Browse Source

mirror greenlock to unscoped npm package

npm
AJ ONeal 4 years ago
parent
commit
2585997138
  1. 517
      MIGRATION_GUIDE_V2_V3.md
  2. 4
      README.md
  3. 219
      accounts.js
  4. 378
      bin/certonly.js
  5. 234
      bin/cli.js
  6. 13
      bin/greenlock.js
  7. 318
      certificates.js
  8. 96
      challenges-underlay.js
  9. 58
      errors.js
  10. 682
      greenlock.js
  11. BIN
      logo/beaker-browser-301x112.png
  12. BIN
      logo/from-not-secure-to-secure-url-bar.png
  13. BIN
      logo/greenlock-1063x250.png
  14. BIN
      logo/greenlock-850x200.png
  15. BIN
      logo/ibm-301x112.png
  16. BIN
      logo/telebit-301x112.png
  17. 258
      manager-underlay.js
  18. 95
      order.js
  19. 331
      plugins.js
  20. 16
      publish.sh
  21. 54
      tests/index.js
  22. 7
      user-events.js
  23. 281
      utils.js

517
MIGRATION_GUIDE_V2_V3.md

@ -1,517 +0,0 @@
# Migrating from Greenlock v2 to v3
**Greenlock Express** uses Greenlock directly, the same as before.
All options described for `Greenlock.create({...})` also apply to the Greenlock Express `init()` callback.
# Overview of Major Differences
- Reduced API
- No code in the config
- (config is completely serializable)
- Manager callbacks replace `approveDomains`
- Greenlock Express does more, with less config
- cluster is supported out-of-the-box
- high-performance
- scalable
- ACME challenges are simplified
- init
- zones (dns-01)
- set
- get
- remove
- Store callbacks are simplified
- accounts
- checkKeypairs
- certificates
- checkKeypairs
- check
- set
# Greenlock JavaScript API greatly reduced
Whereas before there were many different methods with nuance differences,
now there's just `create`, `get`, `renew`, and sometimes `add` ().
- Greenlock.create({ maintainerEmail, packageAgent, notify })
- Greenlock.get({ servername, wildname, duplicate, force })
- (just a convenience wrapper around renew)
- Greenlock.renew({ subject, altnames, issuedBefore, expiresAfter })
- (retrieves, issues, renews, all-in-one)
- _optional_ Greenlock.add({ subject, altnames, subscriberEmail })
- (partially replaces `approveDomains`)
Also, some disambiguation on terms:
- `domains` was often ambiguous and confusing, it has been replaced by:
- `subject` refers to the subject of a certificate - the primary domain
- `altnames` refers to the domains in the SAN (Subject Alternative Names) section of the certificate
- `servername` refers to the TLS (SSL) SNI (Server Name Indication) request for a cetificate
- `wildname` refers to the wildcard version of the servername (ex: `www.example.com => *.example.com`)
When you create an instance of Greenlock, you only supply package and maintainer info.
All other configuration is A) optional and B) handled by the _Manager_.
```js
'use strict';
var pkg = require('./package.json');
var Greenlock = require('greenlock');
var greenlock = Greenlock.create({
// used for the ACME client User-Agent string as per RFC 8555 and RFC 7231
packageAgent: pkg.name + '/' + pkg.version,
// used as the contact for critical bug and security notices
// should be the same as pkg.author.email
maintainerEmail: 'jon@example.com',
// used for logging background events and errors
notify: function(ev, args) {
if ('error' === ev || 'warning' === ev) {
console.error(ev, args);
return;
}
console.info(ev, args);
}
});
```
By default **no certificates will be issued**. See the _manager_ section.
When you want to get a single certificate, you use `get`, which will:
- will return null if neither the `servername` or its `wildname` (wildcard) variant can be found
- retrieve a non-expired certificate, if possible
- will renew the certificate in the background, if stale
- will wait for the certificate to be issued if new
```js
greenlock
.get({ servername: 'www.example.com' })
.then(function(result) {
if (!result) {
// certificate is not on the approved list
return null;
}
var fullchain = result.pems.cert + '\n' + result.pems.chain + '\n';
var privkey = result.pems.privkey;
return {
fullchain: fullchain,
privkey: privkey
};
})
.catch(function(e) {
// something went wrong in the renew process
console.error(e);
});
```
By default **no certificates will be issued**. See the _manager_ section.
When you want to renew certificates, _en masse_, you use `renew`, which will:
- check all certificates matching the given criteria
- only renew stale certificates by default
- return error objects (will NOT throw exception for failed renewals)
```js
greenlock
.renew({})
.then(function(results) {
if (!result.length) {
// no certificates found
return null;
}
// [{ site, error }]
return results;
})
.catch(function(e) {
// an unexpected error, not related to renewal
console.error(e);
});
```
Options:
| Option | Description |
| ------------- | -------------------------------------------------------------------------- |
| `altnames` | only check and renew certs matching these altnames (including wildcards) |
| `renewBefore` | only check and renew certs marked for renewal before the given date, in ms |
| `duplicate` | renew certificates regardless of timing |
| `force` | allow silly things, like tiny `renewOffset`s |
By default **no certificates will be issued**. See the _manager_ section.
# Greenlock Express Example
The options that must be returned from `init()` are the same that are used in `Greenlock.create()`,
with a few extra that are specific to Greenlock Express:
```js
require('@root/greenlock-express')
.init(function() {
// This object will be passed to Greenlock.create()
var options = {
// some options, like cluster, are special to Greenlock Express
cluster: false,
// The rest are the same as for Greenlock
packageAgent: pkg.name + '/' + pkg.version,
maintainerEmail: 'jon@example.com',
notify: function(ev, args) {
console.info(ev, args);
}
};
return options;
})
.serve(function(glx) {
// will start servers on port 80 and 443
glx.serveApp(function(req, res) {
res.end('Hello, Encrypted World!');
});
// you can get access to the raw server (i.e. for websockets)
glx.httpsServer(); // returns raw server object
});
```
# _Manager_ replaces `approveDomains`
`approveDomains` was always a little confusing. Most people didn't need it.
Instead, now there is a simple config file that will work for most people,
as well as a set of callbacks for easy configurability.
### Default Manager
The default manager is `greenlock-manager-fs` and the default `configFile` is `~/.config/greenlock/manager.json`.
The config file should look something like this:
`~/.config/greenlock/manager.json`:
```json
{
"subscriberEmail": "jon@example.com",
"agreeToTerms": true,
"sites": {
"example.com": {
"subject": "example.com",
"altnames": ["example.com", "www.example.com"]
}
}
}
```
You can specify a `acme-dns-01-*` or `acme-http-01-*` challenge plugin globally, or per-site.
```json
{
"subscriberEmail": "jon@example.com",
"agreeToTerms": true,
"sites": {
"example.com": {
"subject": "example.com",
"altnames": ["example.com", "www.example.com"],
"challenges": {
"dns-01": {
"module": "acme-dns-01-digitalocean",
"token": "apikey-xxxxx"
}
}
}
}
}
```
The same is true with `greenlock-store-*` plugins:
```json
{
"subscriberEmail": "jon@example.com",
"agreeToTerms": true,
"sites": {
"example.com": {
"subject": "example.com",
"altnames": ["example.com", "www.example.com"]
}
},
"store": {
"module": "greenlock-store-fs",
"basePath": "~/.config/greenlock"
}
}
```
### Customer Manager, the lazy way
At the very least you have to implement `find({ servername })`.
Since this is a very common use case, it's supported out of the box as part of the default manager plugin:
```js
var greenlock = Greenlock.create({
packageAgent: pkg.name + '/' + pkg.version,
maintainerEmail: 'jon@example.com',
notify: notify,
find: find
});
// In the simplest case you can ignore all incoming options
// and return a single site config in the same format as the config file
function find(options) {
var servername = options.servername; // www.example.com
var wildname = options.wildname; // *.example.com
return Promise.resolve([
{ subject: 'example.com', altnames: ['example.com', 'www.example.com'] }
]);
}
function notify(ev, args) {
if ('error' === ev || 'warning' === ev) {
console.error(ev, args);
return;
}
console.info(ev, args);
}
```
If you want to use wildcards or local domains, you must specify the `dns-01` challenge plugin to use:
```js
function find(options) {
var subject = options.subject;
// may include wildcard
var altnames = options.altnames;
var wildname = options.wildname; // *.example.com
return Promise.resolve([
{
subject: 'example.com',
altnames: ['example.com', 'www.example.com'],
challenges: {
'dns-01': { module: 'acme-dns-01-namedotcom', apikey: 'xxxx' }
}
}
]);
}
```
### Customer Manager, complete
To use a fully custom manager, you give the npm package name, or absolute path to the file to load
```js
Greenlock.create({
// Greenlock Options
maintainerEmail: 'jon@example.com',
packageAgent: 'my-package/v2.1.1',
notify: notify,
// file path or npm package name
manager: '/path/to/manager.js',
// options that get passed to the manager
myFooOption: 'whatever'
});
```
The manager itself is, again relatively simple:
- find(options)
- set(siteConfig)
- remove(options)
- defaults(globalOptions) (as setter)
- defaults() => globalOptions (as getter)
`/path/to/manager.js`:
```js
'use strict';
module.exports.create = function() {
var manager = {};
manager.find = async function({ subject, altnames, renewBefore }) {
if (subject) {
return getSiteConfigBySubject(subject);
}
if (altnames) {
// may include wildcards
return getSiteConfigByAnyAltname(altnames);
}
if (renewBefore) {
return getSiteConfigsWhereRenewAtIsLessThan(renewBefore);
}
return [];
};
manage.set = function(opts) {
// this is called by greenlock.add({ subject, altnames })
// it's also called by greenlock._update({ subject, renewAt })
return mergSiteConfig(subject, opts);
};
manage.remove = function({ subject, altname }) {
if (subject) {
return removeSiteConfig(subject);
}
return removeFromSiteConfigAndResetRenewAtToZero(altname);
};
// set the global config
manage.defaults = function(options) {
if (!options) {
return getGlobalConfig();
}
return mergeGlobalConfig(options);
};
};
```
# ACME Challenge Plugins
The ACME challenge plugins are just a few simple callbacks:
- `init`
- `zones` (dns-01 only)
- `set`
- `get`
- `remove`
They are described here:
- [dns-01 documentation](https://git.rootprojects.org/root/acme-dns-01-test.js)
- [http-01 documentation](https://git.rootprojects.org/root/acme-http-01-test.js)
# Key and Cert Store Plugins
Again, these are just a few simple callbacks:
- `certificates.checkKeypair`
- `certificates.check`
- `certificates.setKeypair`
- `certificates.set`
- `accounts.checkKeypair`
- `accounts.check` (optional)
- `accounts.setKeypair`
- `accounts.set` (optional)
The name `check` is used instead of `get` because they only need to return something if it exists. They do not need to fail, nor do they need to generate anything.
They are described here:
- [greenlock store documentation](https://git.rootprojects.org/root/greenlock-store-test.js)
If you are just implenting in-house and are not going to publish a module, you can also do some hack things like this:
### Custome Store, The hacky / lazy way
`/path/to/project/my-hacky-store.js`:
```js
'use strict';
module.exports.create = function(options) {
// ex: /path/to/account.ecdsa.jwk.json
var accountJwk = require(options.accountJwkPath);
// ex: /path/to/privkey.rsa.pem
var serverPem = fs.readFileSync(options.serverPemPath, 'ascii');
var accounts = {};
var certificates = {};
var store = { accounts, certificates };
// bare essential account callbacks
accounts.checkKeypair = function() {
// ignore all options and just return a single, global keypair
return Promise.resolve({
privateKeyJwk: accountJwk
});
};
accounts.setKeypair = function() {
// this will never get called if checkKeypair always returns
return Promise.resolve({});
};
// bare essential cert and key callbacks
certificates.checkKeypair = function() {
// ignore all options and just return a global server keypair
return {
privateKeyPem: serverPem
};
};
certificates.setKeypair = function() {
// never gets called if checkKeypair always returns an existing key
return Promise.resolve(null);
};
certificates.check = function(args) {
var subject = args.subject;
// make a database call or whatever to get a certificate
return goGetCertBySubject(subject).then(function() {
return {
pems: {
chain: '<PEM>',
cert: '<PEM>'
}
};
});
};
certificates.set = function(args) {
var subject = args.subject;
var cert = args.pems.cert;
var chain = args.pems.chain;
// make a database call or whatever to get a certificate
return goSaveCert({
subject,
cert,
chain
});
};
};
```
### Using the hacky / lazy store plugin
That sort of implementation won't pass the test suite, but it'll work just fine a use case where you only have one subscriber email (most of the time),
you only have one server key (not recommended, but works), and you only really want to worry about storing cetificates.
Then you could assign it as the default for all of your sites:
```json
{
"subscriberEmail": "jon@example.com",
"agreeToTerms": true,
"sites": {
"example.com": {
"subject": "example.com",
"altnames": ["example.com", "www.example.com"]
}
},
"store": {
"module": "/path/to/project/my-hacky-store.js",
"accountJwkPath": "/path/to/account.ecdsa.jwk.json",
"serverPemPath": "/path/to/privkey.rsa.pem"
}
}
```

4
README.md

@ -402,7 +402,7 @@ Greenlock comes with reasonable defaults but when you install it,
you should also install any plugins that you need.
```bash
npm install --save @root/greenlock
npm install --save greenlock
npm install --save greenlock-manager-fs
npm install --save greenlock-store-fs
npm install --save acme-http-01-standalone
@ -420,7 +420,7 @@ TODO
```js
'use strict';
var Greenlock = require(@root/greenlock-express);
var Greenlock = require(greenlock-express);
var greenlock = Greenlock.create({
// for security and critical bug notices

219
accounts.js

@ -1,219 +0,0 @@
'use strict';
var A = module.exports;
var U = require('./utils.js');
var E = require('./errors.js');
var pending = {};
A._getOrCreate = function(gnlck, mconf, db, acme, args) {
var email = args.subscriberEmail || mconf.subscriberEmail;
if (!email) {
throw E.NO_SUBSCRIBER('get account', args.subject);
}
// TODO send welcome message with benefit info
return U._validMx(email)
.catch(function() {
throw E.NO_SUBSCRIBER('get account', args.subcriberEmail);
})
.then(function() {
if (pending[email]) {
return pending[email];
}
pending[email] = A._rawGetOrCreate(
gnlck,
mconf,
db,
acme,
args,
email
)
.catch(function(e) {
delete pending[email];
throw e;
})
.then(function(result) {
delete pending[email];
return result;
});
return pending[email];
});
};
// What we really need out of this is the private key and the ACME "key" id
A._rawGetOrCreate = function(gnlck, mconf, db, acme, args, email) {
var p;
if (db.check) {
p = A._checkStore(gnlck, mconf, db, acme, args, email);
} else {
p = Promise.resolve(null);
}
return p.then(function(fullAccount) {
if (!fullAccount) {
return A._newAccount(gnlck, mconf, db, acme, args, email, null);
}
if (fullAccount.keypair && fullAccount.key && fullAccount.key.kid) {
return fullAccount;
}
return A._newAccount(gnlck, mconf, db, acme, args, email, fullAccount);
});
};
A._newAccount = function(gnlck, mconf, db, acme, args, email, fullAccount) {
var keyType = args.accountKeyType || mconf.accountKeyType;
var query = {
subject: args.subject,
email: email,
subscriberEmail: email,
customerEmail: args.customerEmail,
account: fullAccount || {},
directoryUrl:
args.directoryUrl ||
mconf.directoryUrl ||
gnlck._defaults.directoryUrl
};
return U._getOrCreateKeypair(db, args.subject, query, keyType).then(
function(kresult) {
var keypair = kresult.keypair;
var accReg = {
subscriberEmail: email,
agreeToTerms:
args.agreeToTerms ||
mconf.agreeToTerms ||
gnlck._defaults.agreeToTerms,
accountKey: keypair.privateKeyJwk || keypair.private,
debug: args.debug
};
return acme.accounts.create(accReg).then(function(receipt) {
var reg = {
keypair: keypair,
receipt: receipt,
// shudder... not actually a KeyID... but so it is called anyway...
kid:
receipt &&
receipt.key &&
(receipt.key.kid || receipt.kid),
email: args.email,
subscriberEmail: email,
customerEmail: args.customerEmail
};
var keyP;
if (kresult.exists) {
keyP = Promise.resolve();
} else {
query.keypair = keypair;
query.receipt = receipt;
/*
query.server = gnlck._defaults.directoryUrl.replace(
/^https?:\/\//i,
''
);
*/
keyP = db.setKeypair(query, keypair);
}
return keyP
.then(function() {
if (!db.set) {
return Promise.resolve({
keypair: keypair
});
}
return db.set(
{
// id to be set by Store
email: email,
subscriberEmail: email,
customerEmail: args.customerEmail,
agreeTos: true,
agreeToTerms: true,
directoryUrl:
args.directoryUrl ||
mconf.directoryUrl ||
gnlck._defaults.directoryUrl
/*
server: gnlck._defaults.directoryUrl.replace(
/^https?:\/\//i,
''
)
*/
},
reg
);
})
.then(function(fullAccount) {
if (fullAccount && 'object' !== typeof fullAccount) {
throw new Error(
"accounts.set should either return 'null' or an object with an 'id' string"
);
}
if (!fullAccount) {
fullAccount = {};
}
fullAccount.keypair = keypair;
if (!fullAccount.key) {
fullAccount.key = {};
}
fullAccount.key.kid = reg.kid;
return fullAccount;
});
});
}
);
};
A._checkStore = function(gnlck, mconf, db, acme, args, email) {
if ((args.domain || args.domains) && !args.subject) {
console.warn("use 'subject' instead of 'domain'");
args.subject = args.domain;
}
var account = args.account;
if (!account) {
account = {};
}
if (args.accountKey) {
console.warn(
'rather than passing accountKey, put it directly into your account key store'
);
// TODO we probably don't need this
return U._importKeypair(args.accountKey);
}
if (!db.check) {
return Promise.resolve(null);
}
return db
.check({
//keypair: undefined,
//receipt: undefined,
email: email,
subscriberEmail: email,
customerEmail: args.customerEmail || mconf.customerEmail,
account: account,
directoryUrl:
args.directoryUrl ||
mconf.directoryUrl ||
gnlck._defaults.directoryUrl
})
.then(function(fullAccount) {
if (!fullAccount) {
return null;
}
return fullAccount;
});
};

378
bin/certonly.js

@ -1,378 +0,0 @@
'use strict';
var mkdirp = require('@root/mkdirp');
var cli = require('./cli.js');
cli.parse({
'directory-url': [
false,
' ACME Directory Resource URL',
'string',
'https://acme-v02.api.letsencrypt.org/directory',
'server,acme-url'
],
email: [
false,
' Email used for registration and recovery contact. (default: null)',
'email'
],
'agree-tos': [
false,
" Agree to the Greenlock and Let's Encrypt Subscriber Agreements",
'boolean',
false
],
'community-member': [
false,
' Submit stats to and get updates from Greenlock',
'boolean',
false
],
domains: [
false,
' Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])',
'string'
],
'renew-offset': [
false,
' Positive (time after issue) or negative (time before expiry) offset, such as 30d or -45d',
'string',
'45d'
],
'renew-within': [
false,
' (ignored) use renew-offset instead',
'ignore',
undefined
],
'cert-path': [
false,
' Path to where new cert.pem is saved',
'string',
':configDir/live/:hostname/cert.pem'
],
'fullchain-path': [
false,
' Path to where new fullchain.pem (cert + chain) is saved',
'string',
':configDir/live/:hostname/fullchain.pem'
],
'bundle-path': [
false,
' Path to where new bundle.pem (fullchain + privkey) is saved',
'string',
':configDir/live/:hostname/bundle.pem'
],
'chain-path': [
false,
' Path to where new chain.pem is saved',
'string',
':configDir/live/:hostname/chain.pem'
],
'privkey-path': [
false,
' Path to where privkey.pem is saved',
'string',
':configDir/live/:hostname/privkey.pem'
],
'config-dir': [
false,
' Configuration directory.',
'string',
'~/letsencrypt/etc/'
],
store: [
false,
' The name of the storage module to use',
'string',
'greenlock-store-fs'
],
'store-xxxx': [
false,
' An option for the chosen storage module, such as --store-apikey or --store-bucket',
'bag'
],
'store-json': [
false,
' A JSON string containing all option for the chosen store module (instead of --store-xxxx)',
'json',
'{}'
],
challenge: [
false,
' The name of the HTTP-01, DNS-01, or TLS-ALPN-01 challenge module to use',
'string',
'@greenlock/acme-http-01-fs'
],
'challenge-xxxx': [
false,
' An option for the chosen challenge module, such as --challenge-apikey or --challenge-bucket',
'bag'
],
'challenge-json': [
false,
' A JSON string containing all option for the chosen challenge module (instead of --challenge-xxxx)',
'json',
'{}'
],
'skip-dry-run': [
false,
' Use with caution (and test with the staging url first). Creates an Order on the ACME server without a self-test.',
'boolean'
],
'skip-challenge-tests': [
false,
' Use with caution (and with the staging url first). Presents challenges to the ACME server without first testing locally.',
'boolean'
],
'http-01-port': [
false,
' Required to be 80 for live servers. Do not use. For special test environments only.',
'int'
],
'dns-01': [false, ' Use DNS-01 challange type', 'boolean', false],
standalone: [
false,
' Obtain certs using a "standalone" webserver.',
'boolean',
false
],
manual: [
false,
' Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing (uses acme-http-01-cli or acme-dns-01-cli)',
'boolean',
false
],
debug: [false, ' show traces and logs', 'boolean', false],
root: [
false,
' public_html / webroot path (may use the :hostname template such as /srv/www/:hostname)',
'string',
undefined,
'webroot-path'
],
//
// backwards compat
//
duplicate: [
false,
' Allow getting a certificate that duplicates an existing one/is an early renewal',
'boolean',
false
],
'rsa-key-size': [
false,
' (ignored) use server-key-type or account-key-type instead',
'ignore',
2048
],
'server-key-path': [
false,
' Path to privkey.pem to use for certificate (default: generate new)',
'string',
undefined,
'domain-key-path'
],
'server-key-type': [
false,
" One of 'RSA' (2048), 'RSA-3084', 'RSA-4096', 'ECDSA' (P-256), or 'P-384'. For best compatibility, security, and efficiency use the default (More bits != More security)",
'string',
'RSA'
],
'account-key-path': [
false,
' Path to privkey.pem to use for account (default: generate new)',
'string'
],
'account-key-type': [
false,
" One of 'ECDSA' (P-256), 'P-384', 'RSA', 'RSA-3084', or 'RSA-4096'. Stick with 'ECDSA' (P-256) unless you need 'RSA' (2048) for legacy compatibility. (More bits != More security)",
'string',
'P-256'
],
webroot: [false, ' (ignored) for certbot compatibility', 'ignore', false],
//, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-alpn-01)", 'string', 'http-01']
'work-dir': [
false,
' for certbot compatibility (ignored)',
'string',
'~/letsencrypt/var/lib/'
],
'logs-dir': [
false,
' for certbot compatibility (ignored)',
'string',
'~/letsencrypt/var/log/'
],
'acme-version': [
false,
' (ignored) ACME is now RFC 8555 and prior drafts are no longer supported',
'ignore',
'rfc8555'
]
});
// ignore certonly and extraneous arguments
cli.main(function(_, options) {
console.info('');
[
'configDir',
'privkeyPath',
'certPath',
'chainPath',
'fullchainPath',
'bundlePath'
].forEach(function(k) {
if (options[k]) {
options.storeOpts[k] = options[k];
}
delete options[k];
});
if (options.workDir) {
options.challengeOpts.workDir = options.workDir;
delete options.workDir;
}
if (options.debug) {
console.debug(options);
}
var args = {};
var homedir = require('os').homedir();
Object.keys(options).forEach(function(key) {
var val = options[key];
if ('string' === typeof val) {
val = val.replace(/^~/, homedir);
}
key = key.replace(/\-([a-z0-9A-Z])/g, function(c) {
return c[1].toUpperCase();
});
args[key] = val;
});
Object.keys(args).forEach(function(key) {
var val = args[key];
if ('string' === typeof val) {
val = val.replace(/(\:configDir)|(\:config)/, args.configDir);
}
args[key] = val;
});
if (args.domains) {
args.domains = args.domains.split(',');
}
if (
!(Array.isArray(args.domains) && args.domains.length) ||
!args.email ||
!args.agreeTos ||
(!args.server && !args.directoryUrl)
) {
console.error('\nUsage:\n\ngreenlock certonly --standalone \\');
console.error(
'\t--agree-tos --email user@example.com --domains example.com \\'
);
console.error('\t--config-dir ~/acme/etc \\');
console.error('\nSee greenlock --help for more details\n');
return;
}
if (args.http01Port) {
// [@agnat]: Coerce to string. cli returns a number although we request a string.
args.http01Port = '' + args.http01Port;
args.http01Port = args.http01Port.split(',').map(function(port) {
return parseInt(port, 10);
});
}
function run() {
var challenges = {};
if (/http.?01/i.test(args.challenge)) {
challenges['http-01'] = args.challengeOpts;
}
if (/dns.?01/i.test(args.challenge)) {
challenges['dns-01'] = args.challengeOpts;
}
if (/alpn.?01/i.test(args.challenge)) {
challenges['tls-alpn-01'] = args.challengeOpts;
}
if (!Object.keys(challenges).length) {
throw new Error(
"Could not determine the challenge type for '" +
args.challengeOpts.module +
"'. Expected a name like @you/acme-xxxx-01-foo. Please name the module with http-01, dns-01, or tls-alpn-01."
);
}
args.challengeOpts.module = args.challenge;
args.storeOpts.module = args.store;
console.log('\ngot to the run step');
require(args.challenge);
require(args.store);
var greenlock = require('../').create({
maintainerEmail: args.maintainerEmail || 'coolaj86@gmail.com',
manager: './manager.js',
configFile: '~/.config/greenlock/certs.json',
challenges: challenges,
store: args.storeOpts,
renewOffset: args.renewOffset || '30d',
renewStagger: '1d'
});
// for long-running processes
if (args.renewEvery) {
setInterval(function() {
greenlock.renew({
period: args.renewEvery
});
}, args.renewEvery);
}
// TODO should greenlock.add simply always include greenlock.renew?
// the concern is conflating error events
return greenlock
.add({
subject: args.subject,
altnames: args.altnames,
subscriberEmail: args.subscriberEmail || args.email
})
.then(function(changes) {
console.info(changes);
// renew should always
return greenlock
.renew({
subject: args.subject,
force: false
})
.then(function() {});
});
}
if ('greenlock-store-fs' !== args.store) {
run();
return;
}
// TODO remove mkdirp and let greenlock-store-fs do this?
mkdirp(args.storeOpts.configDir, function(err) {
if (!err) {
run();
}
console.error(
"Could not create --config-dir '" + args.configDir + "':",
err.code
);
console.error("Try setting --config-dir '/tmp'");
return;
});
}, process.argv.slice(3));

234
bin/cli.js

@ -1,234 +0,0 @@
'use strict';
var CLI = module.exports;
var defaultConf;
var defaultOpts;
var bags = [];
CLI.parse = function(conf) {
var opts = (defaultOpts = {});
defaultConf = conf;
Object.keys(conf).forEach(function(k) {
var v = conf[k];
var aliases = v[5];
var bag;
var bagName;
// the name of the argument set is now the 0th argument
v.unshift(k);
// v[0] flagname
// v[1] short flagname
// v[2] description
// v[3] type
// v[4] default value
// v[5] aliases
if ('bag' === v[3]) {
bag = v[0]; // 'bag-option-xxxx' => '--bag-option-'
bag = '--' + bag.replace(/xxx.*/, '');
bags.push(bag);
bagName = toBagName(bag.replace(/^--/, ''));
opts[bagName] = {};
}
if ('json' === v[3]) {
bagName = toBagName(v[0].replace(/-json$/, '')); // 'bag-option-json' => 'bagOptionOpts'
opts[bagName] = {};
} else if ('ignore' !== v[3] && 'undefined' !== typeof v[4]) {
// set the default values (where 'undefined' is not an allowed value)
opts[toCamel(k)] = v[4];
}
if (!aliases) {
aliases = [];
} else if ('string' === typeof aliases) {
aliases = aliases.split(',');
}
aliases.forEach(function(alias) {
if (alias in conf) {
throw new Error(
"Cannot alias '" +
alias +
"' from '" +
k +
"': option already exists"
);
}
conf[alias] = v;
});
});
};
CLI.main = function(cb, args) {
var leftovers = [];
var conf = defaultConf;
var opts = defaultOpts;
if (!opts) {
throw new Error("you didn't call `CLI.parse(configuration)`");
}
// TODO what's the existing API for this?
if (!args) {
args = process.argv.slice(2);
}
var flag;
var cnf;
var typ;
function grab(bag) {
var bagName = toBagName(bag);
if (bag !== flag.slice(0, bag.length)) {
return false;
}
console.log(bagName, toCamel(flag.slice(bag.length)));
opts[bagName][toCamel(flag.slice(bag.length))] = args.shift();
return true;
}
while (args.length) {
// take one off the top
flag = args.shift();
// mind the gap
if ('--' === flag) {
leftovers = leftovers.concat(args);
break;
}
// help!
if (
'--help' === flag ||
'-h' === flag ||
'/?' === flag ||
'help' === flag
) {
printHelp(conf);
process.exit(1);
}
// only long names are actually used
if ('--' !== flag.slice(0, 2)) {
console.error("Unrecognized argument '" + flag + "'");
process.exit(1);
}
cnf = conf[flag.slice(2)];
if (!cnf) {
// look for arbitrary flags
if (bags.some(grab)) {
continue;
}
// other arbitrary args are not used
console.error("Unrecognized flag '" + flag + "'");
process.exit(1);
}
// encourage switching to non-aliased version
if (flag !== '--' + cnf[0]) {
console.warn(
"use of '" +
flag +
"' is deprecated, use '--" +
cnf[0] +
"' instead"
);
}
// look for xxx-json flags
if ('json' === cnf[3]) {
try {
var json = JSON.parse(args.shift());
var bagName = toBagName(cnf[0].replace(/-json$/, ''));
Object.keys(json).forEach(function(k) {
opts[bagName][k] = json[k];
});
} catch (e) {
console.error("Could not parse option '" + flag + "' as JSON:");
console.error(e.message);
process.exit(1);
}
continue;
}
// set booleans, otherwise grab the next arg in line
typ = cnf[3];
// TODO --no-<whatever> to negate
if (Boolean === typ || 'boolean' === typ) {
opts[toCamel(cnf[0])] = true;
continue;
}
opts[toCamel(cnf[0])] = args.shift();
continue;
}
cb(leftovers, opts);
};
function toCamel(str) {
return str.replace(/-([a-z0-9])/g, function(m) {
return m[1].toUpperCase();
});
}
function toBagName(bag) {
// trim leading and trailing '-'
bag = bag.replace(/^-+/g, '').replace(/-+$/g, '');
return toCamel(bag) + 'Opts'; // '--bag-option-' => bagOptionOpts
}
function printHelp(conf) {
var flagLen = 0;
var typeLen = 0;
var defLen = 0;
Object.keys(conf).forEach(function(k) {
flagLen = Math.max(flagLen, conf[k][0].length);
typeLen = Math.max(typeLen, conf[k][3].length);
if ('undefined' !== typeof conf[k][4]) {
defLen = Math.max(
defLen,
'(Default: )'.length + String(conf[k][4]).length
);
}
});
Object.keys(conf).forEach(function(k) {
var v = conf[k];
// skip aliases
if (v[0] !== k) {
return;
}
var def = v[4];
if ('undefined' === typeof def) {
def = '';
} else {
def = '(default: ' + JSON.stringify(def) + ')';
}
var msg =
' --' +
v[0].padEnd(flagLen) +
' ' +
v[3].padStart(typeLen + 1) +
' ' +
(v[2] || '') +
' ' +
def; /*.padStart(defLen)*/
// v[0] flagname
// v[1] short flagname
// v[2] description
// v[3] type
// v[4] default value
// v[5] aliases
console.info(msg);
});
}

13
bin/greenlock.js

@ -1,13 +0,0 @@
#!/usr/bin/env node
'use strict';
var args = process.argv.slice(2);
//console.log(args);
//['certonly', 'add', 'config', 'defaults', 'remove']
if ('certonly' === args[0]) {
require('./certonly.js');
return;
}
console.error("command not yet implemented");
process.exit();

318
certificates.js

@ -1,318 +0,0 @@
'use strict';
var C = module.exports;
var U = require('./utils.js');
var CSR = require('@root/csr');
var Enc = require('@root/encoding');
var Keypairs = require('@root/keypairs');
var pending = {};
var rawPending = {};
// What the abbreviations mean
//
// gnlkc => greenlock
// mconf => manager config
// db => greenlock store instance
// acme => instance of ACME.js
// chs => instances of challenges
// acc => account
// args => site / extra options
// Certificates
C._getOrOrder = function(gnlck, mconf, db, acme, chs, acc, args) {
var email = args.subscriberEmail || mconf.subscriberEmail;
var id = args.altnames
.slice(0)
.sort()
.join(' ');
if (pending[id]) {
return pending[id];
}
pending[id] = C._rawGetOrOrder(
gnlck,
mconf,
db,
acme,
chs,
acc,
email,
args
)
.then(function(pems) {
delete pending[id];
return pems;
})
.catch(function(err) {
delete pending[id];
throw err;
});
return pending[id];
};
// Certificates
C._rawGetOrOrder = function(gnlck, mconf, db, acme, chs, acc, email, args) {
return C._check(gnlck, mconf, db, args).then(function(pems) {
// Nice and fresh? We're done!
if (pems) {
if (!C._isStale(gnlck, mconf, args, pems)) {
// return existing unexpired (although potentially stale) certificates when available
// there will be an additional .renewing property if the certs are being asynchronously renewed
//pems._type = 'current';
return pems;
}
}
// We're either starting fresh or freshening up...
var p = C._rawOrder(gnlck, mconf, db, acme, chs, acc, email, args);
var evname = pems ? 'cert_renewal' : 'cert_issue';
p.then(function(newPems) {
// notify in the background
var renewAt = C._renewWithStagger(gnlck, mconf, args, newPems);
gnlck._notify(evname, {
renewAt: renewAt,
subject: args.subject,
altnames: args.altnames
});
gnlck._notify('_cert_issue', {
renewAt: renewAt,
subject: args.subject,
altnames: args.altnames,
pems: newPems
});
}).catch(function(err) {
if (!err.context) {
err.context = evname;
}
err.subject = args.subject;
err.altnames = args.altnames;
gnlck._notify('error', err);
});
// No choice but to hang tight and wait for it
if (
!pems ||
pems.renewAt < Date.now() - 24 * 60 * 60 * 1000 ||
pems.expiresAt <= Date.now() + 24 * 60 * 60 * 1000
) {
return p;
}
// Wait it out
// TODO should we call this waitForRenewal?
if (args.waitForRenewal) {
return p;
}
// Let the certs renew in the background
return pems;
});
};
// we have another promise here because it the optional renewal
// may resolve in a different stack than the returned pems
C._rawOrder = function(gnlck, mconf, db, acme, chs, acc, email, args) {
var id = args.altnames
.slice(0)
.sort()
.join(' ');
if (rawPending[id]) {
return rawPending[id];
}
var keyType = args.serverKeyType || mconf.serverKeyType;
var query = {
subject: args.subject,
certificate: args.certificate || {},
directoryUrl: args.directoryUrl || gnlck._defaults.directoryUrl
};
rawPending[id] = U._getOrCreateKeypair(db, args.subject, query, keyType)
.then(function(kresult) {
var serverKeypair = kresult.keypair;
var domains = args.altnames.slice(0);
return CSR.csr({
jwk: serverKeypair.privateKeyJwk || serverKeypair.private,
domains: domains,
encoding: 'der'
})
.then(function(csrDer) {
// TODO let CSR support 'urlBase64' ?
return Enc.bufToUrlBase64(csrDer);
})
.then(function(csr) {
function notify(ev, opts) {
gnlck._notify(ev, opts);
}
var certReq = {
debug: args.debug || gnlck._defaults.debug,
challenges: chs,
account: acc, // only used if accounts.key.kid exists
accountKey:
acc.keypair.privateKeyJwk || acc.keypair.private,
keypair: acc.keypair, // TODO
csr: csr,
domains: domains, // because ACME.js v3 uses `domains` still, actually
onChallengeStatus: notify,
notify: notify // TODO
// TODO handle this in acme-v2
//subject: args.subject,
//altnames: args.altnames.slice(0),
};
return acme.certificates
.create(certReq)
.then(U._attachCertInfo);
})
.then(function(pems) {
if (kresult.exists) {
return pems;
}
query.keypair = serverKeypair;
return db.setKeypair(query, serverKeypair).then(function() {
return pems;
});
});
})
.then(function(pems) {
// TODO put this in the docs
// { cert, chain, privkey, subject, altnames, issuedAt, expiresAt }
// Note: the query has been updated
query.pems = pems;
return db.set(query);
})
.then(function() {
return C._check(gnlck, mconf, db, args);
})
.then(function(bundle) {
// TODO notify Manager
delete rawPending[id];
return bundle;
})
.catch(function(err) {
// Todo notify manager
delete rawPending[id];
throw err;
});
return rawPending[id];
};
// returns pems, if they exist
C._check = function(gnlck, mconf, db, args) {
var query = {
subject: args.subject,
// may contain certificate.id
certificate: args.certificate,
directoryUrl: args.directoryUrl || gnlck._defaults.directoryUrl
};
return db.check(query).then(function(pems) {
if (!pems) {
return null;
}
pems = U._attachCertInfo(pems);
// For eager management
if (args.subject && !U._certHasDomain(pems, args.subject)) {
// TODO report error, but continue the process as with no cert
return null;
}
// For lazy SNI requests
if (args.domain && !U._certHasDomain(pems, args.domain)) {
// TODO report error, but continue the process as with no cert
return null;
}
return U._getKeypair(db, args.subject, query)
.then(function(keypair) {
return Keypairs.export({
jwk: keypair.privateKeyJwk || keypair.private,
encoding: 'pem'
}).then(function(pem) {
pems.privkey = pem;
return pems;
});
})
.catch(function() {
// TODO report error, but continue the process as with no cert
return null;
});
});
};
// Certificates
C._isStale = function(gnlck, mconf, args, pems) {
if (args.duplicate) {
return true;
}
var renewAt = C._renewableAt(gnlck, mconf, args, pems);
if (Date.now() >= renewAt) {
return true;
}
return false;
};
C._renewWithStagger = function(gnlck, mconf, args, pems) {
var renewOffset = C._renewOffset(gnlck, mconf, args, pems);
var renewStagger;
try {
renewStagger = U._parseDuration(
args.renewStagger || mconf.renewStagger || 0
);
} catch (e) {
renewStagger = U._parseDuration(
args.renewStagger || mconf.renewStagger
);
}
// TODO check this beforehand
if (!args.force && renewStagger / renewOffset >= 0.5) {
renewStagger = renewOffset * 0.1;
}
if (renewOffset > 0) {
// stagger forward, away from issued at
return Math.round(
pems.issuedAt + renewOffset + Math.random() * renewStagger
);
}
// stagger backward, toward issued at
return Math.round(
pems.expiresAt + renewOffset - Math.random() * renewStagger
);
};
C._renewOffset = function(gnlck, mconf, args /*, pems*/) {
var renewOffset = U._parseDuration(
args.renewOffset || mconf.renewOffset || 0
);
var week = 1000 * 60 * 60 * 24 * 6;
if (!args.force && Math.abs(renewOffset) < week) {
throw new Error(
'developer error: `renewOffset` should always be at least a week, use `force` to not safety-check renewOffset'
);
}
return renewOffset;
};
C._renewableAt = function(gnlck, mconf, args, pems) {
if (args.renewAt) {