'use strict'; /*global Promise*/ require('./lib/compat.js'); // I hate this code so much. // Soooo many shims for backwards compatibility (some stuff dating back to v1) // v3 will be a clean break and I'll delete half of the code... var DAY = 24 * 60 * 60 * 1000; //var MIN = 60 * 1000; var ACME = require('acme-v2/compat').ACME; var pkg = require('./package.json'); var util = require('util'); function promisifyAllSelf(obj) { if (obj.__promisified) { return obj; } Object.keys(obj).forEach(function(key) { if ('function' === typeof obj[key] && !/Async$/.test(key)) { obj[key + 'Async'] = util.promisify(obj[key]); } }); obj.__promisified = true; return obj; } function promisifyAllStore(obj) { Object.keys(obj).forEach(function(key) { if ('function' !== typeof obj[key] || /Async$/.test(key)) { return; } var p; if (0 === obj[key].length || 1 === obj[key].length) { // wrap just in case it's synchronous (or improperly throws) p = function(opts) { return Promise.resolve().then(function() { return obj[key](opts); }); }; } else { p = util.promisify(obj[key]); } // internal backwards compat obj[key + 'Async'] = p; }); obj.__promisified = true; return obj; } var Greenlock = module.exports; Greenlock.Greenlock = Greenlock; Greenlock.LE = Greenlock; // in-process cache, shared between all instances var ipc = {}; function _log(debug) { if (debug) { var args = Array.prototype.slice.call(arguments); args.shift(); args.unshift('[gl/index.js]'); console.log.apply(console, args); } } Greenlock.defaults = { productionServerUrl: 'https://acme-v01.api.letsencrypt.org/directory', stagingServerUrl: 'https://acme-staging.api.letsencrypt.org/directory', rsaKeySize: ACME.rsaKeySize || 2048, challengeType: ACME.challengeType || 'http-01', challengeTypes: ACME.challengeTypes || ['http-01', 'dns-01'], acmeChallengePrefix: ACME.acmeChallengePrefix }; // backwards compat Object.keys(Greenlock.defaults).forEach(function(key) { Greenlock[key] = Greenlock.defaults[key]; }); // show all possible options var u; // undefined Greenlock._undefined = { acme: u, store: u, //, challenge: u challenges: u, sni: u, tlsOptions: u, register: u, check: u, renewWithin: u, // le-auto-sni and core //, renewBy: u // le-auto-sni acmeChallengePrefix: u, rsaKeySize: u, challengeType: u, server: u, version: u, agreeToTerms: u, _ipc: u, duplicate: u, _acmeUrls: u }; Greenlock._undefine = function(gl) { Object.keys(Greenlock._undefined).forEach(function(key) { if (!(key in gl)) { gl[key] = u; } }); return gl; }; Greenlock.create = function(gl) { if (!gl.store) { console.warn( "Deprecation Notice: You're haven't chosen a storage strategy." + " The old default is 'le-store-certbot', but the new default will be 'greenlock-store-fs'." + " Please `npm install greenlock-store-fs@3` and explicitly set `{ store: require('greenlock-store-fs') }`." ); gl.store = require('le-store-certbot').create({ debug: gl.debug, configDir: gl.configDir, logsDir: gl.logsDir, webrootPath: gl.webrootPath }); } gl.core = require('./lib/core'); var log = gl.log || _log; if (!gl.challenges) { gl.challenges = {}; } if (!gl.challenges['http-01']) { gl.challenges['http-01'] = require('le-challenge-fs').create({ debug: gl.debug, webrootPath: gl.webrootPath }); } if (!gl.challenges['dns-01']) { try { gl.challenges['dns-01'] = require('le-challenge-ddns').create({ debug: gl.debug }); } catch (e) { try { gl.challenges['dns-01'] = require('le-challenge-dns').create({ debug: gl.debug }); } catch (e) { // not yet implemented } } } gl = Greenlock._undefine(gl); gl.acmeChallengePrefix = Greenlock.acmeChallengePrefix; gl.rsaKeySize = gl.rsaKeySize || Greenlock.rsaKeySize; gl.challengeType = gl.challengeType || Greenlock.challengeType; gl._ipc = ipc; gl._communityPackage = gl._communityPackage || 'greenlock.js'; if ('greenlock.js' === gl._communityPackage) { gl._communityPackageVersion = pkg.version; } else { gl._communityPackageVersion = gl._communityPackageVersion || 'greenlock.js-' + pkg.version; } gl.agreeToTerms = gl.agreeToTerms || function(args, agreeCb) { agreeCb( new Error( "'agreeToTerms' was not supplied to Greenlock and 'agreeTos' was not supplied to Greenlock.register" ) ); }; if (!gl.renewWithin) { gl.renewWithin = 14 * DAY; } // renewBy has a default in le-sni-auto /////////////////////////// // BEGIN VERSION MADNESS // /////////////////////////// gl.version = gl.version || 'draft-11'; gl.server = gl.server || 'https://acme-v02.api.letsencrypt.org/directory'; if (!gl.version) { //console.warn("Please specify version: 'v01' (Let's Encrypt v1) or 'draft-12' (Let's Encrypt v2 / ACME draft 12)"); console.warn(''); console.warn(''); console.warn(''); console.warn( '==========================================================' ); console.warn( '== greenlock.js (v2.2.0+) ==' ); console.warn( '==========================================================' ); console.warn(''); console.warn("Please specify 'version' option:"); console.warn(''); console.warn( " 'draft-12' for Let's Encrypt v2 and ACME draft 12" ); console.warn(" ('v02' is an alias of 'draft-12'"); console.warn(''); console.warn('or'); console.warn(''); console.warn(" 'v01' for Let's Encrypt v1 (deprecated)"); console.warn( " (also 'npm install --save le-acme-core' as this legacy dependency will soon be removed)" ); console.warn(''); console.warn('This will be required in versions v2.3+'); console.warn(''); console.warn(''); } else if ('v02' === gl.version) { gl.version = 'draft-11'; } else if ('draft-12' === gl.version) { gl.version = 'draft-11'; } else if ('draft-11' === gl.version) { // no-op } else if ('v01' !== gl.version) { throw new Error("Unrecognized version '" + gl.version + "'"); } if (!gl.server) { throw new Error( "opts.server must specify an ACME directory URL, such as 'https://acme-staging-v02.api.letsencrypt.org/directory'" ); } if ('staging' === gl.server || 'production' === gl.server) { if ('staging' === gl.server) { gl.server = 'https://acme-staging.api.letsencrypt.org/directory'; gl.version = 'v01'; gl._deprecatedServerName = 'staging'; } else if ('production' === gl.server) { gl.server = 'https://acme-v01.api.letsencrypt.org/directory'; gl.version = 'v01'; gl._deprecatedServerName = 'production'; } console.warn(''); console.warn(''); console.warn('=== WARNING ==='); console.warn(''); console.warn( "Due to versioning issues the '" + gl._deprecatedServerName + "' option is deprecated." ); console.warn('Please specify the full url and version.'); console.warn(''); console.warn('For APIs add:'); console.warn('\t, "version": "' + gl.version + '"'); console.warn('\t, "server": "' + gl.server + '"'); console.warn(''); console.warn('For the CLI add:'); console.warn("\t--acme-url '" + gl.server + "' \\"); console.warn("\t--acme-version '" + gl.version + "' \\"); console.warn(''); console.warn(''); } function loadLeV01() { console.warn(''); console.warn('=== WARNING ==='); console.warn(''); console.warn("Let's Encrypt v1 is deprecated."); console.warn("Please update to Let's Encrypt v2 (ACME draft 12)"); console.warn(''); try { return require('le-acme-core').ACME; } catch (e) { console.error(''); console.error('=== Error (easy-to-fix) ==='); console.error(''); console.error( "Hey, this isn't a big deal, but you need to manually add v1 support:" ); console.error(''); console.error(' npm install --save le-acme-core'); console.error(''); console.error( 'Just run that real quick, restart, and everything will work great.' ); console.error(''); console.error(''); process.exit(e.code || 13); } } if ( -1 !== [ 'https://acme-v02.api.letsencrypt.org/directory', 'https://acme-staging-v02.api.letsencrypt.org/directory' ].indexOf(gl.server) ) { if ('draft-11' !== gl.version) { console.warn( "Detected Let's Encrypt v02 URL. Changing version to draft-12." ); gl.version = 'draft-11'; } } else if ( -1 !== [ 'https://acme-v01.api.letsencrypt.org/directory', 'https://acme-staging.api.letsencrypt.org/directory' ].indexOf(gl.server) || 'v01' === gl.version ) { if ('v01' !== gl.version) { console.warn( "Detected Let's Encrypt v01 URL (deprecated). Changing version to v01." ); gl.version = 'v01'; } } if ('v01' === gl.version) { ACME = loadLeV01(); } ///////////////////////// // END VERSION MADNESS // ///////////////////////// gl.acme = gl.acme || ACME.create({ debug: gl.debug, skipChallengeTest: gl.skipChallengeTest, skipDryRun: gl.skipDryRun }); if (gl.acme.create) { gl.acme = gl.acme.create(gl); } gl.acme = promisifyAllSelf(gl.acme); gl._acmeOpts = (gl.acme.getOptions && gl.acme.getOptions()) || gl.acme.options || {}; Object.keys(gl._acmeOpts).forEach(function(key) { if (!(key in gl)) { gl[key] = gl._acmeOpts[key]; } }); try { if (gl.store.create) { gl.store = gl.store.create(gl); } gl.store = promisifyAllSelf(gl.store); gl.store.accounts = promisifyAllStore(gl.store.accounts); gl.store.certificates = promisifyAllStore(gl.store.certificates); gl._storeOpts = (gl.store.getOptions && gl.store.getOptions()) || gl.store.options || {}; } catch (e) { console.error(e); console.error( '\nPROBABLE CAUSE:\n' + '\tYour greenlock-store module should have a create function and return { options, accounts, certificates }\n' ); process.exit(18); return; } Object.keys(gl._storeOpts).forEach(function(key) { if (!(key in gl)) { gl[key] = gl._storeOpts[key]; } }); // // Backwards compat for <= v2.1.7 // if (gl.challenge) { console.warn( "Deprecated use of gl.challenge. Use gl.challenges['" + Greenlock.challengeType + "'] instead." ); gl.challenges[gl.challengeType] = gl.challenge; gl.challenge = undefined; } Object.keys(gl.challenges || {}).forEach(function(challengeType) { var challenger = gl.challenges[challengeType]; if (challenger.create) { challenger = gl.challenges[challengeType] = challenger.create(gl); } challenger = gl.challenges[challengeType] = promisifyAllSelf( challenger ); gl['_challengeOpts_' + challengeType] = (challenger.getOptions && challenger.getOptions()) || challenger.options || {}; Object.keys(gl['_challengeOpts_' + challengeType]).forEach(function( key ) { if (!(key in gl)) { gl[key] = gl['_challengeOpts_' + challengeType][key]; } }); // TODO wrap these here and now with tplCopy? if (!challenger.set || ![5, 2, 1].includes(challenger.set.length)) { throw new Error( 'gl.challenges[' + challengeType + '].set receives the wrong number of arguments.' + ' You must define setChallenge as function (opts) { return Promise.resolve(); }' ); } if (challenger.get && ![4, 2, 1].includes(challenger.get.length)) { throw new Error( 'gl.challenges[' + challengeType + '].get receives the wrong number of arguments.' + ' You must define getChallenge as function (opts) { return Promise.resolve(); }' ); } if ( !challenger.remove || ![4, 2, 1].includes(challenger.remove.length) ) { throw new Error( 'gl.challenges[' + challengeType + '].remove receives the wrong number of arguments.' + ' You must define removeChallenge as function (opts) { return Promise.resolve(); }' ); } /* if (!gl._challengeWarn && (!challenger.loopback || 4 !== challenger.loopback.length)) { gl._challengeWarn = true; console.warn("gl.challenges[" + challengeType + "].loopback should be defined as function (opts, domain, token, cb) { ... } and should prove (by external means) that the ACME server challenge '" + challengeType + "' will succeed"); } else if (!gl._challengeWarn && (!challenger.test || 5 !== challenger.test.length)) { gl._challengeWarn = true; console.warn("gl.challenges[" + challengeType + "].test should be defined as function (opts, domain, token, keyAuthorization, cb) { ... } and should prove (by external means) that the ACME server challenge '" + challengeType + "' will succeed"); } */ }); gl.sni = gl.sni || null; gl.tlsOptions = gl.tlsOptions || gl.httpsOptions || {}; // Workaround for https://github.com/nodejs/node/issues/22389 gl._updateServernames = function(cert) { if (!gl._certnames) { gl._certnames = {}; } // Note: Any given domain could exist on multiple certs // (especially during renewal where some may be added) // hence we use a separate object for each domain and list each domain on it // to get the minimal full set associated with each cert and domain var allDomains = [cert.subject].concat(cert.altnames.slice(0)); allDomains.forEach(function(name) { name = name.toLowerCase(); if (!gl._certnames[name]) { gl._certnames[name] = {}; } allDomains.forEach(function(name2) { name2 = name2.toLowerCase(); gl._certnames[name][name2] = true; }); }); }; gl._checkServername = function(safeHost, servername) { // odd, but acceptable if (!safeHost || !servername) { return true; } if (safeHost === servername) { return true; } // connection established with servername and session is re-used for allowed name if (gl._certnames[servername] && gl._certnames[servername][safeHost]) { return true; } return false; }; if (!gl.tlsOptions.SNICallback) { if (!gl.getCertificatesAsync && !gl.getCertificates) { if (Array.isArray(gl.approveDomains)) { gl.approvedDomains = gl.approveDomains; gl.approveDomains = null; } if (!gl.approveDomains) { gl.approveDomains = function(lexOpts, cb) { var err; var emsg; if (!gl.email) { throw new Error( 'le-sni-auto is not properly configured. Missing email' ); } if (!gl.agreeTos) { throw new Error( 'le-sni-auto is not properly configured. Missing agreeTos' ); } if (!/[a-z]/i.test(lexOpts.domain)) { cb( new Error( 'le-sni-auto does not allow IP addresses in SNI' ) ); return; } if (!Array.isArray(gl.approvedDomains)) { // The acme-v2 package uses pre-flight test challenges to // verify that each requested domain is hosted by the server // these checks are sufficient for most use cases return cb(null, lexOpts); } if ( lexOpts.domains.every(function(domain) { return -1 !== gl.approvedDomains.indexOf(domain); }) ) { // commented this out because people expect to be able to edit the list of domains // lexOpts.domains = gl.approvedDomains.slice(0); lexOpts.email = gl.email; lexOpts.agreeTos = gl.agreeTos; lexOpts.communityMember = gl.communityMember; lexOpts.telemetry = gl.telemetry; return cb(null, lexOpts); } emsg = "tls SNI for '" + lexOpts.domains.join(',') + "' rejected: not in list '" + gl.approvedDomains + "'"; log(gl.debug, emsg, lexOpts.domains, gl.approvedDomains); err = new Error(emsg); err.code = 'E_REJECT_SNI'; cb(err); }; } gl.getCertificates = function(domain, certs, cb) { // certs come from current in-memory cache, not lookup log( gl.debug, 'gl.getCertificates called for', domain, 'with certs for', (certs && certs.altnames) || 'NONE' ); var opts = { domain: domain, domains: (certs && certs.altnames) || [domain], certs: certs, certificate: {}, account: {} }; opts.wildname = '*.' + (domain || '') .split('.') .slice(1) .join('.'); function cb2(results) { log( gl.debug, 'gl.approveDomains called with certs for', (results.certs && results.certs.altnames) || 'NONE', 'and options:' ); log(gl.debug, results.options || results); var err; if (!results) { err = new Error('E_REJECT_SNI'); err.code = 'E_REJECT_SNI'; eb2(err); return; } var options = results.options || results; if (opts !== options) { Object.keys(options).forEach(function(key) { if ( 'undefined' !== typeof options[key] && 'domain' !== key ) { opts[key] = options[key]; } }); options = opts; } if ( Array.isArray(options.altnames) && options.altnames.length ) { options.domains = options.altnames; } options.altnames = options.domains; // just in case we get a completely different object from the one we originally created if (!options.account) { options.account = {}; } if (!options.certificate) { options.certificate = {}; } if (results.certs) { log(gl.debug, 'gl renewing'); return gl.core.certificates .renewAsync(options, results.certs) .then( function(certs) { // Workaround for https://github.com/nodejs/node/issues/22389 gl._updateServernames(certs); cb(null, certs); }, function(e) { console.debug( "Error renewing certificate for '" + domain + "':" ); console.debug(e); console.error(''); cb(e); } ); } else { log( gl.debug, 'gl getting from disk or registering new' ); return gl.core.certificates.getAsync(options).then( function(certs) { // Workaround for https://github.com/nodejs/node/issues/22389 gl._updateServernames(certs); cb(null, certs); }, function(e) { console.debug( "Error loading/registering certificate for '" + domain + "':" ); console.debug(e); console.error(''); cb(e); } ); } } function eb2(_err) { if (false !== gl.logRejectedDomains) { console.error( "[Error] approveDomains rejected tls sni '" + domain + "'" ); console.error( '[Error] (see https://git.coolaj86.com/coolaj86/greenlock.js/issues/11)' ); if ('E_REJECT_SNI' !== _err.code) { console.error( '[Error] This is the rejection message:' ); console.error(_err.message); } console.error(''); } cb(_err); return; } function mb2(_err, results) { if (_err) { eb2(_err); return; } cb2(results); } try { if (1 === gl.approveDomains.length) { Promise.resolve(gl.approveDomains(opts)) .then(cb2) .catch(eb2); } else if (2 === gl.approveDomains.length) { gl.approveDomains(opts, mb2); } else { gl.approveDomains(opts, certs, mb2); } } catch (e) { console.error( '[ERROR] Something went wrong in approveDomains:' ); console.error(e); console.error( "BUT WAIT! Good news: It's probably your fault, so you can probably fix it." ); } }; } gl.sni = gl.sni || require('le-sni-auto'); if (gl.sni.create) { gl.sni = gl.sni.create(gl); } gl.tlsOptions.SNICallback = function(_domain, cb) { // format and (lightly) sanitize sni so that users can be naive // and not have to worry about SQL injection or fs discovery var domain = (_domain || '').toLowerCase(); // hostname labels allow a-z, 0-9, -, and are separated by dots // _ is sometimes allowed // REGEX // https://www.codeproject.com/Questions/1063023/alphanumeric-validation-javascript-without-regex if ( !gl.__sni_allow_dangerous_names && (!/^[a-z0-9_\.\-]+$/i.test(domain) || -1 !== domain.indexOf('..')) ) { log(gl.debug, "invalid sni '" + domain + "'"); cb(new Error('invalid SNI')); return; } try { gl.sni.sniCallback( (gl.__sni_preserve_case && _domain) || domain, cb ); } catch (e) { console.error( '[ERROR] Something went wrong in the SNICallback:' ); console.error(e); cb(e); } }; } // We want to move to using tlsOptions instead of httpsOptions, but we also need to make // sure anything that uses this object will still work if looking for httpsOptions. gl.httpsOptions = gl.tlsOptions; if (gl.core.create) { gl.core = gl.core.create(gl); } gl.renew = function(args, certs) { return gl.core.certificates.renewAsync(args, certs); }; gl.register = function(args) { return gl.core.certificates.getAsync(args); }; gl.check = function(args) { // TODO must return email, domains, tos, pems return gl.core.certificates.checkAsync(args); }; gl.middleware = gl.middleware || require('./lib/middleware'); if (gl.middleware.create) { gl.middleware = gl.middleware.create(gl); } //var SERVERNAME_RE = /^[a-z0-9\.\-_]+$/; var SERVERNAME_G = /[^a-z0-9\.\-_]/; gl.middleware.sanitizeHost = function(app) { return function(req, res, next) { function realNext() { if ('function' === typeof app) { app(req, res); } else if ('function' === typeof next) { next(); } else { res.statusCode = 500; res.end('Error: no middleware assigned'); } } // Get the host:port combo, if it exists var host = (req.headers.host || '').split(':'); // if not, move along if (!host[0]) { realNext(); return; } // if so, remove non-allowed characters var safehost = host[0].toLowerCase().replace(SERVERNAME_G, ''); // if there were unallowed characters, complain if ( !gl.__sni_allow_dangerous_names && safehost.length !== host[0].length ) { res.statusCode = 400; res.end("Malformed HTTP Header: 'Host: " + host[0] + "'"); return; } // make lowercase if (!gl.__sni_preserve_case) { host[0] = safehost; req.headers.host = host.join(':'); } // Note: This sanitize function is also called on plain sockets, which don't need Domain Fronting checks if (req.socket.encrypted && !gl.__sni_allow_domain_fronting) { if (req.socket && 'string' === typeof req.socket.servername) { // Workaround for https://github.com/nodejs/node/issues/22389 if ( !gl._checkServername( safehost, req.socket.servername.toLowerCase() ) ) { res.statusCode = 400; res.setHeader( 'Content-Type', 'text/html; charset=utf-8' ); res.end( '
This connection was secured using TLS/SSL for '" + req.socket.servername.toLowerCase() + "'
" + "The HTTP request specified 'Host: " + safehost + "', which is (obviously) different.
" + 'Because this looks like a domain fronting attack, the connection has been terminated.
' ); return; } } else if ( safehost && !gl.middleware.sanitizeHost._skip_fronting_check ) { // TODO how to handle wrapped sockets, as with telebit? console.warn( '\n\n\n[greenlock] WARN: no string for req.socket.servername,' + " skipping fronting check for '" + safehost + "'\n\n\n" ); gl.middleware.sanitizeHost._skip_fronting_check = true; } } // carry on realNext(); }; }; gl.middleware.sanitizeHost._skip_fronting_check = false; return gl; };