From 5316af67be976a583c214d389c68704774acd058 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Mon, 3 Jun 2019 09:12:11 +0000 Subject: [PATCH] v2.7.23: regression bugfixes: node v6 and cloudflare dns-01 --- index.js | 1310 ++++++++++++++++++--------------- lib/compat.js | 21 + lib/core.js | 35 +- lib/utils.js | 20 +- package.json | 2 +- tests/challenge-middleware.js | 106 --- 6 files changed, 781 insertions(+), 713 deletions(-) create mode 100644 lib/compat.js delete mode 100644 tests/challenge-middleware.js diff --git a/index.js b/index.js index 5c708fe..5fb9339 100644 --- a/index.js +++ b/index.js @@ -1,4 +1,6 @@ -'use strict'; +"use strict"; +/*global Promise*/ +require("./lib/compat.js"); // I hate this code so much. // Soooo many shims for backwards compatibility (some stuff dating back to v1) @@ -6,43 +8,44 @@ var DAY = 24 * 60 * 60 * 1000; //var MIN = 60 * 1000; -var ACME = require('acme-v2/compat').ACME; -var pkg = require('./package.json'); -var PromiseA; -try { - PromiseA = require('bluebird'); -} catch(e) { - PromiseA = global.Promise; -} -if (!PromiseA.promisify) { - PromiseA.promisify = require('util').promisify; -} +var ACME = require("acme-v2/compat").ACME; +var pkg = require("./package.json"); +var util = require("util"); + function promisifyAllSelf(obj) { - if (obj.__promisified) { return obj; } - Object.keys(obj).forEach(function (key) { - if ('function' === typeof obj[key] && !/Async$/.test(key)) { - obj[key + 'Async'] = PromiseA.promisify(obj[key]); - } - }); - obj.__promisified = true; - return obj; + if (obj.__promisified) { + return obj; + } + Object.keys(obj).forEach(function(key) { + if ("function" === typeof obj[key] && !/Async$/.test(key)) { + obj[key + "Async"] = util.promisify(obj[key]); + } + }); + obj.__promisified = true; + return obj; } function promisifyAllStore(obj) { - Object.keys(obj).forEach(function (key) { - if ('function' !== typeof obj[key] || /Async$/.test(key)) { return; } + Object.keys(obj).forEach(function(key) { + if ("function" !== typeof obj[key] || /Async$/.test(key)) { + return; + } - var p; - if (0 === obj[key].length || 1 === obj[key].length) { - // wrap just in case it's synchronous (or improperly throws) - p = function (opts) { return PromiseA.resolve().then(function () { return obj[key](opts); }); }; - } else { - p = PromiseA.promisify(obj[key]); - } - // internal backwards compat - obj[key + 'Async'] = p; - }); - obj.__promisified = true; - return obj; + var p; + if (0 === obj[key].length || 1 === obj[key].length) { + // wrap just in case it's synchronous (or improperly throws) + p = function(opts) { + return Promise.resolve().then(function() { + return obj[key](opts); + }); + }; + } else { + p = util.promisify(obj[key]); + } + // internal backwards compat + obj[key + "Async"] = p; + }); + obj.__promisified = true; + return obj; } var Greenlock = module.exports; @@ -52,311 +55,373 @@ Greenlock.LE = Greenlock; var ipc = {}; function _log(debug) { - if (debug) { - var args = Array.prototype.slice.call(arguments); - args.shift(); - args.unshift("[gl/index.js]"); - console.log.apply(console, args); - } + if (debug) { + var args = Array.prototype.slice.call(arguments); + args.shift(); + args.unshift("[gl/index.js]"); + console.log.apply(console, args); + } } Greenlock.defaults = { - productionServerUrl: 'https://acme-v01.api.letsencrypt.org/directory' -, stagingServerUrl: 'https://acme-staging.api.letsencrypt.org/directory' + productionServerUrl: "https://acme-v01.api.letsencrypt.org/directory", + stagingServerUrl: "https://acme-staging.api.letsencrypt.org/directory", -, rsaKeySize: ACME.rsaKeySize || 2048 -, challengeType: ACME.challengeType || 'http-01' -, challengeTypes: ACME.challengeTypes || [ 'http-01', 'dns-01' ] + rsaKeySize: ACME.rsaKeySize || 2048, + challengeType: ACME.challengeType || "http-01", + challengeTypes: ACME.challengeTypes || ["http-01", "dns-01"], -, acmeChallengePrefix: ACME.acmeChallengePrefix + acmeChallengePrefix: ACME.acmeChallengePrefix }; // backwards compat -Object.keys(Greenlock.defaults).forEach(function (key) { - Greenlock[key] = Greenlock.defaults[key]; +Object.keys(Greenlock.defaults).forEach(function(key) { + Greenlock[key] = Greenlock.defaults[key]; }); // show all possible options var u; // undefined Greenlock._undefined = { - acme: u -, store: u -//, challenge: u -, challenges: u -, sni: u -, tlsOptions: u + acme: u, + store: u, + //, challenge: u + challenges: u, + sni: u, + tlsOptions: u, -, register: u -, check: u + register: u, + check: u, -, renewWithin: u // le-auto-sni and core -//, renewBy: u // le-auto-sni -, acmeChallengePrefix: u -, rsaKeySize: u -, challengeType: u -, server: u -, version: u -, agreeToTerms: u -, _ipc: u -, duplicate: u -, _acmeUrls: u + renewWithin: u, // le-auto-sni and core + //, renewBy: u // le-auto-sni + acmeChallengePrefix: u, + rsaKeySize: u, + challengeType: u, + server: u, + version: u, + agreeToTerms: u, + _ipc: u, + duplicate: u, + _acmeUrls: u }; -Greenlock._undefine = function (gl) { - Object.keys(Greenlock._undefined).forEach(function (key) { - if (!(key in gl)) { - gl[key] = u; - } - }); +Greenlock._undefine = function(gl) { + Object.keys(Greenlock._undefined).forEach(function(key) { + if (!(key in gl)) { + gl[key] = u; + } + }); - return gl; + return gl; }; -Greenlock.create = function (gl) { - if (!gl.store) { - console.warn("Deprecation Notice: You're haven't chosen a storage strategy." - + " The old default is 'le-store-certbot', but the new default will be 'greenlock-store-fs'." - + " Please `npm install greenlock-store-fs@3` and explicitly set `{ store: require('greenlock-store-fs') }`."); - gl.store = require('le-store-certbot').create({ - debug: gl.debug - , configDir: gl.configDir - , logsDir: gl.logsDir - , webrootPath: gl.webrootPath - }); - } - gl.core = require('./lib/core'); - var log = gl.log || _log; +Greenlock.create = function(gl) { + if (!gl.store) { + console.warn( + "Deprecation Notice: You're haven't chosen a storage strategy." + + " The old default is 'le-store-certbot', but the new default will be 'greenlock-store-fs'." + + " Please `npm install greenlock-store-fs@3` and explicitly set `{ store: require('greenlock-store-fs') }`." + ); + gl.store = require("le-store-certbot").create({ + debug: gl.debug, + configDir: gl.configDir, + logsDir: gl.logsDir, + webrootPath: gl.webrootPath + }); + } + gl.core = require("./lib/core"); + var log = gl.log || _log; - if (!gl.challenges) { - gl.challenges = {}; - } - if (!gl.challenges['http-01']) { - gl.challenges['http-01'] = require('le-challenge-fs').create({ - debug: gl.debug - , webrootPath: gl.webrootPath - }); - } - if (!gl.challenges['dns-01']) { - try { - gl.challenges['dns-01'] = require('le-challenge-ddns').create({ debug: gl.debug }); - } catch(e) { - try { - gl.challenges['dns-01'] = require('le-challenge-dns').create({ debug: gl.debug }); - } catch(e) { - // not yet implemented - } - } - } + if (!gl.challenges) { + gl.challenges = {}; + } + if (!gl.challenges["http-01"]) { + gl.challenges["http-01"] = require("le-challenge-fs").create({ + debug: gl.debug, + webrootPath: gl.webrootPath + }); + } + if (!gl.challenges["dns-01"]) { + try { + gl.challenges["dns-01"] = require("le-challenge-ddns").create({ + debug: gl.debug + }); + } catch (e) { + try { + gl.challenges["dns-01"] = require("le-challenge-dns").create({ + debug: gl.debug + }); + } catch (e) { + // not yet implemented + } + } + } - gl = Greenlock._undefine(gl); - gl.acmeChallengePrefix = Greenlock.acmeChallengePrefix; - gl.rsaKeySize = gl.rsaKeySize || Greenlock.rsaKeySize; - gl.challengeType = gl.challengeType || Greenlock.challengeType; - gl._ipc = ipc; - gl._communityPackage = gl._communityPackage || 'greenlock.js'; - if ('greenlock.js' === gl._communityPackage) { - gl._communityPackageVersion = pkg.version; - } else { - gl._communityPackageVersion = gl._communityPackageVersion || ('greenlock.js-' + pkg.version); - } - gl.agreeToTerms = gl.agreeToTerms || function (args, agreeCb) { - agreeCb(new Error("'agreeToTerms' was not supplied to Greenlock and 'agreeTos' was not supplied to Greenlock.register")); - }; + gl = Greenlock._undefine(gl); + gl.acmeChallengePrefix = Greenlock.acmeChallengePrefix; + gl.rsaKeySize = gl.rsaKeySize || Greenlock.rsaKeySize; + gl.challengeType = gl.challengeType || Greenlock.challengeType; + gl._ipc = ipc; + gl._communityPackage = gl._communityPackage || "greenlock.js"; + if ("greenlock.js" === gl._communityPackage) { + gl._communityPackageVersion = pkg.version; + } else { + gl._communityPackageVersion = + gl._communityPackageVersion || "greenlock.js-" + pkg.version; + } + gl.agreeToTerms = + gl.agreeToTerms || + function(args, agreeCb) { + agreeCb( + new Error( + "'agreeToTerms' was not supplied to Greenlock and 'agreeTos' was not supplied to Greenlock.register" + ) + ); + }; - if (!gl.renewWithin) { gl.renewWithin = 14 * DAY; } - // renewBy has a default in le-sni-auto + if (!gl.renewWithin) { + gl.renewWithin = 14 * DAY; + } + // renewBy has a default in le-sni-auto + /////////////////////////// + // BEGIN VERSION MADNESS // + /////////////////////////// + gl.version = gl.version || "draft-11"; + gl.server = gl.server || "https://acme-v02.api.letsencrypt.org/directory"; + if (!gl.version) { + //console.warn("Please specify version: 'v01' (Let's Encrypt v1) or 'draft-12' (Let's Encrypt v2 / ACME draft 12)"); + console.warn(""); + console.warn(""); + console.warn(""); + console.warn("=========================================================="); + console.warn("== greenlock.js (v2.2.0+) =="); + console.warn("=========================================================="); + console.warn(""); + console.warn("Please specify 'version' option:"); + console.warn(""); + console.warn(" 'draft-12' for Let's Encrypt v2 and ACME draft 12"); + console.warn(" ('v02' is an alias of 'draft-12'"); + console.warn(""); + console.warn("or"); + console.warn(""); + console.warn(" 'v01' for Let's Encrypt v1 (deprecated)"); + console.warn( + " (also 'npm install --save le-acme-core' as this legacy dependency will soon be removed)" + ); + console.warn(""); + console.warn("This will be required in versions v2.3+"); + console.warn(""); + console.warn(""); + } else if ("v02" === gl.version) { + gl.version = "draft-11"; + } else if ("draft-12" === gl.version) { + gl.version = "draft-11"; + } else if ("draft-11" === gl.version) { + // no-op + } else if ("v01" !== gl.version) { + throw new Error("Unrecognized version '" + gl.version + "'"); + } - /////////////////////////// - // BEGIN VERSION MADNESS // - /////////////////////////// + if (!gl.server) { + throw new Error( + "opts.server must specify an ACME directory URL, such as 'https://acme-staging-v02.api.letsencrypt.org/directory'" + ); + } + if ("staging" === gl.server || "production" === gl.server) { + if ("staging" === gl.server) { + gl.server = "https://acme-staging.api.letsencrypt.org/directory"; + gl.version = "v01"; + gl._deprecatedServerName = "staging"; + } else if ("production" === gl.server) { + gl.server = "https://acme-v01.api.letsencrypt.org/directory"; + gl.version = "v01"; + gl._deprecatedServerName = "production"; + } + console.warn(""); + console.warn(""); + console.warn("=== WARNING ==="); + console.warn(""); + console.warn( + "Due to versioning issues the '" + + gl._deprecatedServerName + + "' option is deprecated." + ); + console.warn("Please specify the full url and version."); + console.warn(""); + console.warn("For APIs add:"); + console.warn('\t, "version": "' + gl.version + '"'); + console.warn('\t, "server": "' + gl.server + '"'); + console.warn(""); + console.warn("For the CLI add:"); + console.warn("\t--acme-url '" + gl.server + "' \\"); + console.warn("\t--acme-version '" + gl.version + "' \\"); + console.warn(""); + console.warn(""); + } - gl.version = gl.version || 'draft-11'; - gl.server = gl.server || 'https://acme-v02.api.letsencrypt.org/directory'; - if (!gl.version) { - //console.warn("Please specify version: 'v01' (Let's Encrypt v1) or 'draft-12' (Let's Encrypt v2 / ACME draft 12)"); - console.warn(""); - console.warn(""); - console.warn(""); - console.warn("=========================================================="); - console.warn("== greenlock.js (v2.2.0+) =="); - console.warn("=========================================================="); - console.warn(""); - console.warn("Please specify 'version' option:"); - console.warn(""); - console.warn(" 'draft-12' for Let's Encrypt v2 and ACME draft 12"); - console.warn(" ('v02' is an alias of 'draft-12'"); - console.warn(""); - console.warn("or"); - console.warn(""); - console.warn(" 'v01' for Let's Encrypt v1 (deprecated)"); - console.warn(" (also 'npm install --save le-acme-core' as this legacy dependency will soon be removed)"); - console.warn(""); - console.warn("This will be required in versions v2.3+"); - console.warn(""); - console.warn(""); - } else if ('v02' === gl.version) { - gl.version = 'draft-11'; - } else if ('draft-12' === gl.version) { - gl.version = 'draft-11'; - } else if ('draft-11' === gl.version) { - // no-op - } else if ('v01' !== gl.version) { - throw new Error("Unrecognized version '" + gl.version + "'"); - } + function loadLeV01() { + console.warn(""); + console.warn("=== WARNING ==="); + console.warn(""); + console.warn("Let's Encrypt v1 is deprecated."); + console.warn("Please update to Let's Encrypt v2 (ACME draft 12)"); + console.warn(""); + try { + return require("le-acme-core").ACME; + } catch (e) { + console.error(""); + console.error("=== Error (easy-to-fix) ==="); + console.error(""); + console.error( + "Hey, this isn't a big deal, but you need to manually add v1 support:" + ); + console.error(""); + console.error(" npm install --save le-acme-core"); + console.error(""); + console.error( + "Just run that real quick, restart, and everything will work great." + ); + console.error(""); + console.error(""); + process.exit(e.code || 13); + } + } - if (!gl.server) { - throw new Error("opts.server must specify an ACME directory URL, such as 'https://acme-staging-v02.api.letsencrypt.org/directory'"); - } - if ('staging' === gl.server || 'production' === gl.server) { - if ('staging' === gl.server) { - gl.server = 'https://acme-staging.api.letsencrypt.org/directory'; - gl.version = 'v01'; - gl._deprecatedServerName = 'staging'; - } - else if ('production' === gl.server) { - gl.server = 'https://acme-v01.api.letsencrypt.org/directory'; - gl.version = 'v01'; - gl._deprecatedServerName = 'production'; - } - console.warn(""); - console.warn(""); - console.warn("=== WARNING ==="); - console.warn(""); - console.warn("Due to versioning issues the '" + gl._deprecatedServerName + "' option is deprecated."); - console.warn("Please specify the full url and version."); - console.warn(""); - console.warn("For APIs add:"); - console.warn("\t, \"version\": \"" + gl.version + "\""); - console.warn("\t, \"server\": \"" + gl.server + "\""); - console.warn(""); - console.warn("For the CLI add:"); - console.warn("\t--acme-url '" + gl.server + "' \\"); - console.warn("\t--acme-version '" + gl.version + "' \\"); - console.warn(""); - console.warn(""); - } + if ( + -1 !== + [ + "https://acme-v02.api.letsencrypt.org/directory", + "https://acme-staging-v02.api.letsencrypt.org/directory" + ].indexOf(gl.server) + ) { + if ("draft-11" !== gl.version) { + console.warn( + "Detected Let's Encrypt v02 URL. Changing version to draft-12." + ); + gl.version = "draft-11"; + } + } else if ( + -1 !== + [ + "https://acme-v01.api.letsencrypt.org/directory", + "https://acme-staging.api.letsencrypt.org/directory" + ].indexOf(gl.server) || + "v01" === gl.version + ) { + if ("v01" !== gl.version) { + console.warn( + "Detected Let's Encrypt v01 URL (deprecated). Changing version to v01." + ); + gl.version = "v01"; + } + } + if ("v01" === gl.version) { + ACME = loadLeV01(); + } + ///////////////////////// + // END VERSION MADNESS // + ///////////////////////// - function loadLeV01() { - console.warn(""); - console.warn("=== WARNING ==="); - console.warn(""); - console.warn("Let's Encrypt v1 is deprecated."); - console.warn("Please update to Let's Encrypt v2 (ACME draft 12)"); - console.warn(""); - try { - return require('le-acme-core').ACME; - } catch(e) { - console.error(""); - console.error("=== Error (easy-to-fix) ==="); - console.error(""); - console.error("Hey, this isn't a big deal, but you need to manually add v1 support:"); - console.error(""); - console.error(" npm install --save le-acme-core"); - console.error(""); - console.error("Just run that real quick, restart, and everything will work great."); - console.error(""); - console.error(""); - process.exit(e.code || 13); - } - } + gl.acme = + gl.acme || + ACME.create({ + debug: gl.debug, + skipChallengeTest: gl.skipChallengeTest, + skipDryRun: gl.skipDryRun + }); + if (gl.acme.create) { + gl.acme = gl.acme.create(gl); + } + gl.acme = promisifyAllSelf(gl.acme); + gl._acmeOpts = + (gl.acme.getOptions && gl.acme.getOptions()) || gl.acme.options || {}; + Object.keys(gl._acmeOpts).forEach(function(key) { + if (!(key in gl)) { + gl[key] = gl._acmeOpts[key]; + } + }); - if (-1 !== [ - 'https://acme-v02.api.letsencrypt.org/directory' - , 'https://acme-staging-v02.api.letsencrypt.org/directory' ].indexOf(gl.server) - ) { - if ('draft-11' !== gl.version) { - console.warn("Detected Let's Encrypt v02 URL. Changing version to draft-12."); - gl.version = 'draft-11'; - } - } else if (-1 !== [ - 'https://acme-v01.api.letsencrypt.org/directory' - , 'https://acme-staging.api.letsencrypt.org/directory' ].indexOf(gl.server) - || 'v01' === gl.version - ) { - if ('v01' !== gl.version) { - console.warn("Detected Let's Encrypt v01 URL (deprecated). Changing version to v01."); - gl.version = 'v01'; - } - } - if ('v01' === gl.version) { - ACME = loadLeV01(); - } - ///////////////////////// - // END VERSION MADNESS // - ///////////////////////// + try { + if (gl.store.create) { + gl.store = gl.store.create(gl); + } + gl.store = promisifyAllSelf(gl.store); + gl.store.accounts = promisifyAllStore(gl.store.accounts); + gl.store.certificates = promisifyAllStore(gl.store.certificates); + gl._storeOpts = + (gl.store.getOptions && gl.store.getOptions()) || gl.store.options || {}; + } catch (e) { + console.error(e); + console.error( + "\nPROBABLE CAUSE:\n" + + "\tYour greenlock-store module should have a create function and return { options, accounts, certificates }\n" + ); + process.exit(18); + return; + } + Object.keys(gl._storeOpts).forEach(function(key) { + if (!(key in gl)) { + gl[key] = gl._storeOpts[key]; + } + }); + // + // Backwards compat for <= v2.1.7 + // + if (gl.challenge) { + console.warn( + "Deprecated use of gl.challenge. Use gl.challenges['" + + Greenlock.challengeType + + "'] instead." + ); + gl.challenges[gl.challengeType] = gl.challenge; + gl.challenge = undefined; + } + Object.keys(gl.challenges || {}).forEach(function(challengeType) { + var challenger = gl.challenges[challengeType]; - gl.acme = gl.acme || ACME.create({ debug: gl.debug }); - if (gl.acme.create) { - gl.acme = gl.acme.create(gl); - } - gl.acme = promisifyAllSelf(gl.acme); - gl._acmeOpts = gl.acme.getOptions && gl.acme.getOptions() || gl.acme.options || {}; - Object.keys(gl._acmeOpts).forEach(function (key) { - if (!(key in gl)) { - gl[key] = gl._acmeOpts[key]; - } - }); + if (challenger.create) { + challenger = gl.challenges[challengeType] = challenger.create(gl); + } + challenger = gl.challenges[challengeType] = promisifyAllSelf(challenger); + gl["_challengeOpts_" + challengeType] = + (challenger.getOptions && challenger.getOptions()) || + challenger.options || + {}; + Object.keys(gl["_challengeOpts_" + challengeType]).forEach(function(key) { + if (!(key in gl)) { + gl[key] = gl["_challengeOpts_" + challengeType][key]; + } + }); - try { - if (gl.store.create) { gl.store = gl.store.create(gl); } - gl.store = promisifyAllSelf(gl.store); - gl.store.accounts = promisifyAllStore(gl.store.accounts); - gl.store.certificates = promisifyAllStore(gl.store.certificates); - gl._storeOpts = gl.store.getOptions && gl.store.getOptions() || gl.store.options || {}; - } catch(e) { - console.error(e); - console.error("\nPROBABLE CAUSE:\n" - + "\tYour greenlock-store module should have a create function and return { options, accounts, certificates }\n"); - process.exit(18); - return; - } - Object.keys(gl._storeOpts).forEach(function (key) { - if (!(key in gl)) { - gl[key] = gl._storeOpts[key]; - } - }); + // TODO wrap these here and now with tplCopy? + if (!challenger.set || ![5, 2, 1].includes(challenger.set.length)) { + throw new Error( + "gl.challenges[" + + challengeType + + "].set receives the wrong number of arguments." + + " You must define setChallenge as function (opts) { return Promise.resolve(); }" + ); + } + if (challenger.get && ![4, 2, 1].includes(challenger.get.length)) { + throw new Error( + "gl.challenges[" + + challengeType + + "].get receives the wrong number of arguments." + + " You must define getChallenge as function (opts) { return Promise.resolve(); }" + ); + } + if (!challenger.remove || ![4, 2, 1].includes(challenger.remove.length)) { + throw new Error( + "gl.challenges[" + + challengeType + + "].remove receives the wrong number of arguments." + + " You must define removeChallenge as function (opts) { return Promise.resolve(); }" + ); + } - - // - // Backwards compat for <= v2.1.7 - // - if (gl.challenge) { - console.warn("Deprecated use of gl.challenge. Use gl.challenges['" + Greenlock.challengeType + "'] instead."); - gl.challenges[gl.challengeType] = gl.challenge; - gl.challenge = undefined; - } - - Object.keys(gl.challenges||{}).forEach(function (challengeType) { - var challenger = gl.challenges[challengeType]; - - if (challenger.create) { - challenger = gl.challenges[challengeType] = challenger.create(gl); - } - challenger = gl.challenges[challengeType] = promisifyAllSelf(challenger); - gl['_challengeOpts_' + challengeType] = challenger.getOptions && challenger.getOptions() || challenger.options || {}; - Object.keys(gl['_challengeOpts_' + challengeType]).forEach(function (key) { - if (!(key in gl)) { - gl[key] = gl['_challengeOpts_' + challengeType][key]; - } - }); - - // TODO wrap these here and now with tplCopy? - if (!challenger.set || ![5,2,1].includes(challenger.set.length)) { - throw new Error("gl.challenges[" + challengeType + "].set receives the wrong number of arguments." - + " You must define setChallenge as function (opts) { return Promise.resolve(); }"); - } - if (challenger.get && ![4,2,1].includes(challenger.get.length)) { - throw new Error("gl.challenges[" + challengeType + "].get receives the wrong number of arguments." - + " You must define getChallenge as function (opts) { return Promise.resolve(); }"); - } - if (!challenger.remove || ![4,2,1].includes(challenger.remove.length)) { - throw new Error("gl.challenges[" + challengeType + "].remove receives the wrong number of arguments." - + " You must define removeChallenge as function (opts) { return Promise.resolve(); }"); - } - -/* + /* if (!gl._challengeWarn && (!challenger.loopback || 4 !== challenger.loopback.length)) { gl._challengeWarn = true; console.warn("gl.challenges[" + challengeType + "].loopback should be defined as function (opts, domain, token, cb) { ... } and should prove (by external means) that the ACME server challenge '" + challengeType + "' will succeed"); @@ -366,309 +431,386 @@ Greenlock.create = function (gl) { console.warn("gl.challenges[" + challengeType + "].test should be defined as function (opts, domain, token, keyAuthorization, cb) { ... } and should prove (by external means) that the ACME server challenge '" + challengeType + "' will succeed"); } */ - }); + }); - gl.sni = gl.sni || null; - gl.tlsOptions = gl.tlsOptions || gl.httpsOptions || {}; + gl.sni = gl.sni || null; + gl.tlsOptions = gl.tlsOptions || gl.httpsOptions || {}; - // Workaround for https://github.com/nodejs/node/issues/22389 - gl._updateServernames = function (cert) { - if (!gl._certnames) { gl._certnames = {}; } + // Workaround for https://github.com/nodejs/node/issues/22389 + gl._updateServernames = function(cert) { + if (!gl._certnames) { + gl._certnames = {}; + } - // Note: Any given domain could exist on multiple certs - // (especially during renewal where some may be added) - // hence we use a separate object for each domain and list each domain on it - // to get the minimal full set associated with each cert and domain - var allDomains = [cert.subject].concat(cert.altnames.slice(0)); - allDomains.forEach(function (name) { - name = name.toLowerCase(); - if (!gl._certnames[name]) { - gl._certnames[name] = {}; - } - allDomains.forEach(function (name2) { - name2 = name2.toLowerCase(); - gl._certnames[name][name2] = true; - }); - }); - }; - gl._checkServername = function (safeHost, servername) { - // odd, but acceptable - if (!safeHost || !servername) { return true; } - if (safeHost === servername) { return true; } - // connection established with servername and session is re-used for allowed name - if (gl._certnames[servername] && gl._certnames[servername][safeHost]) { - return true; - } - return false; - }; + // Note: Any given domain could exist on multiple certs + // (especially during renewal where some may be added) + // hence we use a separate object for each domain and list each domain on it + // to get the minimal full set associated with each cert and domain + var allDomains = [cert.subject].concat(cert.altnames.slice(0)); + allDomains.forEach(function(name) { + name = name.toLowerCase(); + if (!gl._certnames[name]) { + gl._certnames[name] = {}; + } + allDomains.forEach(function(name2) { + name2 = name2.toLowerCase(); + gl._certnames[name][name2] = true; + }); + }); + }; + gl._checkServername = function(safeHost, servername) { + // odd, but acceptable + if (!safeHost || !servername) { + return true; + } + if (safeHost === servername) { + return true; + } + // connection established with servername and session is re-used for allowed name + if (gl._certnames[servername] && gl._certnames[servername][safeHost]) { + return true; + } + return false; + }; - if (!gl.tlsOptions.SNICallback) { - if (!gl.getCertificatesAsync && !gl.getCertificates) { - if (Array.isArray(gl.approveDomains)) { - gl.approvedDomains = gl.approveDomains; - gl.approveDomains = null; - } - if (!gl.approveDomains) { - gl.approveDomains = function (lexOpts, cb) { - var err; - var emsg; + if (!gl.tlsOptions.SNICallback) { + if (!gl.getCertificatesAsync && !gl.getCertificates) { + if (Array.isArray(gl.approveDomains)) { + gl.approvedDomains = gl.approveDomains; + gl.approveDomains = null; + } + if (!gl.approveDomains) { + gl.approveDomains = function(lexOpts, cb) { + var err; + var emsg; - if (!gl.email) { - throw new Error("le-sni-auto is not properly configured. Missing email"); - } - if (!gl.agreeTos) { - throw new Error("le-sni-auto is not properly configured. Missing agreeTos"); - } - if (!/[a-z]/i.test(lexOpts.domain)) { - cb(new Error("le-sni-auto does not allow IP addresses in SNI")); - return; - } + if (!gl.email) { + throw new Error( + "le-sni-auto is not properly configured. Missing email" + ); + } + if (!gl.agreeTos) { + throw new Error( + "le-sni-auto is not properly configured. Missing agreeTos" + ); + } + if (!/[a-z]/i.test(lexOpts.domain)) { + cb(new Error("le-sni-auto does not allow IP addresses in SNI")); + return; + } - if (!Array.isArray(gl.approvedDomains)) { - // The acme-v2 package uses pre-flight test challenges to - // verify that each requested domain is hosted by the server - // these checks are sufficient for most use cases - return cb(null, lexOpts); - } + if (!Array.isArray(gl.approvedDomains)) { + // The acme-v2 package uses pre-flight test challenges to + // verify that each requested domain is hosted by the server + // these checks are sufficient for most use cases + return cb(null, lexOpts); + } - if (lexOpts.domains.every(function (domain) { - return -1 !== gl.approvedDomains.indexOf(domain); - })) { - // commented this out because people expect to be able to edit the list of domains - // lexOpts.domains = gl.approvedDomains.slice(0); - lexOpts.email = gl.email; - lexOpts.agreeTos = gl.agreeTos; - lexOpts.communityMember = gl.communityMember; - lexOpts.telemetry = gl.telemetry; - return cb(null, lexOpts); - } + if ( + lexOpts.domains.every(function(domain) { + return -1 !== gl.approvedDomains.indexOf(domain); + }) + ) { + // commented this out because people expect to be able to edit the list of domains + // lexOpts.domains = gl.approvedDomains.slice(0); + lexOpts.email = gl.email; + lexOpts.agreeTos = gl.agreeTos; + lexOpts.communityMember = gl.communityMember; + lexOpts.telemetry = gl.telemetry; + return cb(null, lexOpts); + } - emsg = "tls SNI for '" + lexOpts.domains.join(',') + "' rejected: not in list '" + gl.approvedDomains + "'"; - log(gl.debug, emsg, lexOpts.domains, gl.approvedDomains); - err = new Error(emsg); - err.code = 'E_REJECT_SNI'; - cb(err); - }; - } + emsg = + "tls SNI for '" + + lexOpts.domains.join(",") + + "' rejected: not in list '" + + gl.approvedDomains + + "'"; + log(gl.debug, emsg, lexOpts.domains, gl.approvedDomains); + err = new Error(emsg); + err.code = "E_REJECT_SNI"; + cb(err); + }; + } - gl.getCertificates = function (domain, certs, cb) { - // certs come from current in-memory cache, not lookup - log(gl.debug, 'gl.getCertificates called for', domain, 'with certs for', certs && certs.altnames || 'NONE'); - var opts = { - domain: domain, domains: certs && certs.altnames || [ domain ] - , certs: certs, certificate: {}, account: {} - }; - opts.wildname = '*.' + (domain||'').split('.').slice(1).join('.'); + gl.getCertificates = function(domain, certs, cb) { + // certs come from current in-memory cache, not lookup + log( + gl.debug, + "gl.getCertificates called for", + domain, + "with certs for", + (certs && certs.altnames) || "NONE" + ); + var opts = { + domain: domain, + domains: (certs && certs.altnames) || [domain], + certs: certs, + certificate: {}, + account: {} + }; + opts.wildname = + "*." + + (domain || "") + .split(".") + .slice(1) + .join("."); - function cb2(results) { - log(gl.debug, 'gl.approveDomains called with certs for', results.certs && results.certs.altnames || 'NONE', 'and options:'); - log(gl.debug, results.options); - var err; - if (!results) { - err = new Error('E_REJECT_SNI'); - err.code = 'E_REJECT_SNI'; - eb2(err); - return; - } + function cb2(results) { + log( + gl.debug, + "gl.approveDomains called with certs for", + (results.certs && results.certs.altnames) || "NONE", + "and options:" + ); + log(gl.debug, results.options || results); + var err; + if (!results) { + err = new Error("E_REJECT_SNI"); + err.code = "E_REJECT_SNI"; + eb2(err); + return; + } - var options = results.options || results; - if (opts !== options) { - Object.keys(options).forEach(function (key) { - if ('undefined' !== typeof options[key] && 'domain' !== key) { - opts[key] = options[key]; - } - }); - options = opts; - } - if (Array.isArray(options.altnames) && options.altnames.length) { - options.domains = options.altnames; - } - options.altnames = options.domains; - // just in case we get a completely different object from the one we originally created - if (!options.account) { options.account = {}; } - if (!options.certificate) { options.certificate = {}; } - if (results.certs) { - log(gl.debug, 'gl renewing'); - return gl.core.certificates.renewAsync(options, results.certs).then( - function (certs) { - // Workaround for https://github.com/nodejs/node/issues/22389 - gl._updateServernames(certs); - cb(null, certs); - } - , function (e) { - console.debug("Error renewing certificate for '" + domain + "':"); - console.debug(e); - console.error(""); - cb(e); - } - ); - } else { - log(gl.debug, 'gl getting from disk or registering new'); - return gl.core.certificates.getAsync(options).then( - function (certs) { - // Workaround for https://github.com/nodejs/node/issues/22389 - gl._updateServernames(certs); - cb(null, certs); - } - , function (e) { - console.debug("Error loading/registering certificate for '" + domain + "':"); - console.debug(e); - console.error(""); - cb(e); - } - ); - } - } - function eb2(_err) { - if (false !== gl.logRejectedDomains) { - console.error("[Error] approveDomains rejected tls sni '" + domain + "'"); - console.error("[Error] (see https://git.coolaj86.com/coolaj86/greenlock.js/issues/11)"); - if ('E_REJECT_SNI' !== _err.code) { - console.error("[Error] This is the rejection message:"); - console.error(_err.message); - } - console.error(""); - } - cb(_err); - return; - } - function mb2(_err, results) { - if (_err) { eb2(_err); return; } - cb2(results); - } + var options = results.options || results; + if (opts !== options) { + Object.keys(options).forEach(function(key) { + if ("undefined" !== typeof options[key] && "domain" !== key) { + opts[key] = options[key]; + } + }); + options = opts; + } + if (Array.isArray(options.altnames) && options.altnames.length) { + options.domains = options.altnames; + } + options.altnames = options.domains; + // just in case we get a completely different object from the one we originally created + if (!options.account) { + options.account = {}; + } + if (!options.certificate) { + options.certificate = {}; + } + if (results.certs) { + log(gl.debug, "gl renewing"); + return gl.core.certificates.renewAsync(options, results.certs).then( + function(certs) { + // Workaround for https://github.com/nodejs/node/issues/22389 + gl._updateServernames(certs); + cb(null, certs); + }, + function(e) { + console.debug( + "Error renewing certificate for '" + domain + "':" + ); + console.debug(e); + console.error(""); + cb(e); + } + ); + } else { + log(gl.debug, "gl getting from disk or registering new"); + return gl.core.certificates.getAsync(options).then( + function(certs) { + // Workaround for https://github.com/nodejs/node/issues/22389 + gl._updateServernames(certs); + cb(null, certs); + }, + function(e) { + console.debug( + "Error loading/registering certificate for '" + domain + "':" + ); + console.debug(e); + console.error(""); + cb(e); + } + ); + } + } + function eb2(_err) { + if (false !== gl.logRejectedDomains) { + console.error( + "[Error] approveDomains rejected tls sni '" + domain + "'" + ); + console.error( + "[Error] (see https://git.coolaj86.com/coolaj86/greenlock.js/issues/11)" + ); + if ("E_REJECT_SNI" !== _err.code) { + console.error("[Error] This is the rejection message:"); + console.error(_err.message); + } + console.error(""); + } + cb(_err); + return; + } + function mb2(_err, results) { + if (_err) { + eb2(_err); + return; + } + cb2(results); + } - try { - if (1 === gl.approveDomains.length) { - PromiseA.resolve(gl.approveDomains(opts)).then(cb2).catch(eb2); - } else if (2 === gl.approveDomains.length) { - gl.approveDomains(opts, mb2); - } else { - gl.approveDomains(opts, certs, mb2); - } - } catch(e) { - console.error("[ERROR] Something went wrong in approveDomains:"); - console.error(e); - console.error("BUT WAIT! Good news: It's probably your fault, so you can probably fix it."); - } - }; - } - gl.sni = gl.sni || require('le-sni-auto'); - if (gl.sni.create) { - gl.sni = gl.sni.create(gl); - } - gl.tlsOptions.SNICallback = function (_domain, cb) { - // format and (lightly) sanitize sni so that users can be naive - // and not have to worry about SQL injection or fs discovery - var domain = (_domain||'').toLowerCase(); - // hostname labels allow a-z, 0-9, -, and are separated by dots - // _ is sometimes allowed - // REGEX // https://www.codeproject.com/Questions/1063023/alphanumeric-validation-javascript-without-regex - if (!gl.__sni_allow_dangerous_names && (!/^[a-z0-9_\.\-]+$/i.test(domain) || -1 !== domain.indexOf('..'))) { - log(gl.debug, "invalid sni '" + domain + "'"); - cb(new Error("invalid SNI")); - return; - } + try { + if (1 === gl.approveDomains.length) { + Promise.resolve(gl.approveDomains(opts)) + .then(cb2) + .catch(eb2); + } else if (2 === gl.approveDomains.length) { + gl.approveDomains(opts, mb2); + } else { + gl.approveDomains(opts, certs, mb2); + } + } catch (e) { + console.error("[ERROR] Something went wrong in approveDomains:"); + console.error(e); + console.error( + "BUT WAIT! Good news: It's probably your fault, so you can probably fix it." + ); + } + }; + } + gl.sni = gl.sni || require("le-sni-auto"); + if (gl.sni.create) { + gl.sni = gl.sni.create(gl); + } + gl.tlsOptions.SNICallback = function(_domain, cb) { + // format and (lightly) sanitize sni so that users can be naive + // and not have to worry about SQL injection or fs discovery + var domain = (_domain || "").toLowerCase(); + // hostname labels allow a-z, 0-9, -, and are separated by dots + // _ is sometimes allowed + // REGEX // https://www.codeproject.com/Questions/1063023/alphanumeric-validation-javascript-without-regex + if ( + !gl.__sni_allow_dangerous_names && + (!/^[a-z0-9_\.\-]+$/i.test(domain) || -1 !== domain.indexOf("..")) + ) { + log(gl.debug, "invalid sni '" + domain + "'"); + cb(new Error("invalid SNI")); + return; + } - try { - gl.sni.sniCallback(gl.__sni_preserve_case && _domain || domain, cb); - } catch(e) { - console.error("[ERROR] Something went wrong in the SNICallback:"); - console.error(e); - cb(e); - } - }; - } + try { + gl.sni.sniCallback((gl.__sni_preserve_case && _domain) || domain, cb); + } catch (e) { + console.error("[ERROR] Something went wrong in the SNICallback:"); + console.error(e); + cb(e); + } + }; + } - // We want to move to using tlsOptions instead of httpsOptions, but we also need to make - // sure anything that uses this object will still work if looking for httpsOptions. - gl.httpsOptions = gl.tlsOptions; + // We want to move to using tlsOptions instead of httpsOptions, but we also need to make + // sure anything that uses this object will still work if looking for httpsOptions. + gl.httpsOptions = gl.tlsOptions; - if (gl.core.create) { - gl.core = gl.core.create(gl); - } + if (gl.core.create) { + gl.core = gl.core.create(gl); + } - gl.renew = function (args, certs) { - return gl.core.certificates.renewAsync(args, certs); - }; + gl.renew = function(args, certs) { + return gl.core.certificates.renewAsync(args, certs); + }; - gl.register = function (args) { - return gl.core.certificates.getAsync(args); - }; + gl.register = function(args) { + return gl.core.certificates.getAsync(args); + }; - gl.check = function (args) { - // TODO must return email, domains, tos, pems - return gl.core.certificates.checkAsync(args); - }; + gl.check = function(args) { + // TODO must return email, domains, tos, pems + return gl.core.certificates.checkAsync(args); + }; - gl.middleware = gl.middleware || require('./lib/middleware'); - if (gl.middleware.create) { - gl.middleware = gl.middleware.create(gl); - } + gl.middleware = gl.middleware || require("./lib/middleware"); + if (gl.middleware.create) { + gl.middleware = gl.middleware.create(gl); + } - //var SERVERNAME_RE = /^[a-z0-9\.\-_]+$/; - var SERVERNAME_G = /[^a-z0-9\.\-_]/; - gl.middleware.sanitizeHost = function (app) { - return function (req, res, next) { - function realNext() { - if ('function' === typeof app) { - app(req, res); - } else if ('function' === typeof next) { - next(); - } else { - res.statusCode = 500; - res.end("Error: no middleware assigned"); - } - } - // Get the host:port combo, if it exists - var host = (req.headers.host||'').split(':'); + //var SERVERNAME_RE = /^[a-z0-9\.\-_]+$/; + var SERVERNAME_G = /[^a-z0-9\.\-_]/; + gl.middleware.sanitizeHost = function(app) { + return function(req, res, next) { + function realNext() { + if ("function" === typeof app) { + app(req, res); + } else if ("function" === typeof next) { + next(); + } else { + res.statusCode = 500; + res.end("Error: no middleware assigned"); + } + } + // Get the host:port combo, if it exists + var host = (req.headers.host || "").split(":"); - // if not, move along - if (!host[0]) { realNext(); return; } + // if not, move along + if (!host[0]) { + realNext(); + return; + } - // if so, remove non-allowed characters - var safehost = host[0].toLowerCase().replace(SERVERNAME_G, ''); + // if so, remove non-allowed characters + var safehost = host[0].toLowerCase().replace(SERVERNAME_G, ""); - // if there were unallowed characters, complain - if (!gl.__sni_allow_dangerous_names && safehost.length !== host[0].length) { - res.statusCode = 400; - res.end("Malformed HTTP Header: 'Host: " + host[0] + "'"); - return; - } + // if there were unallowed characters, complain + if ( + !gl.__sni_allow_dangerous_names && + safehost.length !== host[0].length + ) { + res.statusCode = 400; + res.end("Malformed HTTP Header: 'Host: " + host[0] + "'"); + return; + } - // make lowercase - if (!gl.__sni_preserve_case) { - host[0] = safehost; - req.headers.host = host.join(':'); - } + // make lowercase + if (!gl.__sni_preserve_case) { + host[0] = safehost; + req.headers.host = host.join(":"); + } - // Note: This sanitize function is also called on plain sockets, which don't need Domain Fronting checks - if (req.socket.encrypted && !gl.__sni_allow_domain_fronting) { - if (req.socket && 'string' === typeof req.socket.servername) { - // Workaround for https://github.com/nodejs/node/issues/22389 - if (!gl._checkServername(safehost, req.socket.servername.toLowerCase())) { - res.statusCode = 400; - res.setHeader('Content-Type', 'text/html; charset=utf-8'); - res.end( - "

Domain Fronting Error

" - + "

This connection was secured using TLS/SSL for '" + req.socket.servername.toLowerCase() + "'

" - + "

The HTTP request specified 'Host: " + safehost + "', which is (obviously) different.

" - + "

Because this looks like a domain fronting attack, the connection has been terminated.

" - ); - return; - } - } else if (safehost && !gl.middleware.sanitizeHost._skip_fronting_check) { - // TODO how to handle wrapped sockets, as with telebit? - console.warn("\n\n\n[greenlock] WARN: no string for req.socket.servername," - + " skipping fronting check for '" + safehost + "'\n\n\n"); - gl.middleware.sanitizeHost._skip_fronting_check = true; - } - } + // Note: This sanitize function is also called on plain sockets, which don't need Domain Fronting checks + if (req.socket.encrypted && !gl.__sni_allow_domain_fronting) { + if (req.socket && "string" === typeof req.socket.servername) { + // Workaround for https://github.com/nodejs/node/issues/22389 + if ( + !gl._checkServername(safehost, req.socket.servername.toLowerCase()) + ) { + res.statusCode = 400; + res.setHeader("Content-Type", "text/html; charset=utf-8"); + res.end( + "

Domain Fronting Error

" + + "

This connection was secured using TLS/SSL for '" + + req.socket.servername.toLowerCase() + + "'

" + + "

The HTTP request specified 'Host: " + + safehost + + "', which is (obviously) different.

" + + "

Because this looks like a domain fronting attack, the connection has been terminated.

" + ); + return; + } + } else if ( + safehost && + !gl.middleware.sanitizeHost._skip_fronting_check + ) { + // TODO how to handle wrapped sockets, as with telebit? + console.warn( + "\n\n\n[greenlock] WARN: no string for req.socket.servername," + + " skipping fronting check for '" + + safehost + + "'\n\n\n" + ); + gl.middleware.sanitizeHost._skip_fronting_check = true; + } + } - // carry on - realNext(); - }; - }; - gl.middleware.sanitizeHost._skip_fronting_check = false; + // carry on + realNext(); + }; + }; + gl.middleware.sanitizeHost._skip_fronting_check = false; - return gl; + return gl; }; diff --git a/lib/compat.js b/lib/compat.js new file mode 100644 index 0000000..0f46780 --- /dev/null +++ b/lib/compat.js @@ -0,0 +1,21 @@ +'use strict'; + +function requireBluebird() { + try { + return require('bluebird'); + } catch(e) { + console.error(""); + console.error("DON'T PANIC. You're running an old version of node with incomplete Promise support."); + console.error("EASY FIX: `npm install --save bluebird`"); + console.error(""); + throw e; + } +} + +if ('undefined' === typeof Promise) { + global.Promise = requireBluebird(); +} + +if ('function' !== typeof require('util').promisify) { + require('util').promisify = requireBluebird().promisify; +} diff --git a/lib/core.js b/lib/core.js index c938e4e..f1d4956 100644 --- a/lib/core.js +++ b/lib/core.js @@ -1,11 +1,7 @@ 'use strict'; +/*global Promise*/ +require('./compat.js'); -var PromiseA; -try { - PromiseA = require('bluebird'); -} catch(e) { - PromiseA = global.Promise; -} var util = require('util'); function promisifyAll(obj) { var aobj = {}; @@ -42,7 +38,7 @@ module.exports.create = function (gl) { // TODO check response header on request for cache time if ((now - gl._ipc.acmeUrlsUpdatedAt) < 10 * 60 * 1000) { - return PromiseA.resolve(gl._ipc.acmeUrls); + return Promise.resolve(gl._ipc.acmeUrls); } // TODO acme-v2/nocompat @@ -79,7 +75,7 @@ module.exports.create = function (gl) { + " and 'rsaKeySize' must be 2048 or greater." ); err.code = 'E_ARGS'; - return PromiseA.reject(err); + return Promise.reject(err); } return utils.testEmail(args.email).then(function () { @@ -156,9 +152,9 @@ module.exports.create = function (gl) { if (newAccountKeypair) { accountKeypairPromise = gl.store.accounts.setKeypairAsync(args, keypair); } - return PromiseA.resolve(accountKeypairPromise).then(function () { + return Promise.resolve(accountKeypairPromise).then(function () { // TODO move templating of arguments to right here? - if (!gl.store.accounts.setAsync) { return PromiseA.resolve({ keypair: keypair }); } + if (!gl.store.accounts.setAsync) { return Promise.resolve({ keypair: keypair }); } return gl.store.accounts.setAsync(args, reg).then(function (account) { if (account && 'object' !== typeof account) { throw new Error("store.accounts.setAsync should either return 'null' or an object with at least a string 'id'"); @@ -181,7 +177,7 @@ module.exports.create = function (gl) { if (gl.store.accounts.checkAsync) { accountPromise = core.accounts.checkAsync(args); } - return PromiseA.resolve(accountPromise).then(function (account) { + return Promise.resolve(accountPromise).then(function (account) { if (!account) { return core.accounts.registerAsync(args); } if (account.keypair) { return account; } @@ -201,7 +197,7 @@ module.exports.create = function (gl) { var requiredArgs = ['accountId', 'email', 'domains', 'domain']; if (!(args.account && (args.account.id || args.account.kid)) && !requiredArgs.some(function (key) { return -1 !== Object.keys(args).indexOf(key); })) { - return PromiseA.reject(new Error( + return Promise.reject(new Error( "In order to register or retrieve an account one of '" + requiredArgs.join("', '") + "' must be present" )); } @@ -213,7 +209,7 @@ module.exports.create = function (gl) { // we can re-register the same account until we're blue in the face and it's all the same // of course, we can also skip the lookup if we do store the account, but whatever - if (!gl.store.accounts.checkAsync) { return PromiseA.resolve(null); } + if (!gl.store.accounts.checkAsync) { return Promise.resolve(null); } return gl.store.accounts.checkAsync(args).then(function (account) { if (!account) { @@ -240,7 +236,7 @@ module.exports.create = function (gl) { args = utils.tplCopy(copy); if (!Array.isArray(args.domains)) { - return PromiseA.reject(new Error('args.domains should be an array of domains')); + return Promise.reject(new Error('args.domains should be an array of domains')); } //if (-1 === args.domains.indexOf(args.subject)) // TODO relax the constraint once acme-v2 handles subject? if (args.subject !== args.domains[0]) { @@ -250,7 +246,7 @@ module.exports.create = function (gl) { console.warn('\topts.domains: (set by you in approveDomains()) ' + args.domains.join(',')); console.warn("Updating your code will prevent weird, random, hard-to-repro bugs during renewals"); console.warn("(also this will be required in the next major version of greenlock)"); - //return PromiseA.reject(new Error('certificate subject (primary domain) must be the first in opts.domains')); + //return Promise.reject(new Error('certificate subject (primary domain) must be the first in opts.domains')); } if (!(args.domains.length && args.domains.every(utils.isValidDomain))) { // NOTE: this library can't assume to handle the http loopback @@ -258,7 +254,7 @@ module.exports.create = function (gl) { // so we do not check dns records or attempt a loopback here err = new Error("invalid domain name(s): '(" + args.subject + ') ' + args.domains.join(',') + "'"); err.code = "INVALID_DOMAIN"; - return PromiseA.reject(err); + return Promise.reject(err); } // If a previous request to (re)register a certificate is already underway we need @@ -384,6 +380,9 @@ module.exports.create = function (gl) { Object.keys(challenge).forEach(function (key) { done[key] = challenge[key]; }); + // regression bugfix for le-challenge-cloudflare + // (_acme-challege => _greenlock-dryrun-XXXX) + copy.acmePrefix = (challenge.dnsHost||'').replace(/\.*/, '') || copy.acmePrefix; gl.challenges[challenge.type].set(copy, challenge.altname, challenge.token, challenge.keyAuthorization, done); } }; @@ -429,7 +428,7 @@ module.exports.create = function (gl) { args.keypair = domainKeypair; promise = gl.store.certificates.setKeypairAsync(args, domainKeypair); } - return PromiseA.resolve(promise).then(function () { + return Promise.resolve(promise).then(function () { return gl.store.certificates.setAsync(args).then(function () { return results; }); @@ -455,7 +454,7 @@ module.exports.create = function (gl) { + new Date(renewableAt).toISOString() + "'. Set { duplicate: true } to force." ); err.code = 'E_NOT_RENEWABLE'; - return PromiseA.reject(err); + return Promise.reject(err); } // Either the cert has entered its renewal period diff --git a/lib/utils.js b/lib/utils.js index 36acb02..caa3fb1 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -1,12 +1,12 @@ 'use strict'; +require('./compat.js'); var path = require('path'); var homeRe = new RegExp("^~(\\/|\\\\|\\" + path.sep + ")"); // very basic check. Allows *.example.com. var re = /^(\*\.)?[a-zA-Z0-9\.\-]+$/; var punycode = require('punycode'); -var promisify = (require('util').promisify || require('bluebird').promisify); -var dnsResolveMxAsync = promisify(require('dns').resolveMx); +var dnsResolveMxAsync = require('util').promisify(require('dns').resolveMx); module.exports.attachCertInfo = function (results) { var certInfo = require('cert-info').info(results.cert); @@ -54,12 +54,24 @@ module.exports.merge = function (/*defaults, args*/) { allDefaults.forEach(function (defaults) { Object.keys(defaults).forEach(function (key) { - copy[key] = defaults[key]; + if ('challenges' === key && copy[key] && defaults[key]) { + Object.keys(defaults[key]).forEach(function (k) { + copy[key][k] = defaults[key][k]; + }); + } else { + copy[key] = defaults[key]; + } }); }); Object.keys(args).forEach(function (key) { - copy[key] = args[key]; + if ('challenges' === key && copy[key] && args[key]) { + Object.keys(args[key]).forEach(function (k) { + copy[key][k] = args[key][k]; + }); + } else { + copy[key] = args[key]; + } }); return copy; diff --git a/package.json b/package.json index 5966c84..2f96add 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "greenlock", - "version": "2.7.22", + "version": "2.7.23", "description": "Greenlock is Let's Encrypt (ACME) client for node.js", "homepage": "https://greenlock.domains/", "main": "index.js", diff --git a/tests/challenge-middleware.js b/tests/challenge-middleware.js deleted file mode 100644 index f97d3ee..0000000 --- a/tests/challenge-middleware.js +++ /dev/null @@ -1,106 +0,0 @@ -'use strict'; - -var PromiseA = require('bluebird'); -var path = require('path'); -var requestAsync = PromiseA.promisify(require('@coolaj86/request')); -var LE = require('../').LE; -var le = LE.create({ - server: 'staging' -, acme: require('le-acme-core').ACME.create() -, store: require('le-store-certbot').create({ - configDir: '~/letsencrypt.test/etc'.split('/').join(path.sep) - , webrootPath: '~/letsencrypt.test/var/:hostname'.split('/').join(path.sep) - }) -, challenge: require('le-challenge-fs').create({ - webrootPath: '~/letsencrypt.test/var/:hostname'.split('/').join(path.sep) - }) -, debug: true -}); -var utils = require('../lib/utils'); - -if ('/.well-known/acme-challenge/' !== LE.acmeChallengePrefix) { - throw new Error("Bad constant 'acmeChallengePrefix'"); -} - -var baseUrl; -// could use localhost as well, but for the sake of an FQDN for testing, we use this -// also, example.com is just a junk domain to make sure that it is ignored -// (even though it should always be an array of only one element in lib/core.js) -var domains = [ 'localhost.daplie.com', 'example.com' ]; // or just localhost -var token = 'token-id'; -var secret = 'key-secret'; - -var tests = [ - function () { - console.log('Test Url:', baseUrl + token); - return requestAsync({ url: baseUrl + token }).then(function (req) { - if (404 !== req.statusCode) { - console.log(req.statusCode); - throw new Error("Should be status 404"); - } - }); - } - -, function () { - var copy = utils.merge({ domains: domains }, le); - copy = utils.tplCopy(copy); - return PromiseA.promisify(le.challenge.set)(copy, domains[0], token, secret); - } - -, function () { - return requestAsync(baseUrl + token).then(function (req) { - if (200 !== req.statusCode) { - console.log(req.statusCode, req.body); - throw new Error("Should be status 200"); - } - - if (req.body !== secret) { - console.error(token, secret, req.body); - throw new Error("req.body should be secret"); - } - }); - } - -, function () { - var copy = utils.merge({ domains: domains }, le); - copy = utils.tplCopy(copy); - return PromiseA.promisify(le.challenge.remove)(copy, domains[0], token); - } - -, function () { - return requestAsync(baseUrl + token).then(function (req) { - if (404 !== req.statusCode) { - console.log(req.statusCode); - throw new Error("Should be status 404"); - } - }); - } -]; - -function run() { - //var express = require(express); - var server = require('http').createServer(le.middleware()); - server.listen(0, function () { - console.log('Server running, proceeding to test.'); - baseUrl = 'http://' + domains[0] + ':' + server.address().port + LE.acmeChallengePrefix; - - function next() { - var test = tests.shift(); - if (!test) { - console.info('All tests passed'); - server.close(); - return; - } - - test().then(next, function (err) { - console.error('ERROR'); - console.error(err.stack); - server.close(); - }); - } - - next(); - }); -} - -run();