//LEAPI - ACME Certificate Renewal Control API - Copyright 2022-2024 Ruel Tmeizeh All Rights Reserved package main import ( "bytes" "crypto/tls" "encoding/json" "errors" "io/ioutil" "log" "net/http" "os" "os/exec" "path" "strconv" "strings" "sync" ) func writeDomains() error { b := new(bytes.Buffer) err := json.NewEncoder(b).Encode(domains) if err != nil { return errors.New("Couldn't encode domains list into JSON: " + err.Error()) } err = ioutil.WriteFile(configDir+"/domains.json", b.Bytes(), 0644) if err != nil { return errors.New("Couldn't write domains file: " + configDir + "/domains.json") } return nil } func writeServers() error { b := new(bytes.Buffer) err := json.NewEncoder(b).Encode(servers) if err != nil { return errors.New("Couldn't encode servers list into JSON: " + err.Error()) } err = ioutil.WriteFile(configDir+"/servers.json", b.Bytes(), 0644) if err != nil { return errors.New("Couldn't write servers file: " + configDir + "/servers.json") } return nil } func sendFileToAllServers(filePath string) error { var theError error numservers := len(servers) c := make(chan string) var wg sync.WaitGroup wg.Add(numservers) for n := 0; n < numservers; n++ { go func(c chan string) { for { srv, more := <-c if more == false { wg.Done() return } log.Println("Parallel execution send file to server: " + srv + "...") err := sendFileToServer(filePath, srv) if err != nil { log.Println(err.Error()) theError = err } } }(c) } for _, server := range servers { //send each server to the channel if server == appconf.Hostname { //don't send myself continue } c <- server } close(c) wg.Wait() if theError == nil { log.Println("Finished sending file " + filePath + " to all servers.") } err := os.Remove(filePath) if err != nil { log.Println("Error deleting temporary file: " + filePath + " - " + err.Error()) } return theError //if any one or more fail, return an error for it (the last one that fails) } func sendFileToServer(filePath, server string) error { log.Println("Send file " + filePath + " to " + server + " starting...") _, fileName := path.Split(filePath) dest := strings.SplitN(fileName, "__", 2)[0] //cert__abcdef1234567890.tmpfile --> "cert" data, err := os.Open(filePath) if err != nil { return errors.New("sendFileToServer: Could not open temporary file " + filePath + ": " + err.Error()) } url := syncScheme + server + ":" + syncPort + "/api/file/upload/" + dest log.Println("Send file " + filePath + " to " + url + "...") req, err := http.NewRequest("PUT", url, data) if err != nil { log.Println(err.Error()) return errors.New("Couldn't create new HTTP file upload request for server: " + server) } req.Close = true req.Header.Set("User-Agent", myUserAgent) req.SetBasicAuth(appconf.Username, appconf.SecretKey) //req.Header.Set("Authorization", "Bearer "+appconf.SecretKey) //skip verification of cert, since the cert may not be setup properly at first customTransport := http.DefaultTransport.(*http.Transport).Clone() customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} client := &http.Client{Transport: customTransport, Timeout: timeout} //client := &http.Client{Timeout: timeout} response, err := client.Do(req) if err != nil { log.Println(err.Error()) return errors.New("Couldn't do HTTP file upload to server: " + server) } body, err := ioutil.ReadAll(response.Body) if err != nil { log.Println(err.Error()) return errors.New("Couldn't parse response body on request to server: " + server) } if response.StatusCode != 200 { errorString := "Problem uploading file to server " + server + ". Status code: " + strconv.Itoa(response.StatusCode) + " Body: " + string(body) log.Println(errorString) return errors.New(errorString) } log.Println("Upload [" + dest + "] to " + server + " success!") return nil } func renew() error { log.Println("Renew operation initiated...") //BUILD/SET GETSSL ENVIRONMENT VARIABLES THEN EXECUTE GETSSL //domain list var domainlist string for _, d := range domains { if d == appconf.PrimaryDomain { //ignore primary domain continue } domainlist = domainlist + "," + d } domainlist = strings.TrimLeft(domainlist, ",") //Take off leading comma err := os.Setenv("SANS", domainlist) if err != nil { return errors.New("RENEW: error setting SANS domains list environment variable: " + err.Error()) } if appconf.Debug { log.Println(domainlist) } //ACL string aclstring := appconf.LetsEncryptValidationPath if appconf.SyncType == "ssh" { for _, server := range servers { if server == appconf.Hostname { continue } aclstring += ";ssh:" + appconf.Username + "@" + server + ":" + appconf.LetsEncryptValidationPath //aclstring += ";davs:leapi:" + appconf.SecretKey + ":" + server + ":" + syncPort + ":/api/file/upload/" } } else { //file sync type is HTTPS aclstring += ";davs:" + appconf.Username + ":" + appconf.SecretKey + ":" + appconf.Hostname + ":" + appconf.HTTPS_ServerPort + ":/api/file/sync" //aclstring += " ;cmd:\"curl -s -k -u" + appconf.Username + "\\:" + appconf.SecretKey + " " + syncScheme + appconf.Hostname + ":" + syncPort + "/api/file/upload/" + "$destfile" + " -T $src \"" + ":" + appconf.LetsEncryptValidationPath } err = os.Setenv("ACL", aclstring) if err != nil { return errors.New("RENEW: error setting ACL environment variable: " + err.Error()) } if appconf.Debug { log.Println("ACL STRING:") log.Println(aclstring) } //Cert and key locations domain_cert_location := appconf.TLSCertFile if appconf.SyncType == "ssh" { for _, server := range servers { if server == appconf.Hostname { continue } domain_cert_location += ";ssh:" + appconf.Username + "@" + server + ":" + appconf.TLSCertFile //domain_cert_location += ";davs:leapi:" + appconf.SecretKey + ":" + server + ":" + syncPort + ":/api/file/upload/cert" } } else { //file sync type is HTTPS domain_cert_location += ";davs:" + appconf.Username + ":" + appconf.SecretKey + ":" + appconf.Hostname + ":" + appconf.HTTPS_ServerPort + ":/api/file/sync/cert" } err = os.Setenv("DOMAIN_CERT_LOCATION", domain_cert_location) if err != nil { return errors.New("RENEW: error setting DOMAIN_CERT_LOCATION environment variable: " + err.Error()) } domain_key_location := appconf.TLSKeyFile if appconf.SyncType == "ssh" { for _, server := range servers { if server == appconf.Hostname { continue } domain_key_location += ";ssh:" + appconf.Username + "@" + server + ":" + appconf.TLSKeyFile //domain_key_location += ";davs:leapi:" + appconf.SecretKey + ":" + server + ":" + syncPort + ":/api/file/upload/key" } } else { //file sync type is HTTPS domain_key_location += ";davs:" + appconf.Username + ":" + appconf.SecretKey + ":" + appconf.Hostname + ":" + appconf.HTTPS_ServerPort + ":/api/file/sync/key" } err = os.Setenv("DOMAIN_KEY_LOCATION", domain_key_location) if err != nil { return errors.New("RENEW: error setting DOMAIN_KEY_LOCATION environment variable: " + err.Error()) } domain_chain_location := appconf.TLSChainFile if appconf.SyncType == "ssh" { for _, server := range servers { if server == appconf.Hostname { continue } domain_chain_location += ";ssh:" + appconf.Username + "@" + server + ":" + appconf.TLSChainFile //domain_chain_location += ";davs:leapi:" + appconf.SecretKey + ":" + server + ":" + syncPort + ":/api/file/upload/chain" } } else { //file sync type is HTTPS domain_chain_location += ";davs:" + appconf.Username + ":" + appconf.SecretKey + ":" + appconf.Hostname + ":" + appconf.HTTPS_ServerPort + ":/api/file/sync/chain" } err = os.Setenv("DOMAIN_CHAIN_LOCATION", domain_chain_location) if err != nil { return errors.New("RENEW: error setting DOMAIN_CHAIN_LOCATION environment variable: " + err.Error()) } domain_pem_location := appconf.TLSPEMFile if appconf.SyncType == "ssh" { for _, server := range servers { if server == appconf.Hostname { continue } domain_pem_location += ";ssh:" + appconf.Username + "@" + server + ":" + appconf.TLSPEMFile //domain_pem_location += ";davs:leapi:" + appconf.SecretKey + ":" + server + ":" + syncPort + ":/api/file/upload/pem" } } else { //file sync type is HTTPS domain_pem_location += ";davs:" + appconf.Username + ":" + appconf.SecretKey + ":" + appconf.Hostname + ":" + appconf.HTTPS_ServerPort + ":/api/file/sync/pem" } err = os.Setenv("DOMAIN_PEM_LOCATION", domain_pem_location) if err != nil { return errors.New("RENEW: error setting DOMAIN_PEM_LOCATION environment variable: " + err.Error()) } //these parameters don't seem to be respected by gettssl from environment variables, so write them to config file: ca_cert_location := appconf.TLSCAFile if appconf.SyncType == "ssh" { for _, server := range servers { if server == appconf.Hostname { continue } ca_cert_location += ";ssh:" + appconf.Username + "@" + server + ":" + appconf.TLSCAFile //ca_cert_location += ";davs:leapi:" + appconf.SecretKey + ":" + server + ":" + syncPort + ":/api/file/upload/ca" } } else { //file sync type is HTTPS ca_cert_location += ";davs:" + appconf.Username + ":" + appconf.SecretKey + ":" + appconf.Hostname + ":" + appconf.HTTPS_ServerPort + ":/api/file/sync/ca" } reload_command := appconf.ReloadCommand for _, server := range servers { if server == appconf.Hostname { continue } //old ssh method; requires ssh key //reload_command += "; ssh " + appconf.Username + "@" + server + " '" + appconf.ReloadCommand + "'" //new method; calls LEAPI to trigger reload reload_command += " ; curl -s -k -X POST -H 'Authorization: Bearer " + appconf.SecretKey + "' " + syncScheme + server + "/api/reload" //reload_command += "; 'curl -s -X POST -H \\\"Authorization: Bearer " + appconf.SecretKey + "\\\" " + syncScheme + server + "/api/reload" } ca_server := "https://acme-staging-v02.api.letsencrypt.org" if appconf.Production { ca_server = "https://acme-v02.api.letsencrypt.org" } var configFile string configFile = "CA=\"" + ca_server + "\"\n" configFile += "USE_SINGLE_ACL=\"true\"\n" configFile += "CA_CERT_LOCATION=\"" + appconf.TLSCAFile + "\"\n" configFile += "RELOAD_CMD=\"" + reload_command + "\"\n" configFile += "RENEW_ALLOW=\"" + appconf.RenewAllow + "\"\n" configFile += "CHECK_REMOTE=\"true\"\n" configFile += "SERVER_TYPE=\"" + appconf.CheckPort + "\"\n" configFile += "CHECK_REMOTE_WAIT=\"5\"\n" //write config file err = ioutil.WriteFile(configDir+"/"+appconf.PrimaryDomain+"/getssl.cfg", []byte(configFile), 0644) if err != nil { return errors.New("Couldn't write getssl config file: " + configDir + "/" + appconf.PrimaryDomain + "/getssl.cfg") } if appconf.Debug { //////PRINT VARS for _, e := range os.Environ() { log.Println(e) } } //RUN GETSSL //first patch getssl to disable cert verification checking: cmd := exec.Command("/usr/bin/sed", "-i", "s/NOMETER} -u/NOMETER} -k -u/g", appconf.SrvDir+"/getssl") output, err := cmd.CombinedOutput() if err != nil { log.Println(string(output)) return errors.New("RENEW: patching of getssl to disable curl certificate verification during LEAPI sync failed: " + err.Error()) } //RUN getssl on primary domain to renew //cmd = exec.Command(appconf.SrvDir+"/getssl", "-u", "-w", appconf.SrvDir, appconf.PrimaryDomain) if appconf.Debug { cmd = exec.Command(appconf.SrvDir+"/getssl", "-d", "-w", appconf.SrvDir, appconf.PrimaryDomain) } else { cmd = exec.Command(appconf.SrvDir+"/getssl", "-w", appconf.SrvDir, appconf.PrimaryDomain) } output, err = cmd.CombinedOutput() if err != nil { log.Println("BEGIN GETSSL OUTPUT:") log.Println(string(output)) log.Println("END GETSSL OUTPUT") return errors.New("RENEW: execution of getssl failed: " + err.Error() + " Check log file " + appconf.LogFile + " for more details.") } log.Println("BEGIN GETSSL OUTPUT:") log.Println(string(output)) log.Println("END GETSSL OUTPUT") return nil } func reload() error { //To avoid problems with spaces in the command, we build a script file and run it in shell, rather than directly. reloadScript := "#!/bin/sh\n" reloadScript += appconf.ReloadCommand + "\n" //write script file to run reload command[s] err := ioutil.WriteFile(configDir+"/reloadscript.sh", []byte(reloadScript), 0755) if err != nil { return errors.New("Couldn't write reload script file: " + configDir + "/reloadscript.sh") } cmd := exec.Command(appconf.SrvDir + "/reloadscript.sh") output, err := cmd.CombinedOutput() if err != nil { log.Println("BEGIN RELOADSCRIPT OUTPUT:") log.Println(string(output)) log.Println("END RELOADSCRIPT OUTPUT") return errors.New("RELOAD: execution of reload script failed: " + err.Error()) } log.Println("BEGIN RELOADSCRIPT OUTPUT:") log.Println(string(output)) log.Println("END RELOADSCRIPT OUTPUT") return nil }