daxi20/acmeclient
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove renew and replace with check mechanism, remove sudo requirement, add multiple accounts again

Browse Source
This commit is contained in:
Niklas Keller
2016-03-12 16:26:49 +01:00
parent 37d054975c
commit 68afa4e0e9
14 changed files with 260 additions and 197 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
src/Commands/Check.php Normal file
View File

@@ -0,0 +1,61 @@
<?php
namespace Kelunik\AcmeClient\Commands;
use Kelunik\Certificate\Certificate;
use League\CLImate\Argument\Manager;
use Psr\Log\LoggerInterface;
class Check implements Command {
private $logger;
public function __construct(LoggerInterface $logger) {
$this->logger = $logger;
}
public function execute(Manager $args) {
return \Amp\resolve($this->doExecute($args));
}
/**
* @param Manager $args
* @return \Generator
*/
private function doExecute(Manager $args) {
$path = $args->get("cert");
if (!realpath($path)) {
throw new \RuntimeException("Certificate doesn't exist: '{$path}'");
}
$pem = (yield \Amp\File\get($path));
$cert = new Certificate($pem);
$this->logger->info("Certificate is valid until " . date("d.m.Y", $cert->getValidTo()));
if ($cert->getValidTo() > time() + $args->get("ttl") * 24 * 60 * 60) {
exit(0);
}
$this->logger->warning("Certificate is going to expire within the specified " . $args->get("ttl") . " days.");
exit(1);
}
public static function getDefinition() {
return [
"cert" => [
"longPrefix" => "cert",
"prefix" => "c",
"description" => "Certificate to check.",
"required" => true,
],
"ttl" => [
"longPrefix" => "ttl",
"description" => "Minimum valid time in days.",
"defaultValue" => 30,
"castTo" => "int",
],
];
}
}

46
src/Commands/Issue.php
View File

@@ -29,15 +29,30 @@ class Issue implements Command {
}
private function doExecute(Manager $args) {
$domains = array_map("trim", explode(",", $args->get("domains")));
yield \Amp\resolve($this->checkDnsRecords($domains));
if (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
if (posix_geteuid() !== 0) {
$processUser = posix_getpwnam(posix_geteuid());
$currentUsername = $processUser["name"];
$user = $args->get("user") ?: $currentUsername;
$user = $args->get("user") ?: "www-data";
if ($currentUsername !== $user) {
throw new AcmeException("Running this script with --user only works as root!");
}
} else {
$user = $args->get("user") ?: "www-data";
}
}
$domains = array_map("trim", explode(":", $args->get("domains")));
yield \Amp\resolve($this->checkDnsRecords($domains));
$keyStore = new KeyStore(dirname(dirname(__DIR__)) . "/data");
$keyPair = (yield $keyStore->get("account/key.pem"));
$acme = new AcmeService(new AcmeClient(\Kelunik\AcmeClient\getServer(), $keyPair), $keyPair);
$server = \Kelunik\AcmeClient\resolveServer($args->get("server"));
$keyFile = \Kelunik\AcmeClient\serverToKeyname($server);
$keyPair = (yield $keyStore->get("accounts/{$keyFile}.pem"));
$acme = new AcmeService(new AcmeClient($server, $keyPair));
foreach ($domains as $domain) {
list($location, $challenges) = (yield $acme->requestChallenges($domain));
@@ -51,11 +66,11 @@ class Issue implements Command {
$token = $challenge->token;
if (!preg_match("#^[a-zA-Z0-9-_]+$#", $token)) {
throw new AcmeException("Protocol Violation: Invalid Token!");
throw new AcmeException("Protocol violation: Invalid Token!");
}
$this->logger->debug("Generating payload...");
$payload = $acme->generateHttp01Payload($token);
$payload = $acme->generateHttp01Payload($token, $keyPair);
$this->logger->info("Providing payload at http://{$domain}/.well-known/acme-challenge/{$token}");
$docRoot = rtrim(str_replace("\\", "/", $args->get("path")), "/");
@@ -63,9 +78,9 @@ class Issue implements Command {
$challengeStore = new ChallengeStore($docRoot);
try {
$challengeStore->put($token, $payload, $user);
$challengeStore->put($token, $payload, isset($user) ? $user : null);
yield $acme->selfVerify($domain, $token, $payload);
yield $acme->verifyHttp01Challenge($domain, $token, $payload);
$this->logger->info("Successfully self-verified challenge.");
yield $acme->answerChallenge($challenge->uri, $payload);
@@ -87,7 +102,7 @@ class Issue implements Command {
}
$path = "certs/" . reset($domains) . "/key.pem";
$bits = $args->get("bits") ?: 2048;
$bits = $args->get("bits");
try {
$keyPair = (yield $keyStore->get($path));
@@ -153,23 +168,28 @@ class Issue implements Command {
public static function getDefinition() {
return [
"server" => [
"prefix" => "s",
"longPrefix" => "server",
"description" => "Server to use for issuance, see also 'bin/acme setup'.",
"required" => true,
],
"domains" => [
"prefix" => "d",
"longPrefix" => "domains",
"description" => "Comma separated list of domains to request a certificate for.",
"description" => "Colon separated list of domains to request a certificate for.",
"required" => true,
],
"path" => [
"prefix" => "p",
"longPrefix" => "path",
"description" => "Absolute path to the document root of these domains.",
"description" => "Colon separated list of paths to the document roots. The last one will be used for all remaining ones if fewer than the amount of domains is given.",
"required" => true,
],
"user" => [
"prefix" => "u",
"longPrefix" => "user",
"description" => "User running the web server.",
"defaultValue" => "www-data",
],
"bits" => [
"longPrefix" => "bits",

86
src/Commands/Renew.php
View File

@@ -1,86 +0,0 @@
<?php
namespace Kelunik\AcmeClient\Commands;
use Amp\Process;
use Kelunik\Certificate\Certificate;
use League\CLImate\Argument\Manager;
use Psr\Log\LoggerInterface;
class Renew implements Command {
private $logger;
public function __construct(LoggerInterface $logger) {
$this->logger = $logger;
}
public function execute(Manager $args) {
return \Amp\resolve($this->doExecute($args));
}
private function doExecute(Manager $args) {
$path = dirname(dirname(__DIR__)) . "/data/certs";
if (!realpath($path)) {
throw new \RuntimeException("Certificate path doesn't exist: '{$path}'");
}
$domains = (yield \Amp\File\scandir($path));
$promises = [];
foreach ($domains as $domain) {
$pem = (yield \Amp\File\get($path . "/" . $domain . "/cert.pem"));
$cert = new Certificate($pem);
if ($cert->getValidTo() > time() + 30 * 24 * 60 * 60) {
$this->logger->info("Certificate for " . implode(",", $cert->getNames()) . " is still valid for more than 30 days.");
continue;
}
$json = (yield \Amp\File\get($path . "/" . $domain . "/config.json"));
$config = json_decode($json);
$command = [
PHP_BINARY,
dirname(dirname(__DIR__)) . "/bin/acme",
"issue",
"-d",
implode(",", $config->domains),
"-p",
$config->path,
"-u",
$config->user,
];
$command = array_map("escapeshellarg", $command);
$command = implode(" ", $command);
$promises[] = \Amp\pipe((new Process($command))->exec()->watch(function ($update) {
list($type, $data) = $update;
if ($type === "err") {
$this->logger->error($data);
} else {
$this->logger->info($data);
}
}), function ($result) use ($command) {
$result->command = $command;
return $result;
});
}
$results = (yield \Amp\all($promises));
foreach ($results as $result) {
if ($result->exit !== 0) {
throw new \RuntimeException("Invalid exit code: " . $result->exit . " (" . $result->command . ")");
}
}
}
public static function getDefinition() {
return [];
}
}

17
src/Commands/Revoke.php
View File

@@ -26,14 +26,13 @@ class Revoke implements Command {
}
private function doExecute(Manager $args) {
if (posix_geteuid() !== 0) {
throw new AcmeException("Please run this script as root!");
}
$keyStore = new KeyStore(dirname(dirname(__DIR__)) . "/data");
$keyPair = (yield $keyStore->get("account/key.pem"));
$acme = new AcmeService(new AcmeClient(\Kelunik\AcmeClient\getServer(), $keyPair), $keyPair);
$server = $args->get("server");
$keyFile = \Kelunik\AcmeClient\serverToKeyname($server);
$keyPair = (yield $keyStore->get("accounts/{$keyFile}.pem"));
$acme = new AcmeService(new AcmeClient($server, $keyPair), $keyPair);
$this->logger->info("Revoking certificate ...");
@@ -57,6 +56,12 @@ class Revoke implements Command {
public static function getDefinition() {
return [
"server" => [
"prefix" => "s",
"longPrefix" => "server",
"description" => "",
"required" => true,
],
"name" => [
"longPrefix" => "name",
"description" => "Common name of the certificate to be revoked.",

10
src/Commands/Setup.php
View File

@@ -34,15 +34,9 @@ class Setup implements Command {
yield \Amp\resolve($this->checkEmail($email));
$server = $args->get("server");
$protocol = substr($server, 0, strpos("://", $server));
$keyFile = \Kelunik\AcmeClient\serverToKeyname($server);
if (!$protocol || $protocol === $server) {
$server = "https://" . $server;
} elseif ($protocol !== "https") {
throw new \InvalidArgumentException("Invalid protocol, only https is allowed!");
}
$path = "account/key.pem";
$path = "accounts/{$keyFile}.pem";
$bits = 4096;
$keyStore = new KeyStore(dirname(dirname(__DIR__)) . "/data");