🔱: [acme] sync upgrade with 2 commits [trident-sync]

Example for on-demand http-01
pull/29/head
GitHub Actions Bot 2024-02-02 19:24:16 +00:00
parent 7e8842b452
commit a6bf198604
2 changed files with 193 additions and 0 deletions

View File

@ -0,0 +1,21 @@
# http-01
The `http-01` challenge type is the simplest to implement and should likely be your default choice, unless you either require wildcard certificates or if port 80 is unavailable for use.
## How it works
When solving `http-01` challenges, you prove ownership of a domain name by serving a specific payload from a specific URL. The ACME authority provides the client with a token that is used to generate the URL and file contents. The file must exist at `http://$YOUR_DOMAIN/.well-known/acme-challenge/$TOKEN` and contain the token and a thumbprint of your account key.
Once the order is finalized, the ACME authority will verify that the URL responds with the correct payload by sending HTTP requests before the challenge is valid. HTTP redirects are followed, and Let's Encrypt allows redirecting to HTTPS although this diverges from the ACME spec.
## Pros and cons
* Challenge must be satisfied using port 80 (HTTP)
* The simplest challenge type to implement
* Can not be used to issue wildcard certificates
* If using multiple web servers, all of them need to respond with the correct token
## External links
* [https://letsencrypt.org/docs/challenge-types/#http-01-challenge](https://letsencrypt.org/docs/challenge-types/#http-01-challenge)
* [https://datatracker.ietf.org/doc/html/rfc8555#section-8.3](https://datatracker.ietf.org/doc/html/rfc8555#section-8.3)

View File

@ -0,0 +1,172 @@
/**
* Example using http-01 challenge to generate certificates on-demand
*/
const fs = require('fs');
const path = require('path');
const http = require('http');
const https = require('https');
const tls = require('tls');
const acme = require('./../../');
const HTTP_SERVER_PORT = 80;
const HTTPS_SERVER_PORT = 443;
const VALID_DOMAINS = ['example.com', 'example.org'];
const FALLBACK_KEY = fs.readFileSync(path.join(__dirname, '..', 'fallback.key'));
const FALLBACK_CERT = fs.readFileSync(path.join(__dirname, '..', 'fallback.crt'));
const pendingDomains = {};
const challengeResponses = {};
const certificateStore = {};
function log(m) {
process.stdout.write(`${(new Date()).toISOString()} ${m}\n`);
}
/**
* On-demand certificate generation using http-01
*/
async function getCertOnDemand(client, servername, attempt = 0) {
/* Invalid domain */
if (!VALID_DOMAINS.includes(servername)) {
throw new Error(`Invalid domain: ${servername}`);
}
/* Certificate exists */
if (servername in certificateStore) {
return certificateStore[servername];
}
/* Waiting on certificate order to go through */
if (servername in pendingDomains) {
if (attempt >= 10) {
throw new Error(`Gave up waiting on certificate for ${servername}`);
}
await new Promise((resolve) => { setTimeout(resolve, 1000); });
return getCertOnDemand(client, servername, (attempt + 1));
}
/* Create CSR */
log(`Creating CSR for ${servername}`);
const [key, csr] = await acme.crypto.createCsr({
commonName: servername
});
/* Order certificate */
log(`Ordering certificate for ${servername}`);
const cert = await client.auto({
csr,
email: 'test@example.com',
termsOfServiceAgreed: true,
challengePriority: ['http-01'],
challengeCreateFn: (authz, challenge, keyAuthorization) => {
challengeResponses[challenge.token] = keyAuthorization;
},
challengeRemoveFn: (authz, challenge) => {
delete challengeResponses[challenge.token];
}
});
/* Done, store certificate */
log(`Certificate for ${servername} created successfully`);
certificateStore[servername] = [key, cert];
delete pendingDomains[servername];
return certificateStore[servername];
}
/**
* Main
*/
(async () => {
try {
/**
* Initialize ACME client
*/
log('Initializing ACME client');
const client = new acme.Client({
directoryUrl: acme.directory.letsencrypt.staging,
accountKey: await acme.crypto.createPrivateKey()
});
/**
* HTTP server
*/
const httpServer = http.createServer((req, res) => {
if (req.url.match(/\/\.well-known\/acme-challenge\/.+/)) {
const token = req.url.split('/').pop();
log(`Received challenge request for token=${token}`);
/* ACME challenge response */
if (token in challengeResponses) {
log(`Serving challenge response HTTP 200 token=${token}`);
res.writeHead(200);
res.end(challengeResponses[token]);
return;
}
/* Challenge response not found */
log(`Oops, challenge response not found for token=${token}`);
res.writeHead(404);
res.end();
return;
}
/* HTTP 302 redirect */
log(`HTTP 302 ${req.headers.host}${req.url}`);
res.writeHead(302, { Location: `https://${req.headers.host}${req.url}` });
res.end();
});
httpServer.listen(HTTP_SERVER_PORT, () => {
log(`HTTP server listening on port ${HTTP_SERVER_PORT}`);
});
/**
* HTTPS server
*/
const requestListener = (req, res) => {
log(`HTTP 200 ${req.headers.host}${req.url}`);
res.writeHead(200);
res.end('Hello world\n');
};
const httpsServer = https.createServer({
/* Fallback certificate */
key: FALLBACK_KEY,
cert: FALLBACK_CERT,
/* Serve certificate based on servername */
SNICallback: async (servername, cb) => {
try {
log(`Handling SNI request for ${servername}`);
const [key, cert] = await getCertOnDemand(client, servername);
log(`Found certificate for ${servername}, serving secure context`);
cb(null, tls.createSecureContext({ key, cert }));
}
catch (e) {
log(`[ERROR] ${e.message}`);
cb(e.message);
}
}
}, requestListener);
httpsServer.listen(HTTPS_SERVER_PORT, () => {
log(`HTTPS server listening on port ${HTTPS_SERVER_PORT}`);
});
}
catch (e) {
log(`[FATAL] ${e.message}`);
process.exit(1);
}
})();