merge (and re-add test.js)
This commit is contained in:
commit
2010797d8a
26
README.md
26
README.md
|
@ -7,39 +7,37 @@
|
||||||
| [letsencrypt-hapi](https://github.com/Daplie/letsencrypt-hapi)
|
| [letsencrypt-hapi](https://github.com/Daplie/letsencrypt-hapi)
|
||||||
|
|
|
|
||||||
|
|
||||||
le-challenge-ddns
|
le-challenge-dns
|
||||||
================
|
================
|
||||||
|
|
||||||
A dns-based strategy for node-letsencrypt for setting, retrieving,
|
**For production** use [`le-challenge-ddns`](https://github.com/Daplie/le-challenge-ddns) (or a similar ddns tool)
|
||||||
|
|
||||||
|
A manual (interactive CLI) dns-based strategy for node-letsencrypt for setting, retrieving,
|
||||||
and clearing ACME DNS-01 challenges issued by the ACME server
|
and clearing ACME DNS-01 challenges issued by the ACME server
|
||||||
|
|
||||||
It creates a subdomain record for `_acme-challenge` with `keyAuthDigest`
|
Prints out a subdomain record for `_acme-challenge` with `keyAuthDigest`
|
||||||
to be tested by the ACME server.
|
to be tested by the ACME server.
|
||||||
|
|
||||||
|
You can then update your DNS manually by whichever method you use and then
|
||||||
|
press [enter] to continue the process.
|
||||||
|
|
||||||
```
|
```
|
||||||
_acme-challenge.example.com TXT xxxxxxxxxxxxxxxx TTL 60
|
_acme-challenge.example.com TXT xxxxxxxxxxxxxxxx TTL 60
|
||||||
```
|
```
|
||||||
|
|
||||||
* Safe to use with node cluster
|
|
||||||
* Safe to use with ephemeral services (Heroku, Joyent, etc)
|
|
||||||
|
|
||||||
Install
|
Install
|
||||||
-------
|
-------
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
npm install --save le-challenge-ddns@2.x
|
npm install --save le-challenge-dns@2.x
|
||||||
```
|
```
|
||||||
|
|
||||||
Usage
|
Usage
|
||||||
-----
|
-----
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
var leChallengeDdns = require('le-challenge-ddns').create({
|
var leChallengeDns = require('le-challenge-dns').create({
|
||||||
email: 'john.doe@example.com'
|
debug: false
|
||||||
, refreshToken: '...'
|
|
||||||
, ttl: 60
|
|
||||||
|
|
||||||
, debug: false
|
|
||||||
});
|
});
|
||||||
|
|
||||||
var LE = require('letsencrypt');
|
var LE = require('letsencrypt');
|
||||||
|
@ -48,7 +46,7 @@ LE.create({
|
||||||
server: LE.stagingServerUrl // Change to LE.productionServerUrl in production
|
server: LE.stagingServerUrl // Change to LE.productionServerUrl in production
|
||||||
, challengeType: 'dns-01'
|
, challengeType: 'dns-01'
|
||||||
, challenges: {
|
, challenges: {
|
||||||
'dns-01': leChallengeDdns
|
'dns-01': leChallengeDns
|
||||||
}
|
}
|
||||||
, approveDomains: [ 'example.com' ]
|
, approveDomains: [ 'example.com' ]
|
||||||
});
|
});
|
||||||
|
|
222
index.js
222
index.js
|
@ -1,200 +1,76 @@
|
||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
// See https://tools.ietf.org/html/draft-ietf-acme-acme-01
|
|
||||||
// also https://gitlab.com/pushrocks/cert/blob/master/ts/cert.hook.ts
|
|
||||||
|
|
||||||
var PromiseA = require('bluebird');
|
var PromiseA = require('bluebird');
|
||||||
var dns = PromiseA.promisifyAll(require('dns'));
|
var dns = PromiseA.promisifyAll(require('dns'));
|
||||||
var DDNS = require('ddns-cli');
|
|
||||||
|
|
||||||
//var count = 0;
|
|
||||||
var defaults = {
|
|
||||||
oauth3: 'oauth3.org'
|
|
||||||
, debug: false
|
|
||||||
, acmeChallengeDns: '_acme-challenge.' // _acme-challenge.example.com TXT xxxxxxxxxxxxxxxx
|
|
||||||
, memstoreConfig: {
|
|
||||||
name: 'le-ddns'
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
var Challenge = module.exports;
|
var Challenge = module.exports;
|
||||||
|
|
||||||
Challenge.create = function (options) {
|
Challenge.create = function (defaults) {
|
||||||
// count += 1;
|
return {
|
||||||
var store = require('cluster-store');
|
getOptions: function () {
|
||||||
var results = {};
|
return defaults || {};
|
||||||
|
|
||||||
Object.keys(Challenge).forEach(function (key) {
|
|
||||||
results[key] = Challenge[key];
|
|
||||||
});
|
|
||||||
results.create = undefined;
|
|
||||||
|
|
||||||
Object.keys(defaults).forEach(function (key) {
|
|
||||||
if (!(key in options)) {
|
|
||||||
options[key] = defaults[key];
|
|
||||||
}
|
}
|
||||||
});
|
, set: Challenge.set
|
||||||
results._options = options;
|
, get: Challenge.get
|
||||||
|
, remove: Challenge.remove
|
||||||
results.getOptions = function () {
|
, loopback: Challenge.loopback
|
||||||
return results._options;
|
, test: Challenge.test
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
// TODO fix race condition at startup
|
// Show the user the token and key and wait for them to be ready to continue
|
||||||
results._memstore = options.memstore;
|
Challenge.set = function (args, domain, challenge, keyAuthorization, cb) {
|
||||||
|
|
||||||
if (!results._memstore) {
|
|
||||||
store.create(options.memstoreConfig).then(function (store) {
|
|
||||||
// same api as new sqlite3.Database(options.filename)
|
|
||||||
|
|
||||||
results._memstore = store;
|
|
||||||
|
|
||||||
// app.use(expressSession({ secret: 'keyboard cat', store: store }));
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
return results;
|
|
||||||
};
|
|
||||||
|
|
||||||
//
|
|
||||||
// NOTE: the "args" here in `set()` are NOT accessible to `get()` and `remove()`
|
|
||||||
// They are provided so that you can store them in an implementation-specific way
|
|
||||||
// if you need access to them.
|
|
||||||
//
|
|
||||||
Challenge.set = function (args, domain, challenge, keyAuthorization, done) {
|
|
||||||
var me = this;
|
|
||||||
// TODO use base64url module
|
|
||||||
var keyAuthDigest = require('crypto').createHash('sha256').update(keyAuthorization||'').digest('base64')
|
var keyAuthDigest = require('crypto').createHash('sha256').update(keyAuthorization||'').digest('base64')
|
||||||
.replace(/\+/g, '-')
|
.replace(/\+/g, '-')
|
||||||
.replace(/\//g, '_')
|
.replace(/\//g, '_')
|
||||||
.replace(/=+$/g, '')
|
.replace(/=+$/g, '')
|
||||||
;
|
;
|
||||||
|
|
||||||
if (!challenge || !keyAuthorization) {
|
|
||||||
console.warn("SANITY FAIL: missing challenge or keyAuthorization", domain, challenge, keyAuthorization);
|
|
||||||
}
|
|
||||||
|
|
||||||
return me._memstore.set(domain, {
|
|
||||||
email: args.email
|
|
||||||
, refreshToken: args.refreshToken
|
|
||||||
, keyAuthDigest: keyAuthDigest
|
|
||||||
}, function (err) {
|
|
||||||
if (err) { done(err); return; }
|
|
||||||
|
|
||||||
var challengeDomain = (args.test || '') + args.acmeChallengeDns + domain;
|
var challengeDomain = (args.test || '') + args.acmeChallengeDns + domain;
|
||||||
var update = {
|
|
||||||
email: args.email
|
|
||||||
, refreshToken: args.refreshToken
|
|
||||||
, silent: true
|
|
||||||
|
|
||||||
, name: challengeDomain
|
console.info("");
|
||||||
, type: "TXT"
|
console.info("Challenge for '" + domain + "'");
|
||||||
, value: keyAuthDigest || challenge
|
console.info("");
|
||||||
, ttl: args.ttl || 0
|
console.info("We now present (for you copy-and-paste pleasure) your ACME Challenge");
|
||||||
};
|
console.info("public Challenge and secret KeyAuthorization and Digest, in that order, respectively:");
|
||||||
|
console.info(challenge);
|
||||||
return DDNS.update(update, {
|
console.info(keyAuthorization);
|
||||||
//debug: true
|
console.info(keyAuthDigest);
|
||||||
}).then(function () {
|
console.info("");
|
||||||
if (args.debug) {
|
console.info(challengeDomain + "\tTXT " + keyAuthDigest + "\tTTL 60");
|
||||||
console.log("Test DNS Record:");
|
console.info("");
|
||||||
console.log("dig TXT +noall +answer @ns1.redirect-www.org '" + challengeDomain + "' # " + challenge);
|
console.info(JSON.stringify({
|
||||||
}
|
domain: domain
|
||||||
done(null, keyAuthDigest);
|
, challenge: challenge
|
||||||
}, function (err) {
|
, keyAuthorization: keyAuthorization
|
||||||
console.error(err);
|
, keyAuthDigest: keyAuthDigest
|
||||||
done(err);
|
}, null, ' ').replace(/^/gm, '\t'));
|
||||||
return PromiseA.reject(err);
|
console.info("");
|
||||||
});
|
console.info("hit enter to continue...");
|
||||||
|
process.stdin.resume();
|
||||||
|
process.stdin.on('data', function () {
|
||||||
|
process.stdin.pause();
|
||||||
|
cb(null);
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// nothing to do here, that's why it's manual
|
||||||
//
|
Challenge.get = function (defaults, domain, challenge, cb) {
|
||||||
// NOTE: the "defaults" here are still merged and templated, just like "args" would be,
|
cb(null);
|
||||||
// but if you specifically need "args" you must retrieve them from some storage mechanism
|
|
||||||
// based on domain and key
|
|
||||||
//
|
|
||||||
Challenge.get = function (defaults, domain, challenge, done) {
|
|
||||||
done = null; // nix linter error for unused vars
|
|
||||||
throw new Error("Challenge.get() does not need an implementation for dns-01. (did you mean Challenge.loopback?)");
|
|
||||||
};
|
};
|
||||||
|
|
||||||
Challenge.remove = function (defaults, domain, challenge, done) {
|
// might as well tell the user that whatever they were setting up has been checked
|
||||||
var me = this;
|
Challenge.remove = function (args, domain, challenge, cb) {
|
||||||
|
console.info("Challenge for '" + domain + "' complete. You may remove it.");
|
||||||
return me._memstore.get(domain, function (err, data) {
|
console.info("");
|
||||||
if (err) { done(err); return; }
|
//console.info("hit enter to continue...");
|
||||||
if (!data) {
|
//process.stdin.resume();
|
||||||
console.warn("[warning] could not remove '" + domain + "': already removed");
|
//process.stdin.on('data', function () {
|
||||||
done(null);
|
// process.stdin.pause();
|
||||||
return;
|
cb(null);
|
||||||
}
|
//});
|
||||||
|
|
||||||
var challengeDomain = (defaults.test || '') + defaults.acmeChallengeDns + domain;
|
|
||||||
|
|
||||||
return DDNS.update({
|
|
||||||
email: data.email
|
|
||||||
, refreshToken: data.refreshToken
|
|
||||||
, silent: true
|
|
||||||
|
|
||||||
, name: challengeDomain
|
|
||||||
, type: "TXT"
|
|
||||||
, value: data.keyAuthDigest || challenge
|
|
||||||
, ttl: defaults.ttl || 0
|
|
||||||
|
|
||||||
, remove: true
|
|
||||||
}, {
|
|
||||||
//debug: true
|
|
||||||
}).then(function () {
|
|
||||||
|
|
||||||
done(null);
|
|
||||||
}, done).then(function () {
|
|
||||||
me._memstore.destroy(domain);
|
|
||||||
});
|
|
||||||
});
|
|
||||||
};
|
};
|
||||||
|
|
||||||
// same as get, but external
|
|
||||||
Challenge.loopback = function (defaults, domain, challenge, done) {
|
Challenge.loopback = function (defaults, domain, challenge, done) {
|
||||||
var challengeDomain = (defaults.test || '') + defaults.acmeChallengeDns + domain;
|
var challengeDomain = (defaults.test || '') + defaults.acmeChallengeDns + domain;
|
||||||
|
console.log("dig TXT +noall +answer @8.8.8.8 '" + challengeDomain + "' # " + challenge);
|
||||||
dns.resolveTxtAsync(challengeDomain).then(function (x) { done(null, x); }, done);
|
dns.resolveTxtAsync(challengeDomain).then(function (x) { done(null, x); }, done);
|
||||||
};
|
};
|
||||||
|
|
||||||
Challenge.test = function (args, domain, challenge, keyAuthorization, done) {
|
|
||||||
var me = this;
|
|
||||||
|
|
||||||
args.test = args.test || '_test.';
|
|
||||||
defaults.test = args.test;
|
|
||||||
|
|
||||||
me.set(args, domain, challenge, keyAuthorization || challenge, function (err, k) {
|
|
||||||
if (err) { done(err); return; }
|
|
||||||
|
|
||||||
me.loopback(defaults, domain, challenge, function (err, arr) {
|
|
||||||
if (err) { done(err); return; }
|
|
||||||
|
|
||||||
if (!arr.some(function (a) {
|
|
||||||
return a.some(function (keyAuthDigest) {
|
|
||||||
return keyAuthDigest === k;
|
|
||||||
});
|
|
||||||
})) {
|
|
||||||
err = new Error("txt record '" + challenge + "' doesn't match '" + k + "'");
|
|
||||||
}
|
|
||||||
|
|
||||||
me.remove(defaults, domain, challenge, function (_err) {
|
|
||||||
if (_err) { done(_err); return; }
|
|
||||||
|
|
||||||
// TODO needs to use native-dns so that specific nameservers can be used
|
|
||||||
// (otherwise the cache will still have the old answer)
|
|
||||||
done(err || null);
|
|
||||||
/*
|
|
||||||
me.loopback(defaults, domain, challenge, function (err) {
|
|
||||||
if (err) { done(err); return; }
|
|
||||||
|
|
||||||
done();
|
|
||||||
});
|
|
||||||
*/
|
|
||||||
});
|
|
||||||
});
|
|
||||||
});
|
|
||||||
};
|
|
||||||
|
|
22
package.json
22
package.json
|
@ -1,14 +1,14 @@
|
||||||
{
|
{
|
||||||
"name": "le-challenge-ddns",
|
"name": "le-challenge-dns",
|
||||||
"version": "2.0.3",
|
"version": "2.1.0",
|
||||||
"description": "A dns-based strategy for node-letsencrypt for setting, retrieving, and clearing ACME DNS-01 challenges issued by the ACME server",
|
"description": "A manual (interactive CLI) dns-based strategy for node-letsencrypt for setting, retrieving, and clearing ACME DNS-01 challenges issued by the ACME server",
|
||||||
"main": "index.js",
|
"main": "index.js",
|
||||||
"scripts": {
|
"scripts": {
|
||||||
"test": "node test.js"
|
"test": "node test.js"
|
||||||
},
|
},
|
||||||
"repository": {
|
"repository": {
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "git+https://github.com/Daplie/le-challenge-ddns.git"
|
"url": "git+https://github.com/Daplie/le-challenge-dns.git"
|
||||||
},
|
},
|
||||||
"keywords": [
|
"keywords": [
|
||||||
"le",
|
"le",
|
||||||
|
@ -16,25 +16,21 @@
|
||||||
"le-challenge",
|
"le-challenge",
|
||||||
"le-challenge-",
|
"le-challenge-",
|
||||||
"le-challenge-dns",
|
"le-challenge-dns",
|
||||||
"le-challenge-ddns",
|
"manual",
|
||||||
|
"interactive",
|
||||||
|
"cli",
|
||||||
"acme",
|
"acme",
|
||||||
"challenge",
|
"challenge",
|
||||||
"dns",
|
"dns",
|
||||||
"ddns",
|
|
||||||
"cluster",
|
"cluster",
|
||||||
"ephemeral"
|
"ephemeral"
|
||||||
],
|
],
|
||||||
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
|
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
|
||||||
"license": "(MIT OR Apache-2.0)",
|
"license": "(MIT OR Apache-2.0)",
|
||||||
"bugs": {
|
"bugs": {
|
||||||
"url": "https://github.com/Daplie/le-challenge-ddns/issues"
|
"url": "https://github.com/Daplie/le-challenge-dns/issues"
|
||||||
},
|
},
|
||||||
"homepage": "https://github.com/Daplie/le-challenge-ddns#readme",
|
"homepage": "https://github.com/Daplie/le-challenge-dns#readme",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"cluster-store": "^2.0.4",
|
|
||||||
"daplie-dns": "git+https://github.com/Daplie/daplie-cli-dns.git#master",
|
|
||||||
"daplie-domains": "git+https://github.com/Daplie/daplie-cli-domains.git#master",
|
|
||||||
"ddns-cli": "git+https://github.com/Daplie/node-ddns-client.git#master",
|
|
||||||
"oauth3-cli": "git+https://github.com/OAuth3/oauth3-cli.git#master"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue