266 lines
9.7 KiB
JavaScript
266 lines
9.7 KiB
JavaScript
"use strict";
|
|
|
|
var certificates = module.exports;
|
|
var store = certificates;
|
|
var U = require("./utils.js");
|
|
|
|
var fs = require("fs");
|
|
var path = require("path");
|
|
var PromiseA = require("./promise.js");
|
|
var sfs = require("safe-replace");
|
|
var readFileAsync = PromiseA.promisify(fs.readFile);
|
|
var writeFileAsync = PromiseA.promisify(fs.writeFile);
|
|
var mkdirpAsync = PromiseA.promisify(require("@root/mkdirp"));
|
|
|
|
// Certificates.check
|
|
//
|
|
// Use certificate.id, or subject, if id hasn't been set, to find a certificate.
|
|
// Return an object with string PEMs for cert and chain (or null, not undefined)
|
|
certificates.check = function(opts) {
|
|
// { directoryUrl, subject, certificate.id, ... }
|
|
var id = (opts.certificate && opts.certificate.id) || opts.subject;
|
|
//console.log('certificates.check for', opts);
|
|
|
|
// For advanced use cases:
|
|
// This just goes to show that any options set in approveDomains() will be available here
|
|
// (the same is true for all of the hooks in this file)
|
|
if (opts.exampleThrowError) {
|
|
return Promise.reject(new Error("You want an error? You got it!"));
|
|
}
|
|
if (opts.exampleReturnNull) {
|
|
return Promise.resolve(null);
|
|
}
|
|
if (opts.exampleReturnCerts) {
|
|
return Promise.resolve(opts.exampleReturnCerts);
|
|
}
|
|
|
|
return Promise.all([
|
|
readFileAsync(U._tameWild(privkeyPath(store, opts), id), "ascii"), // 0 // all other PEM types are just
|
|
readFileAsync(U._tameWild(certPath(store, opts), id), "ascii"), // 1 // some arrangement of these 3
|
|
readFileAsync(U._tameWild(chainPath(store, opts), id), "ascii") // 2 // (bundle, combined, fullchain, etc)
|
|
])
|
|
.then(function(all) {
|
|
////////////////////////
|
|
// PAY ATTENTION HERE //
|
|
////////////////////////
|
|
// This is all you have to return: cert, chain
|
|
return {
|
|
cert: all[1], // string PEM. the bare cert, half of the concatonated fullchain.pem you need
|
|
chain: all[2], // string PEM. the bare chain, the second half of the fullchain.pem
|
|
privkey: all[0] // string PEM. optional, allows checkKeypair to be skipped
|
|
|
|
// These can be useful to store in your database,
|
|
// but otherwise they're easy to derive from the cert.
|
|
// (when not available they'll be generated from cert-info)
|
|
//, subject: certinfo.subject // string domain name
|
|
//, altnames: certinfo.altnames // array of domain name strings
|
|
//, issuedAt: certinfo.issuedAt // number in ms (a.k.a. NotBefore)
|
|
//, expiresAt: certinfo.expiresAt // number in ms (a.k.a. NotAfter)
|
|
};
|
|
})
|
|
.catch(function(err) {
|
|
// Treat non-exceptional failures as null returns (not undefined)
|
|
if ("ENOENT" === err.code) {
|
|
return null;
|
|
}
|
|
throw err; // True exceptions should be thrown
|
|
});
|
|
};
|
|
|
|
// Certificates.checkKeypair
|
|
//
|
|
// Use certificate.kid, certificate.id, or subject to find a certificate keypair
|
|
// Return an object with string privateKeyPem and/or object privateKeyJwk (or null, not undefined)
|
|
certificates.checkKeypair = function(opts) {
|
|
//console.log('certificates.checkKeypair:', opts);
|
|
|
|
return readFileAsync(
|
|
U._tameWild(privkeyPath(store, opts), opts.subject),
|
|
"ascii"
|
|
)
|
|
.then(function(key) {
|
|
////////////////////////
|
|
// PAY ATTENTION HERE //
|
|
////////////////////////
|
|
return {
|
|
privateKeyPem: key // In this case we only saved privateKeyPem, so we only return it
|
|
//privateKeyJwk: null // (but it's fine, just different encodings of the same thing)
|
|
};
|
|
})
|
|
.catch(function(err) {
|
|
if ("ENOENT" === err.code) {
|
|
return null;
|
|
}
|
|
throw err;
|
|
});
|
|
};
|
|
|
|
// Certificates.setKeypair({ certificate, subject, keypair, ... }):
|
|
//
|
|
// Use certificate.kid (or certificate.id or subject if no kid is present) to find a certificate keypair
|
|
// Return null (not undefined) on success, or throw on error
|
|
certificates.setKeypair = function(opts) {
|
|
var keypair = opts.keypair || keypair;
|
|
|
|
// Ignore.
|
|
// Just specific implementation details.
|
|
return mkdirpAsync(
|
|
U._tameWild(path.dirname(privkeyPath(store, opts)), opts.subject)
|
|
).then(function() {
|
|
// keypair is normally an opaque object, but here it's a PEM for the FS (for things like Apache and Nginx)
|
|
return writeFileAsync(
|
|
U._tameWild(privkeyPath(store, opts), opts.subject),
|
|
keypair.privateKeyPem,
|
|
"ascii"
|
|
).then(function() {
|
|
return null;
|
|
});
|
|
});
|
|
};
|
|
|
|
// Certificates.set({ subject, pems, ... }):
|
|
//
|
|
// Use certificate.id (or subject if no ki is present) to save a certificate
|
|
// Return null (not undefined) on success, or throw on error
|
|
certificates.set = function(opts) {
|
|
//console.log('certificates.set:', opts);
|
|
var pems = {
|
|
cert: opts.pems.cert, // string PEM the first half of the concatonated fullchain.pem cert
|
|
chain: opts.pems.chain, // string PEM the second half (yes, you need this too)
|
|
privkey: opts.pems.privkey // Ignore. string PEM, useful if you have to create bundle.pem
|
|
};
|
|
|
|
// Ignore
|
|
// Just implementation specific details (writing lots of combinatons of files)
|
|
return mkdirpAsync(path.dirname(certPath(store, opts)))
|
|
.then(function() {
|
|
return mkdirpAsync(
|
|
path.dirname(U._tameWild(chainPath(store, opts), opts.subject))
|
|
).then(function() {
|
|
return mkdirpAsync(
|
|
path.dirname(
|
|
U._tameWild(fullchainPath(store, opts), opts.subject)
|
|
)
|
|
).then(function() {
|
|
return mkdirpAsync(
|
|
path.dirname(
|
|
U._tameWild(bundlePath(store, opts), opts.subject)
|
|
)
|
|
).then(function() {
|
|
var fullchainPem = [
|
|
pems.cert.trim() + "\n",
|
|
pems.chain.trim() + "\n"
|
|
].join("\n"); // for Apache, Nginx, etc
|
|
var bundlePem = [
|
|
pems.privkey,
|
|
pems.cert,
|
|
pems.chain
|
|
].join("\n"); // for HAProxy
|
|
return PromiseA.all([
|
|
sfs.writeFileAsync(
|
|
U._tameWild(
|
|
certPath(store, opts),
|
|
opts.subject
|
|
),
|
|
pems.cert,
|
|
"ascii"
|
|
),
|
|
sfs.writeFileAsync(
|
|
U._tameWild(
|
|
chainPath(store, opts),
|
|
opts.subject
|
|
),
|
|
pems.chain,
|
|
"ascii"
|
|
),
|
|
// Most web servers need these two
|
|
sfs.writeFileAsync(
|
|
U._tameWild(
|
|
fullchainPath(store, opts),
|
|
opts.subject
|
|
),
|
|
fullchainPem,
|
|
"ascii"
|
|
),
|
|
// HAProxy needs "bundle.pem" aka "combined.pem"
|
|
sfs.writeFileAsync(
|
|
U._tameWild(
|
|
bundlePath(store, opts),
|
|
opts.subject
|
|
),
|
|
bundlePem,
|
|
"ascii"
|
|
)
|
|
]);
|
|
});
|
|
});
|
|
});
|
|
})
|
|
.then(function() {
|
|
// That's your job: return null
|
|
return null;
|
|
});
|
|
};
|
|
|
|
function liveDir(store, opts) {
|
|
return opts.liveDir || path.join(opts.configDir, "live", opts.subject);
|
|
}
|
|
|
|
function privkeyPath(store, opts) {
|
|
var dir = U._tpl(
|
|
store,
|
|
opts,
|
|
opts.serverKeyPath ||
|
|
opts.privkeyPath ||
|
|
opts.domainKeyPath ||
|
|
store.options.serverKeyPath ||
|
|
store.options.privkeyPath ||
|
|
store.options.domainKeyPath ||
|
|
path.join(liveDir(), "privkey.pem")
|
|
);
|
|
return U._tameWild(dir, opts.subject || "");
|
|
}
|
|
|
|
function certPath(store, opts) {
|
|
var pathname =
|
|
opts.certPath ||
|
|
store.options.certPath ||
|
|
path.join(liveDir(), "cert.pem");
|
|
|
|
var dir = U._tpl(store, opts, pathname);
|
|
return U._tameWild(dir, opts.subject || "");
|
|
}
|
|
|
|
function fullchainPath(store, opts) {
|
|
var dir = U._tpl(
|
|
store,
|
|
opts,
|
|
opts.fullchainPath ||
|
|
store.options.fullchainPath ||
|
|
path.join(liveDir(), "fullchain.pem")
|
|
);
|
|
return U._tameWild(dir, opts.subject || "");
|
|
}
|
|
|
|
function chainPath(store, opts) {
|
|
var dir = U._tpl(
|
|
store,
|
|
opts,
|
|
opts.chainPath ||
|
|
store.options.chainPath ||
|
|
path.join(liveDir(), "chain.pem")
|
|
);
|
|
return U._tameWild(dir, opts.subject || "");
|
|
}
|
|
|
|
function bundlePath(store, opts) {
|
|
var dir = U._tpl(
|
|
store,
|
|
opts,
|
|
opts.bundlePath ||
|
|
store.options.bundlePath ||
|
|
path.join(liveDir(), "bundle.pem")
|
|
);
|
|
return U._tameWild(dir, opts.subject || "");
|
|
}
|