineered design. 34 | // 35 | // An empty cache is INVALID and must not be used. Be sure 36 | // to call NewCache to get a valid value. 37 | // 38 | // These should be very long-lived values and must not be 39 | // copied. Before all references leave scope to be garbage 40 | // collected, ensure you call Stop() to stop maintenance on 41 | // the certificates stored in this cache and release locks. 42 | // 43 | // Caches are not usually manipulated directly; create a 44 | // Config value with a pointer to a Cache, and then use 45 | // the Config to interact with the cache. Caches are 46 | // agnostic of any particular storage or ACME config, 47 | // since each certificate may be managed and stored 48 | // differently. 49 | type Cache struct { 50 | // User configuration of the cache 51 | options CacheOptions 52 | optionsMu sync.RWMutex 53 | 54 | // The cache is keyed by certificate hash 55 | cache map[string]Certificate 56 | 57 | // cacheIndex is a map of SAN to cache key (cert hash) 58 | cacheIndex map[string][]string 59 | 60 | // Protects the cache and cacheIndex maps 61 | mu sync.RWMutex 62 | 63 | // Close this channel to cancel asset maintenance 64 | stopChan chan struct{} 65 | 66 | // Used to signal when stopping is completed 67 | doneChan chan struct{} 68 | 69 | logger *zap.Logger 70 | } 71 | 72 | // NewCache returns a new, valid Cache for efficiently 73 | // accessing certificates in memory. It also begins a 74 | // maintenance goroutine to tend to the certificates 75 | // in the cache. Call Stop() when you are done with the 76 | // cache so it can clean up locks and stuff. 77 | // 78 | // Most users of this package will not need to call this 79 | // because a default certificate cache is created for you. 80 | // Only advanced use cases require creating a new cache. 81 | // 82 | // This function panics if opts.GetConfigForCert is not 83 | // set. The reason is that a cache absolutely needs to 84 | // be able to get a Config with which to manage TLS 85 | // assets, and it is not safe to assume that the Default 86 | // config is always the correct one, since you have 87 | // created the cache yourself. 88 | // 89 | // See the godoc for Cache to use it properly. When 90 | // no longer needed, caches should be stopped with 91 | // Stop() to clean up resources even if the process 92 | // is being terminated, so that it can clean up 93 | // any locks for other processes to unblock! 94 | func NewCache(opts CacheOptions) *Cache { 95 | c := &Cache{ 96 | cache: make(map[string]Certificate), 97 | cacheIndex: make(map[string][]string), 98 | stopChan: make(chan struct{}), 99 | doneChan: make(chan struct{}), 100 | logger: opts.Logger, 101 | } 102 | 103 | // absolutely do not allow a nil logger; panics galore 104 | if c.logger == nil { 105 | c.logger = defaultLogger 106 | } 107 | 108 | c.SetOptions(opts) 109 | 110 | go c.maintainAssets(0) 111 | 112 | return c 113 | } 114 | 115 | func (certCache *Cache) SetOptions(opts CacheOptions) { 116 | // assume default options if necessary 117 | if opts.OCSPCheckInterval <= 0 { 118 | opts.OCSPCheckInterval = DefaultOCSPCheckInterval 119 | } 120 | if opts.RenewCheckInterval <= 0 { 121 | opts.RenewCheckInterval = DefaultRenewCheckInterval 122 | } 123 | if opts.Capacity < 0 { 124 | opts.Capacity = 0 125 | } 126 | 127 | // this must be set, because we cannot not 128 | // safely assume that the Default Config 129 | // is always the correct one to use 130 | if opts.GetConfigForCert == nil { 131 | panic("cache must be initialized with a GetConfigForCert callback") 132 | } 133 | 134 | certCache.optionsMu.Lock() 135 | certCache.options = opts 136 | certCache.optionsMu.Unlock() 137 | } 138 | 139 | // Stop stops the maintenance goroutine for 140 | // certificates in certCache. It blocks until 141 | // stopping is complete. Once a cache is 142 | // stopped, it cannot be reused. 143 | func (certCache *Cache) Stop() { 144 | close(certCache.stopChan) // signal to stop 145 | <-certCache.doneChan // wait for stop to complete 146 | } 147 | 148 | // CacheOptions is used to configure certificate caches. 149 | // Once a cache has been created with certain options, 150 | // those settings cannot be changed. 151 | type CacheOptions struct { 152 | // REQUIRED. A function that returns a configuration 153 | // used for managing a certificate, or for accessing 154 | // that certificate's asset storage (e.g. for 155 | // OCSP staples, etc). The returned Config MUST 156 | // be associated with the same Cache as the caller, 157 | // use New to obtain a valid Config. 158 | // 159 | // The reason this is a callback function, dynamically 160 | // returning a Config (instead of attaching a static 161 | // pointer to a Config on each certificate) is because 162 | // the config for how to manage a domain's certificate 163 | // might change from maintenance to maintenance. The 164 | // cache is so long-lived, we cannot assume that the 165 | // host's situation will always be the same; e.g. the 166 | // certificate might switch DNS providers, so the DNS 167 | // challenge (if used) would need to be adjusted from 168 | // the last time it was run ~8 weeks ago. 169 | GetConfigForCert ConfigGetter 170 | 171 | // How often to check certificates for renewal; 172 | // if unset, DefaultOCSPCheckInterval will be used. 173 | OCSPCheckInterval time.Duration 174 | 175 | // How often to check certificates for renewal; 176 | // if unset, DefaultRenewCheckInterval will be used. 177 | RenewCheckInterval time.Duration 178 | 179 | // Maximum number of certificates to allow in the cache. 180 | // If reached, certificates will be randomly evicted to 181 | // make room for new ones. 0 means unlimited. 182 | Capacity int 183 | 184 | // Set a logger to enable logging 185 | Logger *zap.Logger 186 | } 187 | 188 | // ConfigGetter is a function that returns a prepared, 189 | // valid config that should be used when managing the 190 | // given certificate or its assets. 191 | type ConfigGetter func(Certificate) (*Config, error) 192 | 193 | // cacheCertificate calls unsyncedCacheCertificate with a write lock. 194 | // 195 | // This function is safe for concurrent use. 196 | func (certCache *Cache) cacheCertificate(cert Certificate) { 197 | certCache.mu.Lock() 198 | certCache.unsyncedCacheCertificate(cert) 199 | certCache.mu.Unlock() 200 | } 201 | 202 | // unsyncedCacheCertificate adds cert to the in-memory cache unless 203 | // it already exists in the cache (according to cert.Hash). It 204 | // updates the name index. 205 | // 206 | // This function is NOT safe for concurrent use. Callers MUST acquire 207 | // a write lock on certCache.mu first. 208 | func (certCache *Cache) unsyncedCacheCertificate(cert Certificate) { 209 | // if this certificate already exists in the cache, this is basically 210 | // a no-op so we reuse existing cert (prevent duplication), but we do 211 | // modify the cert to add tags it may be missing (see issue #211) 212 | if existingCert, ok := certCache.cache[cert.hash]; ok { 213 | logMsg := "certificate already cached" 214 | 215 | if len(cert.Tags) > 0 { 216 | for _, tag := range cert.Tags { 217 | if !existingCert.HasTag(tag) { 218 | existingCert.Tags = append(existingCert.Tags, tag) 219 | } 220 | } 221 | certCache.cache[cert.hash] = existingCert 222 | logMsg += "; appended any missing tags to cert" 223 | } 224 | 225 | certCache.logger.Debug(logMsg, 226 | zap.Strings("subjects", cert.Names), 227 | zap.Time("expiration", expiresAt(cert.Leaf)), 228 | zap.Bool("managed", cert.managed), 229 | zap.String("issuer_key", cert.issuerKey), 230 | zap.String("hash", cert.hash), 231 | zap.Strings("tags", cert.Tags)) 232 | return 233 | } 234 | 235 | // if the cache is at capacity, make room for new cert 236 | cacheSize := len(certCache.cache) 237 | certCache.optionsMu.RLock() 238 | atCapacity := certCache.options.Capacity > 0 && cacheSize >= certCache.options.Capacity 239 | certCache.optionsMu.RUnlock() 240 | 241 | if atCapacity { 242 | // Go maps are "nondeterministic" but not actually random, 243 | // so although we could just chop off the "front" of the 244 | // map with less code, that is a heavily skewed eviction 245 | // strategy; generating random numbers is cheap and 246 | // ensures a much better distribution. 247 | rnd := weakrand.Intn(cacheSize) 248 | i := 0 249 | for _, randomCert := range certCache.cache { 250 | if i == rnd { 251 | certCache.logger.Debug("cache full; evicting random certificate", 252 | zap.Strings("removing_subjects", randomCert.Names), 253 | zap.String("removing_hash", randomCert.hash), 254 | zap.Strings("inserting_subjects", cert.Names), 255 | zap.String("inserting_hash", cert.hash)) 256 | certCache.removeCertificate(randomCert) 257 | break 258 | } 259 | i++ 260 | } 261 | } 262 | 263 | // store the certificate 264 | certCache.cache[cert.hash] = cert 265 | 266 | // update the index so we can access it by name 267 | for _, name := range cert.Names { 268 | certCache.cacheIndex[name] = append(certCache.cacheIndex[name], cert.hash) 269 | } 270 | 271 | certCache.optionsMu.RLock() 272 | certCache.logger.Debug("added certificate to cache", 273 | zap.Strings("subjects", cert.Names), 274 | zap.Time("expiration", expiresAt(cert.Leaf)), 275 | zap.Bool("managed", cert.managed), 276 | zap.String("issuer_key", cert.issuerKey), 277 | zap.String("hash", cert.hash), 278 | zap.Int("cache_size", len(certCache.cache)), 279 | zap.Int("cache_capacity", certCache.options.Capacity)) 280 | certCache.optionsMu.RUnlock() 281 | } 282 | 283 | // removeCertificate removes cert from the cache. 284 | // 285 | // This function is NOT safe for concurrent use; callers 286 | // MUST first acquire a write lock on certCache.mu. 287 | func (certCache *Cache) removeCertificate(cert Certificate) { 288 | // delete all mentions of this cert from the name index 289 | for _, name := range cert.Names { 290 | keyList := certCache.cacheIndex[name] 291 | for i := 0; i < len(keyList); i++ { 292 | if keyList[i] == cert.hash { 293 | keyList = append(keyList[:i], keyList[i+1:]...) 294 | i-- 295 | } 296 | } 297 | if len(keyList) == 0 { 298 | delete(certCache.cacheIndex, name) 299 | } else { 300 | certCache.cacheIndex[name] = keyList 301 | } 302 | } 303 | 304 | // delete the actual cert from the cache 305 | delete(certCache.cache, cert.hash) 306 | 307 | certCache.optionsMu.RLock() 308 | certCache.logger.Debug("removed certificate from cache", 309 | zap.Strings("subjects", cert.Names), 310 | zap.Time("expiration", expiresAt(cert.Leaf)), 311 | zap.Bool("managed", cert.managed), 312 | zap.String("issuer_key", cert.issuerKey), 313 | zap.String("hash", cert.hash), 314 | zap.Int("cache_size", len(certCache.cache)), 315 | zap.Int("cache_capacity", certCache.options.Capacity)) 316 | certCache.optionsMu.RUnlock() 317 | } 318 | 319 | // replaceCertificate atomically replaces oldCert with newCert in 320 | // the cache. 321 | // 322 | // This method is safe for concurrent use. 323 | func (certCache *Cache) replaceCertificate(oldCert, newCert Certificate) { 324 | certCache.mu.Lock() 325 | certCache.removeCertificate(oldCert) 326 | certCache.unsyncedCacheCertificate(newCert) 327 | certCache.mu.Unlock() 328 | certCache.logger.Info("replaced certificate in cache", 329 | zap.Strings("subjects", newCert.Names), 330 | zap.Time("new_expiration", expiresAt(newCert.Leaf))) 331 | } 332 | 333 | // getAllMatchingCerts returns all certificates with exactly this subject 334 | // (wildcards are NOT expanded). 335 | func (certCache *Cache) getAllMatchingCerts(subject string) []Certificate { 336 | certCache.mu.RLock() 337 | defer certCache.mu.RUnlock() 338 | 339 | allCertKeys := certCache.cacheIndex[subject] 340 | 341 | certs := make([]Certificate, len(allCertKeys)) 342 | for i := range allCertKeys { 343 | certs[i] = certCache.cache[allCertKeys[i]] 344 | } 345 | 346 | return certs 347 | } 348 | 349 | func (certCache *Cache) getAllCerts() []Certificate { 350 | certCache.mu.RLock() 351 | defer certCache.mu.RUnlock() 352 | certs := make([]Certificate, 0, len(certCache.cache)) 353 | for _, cert := range certCache.cache { 354 | certs = append(certs, cert) 355 | } 356 | return certs 357 | } 358 | 359 | func (certCache *Cache) getConfig(cert Certificate) (*Config, error) { 360 | certCache.optionsMu.RLock() 361 | getCert := certCache.options.GetConfigForCert 362 | certCache.optionsMu.RUnlock() 363 | 364 | cfg, err := getCert(cert) 365 | if err != nil { 366 | return nil, err 367 | } 368 | if cfg.certCache == nil { 369 | return nil, fmt.Errorf("config returned for certificate %v has nil cache; expected %p (this one)", 370 | cert.Names, certCache) 371 | } 372 | if cfg.certCache != certCache { 373 | return nil, fmt.Errorf("config returned for certificate %v is not nil and points to different cache; got %p, expected %p (this one)", 374 | cert.Names, cfg.certCache, certCache) 375 | } 376 | return cfg, nil 377 | } 378 | 379 | // AllMatchingCertificates returns a list of all certificates that could 380 | // be used to serve the given SNI name, including exact SAN matches and 381 | // wildcard matches. 382 | func (certCache *Cache) AllMatchingCertificates(name string) []Certificate { 383 | // get exact matches first 384 | certs := certCache.getAllMatchingCerts(name) 385 | 386 | // then look for wildcard matches by replacing each 387 | // label of the domain name with wildcards 388 | labels := strings.Split(name, ".") 389 | for i := range labels { 390 | labels[i] = "*" 391 | candidate := strings.Join(labels, ".") 392 | certs = append(certs, certCache.getAllMatchingCerts(candidate)...) 393 | } 394 | 395 | return certs 396 | } 397 | 398 | // SubjectIssuer pairs a subject name with an issuer ID/key. 399 | type SubjectIssuer struct { 400 | Subject, IssuerKey string 401 | } 402 | 403 | // RemoveManaged removes managed certificates for the given subjects from the cache. 404 | // This effectively stops maintenance of those certificates. If an IssuerKey is 405 | // specified alongside the subject, only certificates for that subject from the 406 | // specified issuer will be removed. 407 | func (certCache *Cache) RemoveManaged(subjects []SubjectIssuer) { 408 | deleteQueue := make([]string, 0, len(subjects)) 409 | for _, subj := range subjects { 410 | certs := certCache.getAllMatchingCerts(subj.Subject) // does NOT expand wildcards; exact matches only 411 | for _, cert := range certs { 412 | if !cert.managed { 413 | continue 414 | } 415 | if subj.IssuerKey == "" || cert.issuerKey == subj.IssuerKey { 416 | deleteQueue = append(deleteQueue, cert.hash) 417 | } 418 | } 419 | } 420 | certCache.Remove(deleteQueue) 421 | } 422 | 423 | // Remove removes certificates with the given hashes from the cache. 424 | // This is effectively used to unload manually-loaded certificates. 425 | func (certCache *Cache) Remove(hashes []string) { 426 | certCache.mu.Lock() 427 | for _, h := range hashes { 428 | cert := certCache.cache[h] 429 | certCache.removeCertificate(cert) 430 | } 431 | certCache.mu.Unlock() 432 | } 433 | 434 | var ( 435 | defaultCache *Cache 436 | defaultCacheMu sync.Mutex 437 | ) 438 | -------------------------------------------------------------------------------- /cache_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import "testing" 18 | 19 | func TestNewCache(t *testing.T) { 20 | noop := func(Certificate) (*Config, error) { return new(Config), nil } 21 | c := NewCache(CacheOptions{GetConfigForCert: noop}) 22 | defer c.Stop() 23 | 24 | c.optionsMu.RLock() 25 | defer c.optionsMu.RUnlock() 26 | 27 | if c.options.RenewCheckInterval != DefaultRenewCheckInterval { 28 | t.Errorf("Expected RenewCheckInterval to be set to default value, but it wasn't: %s", c.options.RenewCheckInterval) 29 | } 30 | if c.options.OCSPCheckInterval != DefaultOCSPCheckInterval { 31 | t.Errorf("Expected OCSPCheckInterval to be set to default value, but it wasn't: %s", c.options.OCSPCheckInterval) 32 | } 33 | if c.options.GetConfigForCert == nil { 34 | t.Error("Expected GetConfigForCert to be set, but it was nil") 35 | } 36 | if c.cache == nil { 37 | t.Error("Expected cache to be set, but it was nil") 38 | } 39 | if c.stopChan == nil { 40 | t.Error("Expected stopChan to be set, but it was nil") 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /certificates_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "crypto/tls" 19 | "crypto/x509" 20 | "reflect" 21 | "testing" 22 | "time" 23 | ) 24 | 25 | func TestUnexportedGetCertificate(t *testing.T) { 26 | certCache := &Cache{cache: make(map[string]Certificate), cacheIndex: make(map[string][]string), logger: defaultTestLogger} 27 | cfg := &Config{Logger: defaultTestLogger, certCache: certCache} 28 | 29 | // When cache is empty 30 | if _, matched, defaulted := cfg.getCertificateFromCache(&tls.ClientHelloInfo{ServerName: "example.com"}); matched || defaulted { 31 | t.Errorf("Got a certificate when cache was empty; matched=%v, defaulted=%v", matched, defaulted) 32 | } 33 | 34 | // When cache has one certificate in it 35 | firstCert := Certificate{Names: []string{"example.com"}} 36 | certCache.cache["0xdeadbeef"] = firstCert 37 | certCache.cacheIndex["example.com"] = []string{"0xdeadbeef"} 38 | if cert, matched, defaulted := cfg.getCertificateFromCache(&tls.ClientHelloInfo{ServerName: "example.com"}); !matched || defaulted || cert.Names[0] != "example.com" { 39 | t.Errorf("Didn't get a cert for 'example.com' or got the wrong one: %v, matched=%v, defaulted=%v", cert, matched, defaulted) 40 | } 41 | 42 | // When retrieving wildcard certificate 43 | certCache.cache["0xb01dface"] = Certificate{Names: []string{"*.example.com"}} 44 | certCache.cacheIndex["*.example.com"] = []string{"0xb01dface"} 45 | if cert, matched, defaulted := cfg.getCertificateFromCache(&tls.ClientHelloInfo{ServerName: "sub.example.com"}); !matched || defaulted || cert.Names[0] != "*.example.com" { 46 | t.Errorf("Didn't get wildcard cert for 'sub.example.com' or got the wrong one: %v, matched=%v, defaulted=%v", cert, matched, defaulted) 47 | } 48 | 49 | // When no certificate matches and SNI is provided, return no certificate (should be TLS alert) 50 | if cert, matched, defaulted := cfg.getCertificateFromCache(&tls.ClientHelloInfo{ServerName: "nomatch"}); matched || defaulted { 51 | t.Errorf("Expected matched=false, defaulted=false; but got matched=%v, defaulted=%v (cert: %v)", matched, defaulted, cert) 52 | } 53 | } 54 | 55 | func TestCacheCertificate(t *testing.T) { 56 | certCache := &Cache{cache: make(map[string]Certificate), cacheIndex: make(map[string][]string), logger: defaultTestLogger} 57 | 58 | certCache.cacheCertificate(Certificate{Names: []string{"example.com", "sub.example.com"}, hash: "foobar", Certificate: tls.Certificate{Leaf: &x509.Certificate{NotAfter: time.Now()}}}) 59 | if len(certCache.cache) != 1 { 60 | t.Errorf("Expected length of certificate cache to be 1") 61 | } 62 | if _, ok := certCache.cache["foobar"]; !ok { 63 | t.Error("Expected first cert to be cached by key 'foobar', but it wasn't") 64 | } 65 | if _, ok := certCache.cacheIndex["example.com"]; !ok { 66 | t.Error("Expected first cert to be keyed by 'example.com', but it wasn't") 67 | } 68 | if _, ok := certCache.cacheIndex["sub.example.com"]; !ok { 69 | t.Error("Expected first cert to be keyed by 'sub.example.com', but it wasn't") 70 | } 71 | 72 | // using same cache; and has cert with overlapping name, but different hash 73 | certCache.cacheCertificate(Certificate{Names: []string{"example.com"}, hash: "barbaz", Certificate: tls.Certificate{Leaf: &x509.Certificate{NotAfter: time.Now()}}}) 74 | if _, ok := certCache.cache["barbaz"]; !ok { 75 | t.Error("Expected second cert to be cached by key 'barbaz.com', but it wasn't") 76 | } 77 | if hashes, ok := certCache.cacheIndex["example.com"]; !ok { 78 | t.Error("Expected second cert to be keyed by 'example.com', but it wasn't") 79 | } else if !reflect.DeepEqual(hashes, []string{"foobar", "barbaz"}) { 80 | t.Errorf("Expected second cert to map to 'barbaz' but it was %v instead", hashes) 81 | } 82 | } 83 | 84 | func TestSubjectQualifiesForCert(t *testing.T) { 85 | for i, test := range []struct { 86 | host string 87 | expect bool 88 | }{ 89 | {"hostname", true}, 90 | {"example.com", true}, 91 | {"sub.example.com", true}, 92 | {"Sub.Example.COM", true}, 93 | {"127.0.0.1", true}, 94 | {"127.0.1.5", true}, 95 | {"69.123.43.94", true}, 96 | {"::1", true}, 97 | {"::", true}, 98 | {"0.0.0.0", true}, 99 | {"", false}, 100 | {" ", false}, 101 | {"*.example.com", true}, 102 | {"*.*.example.com", true}, 103 | {"sub.*.example.com", false}, 104 | {"*sub.example.com", false}, 105 | {"**.tld", false}, 106 | {"*", true}, 107 | {"*.tld", true}, 108 | {".tld", false}, 109 | {"example.com.", false}, 110 | {"localhost", true}, 111 | {"foo.localhost", true}, 112 | {"local", true}, 113 | {"192.168.1.3", true}, 114 | {"10.0.2.1", true}, 115 | {"169.112.53.4", true}, 116 | {"$hostname", false}, 117 | {"%HOSTNAME%", false}, 118 | {"{hostname}", false}, 119 | {"hostname!", false}, 120 | {"", false}, 121 | {"# hostname", false}, 122 | {"// hostname", false}, 123 | {"user@hostname", false}, 124 | {"hostname;", false}, 125 | {`"hostname"`, false}, 126 | } { 127 | actual := SubjectQualifiesForCert(test.host) 128 | if actual != test.expect { 129 | t.Errorf("Test %d: Expected SubjectQualifiesForCert(%s)=%v, but got %v", 130 | i, test.host, test.expect, actual) 131 | } 132 | } 133 | } 134 | 135 | func TestSubjectQualifiesForPublicCert(t *testing.T) { 136 | for i, test := range []struct { 137 | host string 138 | expect bool 139 | }{ 140 | {"hostname", true}, 141 | {"example.com", true}, 142 | {"sub.example.com", true}, 143 | {"Sub.Example.COM", true}, 144 | {"127.0.0.1", false}, 145 | {"127.0.1.5", false}, 146 | {"1.2.3.4", true}, 147 | {"69.123.43.94", true}, 148 | {"::1", false}, 149 | {"::", false}, 150 | {"0.0.0.0", false}, 151 | {"", false}, 152 | {" ", false}, 153 | {"*.example.com", true}, 154 | {"*.*.example.com", false}, 155 | {"sub.*.example.com", false}, 156 | {"*sub.example.com", false}, 157 | {"*", false}, // won't be trusted by browsers 158 | {"*.tld", false}, // won't be trusted by browsers 159 | {".tld", false}, 160 | {"example.com.", false}, 161 | {"localhost", false}, 162 | {"foo.localhost", false}, 163 | {"local", true}, 164 | {"foo.local", false}, 165 | {"foo.bar.local", false}, 166 | {"foo.internal", false}, 167 | {"foo.bar.internal", false}, 168 | {"foo.home.arpa", false}, 169 | {"foo.bar.home.arpa", false}, 170 | {"192.168.1.3", false}, 171 | {"10.0.2.1", false}, 172 | {"169.112.53.4", true}, 173 | {"$hostname", false}, 174 | {"%HOSTNAME%", false}, 175 | {"{hostname}", false}, 176 | {"hostname!", false}, 177 | {"", false}, 178 | {"# hostname", false}, 179 | {"// hostname", false}, 180 | {"user@hostname", false}, 181 | {"hostname;", false}, 182 | {`"hostname"`, false}, 183 | } { 184 | actual := SubjectQualifiesForPublicCert(test.host) 185 | if actual != test.expect { 186 | t.Errorf("Test %d: Expected SubjectQualifiesForPublicCert(%s)=%v, but got %v", 187 | i, test.host, test.expect, actual) 188 | } 189 | } 190 | } 191 | 192 | func TestMatchWildcard(t *testing.T) { 193 | for i, test := range []struct { 194 | subject, wildcard string 195 | expect bool 196 | }{ 197 | {"hostname", "hostname", true}, 198 | {"HOSTNAME", "hostname", true}, 199 | {"hostname", "HOSTNAME", true}, 200 | {"foo.localhost", "foo.localhost", true}, 201 | {"foo.localhost", "bar.localhost", false}, 202 | {"foo.localhost", "*.localhost", true}, 203 | {"bar.localhost", "*.localhost", true}, 204 | {"FOO.LocalHost", "*.localhost", true}, 205 | {"Bar.localhost", "*.LOCALHOST", true}, 206 | {"foo.bar.localhost", "*.localhost", false}, 207 | {".localhost", "*.localhost", false}, 208 | {"foo.localhost", "foo.*", false}, 209 | {"foo.bar.local", "foo.*.local", false}, 210 | {"foo.bar.local", "foo.bar.*", false}, 211 | {"foo.bar.local", "*.bar.local", true}, 212 | {"1.2.3.4.5.6", "*.2.3.4.5.6", true}, 213 | {"1.2.3.4.5.6", "*.*.3.4.5.6", true}, 214 | {"1.2.3.4.5.6", "*.*.*.4.5.6", true}, 215 | {"1.2.3.4.5.6", "*.*.*.*.5.6", true}, 216 | {"1.2.3.4.5.6", "*.*.*.*.*.6", true}, 217 | {"1.2.3.4.5.6", "*.*.*.*.*.*", true}, 218 | {"0.1.2.3.4.5.6", "*.*.*.*.*.*", false}, 219 | {"1.2.3.4", "1.2.3.*", false}, // https://tools.ietf.org/html/rfc2818#section-3.1 220 | } { 221 | actual := MatchWildcard(test.subject, test.wildcard) 222 | if actual != test.expect { 223 | t.Errorf("Test %d: Expected MatchWildcard(%s, %s)=%v, but got %v", 224 | i, test.subject, test.wildcard, test.expect, actual) 225 | } 226 | } 227 | } 228 | -------------------------------------------------------------------------------- /certmagic_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "os" 19 | 20 | "go.uber.org/zap" 21 | "go.uber.org/zap/zapcore" 22 | ) 23 | 24 | // TODO 25 | 26 | var defaultTestLogger = zap.New(zapcore.NewCore( 27 | zapcore.NewConsoleEncoder(zap.NewDevelopmentEncoderConfig()), 28 | os.Stderr, 29 | zap.DebugLevel, 30 | )) 31 | -------------------------------------------------------------------------------- /config_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "bytes" 19 | "context" 20 | "encoding/json" 21 | "os" 22 | "reflect" 23 | "testing" 24 | 25 | "github.com/mholt/acmez/v3/acme" 26 | ) 27 | 28 | func TestSaveCertResource(t *testing.T) { 29 | ctx := context.Background() 30 | 31 | am := &ACMEIssuer{CA: "https://example.com/acme/directory"} 32 | testConfig := &Config{ 33 | Issuers: []Issuer{am}, 34 | Storage: &FileStorage{Path: "./_testdata_tmp"}, 35 | Logger: defaultTestLogger, 36 | certCache: new(Cache), 37 | } 38 | am.config = testConfig 39 | 40 | testStorageDir := testConfig.Storage.(*FileStorage).Path 41 | defer func() { 42 | err := os.RemoveAll(testStorageDir) 43 | if err != nil { 44 | t.Fatalf("Could not remove temporary storage directory (%s): %v", testStorageDir, err) 45 | } 46 | }() 47 | 48 | domain := "example.com" 49 | certContents := "certificate" 50 | keyContents := "private key" 51 | 52 | cert := CertificateResource{ 53 | SANs: []string{domain}, 54 | PrivateKeyPEM: []byte(keyContents), 55 | CertificatePEM: []byte(certContents), 56 | IssuerData: mustJSON(acme.Certificate{ 57 | URL: "https://example.com/cert", 58 | }), 59 | issuerKey: am.IssuerKey(), 60 | } 61 | 62 | err := testConfig.saveCertResource(ctx, am, cert) 63 | if err != nil { 64 | t.Fatalf("Expected no error, got: %v", err) 65 | } 66 | 67 | siteData, err := testConfig.loadCertResource(ctx, am, domain) 68 | if err != nil { 69 | t.Fatalf("Expected no error reading site, got: %v", err) 70 | } 71 | siteData.IssuerData = bytes.ReplaceAll(siteData.IssuerData, []byte("\t"), []byte("")) 72 | siteData.IssuerData = bytes.ReplaceAll(siteData.IssuerData, []byte("\n"), []byte("")) 73 | siteData.IssuerData = bytes.ReplaceAll(siteData.IssuerData, []byte(" "), []byte("")) 74 | if !reflect.DeepEqual(cert, siteData) { 75 | t.Errorf("Expected '%+v' to match '%+v'\n%s\n%s", cert.IssuerData, siteData.IssuerData, string(cert.IssuerData), string(siteData.IssuerData)) 76 | } 77 | } 78 | 79 | func mustJSON(val any) []byte { 80 | result, err := json.Marshal(val) 81 | if err != nil { 82 | panic("marshaling JSON: " + err.Error()) 83 | } 84 | return result 85 | } 86 | -------------------------------------------------------------------------------- /crypto.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "context" 19 | "crypto" 20 | "crypto/ecdsa" 21 | "crypto/ed25519" 22 | "crypto/elliptic" 23 | "crypto/rand" 24 | "crypto/rsa" 25 | "crypto/tls" 26 | "crypto/x509" 27 | "encoding/json" 28 | "encoding/pem" 29 | "errors" 30 | "fmt" 31 | "hash/fnv" 32 | "io/fs" 33 | "sort" 34 | "strings" 35 | 36 | "github.com/klauspost/cpuid/v2" 37 | "github.com/zeebo/blake3" 38 | "go.uber.org/zap" 39 | "golang.org/x/net/idna" 40 | ) 41 | 42 | // PEMEncodePrivateKey marshals a private key into a PEM-encoded block. 43 | // The private key must be one of *ecdsa.PrivateKey, *rsa.PrivateKey, or 44 | // *ed25519.PrivateKey. 45 | func PEMEncodePrivateKey(key crypto.PrivateKey) ([]byte, error) { 46 | var pemType string 47 | var keyBytes []byte 48 | switch key := key.(type) { 49 | case *ecdsa.PrivateKey: 50 | var err error 51 | pemType = "EC" 52 | keyBytes, err = x509.MarshalECPrivateKey(key) 53 | if err != nil { 54 | return nil, err 55 | } 56 | case *rsa.PrivateKey: 57 | pemType = "RSA" 58 | keyBytes = x509.MarshalPKCS1PrivateKey(key) 59 | case ed25519.PrivateKey: 60 | var err error 61 | pemType = "ED25519" 62 | keyBytes, err = x509.MarshalPKCS8PrivateKey(key) 63 | if err != nil { 64 | return nil, err 65 | } 66 | default: 67 | return nil, fmt.Errorf("unsupported key type: %T", key) 68 | } 69 | pemKey := pem.Block{Type: pemType + " PRIVATE KEY", Bytes: keyBytes} 70 | return pem.EncodeToMemory(&pemKey), nil 71 | } 72 | 73 | // PEMDecodePrivateKey loads a PEM-encoded ECC/RSA private key from an array of bytes. 74 | // Borrowed from Go standard library, to handle various private key and PEM block types. 75 | func PEMDecodePrivateKey(keyPEMBytes []byte) (crypto.Signer, error) { 76 | // Modified from original: 77 | // https://github.com/golang/go/blob/693748e9fa385f1e2c3b91ca9acbb6c0ad2d133d/src/crypto/tls/tls.go#L291-L308 78 | // https://github.com/golang/go/blob/693748e9fa385f1e2c3b91ca9acbb6c0ad2d133d/src/crypto/tls/tls.go#L238 79 | 80 | keyBlockDER, _ := pem.Decode(keyPEMBytes) 81 | 82 | if keyBlockDER == nil { 83 | return nil, fmt.Errorf("failed to decode PEM block containing private key") 84 | } 85 | 86 | if keyBlockDER.Type != "PRIVATE KEY" && !strings.HasSuffix(keyBlockDER.Type, " PRIVATE KEY") { 87 | return nil, fmt.Errorf("unknown PEM header %q", keyBlockDER.Type) 88 | } 89 | 90 | if key, err := x509.ParsePKCS1PrivateKey(keyBlockDER.Bytes); err == nil { 91 | return key, nil 92 | } 93 | 94 | if key, err := x509.ParsePKCS8PrivateKey(keyBlockDER.Bytes); err == nil { 95 | switch key := key.(type) { 96 | case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: 97 | return key.(crypto.Signer), nil 98 | default: 99 | return nil, fmt.Errorf("found unknown private key type in PKCS#8 wrapping: %T", key) 100 | } 101 | } 102 | 103 | if key, err := x509.ParseECPrivateKey(keyBlockDER.Bytes); err == nil { 104 | return key, nil 105 | } 106 | 107 | return nil, fmt.Errorf("unknown private key type") 108 | } 109 | 110 | // parseCertsFromPEMBundle parses a certificate bundle from top to bottom and returns 111 | // a slice of x509 certificates. This function will error if no certificates are found. 112 | func parseCertsFromPEMBundle(bundle []byte) ([]*x509.Certificate, error) { 113 | var certificates []*x509.Certificate 114 | var certDERBlock *pem.Block 115 | for { 116 | certDERBlock, bundle = pem.Decode(bundle) 117 | if certDERBlock == nil { 118 | break 119 | } 120 | if certDERBlock.Type == "CERTIFICATE" { 121 | cert, err := x509.ParseCertificate(certDERBlock.Bytes) 122 | if err != nil { 123 | return nil, err 124 | } 125 | certificates = append(certificates, cert) 126 | } 127 | } 128 | if len(certificates) == 0 { 129 | return nil, fmt.Errorf("no certificates found in bundle") 130 | } 131 | return certificates, nil 132 | } 133 | 134 | // fastHash hashes input using a hashing algorithm that 135 | // is fast, and returns the hash as a hex-encoded string. 136 | // Do not use this for cryptographic purposes. 137 | func fastHash(input []byte) string { 138 | h := fnv.New32a() 139 | h.Write(input) 140 | return fmt.Sprintf("%x", h.Sum32()) 141 | } 142 | 143 | // saveCertResource saves the certificate resource to disk. This 144 | // includes the certificate file itself, the private key, and the 145 | // metadata file. 146 | func (cfg *Config) saveCertResource(ctx context.Context, issuer Issuer, cert CertificateResource) error { 147 | metaBytes, err := json.MarshalIndent(cert, "", "\t") 148 | if err != nil { 149 | return fmt.Errorf("encoding certificate metadata: %v", err) 150 | } 151 | 152 | issuerKey := issuer.IssuerKey() 153 | certKey := cert.NamesKey() 154 | 155 | all := []keyValue{ 156 | { 157 | key: StorageKeys.SitePrivateKey(issuerKey, certKey), 158 | value: cert.PrivateKeyPEM, 159 | }, 160 | { 161 | key: StorageKeys.SiteCert(issuerKey, certKey), 162 | value: cert.CertificatePEM, 163 | }, 164 | { 165 | key: StorageKeys.SiteMeta(issuerKey, certKey), 166 | value: metaBytes, 167 | }, 168 | } 169 | 170 | return storeTx(ctx, cfg.Storage, all) 171 | } 172 | 173 | // loadCertResourceAnyIssuer loads and returns the certificate resource from any 174 | // of the configured issuers. If multiple are found (e.g. if there are 3 issuers 175 | // configured, and all 3 have a resource matching certNamesKey), then the newest 176 | // (latest NotBefore date) resource will be chosen. 177 | func (cfg *Config) loadCertResourceAnyIssuer(ctx context.Context, certNamesKey string) (CertificateResource, error) { 178 | // we can save some extra decoding steps if there's only one issuer, since 179 | // we don't need to compare potentially multiple available resources to 180 | // select the best one, when there's only one choice anyway 181 | if len(cfg.Issuers) == 1 { 182 | return cfg.loadCertResource(ctx, cfg.Issuers[0], certNamesKey) 183 | } 184 | 185 | type decodedCertResource struct { 186 | CertificateResource 187 | issuer Issuer 188 | decoded *x509.Certificate 189 | } 190 | var certResources []decodedCertResource 191 | var lastErr error 192 | 193 | // load and decode all certificate resources found with the 194 | // configured issuers so we can sort by newest 195 | for _, issuer := range cfg.Issuers { 196 | certRes, err := cfg.loadCertResource(ctx, issuer, certNamesKey) 197 | if err != nil { 198 | if errors.Is(err, fs.ErrNotExist) { 199 | // not a problem, but we need to remember the error 200 | // in case we end up not finding any cert resources 201 | // since we'll need an error to return in that case 202 | lastErr = err 203 | continue 204 | } 205 | return CertificateResource{}, err 206 | } 207 | certs, err := parseCertsFromPEMBundle(certRes.CertificatePEM) 208 | if err != nil { 209 | return CertificateResource{}, err 210 | } 211 | certResources = append(certResources, decodedCertResource{ 212 | CertificateResource: certRes, 213 | issuer: issuer, 214 | decoded: certs[0], 215 | }) 216 | } 217 | if len(certResources) == 0 { 218 | if lastErr == nil { 219 | lastErr = fmt.Errorf("no certificate resources found") // just in case; e.g. no Issuers configured 220 | } 221 | return CertificateResource{}, lastErr 222 | } 223 | 224 | // sort by date so the most recently issued comes first 225 | sort.Slice(certResources, func(i, j int) bool { 226 | return certResources[j].decoded.NotBefore.Before(certResources[i].decoded.NotBefore) 227 | }) 228 | 229 | cfg.Logger.Debug("loading managed certificate", 230 | zap.String("domain", certNamesKey), 231 | zap.Time("expiration", expiresAt(certResources[0].decoded)), 232 | zap.String("issuer_key", certResources[0].issuer.IssuerKey()), 233 | zap.Any("storage", cfg.Storage), 234 | ) 235 | 236 | return certResources[0].CertificateResource, nil 237 | } 238 | 239 | // loadCertResource loads a certificate resource from the given issuer's storage location. 240 | func (cfg *Config) loadCertResource(ctx context.Context, issuer Issuer, certNamesKey string) (CertificateResource, error) { 241 | certRes := CertificateResource{issuerKey: issuer.IssuerKey()} 242 | 243 | // don't use the Lookup profile because we might be loading a wildcard cert which is rejected by the Lookup profile 244 | normalizedName, err := idna.ToASCII(certNamesKey) 245 | if err != nil { 246 | return CertificateResource{}, fmt.Errorf("converting '%s' to ASCII: %v", certNamesKey, err) 247 | } 248 | 249 | keyBytes, err := cfg.Storage.Load(ctx, StorageKeys.SitePrivateKey(certRes.issuerKey, normalizedName)) 250 | if err != nil { 251 | return CertificateResource{}, err 252 | } 253 | certRes.PrivateKeyPEM = keyBytes 254 | certBytes, err := cfg.Storage.Load(ctx, StorageKeys.SiteCert(certRes.issuerKey, normalizedName)) 255 | if err != nil { 256 | return CertificateResource{}, err 257 | } 258 | certRes.CertificatePEM = certBytes 259 | metaBytes, err := cfg.Storage.Load(ctx, StorageKeys.SiteMeta(certRes.issuerKey, normalizedName)) 260 | if err != nil { 261 | return CertificateResource{}, err 262 | } 263 | err = json.Unmarshal(metaBytes, &certRes) 264 | if err != nil { 265 | return CertificateResource{}, fmt.Errorf("decoding certificate metadata: %v", err) 266 | } 267 | 268 | return certRes, nil 269 | } 270 | 271 | // hashCertificateChain computes the unique hash of certChain, 272 | // which is the chain of DER-encoded bytes. It returns the 273 | // hex encoding of the hash. 274 | func hashCertificateChain(certChain [][]byte) string { 275 | h := blake3.New() 276 | for _, certInChain := range certChain { 277 | h.Write(certInChain) 278 | } 279 | return fmt.Sprintf("%x", h.Sum(nil)) 280 | } 281 | 282 | func namesFromCSR(csr *x509.CertificateRequest) []string { 283 | var nameSet []string 284 | // TODO: CommonName should not be used (it has been deprecated for 25+ years, 285 | // but ZeroSSL CA still requires it to be filled out and not overlap SANs...) 286 | if csr.Subject.CommonName != "" { 287 | nameSet = append(nameSet, csr.Subject.CommonName) 288 | } 289 | nameSet = append(nameSet, csr.DNSNames...) 290 | nameSet = append(nameSet, csr.EmailAddresses...) 291 | for _, v := range csr.IPAddresses { 292 | nameSet = append(nameSet, v.String()) 293 | } 294 | for _, v := range csr.URIs { 295 | nameSet = append(nameSet, v.String()) 296 | } 297 | return nameSet 298 | } 299 | 300 | // preferredDefaultCipherSuites returns an appropriate 301 | // cipher suite to use depending on hardware support 302 | // for AES-NI. 303 | // 304 | // See https://github.com/mholt/caddy/issues/1674 305 | func preferredDefaultCipherSuites() []uint16 { 306 | if cpuid.CPU.Supports(cpuid.AESNI) { 307 | return defaultCiphersPreferAES 308 | } 309 | return defaultCiphersPreferChaCha 310 | } 311 | 312 | var ( 313 | defaultCiphersPreferAES = []uint16{ 314 | tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 315 | tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 316 | tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 317 | tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 318 | tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 319 | tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 320 | } 321 | defaultCiphersPreferChaCha = []uint16{ 322 | tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 323 | tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 324 | tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 325 | tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 326 | tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 327 | tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 328 | } 329 | ) 330 | 331 | // StandardKeyGenerator is the standard, in-memory key source 332 | // that uses crypto/rand. 333 | type StandardKeyGenerator struct { 334 | // The type of keys to generate. 335 | KeyType KeyType 336 | } 337 | 338 | // GenerateKey generates a new private key according to kg.KeyType. 339 | func (kg StandardKeyGenerator) GenerateKey() (crypto.PrivateKey, error) { 340 | switch kg.KeyType { 341 | case ED25519: 342 | _, priv, err := ed25519.GenerateKey(rand.Reader) 343 | return priv, err 344 | case "", P256: 345 | return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 346 | case P384: 347 | return ecdsa.GenerateKey(elliptic.P384(), rand.Reader) 348 | case RSA2048: 349 | return rsa.GenerateKey(rand.Reader, 2048) 350 | case RSA4096: 351 | return rsa.GenerateKey(rand.Reader, 4096) 352 | case RSA8192: 353 | return rsa.GenerateKey(rand.Reader, 8192) 354 | } 355 | return nil, fmt.Errorf("unrecognized or unsupported key type: %s", kg.KeyType) 356 | } 357 | 358 | // DefaultKeyGenerator is the default key source. 359 | var DefaultKeyGenerator = StandardKeyGenerator{KeyType: P256} 360 | 361 | // KeyType enumerates the known/supported key types. 362 | type KeyType string 363 | 364 | // Constants for all key types we support. 365 | const ( 366 | ED25519 = KeyType("ed25519") 367 | P256 = KeyType("p256") 368 | P384 = KeyType("p384") 369 | RSA2048 = KeyType("rsa2048") 370 | RSA4096 = KeyType("rsa4096") 371 | RSA8192 = KeyType("rsa8192") 372 | ) 373 | -------------------------------------------------------------------------------- /crypto_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "bytes" 19 | "crypto" 20 | "crypto/ecdsa" 21 | "crypto/ed25519" 22 | "crypto/elliptic" 23 | "crypto/rand" 24 | "crypto/rsa" 25 | "crypto/x509" 26 | "testing" 27 | ) 28 | 29 | func TestEncodeDecodeRSAPrivateKey(t *testing.T) { 30 | privateKey, err := rsa.GenerateKey(rand.Reader, 128) // make tests faster; small key size OK for testing 31 | if err != nil { 32 | t.Fatal(err) 33 | } 34 | 35 | // test save 36 | savedBytes, err := PEMEncodePrivateKey(privateKey) 37 | if err != nil { 38 | t.Fatal("error saving private key:", err) 39 | } 40 | 41 | // test load 42 | loadedKey, err := PEMDecodePrivateKey(savedBytes) 43 | if err != nil { 44 | t.Error("error loading private key:", err) 45 | } 46 | 47 | // test load (should fail) 48 | _, err = PEMDecodePrivateKey(savedBytes[2:]) 49 | if err == nil { 50 | t.Error("loading private key should have failed") 51 | } 52 | 53 | // verify loaded key is correct 54 | if !privateKeysSame(privateKey, loadedKey) { 55 | t.Error("Expected key bytes to be the same, but they weren't") 56 | } 57 | } 58 | 59 | func TestSaveAndLoadECCPrivateKey(t *testing.T) { 60 | privateKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) 61 | if err != nil { 62 | t.Fatal(err) 63 | } 64 | 65 | // test save 66 | savedBytes, err := PEMEncodePrivateKey(privateKey) 67 | if err != nil { 68 | t.Fatal("error saving private key:", err) 69 | } 70 | 71 | // test load 72 | loadedKey, err := PEMDecodePrivateKey(savedBytes) 73 | if err != nil { 74 | t.Error("error loading private key:", err) 75 | } 76 | 77 | // verify loaded key is correct 78 | if !privateKeysSame(privateKey, loadedKey) { 79 | t.Error("Expected key bytes to be the same, but they weren't") 80 | } 81 | } 82 | 83 | // privateKeysSame compares the bytes of a and b and returns true if they are the same. 84 | func privateKeysSame(a, b crypto.PrivateKey) bool { 85 | return bytes.Equal(privateKeyBytes(a), privateKeyBytes(b)) 86 | } 87 | 88 | // privateKeyBytes returns the bytes of DER-encoded key. 89 | func privateKeyBytes(key crypto.PrivateKey) []byte { 90 | var keyBytes []byte 91 | switch key := key.(type) { 92 | case *rsa.PrivateKey: 93 | keyBytes = x509.MarshalPKCS1PrivateKey(key) 94 | case *ecdsa.PrivateKey: 95 | keyBytes, _ = x509.MarshalECPrivateKey(key) 96 | case ed25519.PrivateKey: 97 | return key 98 | } 99 | return keyBytes 100 | } 101 | -------------------------------------------------------------------------------- /dnsutil.go: -------------------------------------------------------------------------------- 1 | package certmagic 2 | 3 | import ( 4 | "context" 5 | "errors" 6 | "fmt" 7 | "net" 8 | "strings" 9 | "sync" 10 | "time" 11 | 12 | "github.com/miekg/dns" 13 | "go.uber.org/zap" 14 | ) 15 | 16 | // Code in this file adapted from go-acme/lego, July 2020: 17 | // https://github.com/go-acme/lego 18 | // by Ludovic Fernandez and Dominik Menke 19 | // 20 | // It has been modified. 21 | 22 | // FindZoneByFQDN determines the zone apex for the given fully-qualified 23 | // domain name (FQDN) by recursing up the domain labels until the nameserver 24 | // returns a SOA record in the answer section. The logger must be non-nil. 25 | // 26 | // EXPERIMENTAL: This API was previously unexported, and may be changed or 27 | // unexported again in the future. Do not rely on it at this time. 28 | func FindZoneByFQDN(ctx context.Context, logger *zap.Logger, fqdn string, nameservers []string) (string, error) { 29 | if !strings.HasSuffix(fqdn, ".") { 30 | fqdn += "." 31 | } 32 | soa, err := lookupSoaByFqdn(ctx, logger, fqdn, nameservers) 33 | if err != nil { 34 | return "", err 35 | } 36 | return soa.zone, nil 37 | } 38 | 39 | func lookupSoaByFqdn(ctx context.Context, logger *zap.Logger, fqdn string, nameservers []string) (*soaCacheEntry, error) { 40 | logger = logger.Named("soa_lookup") 41 | 42 | if !strings.HasSuffix(fqdn, ".") { 43 | fqdn += "." 44 | } 45 | 46 | fqdnSOACacheMu.Lock() 47 | defer fqdnSOACacheMu.Unlock() 48 | 49 | if err := ctx.Err(); err != nil { 50 | return nil, err 51 | } 52 | 53 | // prefer cached version if fresh 54 | if ent := fqdnSOACache[fqdn]; ent != nil && !ent.isExpired() { 55 | logger.Debug("using cached SOA result", zap.String("entry", ent.zone)) 56 | return ent, nil 57 | } 58 | 59 | ent, err := fetchSoaByFqdn(ctx, logger, fqdn, nameservers) 60 | if err != nil { 61 | return nil, err 62 | } 63 | 64 | // save result to cache, but don't allow 65 | // the cache to grow out of control 66 | if len(fqdnSOACache) >= 1000 { 67 | for key := range fqdnSOACache { 68 | delete(fqdnSOACache, key) 69 | break 70 | } 71 | } 72 | fqdnSOACache[fqdn] = ent 73 | 74 | return ent, nil 75 | } 76 | 77 | func fetchSoaByFqdn(ctx context.Context, logger *zap.Logger, fqdn string, nameservers []string) (*soaCacheEntry, error) { 78 | var err error 79 | var in *dns.Msg 80 | 81 | labelIndexes := dns.Split(fqdn) 82 | for _, index := range labelIndexes { 83 | if err := ctx.Err(); err != nil { 84 | return nil, err 85 | } 86 | 87 | domain := fqdn[index:] 88 | 89 | in, err = dnsQuery(ctx, domain, dns.TypeSOA, nameservers, true) 90 | if err != nil { 91 | continue 92 | } 93 | if in == nil { 94 | continue 95 | } 96 | logger.Debug("fetched SOA", zap.String("msg", in.String())) 97 | 98 | switch in.Rcode { 99 | case dns.RcodeSuccess: 100 | // Check if we got a SOA RR in the answer section 101 | if len(in.Answer) == 0 { 102 | continue 103 | } 104 | 105 | // CNAME records cannot/should not exist at the root of a zone. 106 | // So we skip a domain when a CNAME is found. 107 | if dnsMsgContainsCNAME(in) { 108 | continue 109 | } 110 | 111 | for _, ans := range in.Answer { 112 | if soa, ok := ans.(*dns.SOA); ok { 113 | return newSoaCacheEntry(soa), nil 114 | } 115 | } 116 | case dns.RcodeNameError: 117 | // NXDOMAIN 118 | default: 119 | // Any response code other than NOERROR and NXDOMAIN is treated as error 120 | return nil, fmt.Errorf("unexpected response code '%s' for %s", dns.RcodeToString[in.Rcode], domain) 121 | } 122 | } 123 | 124 | return nil, fmt.Errorf("could not find the start of authority for %s%s", fqdn, formatDNSError(in, err)) 125 | } 126 | 127 | // dnsMsgContainsCNAME checks for a CNAME answer in msg 128 | func dnsMsgContainsCNAME(msg *dns.Msg) bool { 129 | for _, ans := range msg.Answer { 130 | if _, ok := ans.(*dns.CNAME); ok { 131 | return true 132 | } 133 | } 134 | return false 135 | } 136 | 137 | func dnsQuery(ctx context.Context, fqdn string, rtype uint16, nameservers []string, recursive bool) (*dns.Msg, error) { 138 | m := createDNSMsg(fqdn, rtype, recursive) 139 | var in *dns.Msg 140 | var err error 141 | for _, ns := range nameservers { 142 | in, err = sendDNSQuery(ctx, m, ns) 143 | if err == nil && len(in.Answer) > 0 { 144 | break 145 | } 146 | } 147 | return in, err 148 | } 149 | 150 | func createDNSMsg(fqdn string, rtype uint16, recursive bool) *dns.Msg { 151 | m := new(dns.Msg) 152 | m.SetQuestion(fqdn, rtype) 153 | 154 | // See: https://caddy.community/t/hard-time-getting-a-response-on-a-dns-01-challenge/15721/16 155 | m.SetEdns0(1232, false) 156 | if !recursive { 157 | m.RecursionDesired = false 158 | } 159 | return m 160 | } 161 | 162 | func sendDNSQuery(ctx context.Context, m *dns.Msg, ns string) (*dns.Msg, error) { 163 | udp := &dns.Client{Net: "udp", Timeout: dnsTimeout} 164 | in, _, err := udp.ExchangeContext(ctx, m, ns) 165 | // two kinds of errors we can handle by retrying with TCP: 166 | // truncation and timeout; see https://github.com/caddyserver/caddy/issues/3639 167 | truncated := in != nil && in.Truncated 168 | timeoutErr := err != nil && strings.Contains(err.Error(), "timeout") 169 | if truncated || timeoutErr { 170 | tcp := &dns.Client{Net: "tcp", Timeout: dnsTimeout} 171 | in, _, err = tcp.ExchangeContext(ctx, m, ns) 172 | } 173 | return in, err 174 | } 175 | 176 | func formatDNSError(msg *dns.Msg, err error) string { 177 | var parts []string 178 | if msg != nil { 179 | parts = append(parts, dns.RcodeToString[msg.Rcode]) 180 | } 181 | if err != nil { 182 | parts = append(parts, err.Error()) 183 | } 184 | if len(parts) > 0 { 185 | return ": " + strings.Join(parts, " ") 186 | } 187 | return "" 188 | } 189 | 190 | // soaCacheEntry holds a cached SOA record (only selected fields) 191 | type soaCacheEntry struct { 192 | zone string // zone apex (a domain name) 193 | primaryNs string // primary nameserver for the zone apex 194 | expires time.Time // time when this cache entry should be evicted 195 | } 196 | 197 | func newSoaCacheEntry(soa *dns.SOA) *soaCacheEntry { 198 | return &soaCacheEntry{ 199 | zone: soa.Hdr.Name, 200 | primaryNs: soa.Ns, 201 | expires: time.Now().Add(time.Duration(soa.Refresh) * time.Second), 202 | } 203 | } 204 | 205 | // isExpired checks whether a cache entry should be considered expired. 206 | func (cache *soaCacheEntry) isExpired() bool { 207 | return time.Now().After(cache.expires) 208 | } 209 | 210 | // systemOrDefaultNameservers attempts to get system nameservers from the 211 | // resolv.conf file given by path before falling back to hard-coded defaults. 212 | func systemOrDefaultNameservers(path string, defaults []string) []string { 213 | config, err := dns.ClientConfigFromFile(path) 214 | if err != nil || len(config.Servers) == 0 { 215 | return defaults 216 | } 217 | return config.Servers 218 | } 219 | 220 | // populateNameserverPorts ensures that all nameservers have a port number 221 | // If not, the the default DNS server port of 53 will be appended. 222 | func populateNameserverPorts(servers []string) { 223 | for i := range servers { 224 | _, port, _ := net.SplitHostPort(servers[i]) 225 | if port == "" { 226 | servers[i] = net.JoinHostPort(servers[i], "53") 227 | } 228 | } 229 | } 230 | 231 | // checkDNSPropagation checks if the expected record has been propagated to all authoritative nameservers. 232 | func checkDNSPropagation(ctx context.Context, logger *zap.Logger, fqdn string, recType uint16, expectedValue string, checkAuthoritativeServers bool, resolvers []string) (bool, error) { 233 | logger = logger.Named("propagation") 234 | 235 | if !strings.HasSuffix(fqdn, ".") { 236 | fqdn += "." 237 | } 238 | 239 | // Initial attempt to resolve at the recursive NS - but do not actually 240 | // dereference (follow) a CNAME record if we are targeting a CNAME record 241 | // itself 242 | if recType != dns.TypeCNAME { 243 | r, err := dnsQuery(ctx, fqdn, recType, resolvers, true) 244 | if err != nil { 245 | return false, fmt.Errorf("CNAME dns query: %v", err) 246 | } 247 | if r.Rcode == dns.RcodeSuccess { 248 | fqdn = updateDomainWithCName(r, fqdn) 249 | } 250 | } 251 | 252 | if checkAuthoritativeServers { 253 | authoritativeServers, err := lookupNameservers(ctx, logger, fqdn, resolvers) 254 | if err != nil { 255 | return false, fmt.Errorf("looking up authoritative nameservers: %v", err) 256 | } 257 | populateNameserverPorts(authoritativeServers) 258 | resolvers = authoritativeServers 259 | } 260 | logger.Debug("checking authoritative nameservers", zap.Strings("resolvers", resolvers)) 261 | 262 | return checkAuthoritativeNss(ctx, fqdn, recType, expectedValue, resolvers) 263 | } 264 | 265 | // checkAuthoritativeNss queries each of the given nameservers for the expected record. 266 | func checkAuthoritativeNss(ctx context.Context, fqdn string, recType uint16, expectedValue string, nameservers []string) (bool, error) { 267 | for _, ns := range nameservers { 268 | r, err := dnsQuery(ctx, fqdn, recType, []string{ns}, true) 269 | if err != nil { 270 | return false, fmt.Errorf("querying authoritative nameservers: %v", err) 271 | } 272 | 273 | if r.Rcode != dns.RcodeSuccess { 274 | if r.Rcode == dns.RcodeNameError || r.Rcode == dns.RcodeServerFailure { 275 | // if Present() succeeded, then it must show up eventually, or else 276 | // something is really broken in the DNS provider or their API; 277 | // no need for error here, simply have the caller try again 278 | return false, nil 279 | } 280 | return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn) 281 | } 282 | 283 | for _, rr := range r.Answer { 284 | switch recType { 285 | case dns.TypeTXT: 286 | if txt, ok := rr.(*dns.TXT); ok { 287 | record := strings.Join(txt.Txt, "") 288 | if record == expectedValue { 289 | return true, nil 290 | } 291 | } 292 | case dns.TypeCNAME: 293 | if cname, ok := rr.(*dns.CNAME); ok { 294 | // TODO: whether a DNS provider assumes a trailing dot or not varies, and we may have to standardize this in libdns packages 295 | if strings.TrimSuffix(cname.Target, ".") == strings.TrimSuffix(expectedValue, ".") { 296 | return true, nil 297 | } 298 | } 299 | default: 300 | return false, fmt.Errorf("unsupported record type: %d", recType) 301 | } 302 | } 303 | } 304 | 305 | return false, nil 306 | } 307 | 308 | // lookupNameservers returns the authoritative nameservers for the given fqdn. 309 | func lookupNameservers(ctx context.Context, logger *zap.Logger, fqdn string, resolvers []string) ([]string, error) { 310 | var authoritativeNss []string 311 | 312 | zone, err := FindZoneByFQDN(ctx, logger, fqdn, resolvers) 313 | if err != nil { 314 | return nil, fmt.Errorf("could not determine the zone for '%s': %w", fqdn, err) 315 | } 316 | 317 | r, err := dnsQuery(ctx, zone, dns.TypeNS, resolvers, true) 318 | if err != nil { 319 | return nil, fmt.Errorf("querying NS resolver for zone '%s' recursively: %v", zone, err) 320 | } 321 | 322 | for _, rr := range r.Answer { 323 | if ns, ok := rr.(*dns.NS); ok { 324 | authoritativeNss = append(authoritativeNss, strings.ToLower(ns.Ns)) 325 | } 326 | } 327 | 328 | if len(authoritativeNss) > 0 { 329 | return authoritativeNss, nil 330 | } 331 | return nil, errors.New("could not determine authoritative nameservers") 332 | } 333 | 334 | // Update FQDN with CNAME if any 335 | func updateDomainWithCName(r *dns.Msg, fqdn string) string { 336 | for _, rr := range r.Answer { 337 | if cn, ok := rr.(*dns.CNAME); ok { 338 | if cn.Hdr.Name == fqdn { 339 | return cn.Target 340 | } 341 | } 342 | } 343 | return fqdn 344 | } 345 | 346 | // RecursiveNameservers are used to pre-check DNS propagation. It 347 | // picks user-configured nameservers (custom) OR the defaults 348 | // obtained from resolv.conf and defaultNameservers if none is 349 | // configured and ensures that all server addresses have a port value. 350 | // 351 | // EXPERIMENTAL: This API was previously unexported, and may be 352 | // be unexported again in the future. Do not rely on it at this time. 353 | func RecursiveNameservers(custom []string) []string { 354 | var servers []string 355 | if len(custom) == 0 { 356 | servers = systemOrDefaultNameservers(defaultResolvConf, defaultNameservers) 357 | } else { 358 | servers = make([]string, len(custom)) 359 | copy(servers, custom) 360 | } 361 | populateNameserverPorts(servers) 362 | return servers 363 | } 364 | 365 | var defaultNameservers = []string{ 366 | "8.8.8.8:53", 367 | "8.8.4.4:53", 368 | "1.1.1.1:53", 369 | "1.0.0.1:53", 370 | } 371 | 372 | var dnsTimeout = 10 * time.Second 373 | 374 | var ( 375 | fqdnSOACache = map[string]*soaCacheEntry{} 376 | fqdnSOACacheMu sync.Mutex 377 | ) 378 | 379 | const defaultResolvConf = "/etc/resolv.conf" 380 | -------------------------------------------------------------------------------- /dnsutil_test.go: -------------------------------------------------------------------------------- 1 | package certmagic 2 | 3 | // Code in this file adapted from go-acme/lego, July 2020: 4 | // https://github.com/go-acme/lego 5 | // by Ludovic Fernandez and Dominik Menke 6 | // 7 | // It has been modified. 8 | 9 | import ( 10 | "context" 11 | "net" 12 | "reflect" 13 | "runtime" 14 | "sort" 15 | "strings" 16 | "testing" 17 | 18 | "go.uber.org/zap" 19 | ) 20 | 21 | func TestLookupNameserversOK(t *testing.T) { 22 | testCases := []struct { 23 | fqdn string 24 | nss []string 25 | }{ 26 | { 27 | fqdn: "physics.georgetown.edu.", 28 | nss: []string{"ns.b1ddi.physics.georgetown.edu.", "ns4.georgetown.edu.", "ns5.georgetown.edu.", "ns6.georgetown.edu."}, 29 | }, 30 | } 31 | 32 | for i, test := range testCases { 33 | test := test 34 | i := i 35 | t.Run(test.fqdn, func(t *testing.T) { 36 | t.Parallel() 37 | 38 | nss, err := lookupNameservers(context.Background(), zap.NewNop(), test.fqdn, RecursiveNameservers(nil)) 39 | if err != nil { 40 | t.Errorf("Expected no error, got: %v", err) 41 | } 42 | 43 | sort.Strings(nss) 44 | sort.Strings(test.nss) 45 | 46 | if !reflect.DeepEqual(test.nss, nss) { 47 | t.Errorf("Test %d: expected %+v but got %+v", i, test.nss, nss) 48 | } 49 | }) 50 | } 51 | } 52 | 53 | func TestLookupNameserversErr(t *testing.T) { 54 | testCases := []struct { 55 | desc string 56 | fqdn string 57 | error string 58 | }{ 59 | { 60 | desc: "invalid tld", 61 | fqdn: "_null.n0n0.", 62 | error: "could not determine the zone", 63 | }, 64 | } 65 | 66 | for i, test := range testCases { 67 | test := test 68 | i := i 69 | t.Run(test.desc, func(t *testing.T) { 70 | t.Parallel() 71 | 72 | _, err := lookupNameservers(context.Background(), zap.NewNop(), test.fqdn, nil) 73 | if err == nil { 74 | t.Errorf("expected error, got none") 75 | } 76 | if !strings.Contains(err.Error(), test.error) { 77 | t.Errorf("Test %d: Expected error to contain '%s' but got '%s'", i, test.error, err.Error()) 78 | } 79 | }) 80 | } 81 | } 82 | 83 | var findXByFqdnTestCases = []struct { 84 | desc string 85 | fqdn string 86 | zone string 87 | primaryNs string 88 | nameservers []string 89 | expectedError string 90 | skipTest bool 91 | }{ 92 | { 93 | desc: "domain is a CNAME", 94 | fqdn: "scholar.google.com.", 95 | zone: "google.com.", 96 | primaryNs: "ns1.google.com.", 97 | nameservers: RecursiveNameservers(nil), 98 | }, 99 | { 100 | desc: "domain is a non-existent subdomain", 101 | fqdn: "foo.google.com.", 102 | zone: "google.com.", 103 | primaryNs: "ns1.google.com.", 104 | nameservers: RecursiveNameservers(nil), 105 | }, 106 | { 107 | desc: "domain is a eTLD", 108 | fqdn: "example.com.ac.", 109 | zone: "ac.", 110 | primaryNs: "a0.nic.ac.", 111 | nameservers: RecursiveNameservers(nil), 112 | }, 113 | { 114 | desc: "domain is a cross-zone CNAME", 115 | fqdn: "cross-zone-example.assets.sh.", 116 | zone: "assets.sh.", 117 | primaryNs: "gina.ns.cloudflare.com.", 118 | nameservers: RecursiveNameservers(nil), 119 | }, 120 | { 121 | desc: "NXDOMAIN", 122 | fqdn: "test.loho.jkl.", 123 | zone: "loho.jkl.", 124 | nameservers: []string{"1.1.1.1:53"}, 125 | expectedError: "could not find the start of authority for test.loho.jkl.: NXDOMAIN", 126 | }, 127 | { 128 | desc: "several non existent nameservers", 129 | fqdn: "scholar.google.com.", 130 | zone: "google.com.", 131 | primaryNs: "ns1.google.com.", 132 | nameservers: []string{":7053", ":8053", "1.1.1.1:53"}, 133 | // Windows takes a super long time to timeout and this negatively impacts CI. 134 | // Essentially, we know this works, but Windows is just slow to give up. 135 | skipTest: runtime.GOOS == "windows", 136 | }, 137 | { 138 | desc: "only non existent nameservers", 139 | fqdn: "scholar.google.com.", 140 | zone: "google.com.", 141 | nameservers: []string{":7053", ":8053", ":9053"}, 142 | expectedError: "could not find the start of authority for scholar.google.com.:", 143 | // Windows takes a super long time to timeout and this negatively impacts CI. 144 | // Essentially, we know this works, but Windows is just slow to give up. 145 | skipTest: runtime.GOOS == "windows", 146 | }, 147 | { 148 | desc: "no nameservers", 149 | fqdn: "test.ldez.com.", 150 | zone: "ldez.com.", 151 | nameservers: []string{}, 152 | expectedError: "could not find the start of authority for test.ldez.com.", 153 | }, 154 | } 155 | 156 | func TestFindZoneByFqdn(t *testing.T) { 157 | for i, test := range findXByFqdnTestCases { 158 | t.Run(test.desc, func(t *testing.T) { 159 | if test.skipTest { 160 | t.Skip("skipping test") 161 | } 162 | clearFqdnCache() 163 | 164 | zone, err := FindZoneByFQDN(context.Background(), zap.NewNop(), test.fqdn, test.nameservers) 165 | if test.expectedError != "" { 166 | if err == nil { 167 | t.Errorf("test %d: expected error, got none", i) 168 | return 169 | } 170 | if !strings.Contains(err.Error(), test.expectedError) { 171 | t.Errorf("test %d: expected error to contain '%s' but got '%s'", i, test.expectedError, err.Error()) 172 | } 173 | } else { 174 | if err != nil { 175 | t.Errorf("test %d: expected no error, but got: %v", i, err) 176 | } 177 | if zone != test.zone { 178 | t.Errorf("test %d: expected zone '%s' but got '%s'", i, zone, test.zone) 179 | } 180 | } 181 | }) 182 | } 183 | } 184 | 185 | func TestResolveConfServers(t *testing.T) { 186 | var testCases = []struct { 187 | fixture string 188 | expected []string 189 | defaults []string 190 | }{ 191 | { 192 | fixture: "testdata/resolv.conf.1", 193 | defaults: []string{"127.0.0.1:53"}, 194 | expected: []string{"10.200.3.249", "10.200.3.250:5353", "2001:4860:4860::8844", "[10.0.0.1]:5353"}, 195 | }, 196 | { 197 | fixture: "testdata/resolv.conf.nonexistent", 198 | defaults: []string{"127.0.0.1:53"}, 199 | expected: []string{"127.0.0.1:53"}, 200 | }, 201 | } 202 | 203 | for i, test := range testCases { 204 | t.Run(test.fixture, func(t *testing.T) { 205 | result := systemOrDefaultNameservers(test.fixture, test.defaults) 206 | 207 | sort.Strings(result) 208 | sort.Strings(test.expected) 209 | 210 | if !reflect.DeepEqual(test.expected, result) { 211 | t.Errorf("Test %d: Expected %v but got %v", i, test.expected, result) 212 | } 213 | }) 214 | } 215 | } 216 | 217 | func TestRecursiveNameserversAddsPort(t *testing.T) { 218 | type want struct { 219 | port string 220 | } 221 | custom := []string{"127.0.0.1", "ns1.google.com:43"} 222 | expectations := []want{{port: "53"}, {port: "43"}} 223 | results := RecursiveNameservers(custom) 224 | 225 | if !reflect.DeepEqual(custom, []string{"127.0.0.1", "ns1.google.com:43"}) { 226 | t.Errorf("Expected custom nameservers to be unmodified. got %v", custom) 227 | } 228 | 229 | if len(results) != len(expectations) { 230 | t.Errorf("%v wrong results length. got %d, want %d", results, len(results), len(expectations)) 231 | } 232 | 233 | var hasCustom bool 234 | for i, res := range results { 235 | hasCustom = hasCustom || strings.HasPrefix(res, custom[0]) 236 | if _, port, err := net.SplitHostPort(res); err != nil { 237 | t.Errorf("%v Error splitting result %d into host and port: %v", results, i, err) 238 | } else { 239 | if port != expectations[i].port { 240 | t.Errorf("%v Expected result %d to have port %s but got %s", results, i, expectations[i].port, port) 241 | } 242 | } 243 | } 244 | if !hasCustom { 245 | t.Errorf("%v Expected custom resolvers to be included, but they weren't: %v", results, custom) 246 | } 247 | 248 | } 249 | 250 | func TestRecursiveNameserversDefaults(t *testing.T) { 251 | results := RecursiveNameservers(nil) 252 | if len(results) < 1 { 253 | t.Errorf("%v Expected at least 1 records as default when nil custom", results) 254 | } 255 | 256 | results = RecursiveNameservers([]string{}) 257 | if len(results) < 1 { 258 | t.Errorf("%v Expected at least 1 records as default when empty custom", results) 259 | } 260 | } 261 | 262 | func clearFqdnCache() { 263 | fqdnSOACacheMu.Lock() 264 | fqdnSOACache = make(map[string]*soaCacheEntry) 265 | fqdnSOACacheMu.Unlock() 266 | } 267 | -------------------------------------------------------------------------------- /doc_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "fmt" 19 | "log" 20 | "net/http" 21 | ) 22 | 23 | // This is the simplest way for HTTP servers to use this package. 24 | // Call HTTPS() with your domain names and your handler (or nil 25 | // for the http.DefaultMux), and CertMagic will do the rest. 26 | func ExampleHTTPS() { 27 | http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) { 28 | fmt.Fprintf(w, "Hello, HTTPS visitor!") 29 | }) 30 | 31 | err := HTTPS([]string{"example.com", "www.example.com"}, nil) 32 | if err != nil { 33 | log.Fatal(err) 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /filestorage.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "context" 19 | "encoding/json" 20 | "errors" 21 | "fmt" 22 | "io" 23 | "io/fs" 24 | "log" 25 | "os" 26 | "path" 27 | "path/filepath" 28 | "runtime" 29 | "time" 30 | 31 | "github.com/caddyserver/certmagic/internal/atomicfile" 32 | ) 33 | 34 | // FileStorage facilitates forming file paths derived from a root 35 | // directory. It is used to get file paths in a consistent, 36 | // cross-platform way or persisting ACME assets on the file system. 37 | // The presence of a lock file for a given key indicates a lock 38 | // is held and is thus unavailable. 39 | // 40 | // Locks are created atomically by relying on the file system to 41 | // enforce the O_EXCL flag. Acquirers that are forcefully terminated 42 | // will not have a chance to clean up their locks before they exit, 43 | // so locks may become stale. That is why, while a lock is actively 44 | // held, the contents of the lockfile are updated with the current 45 | // timestamp periodically. If another instance tries to acquire the 46 | // lock but fails, it can see if the timestamp within is still fresh. 47 | // If so, it patiently waits by polling occasionally. Otherwise, 48 | // the stale lockfile is deleted, essentially forcing an unlock. 49 | // 50 | // While locking is atomic, unlocking is not perfectly atomic. File 51 | // systems offer native atomic operations when creating files, but 52 | // not necessarily when deleting them. It is theoretically possible 53 | // for two instances to discover the same stale lock and both proceed 54 | // to delete it, but if one instance is able to delete the lockfile 55 | // and create a new one before the other one calls delete, then the 56 | // new lock file created by the first instance will get deleted by 57 | // mistake. This does mean that mutual exclusion is not guaranteed 58 | // to be perfectly enforced in the presence of stale locks. One 59 | // alternative is to lock the unlock operation by using ".unlock" 60 | // files; and we did this for some time, but those files themselves 61 | // may become stale, leading applications into infinite loops if 62 | // they always expect the unlock file to be deleted by the instance 63 | // that created it. We instead prefer the simpler solution that 64 | // implies imperfect mutual exclusion if locks become stale, but 65 | // that is probably less severe a consequence than infinite loops. 66 | // 67 | // See https://github.com/caddyserver/caddy/issues/4448 for discussion. 68 | // See commit 468bfd25e452196b140148928cdd1f1a2285ae4b for where we 69 | // switched away from using .unlock files. 70 | type FileStorage struct { 71 | Path string 72 | } 73 | 74 | // Exists returns true if key exists in s. 75 | func (s *FileStorage) Exists(_ context.Context, key string) bool { 76 | _, err := os.Stat(s.Filename(key)) 77 | return !errors.Is(err, fs.ErrNotExist) 78 | } 79 | 80 | // Store saves value at key. 81 | func (s *FileStorage) Store(_ context.Context, key string, value []byte) error { 82 | filename := s.Filename(key) 83 | err := os.MkdirAll(filepath.Dir(filename), 0700) 84 | if err != nil { 85 | return err 86 | } 87 | fp, err := atomicfile.New(filename, 0o600) 88 | if err != nil { 89 | return err 90 | } 91 | _, err = fp.Write(value) 92 | if err != nil { 93 | // cancel the write 94 | fp.Cancel() 95 | return err 96 | } 97 | // close, thereby flushing the write 98 | return fp.Close() 99 | } 100 | 101 | // Load retrieves the value at key. 102 | func (s *FileStorage) Load(_ context.Context, key string) ([]byte, error) { 103 | // i believe it's possible for the read call to error but still return bytes, in event of something like a shortread? 104 | // therefore, i think it's appropriate to not return any bytes to avoid downstream users of the package erroniously believing that 105 | // bytes read + error is a valid response (it should not be) 106 | xs, err := os.ReadFile(s.Filename(key)) 107 | if err != nil { 108 | return nil, err 109 | } 110 | return xs, nil 111 | } 112 | 113 | // Delete deletes the value at key. 114 | func (s *FileStorage) Delete(_ context.Context, key string) error { 115 | return os.RemoveAll(s.Filename(key)) 116 | } 117 | 118 | // List returns all keys that match prefix. 119 | func (s *FileStorage) List(ctx context.Context, prefix string, recursive bool) ([]string, error) { 120 | var keys []string 121 | walkPrefix := s.Filename(prefix) 122 | 123 | err := filepath.Walk(walkPrefix, func(fpath string, info os.FileInfo, err error) error { 124 | if err != nil { 125 | return err 126 | } 127 | if info == nil { 128 | return fmt.Errorf("%s: file info is nil", fpath) 129 | } 130 | if fpath == walkPrefix { 131 | return nil 132 | } 133 | if ctxErr := ctx.Err(); ctxErr != nil { 134 | return ctxErr 135 | } 136 | 137 | suffix, err := filepath.Rel(walkPrefix, fpath) 138 | if err != nil { 139 | return fmt.Errorf("%s: could not make path relative: %v", fpath, err) 140 | } 141 | keys = append(keys, path.Join(prefix, suffix)) 142 | 143 | if !recursive && info.IsDir() { 144 | return filepath.SkipDir 145 | } 146 | return nil 147 | }) 148 | 149 | return keys, err 150 | } 151 | 152 | // Stat returns information about key. 153 | func (s *FileStorage) Stat(_ context.Context, key string) (KeyInfo, error) { 154 | fi, err := os.Stat(s.Filename(key)) 155 | if err != nil { 156 | return KeyInfo{}, err 157 | } 158 | return KeyInfo{ 159 | Key: key, 160 | Modified: fi.ModTime(), 161 | Size: fi.Size(), 162 | IsTerminal: !fi.IsDir(), 163 | }, nil 164 | } 165 | 166 | // Filename returns the key as a path on the file 167 | // system prefixed by s.Path. 168 | func (s *FileStorage) Filename(key string) string { 169 | return filepath.Join(s.Path, filepath.FromSlash(key)) 170 | } 171 | 172 | // Lock obtains a lock named by the given name. It blocks 173 | // until the lock can be obtained or an error is returned. 174 | func (s *FileStorage) Lock(ctx context.Context, name string) error { 175 | filename := s.lockFilename(name) 176 | 177 | // sometimes the lockfiles read as empty (size 0) - this is either a stale lock or it 178 | // is currently being written; we can retry a few times in this case, as it has been 179 | // shown to help (issue #232) 180 | var emptyCount int 181 | 182 | for { 183 | err := createLockfile(filename) 184 | if err == nil { 185 | // got the lock, yay 186 | return nil 187 | } 188 | if !os.IsExist(err) { 189 | // unexpected error 190 | return fmt.Errorf("creating lock file: %v", err) 191 | } 192 | 193 | // lock file already exists 194 | 195 | var meta lockMeta 196 | f, err := os.Open(filename) 197 | if err == nil { 198 | err2 := json.NewDecoder(f).Decode(&meta) 199 | f.Close() 200 | if errors.Is(err2, io.EOF) { 201 | emptyCount++ 202 | if emptyCount < 8 { 203 | // wait for brief time and retry; could be that the file is in the process 204 | // of being written or updated (which involves truncating) - see issue #232 205 | select { 206 | case <-time.After(250 * time.Millisecond): 207 | case <-ctx.Done(): 208 | return ctx.Err() 209 | } 210 | continue 211 | } else { 212 | // lockfile is empty or truncated multiple times; I *think* we can assume 213 | // the previous acquirer either crashed or had some sort of failure that 214 | // caused them to be unable to fully acquire or retain the lock, therefore 215 | // we should treat it as if the lockfile did not exist 216 | log.Printf("[INFO][%s] %s: Empty lockfile (%v) - likely previous process crashed or storage medium failure; treating as stale", s, filename, err2) 217 | } 218 | } else if err2 != nil { 219 | return fmt.Errorf("decoding lockfile contents: %w", err2) 220 | } 221 | } 222 | 223 | switch { 224 | case os.IsNotExist(err): 225 | // must have just been removed; try again to create it 226 | continue 227 | 228 | case err != nil: 229 | // unexpected error 230 | return fmt.Errorf("accessing lock file: %v", err) 231 | 232 | case fileLockIsStale(meta): 233 | // lock file is stale - delete it and try again to obtain lock 234 | // (NOTE: locking becomes imperfect if lock files are stale; known solutions 235 | // either have potential to cause infinite loops, as in caddyserver/caddy#4448, 236 | // or must give up on perfect mutual exclusivity; however, these cases are rare, 237 | // so we prefer the simpler solution that avoids infinite loops) 238 | log.Printf("[INFO][%s] Lock for '%s' is stale (created: %s, last update: %s); removing then retrying: %s", 239 | s, name, meta.Created, meta.Updated, filename) 240 | if err = os.Remove(filename); err != nil { // hopefully we can replace the lock file quickly! 241 | if !errors.Is(err, fs.ErrNotExist) { 242 | return fmt.Errorf("unable to delete stale lockfile; deadlocked: %w", err) 243 | } 244 | } 245 | continue 246 | 247 | default: 248 | // lockfile exists and is not stale; 249 | // just wait a moment and try again, 250 | // or return if context cancelled 251 | select { 252 | case <-time.After(fileLockPollInterval): 253 | case <-ctx.Done(): 254 | return ctx.Err() 255 | } 256 | } 257 | } 258 | } 259 | 260 | // Unlock releases the lock for name. 261 | func (s *FileStorage) Unlock(_ context.Context, name string) error { 262 | return os.Remove(s.lockFilename(name)) 263 | } 264 | 265 | func (s *FileStorage) String() string { 266 | return "FileStorage:" + s.Path 267 | } 268 | 269 | func (s *FileStorage) lockFilename(name string) string { 270 | return filepath.Join(s.lockDir(), StorageKeys.Safe(name)+".lock") 271 | } 272 | 273 | func (s *FileStorage) lockDir() string { 274 | return filepath.Join(s.Path, "locks") 275 | } 276 | 277 | func fileLockIsStale(meta lockMeta) bool { 278 | ref := meta.Updated 279 | if ref.IsZero() { 280 | ref = meta.Created 281 | } 282 | // since updates are exactly every lockFreshnessInterval, 283 | // add a grace period for the actual file read+write to 284 | // take place 285 | return time.Since(ref) > lockFreshnessInterval*2 286 | } 287 | 288 | // createLockfile atomically creates the lockfile 289 | // identified by filename. A successfully created 290 | // lockfile should be removed with removeLockfile. 291 | func createLockfile(filename string) error { 292 | err := atomicallyCreateFile(filename, true) 293 | if err != nil { 294 | return err 295 | } 296 | 297 | go keepLockfileFresh(filename) 298 | 299 | return nil 300 | } 301 | 302 | // keepLockfileFresh continuously updates the lock file 303 | // at filename with the current timestamp. It stops 304 | // when the file disappears (happy path = lock released), 305 | // or when there is an error at any point. Since it polls 306 | // every lockFreshnessInterval, this function might 307 | // not terminate until up to lockFreshnessInterval after 308 | // the lock is released. 309 | func keepLockfileFresh(filename string) { 310 | defer func() { 311 | if err := recover(); err != nil { 312 | buf := make([]byte, stackTraceBufferSize) 313 | buf = buf[:runtime.Stack(buf, false)] 314 | log.Printf("panic: active locking: %v\n%s", err, buf) 315 | } 316 | }() 317 | 318 | for { 319 | time.Sleep(lockFreshnessInterval) 320 | done, err := updateLockfileFreshness(filename) 321 | if err != nil { 322 | log.Printf("[ERROR] Keeping lock file fresh: %v - terminating lock maintenance (lockfile: %s)", err, filename) 323 | return 324 | } 325 | if done { 326 | return 327 | } 328 | } 329 | } 330 | 331 | // updateLockfileFreshness updates the lock file at filename 332 | // with the current timestamp. It returns true if the parent 333 | // loop can terminate (i.e. no more need to update the lock). 334 | func updateLockfileFreshness(filename string) (bool, error) { 335 | f, err := os.OpenFile(filename, os.O_RDWR, 0644) 336 | if os.IsNotExist(err) { 337 | return true, nil // lock released 338 | } 339 | if err != nil { 340 | return true, err 341 | } 342 | defer f.Close() 343 | 344 | // read contents 345 | metaBytes, err := io.ReadAll(io.LimitReader(f, 2048)) 346 | if err != nil { 347 | return true, err 348 | } 349 | var meta lockMeta 350 | if err := json.Unmarshal(metaBytes, &meta); err != nil { 351 | // see issue #232: this can error if the file is empty, 352 | // which happens sometimes when the disk is REALLY slow 353 | return true, err 354 | } 355 | 356 | // truncate file and reset I/O offset to beginning 357 | if err := f.Truncate(0); err != nil { 358 | return true, err 359 | } 360 | if _, err := f.Seek(0, io.SeekStart); err != nil { 361 | return true, err 362 | } 363 | 364 | // write updated timestamp 365 | meta.Updated = time.Now() 366 | if err = json.NewEncoder(f).Encode(meta); err != nil { 367 | return false, err 368 | } 369 | 370 | // sync to device; we suspect that sometimes file systems 371 | // (particularly AWS EFS) don't do this on their own, 372 | // leaving the file empty when we close it; see 373 | // https://github.com/caddyserver/caddy/issues/3954 374 | return false, f.Sync() 375 | } 376 | 377 | // atomicallyCreateFile atomically creates the file 378 | // identified by filename if it doesn't already exist. 379 | func atomicallyCreateFile(filename string, writeLockInfo bool) error { 380 | // no need to check this error, we only really care about the file creation error 381 | _ = os.MkdirAll(filepath.Dir(filename), 0700) 382 | f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY|os.O_EXCL, 0644) 383 | if err != nil { 384 | return err 385 | } 386 | defer f.Close() 387 | if writeLockInfo { 388 | now := time.Now() 389 | meta := lockMeta{ 390 | Created: now, 391 | Updated: now, 392 | } 393 | if err := json.NewEncoder(f).Encode(meta); err != nil { 394 | return err 395 | } 396 | // see https://github.com/caddyserver/caddy/issues/3954 397 | if err := f.Sync(); err != nil { 398 | return err 399 | } 400 | } 401 | return nil 402 | } 403 | 404 | // homeDir returns the best guess of the current user's home 405 | // directory from environment variables. If unknown, "." (the 406 | // current directory) is returned instead. 407 | func homeDir() string { 408 | home := os.Getenv("HOME") 409 | if home == "" && runtime.GOOS == "windows" { 410 | drive := os.Getenv("HOMEDRIVE") 411 | path := os.Getenv("HOMEPATH") 412 | home = drive + path 413 | if drive == "" || path == "" { 414 | home = os.Getenv("USERPROFILE") 415 | } 416 | } 417 | if home == "" { 418 | home = "." 419 | } 420 | return home 421 | } 422 | 423 | func dataDir() string { 424 | baseDir := filepath.Join(homeDir(), ".local", "share") 425 | if xdgData := os.Getenv("XDG_DATA_HOME"); xdgData != "" { 426 | baseDir = xdgData 427 | } 428 | return filepath.Join(baseDir, "certmagic") 429 | } 430 | 431 | // lockMeta is written into a lock file. 432 | type lockMeta struct { 433 | Created time.Time `json:"created,omitempty"` 434 | Updated time.Time `json:"updated,omitempty"` 435 | } 436 | 437 | // lockFreshnessInterval is how often to update 438 | // a lock's timestamp. Locks with a timestamp 439 | // more than this duration in the past (plus a 440 | // grace period for latency) can be considered 441 | // stale. 442 | const lockFreshnessInterval = 5 * time.Second 443 | 444 | // fileLockPollInterval is how frequently 445 | // to check the existence of a lock file 446 | const fileLockPollInterval = 1 * time.Second 447 | 448 | // Interface guard 449 | var _ Storage = (*FileStorage)(nil) 450 | -------------------------------------------------------------------------------- /filestorage_test.go: -------------------------------------------------------------------------------- 1 | package certmagic_test 2 | 3 | import ( 4 | "bytes" 5 | "context" 6 | "os" 7 | "testing" 8 | 9 | "github.com/caddyserver/certmagic" 10 | "github.com/caddyserver/certmagic/internal/testutil" 11 | ) 12 | 13 | func TestFileStorageStoreLoad(t *testing.T) { 14 | ctx := context.Background() 15 | tmpDir, err := os.MkdirTemp(os.TempDir(), "certmagic*") 16 | testutil.RequireNoError(t, err, "allocating tmp dir") 17 | defer os.RemoveAll(tmpDir) 18 | s := &certmagic.FileStorage{ 19 | Path: tmpDir, 20 | } 21 | err = s.Store(ctx, "foo", []byte("bar")) 22 | testutil.RequireNoError(t, err) 23 | dat, err := s.Load(ctx, "foo") 24 | testutil.RequireNoError(t, err) 25 | testutil.RequireEqualValues(t, dat, []byte("bar")) 26 | } 27 | 28 | func TestFileStorageStoreLoadRace(t *testing.T) { 29 | ctx := context.Background() 30 | tmpDir, err := os.MkdirTemp(os.TempDir(), "certmagic*") 31 | testutil.RequireNoError(t, err, "allocating tmp dir") 32 | defer os.RemoveAll(tmpDir) 33 | s := &certmagic.FileStorage{ 34 | Path: tmpDir, 35 | } 36 | a := bytes.Repeat([]byte("a"), 4096*1024) 37 | b := bytes.Repeat([]byte("b"), 4096*1024) 38 | err = s.Store(ctx, "foo", a) 39 | testutil.RequireNoError(t, err) 40 | done := make(chan struct{}) 41 | go func() { 42 | err := s.Store(ctx, "foo", b) 43 | testutil.RequireNoError(t, err) 44 | close(done) 45 | }() 46 | dat, err := s.Load(ctx, "foo") 47 | <-done 48 | testutil.RequireNoError(t, err) 49 | testutil.RequireEqualValues(t, 4096*1024, len(dat)) 50 | } 51 | 52 | func TestFileStorageWriteLock(t *testing.T) { 53 | ctx := context.Background() 54 | tmpDir, err := os.MkdirTemp(os.TempDir(), "certmagic*") 55 | testutil.RequireNoError(t, err, "allocating tmp dir") 56 | defer os.RemoveAll(tmpDir) 57 | s := &certmagic.FileStorage{ 58 | Path: tmpDir, 59 | } 60 | // cctx is a cancelled ctx. so if we can't immediately get the lock, it will fail 61 | cctx, cn := context.WithCancel(ctx) 62 | cn() 63 | // should success 64 | err = s.Lock(cctx, "foo") 65 | testutil.RequireNoError(t, err) 66 | // should fail 67 | err = s.Lock(cctx, "foo") 68 | testutil.RequireError(t, err) 69 | 70 | err = s.Unlock(cctx, "foo") 71 | testutil.RequireNoError(t, err) 72 | // shouldn't fail 73 | err = s.Lock(cctx, "foo") 74 | testutil.RequireNoError(t, err) 75 | 76 | err = s.Unlock(cctx, "foo") 77 | testutil.RequireNoError(t, err) 78 | } 79 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/caddyserver/certmagic 2 | 3 | go 1.23.0 4 | 5 | toolchain go1.24.0 6 | 7 | require ( 8 | github.com/caddyserver/zerossl v0.1.3 9 | github.com/klauspost/cpuid/v2 v2.2.10 10 | github.com/libdns/libdns v1.0.0 11 | github.com/mholt/acmez/v3 v3.1.2 12 | github.com/miekg/dns v1.1.63 13 | github.com/zeebo/blake3 v0.2.4 14 | go.uber.org/zap v1.27.0 15 | go.uber.org/zap/exp v0.3.0 16 | golang.org/x/crypto v0.36.0 17 | golang.org/x/net v0.38.0 18 | ) 19 | 20 | require ( 21 | go.uber.org/multierr v1.11.0 // indirect 22 | golang.org/x/mod v0.24.0 // indirect 23 | golang.org/x/sync v0.12.0 // indirect 24 | golang.org/x/sys v0.31.0 // indirect 25 | golang.org/x/text v0.23.0 // indirect 26 | golang.org/x/tools v0.31.0 // indirect 27 | ) 28 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA= 2 | github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4= 3 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 4 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 5 | github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 6 | github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 7 | github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE= 8 | github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0= 9 | github.com/libdns/libdns v1.0.0 h1:IvYaz07JNz6jUQ4h/fv2R4sVnRnm77J/aOuC9B+TQTA= 10 | github.com/libdns/libdns v1.0.0/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ= 11 | github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc= 12 | github.com/mholt/acmez/v3 v3.1.2/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ= 13 | github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY= 14 | github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs= 15 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 16 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 17 | github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= 18 | github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= 19 | github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY= 20 | github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= 21 | github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI= 22 | github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE= 23 | github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo= 24 | github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4= 25 | go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 26 | go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= 27 | go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 28 | go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= 29 | go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= 30 | go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= 31 | go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U= 32 | go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ= 33 | golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= 34 | golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= 35 | golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU= 36 | golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= 37 | golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= 38 | golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= 39 | golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= 40 | golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= 41 | golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= 42 | golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 43 | golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= 44 | golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= 45 | golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU= 46 | golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ= 47 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 48 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 49 | -------------------------------------------------------------------------------- /handshake_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | package certmagic 15 | 16 | import ( 17 | "crypto/tls" 18 | "crypto/x509" 19 | "net" 20 | "testing" 21 | ) 22 | 23 | func TestGetCertificate(t *testing.T) { 24 | c := &Cache{ 25 | cache: make(map[string]Certificate), 26 | cacheIndex: make(map[string][]string), 27 | logger: defaultTestLogger, 28 | } 29 | cfg := &Config{Logger: defaultTestLogger, certCache: c} 30 | 31 | // create a test connection for conn.LocalAddr() 32 | l, _ := net.Listen("tcp", "127.0.0.1:0") 33 | defer l.Close() 34 | conn, _ := net.Dial("tcp", l.Addr().String()) 35 | if conn == nil { 36 | t.Errorf("failed to create a test connection") 37 | } 38 | defer conn.Close() 39 | 40 | hello := &tls.ClientHelloInfo{ServerName: "example.com", Conn: conn} 41 | helloSub := &tls.ClientHelloInfo{ServerName: "sub.example.com", Conn: conn} 42 | helloNoSNI := &tls.ClientHelloInfo{Conn: conn} 43 | helloNoMatch := &tls.ClientHelloInfo{ServerName: "nomatch", Conn: conn} 44 | 45 | // When cache is empty 46 | if cert, err := cfg.GetCertificate(hello); err == nil { 47 | t.Errorf("GetCertificate should return error when cache is empty, got: %v", cert) 48 | } 49 | if cert, err := cfg.GetCertificate(helloNoSNI); err == nil { 50 | t.Errorf("GetCertificate should return error when cache is empty even if server name is blank, got: %v", cert) 51 | } 52 | 53 | // When cache has one certificate in it 54 | firstCert := Certificate{Names: []string{"example.com"}, Certificate: tls.Certificate{Leaf: &x509.Certificate{DNSNames: []string{"example.com"}}}} 55 | c.cacheCertificate(firstCert) 56 | if cert, err := cfg.GetCertificate(hello); err != nil { 57 | t.Errorf("Got an error but shouldn't have, when cert exists in cache: %v", err) 58 | } else if cert.Leaf.DNSNames[0] != "example.com" { 59 | t.Errorf("Got wrong certificate with exact match; expected 'example.com', got: %v", cert) 60 | } 61 | if _, err := cfg.GetCertificate(helloNoSNI); err == nil { 62 | t.Errorf("Did not get an error with no SNI and no DefaultServerName, but should have: %v", err) 63 | } 64 | 65 | // When retrieving wildcard certificate 66 | wildcardCert := Certificate{ 67 | Names: []string{"*.example.com"}, 68 | Certificate: tls.Certificate{Leaf: &x509.Certificate{DNSNames: []string{"*.example.com"}}}, 69 | hash: "(don't overwrite the first one)", 70 | } 71 | c.cacheCertificate(wildcardCert) 72 | if cert, err := cfg.GetCertificate(helloSub); err != nil { 73 | t.Errorf("Didn't get wildcard cert, got: cert=%v, err=%v ", cert, err) 74 | } else if cert.Leaf.DNSNames[0] != "*.example.com" { 75 | t.Errorf("Got wrong certificate, expected wildcard: %v", cert) 76 | } 77 | 78 | // When cache is NOT empty but there's no SNI 79 | if _, err := cfg.GetCertificate(helloNoSNI); err == nil { 80 | t.Errorf("Expected TLS allert when no SNI and no DefaultServerName, but got: %v", err) 81 | } 82 | 83 | // When no certificate matches, raise an alert 84 | if _, err := cfg.GetCertificate(helloNoMatch); err == nil { 85 | t.Errorf("Expected an error when no certificate matched the SNI, got: %v", err) 86 | } 87 | 88 | // When default SNI is set and SNI is missing, retrieve default cert 89 | cfg.DefaultServerName = "example.com" 90 | if cert, err := cfg.GetCertificate(helloNoSNI); err != nil { 91 | t.Errorf("Got an error with no SNI with DefaultServerName, but shouldn't have: %v", err) 92 | } else if cert == nil || cert.Leaf.DNSNames[0] != "example.com" { 93 | t.Errorf("Expected default cert, got: %v", cert) 94 | } 95 | 96 | // When default SNI is set and SNI is missing but IP address matches, retrieve IP cert 97 | ipCert := Certificate{ 98 | Names: []string{"127.0.0.1"}, 99 | Certificate: tls.Certificate{Leaf: &x509.Certificate{IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}}, 100 | hash: "(don't overwrite the first or second one)", 101 | } 102 | c.cacheCertificate(ipCert) 103 | if cert, err := cfg.GetCertificate(helloNoSNI); err != nil { 104 | t.Errorf("Got an error with no SNI but matching IP, but shouldn't have: %v", err) 105 | } else if cert == nil || len(cert.Leaf.IPAddresses) == 0 { 106 | t.Errorf("Expected IP cert, got: %v", cert) 107 | } 108 | } 109 | -------------------------------------------------------------------------------- /httphandlers.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "net/http" 19 | "net/url" 20 | "strings" 21 | 22 | "github.com/mholt/acmez/v3/acme" 23 | "go.uber.org/zap" 24 | ) 25 | 26 | // HTTPChallengeHandler wraps h in a handler that can solve the ACME 27 | // HTTP challenge. cfg is required, and it must have a certificate 28 | // cache backed by a functional storage facility, since that is where 29 | // the challenge state is stored between initiation and solution. 30 | // 31 | // If a request is not an ACME HTTP challenge, h will be invoked. 32 | func (am *ACMEIssuer) HTTPChallengeHandler(h http.Handler) http.Handler { 33 | return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 34 | if am.HandleHTTPChallenge(w, r) { 35 | return 36 | } 37 | h.ServeHTTP(w, r) 38 | }) 39 | } 40 | 41 | // HandleHTTPChallenge uses am to solve challenge requests from an ACME 42 | // server that were initiated by this instance or any other instance in 43 | // this cluster (being, any instances using the same storage am does). 44 | // 45 | // If the HTTP challenge is disabled, this function is a no-op. 46 | // 47 | // If am is nil or if am does not have a certificate cache backed by 48 | // usable storage, solving the HTTP challenge will fail. 49 | // 50 | // It returns true if it handled the request; if so, the response has 51 | // already been written. If false is returned, this call was a no-op and 52 | // the request has not been handled. 53 | func (am *ACMEIssuer) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool { 54 | if am == nil { 55 | return false 56 | } 57 | if am.DisableHTTPChallenge { 58 | return false 59 | } 60 | if !LooksLikeHTTPChallenge(r) { 61 | return false 62 | } 63 | return am.distributedHTTPChallengeSolver(w, r) 64 | } 65 | 66 | // distributedHTTPChallengeSolver checks to see if this challenge 67 | // request was initiated by this or another instance which uses the 68 | // same storage as am does, and attempts to complete the challenge for 69 | // it. It returns true if the request was handled; false otherwise. 70 | func (am *ACMEIssuer) distributedHTTPChallengeSolver(w http.ResponseWriter, r *http.Request) bool { 71 | if am == nil { 72 | return false 73 | } 74 | host := hostOnly(r.Host) 75 | chalInfo, distributed, err := am.config.getChallengeInfo(r.Context(), host) 76 | if err != nil { 77 | am.Logger.Warn("looking up info for HTTP challenge", 78 | zap.String("host", host), 79 | zap.String("remote_addr", r.RemoteAddr), 80 | zap.String("user_agent", r.Header.Get("User-Agent")), 81 | zap.Error(err)) 82 | return false 83 | } 84 | return solveHTTPChallenge(am.Logger, w, r, chalInfo.Challenge, distributed) 85 | } 86 | 87 | // solveHTTPChallenge solves the HTTP challenge using the given challenge information. 88 | // If the challenge is being solved in a distributed fahsion, set distributed to true for logging purposes. 89 | // It returns true the properties of the request check out in relation to the HTTP challenge. 90 | // Most of this code borrowed from xenolf's built-in HTTP-01 challenge solver in March 2018. 91 | func solveHTTPChallenge(logger *zap.Logger, w http.ResponseWriter, r *http.Request, challenge acme.Challenge, distributed bool) bool { 92 | challengeReqPath := challenge.HTTP01ResourcePath() 93 | if r.URL.Path == challengeReqPath && 94 | strings.EqualFold(hostOnly(r.Host), challenge.Identifier.Value) && // mitigate DNS rebinding attacks 95 | r.Method == http.MethodGet { 96 | w.Header().Add("Content-Type", "text/plain") 97 | w.Write([]byte(challenge.KeyAuthorization)) 98 | r.Close = true 99 | logger.Info("served key authentication", 100 | zap.String("identifier", challenge.Identifier.Value), 101 | zap.String("challenge", "http-01"), 102 | zap.String("remote", r.RemoteAddr), 103 | zap.Bool("distributed", distributed)) 104 | return true 105 | } 106 | return false 107 | } 108 | 109 | // SolveHTTPChallenge solves the HTTP challenge. It should be used only on HTTP requests that are 110 | // from ACME servers trying to validate an identifier (i.e. LooksLikeHTTPChallenge() == true). It 111 | // returns true if the request criteria check out and it answered with key authentication, in which 112 | // case no further handling of the request is necessary. 113 | func SolveHTTPChallenge(logger *zap.Logger, w http.ResponseWriter, r *http.Request, challenge acme.Challenge) bool { 114 | return solveHTTPChallenge(logger, w, r, challenge, false) 115 | } 116 | 117 | // LooksLikeHTTPChallenge returns true if r looks like an ACME 118 | // HTTP challenge request from an ACME server. 119 | func LooksLikeHTTPChallenge(r *http.Request) bool { 120 | return r.Method == http.MethodGet && 121 | strings.HasPrefix(r.URL.Path, acmeHTTPChallengeBasePath) 122 | } 123 | 124 | // LooksLikeZeroSSLHTTPValidation returns true if the request appears to be 125 | // domain validation from a ZeroSSL/Sectigo CA. NOTE: This API is 126 | // non-standard and is subject to change. 127 | func LooksLikeZeroSSLHTTPValidation(r *http.Request) bool { 128 | return r.Method == http.MethodGet && 129 | strings.HasPrefix(r.URL.Path, zerosslHTTPValidationBasePath) 130 | } 131 | 132 | // HTTPValidationHandler wraps the ZeroSSL HTTP validation handler such that 133 | // it can pass verification checks from ZeroSSL's API. 134 | // 135 | // If a request is not a ZeroSSL HTTP validation request, h will be invoked. 136 | func (iss *ZeroSSLIssuer) HTTPValidationHandler(h http.Handler) http.Handler { 137 | return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 138 | if iss.HandleZeroSSLHTTPValidation(w, r) { 139 | return 140 | } 141 | h.ServeHTTP(w, r) 142 | }) 143 | } 144 | 145 | // HandleZeroSSLHTTPValidation is to ZeroSSL API HTTP validation requests like HandleHTTPChallenge 146 | // is to ACME HTTP challenge requests. 147 | func (iss *ZeroSSLIssuer) HandleZeroSSLHTTPValidation(w http.ResponseWriter, r *http.Request) bool { 148 | if iss == nil { 149 | return false 150 | } 151 | if !LooksLikeZeroSSLHTTPValidation(r) { 152 | return false 153 | } 154 | return iss.distributedHTTPValidationAnswer(w, r) 155 | } 156 | 157 | func (iss *ZeroSSLIssuer) distributedHTTPValidationAnswer(w http.ResponseWriter, r *http.Request) bool { 158 | if iss == nil { 159 | return false 160 | } 161 | logger := iss.Logger 162 | if logger == nil { 163 | logger = zap.NewNop() 164 | } 165 | host := hostOnly(r.Host) 166 | valInfo, distributed, err := iss.getDistributedValidationInfo(r.Context(), host) 167 | if err != nil { 168 | logger.Warn("looking up info for HTTP validation", 169 | zap.String("host", host), 170 | zap.String("remote_addr", r.RemoteAddr), 171 | zap.String("user_agent", r.Header.Get("User-Agent")), 172 | zap.Error(err)) 173 | return false 174 | } 175 | return answerHTTPValidation(logger, w, r, valInfo, distributed) 176 | } 177 | 178 | func answerHTTPValidation(logger *zap.Logger, rw http.ResponseWriter, req *http.Request, valInfo acme.Challenge, distributed bool) bool { 179 | // ensure URL matches 180 | validationURL, err := url.Parse(valInfo.URL) 181 | if err != nil { 182 | logger.Error("got invalid URL from CA", 183 | zap.String("file_validation_url", valInfo.URL), 184 | zap.Error(err)) 185 | rw.WriteHeader(http.StatusInternalServerError) 186 | return true 187 | } 188 | if req.URL.Path != validationURL.Path { 189 | rw.WriteHeader(http.StatusNotFound) 190 | return true 191 | } 192 | 193 | rw.Header().Add("Content-Type", "text/plain") 194 | req.Close = true 195 | 196 | rw.Write([]byte(valInfo.Token)) 197 | 198 | logger.Info("served HTTP validation credential", 199 | zap.String("validation_path", valInfo.URL), 200 | zap.String("challenge", "http-01"), 201 | zap.String("remote", req.RemoteAddr), 202 | zap.Bool("distributed", distributed)) 203 | 204 | return true 205 | } 206 | 207 | const ( 208 | acmeHTTPChallengeBasePath = "/.well-known/acme-challenge" 209 | zerosslHTTPValidationBasePath = "/.well-known/pki-validation/" 210 | ) 211 | -------------------------------------------------------------------------------- /httphandlers_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "net/http" 19 | "net/http/httptest" 20 | "os" 21 | "testing" 22 | ) 23 | 24 | func TestHTTPChallengeHandlerNoOp(t *testing.T) { 25 | am := &ACMEIssuer{CA: "https://example.com/acme/directory", Logger: defaultTestLogger} 26 | testConfig := &Config{ 27 | Issuers: []Issuer{am}, 28 | Storage: &FileStorage{Path: "./_testdata_tmp"}, 29 | Logger: defaultTestLogger, 30 | certCache: new(Cache), 31 | } 32 | am.config = testConfig 33 | 34 | testStorageDir := testConfig.Storage.(*FileStorage).Path 35 | defer func() { 36 | err := os.RemoveAll(testStorageDir) 37 | if err != nil { 38 | t.Fatalf("Could not remove temporary storage directory (%s): %v", testStorageDir, err) 39 | } 40 | }() 41 | 42 | // try base paths and host names that aren't 43 | // handled by this handler 44 | for _, url := range []string{ 45 | "http://localhost/", 46 | "http://localhost/foo.html", 47 | "http://localhost/.git", 48 | "http://localhost/.well-known/", 49 | "http://localhost/.well-known/acme-challenging", 50 | "http://other/.well-known/acme-challenge/foo", 51 | } { 52 | req, err := http.NewRequest("GET", url, nil) 53 | if err != nil { 54 | t.Fatalf("Could not craft request, got error: %v", err) 55 | } 56 | rw := httptest.NewRecorder() 57 | if am.HandleHTTPChallenge(rw, req) { 58 | t.Errorf("Got true with this URL, but shouldn't have: %s", url) 59 | } 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /internal/atomicfile/README: -------------------------------------------------------------------------------- 1 | # atomic file 2 | 3 | 4 | this is copied from 5 | 6 | https://github.com/containerd/containerd/blob/main/pkg%2Fatomicfile%2Ffile.go 7 | 8 | 9 | see 10 | 11 | https://github.com/caddyserver/certmagic/issues/296 12 | -------------------------------------------------------------------------------- /internal/atomicfile/file.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The containerd Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | /* 18 | Package atomicfile provides a mechanism (on Unix-like platforms) to present a consistent view of a file to separate 19 | processes even while the file is being written. This is accomplished by writing a temporary file, syncing to disk, and 20 | renaming over the destination file name. 21 | 22 | Partial/inconsistent reads can occur due to: 23 | 1. A process attempting to read the file while it is being written to (both in the case of a new file with a 24 | short/incomplete write or in the case of an existing, updated file where new bytes may be written at the beginning 25 | but old bytes may still be present after). 26 | 2. Concurrent goroutines leading to multiple active writers of the same file. 27 | 28 | The above mechanism explicitly protects against (1) as all writes are to a file with a temporary name. 29 | 30 | There is no explicit protection against multiple, concurrent goroutines attempting to write the same file. However, 31 | atomically writing the file should mean only one writer will "win" and a consistent file will be visible. 32 | 33 | Note: atomicfile is partially implemented for Windows. The Windows codepath performs the same operations, however 34 | Windows does not guarantee that a rename operation is atomic; a crash in the middle may leave the destination file 35 | truncated rather than with the expected content. 36 | */ 37 | package atomicfile 38 | 39 | import ( 40 | "errors" 41 | "fmt" 42 | "io" 43 | "os" 44 | "path/filepath" 45 | "sync" 46 | ) 47 | 48 | // File is an io.ReadWriteCloser that can also be Canceled if a change needs to be abandoned. 49 | type File interface { 50 | io.ReadWriteCloser 51 | // Cancel abandons a change to a file. This can be called if a write fails or another error occurs. 52 | Cancel() error 53 | } 54 | 55 | // ErrClosed is returned if Read or Write are called on a closed File. 56 | var ErrClosed = errors.New("file is closed") 57 | 58 | // New returns a new atomic file. On Unix-like platforms, the writer (an io.ReadWriteCloser) is backed by a temporary 59 | // file placed into the same directory as the destination file (using filepath.Dir to split the directory from the 60 | // name). On a call to Close the temporary file is synced to disk and renamed to its final name, hiding any previous 61 | // file by the same name. 62 | // 63 | // Note: Take care to call Close and handle any errors that are returned. Errors returned from Close may indicate that 64 | // the file was not written with its final name. 65 | func New(name string, mode os.FileMode) (File, error) { 66 | return newFile(name, mode) 67 | } 68 | 69 | type atomicFile struct { 70 | name string 71 | f *os.File 72 | closed bool 73 | closedMu sync.RWMutex 74 | } 75 | 76 | func newFile(name string, mode os.FileMode) (File, error) { 77 | dir := filepath.Dir(name) 78 | f, err := os.CreateTemp(dir, "") 79 | if err != nil { 80 | return nil, fmt.Errorf("failed to create temp file: %w", err) 81 | } 82 | if err := f.Chmod(mode); err != nil { 83 | return nil, fmt.Errorf("failed to change temp file permissions: %w", err) 84 | } 85 | return &atomicFile{name: name, f: f}, nil 86 | } 87 | 88 | func (a *atomicFile) Close() (err error) { 89 | a.closedMu.Lock() 90 | defer a.closedMu.Unlock() 91 | 92 | if a.closed { 93 | return nil 94 | } 95 | a.closed = true 96 | 97 | defer func() { 98 | if err != nil { 99 | _ = os.Remove(a.f.Name()) // ignore errors 100 | } 101 | }() 102 | // The order of operations here is: 103 | // 1. sync 104 | // 2. close 105 | // 3. rename 106 | // While the ordering of 2 and 3 is not important on Unix-like operating systems, Windows cannot rename an open 107 | // file. By closing first, we allow the rename operation to succeed. 108 | if err = a.f.Sync(); err != nil { 109 | return fmt.Errorf("failed to sync temp file %q: %w", a.f.Name(), err) 110 | } 111 | if err = a.f.Close(); err != nil { 112 | return fmt.Errorf("failed to close temp file %q: %w", a.f.Name(), err) 113 | } 114 | if err = os.Rename(a.f.Name(), a.name); err != nil { 115 | return fmt.Errorf("failed to rename %q to %q: %w", a.f.Name(), a.name, err) 116 | } 117 | return nil 118 | } 119 | 120 | func (a *atomicFile) Cancel() error { 121 | a.closedMu.Lock() 122 | defer a.closedMu.Unlock() 123 | 124 | if a.closed { 125 | return nil 126 | } 127 | a.closed = true 128 | _ = a.f.Close() // ignore error 129 | return os.Remove(a.f.Name()) 130 | } 131 | 132 | func (a *atomicFile) Read(p []byte) (n int, err error) { 133 | a.closedMu.RLock() 134 | defer a.closedMu.RUnlock() 135 | if a.closed { 136 | return 0, ErrClosed 137 | } 138 | return a.f.Read(p) 139 | } 140 | 141 | func (a *atomicFile) Write(p []byte) (n int, err error) { 142 | a.closedMu.RLock() 143 | defer a.closedMu.RUnlock() 144 | if a.closed { 145 | return 0, ErrClosed 146 | } 147 | return a.f.Write(p) 148 | } 149 | -------------------------------------------------------------------------------- /internal/atomicfile/file_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The containerd Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package atomicfile_test 18 | 19 | import ( 20 | "fmt" 21 | "os" 22 | "path/filepath" 23 | "testing" 24 | 25 | "github.com/caddyserver/certmagic/internal/atomicfile" 26 | "github.com/caddyserver/certmagic/internal/testutil" 27 | ) 28 | 29 | func TestFile(t *testing.T) { 30 | const content = "this is some test content for a file" 31 | dir := t.TempDir() 32 | path := filepath.Join(dir, "test-file") 33 | 34 | f, err := atomicfile.New(path, 0o644) 35 | testutil.RequireNoError(t, err, "failed to create file") 36 | n, err := fmt.Fprint(f, content) 37 | testutil.AssertNoError(t, err, "failed to write content") 38 | testutil.AssertEqual(t, len(content), n, "written bytes should be equal") 39 | err = f.Close() 40 | testutil.RequireNoError(t, err, "failed to close file") 41 | 42 | actual, err := os.ReadFile(path) 43 | testutil.AssertNoError(t, err, "failed to read file") 44 | testutil.AssertEqual(t, content, string(actual)) 45 | } 46 | 47 | func TestConcurrentWrites(t *testing.T) { 48 | const content1 = "this is the first content of the file. there should be none other." 49 | const content2 = "the second content of the file should win!" 50 | dir := t.TempDir() 51 | path := filepath.Join(dir, "test-file") 52 | 53 | file1, err := atomicfile.New(path, 0o600) 54 | testutil.RequireNoError(t, err, "failed to create file1") 55 | file2, err := atomicfile.New(path, 0o644) 56 | testutil.RequireNoError(t, err, "failed to create file2") 57 | 58 | n, err := fmt.Fprint(file1, content1) 59 | testutil.AssertNoError(t, err, "failed to write content1") 60 | testutil.AssertEqual(t, len(content1), n, "written bytes should be equal") 61 | 62 | n, err = fmt.Fprint(file2, content2) 63 | testutil.AssertNoError(t, err, "failed to write content2") 64 | testutil.AssertEqual(t, len(content2), n, "written bytes should be equal") 65 | 66 | err = file1.Close() 67 | testutil.RequireNoError(t, err, "failed to close file1") 68 | actual, err := os.ReadFile(path) 69 | testutil.AssertNoError(t, err, "failed to read file") 70 | testutil.AssertEqual(t, content1, string(actual)) 71 | 72 | err = file2.Close() 73 | testutil.RequireNoError(t, err, "failed to close file2") 74 | actual, err = os.ReadFile(path) 75 | testutil.AssertNoError(t, err, "failed to read file") 76 | testutil.AssertEqual(t, content2, string(actual)) 77 | } 78 | -------------------------------------------------------------------------------- /internal/testutil/readme.md: -------------------------------------------------------------------------------- 1 | # testutil 2 | 3 | some testing functions copied out of github.com/stretchr/testify, which were originally used by atomicfile 4 | 5 | ``` 6 | MIT License 7 | 8 | Copyright (c) 2012-2020 Mat Ryer, Tyler Bunnell and contributors. 9 | 10 | Permission is hereby granted, free of charge, to any person obtaining a copy 11 | of this software and associated documentation files (the "Software"), to deal 12 | in the Software without restriction, including without limitation the rights 13 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 14 | copies of the Software, and to permit persons to whom the Software is 15 | furnished to do so, subject to the following conditions: 16 | 17 | The above copyright notice and this permission notice shall be included in all 18 | copies or substantial portions of the Software. 19 | 20 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 21 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 22 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 23 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 24 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 25 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 26 | SOFTWARE. 27 | ``` 28 | -------------------------------------------------------------------------------- /internal/testutil/testutil.go: -------------------------------------------------------------------------------- 1 | package testutil 2 | 3 | import ( 4 | "bytes" 5 | "fmt" 6 | "reflect" 7 | "strings" 8 | "testing" 9 | ) 10 | 11 | func AssertNoError(t *testing.T, err error, msgAndArgs ...string) { 12 | if err != nil { 13 | Fail(t, fmt.Sprintf("Received unexpected error:\n%+v", err), msgAndArgs...) 14 | } 15 | } 16 | 17 | func AssertEqual(t *testing.T, a, b any, msgAndArgs ...string) { 18 | if !ObjectsAreEqual(a, b) { 19 | Fail(t, fmt.Sprintf("Not equal: \n"+ 20 | "expected: %v\n"+ 21 | "actual : %v", a, b), msgAndArgs...) 22 | } 23 | } 24 | func RequireNoError(t *testing.T, err error, msgAndArgs ...string) { 25 | if err != nil { 26 | Failnow(t, fmt.Sprintf("Received unexpected error:\n%+v", err), msgAndArgs...) 27 | } 28 | } 29 | func RequireError(t *testing.T, err error, msgAndArgs ...string) { 30 | if err == nil { 31 | Failnow(t, fmt.Sprintf("Received no error when expecting error:\n%+v", err), msgAndArgs...) 32 | } 33 | } 34 | 35 | func RequireEqual(t *testing.T, a, b any, msgAndArgs ...string) { 36 | if !ObjectsAreEqual(a, b) { 37 | Failnow(t, fmt.Sprintf("Not equal: \n"+ 38 | "expected: %v\n"+ 39 | "actual : %v", a, b), msgAndArgs...) 40 | } 41 | } 42 | func RequireEqualValues(t *testing.T, a, b any, msgAndArgs ...string) { 43 | if !ObjectsAreEqualValues(a, b) { 44 | Failnow(t, fmt.Sprintf("Not equal: \n"+ 45 | "expected: %v\n"+ 46 | "actual : %v", a, b), msgAndArgs...) 47 | } 48 | } 49 | 50 | func Fail(t testing.TB, xs string, msgs ...string) { 51 | var testName string 52 | // Add test name if the Go version supports it 53 | if n, ok := t.(interface { 54 | Name() string 55 | }); ok { 56 | testName = n.Name() 57 | } 58 | 59 | t.Errorf("error %s:%s\n%s\n", testName, xs, strings.Join(msgs, "")) 60 | } 61 | 62 | func Failnow(t testing.TB, xs string, msgs ...string) { 63 | Fail(t, xs, msgs...) 64 | t.FailNow() 65 | } 66 | 67 | func ObjectsAreEqual(expected, actual any) bool { 68 | if expected == nil || actual == nil { 69 | return expected == actual 70 | } 71 | 72 | exp, ok := expected.([]byte) 73 | if !ok { 74 | return reflect.DeepEqual(expected, actual) 75 | } 76 | 77 | act, ok := actual.([]byte) 78 | if !ok { 79 | return false 80 | } 81 | if exp == nil || act == nil { 82 | return exp == nil && act == nil 83 | } 84 | return bytes.Equal(exp, act) 85 | } 86 | 87 | func ObjectsAreEqualValues(expected, actual any) bool { 88 | if ObjectsAreEqual(expected, actual) { 89 | return true 90 | } 91 | 92 | actualType := reflect.TypeOf(actual) 93 | if actualType == nil { 94 | return false 95 | } 96 | expectedValue := reflect.ValueOf(expected) 97 | if expectedValue.IsValid() && expectedValue.Type().ConvertibleTo(actualType) { 98 | // Attempt comparison after type conversion 99 | return reflect.DeepEqual(expectedValue.Convert(actualType).Interface(), actual) 100 | } 101 | 102 | return false 103 | } 104 | -------------------------------------------------------------------------------- /ocsp.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "bytes" 19 | "context" 20 | "crypto/x509" 21 | "encoding/pem" 22 | "errors" 23 | "fmt" 24 | "io" 25 | "log" 26 | "net/http" 27 | "time" 28 | 29 | "golang.org/x/crypto/ocsp" 30 | ) 31 | 32 | // ErrNoOCSPServerSpecified indicates that OCSP information could not be 33 | // stapled because the certificate does not support OCSP. 34 | var ErrNoOCSPServerSpecified = errors.New("no OCSP server specified in certificate") 35 | 36 | // stapleOCSP staples OCSP information to cert for hostname name. 37 | // If you have it handy, you should pass in the PEM-encoded certificate 38 | // bundle; otherwise the DER-encoded cert will have to be PEM-encoded. 39 | // If you don't have the PEM blocks already, just pass in nil. 40 | // 41 | // If successful, the OCSP response will be set to cert's ocsp field, 42 | // regardless of the OCSP status. It is only stapled, however, if the 43 | // status is Good. 44 | // 45 | // Errors here are not necessarily fatal, it could just be that the 46 | // certificate doesn't have an issuer URL. 47 | func stapleOCSP(ctx context.Context, ocspConfig OCSPConfig, storage Storage, cert *Certificate, pemBundle []byte) error { 48 | if ocspConfig.DisableStapling { 49 | return nil 50 | } 51 | 52 | if pemBundle == nil { 53 | // we need a PEM encoding only for some function calls below 54 | bundle := new(bytes.Buffer) 55 | for _, derBytes := range cert.Certificate.Certificate { 56 | pem.Encode(bundle, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) 57 | } 58 | pemBundle = bundle.Bytes() 59 | } 60 | 61 | var ocspBytes []byte 62 | var ocspResp *ocsp.Response 63 | var ocspErr error 64 | var gotNewOCSP bool 65 | 66 | // First try to load OCSP staple from storage and see if 67 | // we can still use it. 68 | ocspStapleKey := StorageKeys.OCSPStaple(cert, pemBundle) 69 | cachedOCSP, err := storage.Load(ctx, ocspStapleKey) 70 | if err == nil { 71 | resp, err := ocsp.ParseResponse(cachedOCSP, nil) 72 | if err == nil { 73 | if freshOCSP(resp) { 74 | // staple is still fresh; use it 75 | ocspBytes = cachedOCSP 76 | ocspResp = resp 77 | } 78 | } else { 79 | // invalid contents; delete the file 80 | // (we do this independently of the maintenance routine because 81 | // in this case we know for sure this should be a staple file 82 | // because we loaded it by name, whereas the maintenance routine 83 | // just iterates the list of files, even if somehow a non-staple 84 | // file gets in the folder. in this case we are sure it is corrupt.) 85 | err := storage.Delete(ctx, ocspStapleKey) 86 | if err != nil { 87 | log.Printf("[WARNING] Unable to delete invalid OCSP staple file: %v", err) 88 | } 89 | } 90 | } 91 | 92 | // If we couldn't get a fresh staple by reading the cache, 93 | // then we need to request it from the OCSP responder 94 | if ocspResp == nil || len(ocspBytes) == 0 { 95 | ocspBytes, ocspResp, ocspErr = getOCSPForCert(ocspConfig, pemBundle) 96 | // An error here is not a problem because a certificate 97 | // may simply not contain a link to an OCSP server. 98 | if ocspErr != nil { 99 | // For short-lived certificates, this is fine and we can ignore 100 | // logging because OCSP doesn't make much sense for them anyway. 101 | if cert.Lifetime() < 7*24*time.Hour { 102 | return nil 103 | } 104 | // There's nothing else we can do to get OCSP for this certificate, 105 | // so we can return here with the error to warn about it. 106 | return fmt.Errorf("no OCSP stapling for %v: %w", cert.Names, ocspErr) 107 | } 108 | gotNewOCSP = true 109 | } 110 | 111 | if ocspResp.NextUpdate.After(expiresAt(cert.Leaf)) { 112 | // uh oh, this OCSP response expires AFTER the certificate does, that's kinda bogus. 113 | // it was the reason a lot of Symantec-validated sites (not Caddy) went down 114 | // in October 2017. https://twitter.com/mattiasgeniar/status/919432824708648961 115 | return fmt.Errorf("invalid: OCSP response for %v valid after certificate expiration (%s)", 116 | cert.Names, expiresAt(cert.Leaf).Sub(ocspResp.NextUpdate)) 117 | } 118 | 119 | // Attach the latest OCSP response to the certificate; this is NOT the same 120 | // as stapling it, which we do below only if the status is Good, but it is 121 | // useful to keep with the cert in order to act on it later (like if Revoked). 122 | cert.ocsp = ocspResp 123 | 124 | // If the response is good, staple it to the certificate. If the OCSP 125 | // response was not loaded from storage, we persist it for next time. 126 | if ocspResp.Status == ocsp.Good { 127 | cert.Certificate.OCSPStaple = ocspBytes 128 | if gotNewOCSP { 129 | err := storage.Store(ctx, ocspStapleKey, ocspBytes) 130 | if err != nil { 131 | return fmt.Errorf("unable to write OCSP staple file for %v: %v", cert.Names, err) 132 | } 133 | } 134 | } 135 | 136 | return nil 137 | } 138 | 139 | // getOCSPForCert takes a PEM encoded cert or cert bundle returning the raw OCSP response, 140 | // the parsed response, and an error, if any. The returned []byte can be passed directly 141 | // into the OCSPStaple property of a tls.Certificate. If the bundle only contains the 142 | // issued certificate, this function will try to get the issuer certificate from the 143 | // IssuingCertificateURL in the certificate. If the []byte and/or ocsp.Response return 144 | // values are nil, the OCSP status may be assumed OCSPUnknown. 145 | // 146 | // Borrowed from xenolf. 147 | func getOCSPForCert(ocspConfig OCSPConfig, bundle []byte) ([]byte, *ocsp.Response, error) { 148 | // TODO: Perhaps this should be synchronized too, with a Locker? 149 | 150 | certificates, err := parseCertsFromPEMBundle(bundle) 151 | if err != nil { 152 | return nil, nil, err 153 | } 154 | 155 | // We expect the certificate slice to be ordered downwards the chain. 156 | // SRV CRT -> CA. We need to pull the leaf and issuer certs out of it, 157 | // which should always be the first two certificates. If there's no 158 | // OCSP server listed in the leaf cert, there's nothing to do. And if 159 | // we have only one certificate so far, we need to get the issuer cert. 160 | issuedCert := certificates[0] 161 | if len(issuedCert.OCSPServer) == 0 { 162 | return nil, nil, ErrNoOCSPServerSpecified 163 | } 164 | 165 | // apply override for responder URL 166 | respURL := issuedCert.OCSPServer[0] 167 | if len(ocspConfig.ResponderOverrides) > 0 { 168 | if override, ok := ocspConfig.ResponderOverrides[respURL]; ok { 169 | respURL = override 170 | } 171 | } 172 | if respURL == "" { 173 | return nil, nil, fmt.Errorf("override disables querying OCSP responder: %v", issuedCert.OCSPServer[0]) 174 | } 175 | 176 | // configure HTTP client if necessary 177 | httpClient := http.DefaultClient 178 | if ocspConfig.HTTPProxy != nil { 179 | httpClient = &http.Client{ 180 | Transport: &http.Transport{ 181 | Proxy: ocspConfig.HTTPProxy, 182 | }, 183 | Timeout: 30 * time.Second, 184 | } 185 | } 186 | 187 | // get issuer certificate if needed 188 | if len(certificates) == 1 { 189 | if len(issuedCert.IssuingCertificateURL) == 0 { 190 | return nil, nil, fmt.Errorf("no URL to issuing certificate") 191 | } 192 | 193 | resp, err := httpClient.Get(issuedCert.IssuingCertificateURL[0]) 194 | if err != nil { 195 | return nil, nil, fmt.Errorf("getting issuer certificate: %v", err) 196 | } 197 | defer resp.Body.Close() 198 | 199 | issuerBytes, err := io.ReadAll(io.LimitReader(resp.Body, 1024*1024)) 200 | if err != nil { 201 | return nil, nil, fmt.Errorf("reading issuer certificate: %v", err) 202 | } 203 | 204 | issuerCert, err := x509.ParseCertificate(issuerBytes) 205 | if err != nil { 206 | return nil, nil, fmt.Errorf("parsing issuer certificate: %v", err) 207 | } 208 | 209 | // insert it into the slice on position 0; 210 | // we want it ordered right SRV CRT -> CA 211 | certificates = append(certificates, issuerCert) 212 | } 213 | 214 | issuerCert := certificates[1] 215 | 216 | ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil) 217 | if err != nil { 218 | return nil, nil, fmt.Errorf("creating OCSP request: %v", err) 219 | } 220 | 221 | reader := bytes.NewReader(ocspReq) 222 | req, err := httpClient.Post(respURL, "application/ocsp-request", reader) 223 | if err != nil { 224 | return nil, nil, fmt.Errorf("making OCSP request: %v", err) 225 | } 226 | defer req.Body.Close() 227 | 228 | ocspResBytes, err := io.ReadAll(io.LimitReader(req.Body, 1024*1024)) 229 | if err != nil { 230 | return nil, nil, fmt.Errorf("reading OCSP response: %v", err) 231 | } 232 | 233 | ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCert) 234 | if err != nil { 235 | return nil, nil, fmt.Errorf("parsing OCSP response: %v", err) 236 | } 237 | 238 | return ocspResBytes, ocspRes, nil 239 | } 240 | 241 | // freshOCSP returns true if resp is still fresh, 242 | // meaning that it is not expedient to get an 243 | // updated response from the OCSP server. 244 | func freshOCSP(resp *ocsp.Response) bool { 245 | nextUpdate := resp.NextUpdate 246 | // If there is an OCSP responder certificate, and it expires before the 247 | // OCSP response, use its expiration date as the end of the OCSP 248 | // response's validity period. 249 | if resp.Certificate != nil && resp.Certificate.NotAfter.Before(nextUpdate) { 250 | nextUpdate = resp.Certificate.NotAfter 251 | } 252 | // start checking OCSP staple about halfway through validity period for good measure 253 | refreshTime := resp.ThisUpdate.Add(nextUpdate.Sub(resp.ThisUpdate) / 2) 254 | return time.Now().Before(refreshTime) 255 | } 256 | -------------------------------------------------------------------------------- /ocsp_test.go: -------------------------------------------------------------------------------- 1 | package certmagic 2 | 3 | import ( 4 | "bytes" 5 | "context" 6 | "crypto" 7 | "errors" 8 | "io" 9 | "net/http" 10 | "net/http/httptest" 11 | "testing" 12 | 13 | "golang.org/x/crypto/ocsp" 14 | ) 15 | 16 | const certWithOCSPServer = `-----BEGIN CERTIFICATE----- 17 | MIIBgjCCASegAwIBAgICIAAwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHVGVzdCBD 18 | QTAeFw0yMzAxMDExMjAwMDBaFw0yMzAyMDExMjAwMDBaMCAxHjAcBgNVBAMTFU9D 19 | U1AgVGVzdCBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIoe 20 | I/bjo34qony8LdRJD+Jhuk8/S8YHXRHl6rH9t5VFCFtX8lIPN/Ll1zCrQ2KB3Wlb 21 | fxSgiQyLrCpZyrdhVPSjXzBdMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU+Eo3 22 | 5sST4LRrwS4dueIdGBZ5d7IwLAYIKwYBBQUHAQEEIDAeMBwGCCsGAQUFBzABhhBv 23 | Y3NwLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDg94xY/+/VepESdvTT 24 | ykCwiWOS2aCpjyryrKpwMKkR0AIhAPc/+ZEz4W10OENxC1t+NUTvS8JbEGOwulkZ 25 | z9yfaLuD 26 | -----END CERTIFICATE-----` 27 | 28 | const certWithoutOCSPServer = `-----BEGIN CERTIFICATE----- 29 | MIIBUzCB+aADAgECAgIgADAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB 30 | MB4XDTIzMDEwMTEyMDAwMFoXDTIzMDIwMTEyMDAwMFowIDEeMBwGA1UEAxMVT0NT 31 | UCBUZXN0IENlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEih4j 32 | 9uOjfiqifLwt1EkP4mG6Tz9LxgddEeXqsf23lUUIW1fyUg838uXXMKtDYoHdaVt/ 33 | FKCJDIusKlnKt2FU9KMxMC8wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBT4Sjfm 34 | xJPgtGvBLh254h0YFnl3sjAKBggqhkjOPQQDAgNJADBGAiEA3rWetLGblfSuNZKf 35 | 5CpZxhj3A0BjEocEh+2P+nAgIdUCIQDIgptabR1qTLQaF2u0hJsEX2IKuIUvYWH3 36 | 6Lb92+zIHg== 37 | -----END CERTIFICATE-----` 38 | 39 | // certKey is the private key for both certWithOCSPServer and 40 | // certWithoutOCSPServer. 41 | const certKey = `-----BEGIN EC PRIVATE KEY----- 42 | MHcCAQEEINnVcgrSNh4HlThWlZpegq14M8G/p9NVDtdVjZrseUGLoAoGCCqGSM49 43 | AwEHoUQDQgAEih4j9uOjfiqifLwt1EkP4mG6Tz9LxgddEeXqsf23lUUIW1fyUg83 44 | 8uXXMKtDYoHdaVt/FKCJDIusKlnKt2FU9A== 45 | -----END EC PRIVATE KEY-----` 46 | 47 | // caCert is the issuing certificate for certWithOCSPServer and 48 | // certWithoutOCSPServer. 49 | const caCert = `-----BEGIN CERTIFICATE----- 50 | MIIBazCCARGgAwIBAgICEAAwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHVGVzdCBD 51 | QTAeFw0yMzAxMDExMjAwMDBaFw0yMzAyMDExMjAwMDBaMBIxEDAOBgNVBAMTB1Rl 52 | c3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASdKexSor/aeazDM57UHhAX 53 | rCkJxUeF2BWf0lZYCRxc3f0GdrEsVvjJW8+/E06eAzDCGSdM/08Nvun1nb6AmAlt 54 | o1cwVTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0T 55 | AQH/BAUwAwEB/zAdBgNVHQ4EFgQU+Eo35sST4LRrwS4dueIdGBZ5d7IwCgYIKoZI 56 | zj0EAwIDSAAwRQIgGbA39+kETTB/YMLBFoC2fpZe1cDWfFB7TUdfINUqdH4CIQCR 57 | ByUFC8A+hRNkK5YNH78bgjnKk/88zUQF5ONy4oPGdQ== 58 | -----END CERTIFICATE-----` 59 | 60 | const caKey = `-----BEGIN EC PRIVATE KEY----- 61 | MHcCAQEEIDJ59ptjq3MzILH4zn5IKoH1sYn+zrUeq2kD8+DD2x+OoAoGCCqGSM49 62 | AwEHoUQDQgAEnSnsUqK/2nmswzOe1B4QF6wpCcVHhdgVn9JWWAkcXN39BnaxLFb4 63 | yVvPvxNOngMwwhknTP9PDb7p9Z2+gJgJbQ== 64 | -----END EC PRIVATE KEY-----` 65 | 66 | func TestStapleOCSP(t *testing.T) { 67 | ctx := context.Background() 68 | storage := &FileStorage{Path: t.TempDir()} 69 | 70 | t.Run("disabled", func(t *testing.T) { 71 | cert := mustMakeCertificate(t, certWithOCSPServer, certKey) 72 | config := OCSPConfig{DisableStapling: true} 73 | err := stapleOCSP(ctx, config, storage, &cert, nil) 74 | if err != nil { 75 | t.Error("unexpected error:", err) 76 | } else if cert.Certificate.OCSPStaple != nil { 77 | t.Error("unexpected OCSP staple") 78 | } 79 | }) 80 | t.Run("no OCSP server", func(t *testing.T) { 81 | cert := mustMakeCertificate(t, certWithoutOCSPServer, certKey) 82 | err := stapleOCSP(ctx, OCSPConfig{}, storage, &cert, nil) 83 | if !errors.Is(err, ErrNoOCSPServerSpecified) { 84 | t.Error("expected ErrNoOCSPServerSpecified in error", err) 85 | } 86 | }) 87 | 88 | // Start an OCSP responder test server. 89 | responses := make(map[string][]byte) 90 | responder := startOCSPResponder(t, responses) 91 | t.Cleanup(responder.Close) 92 | 93 | ca := mustMakeCertificate(t, caCert, caKey) 94 | 95 | // The certWithOCSPServer certificate has a bogus ocsp.example.com endpoint. 96 | // Use the ResponderOverrides option to point to the test server instead. 97 | config := OCSPConfig{ 98 | ResponderOverrides: map[string]string{ 99 | "ocsp.example.com": responder.URL, 100 | }, 101 | } 102 | 103 | t.Run("ok", func(t *testing.T) { 104 | cert := mustMakeCertificate(t, certWithOCSPServer, certKey) 105 | tpl := ocsp.Response{ 106 | Status: ocsp.Good, 107 | SerialNumber: cert.Leaf.SerialNumber, 108 | } 109 | r, err := ocsp.CreateResponse( 110 | ca.Leaf, ca.Leaf, tpl, ca.PrivateKey.(crypto.Signer)) 111 | if err != nil { 112 | t.Fatal("couldn't create OCSP response", err) 113 | } 114 | responses[cert.Leaf.SerialNumber.String()] = r 115 | 116 | bundle := []byte(certWithOCSPServer + "\n" + caCert) 117 | err = stapleOCSP(ctx, config, storage, &cert, bundle) 118 | if err != nil { 119 | t.Error("unexpected error:", err) 120 | } else if !bytes.Equal(cert.Certificate.OCSPStaple, r) { 121 | t.Error("expected OCSP response to be stapled to certificate") 122 | } 123 | }) 124 | t.Run("revoked", func(t *testing.T) { 125 | cert := mustMakeCertificate(t, certWithOCSPServer, certKey) 126 | tpl := ocsp.Response{ 127 | Status: ocsp.Revoked, 128 | SerialNumber: cert.Leaf.SerialNumber, 129 | } 130 | r, err := ocsp.CreateResponse( 131 | ca.Leaf, ca.Leaf, tpl, ca.PrivateKey.(crypto.Signer)) 132 | if err != nil { 133 | t.Fatal("couldn't create OCSP response", err) 134 | } 135 | responses[cert.Leaf.SerialNumber.String()] = r 136 | 137 | bundle := []byte(certWithOCSPServer + "\n" + caCert) 138 | err = stapleOCSP(ctx, config, storage, &cert, bundle) 139 | if err != nil { 140 | t.Error("unexpected error:", err) 141 | } else if cert.Certificate.OCSPStaple != nil { 142 | t.Error("revoked OCSP response should not be stapled") 143 | } 144 | }) 145 | t.Run("no issuing cert", func(t *testing.T) { 146 | cert := mustMakeCertificate(t, certWithOCSPServer, certKey) 147 | err := stapleOCSP(ctx, config, storage, &cert, nil) 148 | expected := "no OCSP stapling for [ocsp test certificate]: " + 149 | "no URL to issuing certificate" 150 | if err == nil || err.Error() != expected { 151 | t.Errorf("expected error %q but got %q", expected, err) 152 | } 153 | }) 154 | } 155 | 156 | func mustMakeCertificate(t *testing.T, cert, key string) Certificate { 157 | t.Helper() 158 | c, err := makeCertificate([]byte(cert), []byte(key)) 159 | if err != nil { 160 | t.Fatal("couldn't make certificate:", err) 161 | } 162 | return c 163 | } 164 | 165 | func startOCSPResponder( 166 | t *testing.T, responses map[string][]byte, 167 | ) *httptest.Server { 168 | h := func(w http.ResponseWriter, r *http.Request) { 169 | ct := r.Header.Get("Content-Type") 170 | if ct != "application/ocsp-request" { 171 | t.Errorf("unexpected request Content-Type %q", ct) 172 | } 173 | b, _ := io.ReadAll(r.Body) 174 | request, err := ocsp.ParseRequest(b) 175 | if err != nil { 176 | t.Fatal(err) 177 | } 178 | w.Header().Set("Content-Type", "application/ocsp-response") 179 | w.Write(responses[request.SerialNumber.String()]) 180 | } 181 | return httptest.NewServer(http.HandlerFunc(h)) 182 | } 183 | -------------------------------------------------------------------------------- /ratelimiter.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "context" 19 | "log" 20 | "runtime" 21 | "sync" 22 | "time" 23 | ) 24 | 25 | // NewRateLimiter returns a rate limiter that allows up to maxEvents 26 | // in a sliding window of size window. If maxEvents and window are 27 | // both 0, or if maxEvents is non-zero and window is 0, rate limiting 28 | // is disabled. This function panics if maxEvents is less than 0 or 29 | // if maxEvents is 0 and window is non-zero, which is considered to be 30 | // an invalid configuration, as it would never allow events. 31 | func NewRateLimiter(maxEvents int, window time.Duration) *RingBufferRateLimiter { 32 | if maxEvents < 0 { 33 | panic("maxEvents cannot be less than zero") 34 | } 35 | if maxEvents == 0 && window != 0 { 36 | panic("NewRateLimiter: invalid configuration: maxEvents = 0 and window != 0 would not allow any events") 37 | } 38 | rbrl := &RingBufferRateLimiter{ 39 | window: window, 40 | ring: make([]time.Time, maxEvents), 41 | started: make(chan struct{}), 42 | stopped: make(chan struct{}), 43 | ticket: make(chan struct{}), 44 | } 45 | go rbrl.loop() 46 | <-rbrl.started // make sure loop is ready to receive before we return 47 | return rbrl 48 | } 49 | 50 | // RingBufferRateLimiter uses a ring to enforce rate limits 51 | // consisting of a maximum number of events within a single 52 | // sliding window of a given duration. An empty value is 53 | // not valid; use NewRateLimiter to get one. 54 | type RingBufferRateLimiter struct { 55 | window time.Duration 56 | ring []time.Time // maxEvents == len(ring) 57 | cursor int // always points to the oldest timestamp 58 | mu sync.Mutex // protects ring, cursor, and window 59 | started chan struct{} 60 | stopped chan struct{} 61 | ticket chan struct{} 62 | } 63 | 64 | // Stop cleans up r's scheduling goroutine. 65 | func (r *RingBufferRateLimiter) Stop() { 66 | close(r.stopped) 67 | } 68 | 69 | func (r *RingBufferRateLimiter) loop() { 70 | defer func() { 71 | if err := recover(); err != nil { 72 | buf := make([]byte, stackTraceBufferSize) 73 | buf = buf[:runtime.Stack(buf, false)] 74 | log.Printf("panic: ring buffer rate limiter: %v\n%s", err, buf) 75 | } 76 | }() 77 | 78 | for { 79 | // if we've been stopped, return 80 | select { 81 | case <-r.stopped: 82 | return 83 | default: 84 | } 85 | 86 | if len(r.ring) == 0 { 87 | if r.window == 0 { 88 | // rate limiting is disabled; always allow immediately 89 | r.permit() 90 | continue 91 | } 92 | panic("invalid configuration: maxEvents = 0 and window != 0 does not allow any events") 93 | } 94 | 95 | // wait until next slot is available or until we've been stopped 96 | r.mu.Lock() 97 | then := r.ring[r.cursor].Add(r.window) 98 | r.mu.Unlock() 99 | waitDuration := time.Until(then) 100 | waitTimer := time.NewTimer(waitDuration) 101 | select { 102 | case <-waitTimer.C: 103 | r.permit() 104 | case <-r.stopped: 105 | waitTimer.Stop() 106 | return 107 | } 108 | } 109 | } 110 | 111 | // Allow returns true if the event is allowed to 112 | // happen right now. It does not wait. If the event 113 | // is allowed, a ticket is claimed. 114 | func (r *RingBufferRateLimiter) Allow() bool { 115 | select { 116 | case <-r.ticket: 117 | return true 118 | default: 119 | return false 120 | } 121 | } 122 | 123 | // Wait blocks until the event is allowed to occur. It returns an 124 | // error if the context is cancelled. 125 | func (r *RingBufferRateLimiter) Wait(ctx context.Context) error { 126 | select { 127 | case <-ctx.Done(): 128 | return context.Canceled 129 | case <-r.ticket: 130 | return nil 131 | } 132 | } 133 | 134 | // MaxEvents returns the maximum number of events that 135 | // are allowed within the sliding window. 136 | func (r *RingBufferRateLimiter) MaxEvents() int { 137 | r.mu.Lock() 138 | defer r.mu.Unlock() 139 | return len(r.ring) 140 | } 141 | 142 | // SetMaxEvents changes the maximum number of events that are 143 | // allowed in the sliding window. If the new limit is lower, 144 | // the oldest events will be forgotten. If the new limit is 145 | // higher, the window will suddenly have capacity for new 146 | // reservations. It panics if maxEvents is 0 and window size 147 | // is not zero; if setting both the events limit and the 148 | // window size to 0, call SetWindow() first. 149 | func (r *RingBufferRateLimiter) SetMaxEvents(maxEvents int) { 150 | newRing := make([]time.Time, maxEvents) 151 | r.mu.Lock() 152 | defer r.mu.Unlock() 153 | 154 | if r.window != 0 && maxEvents == 0 { 155 | panic("SetMaxEvents: invalid configuration: maxEvents = 0 and window != 0 would not allow any events") 156 | } 157 | 158 | // only make the change if the new limit is different 159 | if maxEvents == len(r.ring) { 160 | return 161 | } 162 | 163 | // the new ring may be smaller; fast-forward to the 164 | // oldest timestamp that will be kept in the new 165 | // ring so the oldest ones are forgotten and the 166 | // newest ones will be remembered 167 | sizeDiff := len(r.ring) - maxEvents 168 | for i := 0; i < sizeDiff; i++ { 169 | r.advance() 170 | } 171 | 172 | if len(r.ring) > 0 { 173 | // copy timestamps into the new ring until we 174 | // have either copied all of them or have reached 175 | // the capacity of the new ring 176 | startCursor := r.cursor 177 | for i := 0; i < len(newRing); i++ { 178 | newRing[i] = r.ring[r.cursor] 179 | r.advance() 180 | if r.cursor == startCursor { 181 | // new ring is larger than old one; 182 | // "we've come full circle" 183 | break 184 | } 185 | } 186 | } 187 | 188 | r.ring = newRing 189 | r.cursor = 0 190 | } 191 | 192 | // Window returns the size of the sliding window. 193 | func (r *RingBufferRateLimiter) Window() time.Duration { 194 | r.mu.Lock() 195 | defer r.mu.Unlock() 196 | return r.window 197 | } 198 | 199 | // SetWindow changes r's sliding window duration to window. 200 | // Goroutines that are already blocked on a call to Wait() 201 | // will not be affected. It panics if window is non-zero 202 | // but the max event limit is 0. 203 | func (r *RingBufferRateLimiter) SetWindow(window time.Duration) { 204 | r.mu.Lock() 205 | defer r.mu.Unlock() 206 | if window != 0 && len(r.ring) == 0 { 207 | panic("SetWindow: invalid configuration: maxEvents = 0 and window != 0 would not allow any events") 208 | } 209 | r.window = window 210 | } 211 | 212 | // permit allows one event through the throttle. This method 213 | // blocks until a goroutine is waiting for a ticket or until 214 | // the rate limiter is stopped. 215 | func (r *RingBufferRateLimiter) permit() { 216 | for { 217 | select { 218 | case r.started <- struct{}{}: 219 | // notify parent goroutine that we've started; should 220 | // only happen once, before constructor returns 221 | continue 222 | case <-r.stopped: 223 | return 224 | case r.ticket <- struct{}{}: 225 | r.mu.Lock() 226 | defer r.mu.Unlock() 227 | if len(r.ring) > 0 { 228 | r.ring[r.cursor] = time.Now() 229 | r.advance() 230 | } 231 | return 232 | } 233 | } 234 | } 235 | 236 | // advance moves the cursor to the next position. 237 | // It is NOT safe for concurrent use, so it must 238 | // be called inside a lock on r.mu. 239 | func (r *RingBufferRateLimiter) advance() { 240 | r.cursor++ 241 | if r.cursor >= len(r.ring) { 242 | r.cursor = 0 243 | } 244 | } 245 | -------------------------------------------------------------------------------- /solvers_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/mholt/acmez/v3/acme" 21 | ) 22 | 23 | func Test_challengeKey(t *testing.T) { 24 | type args struct { 25 | chal acme.Challenge 26 | } 27 | tests := []struct { 28 | name string 29 | args args 30 | want string 31 | }{ 32 | { 33 | name: "ok/dns-dns", 34 | args: args{ 35 | chal: acme.Challenge{ 36 | Type: acme.ChallengeTypeDNS01, 37 | Identifier: acme.Identifier{ 38 | Type: "dns", 39 | Value: "*.example.com", 40 | }, 41 | }, 42 | }, 43 | want: "*.example.com", 44 | }, 45 | { 46 | name: "ok/http-dns", 47 | args: args{ 48 | chal: acme.Challenge{ 49 | Type: acme.ChallengeTypeHTTP01, 50 | Identifier: acme.Identifier{ 51 | Type: "dns", 52 | Value: "*.example.com", 53 | }, 54 | }, 55 | }, 56 | want: "*.example.com", 57 | }, 58 | { 59 | name: "ok/tls-dns", 60 | args: args{ 61 | chal: acme.Challenge{ 62 | Type: acme.ChallengeTypeTLSALPN01, 63 | Identifier: acme.Identifier{ 64 | Type: "dns", 65 | Value: "*.example.com", 66 | }, 67 | }, 68 | }, 69 | want: "*.example.com", 70 | }, 71 | { 72 | name: "ok/http-ipv4", 73 | args: args{ 74 | chal: acme.Challenge{ 75 | Type: acme.ChallengeTypeHTTP01, 76 | Identifier: acme.Identifier{ 77 | Type: "ip", 78 | Value: "127.0.0.1", 79 | }, 80 | }, 81 | }, 82 | want: "127.0.0.1", 83 | }, 84 | { 85 | name: "ok/http-ipv6", 86 | args: args{ 87 | chal: acme.Challenge{ 88 | Type: acme.ChallengeTypeHTTP01, 89 | Identifier: acme.Identifier{ 90 | Type: "ip", 91 | Value: "2001:db8::1", 92 | }, 93 | }, 94 | }, 95 | want: "2001:db8::1", 96 | }, 97 | { 98 | name: "ok/tls-ipv4", 99 | args: args{ 100 | chal: acme.Challenge{ 101 | Type: acme.ChallengeTypeTLSALPN01, 102 | Identifier: acme.Identifier{ 103 | Type: "ip", 104 | Value: "127.0.0.1", 105 | }, 106 | }, 107 | }, 108 | want: "1.0.0.127.in-addr.arpa", 109 | }, 110 | { 111 | name: "ok/tls-ipv6", 112 | args: args{ 113 | chal: acme.Challenge{ 114 | Type: acme.ChallengeTypeTLSALPN01, 115 | Identifier: acme.Identifier{ 116 | Type: "ip", 117 | Value: "2001:db8::1", 118 | }, 119 | }, 120 | }, 121 | want: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa", 122 | }, 123 | { 124 | name: "fail/tls-ipv4", 125 | args: args{ 126 | chal: acme.Challenge{ 127 | Type: acme.ChallengeTypeTLSALPN01, 128 | Identifier: acme.Identifier{ 129 | Type: "ip", 130 | Value: "127.0.0.1000", 131 | }, 132 | }, 133 | }, 134 | want: "127.0.0.1000", // reversing this fails; default to identifier value 135 | }, 136 | { 137 | name: "fail/tls-ipv6", 138 | args: args{ 139 | chal: acme.Challenge{ 140 | Type: acme.ChallengeTypeTLSALPN01, 141 | Identifier: acme.Identifier{ 142 | Type: "ip", 143 | Value: "2001:db8::10000", 144 | }, 145 | }, 146 | }, 147 | want: "2001:db8::10000", // reversing this fails; default to identifier value 148 | }, 149 | } 150 | for _, tt := range tests { 151 | t.Run(tt.name, func(t *testing.T) { 152 | if got := challengeKey(tt.args.chal); got != tt.want { 153 | t.Errorf("challengeKey() = %v, want %v", got, tt.want) 154 | } 155 | }) 156 | } 157 | } 158 | -------------------------------------------------------------------------------- /storage.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "context" 19 | "path" 20 | "regexp" 21 | "strings" 22 | "sync" 23 | "time" 24 | 25 | "go.uber.org/zap" 26 | ) 27 | 28 | // Storage is a type that implements a key-value store with 29 | // basic file system (folder path) semantics. Keys use the 30 | // forward slash '/' to separate path components and have no 31 | // leading or trailing slashes. 32 | // 33 | // A "prefix" of a key is defined on a component basis, 34 | // e.g. "a" is a prefix of "a/b" but not "ab/c". 35 | // 36 | // A "file" is a key with a value associated with it. 37 | // 38 | // A "directory" is a key with no value, but which may be 39 | // the prefix of other keys. 40 | // 41 | // Keys passed into Load and Store always have "file" semantics, 42 | // whereas "directories" are only implicit by leading up to the 43 | // file. 44 | // 45 | // The Load, Delete, List, and Stat methods should return 46 | // fs.ErrNotExist if the key does not exist. 47 | // 48 | // Processes running in a cluster should use the same Storage 49 | // value (with the same configuration) in order to share 50 | // certificates and other TLS resources with the cluster. 51 | // 52 | // Implementations of Storage MUST be safe for concurrent use 53 | // and honor context cancellations. Methods should block until 54 | // their operation is complete; that is, Load() should always 55 | // return the value from the last call to Store() for a given 56 | // key, and concurrent calls to Store() should not corrupt a 57 | // file. 58 | // 59 | // For simplicity, this is not a streaming API and is not 60 | // suitable for very large files. 61 | type Storage interface { 62 | // Locker enables the storage backend to synchronize 63 | // operational units of work. 64 | // 65 | // The use of Locker is NOT employed around every 66 | // Storage method call (Store, Load, etc), as these 67 | // should already be thread-safe. Locker is used for 68 | // high-level jobs or transactions that need 69 | // synchronization across a cluster; it's a simple 70 | // distributed lock. For example, CertMagic uses the 71 | // Locker interface to coordinate the obtaining of 72 | // certificates. 73 | Locker 74 | 75 | // Store puts value at key. It creates the key if it does 76 | // not exist and overwrites any existing value at this key. 77 | Store(ctx context.Context, key string, value []byte) error 78 | 79 | // Load retrieves the value at key. 80 | Load(ctx context.Context, key string) ([]byte, error) 81 | 82 | // Delete deletes the named key. If the name is a 83 | // directory (i.e. prefix of other keys), all keys 84 | // prefixed by this key should be deleted. An error 85 | // should be returned only if the key still exists 86 | // when the method returns. 87 | Delete(ctx context.Context, key string) error 88 | 89 | // Exists returns true if the key exists either as 90 | // a directory (prefix to other keys) or a file, 91 | // and there was no error checking. 92 | Exists(ctx context.Context, key string) bool 93 | 94 | // List returns all keys in the given path. 95 | // 96 | // If recursive is true, non-terminal keys 97 | // will be enumerated (i.e. "directories" 98 | // should be walked); otherwise, only keys 99 | // prefixed exactly by prefix will be listed. 100 | List(ctx context.Context, path string, recursive bool) ([]string, error) 101 | 102 | // Stat returns information about key. 103 | Stat(ctx context.Context, key string) (KeyInfo, error) 104 | } 105 | 106 | // Locker facilitates synchronization across machines and networks. 107 | // It essentially provides a distributed named-mutex service so 108 | // that multiple consumers can coordinate tasks and share resources. 109 | // 110 | // If possible, a Locker should implement a coordinated distributed 111 | // locking mechanism by generating fencing tokens (see 112 | // https://martin.kleppmann.com/2016/02/08/how-to-do-distributed-locking.html). 113 | // This typically requires a central server or consensus algorithm 114 | // However, if that is not feasible, Lockers may implement an 115 | // alternative mechanism that uses timeouts to detect node or network 116 | // failures and avoid deadlocks. For example, the default FileStorage 117 | // writes a timestamp to the lock file every few seconds, and if another 118 | // node acquiring the lock sees that timestamp is too old, it may 119 | // assume the lock is stale. 120 | // 121 | // As not all Locker implementations use fencing tokens, code relying 122 | // upon Locker must be tolerant of some mis-synchronizations but can 123 | // expect them to be rare. 124 | // 125 | // This interface should only be used for coordinating expensive 126 | // operations across nodes in a cluster; not for internal, extremely 127 | // short-lived, or high-contention locks. 128 | type Locker interface { 129 | // Lock acquires the lock for name, blocking until the lock 130 | // can be obtained or an error is returned. Only one lock 131 | // for the given name can exist at a time. A call to Lock for 132 | // a name which already exists blocks until the named lock 133 | // is released or becomes stale. 134 | // 135 | // If the named lock represents an idempotent operation, callers 136 | // should always check to make sure the work still needs to be 137 | // completed after acquiring the lock. You never know if another 138 | // process already completed the task while you were waiting to 139 | // acquire it. 140 | // 141 | // Implementations should honor context cancellation. 142 | Lock(ctx context.Context, name string) error 143 | 144 | // Unlock releases named lock. This method must ONLY be called 145 | // after a successful call to Lock, and only after the critical 146 | // section is finished, even if it errored or timed out. Unlock 147 | // cleans up any resources allocated during Lock. Unlock should 148 | // only return an error if the lock was unable to be released. 149 | Unlock(ctx context.Context, name string) error 150 | } 151 | 152 | // KeyInfo holds information about a key in storage. 153 | // Key and IsTerminal are required; Modified and Size 154 | // are optional if the storage implementation is not 155 | // able to get that information. Setting them will 156 | // make certain operations more consistent or 157 | // predictable, but it is not crucial to basic 158 | // functionality. 159 | type KeyInfo struct { 160 | Key string 161 | Modified time.Time 162 | Size int64 163 | IsTerminal bool // false for directories (keys that act as prefix for other keys) 164 | } 165 | 166 | // storeTx stores all the values or none at all. 167 | func storeTx(ctx context.Context, s Storage, all []keyValue) error { 168 | for i, kv := range all { 169 | err := s.Store(ctx, kv.key, kv.value) 170 | if err != nil { 171 | for j := i - 1; j >= 0; j-- { 172 | s.Delete(ctx, all[j].key) 173 | } 174 | return err 175 | } 176 | } 177 | return nil 178 | } 179 | 180 | // keyValue pairs a key and a value. 181 | type keyValue struct { 182 | key string 183 | value []byte 184 | } 185 | 186 | // KeyBuilder provides a namespace for methods that 187 | // build keys and key prefixes, for addressing items 188 | // in a Storage implementation. 189 | type KeyBuilder struct{} 190 | 191 | // CertsPrefix returns the storage key prefix for 192 | // the given certificate issuer. 193 | func (keys KeyBuilder) CertsPrefix(issuerKey string) string { 194 | return path.Join(prefixCerts, keys.Safe(issuerKey)) 195 | } 196 | 197 | // CertsSitePrefix returns a key prefix for items associated with 198 | // the site given by domain using the given issuer key. 199 | func (keys KeyBuilder) CertsSitePrefix(issuerKey, domain string) string { 200 | return path.Join(keys.CertsPrefix(issuerKey), keys.Safe(domain)) 201 | } 202 | 203 | // SiteCert returns the path to the certificate file for domain 204 | // that is associated with the issuer with the given issuerKey. 205 | func (keys KeyBuilder) SiteCert(issuerKey, domain string) string { 206 | safeDomain := keys.Safe(domain) 207 | return path.Join(keys.CertsSitePrefix(issuerKey, domain), safeDomain+".crt") 208 | } 209 | 210 | // SitePrivateKey returns the path to the private key file for domain 211 | // that is associated with the certificate from the given issuer with 212 | // the given issuerKey. 213 | func (keys KeyBuilder) SitePrivateKey(issuerKey, domain string) string { 214 | safeDomain := keys.Safe(domain) 215 | return path.Join(keys.CertsSitePrefix(issuerKey, domain), safeDomain+".key") 216 | } 217 | 218 | // SiteMeta returns the path to the metadata file for domain that 219 | // is associated with the certificate from the given issuer with 220 | // the given issuerKey. 221 | func (keys KeyBuilder) SiteMeta(issuerKey, domain string) string { 222 | safeDomain := keys.Safe(domain) 223 | return path.Join(keys.CertsSitePrefix(issuerKey, domain), safeDomain+".json") 224 | } 225 | 226 | // OCSPStaple returns a key for the OCSP staple associated 227 | // with the given certificate. If you have the PEM bundle 228 | // handy, pass that in to save an extra encoding step. 229 | func (keys KeyBuilder) OCSPStaple(cert *Certificate, pemBundle []byte) string { 230 | var ocspFileName string 231 | if len(cert.Names) > 0 { 232 | firstName := keys.Safe(cert.Names[0]) 233 | ocspFileName = firstName + "-" 234 | } 235 | ocspFileName += fastHash(pemBundle) 236 | return path.Join(prefixOCSP, ocspFileName) 237 | } 238 | 239 | // Safe standardizes and sanitizes str for use as 240 | // a single component of a storage key. This method 241 | // is idempotent. 242 | func (keys KeyBuilder) Safe(str string) string { 243 | str = strings.ToLower(str) 244 | str = strings.TrimSpace(str) 245 | 246 | // replace a few specific characters 247 | repl := strings.NewReplacer( 248 | " ", "_", 249 | "+", "_plus_", 250 | "*", "wildcard_", 251 | ":", "-", 252 | "..", "", // prevent directory traversal (regex allows single dots) 253 | ) 254 | str = repl.Replace(str) 255 | 256 | // finally remove all non-word characters 257 | return safeKeyRE.ReplaceAllLiteralString(str, "") 258 | } 259 | 260 | // CleanUpOwnLocks immediately cleans up all 261 | // current locks obtained by this process. Since 262 | // this does not cancel the operations that 263 | // the locks are synchronizing, this should be 264 | // called only immediately before process exit. 265 | // Errors are only reported if a logger is given. 266 | func CleanUpOwnLocks(ctx context.Context, logger *zap.Logger) { 267 | locksMu.Lock() 268 | defer locksMu.Unlock() 269 | for lockKey, storage := range locks { 270 | if err := storage.Unlock(ctx, lockKey); err != nil { 271 | logger.Error("unable to clean up lock in storage backend", 272 | zap.Any("storage", storage), 273 | zap.String("lock_key", lockKey), 274 | zap.Error(err)) 275 | continue 276 | } 277 | delete(locks, lockKey) 278 | } 279 | } 280 | 281 | func acquireLock(ctx context.Context, storage Storage, lockKey string) error { 282 | err := storage.Lock(ctx, lockKey) 283 | if err == nil { 284 | locksMu.Lock() 285 | locks[lockKey] = storage 286 | locksMu.Unlock() 287 | } 288 | return err 289 | } 290 | 291 | func releaseLock(ctx context.Context, storage Storage, lockKey string) error { 292 | err := storage.Unlock(context.WithoutCancel(ctx), lockKey) 293 | if err == nil { 294 | locksMu.Lock() 295 | delete(locks, lockKey) 296 | locksMu.Unlock() 297 | } 298 | return err 299 | } 300 | 301 | // locks stores a reference to all the current 302 | // locks obtained by this process. 303 | var locks = make(map[string]Storage) 304 | var locksMu sync.Mutex 305 | 306 | // StorageKeys provides methods for accessing 307 | // keys and key prefixes for items in a Storage. 308 | // Typically, you will not need to use this 309 | // because accessing storage is abstracted away 310 | // for most cases. Only use this if you need to 311 | // directly access TLS assets in your application. 312 | var StorageKeys KeyBuilder 313 | 314 | const ( 315 | prefixCerts = "certificates" 316 | prefixOCSP = "ocsp" 317 | ) 318 | 319 | // safeKeyRE matches any undesirable characters in storage keys. 320 | // Note that this allows dots, so you'll have to strip ".." manually. 321 | var safeKeyRE = regexp.MustCompile(`[^\w@.-]`) 322 | 323 | // defaultFileStorage is a convenient, default storage 324 | // implementation using the local file system. 325 | var defaultFileStorage = &FileStorage{Path: dataDir()} 326 | -------------------------------------------------------------------------------- /storage_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "path" 19 | "testing" 20 | ) 21 | 22 | func TestPrefixAndKeyBuilders(t *testing.T) { 23 | am := &ACMEIssuer{CA: "https://example.com/acme-ca/directory"} 24 | 25 | base := path.Join("certificates", "example.com-acme-ca-directory") 26 | 27 | for i, testcase := range []struct { 28 | in, folder, certFile, keyFile, metaFile string 29 | }{ 30 | { 31 | in: "example.com", 32 | folder: path.Join(base, "example.com"), 33 | certFile: path.Join(base, "example.com", "example.com.crt"), 34 | keyFile: path.Join(base, "example.com", "example.com.key"), 35 | metaFile: path.Join(base, "example.com", "example.com.json"), 36 | }, 37 | { 38 | in: "*.example.com", 39 | folder: path.Join(base, "wildcard_.example.com"), 40 | certFile: path.Join(base, "wildcard_.example.com", "wildcard_.example.com.crt"), 41 | keyFile: path.Join(base, "wildcard_.example.com", "wildcard_.example.com.key"), 42 | metaFile: path.Join(base, "wildcard_.example.com", "wildcard_.example.com.json"), 43 | }, 44 | { 45 | // prevent directory traversal! very important, esp. with on-demand TLS 46 | // see issue #2092 47 | in: "a/../../../foo", 48 | folder: path.Join(base, "afoo"), 49 | certFile: path.Join(base, "afoo", "afoo.crt"), 50 | keyFile: path.Join(base, "afoo", "afoo.key"), 51 | metaFile: path.Join(base, "afoo", "afoo.json"), 52 | }, 53 | { 54 | in: "b\\..\\..\\..\\foo", 55 | folder: path.Join(base, "bfoo"), 56 | certFile: path.Join(base, "bfoo", "bfoo.crt"), 57 | keyFile: path.Join(base, "bfoo", "bfoo.key"), 58 | metaFile: path.Join(base, "bfoo", "bfoo.json"), 59 | }, 60 | { 61 | in: "c/foo", 62 | folder: path.Join(base, "cfoo"), 63 | certFile: path.Join(base, "cfoo", "cfoo.crt"), 64 | keyFile: path.Join(base, "cfoo", "cfoo.key"), 65 | metaFile: path.Join(base, "cfoo", "cfoo.json"), 66 | }, 67 | } { 68 | if actual := StorageKeys.SiteCert(am.IssuerKey(), testcase.in); actual != testcase.certFile { 69 | t.Errorf("Test %d: site cert file: Expected '%s' but got '%s'", i, testcase.certFile, actual) 70 | } 71 | if actual := StorageKeys.SitePrivateKey(am.IssuerKey(), testcase.in); actual != testcase.keyFile { 72 | t.Errorf("Test %d: site key file: Expected '%s' but got '%s'", i, testcase.keyFile, actual) 73 | } 74 | if actual := StorageKeys.SiteMeta(am.IssuerKey(), testcase.in); actual != testcase.metaFile { 75 | t.Errorf("Test %d: site meta file: Expected '%s' but got '%s'", i, testcase.metaFile, actual) 76 | } 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /testdata/resolv.conf.1: -------------------------------------------------------------------------------- 1 | domain company.com 2 | nameserver 10.200.3.249 3 | nameserver 10.200.3.250:5353 4 | nameserver 2001:4860:4860::8844 5 | nameserver [10.0.0.1]:5353 6 | -------------------------------------------------------------------------------- /zerosslissuer.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 Matthew Holt 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package certmagic 16 | 17 | import ( 18 | "context" 19 | "crypto/x509" 20 | "encoding/json" 21 | "fmt" 22 | "net" 23 | "net/http" 24 | "strconv" 25 | "strings" 26 | "time" 27 | 28 | "github.com/caddyserver/zerossl" 29 | "github.com/mholt/acmez/v3" 30 | "github.com/mholt/acmez/v3/acme" 31 | "go.uber.org/zap" 32 | ) 33 | 34 | // ZeroSSLIssuer can get certificates from ZeroSSL's API. (To use ZeroSSL's ACME 35 | // endpoint, use the ACMEIssuer instead.) Note that use of the API is restricted 36 | // by payment tier. 37 | type ZeroSSLIssuer struct { 38 | // The API key (or "access key") for using the ZeroSSL API. 39 | // REQUIRED. 40 | APIKey string 41 | 42 | // Where to store verification material temporarily. 43 | // All instances in a cluster should have the same 44 | // Storage value to enable distributed verification. 45 | // REQUIRED. (TODO: Make it optional for those not 46 | // operating in a cluster. For now, it's simpler to 47 | // put info in storage whether distributed or not.) 48 | Storage Storage 49 | 50 | // How many days the certificate should be valid for. 51 | ValidityDays int 52 | 53 | // The host to bind to when opening a listener for 54 | // verifying domain names (or IPs). 55 | ListenHost string 56 | 57 | // If HTTP is forwarded from port 80, specify the 58 | // forwarded port here. 59 | AltHTTPPort int 60 | 61 | // To use CNAME validation instead of HTTP 62 | // validation, set this field. 63 | CNAMEValidation *DNSManager 64 | 65 | // Delay between poll attempts. 66 | PollInterval time.Duration 67 | 68 | // An optional (but highly recommended) logger. 69 | Logger *zap.Logger 70 | } 71 | 72 | // Issue obtains a certificate for the given csr. 73 | func (iss *ZeroSSLIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*IssuedCertificate, error) { 74 | client := iss.getClient() 75 | 76 | identifiers := namesFromCSR(csr) 77 | if len(identifiers) == 0 { 78 | return nil, fmt.Errorf("no identifiers on CSR") 79 | } 80 | 81 | logger := iss.Logger 82 | if logger == nil { 83 | logger = zap.NewNop() 84 | } 85 | logger = logger.With(zap.Strings("identifiers", identifiers)) 86 | 87 | logger.Info("creating certificate") 88 | 89 | cert, err := client.CreateCertificate(ctx, csr, iss.ValidityDays) 90 | if err != nil { 91 | return nil, fmt.Errorf("creating certificate: %v", err) 92 | } 93 | 94 | logger = logger.With(zap.String("cert_id", cert.ID)) 95 | logger.Info("created certificate") 96 | 97 | defer func(certID string) { 98 | if err != nil { 99 | err := client.CancelCertificate(context.WithoutCancel(ctx), certID) 100 | if err == nil { 101 | logger.Info("canceled certificate") 102 | } else { 103 | logger.Error("unable to cancel certificate", zap.Error(err)) 104 | } 105 | } 106 | }(cert.ID) 107 | 108 | var verificationMethod zerossl.VerificationMethod 109 | 110 | if iss.CNAMEValidation == nil { 111 | verificationMethod = zerossl.HTTPVerification 112 | logger = logger.With(zap.String("verification_method", string(verificationMethod))) 113 | 114 | httpVerifier := &httpSolver{ 115 | address: net.JoinHostPort(iss.ListenHost, strconv.Itoa(iss.getHTTPPort())), 116 | handler: iss.HTTPValidationHandler(http.NewServeMux()), 117 | } 118 | 119 | var solver acmez.Solver = httpVerifier 120 | if iss.Storage != nil { 121 | solver = distributedSolver{ 122 | storage: iss.Storage, 123 | storageKeyIssuerPrefix: iss.IssuerKey(), 124 | solver: httpVerifier, 125 | } 126 | } 127 | 128 | // since the distributed solver was originally designed for ACME, 129 | // the API is geared around ACME challenges. ZeroSSL's HTTP validation 130 | // is very similar to the HTTP challenge, but not quite compatible, 131 | // so we kind of shim the ZeroSSL validation data into a Challenge 132 | // object... it is not a perfect use of this type but it's pretty close 133 | valInfo := cert.Validation.OtherMethods[identifiers[0]] 134 | fakeChallenge := acme.Challenge{ 135 | Identifier: acme.Identifier{ 136 | Value: identifiers[0], // used for storage key 137 | }, 138 | URL: valInfo.FileValidationURLHTTP, 139 | Token: strings.Join(cert.Validation.OtherMethods[identifiers[0]].FileValidationContent, "\n"), 140 | } 141 | if err = solver.Present(ctx, fakeChallenge); err != nil { 142 | return nil, fmt.Errorf("presenting validation file for verification: %v", err) 143 | } 144 | defer solver.CleanUp(ctx, fakeChallenge) 145 | } else { 146 | verificationMethod = zerossl.CNAMEVerification 147 | logger = logger.With(zap.String("verification_method", string(verificationMethod))) 148 | 149 | // create the CNAME record(s) 150 | records := make(map[string]zoneRecord, len(cert.Validation.OtherMethods)) 151 | for name, verifyInfo := range cert.Validation.OtherMethods { 152 | zr, err := iss.CNAMEValidation.createRecord(ctx, verifyInfo.CnameValidationP1, "CNAME", verifyInfo.CnameValidationP2+".") // see issue #304 153 | if err != nil { 154 | return nil, fmt.Errorf("creating CNAME record: %v", err) 155 | } 156 | defer func(name string, zr zoneRecord) { 157 | if err := iss.CNAMEValidation.cleanUpRecord(ctx, zr); err != nil { 158 | logger.Warn("cleaning up temporary validation record failed", 159 | zap.String("dns_name", name), 160 | zap.Error(err)) 161 | } 162 | }(name, zr) 163 | records[name] = zr 164 | } 165 | 166 | // wait for them to propagate 167 | for name, zr := range records { 168 | if err := iss.CNAMEValidation.wait(ctx, zr); err != nil { 169 | // allow it, since the CA will ultimately decide, but definitely log it 170 | logger.Warn("failed CNAME record propagation check", zap.String("domain", name), zap.Error(err)) 171 | } 172 | } 173 | } 174 | 175 | logger.Info("validating identifiers") 176 | 177 | cert, err = client.VerifyIdentifiers(ctx, cert.ID, verificationMethod, nil) 178 | if err != nil { 179 | return nil, fmt.Errorf("verifying identifiers: %v", err) 180 | } 181 | 182 | switch cert.Status { 183 | case "pending_validation": 184 | logger.Info("validations initiated; waiting for certificate to be issued") 185 | 186 | cert, err = iss.waitForCertToBeIssued(ctx, client, cert) 187 | if err != nil { 188 | return nil, fmt.Errorf("waiting for certificate to be issued: %v", err) 189 | } 190 | case "issued": 191 | logger.Info("validations succeeded; downloading certificate bundle") 192 | default: 193 | return nil, fmt.Errorf("unexpected certificate status: %s", cert.Status) 194 | } 195 | 196 | bundle, err := client.DownloadCertificate(ctx, cert.ID, false) 197 | if err != nil { 198 | return nil, fmt.Errorf("downloading certificate: %v", err) 199 | } 200 | 201 | logger.Info("successfully downloaded issued certificate") 202 | 203 | return &IssuedCertificate{ 204 | Certificate: []byte(bundle.CertificateCrt + bundle.CABundleCrt), 205 | Metadata: cert, 206 | }, nil 207 | } 208 | 209 | func (iss *ZeroSSLIssuer) waitForCertToBeIssued(ctx context.Context, client zerossl.Client, cert zerossl.CertificateObject) (zerossl.CertificateObject, error) { 210 | ticker := time.NewTicker(iss.pollInterval()) 211 | defer ticker.Stop() 212 | 213 | for { 214 | select { 215 | case <-ctx.Done(): 216 | return cert, ctx.Err() 217 | case <-ticker.C: 218 | var err error 219 | cert, err = client.GetCertificate(ctx, cert.ID) 220 | if err != nil { 221 | return cert, err 222 | } 223 | if cert.Status == "issued" { 224 | return cert, nil 225 | } 226 | if cert.Status != "pending_validation" { 227 | return cert, fmt.Errorf("unexpected certificate status: %s", cert.Status) 228 | } 229 | } 230 | } 231 | } 232 | 233 | func (iss *ZeroSSLIssuer) pollInterval() time.Duration { 234 | if iss.PollInterval == 0 { 235 | return defaultPollInterval 236 | } 237 | return iss.PollInterval 238 | } 239 | 240 | func (iss *ZeroSSLIssuer) getClient() zerossl.Client { 241 | return zerossl.Client{AccessKey: iss.APIKey} 242 | } 243 | 244 | func (iss *ZeroSSLIssuer) getHTTPPort() int { 245 | useHTTPPort := HTTPChallengePort 246 | if HTTPPort > 0 && HTTPPort != HTTPChallengePort { 247 | useHTTPPort = HTTPPort 248 | } 249 | if iss.AltHTTPPort > 0 { 250 | useHTTPPort = iss.AltHTTPPort 251 | } 252 | return useHTTPPort 253 | } 254 | 255 | // IssuerKey returns the unique issuer key for ZeroSSL. 256 | func (iss *ZeroSSLIssuer) IssuerKey() string { return zerosslIssuerKey } 257 | 258 | // Revoke revokes the given certificate. Only do this if there is a security or trust 259 | // concern with the certificate. 260 | func (iss *ZeroSSLIssuer) Revoke(ctx context.Context, cert CertificateResource, reason int) error { 261 | var r zerossl.RevocationReason 262 | switch reason { 263 | case acme.ReasonKeyCompromise: 264 | r = zerossl.KeyCompromise 265 | case acme.ReasonAffiliationChanged: 266 | r = zerossl.AffiliationChanged 267 | case acme.ReasonSuperseded: 268 | r = zerossl.Superseded 269 | case acme.ReasonCessationOfOperation: 270 | r = zerossl.CessationOfOperation 271 | case acme.ReasonUnspecified: 272 | r = zerossl.UnspecifiedReason 273 | default: 274 | return fmt.Errorf("unsupported reason: %d", reason) 275 | } 276 | var certObj zerossl.CertificateObject 277 | if err := json.Unmarshal(cert.IssuerData, &certObj); err != nil { 278 | return err 279 | } 280 | return iss.getClient().RevokeCertificate(ctx, certObj.ID, r) 281 | } 282 | 283 | func (iss *ZeroSSLIssuer) getDistributedValidationInfo(ctx context.Context, identifier string) (acme.Challenge, bool, error) { 284 | if iss.Storage == nil { 285 | return acme.Challenge{}, false, nil 286 | } 287 | 288 | ds := distributedSolver{ 289 | storage: iss.Storage, 290 | storageKeyIssuerPrefix: StorageKeys.Safe(iss.IssuerKey()), 291 | } 292 | tokenKey := ds.challengeTokensKey(identifier) 293 | 294 | valObjectBytes, err := iss.Storage.Load(ctx, tokenKey) 295 | if err != nil { 296 | return acme.Challenge{}, false, fmt.Errorf("opening distributed challenge token file %s: %v", tokenKey, err) 297 | } 298 | 299 | if len(valObjectBytes) == 0 { 300 | return acme.Challenge{}, false, fmt.Errorf("no information found to solve challenge for identifier: %s", identifier) 301 | } 302 | 303 | // since the distributed solver's API is geared around ACME challenges, 304 | // we crammed the validation info into a Challenge object 305 | var chal acme.Challenge 306 | if err = json.Unmarshal(valObjectBytes, &chal); err != nil { 307 | return acme.Challenge{}, false, fmt.Errorf("decoding HTTP validation token file %s (corrupted?): %v", tokenKey, err) 308 | } 309 | 310 | return chal, true, nil 311 | } 312 | 313 | const ( 314 | zerosslIssuerKey = "zerossl" 315 | defaultPollInterval = 5 * time.Second 316 | ) 317 | 318 | // Interface guards 319 | var ( 320 | _ Issuer = (*ZeroSSLIssuer)(nil) 321 | _ Revoker = (*ZeroSSLIssuer)(nil) 322 | ) 323 | --------------------------------------------------------------------------------