Fall back to global config for server and storage if possible

Renew a certificate if not all names are covered by the current certificate yet.
Adds a new `--names` option to `check` that makes `check` fail if not all names are covered.
Resolves #34.

.gitignore

@@ -1,3 +1,5 @@
 /build/
 /data/
+/info/
 /vendor/
+/config.test.yml

bin/acme

@@ -80,6 +80,11 @@ if (!in_array(PHP_SAPI, ["cli", "phpdbg"], true)) {
     exit(1);
 }
 
+if (PHP_VERSION_ID < 50600) {
+    $climate->yellow("You're using an older version of PHP which is no longer supported and will not even receive security fixes anymore. Have a look at http://php.net/supported-versions.php and upgrade now!");
+    $climate->br(2);
+}
+
 if (count($argv) === 1 || in_array($argv[1], ["-h", "help", "--help"], true)) {
     $climate->out($logo . $help);
     exit(0);

composer.json

@@ -23,8 +23,8 @@
     },
     "require-dev": {
         "phpunit/phpunit": "^5",
-        "fabpot/php-cs-fixer": "^1.9",
-        "macfja/phar-builder": "dev-events-dev-files"
+        "friendsofphp/php-cs-fixer": "^1.9",
+        "macfja/phar-builder": "^0.2.5"
     },
     "license": "MIT",
     "authors": [

doc/usage.md

@@ -41,8 +41,10 @@ certificates:
     # Required: paths
     # Optional: bits, user
     #
-    # paths: Map of document roots to domains.
-    #        /tmp is used here for domains without a real document root.
+    # paths: Map of document roots to domains. Maps each path to one or multiple
+    #        domains. If one domain is given, it's automatically converted to an
+    #        array. The first domain will be the common name.
+    #
     #        The client will place a file into $path/.well-known/acme-challenge/
     #        to verify ownership to the CA
     #
@@ -53,9 +55,9 @@ certificates:
     #
     - bits: 4096
       paths:
-        /tmp:
-            - docs.example.org
-            - git.example.org
+        /var/www/example:
+            - example.org
+            - www.example.org
     # You can have multiple certificate with different users and key options.
     - user: www-data
       paths:
@@ -75,9 +77,10 @@ the script will be quiet to be cron friendly. If an error occurs, the script wil
 You should execute `acme-client auto` as a daily cron. It's recommended to setup e-mail notifications for all output of
 that script.
 
-```bash
-0 0 * * * acme-client auto; exit=$?; if [[ $exit = 4 ]] || [[ $exit = 5 ]]; then service nginx reload; fi
+```sh
+0 0 * * * /usr/local/sbin/acme-client auto; RC=$?; if [ $RC = 4 ] || [ $RC = 5 ]; then /usr/sbin/service nginx reload; fi
 ```
+The path to `acme-client` should be modified to suit your system. The full path should be used as the system path may not be set up in your cron environment.
 
 | Exit Code | Description |
 |-----------|-------------|

src/Commands/Auto.php

@@ -6,6 +6,7 @@ use Amp\CoroutineResult;
 use Amp\File\FilesystemException;
 use Amp\Process;
 use Kelunik\Acme\AcmeException;
+use Kelunik\AcmeClient\ConfigException;
 use League\CLImate\Argument\Manager;
 use League\CLImate\CLImate;
 use Symfony\Component\Yaml\Exception\ParseException;
@@ -36,8 +37,6 @@ class Auto implements Command {
      * @return \Generator
      */
     private function doExecute(Manager $args) {
-        $server = $args->get("server");
-        $storage = $args->get("storage");
         $configPath = $args->get("config");
 
         try {
@@ -54,6 +53,30 @@ class Auto implements Command {
             return;
         }
 
+        if ($args->defined("server")) {
+            $config["server"] = $args->get("server");
+        } else if (!isset($config["server"]) && $args->exists("server")) {
+            $config["server"] = $args->get("server");
+        }
+
+        if ($args->defined("storage")) {
+            $config["storage"] = $args->get("storage");
+        } else if (!isset($config["storage"]) && $args->exists("storage")) {
+            $config["storage"] = $args->get("storage");
+        }
+
+        if (!isset($config["server"])) {
+            $this->climate->error("Config file ({$configPath}) didn't have a 'server' set nor was it passed as command line argument.");
+            yield new CoroutineResult(self::EXIT_CONFIG_ERROR);
+            return;
+        }
+
+        if (!isset($config["storage"])) {
+            $this->climate->error("Config file ({$configPath}) didn't have a 'storage' set nor was it passed as command line argument.");
+            yield new CoroutineResult(self::EXIT_CONFIG_ERROR);
+            return;
+        }
+
         if (!isset($config["email"])) {
             $this->climate->error("Config file ({$configPath}) didn't have a 'email' set.");
             yield new CoroutineResult(self::EXIT_CONFIG_ERROR);
@@ -71,9 +94,9 @@ class Auto implements Command {
             $GLOBALS["argv"][0],
             "setup",
             "--server",
-            $server,
+            $config["server"],
             "--storage",
-            $storage,
+            $config["storage"],
             "--email",
             $config["email"],
         ]));
@@ -99,7 +122,7 @@ class Auto implements Command {
             $promises = [];
 
             foreach ($certificateChunk as $certificate) {
-                $promises[] = \Amp\resolve($this->checkAndIssue($certificate, $server, $storage));
+                $promises[] = \Amp\resolve($this->checkAndIssue($certificate, $config["server"], $config["storage"]));
             }
 
             list($chunkErrors, $chunkValues) = (yield \Amp\any($promises));
@@ -166,6 +189,8 @@ class Auto implements Command {
             $storage,
             "--name",
             $commonName,
+            "--names",
+            implode(",", $domains),
         ];
 
         $command = implode(" ", array_map("escapeshellarg", $args));
@@ -225,11 +250,47 @@ class Auto implements Command {
         $result = [];
 
         foreach ($paths as $path => $domains) {
+            if (is_numeric($path)) {
+                $message = <<<MESSAGE
+Your configuration has the wrong format. Received a numeric value as path name.
+
+This is most probably due to your "paths" value not being a map but a list instead.
+
+If your configuration looks like this:
+
+certificates:
+ - paths:
+    - /www/a: a.example.org
+    - /www/b: b.example.org
+
+Rewrite it to the following format for a single certificate:
+
+certificates:
+ - paths:
+     /www/a: a.example.org
+     /www/b: b.example.org
+
+Rewrite it to the following format for two separate certificates:
+
+certificates:
+ - paths:
+     /www/a: a.example.org
+ - paths:
+     /www/b: b.example.org
+
+Documentation is available at https://github.com/kelunik/acme-client/blob/master/doc/usage.md#configuration
+
+If this doesn't solve your issue, please reply to the following issue: https://github.com/kelunik/acme-client/issues/30
+MESSAGE;
+
+                throw new ConfigException($message);
+            }
+
             $domains = (array) $domains;
 
             foreach ($domains as $domain) {
                 if (isset($result[$domain])) {
-                    throw new \LogicException("Duplicate domain: {$domain}");
+                    throw new ConfigException("Duplicate domain: {$domain}");
                 }
 
                 $result[$domain] = $path;
@@ -240,9 +301,15 @@ class Auto implements Command {
     }
 
     public static function getDefinition() {
+        $server = \Kelunik\AcmeClient\getArgumentDescription("server");
+        $storage = \Kelunik\AcmeClient\getArgumentDescription("storage");
+
+        $server["required"] = false;
+        $storage["required"] = false;
+
         $args = [
-            "server" => \Kelunik\AcmeClient\getArgumentDescription("server"),
-            "storage" => \Kelunik\AcmeClient\getArgumentDescription("storage"),
+            "server" => $server,
+            "storage" => $storage,
             "config" => [
                 "prefix" => "c",
                 "longPrefix" => "config",

src/Commands/Check.php

@@ -45,6 +45,18 @@ class Check implements Command {
         $this->climate->br();
         $this->climate->whisper("    Certificate is valid until " . date("d.m.Y", $cert->getValidTo()))->br();
 
+        if ($args->defined("names")) {
+            $names = array_map("trim", explode(",", $args->get("names")));
+            $missingNames = array_diff($names, $cert->getNames());
+
+            if ($missingNames) {
+                $this->climate->comment("    The following names are not covered: " . implode(", ", $missingNames))->br();
+
+                yield new CoroutineResult(1);
+                return;
+            }
+        }
+
         if ($cert->getValidTo() > time() + $args->get("ttl") * 24 * 60 * 60) {
             yield new CoroutineResult(0);
             return;
@@ -70,6 +82,11 @@ class Check implements Command {
                 "defaultValue" => 30,
                 "castTo" => "int",
             ],
+            "names" => [
+                "longPrefix" => "names",
+                "description" => "Names that must be covered by the certificate identified based on the common name. Names have to be separated by commas.",
+                "required" => false,
+            ],
         ];
     }
 }

src/Commands/Issue.php

@@ -80,14 +80,22 @@ class Issue implements Command {
         $this->climate->br();
 
         $acme = $this->acmeFactory->build($server, $keyPair);
-        $promises = [];
+        $errors = [];
 
-        foreach ($domains as $i => $domain) {
-            $promises[] = \Amp\resolve($this->solveChallenge($acme, $keyPair, $domain, $docRoots[$i]));
+        $domainChunks = array_chunk($domains, 10, true);
+
+        foreach ($domainChunks as $domainChunk) {
+            $promises = [];
+
+            foreach ($domainChunk as $i => $domain) {
+                $promises[] = \Amp\resolve($this->solveChallenge($acme, $keyPair, $domain, $docRoots[$i]));
+            }
+
+            list($chunkErrors) = (yield \Amp\any($promises));
+
+            $errors += $chunkErrors;
         }
 
-        list($errors) = (yield \Amp\any($promises));
-
         if (!empty($errors)) {
             foreach ($errors as $error) {
                 $this->climate->error($error->getMessage());
@@ -145,7 +153,7 @@ class Issue implements Command {
         $challengeStore = new ChallengeStore($path);
 
         try {
-            $challengeStore->put($token, $payload, isset($user) ? $user : null);
+            yield $challengeStore->put($token, $payload, isset($user) ? $user : null);
 
             yield $acme->verifyHttp01Challenge($domain, $token, $payload);
             yield $acme->answerChallenge($challenge->uri, $payload);
@@ -166,19 +174,27 @@ class Issue implements Command {
     }
 
     private function checkDnsRecords($domains) {
-        $promises = [];
+        $errors = [];
 
-        foreach ($domains as $domain) {
-            $promises[$domain] = \Amp\Dns\resolve($domain, [
-                "types" => [Record::A],
-                "hosts" => false,
-            ]);
+        $domainChunks = array_chunk($domains, 10, true);
+
+        foreach ($domainChunks as $domainChunk) {
+            $promises = [];
+
+            foreach ($domainChunk as $domain) {
+                $promises[$domain] = \Amp\Dns\resolve($domain, [
+                    "types" => [Record::A, Record::AAAA],
+                    "hosts" => false,
+                ]);
+            }
+
+            list($chunkErrors) = (yield \Amp\any($promises));
+
+            $errors += $chunkErrors;
         }
 
-        list($errors) = (yield \Amp\any($promises));
-
         if (!empty($errors)) {
-            throw new AcmeException("Couldn't resolve the following domains to an IPv4 record: " . implode(", ", array_keys($errors)));
+            throw new AcmeException("Couldn't resolve the following domains to an IPv4 nor IPv6 record: " . implode(", ", array_keys($errors)));
         }
     }
 
@@ -231,4 +247,4 @@ class Issue implements Command {
             ],
         ];
     }
-}
+}

src/Stores/KeyStore.php

@@ -68,7 +68,11 @@ class KeyStore {
         try {
             // TODO: Replace with async version once available
             if (!file_exists(dirname($file))) {
-                mkdir(dirname($file), 0755, true);
+                $success = mkdir(dirname($file), 0755, true);
+
+                if (!$success) {
+                    throw new KeyStoreException("Could not create key store directory.");
+                }
             }
 
             yield \Amp\File\put($file, $keyPair->getPrivate());