approveDomains equivalent in version 4 #35

Open
opened 2020-03-19 10:03:41 +00:00 by Ghost · 8 comments

Hi,

I'm looking for an equivalent to the approveDomains hook function that was available in version 2, in the latest version.

I'll be needing to dynamically approve or decline the creation of certificates at runtime. How would I do this with the current version?

I see there is an API for adding domains, but I'm unclear how that would work at runtime. Perhaps if I can see an example of an equivalent setup to the approveDomains hook function using this?

My use case is almost identical to this walkthrough, which recommends the old approveDomains hook: https://blog.checklyhq.com/setting-up-ssl-with-letsencrypt-for-saas-customers/

Thanks very much!

Owner

See https://git.rootprojects.org/root/greenlock-express.js#user-content-easy-to-customize

Specifically https://git.rootprojects.org/root/greenlock-manager-test.js

You need to create a file that exposes a get and set function with the desired behavior for connecting to a database, etc.

If all you do is run this:

```
npm install --save-dev greenlock-manager-test
npx greenlock-manager-init
```

Then you get a minimal set of callbacks that pass the tests (as well as a test file node manager.test.js). Modify them as desired to work with your database.

If you don't want to get that fancy, then just use the default file plugin.

Anonymous domain registration is no longer supported because it leads to security vulnerabilities.

Author

Hi,

Thanks for your response.

Using the default file plugin, is it possible to use the JS API to add domains into greenlock.d at the time of request?

E.g. Request comes in -> Application JS determines whether domain is a valid customer -> if valid, add to greenlock.d using JS API and thus issue cert?

Or would a custom manager be required for this behaviour?

Thanks.

Author

It would be nice to have Anonymous domain registration because in my use case I am just redirecting the root domains to www. It's a pain to put thousands of domains into a json file for this use case.

Owner

@jlaird + @whiskeywizard: just create a manager file and replace the dummy get function with one that checks to see if the domain is allowed. The 2 or 3 callbacks you define for the manager are what fulfill the API.

https://git.rootprojects.org/root/greenlock-manager-test.js

Author

Is this answer still valid? I am trying to write a custom manager that approves domains based on what we have in our database, but greenlock-express on startup calls the find method and expects an exhaustive list. get doesn't seem to be used at all. If find doesn't return anything on startup, no new certs can be issued:

```
ubuntu@ip-10-0-0-185:~/server$ sudo node dist/greenlock.js -- --staging

[staging] ACME Staging Directory URL: https://acme-staging-v02.api.letsencrypt.org/directory
FAKE CERTIFICATES (for testing) only

Find called
With opts {}
Listening on 0.0.0.0:80 for ACME challenges, and redirecting to HTTPS
Listening on 0.0.0.0:443 for secure traffic
Warning: `find({})` returned 0 sites.
         Does `./dist/greenlock/manager.js` implement `find({})`?
         Did you add sites?
         npx greenlock add --subject example.com --altnames example.com
```

Is the way forward to have find return a set of all existing certs + valid domains without a cert? Or is there some config I am missing? .greenlockrc looks like this:

```
{"manager":{"module":"./dist/greenlock/manager.js"},"configDir":"./greenlock.d"}
```

The manager is the default implementation taken from https://git.rootprojects.org/root/greenlock-manager-test.js

with get returning a hard coded list of sites as described here
https://git.rootprojects.org/root/greenlock.js/src/branch/master/MIGRATION_GUIDE.md#user-content-customer-manager-the-lazy-way

Author

I'm also having a really hard time figuring out the migration path from using approveDomains in v2 to the latest v4 version.

The most useful part of approveDomains was that you could dynamically check if a domain was valid and allow greenlock to handle the rest of the provisioning.

It looks like if you want to dynamically check domains in v4, at a minimum, you also have to implement storing the renewAt and deletedAt values as well as returning all possible domains through find(). Is that correct?

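Added example, not code from the thread, from Greenlock or from greenlock-manager-test.js: a minimal manager module in the shape the thread describes (get/set/find callbacks; site records carrying subject, altnames, renewAt and deletedAt; startup's find({}) returning every site), with an in-memory stand-in for the customer database. The option names Greenlock passes to find() and get() are assumptions to be checked against the greenlock-manager-test.js suite.

```javascript
// Added example (not code from the thread or the Greenlock project): a minimal
// v4-style manager written from the thread's description (get/set/find;
// sites carry subject, altnames, renewAt, deletedAt; startup's find({}) must
// return every site). Option names passed to find()/get() are assumed.
// Constructed stand-in for the customer database: approved apex domains.
const approvedCustomers = new Set(['alice.example', 'bob.example']);
// Constructed stand-in for persisted site records (what set() writes).
const siteStore = new Map();

function normalize(name) {
  return String(name || '').trim().toLowerCase().replace(/\.$/, '');
}

// The approveDomains-style decision: an approved customer's apex or its
// www. label is allowed; wildcards, junk and unknown hosts are denied.
function isApproved(servername) {
  const host = normalize(servername);
  if (!/^[a-z0-9.-]+$/.test(host)) return false;
  const apex = host.startsWith('www.') ? host.slice(4) : host;
  return approvedCustomers.has(apex);
}

function create() {
  const live = () => [...siteStore.values()].filter((s) => !s.deletedAt);
  return {
    // Startup calls find({}) and expects the exhaustive list (see thread).
    async find(opts = {}) {
      if (!Array.isArray(opts.servernames)) return live();
      const wanted = new Set(opts.servernames.map(normalize));
      return live().filter((s) => s.altnames.some((a) => wanted.has(a)));
    },
    // Per-request lookup; admits a not-yet-stored host only if approved.
    async get({ servername }) {
      const host = normalize(servername);
      const existing = live().find((s) => s.altnames.includes(host));
      if (existing) return existing;
      if (!isApproved(host)) return null;
      const site = { subject: host, altnames: [host] };
      siteStore.set(host, site);
      return site;
    },
    // Persists renewAt / deletedAt (and other fields) Greenlock hands back.
    async set(site) {
      const subject = normalize(site.subject);
      const prev = siteStore.get(subject) || { subject, altnames: [subject] };
      siteStore.set(subject, Object.assign({}, prev, site, { subject }));
      return null;
    },
  };
}
if (typeof module !== 'undefined') module.exports = { create, isApproved, normalize };
```

Records with a deletedAt value drop out of find(), so the startup list stays exhaustive without ever returning revoked sites.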
Author

Hi,

Been a while since I last attempted to get this working, and running into the same issue described by @valzam above.

@solderjs Any advice would be appreciated.

Thanks.

Author

@whiskeywizard I spent a while trying to solve this without success.

It doesn't look like manager.get is used at all. If you start with https://git.rootprojects.org/root/greenlock-manager.js/src/branch/master/manager.js and implement the manager.find() method, you can sort of replicate what approveDomains did.

However, it turns out there's another issue. The Greenlock core appears to cache rejected lookups for an hour. I couldn't find a way to override this. This becomes a real issue in this use-case: if you have someone trying to map across a domain and they (or a spider) try to access the domain after the CNAME, but before adding it to your system, then the domain will not load for at least another hour.

It doesn't look like mapping custom domains using a callback is a supported use-case for Greenlock at the moment.

I ended up switching over to Caddy (https://caddyserver.com/), which does support this and can be enabled with a much simpler config file. For reference, here's my Caddyfile which does the same thing you're looking for:

```
{
    # Used when creating an ACME account with your CA (default CA is Let's Encrypt production)
    email ssl@your-domain.com

    on_demand_tls {
        # Send an HTTP request to the URL below. Domain is added to query, so final URL will look like https://your-domain.com/approve-domain?domain={domain}
        # Docs: https://caddyserver.com/docs/json/apps/tls/automation/on_demand/
        ask https://your-domain.com/approve-domain

        # Every 30 min allow up to 100 certificates to be issued
        interval 30m
        burst 100
    }
}

# You only need to configure HTTPS, HTTP -> HTTPS is enabled by default
:443 {
    tls {
        # Certificates will be issued on demand, if not already present, using the on_demand_tls settings above
        on_demand
    }

    reverse_proxy {
        # Send a reverse proxy request to the URL below.
        # Docs: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy
        to https://mapping.your-domain.com

        # Change headers in request to your server
        header_up Host "mapping.your-domain.com"
        header_up X-Proxy-Host "{http.request.host}"
        header_up X-Proxy-IP "{http.request.remote.host}"
        header_up X-Forwarded-Proto "https"
    }
}
```

Reference: root/greenlock-express.js#35