coolaj86
/
acme-dns-01-cli.js
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

merge (and re-add test.js)

This commit is contained in:
AJ ONeal 2016-10-17 15:31:04 -06:00
parent 56055eaedc 48743260eb
commit 2010797d8a
3 changed files with 69 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
README.md
View File

@ -7,39 +7,37 @@
| [letsencrypt-hapi](https://github.com/Daplie/letsencrypt-hapi) | [letsencrypt-hapi](https://github.com/Daplie/letsencrypt-hapi)
| |
le-challenge-ddns le-challenge-dns
================ ================
A dns-based strategy for node-letsencrypt for setting, retrieving, **For production** use [`le-challenge-ddns`](https://github.com/Daplie/le-challenge-ddns) (or a similar ddns tool)
A manual (interactive CLI) dns-based strategy for node-letsencrypt for setting, retrieving,
and clearing ACME DNS-01 challenges issued by the ACME server and clearing ACME DNS-01 challenges issued by the ACME server
It creates a subdomain record for `_acme-challenge` with `keyAuthDigest` Prints out a subdomain record for `_acme-challenge` with `keyAuthDigest`
to be tested by the ACME server. to be tested by the ACME server.
You can then update your DNS manually by whichever method you use and then
press [enter] to continue the process.
``` ```
_acme-challenge.example.com TXT xxxxxxxxxxxxxxxx TTL 60 _acme-challenge.example.com TXT xxxxxxxxxxxxxxxx TTL 60
``` ```
* Safe to use with node cluster
* Safe to use with ephemeral services (Heroku, Joyent, etc)
Install Install
------- -------
```bash ```bash
npm install --save le-challenge-ddns@2.x npm install --save le-challenge-dns@2.x
``` ```
Usage Usage
----- -----
```bash ```bash
var leChallengeDdns = require('le-challenge-ddns').create({ var leChallengeDns = require('le-challenge-dns').create({
email: 'john.doe@example.com' debug: false
, refreshToken: '...'
, ttl: 60
, debug: false
}); });
var LE = require('letsencrypt'); var LE = require('letsencrypt');
@ -48,7 +46,7 @@ LE.create({
server: LE.stagingServerUrl // Change to LE.productionServerUrl in production server: LE.stagingServerUrl // Change to LE.productionServerUrl in production
, challengeType: 'dns-01' , challengeType: 'dns-01'
, challenges: { , challenges: {
'dns-01': leChallengeDdns 'dns-01': leChallengeDns
} }
, approveDomains: [ 'example.com' ] , approveDomains: [ 'example.com' ]
}); });

220
index.js
View File

@ -1,200 +1,76 @@
'use strict'; 'use strict';
// See https://tools.ietf.org/html/draft-ietf-acme-acme-01
// also https://gitlab.com/pushrocks/cert/blob/master/ts/cert.hook.ts
var PromiseA = require('bluebird'); var PromiseA = require('bluebird');
var dns = PromiseA.promisifyAll(require('dns')); var dns = PromiseA.promisifyAll(require('dns'));
var DDNS = require('ddns-cli');
//var count = 0;
var defaults = {
oauth3: 'oauth3.org'
, debug: false
, acmeChallengeDns: '_acme-challenge.' // _acme-challenge.example.com TXT xxxxxxxxxxxxxxxx
, memstoreConfig: {
name: 'le-ddns'
}
};
var Challenge = module.exports; var Challenge = module.exports;
Challenge.create = function (options) { Challenge.create = function (defaults) {
// count += 1; return {
var store = require('cluster-store'); getOptions: function () {
var results = {}; return defaults || {};
Object.keys(Challenge).forEach(function (key) {
results[key] = Challenge[key];
});
results.create = undefined;
Object.keys(defaults).forEach(function (key) {
if (!(key in options)) {
options[key] = defaults[key];
} }
}); , set: Challenge.set
results._options = options; , get: Challenge.get
, remove: Challenge.remove
results.getOptions = function () { , loopback: Challenge.loopback
return results._options; , test: Challenge.test
}; };
// TODO fix race condition at startup
results._memstore = options.memstore;
if (!results._memstore) {
store.create(options.memstoreConfig).then(function (store) {
// same api as new sqlite3.Database(options.filename)
results._memstore = store;
// app.use(expressSession({ secret: 'keyboard cat', store: store }));
});
}
return results;
}; };
// // Show the user the token and key and wait for them to be ready to continue
// NOTE: the "args" here in `set()` are NOT accessible to `get()` and `remove()` Challenge.set = function (args, domain, challenge, keyAuthorization, cb) {
// They are provided so that you can store them in an implementation-specific way
// if you need access to them.
//
Challenge.set = function (args, domain, challenge, keyAuthorization, done) {
var me = this;
// TODO use base64url module
var keyAuthDigest = require('crypto').createHash('sha256').update(keyAuthorization||'').digest('base64') var keyAuthDigest = require('crypto').createHash('sha256').update(keyAuthorization||'').digest('base64')
.replace(/\+/g, '-') .replace(/\+/g, '-')
.replace(/\//g, '_') .replace(/\//g, '_')
.replace(/=+$/g, '') .replace(/=+$/g, '')
; ;
if (!challenge || !keyAuthorization) {
console.warn("SANITY FAIL: missing challenge or keyAuthorization", domain, challenge, keyAuthorization);
}
return me._memstore.set(domain, {
email: args.email
, refreshToken: args.refreshToken
, keyAuthDigest: keyAuthDigest
}, function (err) {
if (err) { done(err); return; }
var challengeDomain = (args.test || '') + args.acmeChallengeDns + domain; var challengeDomain = (args.test || '') + args.acmeChallengeDns + domain;
var update = {
email: args.email
, refreshToken: args.refreshToken
, silent: true
, name: challengeDomain console.info("");
, type: "TXT" console.info("Challenge for '" + domain + "'");
, value: keyAuthDigest || challenge console.info("");
, ttl: args.ttl || 0 console.info("We now present (for you copy-and-paste pleasure) your ACME Challenge");
}; console.info("public Challenge and secret KeyAuthorization and Digest, in that order, respectively:");
console.info(challenge);
return DDNS.update(update, { console.info(keyAuthorization);
//debug: true console.info(keyAuthDigest);
}).then(function () { console.info("");
if (args.debug) { console.info(challengeDomain + "\tTXT " + keyAuthDigest + "\tTTL 60");
console.log("Test DNS Record:"); console.info("");
console.log("dig TXT +noall +answer @ns1.redirect-www.org '" + challengeDomain + "' # " + challenge); console.info(JSON.stringify({
} domain: domain
done(null, keyAuthDigest); , challenge: challenge
}, function (err) { , keyAuthorization: keyAuthorization
console.error(err); , keyAuthDigest: keyAuthDigest
done(err); }, null, ' ').replace(/^/gm, '\t'));
return PromiseA.reject(err); console.info("");
}); console.info("hit enter to continue...");
process.stdin.resume();
process.stdin.on('data', function () {
process.stdin.pause();
cb(null);
}); });
}; };
// nothing to do here, that's why it's manual
// Challenge.get = function (defaults, domain, challenge, cb) {
// NOTE: the "defaults" here are still merged and templated, just like "args" would be, cb(null);
// but if you specifically need "args" you must retrieve them from some storage mechanism
// based on domain and key
//
Challenge.get = function (defaults, domain, challenge, done) {
done = null; // nix linter error for unused vars
throw new Error("Challenge.get() does not need an implementation for dns-01. (did you mean Challenge.loopback?)");
}; };
Challenge.remove = function (defaults, domain, challenge, done) { // might as well tell the user that whatever they were setting up has been checked
var me = this; Challenge.remove = function (args, domain, challenge, cb) {
console.info("Challenge for '" + domain + "' complete. You may remove it.");
return me._memstore.get(domain, function (err, data) { console.info("");
if (err) { done(err); return; } //console.info("hit enter to continue...");
if (!data) { //process.stdin.resume();
console.warn("[warning] could not remove '" + domain + "': already removed"); //process.stdin.on('data', function () {
done(null); // process.stdin.pause();
return; cb(null);
} //});
var challengeDomain = (defaults.test || '') + defaults.acmeChallengeDns + domain;
return DDNS.update({
email: data.email
, refreshToken: data.refreshToken
, silent: true
, name: challengeDomain
, type: "TXT"
, value: data.keyAuthDigest || challenge
, ttl: defaults.ttl || 0
, remove: true
}, {
//debug: true
}).then(function () {
done(null);
}, done).then(function () {
me._memstore.destroy(domain);
});
});
}; };
// same as get, but external
Challenge.loopback = function (defaults, domain, challenge, done) { Challenge.loopback = function (defaults, domain, challenge, done) {
var challengeDomain = (defaults.test || '') + defaults.acmeChallengeDns + domain; var challengeDomain = (defaults.test || '') + defaults.acmeChallengeDns + domain;
console.log("dig TXT +noall +answer @8.8.8.8 '" + challengeDomain + "' # " + challenge);
dns.resolveTxtAsync(challengeDomain).then(function (x) { done(null, x); }, done); dns.resolveTxtAsync(challengeDomain).then(function (x) { done(null, x); }, done);
}; };
Challenge.test = function (args, domain, challenge, keyAuthorization, done) {
var me = this;
args.test = args.test || '_test.';
defaults.test = args.test;
me.set(args, domain, challenge, keyAuthorization || challenge, function (err, k) {
if (err) { done(err); return; }
me.loopback(defaults, domain, challenge, function (err, arr) {
if (err) { done(err); return; }
if (!arr.some(function (a) {
return a.some(function (keyAuthDigest) {
return keyAuthDigest === k;
});
})) {
err = new Error("txt record '" + challenge + "' doesn't match '" + k + "'");
}
me.remove(defaults, domain, challenge, function (_err) {
if (_err) { done(_err); return; }
// TODO needs to use native-dns so that specific nameservers can be used
// (otherwise the cache will still have the old answer)
done(err || null);
/*
me.loopback(defaults, domain, challenge, function (err) {
if (err) { done(err); return; }
done();
});
*/
});
});
});
};

22
package.json
View File

@ -1,14 +1,14 @@
{ {
"name": "le-challenge-ddns", "name": "le-challenge-dns",
"version": "2.0.3", "version": "2.1.0",
"description": "A dns-based strategy for node-letsencrypt for setting, retrieving, and clearing ACME DNS-01 challenges issued by the ACME server", "description": "A manual (interactive CLI) dns-based strategy for node-letsencrypt for setting, retrieving, and clearing ACME DNS-01 challenges issued by the ACME server",
"main": "index.js", "main": "index.js",
"scripts": { "scripts": {
"test": "node test.js" "test": "node test.js"
}, },
"repository": { "repository": {
"type": "git", "type": "git",
"url": "git+https://github.com/Daplie/le-challenge-ddns.git" "url": "git+https://github.com/Daplie/le-challenge-dns.git"
}, },
"keywords": [ "keywords": [
"le", "le",
@ -16,25 +16,21 @@
"le-challenge", "le-challenge",
"le-challenge-", "le-challenge-",
"le-challenge-dns", "le-challenge-dns",
"le-challenge-ddns", "manual",
"interactive",
"cli",
"acme", "acme",
"challenge", "challenge",
"dns", "dns",
"ddns",
"cluster", "cluster",
"ephemeral" "ephemeral"
], ],
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)", "author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
"license": "(MIT OR Apache-2.0)", "license": "(MIT OR Apache-2.0)",
"bugs": { "bugs": {
"url": "https://github.com/Daplie/le-challenge-ddns/issues" "url": "https://github.com/Daplie/le-challenge-dns/issues"
}, },
"homepage": "https://github.com/Daplie/le-challenge-ddns#readme", "homepage": "https://github.com/Daplie/le-challenge-dns#readme",
"dependencies": { "dependencies": {
"cluster-store": "^2.0.4",
"daplie-dns": "git+https://github.com/Daplie/daplie-cli-dns.git#master",
"daplie-domains": "git+https://github.com/Daplie/daplie-cli-domains.git#master",
"ddns-cli": "git+https://github.com/Daplie/node-ddns-client.git#master",
"oauth3-cli": "git+https://github.com/OAuth3/oauth3-cli.git#master"
} }
} }