diff options
-rw-r--r-- | macir.rb | 315 |
1 files changed, 209 insertions, 106 deletions
@@ -1,104 +1,109 @@ #!/usr/bin/ruby +# frozen_string_literal: true + require 'yaml' require 'openssl' require 'acme-client' require 'dnsruby' require 'time' +require 'English' -def read_config( path = 'config.yaml' ) +def read_config(path = 'config.yaml') p "Reading config from #{path}" - begin - config = YAML.load_file( path ) - rescue Psych::SyntaxError - $stderr.puts "Parsing configfile failed: " + $!.to_s - raise - rescue Errno::ENOENT - $stderr.puts "IO failed: " + $!.to_s - raise - end - return config + YAML.load_file(path) +rescue Psych::SyntaxError => e + warn "Parsing configfile failed: #{e}" + raise +rescue Errno::ENOENT => e + warn "IO failed: #{e}" + raise end -def ensure_cert_dir( path = './certs' ) - if not File.exist?( path ) +def ensure_cert_dir(path = './certs') + unless File.exist?(path) puts 'Certificate directory does not exist. Creating with secure permissions.' - Dir.mkdir( path, 0700 ) - File.chmod( 0700, path ) - end - if File.world_writable?( path ) - $stderr.puts "WARNING! Certificate directory is world writable! This could be a serious security issue!" - end - if File.world_readable?( path ) - $stderr.puts "WARNING! Certificate directory is world readable! This could be a serious security issue!" - end - if File.file?( path ) - raise( 'Certificate directory is not a directory but a file. Aborting.' ) - end - if not File.writable?( path ) - raise( 'Certificate directory is not writable. Aborting.' ) + Dir.mkdir(path, 0o0700) end + File.world_writable?(path) && warn('WARNING! Certificate directory is world writable! This could be a serious security issue!') + File.world_readable?(path) && warn('WARNING! Certificate directory is world readable! This could be a serious security issue!') + File.file?(path) && raise('Certificate directory is not a directory but a file. Aborting.') + File.writable?(path) || raise('Certificate directory is not writable. Aborting.') end -def read_account_key( path = 'pkey.pem' ) +def read_account_key(path = 'pkey.pem') p "Reading account key from #{path}" - if File.readable?( path ) + if File.readable?(path) p "File #{path} is readable, trying to parse" - privatekey_string = File.read( path ) - private_key = OpenSSL::PKey::EC.new( privatekey_string ) + privatekey_string = File.read(path) + private_key = OpenSSL::PKey::EC.new(privatekey_string) + elsif File.exist?(path) + raise("The file #{path} exists but is not readable. Make it readable or specify different path") else - if File.exists?( path ) - raise( "The file #{path} exists but is not readable. Make it readable or specify different path" ) - else - p "File #{path} does not exist, trying to create" - private_key = OpenSSL::PKey::EC.generate( "prime256v1" ) - File.write( path, private_key.private_to_pem ) - end + p "File #{path} does not exist, trying to create" + private_key = OpenSSL::PKey::EC.generate('prime256v1') + File.write(path, private_key.private_to_pem) end return private_key end -def read_cert_key( cert_name ) +def read_cert_key(cert_name) folder = "./certs/#{cert_name}/" path = "#{folder}/current.key" p "cert_name #{cert_name}: Reading cert key from #{path}" - if File.readable?( path ) + if File.readable?(path) p "cert_name #{cert_name}: File #{path} is readable, trying to parse" - privatekey_string = File.read( path ) - private_key = OpenSSL::PKey::EC.new( privatekey_string ) + privatekey_string = File.read(path) + private_key = OpenSSL::PKey::EC.new(privatekey_string) + elsif File.exist?(path) + raise("cert_name #{cert_name}: The file #{path} exists but is not readable. Make it readable or specify different path") else - if File.exists?( path ) - raise( "cert_name #{cert_name}: The file #{path} exists but is not readable. Make it readable or specify different path" ) - else - p "cert_name #{cert_name}: File #{path} does not exist, trying to create" - private_key = OpenSSL::PKey::EC.generate( "prime256v1" ) - pkey_file = File.new( folder + Time.now.to_i.to_s + ".key", 'w' ) - pkey_file.write( private_key.private_to_pem ) - File.symlink( File.basename( pkey_file ), File.dirname( pkey_file ) + "/current.key" ) - end + p "cert_name #{cert_name}: File #{path} does not exist, trying to create" + private_key = OpenSSL::PKey::EC.generate('prime256v1') + pkey_file = File.new("#{folder}#{Time.now.to_i}.key", 'w') + pkey_file.write(private_key.private_to_pem) + File.symlink(File.basename(pkey_file), "#{File.dirname(pkey_file)}/current.key") end return private_key end -def deploy_dns01_challenge_token( domain, challenge, nameserver, config ) +def lookup_soa(domain) + rec = Dnsruby::Recursor.new + p "Domain #{domain}: Getting SOA records for #{domain}" + rec.query_no_validation_or_recursion(domain, 'SOA') +rescue StandardError => e + warn "Domain #{domain}: SOA lookup during deploy failed: #{e}" + raise +end + +def find_apex_domain(domain) + domain_soa_resp = lookup_soa(domain) + if domain_soa_resp.answer.empty? + domain_soa_resp.authority[0].name + else + domain_soa_resp.answer[0].name + end +end + +def deploy_dns01_challenge_token(domain, challenge, nameserver, config) p "Domain #{domain}: Creating DNS UPDATE packet" - update = Dnsruby::Update.new( domain ) + + apex_domain = find_apex_domain(domain) + + update = Dnsruby::Update.new(apex_domain) # TODO: delete challenge token record after validation - update.delete( challenge.record_name + "." + domain, challenge.record_type ) - update.add( challenge.record_name + "." + domain, challenge.record_type, 10, challenge.record_content ) + update.delete("#{challenge.record_name}.#{domain}", challenge.record_type) + update.add("#{challenge.record_name}.#{domain}", challenge.record_type, 10, challenge.record_content) p "Domain #{domain}: Creating object for contacting nameserver" - res = Dnsruby::Resolver.new( nameserver ) + res = Dnsruby::Resolver.new(nameserver) res.dnssec = false p "Domain #{domain}: Looking up TSIG parameters" - tsig_name = config.dig( 'domains', domain, 'tsig_key' ) || config.dig( 'defaults', 'domains', 'tsig_key' ) - tsig_key = config.dig( 'tsig_keys', tsig_name, 'key' ) - tsig_alg = config.dig( 'tsig_keys', tsig_name, 'algorithm' ) - p tsig_name - p tsig_key - p tsig_alg + tsig_name = config.dig('domains', domain, 'tsig_key') || config.dig('defaults', 'domains', 'tsig_key') + tsig_key = config.dig('tsig_keys', tsig_name, 'key') + tsig_alg = config.dig('tsig_keys', tsig_name, 'algorithm') p "Domain #{domain}: Creating TSIG object" tsig = Dnsruby::RR.create( @@ -112,22 +117,38 @@ def deploy_dns01_challenge_token( domain, challenge, nameserver, config ) p "Domain #{domain}: Signing DNS UPDATE packet with TSIG object" tsig.apply(update) - p update p "Domain #{domain}: Sending UPDATE to nameserver" + res.send_message(update) +rescue StandardError => e + warn "Domain #{domain}: DNS Update failed: #{e}" + raise +end + +def wait_for_challenge_propagation(domain, challenge) + rec = Dnsruby::Recursor.new + p "Domain #{domain}: Getting SOA records for #{domain}" begin - response = res.send_message(update) - rescue Exception - $stderr.puts "Domain #{domain}: IO failed: " + $!.to_s + domain_soa_resp = rec.query_no_validation_or_recursion(domain, 'SOA') + rescue StandardError => e + warn "Domain #{domain}: SOA lookup during propagation wait failed: #{e}" raise end -end + apex_domain = if domain_soa_resp.answer.empty? + domain_soa_resp.authority[0].name + else + domain_soa_resp.answer[0].name + end -def wait_for_challenge_propagation( domain, challenge ) p "Domain #{domain}: Creating recursor object for checking challenge propagation" rec = Dnsruby::Recursor.new - p "Domain #{domain}: Getting NS records for #{domain}" - domain_auth_ns = rec.query_no_validation_or_recursion( domain, "NS" ) + p "Domain #{domain}: Getting NS records for #{apex_domain}" + begin + domain_auth_ns = rec.query_no_validation_or_recursion(apex_domain, 'NS') + rescue StandardError => e + warn "Domain #{domain}: NS lookup failed: #{e}" + raise + end p "Domain #{domain}: Checking challenge status on all NS" @@ -137,65 +158,121 @@ def wait_for_challenge_propagation( domain, challenge ) threads << Thread.new(ns) do |my_ns| nameserver = my_ns.rdata.to_s p "Domain #{domain}: Creating resolver object for checking propagation on #{nameserver}" - res = Dnsruby::Resolver.new( nameserver ) + res = Dnsruby::Resolver.new(nameserver) res.dnssec = false res.do_caching = false begin p "Domain #{domain}: Querying ACME challenge record" - result = res.query_no_validation_or_recursion( "_acme-challenge." + domain, "TXT" ) + begin + result = res.query_no_validation_or_recursion("_acme-challenge.#{domain}", 'TXT') + rescue Dnsruby::NXDomain + p "Domain #{domain}: Not yet propagated, sleeping before checking again" + Thread.pass + sleep(0.1) + retry + rescue StandardError => e + warn "Domain #{domain}: ACME challenge lookup failed: #{e}" + raise + end # p result propagated = result.answer.any? do |answer| answer.rdata[0] == challenge.record_content end unless propagated p "Domain #{domain}: Not yet propagated, sleeping before checking again" - sleep(1) + Thread.pass + sleep(0.1) end end until propagated end end - threads.each { |thread| thread.join } + threads.each(&:join) end -def wait_for_challenge_validation( challenge ) +def wait_for_challenge_validation(challenge) p 'Requesting validation of challenge' - challenge.request_validation + begin + retries ||= 0 + challenge.request_validation + rescue Acme::Client::Error::BadNonce + retries += 1 + p 'Retrying because of invalid nonce.' + retry if retries <= 5 + end while challenge.status == 'pending' p 'Sleeping because challenge validation is pending' sleep(1) p 'Checking again' - challenge.reload + begin + retries ||= 0 + challenge.reload + rescue Acme::Client::Error::BadNonce + retries += 1 + p 'Retrying because of invalid nonce.' + retry if retries <= 5 + end end end -def get_cert( order, cert_name, domains, domain_key ) +def get_cert(order, cert_name, domains, domain_key) path = "./certs/#{cert_name}/" crt_file = "#{path}/cert.pem" p "Cert #{cert_name}: Creating CSR object" csr = Acme::Client::CertificateRequest.new( private_key: domain_key, names: domains, - subject: { common_name: "#{domains[0]}" } + subject: { common_name: domains[0] } ) p "Cert #{cert_name}: Finalize cert order" - order.finalize(csr: csr) + begin + retries ||= 0 + order.reload + rescue Acme::Client::Error::BadNonce + retries += 1 + p 'Retrying because of invalid nonce.' + retry if retries <= 5 + end + begin + retries ||= 0 + order.finalize(csr: csr) + rescue Acme::Client::Error::BadNonce + retries += 1 + p 'Retrying because of invalid nonce.' + retry if retries <= 5 + end while order.status == 'processing' p "Cert #{cert_name}: Sleep while order is processing" sleep(1) p "Cert #{cert_name}: Rechecking order status" - order.reload + begin + retries ||= 0 + order.reload + rescue Acme::Client::Error::BadNonce + retries += 1 + p 'Retrying because of invalid nonce.' + retry if retries <= 5 + end + end + # p "order status: #{order.status}" + # pp order + begin + retries ||= 0 + cert = order.certificate + rescue Acme::Client::Error::BadNonce + retries += 1 + p 'Retrying because of invalid nonce.' + retry if retries <= 5 end - cert = order.certificate p "Cert #{cert_name}: Writing cert" - cert_file = File.new( path + Time.now.to_i.to_s + ".crt", 'w' ) - cert_file.write( cert ) - if File.symlink?( File.dirname( cert_file ) + "/current.crt" ) - File.unlink( File.dirname( cert_file ) + "/current.crt" ) - File.symlink( File.basename( cert_file ), File.dirname( cert_file ) + "/current.crt" ) - elsif File.file?( File.dirname( cert_file ) + "/current.crt" ) + cert_file = File.new(path + Time.now.to_i.to_s + ".crt", 'w') + cert_file.write(cert) + if File.symlink?(File.dirname(cert_file) + "/current.crt") + File.unlink(File.dirname(cert_file) + "/current.crt") + File.symlink(File.basename(cert_file), File.dirname(cert_file) + "/current.crt") + elsif File.file?(File.dirname(cert_file) + "/current.crt") raise 'Could not place symlink for "current.crt" because that is already a normal file.' end return cert @@ -206,63 +283,89 @@ config = read_config cert_dir = config.dig('global', 'cert_dir') || './certs/' -ensure_cert_dir( cert_dir ) +ensure_cert_dir(cert_dir) acme_threads = [] # iterate over configured certs # TODO: make this one thread per cert config['certs'].each_pair do |cert_name, cert_opts| acme_threads << Thread.new(cert_name, cert_opts) do |cert_name, cert_opts| - ensure_cert_dir( cert_dir + cert_name ) + ensure_cert_dir(cert_dir + cert_name) p "Cert #{cert_name}: Finding CA to use for cert" - cert_ca = cert_opts['ca'] || config.dig( 'defaults', 'certs', 'ca' ) + cert_ca = cert_opts['ca'] || config.dig('defaults', 'certs', 'ca') cert_ca_name = cert_ca['name'] cert_ca_account = cert_ca['account'] p "Cert #{cert_name}: Finding directory URL for CA" - acme_directory_url = config.dig( 'CAs', cert_ca_name, 'directory_url' ) + acme_directory_url = config.dig('CAs', cert_ca_name, 'directory_url') p "Cert #{cert_name}: Finding account to use for cert #{cert_name} from CA #{cert_ca_name}" - account = config.dig( 'ca_accounts', cert_ca_account ) + account = config.dig('ca_accounts', cert_ca_account) email = account['email'] - private_key = read_account_key( account['keyfile'] ) + private_key = read_account_key(account['keyfile']) p "Cert #{cert_name}: Creating client object for communication with CA" - client = Acme::Client.new( private_key: private_key, directory: acme_directory_url ) - - client.new_account(contact: "mailto:#{email}", terms_of_service_agreed: true) + client = Acme::Client.new(private_key: private_key, directory: acme_directory_url) + + begin + retries ||= 0 + client.new_account(contact: "mailto:#{email}", terms_of_service_agreed: true) + rescue Acme::Client::Error::BadNonce + retries += 1 + p 'Retrying because of invalid nonce.' + retry if retries <= 5 + end p "Cert #{cert_name}: Creating order object for cert #{cert_name}" - order = client.new_order(identifiers: cert_opts['domain_names'] ) + begin + retries ||= 0 + order = client.new_order(identifiers: cert_opts['domain_names']) + rescue Acme::Client::Error::BadNonce + retries += 1 + p 'Retrying because of invalid nonce.' + retry if retries <= 5 + end + p "Cert #{cert_name}: order status" p order.status + if order.status != 'ready' p "Cert #{cert_name}: Order is not ready, we need to authorize first" p "Cert #{cert_name}: Iterating over required authorizations" - order.authorizations.each do |auth| + begin + retries ||= 0 + auths = order.authorizations + rescue Acme::Client::Error::BadNonce + retries += 1 + p 'Retrying because of invalid nonce.' + retry if retries <= 5 + end + auths.each do |auth| p "Cert #{cert_name}: Processing authorization for #{auth.domain}" p "Cert #{cert_name}: Finding challenge type for #{auth.domain}" + # p "Cert #{cert_name}: auth is:" + # pp auth if auth.status == 'valid' p "Cert #{cert_name}: Authorization for #{auth.domain} is still valid, skipping" next end challenge = auth.dns01 - primary_ns = config.dig( 'domains', auth.domain, 'primary_ns' ) || config.dig( 'defaults', 'domains', 'primary_ns' ) - deploy_dns01_challenge_token( auth.domain, challenge, primary_ns, config ) - wait_for_challenge_propagation( auth.domain, challenge ) - wait_for_challenge_validation( challenge ) + primary_ns = config.dig('domains', auth.domain, 'primary_ns') || config.dig('defaults', 'domains', 'primary_ns') + deploy_dns01_challenge_token(auth.domain, challenge, primary_ns, config) + wait_for_challenge_propagation(auth.domain, challenge) + wait_for_challenge_validation(challenge) end else p "Cert #{cert_name}: Order is ready, we don’t need to authorize" end - domain_key = read_cert_key( cert_name ) + domain_key = read_cert_key(cert_name) - get_cert( order, cert_name, cert_opts['domain_names'], domain_key ) + get_cert(order, cert_name, cert_opts['domain_names'], domain_key) end end -acme_threads.each { |thread| thread.join } +acme_threads.each(&:join) |