sni callback stuff

This commit is contained in:
AJ ONeal 2015-12-17 03:03:07 +00:00
parent 3132e7a592
commit 75d259dbb1
3 changed files with 152 additions and 6 deletions

View File

@ -24,7 +24,7 @@ npm install --save letsencrypt-express
'use strict';
// Note: using staging server url, remove .testing() for production
var le = require('letsencrypt-express').testing();
var lex = require('letsencrypt-express').testing();
var express = require('express');
var app = express();
@ -32,7 +32,7 @@ app.use('/', function (req, res) {
res.send({ success: true });
});
le.create('/etc/letsencrypt', app).listen([80], [443, 5001], function () {
lex.create('/etc/letsencrypt', app).listen([80], [443, 5001], function () {
console.log("ENCRYPT __ALL__ THE DOMAINS!");
});
```
@ -42,7 +42,7 @@ le.create('/etc/letsencrypt', app).listen([80], [443, 5001], function () {
```javascript
'use strict';
var le = require('letsencrypt-express');
var lex = require('letsencrypt-express');
var express = require('express');
var app = express();
@ -50,7 +50,7 @@ app.use('/', function (req, res) {
res.send({ success: true });
});
var results = le.create({
var results = lex.create({
configDir: '/etc/letsencrypt'
, onRequest: app
, server: require('letsencrypt').productionServerUrl
@ -84,6 +84,21 @@ results.tlsServers.forEach(function (server) {
});
```
## API
```
LEX.create(options) // checks options and sets up defaults. returns object with `listen`
// (it was really just done this way to appeal to what people are used to seeing)
lex.listen(plain, tls, fn) // actually creates the servers and causes them to listen
LEX.createSniCallback(le) // receives an instance of letsencrypt, returns an SNICallback handler for https.createServer()
LEX.getChallenge(opts, hostname, key cb) // uses `opts.webrootPath` to read from the filesystem
```
## Options
If any of these values are `undefined` or `null` the will assume use reasonable defaults.

128
lib/sni-callback.js Normal file
View File

@ -0,0 +1,128 @@
'use strict';
var crypto = require('crypto');
var tls = require('tls');
module.exports.create = function (memos) {
var ipc = {}; // in-process cache
if (!memos) { throw new Error("requires opts to be an object"); }
if (!memos.letsencrypt) { throw new Error("requires opts.letsencrypt to be a letsencrypt instance"); }
if (!memos.lifetime) { memos.lifetime = 90 * 24 * 60 * 60 * 1000; }
if (!memos.failedWait) { memos.failedWait = 5 * 60 * 1000; }
if (!memos.renewWithin) { memos.renewWithin = 3 * 24 * 60 * 60 * 1000; }
if (!memos.memorizeFor) { memos.memorizeFor = 1 * 24 * 60 * 60 * 1000; }
if (!memos.handleRegistration) { memos.handleRegistration = function (args, cb) { cb(null, null); }; }
if (!memos.handleRenewFailure) { memos.handleRenewFailure = function () {}; }
function assignBestByDates(now, certInfo) {
certInfo = certInfo || { loadedAt: now, expiresAt: 0, issuedAt: 0, lifetime: 0 };
var rnds = crypto.randomBytes(3)[0];
var rnd1 = ((rnds[0] + 1) / 257);
var rnd2 = ((rnds[1] + 1) / 257);
var rnd3 = ((rnds[2] + 1) / 257);
// Stagger randomly by plus 0% to 25% to prevent all caches expiring at once
var memorizeFor = Math.floor(memos.memorizeFor + ((memos.memorizeFor / 4) * rnd1));
// Stagger randomly to renew between n and 2n days before renewal is due
// this *greatly* reduces the risk of multiple cluster processes renewing the same domain at once
var bestIfUsedBy = certInfo.expiresAt - (memos.renewWithin + Math.floor(memos.renewWithin * rnd2));
// Stagger randomly by plus 0 to 5 min to reduce risk of multiple cluster processes
// renewing at once on boot when the certs have expired
var renewTimeout = Math.floor((5 * 60 * 1000) * rnd3);
certInfo.loadedAt = now;
certInfo.memorizeFor = memorizeFor;
certInfo.bestIfUsedBy = bestIfUsedBy;
certInfo.renewTimeout = renewTimeout;
}
function renewInBackground(now, hostname, certInfo) {
if ((now - certInfo.loadedAt) < memos.failedWait) {
// wait a few minutes
return;
}
if (now > certInfo.bestIfUsedBy && !certInfo.timeout) {
// EXPIRING
if (now > certInfo.expiresAt) {
// EXPIRED
certInfo.renewTimeout = Math.floor(certInfo.renewTimeout / 2);
}
certInfo.timeout = setTimeout(function () {
var opts = { domains: [ hostname ], duplicate: false };
le.renew(opts, function (err, certInfo) {
if (err || !certInfo) {
memos.handleRenewFailure(err, certInfo, opts);
}
ipc[hostname] = assignBestByDates(now, certInfo);
});
}, certInfo.renewTimeout);
}
}
function fetch(hostname, cb) {
le.fetch({ domains: [hostname] }, function (err, certInfo) {
var now = Date.now();
ipc[hostname] = assignBestByDates(now, certInfo);
if (!certInfo) {
// handles registration
memos.handleRegistration(hostname, cb);
return;
}
// handles renewals
renewInBackground(now, hostname, certInfo);
if (err) {
cb(err);
return;
}
try {
certInfo.tlsContext = tls.createSecureContext({
key: certInfo.key // privkey.pem
, cert: certInfo.cert // fullchain.pem (cert.pem + '\n' + chain.pem)
});
} catch(e) {
console.warn("[Sanity Check Fail]: a weird object was passed back through le.fetch to lex.fetch");
cb(e);
return;
}
cb(null, certInfo.tlsContext);
});
}
return function sniCallback(hostname, cb) {
var now = Date.now();
var certInfo = ipc[hostname];
// TODO once ECDSA is available, wait for cert renewal if its due
if (!certInfo) {
fetch(hostname, cb);
return;
}
if (certInfo.context) {
cb(null, certInfo.context);
if ((now - certInfo.loadedAt) < (certInfo.memorizeFor)) {
// these aren't stale, so don't fall through
return;
}
}
else if ((now - certInfo.loadedAt) < memos.failedWait) {
// this was just fetched and failed, wait a few minutes
cb(null, null);
return;
}
fetch({ domains: [hostname] }, cb);
};
};

View File

@ -2,6 +2,7 @@
var path = require('path');
var challengeStore = require('./lib/challange-handlers');
var createSniCallback = require('./lib/sni-callback').create;
var LE = require('letsencrypt');
function LEX(obj, app) {
@ -105,6 +106,7 @@ function LEX(obj, app) {
httpsOptions.SNICallback = obj.sniCallback;
}
else if (sniCallback) {
obj._sniCallback = createSniCallback(obj);
httpsOptions.SNICallback = function (domain, cb) {
sniCallback(domain, function (err, context) {
if (context) {
@ -112,12 +114,12 @@ function LEX(obj, app) {
return;
}
obj.letsencrypt.sniCallback(domain, cb);
obj._sniCallback(domain, cb);
});
};
}
else {
httpsOptions.SNICallback = obj.letsencrypt.sniCallback;
httpsOptions.SNICallback = createSniCallback(obj);
}
function listen(plainPorts, tlsPorts, onListening) {
@ -190,6 +192,7 @@ function LEX(obj, app) {
}
module.exports = LEX;
LEX.create = LEX;
LEX.setChallenge = challengeStore.set;
LEX.getChallenge = challengeStore.get;