diff --git a/integration/acme_test.go b/integration/acme_test.go index 94af17641..7ac725299 100644 --- a/integration/acme_test.go +++ b/integration/acme_test.go @@ -11,9 +11,9 @@ import ( "time" "github.com/containous/traefik/integration/try" - "github.com/containous/traefik/old/provider/acme" - "github.com/containous/traefik/old/types" + "github.com/containous/traefik/provider/acme" "github.com/containous/traefik/testhelpers" + "github.com/containous/traefik/types" "github.com/go-check/check" "github.com/miekg/dns" checker "github.com/vdemeester/shakers" diff --git a/old/provider/acme/account.go b/old/provider/acme/account.go deleted file mode 100644 index 8538e49dc..000000000 --- a/old/provider/acme/account.go +++ /dev/null @@ -1,83 +0,0 @@ -package acme - -import ( - "crypto" - "crypto/rand" - "crypto/rsa" - "crypto/x509" - - "github.com/containous/traefik/old/log" - "github.com/xenolf/lego/acme" -) - -// Account is used to store lets encrypt registration info -type Account struct { - Email string - Registration *acme.RegistrationResource - PrivateKey []byte - KeyType acme.KeyType -} - -const ( - // RegistrationURLPathV1Regexp is a regexp which match ACME registration URL in the V1 format - RegistrationURLPathV1Regexp = `^.*/acme/reg/\d+$` -) - -// NewAccount creates an account -func NewAccount(email string, keyTypeValue string) (*Account, error) { - keyType := GetKeyType(keyTypeValue) - - // Create a user. New accounts need an email and private key to start - privateKey, err := rsa.GenerateKey(rand.Reader, 4096) - if err != nil { - return nil, err - } - - return &Account{ - Email: email, - PrivateKey: x509.MarshalPKCS1PrivateKey(privateKey), - KeyType: keyType, - }, nil -} - -// GetEmail returns email -func (a *Account) GetEmail() string { - return a.Email -} - -// GetRegistration returns lets encrypt registration resource -func (a *Account) GetRegistration() *acme.RegistrationResource { - return a.Registration -} - -// GetPrivateKey returns private key -func (a *Account) GetPrivateKey() crypto.PrivateKey { - if privateKey, err := x509.ParsePKCS1PrivateKey(a.PrivateKey); err == nil { - return privateKey - } - - log.Errorf("Cannot unmarshal private key %+v", a.PrivateKey) - return nil -} - -// GetKeyType used to determine which algo to used -func GetKeyType(value string) acme.KeyType { - switch value { - case "EC256": - return acme.EC256 - case "EC384": - return acme.EC384 - case "RSA2048": - return acme.RSA2048 - case "RSA4096": - return acme.RSA4096 - case "RSA8192": - return acme.RSA8192 - case "": - log.Infof("The key type is empty. Use default key type %v.", acme.RSA4096) - return acme.RSA4096 - default: - log.Infof("Unable to determine key type value %q. Use default key type %v.", value, acme.RSA4096) - return acme.RSA4096 - } -} diff --git a/old/provider/acme/challenge_http.go b/old/provider/acme/challenge_http.go deleted file mode 100644 index 02f576688..000000000 --- a/old/provider/acme/challenge_http.go +++ /dev/null @@ -1,86 +0,0 @@ -package acme - -import ( - "net" - "net/http" - "time" - - "github.com/cenk/backoff" - "github.com/containous/mux" - "github.com/containous/traefik/old/log" - "github.com/containous/traefik/safe" - "github.com/xenolf/lego/acme" -) - -var _ acme.ChallengeProviderTimeout = (*challengeHTTP)(nil) - -type challengeHTTP struct { - Store Store -} - -// Present presents a challenge to obtain new ACME certificate -func (c *challengeHTTP) Present(domain, token, keyAuth string) error { - return c.Store.SetHTTPChallengeToken(token, domain, []byte(keyAuth)) -} - -// CleanUp cleans the challenges when certificate is obtained -func (c *challengeHTTP) CleanUp(domain, token, keyAuth string) error { - return c.Store.RemoveHTTPChallengeToken(token, domain) -} - -// Timeout calculates the maximum of time allowed to resolved an ACME challenge -func (c *challengeHTTP) Timeout() (timeout, interval time.Duration) { - return 60 * time.Second, 5 * time.Second -} - -func getTokenValue(token, domain string, store Store) []byte { - log.Debugf("Looking for an existing ACME challenge for token %v...", token) - var result []byte - - operation := func() error { - var err error - result, err = store.GetHTTPChallengeToken(token, domain) - return err - } - - notify := func(err error, time time.Duration) { - log.Errorf("Error getting challenge for token retrying in %s", time) - } - - ebo := backoff.NewExponentialBackOff() - ebo.MaxElapsedTime = 60 * time.Second - err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify) - if err != nil { - log.Errorf("Error getting challenge for token: %v", err) - return []byte{} - } - - return result -} - -// AddRoutes add routes on internal router -func (p *Provider) AddRoutes(router *mux.Router) { - router.Methods(http.MethodGet). - Path(acme.HTTP01ChallengePath("{token}")). - Handler(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { - vars := mux.Vars(req) - if token, ok := vars["token"]; ok { - domain, _, err := net.SplitHostPort(req.Host) - if err != nil { - log.Debugf("Unable to split host and port: %v. Fallback to request host.", err) - domain = req.Host - } - - tokenValue := getTokenValue(token, domain, p.Store) - if len(tokenValue) > 0 { - rw.WriteHeader(http.StatusOK) - _, err = rw.Write(tokenValue) - if err != nil { - log.Errorf("Unable to write token : %v", err) - } - return - } - } - rw.WriteHeader(http.StatusNotFound) - })) -} diff --git a/old/provider/acme/challenge_tls.go b/old/provider/acme/challenge_tls.go deleted file mode 100644 index be71fe900..000000000 --- a/old/provider/acme/challenge_tls.go +++ /dev/null @@ -1,52 +0,0 @@ -package acme - -import ( - "crypto/tls" - - "github.com/containous/traefik/old/log" - "github.com/containous/traefik/old/types" - "github.com/xenolf/lego/acme" -) - -var _ acme.ChallengeProvider = (*challengeTLSALPN)(nil) - -type challengeTLSALPN struct { - Store Store -} - -func (c *challengeTLSALPN) Present(domain, token, keyAuth string) error { - log.Debugf("TLS Challenge Present temp certificate for %s", domain) - - certPEMBlock, keyPEMBlock, err := acme.TLSALPNChallengeBlocks(domain, keyAuth) - if err != nil { - return err - } - - cert := &Certificate{Certificate: certPEMBlock, Key: keyPEMBlock, Domain: types.Domain{Main: "TEMP-" + domain}} - return c.Store.AddTLSChallenge(domain, cert) -} - -func (c *challengeTLSALPN) CleanUp(domain, token, keyAuth string) error { - log.Debugf("TLS Challenge CleanUp temp certificate for %s", domain) - - return c.Store.RemoveTLSChallenge(domain) -} - -// GetTLSALPNCertificate Get the temp certificate for ACME TLS-ALPN-O1 challenge. -func (p *Provider) GetTLSALPNCertificate(domain string) (*tls.Certificate, error) { - cert, err := p.Store.GetTLSChallenge(domain) - if err != nil { - return nil, err - } - - if cert == nil { - return nil, nil - } - - certificate, err := tls.X509KeyPair(cert.Certificate, cert.Key) - if err != nil { - return nil, err - } - - return &certificate, nil -} diff --git a/old/provider/acme/local_store.go b/old/provider/acme/local_store.go deleted file mode 100644 index 405c0f002..000000000 --- a/old/provider/acme/local_store.go +++ /dev/null @@ -1,251 +0,0 @@ -package acme - -import ( - "encoding/json" - "fmt" - "io/ioutil" - "os" - "regexp" - "sync" - - "github.com/containous/traefik/old/log" - "github.com/containous/traefik/safe" -) - -var _ Store = (*LocalStore)(nil) - -// LocalStore Store implementation for local file -type LocalStore struct { - filename string - storedData *StoredData - SaveDataChan chan *StoredData `json:"-"` - lock sync.RWMutex -} - -// NewLocalStore initializes a new LocalStore with a file name -func NewLocalStore(filename string) *LocalStore { - store := &LocalStore{filename: filename, SaveDataChan: make(chan *StoredData)} - store.listenSaveAction() - return store -} - -func (s *LocalStore) get() (*StoredData, error) { - if s.storedData == nil { - s.storedData = &StoredData{ - HTTPChallenges: make(map[string]map[string][]byte), - TLSChallenges: make(map[string]*Certificate), - } - - hasData, err := CheckFile(s.filename) - if err != nil { - return nil, err - } - - if hasData { - f, err := os.Open(s.filename) - if err != nil { - return nil, err - } - defer f.Close() - - file, err := ioutil.ReadAll(f) - if err != nil { - return nil, err - } - - if len(file) > 0 { - if err := json.Unmarshal(file, s.storedData); err != nil { - return nil, err - } - } - - // Check if ACME Account is in ACME V1 format - if s.storedData.Account != nil && s.storedData.Account.Registration != nil { - isOldRegistration, err := regexp.MatchString(RegistrationURLPathV1Regexp, s.storedData.Account.Registration.URI) - if err != nil { - return nil, err - } - if isOldRegistration { - log.Debug("Reset ACME account.") - s.storedData.Account = nil - s.SaveDataChan <- s.storedData - } - } - - // Delete all certificates with no value - var certificates []*Certificate - for _, certificate := range s.storedData.Certificates { - if len(certificate.Certificate) == 0 || len(certificate.Key) == 0 { - log.Debugf("Delete certificate %v for domains %v which have no value.", certificate, certificate.Domain.ToStrArray()) - continue - } - certificates = append(certificates, certificate) - } - - if len(certificates) < len(s.storedData.Certificates) { - s.storedData.Certificates = certificates - s.SaveDataChan <- s.storedData - } - } - } - - return s.storedData, nil -} - -// listenSaveAction listens to a chan to store ACME data in json format into LocalStore.filename -func (s *LocalStore) listenSaveAction() { - safe.Go(func() { - for object := range s.SaveDataChan { - data, err := json.MarshalIndent(object, "", " ") - if err != nil { - log.Error(err) - } - - err = ioutil.WriteFile(s.filename, data, 0600) - if err != nil { - log.Error(err) - } - } - }) -} - -// GetAccount returns ACME Account -func (s *LocalStore) GetAccount() (*Account, error) { - storedData, err := s.get() - if err != nil { - return nil, err - } - - return storedData.Account, nil -} - -// SaveAccount stores ACME Account -func (s *LocalStore) SaveAccount(account *Account) error { - storedData, err := s.get() - if err != nil { - return err - } - - storedData.Account = account - s.SaveDataChan <- storedData - - return nil -} - -// GetCertificates returns ACME Certificates list -func (s *LocalStore) GetCertificates() ([]*Certificate, error) { - storedData, err := s.get() - if err != nil { - return nil, err - } - - return storedData.Certificates, nil -} - -// SaveCertificates stores ACME Certificates list -func (s *LocalStore) SaveCertificates(certificates []*Certificate) error { - storedData, err := s.get() - if err != nil { - return err - } - - storedData.Certificates = certificates - s.SaveDataChan <- storedData - - return nil -} - -// GetHTTPChallengeToken Get the http challenge token from the store -func (s *LocalStore) GetHTTPChallengeToken(token, domain string) ([]byte, error) { - s.lock.RLock() - defer s.lock.RUnlock() - - if s.storedData.HTTPChallenges == nil { - s.storedData.HTTPChallenges = map[string]map[string][]byte{} - } - - if _, ok := s.storedData.HTTPChallenges[token]; !ok { - return nil, fmt.Errorf("cannot find challenge for token %v", token) - } - - result, ok := s.storedData.HTTPChallenges[token][domain] - if !ok { - return nil, fmt.Errorf("cannot find challenge for token %v", token) - } - return result, nil -} - -// SetHTTPChallengeToken Set the http challenge token in the store -func (s *LocalStore) SetHTTPChallengeToken(token, domain string, keyAuth []byte) error { - s.lock.Lock() - defer s.lock.Unlock() - - if s.storedData.HTTPChallenges == nil { - s.storedData.HTTPChallenges = map[string]map[string][]byte{} - } - - if _, ok := s.storedData.HTTPChallenges[token]; !ok { - s.storedData.HTTPChallenges[token] = map[string][]byte{} - } - - s.storedData.HTTPChallenges[token][domain] = keyAuth - return nil -} - -// RemoveHTTPChallengeToken Remove the http challenge token in the store -func (s *LocalStore) RemoveHTTPChallengeToken(token, domain string) error { - s.lock.Lock() - defer s.lock.Unlock() - - if s.storedData.HTTPChallenges == nil { - return nil - } - - if _, ok := s.storedData.HTTPChallenges[token]; ok { - if _, domainOk := s.storedData.HTTPChallenges[token][domain]; domainOk { - delete(s.storedData.HTTPChallenges[token], domain) - } - if len(s.storedData.HTTPChallenges[token]) == 0 { - delete(s.storedData.HTTPChallenges, token) - } - } - return nil -} - -// AddTLSChallenge Add a certificate to the ACME TLS-ALPN-01 certificates storage -func (s *LocalStore) AddTLSChallenge(domain string, cert *Certificate) error { - s.lock.Lock() - defer s.lock.Unlock() - - if s.storedData.TLSChallenges == nil { - s.storedData.TLSChallenges = make(map[string]*Certificate) - } - - s.storedData.TLSChallenges[domain] = cert - return nil -} - -// GetTLSChallenge Get a certificate from the ACME TLS-ALPN-01 certificates storage -func (s *LocalStore) GetTLSChallenge(domain string) (*Certificate, error) { - s.lock.Lock() - defer s.lock.Unlock() - - if s.storedData.TLSChallenges == nil { - s.storedData.TLSChallenges = make(map[string]*Certificate) - } - - return s.storedData.TLSChallenges[domain], nil -} - -// RemoveTLSChallenge Remove a certificate from the ACME TLS-ALPN-01 certificates storage -func (s *LocalStore) RemoveTLSChallenge(domain string) error { - s.lock.Lock() - defer s.lock.Unlock() - - if s.storedData.TLSChallenges == nil { - return nil - } - - delete(s.storedData.TLSChallenges, domain) - return nil -} diff --git a/old/provider/acme/local_store_unix.go b/old/provider/acme/local_store_unix.go deleted file mode 100644 index 0dbb787be..000000000 --- a/old/provider/acme/local_store_unix.go +++ /dev/null @@ -1,35 +0,0 @@ -// +build !windows - -package acme - -import ( - "fmt" - "os" -) - -// CheckFile checks file permissions and content size -func CheckFile(name string) (bool, error) { - f, err := os.Open(name) - if err != nil { - if os.IsNotExist(err) { - f, err = os.Create(name) - if err != nil { - return false, err - } - return false, f.Chmod(0600) - } - return false, err - } - defer f.Close() - - fi, err := f.Stat() - if err != nil { - return false, err - } - - if fi.Mode().Perm()&0077 != 0 { - return false, fmt.Errorf("permissions %o for %s are too open, please use 600", fi.Mode().Perm(), name) - } - - return fi.Size() > 0, nil -} diff --git a/old/provider/acme/local_store_windows.go b/old/provider/acme/local_store_windows.go deleted file mode 100644 index 1804578a3..000000000 --- a/old/provider/acme/local_store_windows.go +++ /dev/null @@ -1,27 +0,0 @@ -package acme - -import "os" - -// CheckFile checks file content size -// Do not check file permissions on Windows right now -func CheckFile(name string) (bool, error) { - f, err := os.Open(name) - if err != nil { - if os.IsNotExist(err) { - f, err = os.Create(name) - if err != nil { - return false, err - } - return false, f.Chmod(0600) - } - return false, err - } - defer f.Close() - - fi, err := f.Stat() - if err != nil { - return false, err - } - - return fi.Size() > 0, nil -} diff --git a/old/provider/acme/provider.go b/old/provider/acme/provider.go deleted file mode 100644 index cfc45f337..000000000 --- a/old/provider/acme/provider.go +++ /dev/null @@ -1,826 +0,0 @@ -package acme - -import ( - "crypto/tls" - "crypto/x509" - "fmt" - "io/ioutil" - fmtlog "log" - "net" - "net/url" - "reflect" - "strings" - "sync" - "time" - - "github.com/cenk/backoff" - "github.com/containous/flaeg/parse" - "github.com/containous/traefik/old/log" - "github.com/containous/traefik/old/types" - "github.com/containous/traefik/rules" - "github.com/containous/traefik/safe" - traefiktls "github.com/containous/traefik/tls" - "github.com/containous/traefik/version" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" - "github.com/xenolf/lego/acme" - legolog "github.com/xenolf/lego/log" - "github.com/xenolf/lego/providers/dns" -) - -var ( - // OSCPMustStaple enables OSCP stapling as from https://github.com/xenolf/lego/issues/270 - OSCPMustStaple = false -) - -// Configuration holds ACME configuration provided by users -type Configuration struct { - Email string `description:"Email address used for registration"` - ACMELogging bool `description:"Enable debug logging of ACME actions."` - CAServer string `description:"CA server to use."` - Storage string `description:"Storage to use."` - EntryPoint string `description:"EntryPoint to use."` - KeyType string `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'"` - OnHostRule bool `description:"Enable certificate generation on frontends Host rules."` - OnDemand bool `description:"Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` // Deprecated - DNSChallenge *DNSChallenge `description:"Activate DNS-01 Challenge"` - HTTPChallenge *HTTPChallenge `description:"Activate HTTP-01 Challenge"` - TLSChallenge *TLSChallenge `description:"Activate TLS-ALPN-01 Challenge"` - Domains []types.Domain `description:"CN and SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='*.main.net'. No SANs for wildcards domain. Wildcard domains only accepted with DNSChallenge"` -} - -// Provider holds configurations of the provider. -type Provider struct { - *Configuration - Store Store - certificates []*Certificate - account *Account - client *acme.Client - certsChan chan *Certificate - configurationChan chan<- types.ConfigMessage - certificateStore *traefiktls.CertificateStore - clientMutex sync.Mutex - configFromListenerChan chan types.Configuration - pool *safe.Pool - resolvingDomains map[string]struct{} - resolvingDomainsMutex sync.RWMutex -} - -// Certificate is a struct which contains all data needed from an ACME certificate -type Certificate struct { - Domain types.Domain - Certificate []byte - Key []byte -} - -// DNSChallenge contains DNS challenge Configuration -type DNSChallenge struct { - Provider string `description:"Use a DNS-01 based challenge provider rather than HTTPS."` - DelayBeforeCheck parse.Duration `description:"Assume DNS propagates after a delay in seconds rather than finding and querying nameservers."` - Resolvers types.DNSResolvers `description:"Use following DNS servers to resolve the FQDN authority."` - DisablePropagationCheck bool `description:"Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended]"` - preCheckTimeout time.Duration - preCheckInterval time.Duration -} - -// HTTPChallenge contains HTTP challenge Configuration -type HTTPChallenge struct { - EntryPoint string `description:"HTTP challenge EntryPoint"` -} - -// TLSChallenge contains TLS challenge Configuration -type TLSChallenge struct{} - -// SetConfigListenerChan initializes the configFromListenerChan -func (p *Provider) SetConfigListenerChan(configFromListenerChan chan types.Configuration) { - p.configFromListenerChan = configFromListenerChan -} - -// SetCertificateStore allow to initialize certificate store -func (p *Provider) SetCertificateStore(certificateStore *traefiktls.CertificateStore) { - p.certificateStore = certificateStore -} - -// ListenConfiguration sets a new Configuration into the configFromListenerChan -func (p *Provider) ListenConfiguration(config types.Configuration) { - p.configFromListenerChan <- config -} - -// ListenRequest resolves new certificates for a domain from an incoming request and return a valid Certificate to serve (onDemand option) -func (p *Provider) ListenRequest(domain string) (*tls.Certificate, error) { - acmeCert, err := p.resolveCertificate(types.Domain{Main: domain}, false) - if acmeCert == nil || err != nil { - return nil, err - } - - certificate, err := tls.X509KeyPair(acmeCert.Certificate, acmeCert.PrivateKey) - - return &certificate, err -} - -// Init for compatibility reason the BaseProvider implements an empty Init -func (p *Provider) Init(_ types.Constraints) error { - acme.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version) - if p.ACMELogging { - legolog.Logger = fmtlog.New(log.WriterLevel(logrus.InfoLevel), "legolog: ", 0) - } else { - legolog.Logger = fmtlog.New(ioutil.Discard, "", 0) - } - - if p.Store == nil { - return errors.New("no store found for the ACME provider") - } - - var err error - p.account, err = p.Store.GetAccount() - if err != nil { - return fmt.Errorf("unable to get ACME account : %v", err) - } - - // Reset Account if caServer changed, thus registration URI can be updated - if p.account != nil && p.account.Registration != nil && !isAccountMatchingCaServer(p.account.Registration.URI, p.CAServer) { - log.Info("Account URI does not match the current CAServer. The account will be reset") - p.account = nil - } - - p.certificates, err = p.Store.GetCertificates() - if err != nil { - return fmt.Errorf("unable to get ACME certificates : %v", err) - } - - // Init the currently resolved domain map - p.resolvingDomains = make(map[string]struct{}) - - return nil -} - -func isAccountMatchingCaServer(accountURI string, serverURI string) bool { - aru, err := url.Parse(accountURI) - if err != nil { - log.Infof("Unable to parse account.Registration URL : %v", err) - return false - } - cau, err := url.Parse(serverURI) - if err != nil { - log.Infof("Unable to parse CAServer URL : %v", err) - return false - } - return cau.Hostname() == aru.Hostname() -} - -// Provide allows the file provider to provide configurations to traefik -// using the given Configuration channel. -func (p *Provider) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool) error { - p.pool = pool - - p.watchCertificate() - p.watchNewDomains() - - p.configurationChan = configurationChan - p.refreshCertificates() - - p.deleteUnnecessaryDomains() - for i := 0; i < len(p.Domains); i++ { - domain := p.Domains[i] - safe.Go(func() { - if _, err := p.resolveCertificate(domain, true); err != nil { - log.Errorf("Unable to obtain ACME certificate for domains %q : %v", strings.Join(domain.ToStrArray(), ","), err) - } - }) - } - - p.renewCertificates() - - ticker := time.NewTicker(24 * time.Hour) - pool.Go(func(stop chan bool) { - for { - select { - case <-ticker.C: - p.renewCertificates() - case <-stop: - ticker.Stop() - return - } - } - }) - - return nil -} - -func (p *Provider) getClient() (*acme.Client, error) { - p.clientMutex.Lock() - defer p.clientMutex.Unlock() - - if p.client != nil { - return p.client, nil - } - - account, err := p.initAccount() - if err != nil { - return nil, err - } - - log.Debug("Building ACME client...") - - caServer := "https://acme-v02.api.letsencrypt.org/directory" - if len(p.CAServer) > 0 { - caServer = p.CAServer - } - log.Debug(caServer) - - client, err := acme.NewClient(caServer, account, account.KeyType) - if err != nil { - return nil, err - } - - // New users will need to register; be sure to save it - if account.GetRegistration() == nil { - log.Info("Register...") - - reg, err := client.Register(true) - if err != nil { - return nil, err - } - - account.Registration = reg - } - - // Save the account once before all the certificates generation/storing - // No certificate can be generated if account is not initialized - err = p.Store.SaveAccount(account) - if err != nil { - return nil, err - } - - if p.DNSChallenge != nil && len(p.DNSChallenge.Provider) > 0 { - log.Debugf("Using DNS Challenge provider: %s", p.DNSChallenge.Provider) - - SetRecursiveNameServers(p.DNSChallenge.Resolvers) - SetPropagationCheck(p.DNSChallenge.DisablePropagationCheck) - - err = dnsOverrideDelay(p.DNSChallenge.DelayBeforeCheck) - if err != nil { - return nil, err - } - - var provider acme.ChallengeProvider - provider, err = dns.NewDNSChallengeProviderByName(p.DNSChallenge.Provider) - if err != nil { - return nil, err - } - - client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSALPN01}) - - err = client.SetChallengeProvider(acme.DNS01, provider) - if err != nil { - return nil, err - } - - // Same default values than LEGO - p.DNSChallenge.preCheckTimeout = 60 * time.Second - p.DNSChallenge.preCheckInterval = 2 * time.Second - - // Set the precheck timeout into the DNSChallenge provider - if challengeProviderTimeout, ok := provider.(acme.ChallengeProviderTimeout); ok { - p.DNSChallenge.preCheckTimeout, p.DNSChallenge.preCheckInterval = challengeProviderTimeout.Timeout() - } - - } else if p.HTTPChallenge != nil && len(p.HTTPChallenge.EntryPoint) > 0 { - log.Debug("Using HTTP Challenge provider.") - - client.ExcludeChallenges([]acme.Challenge{acme.DNS01, acme.TLSALPN01}) - - err = client.SetChallengeProvider(acme.HTTP01, &challengeHTTP{Store: p.Store}) - if err != nil { - return nil, err - } - } else if p.TLSChallenge != nil { - log.Debug("Using TLS Challenge provider.") - - client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01}) - - err = client.SetChallengeProvider(acme.TLSALPN01, &challengeTLSALPN{Store: p.Store}) - if err != nil { - return nil, err - } - } else { - return nil, errors.New("ACME challenge not specified, please select TLS or HTTP or DNS Challenge") - } - - p.client = client - return p.client, nil -} - -func (p *Provider) initAccount() (*Account, error) { - if p.account == nil || len(p.account.Email) == 0 { - var err error - p.account, err = NewAccount(p.Email, p.KeyType) - if err != nil { - return nil, err - } - } - - // Set the KeyType if not already defined in the account - if len(p.account.KeyType) == 0 { - p.account.KeyType = GetKeyType(p.KeyType) - } - - return p.account, nil -} - -func contains(entryPoints []string, acmeEntryPoint string) bool { - for _, entryPoint := range entryPoints { - if entryPoint == acmeEntryPoint { - return true - } - } - return false -} - -func (p *Provider) watchNewDomains() { - p.pool.Go(func(stop chan bool) { - for { - select { - case config := <-p.configFromListenerChan: - for _, frontend := range config.Frontends { - if !contains(frontend.EntryPoints, p.EntryPoint) { - continue - } - for _, route := range frontend.Routes { - domainRules := rules.Rules{} - domains, err := domainRules.ParseDomains(route.Rule) - if err != nil { - log.Errorf("Error parsing domains in provider ACME: %v", err) - continue - } - - if len(domains) == 0 { - log.Debugf("No domain parsed in rule %q in provider ACME", route.Rule) - continue - } - - log.Debugf("Try to challenge certificate for domain %v founded in Host rule", domains) - - var domain types.Domain - if len(domains) > 0 { - domain = types.Domain{Main: domains[0]} - if len(domains) > 1 { - domain.SANs = domains[1:] - } - - safe.Go(func() { - if _, err := p.resolveCertificate(domain, false); err != nil { - log.Errorf("Unable to obtain ACME certificate for domains %q detected thanks to rule %q : %v", strings.Join(domains, ","), route.Rule, err) - } - }) - } - } - } - case <-stop: - return - } - } - }) -} - -func (p *Provider) resolveCertificate(domain types.Domain, domainFromConfigurationFile bool) (*acme.CertificateResource, error) { - domains, err := p.getValidDomains(domain, domainFromConfigurationFile) - if err != nil { - return nil, err - } - - // Check provided certificates - uncheckedDomains := p.getUncheckedDomains(domains, !domainFromConfigurationFile) - if len(uncheckedDomains) == 0 { - return nil, nil - } - - p.addResolvingDomains(uncheckedDomains) - defer p.removeResolvingDomains(uncheckedDomains) - - log.Debugf("Loading ACME certificates %+v...", uncheckedDomains) - - client, err := p.getClient() - if err != nil { - return nil, fmt.Errorf("cannot get ACME client %v", err) - } - - var certificate *acme.CertificateResource - bundle := true - if p.useCertificateWithRetry(uncheckedDomains) { - certificate, err = obtainCertificateWithRetry(domains, client, p.DNSChallenge.preCheckTimeout, p.DNSChallenge.preCheckInterval, bundle) - } else { - certificate, err = client.ObtainCertificate(domains, bundle, nil, OSCPMustStaple) - } - - if err != nil { - return nil, fmt.Errorf("unable to generate a certificate for the domains %v: %v", uncheckedDomains, err) - } - if certificate == nil { - return nil, fmt.Errorf("domains %v do not generate a certificate", uncheckedDomains) - } - if len(certificate.Certificate) == 0 || len(certificate.PrivateKey) == 0 { - return nil, fmt.Errorf("domains %v generate certificate with no value: %v", uncheckedDomains, certificate) - } - - log.Debugf("Certificates obtained for domains %+v", uncheckedDomains) - - if len(uncheckedDomains) > 1 { - domain = types.Domain{Main: uncheckedDomains[0], SANs: uncheckedDomains[1:]} - } else { - domain = types.Domain{Main: uncheckedDomains[0]} - } - p.addCertificateForDomain(domain, certificate.Certificate, certificate.PrivateKey) - - return certificate, nil -} - -func (p *Provider) removeResolvingDomains(resolvingDomains []string) { - p.resolvingDomainsMutex.Lock() - defer p.resolvingDomainsMutex.Unlock() - - for _, domain := range resolvingDomains { - delete(p.resolvingDomains, domain) - } -} - -func (p *Provider) addResolvingDomains(resolvingDomains []string) { - p.resolvingDomainsMutex.Lock() - defer p.resolvingDomainsMutex.Unlock() - - for _, domain := range resolvingDomains { - p.resolvingDomains[domain] = struct{}{} - } -} - -func (p *Provider) useCertificateWithRetry(domains []string) bool { - // Check if we can use the retry mechanism only if we use the DNS Challenge and if is there are at least 2 domains to check - if p.DNSChallenge != nil && len(domains) > 1 { - rootDomain := "" - for _, searchWildcardDomain := range domains { - // Search a wildcard domain if not already found - if len(rootDomain) == 0 && strings.HasPrefix(searchWildcardDomain, "*.") { - rootDomain = strings.TrimPrefix(searchWildcardDomain, "*.") - if len(rootDomain) > 0 { - // Look for a root domain which matches the wildcard domain - for _, searchRootDomain := range domains { - if rootDomain == searchRootDomain { - // If the domains list contains a wildcard domain and its root domain, we can use the retry mechanism to obtain the certificate - return true - } - } - } - // There is only one wildcard domain in the slice, if its root domain has not been found, the retry mechanism does not have to be used - return false - } - } - } - - return false -} - -func obtainCertificateWithRetry(domains []string, client *acme.Client, timeout, interval time.Duration, bundle bool) (*acme.CertificateResource, error) { - var certificate *acme.CertificateResource - var err error - - operation := func() error { - certificate, err = client.ObtainCertificate(domains, bundle, nil, OSCPMustStaple) - return err - } - - notify := func(err error, time time.Duration) { - log.Errorf("Error obtaining certificate retrying in %s", time) - } - - // Define a retry backOff to let LEGO tries twice to obtain a certificate for both wildcard and root domain - ebo := backoff.NewExponentialBackOff() - ebo.MaxElapsedTime = 2 * timeout - ebo.MaxInterval = interval - rbo := backoff.WithMaxRetries(ebo, 2) - - err = backoff.RetryNotify(safe.OperationWithRecover(operation), rbo, notify) - if err != nil { - log.Errorf("Error obtaining certificate: %v", err) - return nil, err - } - - return certificate, nil -} - -func dnsOverrideDelay(delay parse.Duration) error { - if delay == 0 { - return nil - } - - if delay > 0 { - log.Debugf("Delaying %d rather than validating DNS propagation now.", delay) - - acme.PreCheckDNS = func(_, _ string) (bool, error) { - time.Sleep(time.Duration(delay)) - return true, nil - } - } else { - return fmt.Errorf("delayBeforeCheck: %d cannot be less than 0", delay) - } - return nil -} - -func (p *Provider) addCertificateForDomain(domain types.Domain, certificate []byte, key []byte) { - p.certsChan <- &Certificate{Certificate: certificate, Key: key, Domain: domain} -} - -// deleteUnnecessaryDomains deletes from the configuration : -// - Duplicated domains -// - Domains which are checked by wildcard domain -func (p *Provider) deleteUnnecessaryDomains() { - var newDomains []types.Domain - - for idxDomainToCheck, domainToCheck := range p.Domains { - keepDomain := true - - for idxDomain, domain := range p.Domains { - if idxDomainToCheck == idxDomain { - continue - } - - if reflect.DeepEqual(domain, domainToCheck) { - if idxDomainToCheck > idxDomain { - log.Warnf("The domain %v is duplicated in the configuration but will be process by ACME provider only once.", domainToCheck) - keepDomain = false - } - break - } - - // Check if CN or SANS to check already exists - // or can not be checked by a wildcard - var newDomainsToCheck []string - for _, domainProcessed := range domainToCheck.ToStrArray() { - if idxDomain < idxDomainToCheck && isDomainAlreadyChecked(domainProcessed, domain.ToStrArray()) { - // The domain is duplicated in a CN - log.Warnf("Domain %q is duplicated in the configuration or validated by the domain %v. It will be processed once.", domainProcessed, domain) - continue - } else if domain.Main != domainProcessed && strings.HasPrefix(domain.Main, "*") && isDomainAlreadyChecked(domainProcessed, []string{domain.Main}) { - // Check if a wildcard can validate the domain - log.Warnf("Domain %q will not be processed by ACME provider because it is validated by the wildcard %q", domainProcessed, domain.Main) - continue - } - newDomainsToCheck = append(newDomainsToCheck, domainProcessed) - } - - // Delete the domain if both Main and SANs can be validated by the wildcard domain - // otherwise keep the unchecked values - if newDomainsToCheck == nil { - keepDomain = false - break - } - domainToCheck.Set(newDomainsToCheck) - } - - if keepDomain { - newDomains = append(newDomains, domainToCheck) - } - } - - p.Domains = newDomains -} - -func (p *Provider) watchCertificate() { - p.certsChan = make(chan *Certificate) - p.pool.Go(func(stop chan bool) { - for { - select { - case cert := <-p.certsChan: - certUpdated := false - for _, domainsCertificate := range p.certificates { - if reflect.DeepEqual(cert.Domain, domainsCertificate.Domain) { - domainsCertificate.Certificate = cert.Certificate - domainsCertificate.Key = cert.Key - certUpdated = true - break - } - } - if !certUpdated { - p.certificates = append(p.certificates, cert) - } - - err := p.saveCertificates() - if err != nil { - log.Error(err) - } - - case <-stop: - return - } - } - }) -} - -func (p *Provider) saveCertificates() error { - err := p.Store.SaveCertificates(p.certificates) - - p.refreshCertificates() - - return err -} - -func (p *Provider) refreshCertificates() { - config := types.ConfigMessage{ - ProviderName: "ACME", - Configuration: &types.Configuration{ - Backends: map[string]*types.Backend{}, - Frontends: map[string]*types.Frontend{}, - TLS: []*traefiktls.Configuration{}, - }, - } - - for _, cert := range p.certificates { - certificate := &traefiktls.Certificate{CertFile: traefiktls.FileOrContent(cert.Certificate), KeyFile: traefiktls.FileOrContent(cert.Key)} - config.Configuration.TLS = append(config.Configuration.TLS, &traefiktls.Configuration{Certificate: certificate, EntryPoints: []string{p.EntryPoint}}) - } - p.configurationChan <- config -} - -func (p *Provider) renewCertificates() { - log.Info("Testing certificate renew...") - for _, certificate := range p.certificates { - crt, err := getX509Certificate(certificate) - // If there's an error, we assume the cert is broken, and needs update - // <= 30 days left, renew certificate - if err != nil || crt == nil || crt.NotAfter.Before(time.Now().Add(24*30*time.Hour)) { - client, err := p.getClient() - if err != nil { - log.Infof("Error renewing certificate from LE : %+v, %v", certificate.Domain, err) - continue - } - - log.Infof("Renewing certificate from LE : %+v", certificate.Domain) - - renewedCert, err := client.RenewCertificate(acme.CertificateResource{ - Domain: certificate.Domain.Main, - PrivateKey: certificate.Key, - Certificate: certificate.Certificate, - }, true, OSCPMustStaple) - - if err != nil { - log.Errorf("Error renewing certificate from LE: %v, %v", certificate.Domain, err) - continue - } - - if len(renewedCert.Certificate) == 0 || len(renewedCert.PrivateKey) == 0 { - log.Errorf("domains %v renew certificate with no value: %v", certificate.Domain.ToStrArray(), certificate) - continue - } - - p.addCertificateForDomain(certificate.Domain, renewedCert.Certificate, renewedCert.PrivateKey) - } - } -} - -// Get provided certificate which check a domains list (Main and SANs) -// from static and dynamic provided certificates -func (p *Provider) getUncheckedDomains(domainsToCheck []string, checkConfigurationDomains bool) []string { - p.resolvingDomainsMutex.RLock() - defer p.resolvingDomainsMutex.RUnlock() - - log.Debugf("Looking for provided certificate(s) to validate %q...", domainsToCheck) - - allDomains := p.certificateStore.GetAllDomains() - - // Get ACME certificates - for _, certificate := range p.certificates { - allDomains = append(allDomains, strings.Join(certificate.Domain.ToStrArray(), ",")) - } - - // Get currently resolved domains - for domain := range p.resolvingDomains { - allDomains = append(allDomains, domain) - } - - // Get Configuration Domains - if checkConfigurationDomains { - for i := 0; i < len(p.Domains); i++ { - allDomains = append(allDomains, strings.Join(p.Domains[i].ToStrArray(), ",")) - } - } - - return searchUncheckedDomains(domainsToCheck, allDomains) -} - -func searchUncheckedDomains(domainsToCheck []string, existentDomains []string) []string { - var uncheckedDomains []string - for _, domainToCheck := range domainsToCheck { - if !isDomainAlreadyChecked(domainToCheck, existentDomains) { - uncheckedDomains = append(uncheckedDomains, domainToCheck) - } - } - - if len(uncheckedDomains) == 0 { - log.Debugf("No ACME certificate generation required for domains %q.", domainsToCheck) - } else { - log.Debugf("Domains %q need ACME certificates generation for domains %q.", domainsToCheck, strings.Join(uncheckedDomains, ",")) - } - return uncheckedDomains -} - -func getX509Certificate(certificate *Certificate) (*x509.Certificate, error) { - tlsCert, err := tls.X509KeyPair(certificate.Certificate, certificate.Key) - if err != nil { - log.Errorf("Failed to load TLS keypair from ACME certificate for domain %q (SAN : %q), certificate will be renewed : %v", certificate.Domain.Main, strings.Join(certificate.Domain.SANs, ","), err) - return nil, err - } - - crt := tlsCert.Leaf - if crt == nil { - crt, err = x509.ParseCertificate(tlsCert.Certificate[0]) - if err != nil { - log.Errorf("Failed to parse TLS keypair from ACME certificate for domain %q (SAN : %q), certificate will be renewed : %v", certificate.Domain.Main, strings.Join(certificate.Domain.SANs, ","), err) - } - } - - return crt, err -} - -// getValidDomains checks if given domain is allowed to generate a ACME certificate and return it -func (p *Provider) getValidDomains(domain types.Domain, wildcardAllowed bool) ([]string, error) { - domains := domain.ToStrArray() - if len(domains) == 0 { - return nil, errors.New("unable to generate a certificate in ACME provider when no domain is given") - } - - if strings.HasPrefix(domain.Main, "*") { - if !wildcardAllowed { - return nil, fmt.Errorf("unable to generate a wildcard certificate in ACME provider for domain %q from a 'Host' rule", strings.Join(domains, ",")) - } - - if p.DNSChallenge == nil { - return nil, fmt.Errorf("unable to generate a wildcard certificate in ACME provider for domain %q : ACME needs a DNSChallenge", strings.Join(domains, ",")) - } - - if strings.HasPrefix(domain.Main, "*.*") { - return nil, fmt.Errorf("unable to generate a wildcard certificate in ACME provider for domain %q : ACME does not allow '*.*' wildcard domain", strings.Join(domains, ",")) - } - } - - for _, san := range domain.SANs { - if strings.HasPrefix(san, "*") { - return nil, fmt.Errorf("unable to generate a certificate in ACME provider for domains %q: SAN %q can not be a wildcard domain", strings.Join(domains, ","), san) - } - } - - var cleanDomains []string - for _, domain := range domains { - canonicalDomain := types.CanonicalDomain(domain) - cleanDomain := acme.UnFqdn(canonicalDomain) - if canonicalDomain != cleanDomain { - log.Warnf("FQDN detected, please remove the trailing dot: %s", canonicalDomain) - } - cleanDomains = append(cleanDomains, cleanDomain) - } - - return cleanDomains, nil -} - -func isDomainAlreadyChecked(domainToCheck string, existentDomains []string) bool { - for _, certDomains := range existentDomains { - for _, certDomain := range strings.Split(certDomains, ",") { - if types.MatchDomain(domainToCheck, certDomain) { - return true - } - } - } - return false -} - -// SetPropagationCheck to disable the Lego PreCheck. -func SetPropagationCheck(disable bool) { - if disable { - acme.PreCheckDNS = func(_, _ string) (bool, error) { - return true, nil - } - } -} - -// SetRecursiveNameServers to provide a custom DNS resolver. -func SetRecursiveNameServers(dnsResolvers []string) { - resolvers := normaliseDNSResolvers(dnsResolvers) - if len(resolvers) > 0 { - acme.RecursiveNameservers = resolvers - log.Infof("Validating FQDN authority with DNS using %+v", resolvers) - } -} - -// ensure all servers have a port number -func normaliseDNSResolvers(dnsResolvers []string) []string { - var normalisedResolvers []string - for _, server := range dnsResolvers { - srv := strings.TrimSpace(server) - if len(srv) > 0 { - if host, port, err := net.SplitHostPort(srv); err != nil { - normalisedResolvers = append(normalisedResolvers, net.JoinHostPort(srv, "53")) - } else { - normalisedResolvers = append(normalisedResolvers, net.JoinHostPort(host, port)) - } - } - } - return normalisedResolvers -} diff --git a/old/provider/acme/store.go b/old/provider/acme/store.go deleted file mode 100644 index 7573d1635..000000000 --- a/old/provider/acme/store.go +++ /dev/null @@ -1,25 +0,0 @@ -package acme - -// StoredData represents the data managed by the Store -type StoredData struct { - Account *Account - Certificates []*Certificate - HTTPChallenges map[string]map[string][]byte - TLSChallenges map[string]*Certificate -} - -// Store is a generic interface to represents a storage -type Store interface { - GetAccount() (*Account, error) - SaveAccount(*Account) error - GetCertificates() ([]*Certificate, error) - SaveCertificates([]*Certificate) error - - GetHTTPChallengeToken(token, domain string) ([]byte, error) - SetHTTPChallengeToken(token, domain string, keyAuth []byte) error - RemoveHTTPChallengeToken(token, domain string) error - - AddTLSChallenge(domain string, cert *Certificate) error - GetTLSChallenge(domain string) (*Certificate, error) - RemoveTLSChallenge(domain string) error -}