package cmd
import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"

	"github.com/go-acme/lego/v4/certcrypto"
	"github.com/go-acme/lego/v4/lego"
	"github.com/go-acme/lego/v4/log"
	"github.com/go-acme/lego/v4/registration"
	"github.com/hashicorp/go-retryablehttp"
	"github.com/urfave/cli/v2"
)
// filePerm is the permission mode for files created by this package:
// owner read/write only (0o600), no access for group or others.
const filePerm os.FileMode = 0o600
// setupClient creates a new client with challenge settings.
//
// The client is built from the CLI flags, the account and the key type, then
// the challenge providers selected on the command line are attached to it.
func setupClient(ctx *cli.Context, account *Account, keyType certcrypto.KeyType) *lego.Client {
	c := newClient(ctx, account, keyType)
	// Challenges must be registered before the client is handed to a command.
	setupChallenges(ctx, c)
	return c
}
// setupAccount resolves the account used by this invocation.
//
// The key type comes from the CLI flags and the matching private key from
// accountsStorage. When an account file already exists it is loaded with that
// key; otherwise a fresh in-memory Account is created from the storage's user
// ID. The key type is returned alongside the account so callers can reuse it.
func setupAccount(ctx *cli.Context, accountsStorage *AccountsStorage) (*Account, certcrypto.KeyType) {
	kt := getKeyType(ctx)
	pk := accountsStorage.GetPrivateKey(kt)

	if !accountsStorage.ExistsAccountFilePath() {
		// No account file yet: start from the stored user ID and the key.
		return &Account{Email: accountsStorage.GetUserID(), key: pk}, kt
	}
	return accountsStorage.LoadAccount(pk), kt
}
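// newClient builds the ACME client used by the commands.
//
// The CA directory URL, certificate settings (key type, certificate timeout,
// overall request limit) and User-Agent come from the CLI flags. The HTTP
// timeout is only overridden when its flag is set. When flgTLSSkipVerify is
// set, the default transport is cloned with certificate verification disabled
// and a warning is logged, since the ACME server's identity is then not
// checked. The HTTP client is wrapped in a retrying client (up to 5 retries)
// before the lego client is created. Failure to create the client, or a server
// that requires External Account Binding while the EAB flag is not set,
// terminates the process.
func newClient(ctx *cli.Context, acc registration.User, keyType certcrypto.KeyType) *lego.Client {
	config := lego.NewConfig(acc)
	config.CADirURL = ctx.String(flgServer)

	config.Certificate = lego.CertificateConfig{
		KeyType:             keyType,
		Timeout:             time.Duration(ctx.Int(flgCertTimeout)) * time.Second,
		OverallRequestLimit: ctx.Int(flgOverallRequestLimit),
	}
	config.UserAgent = getUserAgent(ctx)

	if ctx.IsSet(flgHTTPTimeout) {
		config.HTTPClient.Timeout = time.Duration(ctx.Int(flgHTTPTimeout)) * time.Second
	}

	if ctx.Bool(flgTLSSkipVerify) {
		defaultTransport, ok := config.HTTPClient.Transport.(*http.Transport)
		// Expected to always hold: the default client used by the CLI defines the
		// transport and its TLS config. Transport.Clone keeps a nil TLSClientConfig
		// nil, so the config is checked as well instead of being dereferenced blindly.
		if ok && defaultTransport.TLSClientConfig != nil {
			tr := defaultTransport.Clone()
			tr.TLSClientConfig.InsecureSkipVerify = true
			config.HTTPClient.Transport = tr
			// Make the weakened connection security visible in the run's output.
			log.Warnf("TLS certificate verification is disabled (--%s): the identity of the ACME server is not checked.", flgTLSSkipVerify)
		} else {
			// Fail closed: keep verification on and say why the flag had no effect.
			log.Warnf("--%s is set but the HTTP transport does not expose a TLS config; certificate verification stays enabled.", flgTLSSkipVerify)
		}
	}

	// Retry transient HTTP failures transparently, per retryablehttp's default policy.
	retryClient := retryablehttp.NewClient()
	retryClient.RetryMax = 5
	retryClient.HTTPClient = config.HTTPClient

	config.HTTPClient = retryClient.StandardClient()

	client, err := lego.NewClient(config)
	if err != nil {
		log.Fatalf("Could not create client: %v", err)
	}

	if client.GetExternalAccountRequired() && !ctx.IsSet(flgEAB) {
		log.Fatalf("Server requires External Account Binding. Use --%s with --%s and --%s.", flgEAB, flgKID, flgHMAC)
	}

	return client
}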
// getKeyType returns the key type from which private keys should be generated,
// as selected by the flgKeyType flag (matched case-insensitively).
//
// An unsupported value terminates the process via log.Fatalf; the trailing
// empty return only satisfies the compiler.
func getKeyType(ctx *cli.Context) certcrypto.KeyType {
	name := ctx.String(flgKeyType)

	// Accepted names, compared after upper-casing the user's input.
	supported := map[string]certcrypto.KeyType{
		"RSA2048": certcrypto.RSA2048,
		"RSA3072": certcrypto.RSA3072,
		"RSA4096": certcrypto.RSA4096,
		"RSA8192": certcrypto.RSA8192,
		"EC256":   certcrypto.EC256,
		"EC384":   certcrypto.EC384,
	}
	if kt, ok := supported[strings.ToUpper(name)]; ok {
		return kt
	}

	log.Fatalf("Unsupported KeyType: %s", name)
	return ""
}
// getEmail returns the account email passed on the command line.
//
// A missing value is fatal: the CLI cannot identify an account without it.
func getEmail(ctx *cli.Context) string {
	if email := ctx.String(flgEmail); email != "" {
		return email
	}
	log.Fatalf("You have to pass an account (email address) to the program using --%s or -m", flgEmail)
	return ""
}
// getUserAgent builds the User-Agent sent to the ACME server: the optional
// user-supplied prefix followed by "lego-cli/<version>". Surrounding
// whitespace is trimmed so an empty prefix leaves no leading space.
func getUserAgent(ctx *cli.Context) string {
	prefix := ctx.String(flgUserAgent)
	ua := prefix + " lego-cli/" + ctx.App.Version
	return strings.TrimSpace(ua)
}
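// createNonExistingFolder makes sure path exists as a directory, creating it
// (and any missing parents) with mode 0o700 when it is absent.
//
// It returns nil when the directory already exists, the error from os.Stat for
// anything other than "does not exist", and an error when path exists but is
// not a directory, so callers do not go on to write files under a non-directory.
func createNonExistingFolder(path string) error {
	info, err := os.Stat(path)
	switch {
	case os.IsNotExist(err):
		// Owner-only, consistent with the owner-only filePerm used for files.
		return os.MkdirAll(path, 0o700)
	case err != nil:
		return err
	case !info.IsDir():
		return fmt.Errorf("%q exists but is not a directory", path)
	}
	return nil
}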
// readCSRFile loads a certificate signing request from filename.
//
// The file may be PEM-encoded — a "CERTIFICATE REQUEST" or legacy
// "NEW CERTIFICATE REQUEST" block, possibly among other PEM blocks, the last
// such block winning — or a bare DER-encoded ASN.1 CSR. Read errors are
// returned unchanged; content in neither form fails in ParseCertificateRequest.
func readCSRFile(filename string) (*x509.CertificateRequest, error) {
	data, err := os.ReadFile(filename)
	if err != nil {
		return nil, err
	}

	// Default to treating the whole file as DER; a PEM CSR block, if found, replaces it.
	der := data
	for rest := data; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no (further) PEM blocks
		}
		switch block.Type {
		case "CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST":
			der = block.Bytes
		}
	}

	// If the DER assumption is wrong, parsing fails with an ASN.1 error.
	return x509.ParseCertificateRequest(der)
}