2015-12-11 14:22:46 +00:00
'use strict' ;
2016-08-16 00:50:55 +00:00
var DAY = 24 * 60 * 60 * 1000 ;
//var MIN = 60 * 1000;
2018-04-16 01:28:05 +00:00
var ACME = require ( 'acme-v2/compat' ) . ACME ;
2018-11-05 18:18:06 +00:00
var pkg = require ( './package.json' ) ;
2018-06-29 08:51:35 +00:00
var PromiseA ;
try {
PromiseA = require ( 'bluebird' ) ;
} catch ( e ) {
PromiseA = global . Promise ;
}
2018-07-04 08:13:11 +00:00
var util = require ( 'util' ) ;
function promisifyAllSelf ( obj ) {
if ( obj . _ _promisified ) { return obj ; }
Object . keys ( obj ) . forEach ( function ( key ) {
if ( 'function' === typeof obj [ key ] ) {
obj [ key + 'Async' ] = util . promisify ( obj [ key ] ) ;
}
} ) ;
obj . _ _promisified = true ;
return obj ;
}
2015-12-12 15:05:45 +00:00
2018-05-15 22:01:09 +00:00
var Greenlock = module . exports ;
Greenlock . Greenlock = Greenlock ;
Greenlock . LE = Greenlock ;
2016-08-05 22:50:42 +00:00
// in-process cache, shared between all instances
var ipc = { } ;
2016-08-04 22:49:35 +00:00
2016-08-25 20:09:23 +00:00
function _log ( debug ) {
if ( debug ) {
var args = Array . prototype . slice . call ( arguments ) ;
args . shift ( ) ;
2018-05-15 22:01:09 +00:00
args . unshift ( "[gl/index.js]" ) ;
2016-08-25 20:09:23 +00:00
console . log . apply ( console , args ) ;
}
}
2018-05-15 22:01:09 +00:00
Greenlock . defaults = {
2018-05-15 21:42:04 +00:00
productionServerUrl : 'https://acme-v01.api.letsencrypt.org/directory'
, stagingServerUrl : 'https://acme-staging.api.letsencrypt.org/directory'
2016-08-04 22:49:35 +00:00
2016-08-08 19:17:09 +00:00
, rsaKeySize : ACME . rsaKeySize || 2048
, challengeType : ACME . challengeType || 'http-01'
2018-04-16 01:28:05 +00:00
, challengeTypes : ACME . challengeTypes || [ 'http-01' , 'dns-01' ]
2016-08-05 22:21:10 +00:00
2016-08-08 19:17:09 +00:00
, acmeChallengePrefix : ACME . acmeChallengePrefix
2016-02-13 02:33:50 +00:00
} ;
2015-12-20 10:41:17 +00:00
2015-12-16 09:11:31 +00:00
// backwards compat
2018-05-15 22:01:09 +00:00
Object . keys ( Greenlock . defaults ) . forEach ( function ( key ) {
Greenlock [ key ] = Greenlock . defaults [ key ] ;
2016-08-04 22:49:35 +00:00
} ) ;
2015-12-13 01:04:12 +00:00
2016-08-05 22:21:10 +00:00
// show all possible options
2016-08-05 22:16:29 +00:00
var u ; // undefined
2018-05-15 22:01:09 +00:00
Greenlock . _undefined = {
2016-08-08 15:21:33 +00:00
acme : u
, store : u
2016-08-09 18:05:47 +00:00
, challenge : u
2016-08-15 21:33:26 +00:00
, challenges : u
, sni : u
2017-04-10 20:41:54 +00:00
, tlsOptions : u
2016-08-08 23:14:53 +00:00
2016-08-05 22:16:29 +00:00
, register : u
, check : u
2016-08-08 23:14:53 +00:00
2016-08-16 00:50:55 +00:00
, renewWithin : u // le-auto-sni and core
//, renewBy: u // le-auto-sni
2016-08-05 22:16:29 +00:00
, acmeChallengePrefix : u
2016-08-05 22:21:10 +00:00
, rsaKeySize : u
, challengeType : u
, server : u
2018-04-16 01:28:05 +00:00
, version : u
2016-08-06 05:33:19 +00:00
, agreeToTerms : u
2016-08-05 22:50:42 +00:00
, _ipc : u
2016-08-09 18:05:47 +00:00
, duplicate : u
, _acmeUrls : u
2016-08-05 22:16:29 +00:00
} ;
2018-05-15 22:01:09 +00:00
Greenlock . _undefine = function ( gl ) {
Object . keys ( Greenlock . _undefined ) . forEach ( function ( key ) {
if ( ! ( key in gl ) ) {
gl [ key ] = u ;
2016-08-05 22:16:29 +00:00
}
} ) ;
2018-05-15 22:01:09 +00:00
return gl ;
2016-08-05 22:16:29 +00:00
} ;
2018-05-15 22:01:09 +00:00
Greenlock . create = function ( gl ) {
2018-06-15 02:11:56 +00:00
gl . store = gl . store || require ( 'le-store-certbot' ) . create ( {
debug : gl . debug
, configDir : gl . configDir
, logsDir : gl . logsDir
, webrootPath : gl . webrootPath
} ) ;
2018-05-15 22:01:09 +00:00
gl . core = require ( './lib/core' ) ;
var log = gl . log || _log ;
2016-08-05 22:16:29 +00:00
2018-05-15 22:01:09 +00:00
if ( ! gl . challenges ) {
gl . challenges = { } ;
2016-08-15 21:33:26 +00:00
}
2018-05-15 22:01:09 +00:00
if ( ! gl . challenges [ 'http-01' ] ) {
2018-06-15 02:11:56 +00:00
gl . challenges [ 'http-01' ] = require ( 'le-challenge-fs' ) . create ( {
debug : gl . debug
, webrootPath : gl . webrootPath
} ) ;
2016-08-15 21:33:26 +00:00
}
2018-05-15 22:01:09 +00:00
if ( ! gl . challenges [ 'dns-01' ] ) {
2016-08-15 21:33:26 +00:00
try {
2018-05-15 22:01:09 +00:00
gl . challenges [ 'dns-01' ] = require ( 'le-challenge-ddns' ) . create ( { debug : gl . debug } ) ;
2016-08-15 21:33:26 +00:00
} catch ( e ) {
try {
2018-05-15 22:01:09 +00:00
gl . challenges [ 'dns-01' ] = require ( 'le-challenge-dns' ) . create ( { debug : gl . debug } ) ;
2016-08-15 21:33:26 +00:00
} catch ( e ) {
// not yet implemented
}
}
}
2018-05-15 22:01:09 +00:00
gl = Greenlock . _undefine ( gl ) ;
gl . acmeChallengePrefix = Greenlock . acmeChallengePrefix ;
gl . rsaKeySize = gl . rsaKeySize || Greenlock . rsaKeySize ;
gl . challengeType = gl . challengeType || Greenlock . challengeType ;
gl . _ipc = ipc ;
gl . _communityPackage = gl . _communityPackage || 'greenlock.js' ;
2018-11-05 18:10:22 +00:00
if ( 'greenlock.js' === gl . _communityPackage ) {
2018-11-05 18:18:06 +00:00
gl . _communityPackageVersion = pkg . version ;
2018-11-05 18:10:22 +00:00
} else {
2018-11-05 18:18:06 +00:00
gl . _communityPackageVersion = gl . _communityPackageVersion || ( 'greenlock.js-' + pkg . version ) ;
2018-11-05 18:10:22 +00:00
}
2018-05-15 22:01:09 +00:00
gl . agreeToTerms = gl . agreeToTerms || function ( args , agreeCb ) {
agreeCb ( new Error ( "'agreeToTerms' was not supplied to Greenlock and 'agreeTos' was not supplied to Greenlock.register" ) ) ;
2016-08-08 23:14:53 +00:00
} ;
2016-08-05 22:16:29 +00:00
2018-05-15 22:01:09 +00:00
if ( ! gl . renewWithin ) { gl . renewWithin = 14 * DAY ; }
2016-08-16 00:50:55 +00:00
// renewBy has a default in le-sni-auto
2016-08-05 22:16:29 +00:00
2018-05-15 21:42:04 +00:00
///////////////////////////
// BEGIN VERSION MADNESS //
///////////////////////////
2018-12-22 14:35:54 +00:00
gl . version = gl . version || 'draft-11' ;
gl . server = gl . server || 'https://acme-v02.api.letsencrypt.org/directory' ;
2018-05-15 22:01:09 +00:00
if ( ! gl . version ) {
2018-07-07 21:36:35 +00:00
//console.warn("Please specify version: 'v01' (Let's Encrypt v1) or 'draft-12' (Let's Encrypt v2 / ACME draft 12)");
2018-05-15 21:42:04 +00:00
console . warn ( "" ) ;
console . warn ( "" ) ;
console . warn ( "" ) ;
2018-05-21 19:47:54 +00:00
console . warn ( "==========================================================" ) ;
console . warn ( "== greenlock.js (v2.2.0+) ==" ) ;
console . warn ( "==========================================================" ) ;
2018-05-15 21:42:04 +00:00
console . warn ( "" ) ;
console . warn ( "Please specify 'version' option:" ) ;
console . warn ( "" ) ;
2018-07-07 21:36:35 +00:00
console . warn ( " 'draft-12' for Let's Encrypt v2 and ACME draft 12" ) ;
console . warn ( " ('v02' is an alias of 'draft-12'" ) ;
2018-05-15 21:42:04 +00:00
console . warn ( "" ) ;
console . warn ( "or" ) ;
console . warn ( "" ) ;
console . warn ( " 'v01' for Let's Encrypt v1 (deprecated)" ) ;
2018-05-21 19:57:58 +00:00
console . warn ( " (also 'npm install --save le-acme-core' as this legacy dependency will soon be removed)" ) ;
2018-05-15 21:42:04 +00:00
console . warn ( "" ) ;
2018-05-21 19:47:54 +00:00
console . warn ( "This will be required in versions v2.3+" ) ;
2018-05-15 21:42:04 +00:00
console . warn ( "" ) ;
console . warn ( "" ) ;
2018-05-15 22:01:09 +00:00
} else if ( 'v02' === gl . version ) {
gl . version = 'draft-11' ;
2018-07-07 21:36:35 +00:00
} else if ( 'draft-12' === gl . version ) {
gl . version = 'draft-11' ;
} else if ( 'draft-11' === gl . version ) {
// no-op
} else if ( 'v01' !== gl . version ) {
2018-05-15 22:01:09 +00:00
throw new Error ( "Unrecognized version '" + gl . version + "'" ) ;
2018-05-15 21:42:04 +00:00
}
2018-05-15 22:01:09 +00:00
if ( ! gl . server ) {
2018-05-15 21:42:04 +00:00
throw new Error ( "opts.server must specify an ACME directory URL, such as 'https://acme-staging-v02.api.letsencrypt.org/directory'" ) ;
2016-08-05 22:16:29 +00:00
}
2018-05-21 19:47:54 +00:00
if ( 'staging' === gl . server || 'production' === gl . server ) {
if ( 'staging' === gl . server ) {
gl . server = 'https://acme-staging.api.letsencrypt.org/directory' ;
gl . version = 'v01' ;
gl . _deprecatedServerName = 'staging' ;
}
else if ( 'production' === gl . server ) {
gl . server = 'https://acme-v01.api.letsencrypt.org/directory' ;
gl . version = 'v01' ;
gl . _deprecatedServerName = 'production' ;
}
2018-05-15 21:42:04 +00:00
console . warn ( "" ) ;
console . warn ( "" ) ;
console . warn ( "=== WARNING ===" ) ;
console . warn ( "" ) ;
2018-05-21 19:47:54 +00:00
console . warn ( "Due to versioning issues the '" + gl . _deprecatedServerName + "' option is deprecated." ) ;
console . warn ( "Please specify the full url and version." ) ;
2018-05-15 21:42:04 +00:00
console . warn ( "" ) ;
2018-05-21 19:47:54 +00:00
console . warn ( "For APIs add:" ) ;
console . warn ( "\t, \"version\": \"" + gl . version + "\"" ) ;
console . warn ( "\t, \"server\": \"" + gl . server + "\"" ) ;
2018-05-15 21:42:04 +00:00
console . warn ( "" ) ;
2018-05-21 19:47:54 +00:00
console . warn ( "For the CLI add:" ) ;
2018-05-15 22:01:09 +00:00
console . warn ( "\t--acme-url '" + gl . server + "' \\" ) ;
console . warn ( "\t--acme-version '" + gl . version + "' \\" ) ;
2018-05-15 21:42:04 +00:00
console . warn ( "" ) ;
console . warn ( "" ) ;
2015-12-13 05:03:48 +00:00
}
2015-12-17 08:46:40 +00:00
2018-05-15 21:42:04 +00:00
function loadLeV01 ( ) {
console . warn ( "" ) ;
console . warn ( "=== WARNING ===" ) ;
console . warn ( "" ) ;
2018-05-21 19:47:54 +00:00
console . warn ( "Let's Encrypt v1 is deprecated." ) ;
2018-07-07 21:36:35 +00:00
console . warn ( "Please update to Let's Encrypt v2 (ACME draft 12)" ) ;
2018-05-15 21:42:04 +00:00
console . warn ( "" ) ;
try {
return require ( 'le-acme-core' ) . ACME ;
} catch ( e ) {
2018-05-21 19:47:54 +00:00
console . error ( "" ) ;
console . error ( "=== Error (easy-to-fix) ===" ) ;
console . error ( "" ) ;
console . error ( "Hey, this isn't a big deal, but you need to manually add v1 support:" ) ;
console . error ( "" ) ;
console . error ( " npm install --save le-acme-core" ) ;
console . error ( "" ) ;
console . error ( "Just run that real quick, restart, and everything will work great." ) ;
console . error ( "" ) ;
console . error ( "" ) ;
2018-05-15 21:42:04 +00:00
process . exit ( e . code || 13 ) ;
}
2018-04-16 01:28:05 +00:00
}
2018-05-15 21:42:04 +00:00
if ( - 1 !== [
'https://acme-v02.api.letsencrypt.org/directory'
2018-05-15 22:01:09 +00:00
, 'https://acme-staging-v02.api.letsencrypt.org/directory' ] . indexOf ( gl . server )
2018-05-15 21:42:04 +00:00
) {
2018-05-15 22:01:09 +00:00
if ( 'draft-11' !== gl . version ) {
2018-07-07 21:36:35 +00:00
console . warn ( "Detected Let's Encrypt v02 URL. Changing version to draft-12." ) ;
2018-05-15 22:01:09 +00:00
gl . version = 'draft-11' ;
2018-05-15 21:42:04 +00:00
}
} else if ( - 1 !== [
'https://acme-v01.api.letsencrypt.org/directory'
2018-05-15 22:01:09 +00:00
, 'https://acme-staging.api.letsencrypt.org/directory' ] . indexOf ( gl . server )
|| 'v01' === gl . version
2018-05-15 21:42:04 +00:00
) {
2018-05-15 22:01:09 +00:00
if ( 'v01' !== gl . version ) {
2018-05-15 21:42:04 +00:00
console . warn ( "Detected Let's Encrypt v01 URL (deprecated). Changing version to v01." ) ;
2018-05-15 22:01:09 +00:00
gl . version = 'v01' ;
2018-04-16 01:28:05 +00:00
}
}
2018-05-15 22:01:09 +00:00
if ( 'v01' === gl . version ) {
2018-05-15 21:42:04 +00:00
ACME = loadLeV01 ( ) ;
}
/////////////////////////
// END VERSION MADNESS //
/////////////////////////
2018-04-16 01:28:05 +00:00
2018-05-15 22:01:09 +00:00
gl . acme = gl . acme || ACME . create ( { debug : gl . debug } ) ;
if ( gl . acme . create ) {
gl . acme = gl . acme . create ( gl ) ;
2016-08-08 15:21:33 +00:00
}
2018-07-04 08:13:11 +00:00
gl . acme = promisifyAllSelf ( gl . acme ) ;
2018-05-15 22:01:09 +00:00
gl . _acmeOpts = gl . acme . getOptions ( ) ;
Object . keys ( gl . _acmeOpts ) . forEach ( function ( key ) {
if ( ! ( key in gl ) ) {
gl [ key ] = gl . _acmeOpts [ key ] ;
2016-08-08 15:21:33 +00:00
}
} ) ;
2018-05-15 22:01:09 +00:00
if ( gl . store . create ) {
gl . store = gl . store . create ( gl ) ;
2015-12-15 15:40:44 +00:00
}
2018-07-04 08:13:11 +00:00
gl . store = promisifyAllSelf ( gl . store ) ;
gl . store . accounts = promisifyAllSelf ( gl . store . accounts ) ;
gl . store . certificates = promisifyAllSelf ( gl . store . certificates ) ;
2018-05-15 22:01:09 +00:00
gl . _storeOpts = gl . store . getOptions ( ) ;
Object . keys ( gl . _storeOpts ) . forEach ( function ( key ) {
if ( ! ( key in gl ) ) {
gl [ key ] = gl . _storeOpts [ key ] ;
2015-12-12 14:20:12 +00:00
}
2016-08-05 22:16:29 +00:00
} ) ;
2016-09-21 23:30:47 +00:00
//
// Backwards compat for <= v2.1.7
//
2018-05-15 22:01:09 +00:00
if ( gl . challenge ) {
console . warn ( "Deprecated use of gl.challenge. Use gl.challenges['" + Greenlock . challengeType + "'] instead." ) ;
gl . challenges [ gl . challengeType ] = gl . challenge ;
2016-09-21 23:30:47 +00:00
}
2018-05-15 22:01:09 +00:00
Greenlock . challengeTypes . forEach ( function ( challengeType ) {
var challenger = gl . challenges [ challengeType ] ;
2016-09-21 23:30:47 +00:00
if ( ! challenger ) {
2016-08-16 16:35:18 +00:00
return ;
}
2016-09-21 23:30:47 +00:00
if ( challenger . create ) {
2018-05-15 22:01:09 +00:00
challenger = gl . challenges [ challengeType ] = challenger . create ( gl ) ;
2015-12-20 10:41:17 +00:00
}
2018-07-04 08:13:11 +00:00
if ( ! challenger . getOptionsAsync ) {
challenger = gl . challenges [ challengeType ] = promisifyAllSelf ( challenger ) ;
}
2018-05-15 22:01:09 +00:00
gl [ '_challengeOpts_' + challengeType ] = challenger . getOptions ( ) ;
Object . keys ( gl [ '_challengeOpts_' + challengeType ] ) . forEach ( function ( key ) {
if ( ! ( key in gl ) ) {
gl [ key ] = gl [ '_challengeOpts_' + challengeType ] [ key ] ;
2016-08-15 21:33:26 +00:00
}
} ) ;
2016-08-12 21:24:28 +00:00
2016-09-21 23:30:47 +00:00
// TODO wrap these here and now with tplCopy?
if ( ! challenger . set || 5 !== challenger . set . length ) {
2018-05-15 22:01:09 +00:00
throw new Error ( "gl.challenges[" + challengeType + "].set receives the wrong number of arguments."
2016-09-21 23:30:47 +00:00
+ " You must define setChallenge as function (opts, domain, token, keyAuthorization, cb) { }" ) ;
2016-08-15 21:33:26 +00:00
}
2016-09-21 23:30:47 +00:00
if ( challenger . get && 4 !== challenger . get . length ) {
2018-05-15 22:01:09 +00:00
throw new Error ( "gl.challenges[" + challengeType + "].get receives the wrong number of arguments."
2016-09-21 23:30:47 +00:00
+ " You must define getChallenge as function (opts, domain, token, cb) { }" ) ;
}
if ( ! challenger . remove || 4 !== challenger . remove . length ) {
2018-05-15 22:01:09 +00:00
throw new Error ( "gl.challenges[" + challengeType + "].remove receives the wrong number of arguments."
2016-09-21 23:30:47 +00:00
+ " You must define removeChallenge as function (opts, domain, token, cb) { }" ) ;
}
2016-10-12 23:25:05 +00:00
2018-04-16 01:28:05 +00:00
/ *
2018-05-15 22:01:09 +00:00
if ( ! gl . _challengeWarn && ( ! challenger . loopback || 4 !== challenger . loopback . length ) ) {
gl . _challengeWarn = true ;
console . warn ( "gl.challenges[" + challengeType + "].loopback should be defined as function (opts, domain, token, cb) { ... } and should prove (by external means) that the ACME server challenge '" + challengeType + "' will succeed" ) ;
2016-10-12 23:25:05 +00:00
}
2018-05-15 22:01:09 +00:00
else if ( ! gl . _challengeWarn && ( ! challenger . test || 5 !== challenger . test . length ) ) {
gl . _challengeWarn = true ;
console . warn ( "gl.challenges[" + challengeType + "].test should be defined as function (opts, domain, token, keyAuthorization, cb) { ... } and should prove (by external means) that the ACME server challenge '" + challengeType + "' will succeed" ) ;
2016-09-21 23:30:47 +00:00
}
2018-04-16 01:28:05 +00:00
* /
2016-09-21 23:30:47 +00:00
} ) ;
2016-08-15 21:33:26 +00:00
2018-05-15 22:01:09 +00:00
gl . sni = gl . sni || null ;
gl . tlsOptions = gl . tlsOptions || gl . httpsOptions || { } ;
2018-11-05 06:33:36 +00:00
// Workaround for https://github.com/nodejs/node/issues/22389
gl . _updateServernames = function ( cert ) {
if ( ! gl . _certnames ) { gl . _certnames = { } ; }
// Note: Any given domain could exist on multiple certs
// (especially during renewal where some may be added)
// hence we use a separate object for each domain and list each domain on it
// to get the minimal full set associated with each cert and domain
var allDomains = [ cert . subject ] . concat ( cert . altnames . slice ( 0 ) ) ;
allDomains . forEach ( function ( name ) {
name = name . toLowerCase ( ) ;
if ( ! gl . _certnames [ name ] ) {
gl . _certnames [ name ] = { } ;
}
allDomains . forEach ( function ( name2 ) {
name2 = name2 . toLowerCase ( ) ;
gl . _certnames [ name ] [ name2 ] = true ;
} ) ;
} ) ;
} ;
gl . _checkServername = function ( safeHost , servername ) {
// odd, but acceptable
if ( ! safeHost || ! servername ) { return true ; }
if ( safeHost === servername ) { return true ; }
// connection established with servername and session is re-used for allowed name
if ( gl . _certnames [ servername ] && gl . _certnames [ servername ] [ safeHost ] ) {
return true ;
}
return false ;
} ;
2018-05-15 22:01:09 +00:00
if ( ! gl . tlsOptions . SNICallback ) {
if ( ! gl . getCertificatesAsync && ! gl . getCertificates ) {
if ( Array . isArray ( gl . approveDomains ) ) {
gl . approvedDomains = gl . approveDomains ;
gl . approveDomains = null ;
2016-08-17 15:19:52 +00:00
}
2018-05-15 22:01:09 +00:00
if ( ! gl . approveDomains ) {
gl . approveDomains = function ( lexOpts , certs , cb ) {
2018-05-18 00:51:44 +00:00
var err ;
var emsg ;
2018-05-15 22:01:09 +00:00
if ( ! gl . email ) {
2017-04-18 21:42:47 +00:00
throw new Error ( "le-sni-auto is not properly configured. Missing email" ) ;
}
2018-05-15 22:01:09 +00:00
if ( ! gl . agreeTos ) {
2017-04-18 21:42:47 +00:00
throw new Error ( "le-sni-auto is not properly configured. Missing agreeTos" ) ;
}
2018-12-22 14:35:54 +00:00
if ( ! /[a-z]/i . test ( lexOpts . domain ) ) {
cb ( new Error ( "le-sni-auto does not allow IP addresses in SNI" ) ) ;
return ;
2016-08-16 19:03:15 +00:00
}
2018-12-22 14:35:54 +00:00
if ( ! Array . isArray ( gl . approvedDomains ) ) {
// The acme-v2 package uses pre-flight test challenges to
// verify that each requested domain is hosted by the server
// these checks are sufficient for most use cases
return cb ( null , { options : lexOpts , certs : certs } ) ;
}
2016-08-16 00:42:11 +00:00
if ( lexOpts . domains . every ( function ( domain ) {
2018-05-15 22:01:09 +00:00
return - 1 !== gl . approvedDomains . indexOf ( domain ) ;
2016-08-16 00:42:11 +00:00
} ) ) {
2018-12-22 09:20:46 +00:00
// commented this out because people expect to be able to edit the list of domains
// lexOpts.domains = gl.approvedDomains.slice(0);
2018-05-15 22:01:09 +00:00
lexOpts . email = gl . email ;
lexOpts . agreeTos = gl . agreeTos ;
2018-11-05 18:25:05 +00:00
lexOpts . communityMember = gl . communityMember ;
lexOpts . telemetry = gl . telemetry ;
2016-08-16 16:35:18 +00:00
return cb ( null , { options : lexOpts , certs : certs } ) ;
}
2018-05-18 00:51:44 +00:00
emsg = "tls SNI for '" + lexOpts . domains . join ( ',' ) + "' rejected: not in list '" + gl . approvedDomains + "'" ;
log ( gl . debug , emsg , lexOpts . domains , gl . approvedDomains ) ;
err = new Error ( emsg ) ;
err . code = 'E_REJECT_SNI' ;
cb ( err ) ;
2016-08-16 00:42:11 +00:00
} ;
}
2018-05-15 22:01:09 +00:00
gl . getCertificates = function ( domain , certs , cb ) {
2016-08-16 17:02:14 +00:00
// certs come from current in-memory cache, not lookup
2018-05-15 22:01:09 +00:00
log ( gl . debug , 'gl.getCertificates called for' , domain , 'with certs for' , certs && certs . altnames || 'NONE' ) ;
2016-08-16 00:42:11 +00:00
var opts = { domain : domain , domains : certs && certs . altnames || [ domain ] } ;
2018-05-11 21:07:28 +00:00
try {
2018-05-15 22:01:09 +00:00
gl . approveDomains ( opts , certs , function ( _err , results ) {
2018-05-11 21:07:28 +00:00
if ( _err ) {
2018-05-17 21:35:03 +00:00
if ( false !== gl . logRejectedDomains ) {
2018-05-18 00:51:44 +00:00
console . error ( "[Error] approveDomains rejected tls sni '" + domain + "'" ) ;
console . error ( "[Error] (see https://git.coolaj86.com/coolaj86/greenlock.js/issues/11)" ) ;
if ( 'E_REJECT_SNI' !== _err . code ) {
console . error ( "[Error] This is the rejection message:" ) ;
console . error ( _err . message ) ;
}
console . error ( "" ) ;
2018-05-17 21:35:03 +00:00
}
2018-05-11 21:07:28 +00:00
cb ( _err ) ;
return ;
}
2018-05-15 22:01:09 +00:00
log ( gl . debug , 'gl.approveDomains called with certs for' , results . certs && results . certs . altnames || 'NONE' , 'and options:' ) ;
log ( gl . debug , results . options ) ;
2018-05-11 21:07:28 +00:00
if ( results . certs ) {
2018-05-15 22:01:09 +00:00
log ( gl . debug , 'gl renewing' ) ;
2018-05-17 21:35:03 +00:00
return gl . core . certificates . renewAsync ( results . options , results . certs ) . then (
2018-11-05 06:33:36 +00:00
function ( certs ) {
// Workaround for https://github.com/nodejs/node/issues/22389
gl . _updateServernames ( certs ) ;
cb ( null , certs ) ;
}
2018-05-17 21:35:03 +00:00
, function ( e ) {
console . debug ( "Error renewing certificate for '" + domain + "':" ) ;
console . debug ( e ) ;
2018-05-18 00:51:44 +00:00
console . error ( "" ) ;
2018-05-17 21:35:03 +00:00
cb ( e ) ;
}
2018-07-04 07:53:40 +00:00
) ;
2018-05-11 21:07:28 +00:00
}
else {
2018-05-15 22:01:09 +00:00
log ( gl . debug , 'gl getting from disk or registering new' ) ;
2018-05-17 21:35:03 +00:00
return gl . core . certificates . getAsync ( results . options ) . then (
2018-11-05 06:33:36 +00:00
function ( certs ) {
// Workaround for https://github.com/nodejs/node/issues/22389
gl . _updateServernames ( certs ) ;
cb ( null , certs ) ;
}
2018-05-17 21:35:03 +00:00
, function ( e ) {
console . debug ( "Error loading/registering certificate for '" + domain + "':" ) ;
console . debug ( e ) ;
2018-05-18 00:51:44 +00:00
console . error ( "" ) ;
2018-05-17 21:35:03 +00:00
cb ( e ) ;
}
) ;
2018-05-11 21:07:28 +00:00
}
} ) ;
} catch ( e ) {
console . error ( "[ERROR] Something went wrong in approveDomains:" ) ;
console . error ( e ) ;
console . error ( "BUT WAIT! Good news: It's probably your fault, so you can probably fix it." ) ;
}
2016-08-16 00:42:11 +00:00
} ;
}
2018-05-15 22:01:09 +00:00
gl . sni = gl . sni || require ( 'le-sni-auto' ) ;
if ( gl . sni . create ) {
gl . sni = gl . sni . create ( gl ) ;
2016-08-15 20:36:58 +00:00
}
2018-08-16 05:23:39 +00:00
gl . tlsOptions . SNICallback = function ( _domain , cb ) {
2018-07-04 07:53:40 +00:00
// format and (lightly) sanitize sni so that users can be naive
// and not have to worry about SQL injection or fs discovery
2018-08-16 05:23:39 +00:00
var domain = ( _domain || '' ) . toLowerCase ( ) ;
2018-07-04 07:53:40 +00:00
// hostname labels allow a-z, 0-9, -, and are separated by dots
// _ is sometimes allowed
2018-08-16 05:23:39 +00:00
// REGEX // https://www.codeproject.com/Questions/1063023/alphanumeric-validation-javascript-without-regex
if ( ! gl . _ _sni _allow _dangerous _names && ( ! /^[a-z0-9_\.\-]+$/i . test ( domain ) || - 1 !== domain . indexOf ( '..' ) ) ) {
2018-07-04 07:53:40 +00:00
log ( gl . debug , "invalid sni '" + domain + "'" ) ;
cb ( new Error ( "invalid SNI" ) ) ;
return ;
}
2018-05-11 21:07:28 +00:00
try {
2018-08-16 05:23:39 +00:00
gl . sni . sniCallback ( gl . _ _sni _preserve _case && _domain || domain , cb ) ;
2018-05-11 21:07:28 +00:00
} catch ( e ) {
console . error ( "[ERROR] Something went wrong in the SNICallback:" ) ;
console . error ( e ) ;
cb ( e ) ;
}
} ;
2016-08-15 20:36:58 +00:00
}
2018-05-12 22:48:21 +00:00
2017-04-10 20:41:54 +00:00
// We want to move to using tlsOptions instead of httpsOptions, but we also need to make
// sure anything that uses this object will still work if looking for httpsOptions.
2018-05-15 22:01:09 +00:00
gl . httpsOptions = gl . tlsOptions ;
2016-08-12 21:24:28 +00:00
2018-05-15 22:01:09 +00:00
if ( gl . core . create ) {
gl . core = gl . core . create ( gl ) ;
2016-08-05 22:50:42 +00:00
}
2016-08-05 22:16:29 +00:00
2018-05-15 22:01:09 +00:00
gl . renew = function ( args , certs ) {
return gl . core . certificates . renewAsync ( args , certs ) ;
2016-08-16 16:35:18 +00:00
} ;
2018-05-15 22:01:09 +00:00
gl . register = function ( args ) {
return gl . core . certificates . getAsync ( args ) ;
2015-12-12 14:20:12 +00:00
} ;
2015-12-11 14:22:46 +00:00
2018-05-15 22:01:09 +00:00
gl . check = function ( args ) {
2016-08-05 22:16:29 +00:00
// TODO must return email, domains, tos, pems
2018-05-15 22:01:09 +00:00
return gl . core . certificates . checkAsync ( args ) ;
2016-08-05 22:16:29 +00:00
} ;
2018-05-15 22:01:09 +00:00
gl . middleware = gl . middleware || require ( './lib/middleware' ) ;
if ( gl . middleware . create ) {
gl . middleware = gl . middleware . create ( gl ) ;
2016-08-09 18:05:47 +00:00
}
2016-08-05 08:14:40 +00:00
2018-08-17 01:55:02 +00:00
//var SERVERNAME_RE = /^[a-z0-9\.\-_]+$/;
var SERVERNAME _G = /[^a-z0-9\.\-_]/ ;
2018-08-17 02:43:55 +00:00
gl . middleware . sanitizeHost = function ( app ) {
return function ( req , res , next ) {
function realNext ( ) {
if ( 'function' === typeof app ) {
app ( req , res ) ;
} else if ( 'function' === typeof next ) {
next ( ) ;
} else {
res . statusCode = 500 ;
res . end ( "Error: no middleware assigned" ) ;
}
}
// Get the host:port combo, if it exists
var host = ( req . headers . host || '' ) . split ( ':' ) ;
2018-08-17 01:55:02 +00:00
2018-08-17 02:43:55 +00:00
// if not, move along
if ( ! host [ 0 ] ) { realNext ( ) ; return ; }
2018-08-17 01:55:02 +00:00
2018-08-17 02:43:55 +00:00
// if so, remove non-allowed characters
2018-08-18 08:27:34 +00:00
var safehost = host [ 0 ] . toLowerCase ( ) . replace ( SERVERNAME _G , '' ) ;
2018-08-17 01:55:02 +00:00
2018-08-17 02:43:55 +00:00
// if there were unallowed characters, complain
2018-08-18 08:06:49 +00:00
if ( ! gl . _ _sni _allow _dangerous _names && safehost . length !== host [ 0 ] . length ) {
2018-08-17 02:43:55 +00:00
res . statusCode = 400 ;
res . end ( "Malformed HTTP Header: 'Host: " + host [ 0 ] + "'" ) ;
return ;
}
2018-08-17 01:55:02 +00:00
2018-08-17 02:43:55 +00:00
// make lowercase
if ( ! gl . _ _sni _preserve _case ) {
2018-08-18 08:27:34 +00:00
host [ 0 ] = safehost ;
2018-08-17 02:43:55 +00:00
req . headers . host = host . join ( ':' ) ;
}
2018-08-17 01:55:02 +00:00
2018-11-05 07:39:04 +00:00
// Note: This sanitize function is also called on plain sockets, which don't need Domain Fronting checks
if ( req . socket . encrypted && ! gl . _ _sni _allow _domain _fronting ) {
2018-08-22 21:49:32 +00:00
if ( req . socket && 'string' === typeof req . socket . servername ) {
2018-11-05 06:33:36 +00:00
// Workaround for https://github.com/nodejs/node/issues/22389
if ( ! gl . _checkServername ( safehost , req . socket . servername . toLowerCase ( ) ) ) {
2018-08-22 21:49:32 +00:00
res . statusCode = 400 ;
2018-11-05 00:17:16 +00:00
res . setHeader ( 'Content-Type' , 'text/html; charset=utf-8' ) ;
res . end (
"<h1>Domain Fronting Error</h1>"
+ "<p>This connection was secured using TLS/SSL for '" + req . socket . servername . toLowerCase ( ) + "'</p>"
+ "<p>The HTTP request specified 'Host: " + safehost + "', which is (obviously) different.</p>"
+ "<p>Because this looks like a domain fronting attack, the connection has been terminated.</p>"
) ;
2018-08-22 21:49:32 +00:00
return ;
}
} else if ( safehost && ! gl . middleware . sanitizeHost . _skip _fronting _check ) {
// TODO how to handle wrapped sockets, as with telebit?
console . warn ( "\n\n\n[greenlock] WARN: no string for req.socket.servername,"
+ " skipping fronting check for '" + safehost + "'\n\n\n" ) ;
gl . middleware . sanitizeHost . _skip _fronting _check = true ;
}
}
2018-08-17 02:43:55 +00:00
// carry on
realNext ( ) ;
} ;
2018-08-17 01:55:02 +00:00
} ;
2018-08-22 21:49:32 +00:00
gl . middleware . sanitizeHost . _skip _fronting _check = false ;
2018-08-17 01:55:02 +00:00
2018-05-15 22:01:09 +00:00
return gl ;
2015-12-11 14:22:46 +00:00
} ;