Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Improve the logging format 

In order to renew different certificate at the same time, log messages
must display which certificate they are referring to.
pull/5/head
Rodolphe Breard 6 years ago
parent
cd5f8d9e0d
commit
08c9410028
9 changed files with 252 additions and 165 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      CHANGELOG.md
  2. 8
      acme_common/src/error.rs
  3. 67
      acmed/src/acme_proto.rs
  4. 9
      acmed/src/acme_proto/account.rs
  5. 78
      acmed/src/acme_proto/http.rs
  6. 154
      acmed/src/certificate.rs
  7. 48
      acmed/src/hooks.rs
  8. 27
      acmed/src/main_event_loop.rs
  9. 25
      acmed/src/storage.rs

1
CHANGELOG.md
View File

@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed ### Changed
- Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval. - Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval.
- In hooks, the `stdin` field now refers to the path of the file that should be written into the hook's standard input. - In hooks, the `stdin` field now refers to the path of the file that should be written into the hook's standard input.
- The logging format has been re-written.
### Fixed ### Fixed
- The http-01-echo hook now correctly sets the file's access rights - The http-01-echo hook now correctly sets the file's access rights

8
acme_common/src/error.rs
View File

@ -5,6 +5,14 @@ pub struct Error {
pub message: String, pub message: String,
} }
impl Error {
pub fn prefix(&self, prefix: &str) -> Self {
Error {
message: format!("{}: {}", prefix, &self.message),
}
}
}
impl fmt::Display for Error { impl fmt::Display for Error {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "{}", self.message) write!(f, "{}", self.message)

67
acmed/src/acme_proto.rs
View File

@ -6,7 +6,6 @@ use crate::acme_proto::structs::{
use crate::certificate::Certificate; use crate::certificate::Certificate;
use crate::storage; use crate::storage;
use acme_common::error::Error; use acme_common::error::Error;
use log::{info, warn};
use std::fmt; use std::fmt;
mod account; mod account;
@ -75,10 +74,10 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result<
let mut hook_datas = vec![]; let mut hook_datas = vec![];
// 1. Get the directory // 1. Get the directory
let directory = http::get_directory(root_certs, &cert.remote_url)?;
let directory = http::get_directory(cert, root_certs, &cert.remote_url)?;
// 2. Get a first nonce // 2. Get a first nonce
let nonce = http::get_nonce(root_certs, &directory.new_nonce)?;
let nonce = http::get_nonce(cert, root_certs, &directory.new_nonce)?;
// 3. Get or create the account // 3. Get or create the account
let (account, nonce) = AccountManager::new(cert, &directory, &nonce, root_certs)?; let (account, nonce) = AccountManager::new(cert, &directory, &nonce, root_certs)?;
@ -87,21 +86,26 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result<
let new_order = NewOrder::new(&domains); let new_order = NewOrder::new(&domains);
let new_order = serde_json::to_string(&new_order)?; let new_order = serde_json::to_string(&new_order)?;
let data_builder = set_data_builder!(account, new_order.as_bytes(), directory.new_order); let data_builder = set_data_builder!(account, new_order.as_bytes(), directory.new_order);
let (order, order_url, mut nonce): (Order, String, String) =
http::get_obj_loc(root_certs, &directory.new_order, &data_builder, &nonce)?;
let (order, order_url, mut nonce): (Order, String, String) = http::get_obj_loc(
cert,
root_certs,
&directory.new_order,
&data_builder,
&nonce,
)?;
if let Some(e) = order.get_error() { if let Some(e) = order.get_error() {
warn!("Error: {}", e);
cert.warn(&e.prefix("Error").message);
} }
// 5. Get all the required authorizations // 5. Get all the required authorizations
for auth_url in order.authorizations.iter() { for auth_url in order.authorizations.iter() {
let data_builder = set_empty_data_builder!(account, auth_url); let data_builder = set_empty_data_builder!(account, auth_url);
let (auth, new_nonce): (Authorization, String) = let (auth, new_nonce): (Authorization, String) =
http::get_obj(root_certs, &auth_url, &data_builder, &nonce)?;
http::get_obj(cert, root_certs, &auth_url, &data_builder, &nonce)?;
nonce = new_nonce; nonce = new_nonce;
if let Some(e) = auth.get_error() { if let Some(e) = auth.get_error() {
warn!("Error: {}", e);
cert.warn(&e.prefix("Error").message);
} }
if auth.status == AuthorizationStatus::Valid { if auth.status == AuthorizationStatus::Valid {
continue; continue;
@ -130,8 +134,13 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result<
// 8. Tell the server the challenge has been completed // 8. Tell the server the challenge has been completed
let chall_url = challenge.get_url(); let chall_url = challenge.get_url();
let data_builder = set_data_builder!(account, b"{}", chall_url); let data_builder = set_data_builder!(account, b"{}", chall_url);
let new_nonce =
http::post_challenge_response(root_certs, &chall_url, &data_builder, &nonce)?;
let new_nonce = http::post_challenge_response(
cert,
root_certs,
&chall_url,
&data_builder,
&nonce,
)?;
nonce = new_nonce; nonce = new_nonce;
} }
} }
@ -139,8 +148,14 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result<
// 9. Pool the authorization in order to see whether or not it is valid // 9. Pool the authorization in order to see whether or not it is valid
let data_builder = set_empty_data_builder!(account, auth_url); let data_builder = set_empty_data_builder!(account, auth_url);
let break_fn = |a: &Authorization| a.status == AuthorizationStatus::Valid; let break_fn = |a: &Authorization| a.status == AuthorizationStatus::Valid;
let (_, new_nonce): (Authorization, String) =
http::pool_obj(root_certs, &auth_url, &data_builder, &break_fn, &nonce)?;
let (_, new_nonce): (Authorization, String) = http::pool_obj(
cert,
root_certs,
&auth_url,
&data_builder,
&break_fn,
&nonce,
)?;
nonce = new_nonce; nonce = new_nonce;
for (data, hook_type) in hook_datas.iter() { for (data, hook_type) in hook_datas.iter() {
cert.call_challenge_hooks_clean(&data, (*hook_type).to_owned())?; cert.call_challenge_hooks_clean(&data, (*hook_type).to_owned())?;
@ -151,33 +166,45 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result<
// 10. Pool the order in order to see whether or not it is ready // 10. Pool the order in order to see whether or not it is ready
let data_builder = set_empty_data_builder!(account, order_url); let data_builder = set_empty_data_builder!(account, order_url);
let break_fn = |o: &Order| o.status == OrderStatus::Ready; let break_fn = |o: &Order| o.status == OrderStatus::Ready;
let (order, nonce): (Order, String) =
http::pool_obj(root_certs, &order_url, &data_builder, &break_fn, &nonce)?;
let (order, nonce): (Order, String) = http::pool_obj(
cert,
root_certs,
&order_url,
&data_builder,
&break_fn,
&nonce,
)?;
// 11. Finalize the order by sending the CSR // 11. Finalize the order by sending the CSR
let (priv_key, pub_key) = certificate::get_key_pair(cert)?; let (priv_key, pub_key) = certificate::get_key_pair(cert)?;
let csr = certificate::generate_csr(cert, &priv_key, &pub_key)?; let csr = certificate::generate_csr(cert, &priv_key, &pub_key)?;
let data_builder = set_data_builder!(account, csr.as_bytes(), order.finalize); let data_builder = set_data_builder!(account, csr.as_bytes(), order.finalize);
let (order, nonce): (Order, String) = let (order, nonce): (Order, String) =
http::get_obj(root_certs, &order.finalize, &data_builder, &nonce)?;
http::get_obj(cert, root_certs, &order.finalize, &data_builder, &nonce)?;
if let Some(e) = order.get_error() { if let Some(e) = order.get_error() {
warn!("Error: {}", e);
cert.warn(&e.prefix("Error").message);
} }
// 12. Pool the order in order to see whether or not it is valid // 12. Pool the order in order to see whether or not it is valid
let data_builder = set_empty_data_builder!(account, order_url); let data_builder = set_empty_data_builder!(account, order_url);
let break_fn = |o: &Order| o.status == OrderStatus::Valid; let break_fn = |o: &Order| o.status == OrderStatus::Valid;
let (order, nonce): (Order, String) =
http::pool_obj(root_certs, &order_url, &data_builder, &break_fn, &nonce)?;
let (order, nonce): (Order, String) = http::pool_obj(
cert,
root_certs,
&order_url,
&data_builder,
&break_fn,
&nonce,
)?;
// 13. Download the certificate // 13. Download the certificate
let crt_url = order let crt_url = order
.certificate .certificate
.ok_or_else(|| Error::from("No certificate available for download."))?; .ok_or_else(|| Error::from("No certificate available for download."))?;
let data_builder = set_empty_data_builder!(account, crt_url); let data_builder = set_empty_data_builder!(account, crt_url);
let (crt, _) = http::get_certificate(root_certs, &crt_url, &data_builder, &nonce)?;
let (crt, _) = http::get_certificate(cert, root_certs, &crt_url, &data_builder, &nonce)?;
storage::write_certificate(cert, &crt.as_bytes())?; storage::write_certificate(cert, &crt.as_bytes())?;
info!("Certificate renewed for {}", domains.join(", "));
cert.info("Certificate renewed");
Ok(()) Ok(())
} }

9
acmed/src/acme_proto/account.rs
View File

@ -42,8 +42,13 @@ impl AccountManager {
let account = serde_json::to_string(&account)?; let account = serde_json::to_string(&account)?;
let data_builder = let data_builder =
|n: &str| encode_jwk(&priv_key, account.as_bytes(), &directory.new_account, n); |n: &str| encode_jwk(&priv_key, account.as_bytes(), &directory.new_account, n);
let (acc_rep, account_url, nonce): (AccountResponse, String, String) =
http::get_obj_loc(root_certs, &directory.new_account, &data_builder, &nonce)?;
let (acc_rep, account_url, nonce): (AccountResponse, String, String) = http::get_obj_loc(
cert,
root_certs,
&directory.new_account,
&data_builder,
&nonce,
)?;
let ac = AccountManager { let ac = AccountManager {
priv_key, priv_key,
pub_key, pub_key,

78
acmed/src/acme_proto/http.rs
View File

@ -1,9 +1,9 @@
use crate::acme_proto::structs::{AcmeError, ApiError, Directory, HttpApiError}; use crate::acme_proto::structs::{AcmeError, ApiError, Directory, HttpApiError};
use crate::certificate::Certificate;
use acme_common::error::Error; use acme_common::error::Error;
use http_req::request::{Method, Request}; use http_req::request::{Method, Request};
use http_req::response::Response; use http_req::response::Response;
use http_req::uri::Uri; use http_req::uri::Uri;
use log::{debug, trace, warn};
use std::path::Path; use std::path::Path;
use std::str::FromStr; use std::str::FromStr;
use std::{thread, time}; use std::{thread, time};
@ -25,8 +25,13 @@ impl FromStr for DummyString {
} }
} }
fn new_request<'a>(root_certs: &'a [String], uri: &'a Uri, method: Method) -> Request<'a> {
debug!("{}: {}", method, uri);
fn new_request<'a>(
cert: &Certificate,
root_certs: &'a [String],
uri: &'a Uri,
method: Method,
) -> Request<'a> {
cert.debug(&format!("{}: {}", method, uri));
let useragent = format!( let useragent = format!(
"{}/{} ({}) {}", "{}/{} ({}) {}",
crate::APP_NAME, crate::APP_NAME,
@ -52,7 +57,7 @@ fn send_request(request: &Request) -> Result<(Response, String), Error> {
Ok((res, res_str)) Ok((res, res_str))
} }
fn send_request_retry(request: &Request) -> Result<(Response, String), Error> {
fn send_request_retry(cert: &Certificate, request: &Request) -> Result<(Response, String), Error> {
for _ in 0..crate::DEFAULT_HTTP_FAIL_NB_RETRY { for _ in 0..crate::DEFAULT_HTTP_FAIL_NB_RETRY {
let (res, res_body) = send_request(request)?; let (res, res_body) = send_request(request)?;
match check_response(&res, &res_body) { match check_response(&res, &res_body) {
@ -64,7 +69,7 @@ fn send_request_retry(request: &Request) -> Result<(Response, String), Error> {
let msg = format!("HTTP error: {}: {}", res.status_code(), res.reason()); let msg = format!("HTTP error: {}: {}", res.status_code(), res.reason());
return Err(msg.into()); return Err(msg.into());
} }
warn!("{}", e);
cert.warn(&format!("{}", e));
} }
}; };
thread::sleep(time::Duration::from_secs(crate::DEFAULT_HTTP_FAIL_WAIT_SEC)); thread::sleep(time::Duration::from_secs(crate::DEFAULT_HTTP_FAIL_WAIT_SEC));
@ -86,10 +91,10 @@ fn is_nonce(data: &str) -> bool {
.all(|c| c.is_ascii_alphanumeric() || c == b'-' || c == b'_') .all(|c| c.is_ascii_alphanumeric() || c == b'-' || c == b'_')
} }
fn nonce_from_response(res: &Response) -> Result<String, Error> {
fn nonce_from_response(cert: &Certificate, res: &Response) -> Result<String, Error> {
let nonce = get_header(res, "Replay-Nonce")?; let nonce = get_header(res, "Replay-Nonce")?;
if is_nonce(&nonce) { if is_nonce(&nonce) {
trace!("New nonce: {}", nonce);
cert.trace(&format!("New nonce: {}", nonce));
Ok(nonce.to_string()) Ok(nonce.to_string())
} else { } else {
let msg = format!("{}: invalid nonce.", nonce); let msg = format!("{}: invalid nonce.", nonce);
@ -98,21 +103,22 @@ fn nonce_from_response(res: &Response) -> Result<String, Error> {
} }
fn post_jose_type( fn post_jose_type(
cert: &Certificate,
root_certs: &[String], root_certs: &[String],
url: &str, url: &str,
data: &[u8], data: &[u8],
accept_type: &str, accept_type: &str,
) -> Result<(Response, String), Error> { ) -> Result<(Response, String), Error> {
let uri = url.parse::<Uri>()?; let uri = url.parse::<Uri>()?;
let mut request = new_request(root_certs, &uri, Method::POST);
let mut request = new_request(cert, root_certs, &uri, Method::POST);
request.header("Content-Type", CONTENT_TYPE_JOSE); request.header("Content-Type", CONTENT_TYPE_JOSE);
request.header("Content-Length", &data.len().to_string()); request.header("Content-Length", &data.len().to_string());
request.header("Accept", accept_type); request.header("Accept", accept_type);
request.body(data); request.body(data);
let rstr = String::from_utf8_lossy(data); let rstr = String::from_utf8_lossy(data);
trace!("request body: {}", rstr);
cert.trace(&format!("request body: {}", rstr));
let (res, res_body) = send_request(&request)?; let (res, res_body) = send_request(&request)?;
trace!("response body: {}", res_body);
cert.trace(&format!("response body: {}", res_body));
Ok((res, res_body)) Ok((res, res_body))
} }
@ -125,6 +131,7 @@ fn check_response(res: &Response, body: &str) -> Result<(), AcmeError> {
} }
fn fetch_obj_type<T, G>( fn fetch_obj_type<T, G>(
cert: &Certificate,
root_certs: &[String], root_certs: &[String],
url: &str, url: &str,
data_builder: &G, data_builder: &G,
@ -138,8 +145,8 @@ where
let mut nonce = nonce.to_string(); let mut nonce = nonce.to_string();
for _ in 0..crate::DEFAULT_HTTP_FAIL_NB_RETRY { for _ in 0..crate::DEFAULT_HTTP_FAIL_NB_RETRY {
let data = data_builder(&nonce)?; let data = data_builder(&nonce)?;
let (res, res_body) = post_jose_type(root_certs, url, data.as_bytes(), accept_type)?;
nonce = nonce_from_response(&res)?;
let (res, res_body) = post_jose_type(cert, root_certs, url, data.as_bytes(), accept_type)?;
nonce = nonce_from_response(cert, &res)?;
match check_response(&res, &res_body) { match check_response(&res, &res_body) {
Ok(()) => { Ok(()) => {
@ -152,7 +159,7 @@ where
let msg = format!("HTTP error: {}: {}", res.status_code(), res.reason()); let msg = format!("HTTP error: {}: {}", res.status_code(), res.reason());
return Err(msg.into()); return Err(msg.into());
} }
warn!("{}", e);
cert.warn(&format!("{}", e));
} }
}; };
thread::sleep(time::Duration::from_secs(crate::DEFAULT_HTTP_FAIL_WAIT_SEC)); thread::sleep(time::Duration::from_secs(crate::DEFAULT_HTTP_FAIL_WAIT_SEC));
@ -161,6 +168,7 @@ where
} }
fn fetch_obj<T, G>( fn fetch_obj<T, G>(
cert: &Certificate,
root_certs: &[String], root_certs: &[String],
url: &str, url: &str,
data_builder: &G, data_builder: &G,
@ -170,10 +178,18 @@ where
T: std::str::FromStr<Err = Error>, T: std::str::FromStr<Err = Error>,
G: Fn(&str) -> Result<String, Error>, G: Fn(&str) -> Result<String, Error>,
{ {
fetch_obj_type(root_certs, url, data_builder, nonce, CONTENT_TYPE_JSON)
fetch_obj_type(
cert,
root_certs,
url,
data_builder,
nonce,
CONTENT_TYPE_JSON,
)
} }
pub fn get_obj_loc<T, G>( pub fn get_obj_loc<T, G>(
cert: &Certificate,
root_certs: &[String], root_certs: &[String],
url: &str, url: &str,
data_builder: &G, data_builder: &G,
@ -183,7 +199,7 @@ where
T: std::str::FromStr<Err = Error>, T: std::str::FromStr<Err = Error>,
G: Fn(&str) -> Result<String, Error>, G: Fn(&str) -> Result<String, Error>,
{ {
let (obj, location, nonce) = fetch_obj(root_certs, url, data_builder, nonce)?;
let (obj, location, nonce) = fetch_obj(cert, root_certs, url, data_builder, nonce)?;
if location.is_empty() { if location.is_empty() {
Err("Location header not found.".into()) Err("Location header not found.".into())
} else { } else {
@ -192,6 +208,7 @@ where
} }
pub fn get_obj<T, G>( pub fn get_obj<T, G>(
cert: &Certificate,
root_certs: &[String], root_certs: &[String],
url: &str, url: &str,
data_builder: &G, data_builder: &G,
@ -201,11 +218,12 @@ where
T: std::str::FromStr<Err = Error>, T: std::str::FromStr<Err = Error>,
G: Fn(&str) -> Result<String, Error>, G: Fn(&str) -> Result<String, Error>,
{ {
let (obj, _, nonce) = fetch_obj(root_certs, url, data_builder, nonce)?;
let (obj, _, nonce) = fetch_obj(cert, root_certs, url, data_builder, nonce)?;
Ok((obj, nonce)) Ok((obj, nonce))
} }
pub fn pool_obj<T, G, S>( pub fn pool_obj<T, G, S>(
cert: &Certificate,
root_certs: &[String], root_certs: &[String],
url: &str, url: &str,
data_builder: &G, data_builder: &G,
@ -220,12 +238,12 @@ where
let mut nonce: String = nonce.to_string(); let mut nonce: String = nonce.to_string();
for _ in 0..crate::DEFAULT_POOL_NB_TRIES { for _ in 0..crate::DEFAULT_POOL_NB_TRIES {
thread::sleep(time::Duration::from_secs(crate::DEFAULT_POOL_WAIT_SEC)); thread::sleep(time::Duration::from_secs(crate::DEFAULT_POOL_WAIT_SEC));
let (obj, _, new_nonce) = fetch_obj(root_certs, url, data_builder, &nonce)?;
let (obj, _, new_nonce) = fetch_obj(cert, root_certs, url, data_builder, &nonce)?;
if break_fn(&obj) { if break_fn(&obj) {
return Ok((obj, new_nonce)); return Ok((obj, new_nonce));
} }
if let Some(e) = obj.get_error() { if let Some(e) = obj.get_error() {
warn!("Error: {}", e);
cert.warn(&e.prefix("Error").message);
} }
nonce = new_nonce; nonce = new_nonce;
} }
@ -234,6 +252,7 @@ where
} }
pub fn post_challenge_response<G>( pub fn post_challenge_response<G>(
cert: &Certificate,
root_certs: &[String], root_certs: &[String],
url: &str, url: &str,
data_builder: &G, data_builder: &G,
@ -243,11 +262,12 @@ where
G: Fn(&str) -> Result<String, Error>, G: Fn(&str) -> Result<String, Error>,
{ {
let (_, _, nonce): (DummyString, String, String) = let (_, _, nonce): (DummyString, String, String) =
fetch_obj(root_certs, url, data_builder, nonce)?;
fetch_obj(cert, root_certs, url, data_builder, nonce)?;
Ok(nonce) Ok(nonce)
} }
pub fn get_certificate<G>( pub fn get_certificate<G>(
cert: &Certificate,
root_certs: &[String], root_certs: &[String],
url: &str, url: &str,
data_builder: &G, data_builder: &G,
@ -257,25 +277,29 @@ where
G: Fn(&str) -> Result<String, Error>, G: Fn(&str) -> Result<String, Error>,
{ {
let (res_body, _, nonce): (DummyString, String, String) = let (res_body, _, nonce): (DummyString, String, String) =
fetch_obj(root_certs, url, data_builder, nonce)?;
fetch_obj(cert, root_certs, url, data_builder, nonce)?;
Ok((res_body.content, nonce)) Ok((res_body.content, nonce))
} }
pub fn get_directory(root_certs: &[String], url: &str) -> Result<Directory, Error> {
pub fn get_directory(
cert: &Certificate,
root_certs: &[String],
url: &str,
) -> Result<Directory, Error> {
let uri = url.parse::<Uri>()?; let uri = url.parse::<Uri>()?;
let mut request = new_request(root_certs, &uri, Method::GET);
let mut request = new_request(cert, root_certs, &uri, Method::GET);
request.header("Accept", CONTENT_TYPE_JSON); request.header("Accept", CONTENT_TYPE_JSON);
let (r, s) = send_request_retry(&request)?;
let (r, s) = send_request_retry(cert, &request)?;
check_response(&r, &s)?; check_response(&r, &s)?;
Directory::from_str(&s) Directory::from_str(&s)
} }
pub fn get_nonce(root_certs: &[String], url: &str) -> Result<String, Error> {
pub fn get_nonce(cert: &Certificate, root_certs: &[String], url: &str) -> Result<String, Error> {
let uri = url.parse::<Uri>()?; let uri = url.parse::<Uri>()?;
let request = new_request(root_certs, &uri, Method::HEAD);
let (res, res_body) = send_request_retry(&request)?;
let request = new_request(cert, root_certs, &uri, Method::HEAD);
let (res, res_body) = send_request_retry(cert, &request)?;
check_response(&res, &res_body)?; check_response(&res, &res_body)?;
nonce_from_response(&res)
nonce_from_response(cert, &res)
} }
#[cfg(test)] #[cfg(test)]

154
acmed/src/certificate.rs
View File

@ -3,40 +3,12 @@ use crate::config::{Account, Domain, HookType};
use crate::hooks::{self, ChallengeHookData, Hook, HookEnvData, PostOperationHookData}; use crate::hooks::{self, ChallengeHookData, Hook, HookEnvData, PostOperationHookData};
use crate::storage::{certificate_files_exists, get_certificate}; use crate::storage::{certificate_files_exists, get_certificate};
use acme_common::error::Error; use acme_common::error::Error;
use log::{debug, trace};
use log::{debug, info, trace, warn};
use openssl::x509::X509; use openssl::x509::X509;
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use std::fmt; use std::fmt;
use time::{strptime, Duration}; use time::{strptime, Duration};
// OpenSSL ASN1_TIME_print madness
// The real fix would be to add Asn1TimeRef access in the openssl crate.
//
// https://github.com/sfackler/rust-openssl/issues/687
// https://github.com/sfackler/rust-openssl/pull/673
fn parse_openssl_time_string(time: &str) -> Result<time::Tm, Error> {
debug!("Parsing OpenSSL time: \"{}\"", time);
let formats = [
"%b %d %T %Y %Z",
"%b %d %T %Y %Z",
"%b %d %T %Y",
"%b %d %T %Y",
"%b %d %T.%f %Y %Z",
"%b %d %T.%f %Y %Z",
"%b %d %T.%f %Y",
"%b %d %T.%f %Y",
];
for fmt in formats.iter() {
if let Ok(t) = strptime(time, fmt) {
trace!("Format \"{}\" matches", fmt);
return Ok(t);
}
trace!("Format \"{}\" does not match", fmt);
}
let msg = format!("invalid time string: {}", time);
Err(msg.into())
}
#[derive(Clone, Debug)] #[derive(Clone, Debug)]
pub enum Algorithm { pub enum Algorithm {
Rsa2048, Rsa2048,
@ -89,40 +61,60 @@ pub struct Certificate {
pub pk_file_owner: Option<String>, pub pk_file_owner: Option<String>,
pub pk_file_group: Option<String>, pub pk_file_group: Option<String>,
pub env: HashMap<String, String>, pub env: HashMap<String, String>,
pub id: usize,
} }
impl fmt::Display for Certificate { impl fmt::Display for Certificate {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
let hooks = self
.hooks
.iter()
.map(std::string::ToString::to_string)
.collect::<Vec<String>>()
.join(", ");
let domains = self
.domains
.iter()
.map(|d| format!("{} ({})", d.dns, d.challenge))
.collect::<Vec<String>>()
.join(", ");
write!(
f,
"Certificate information:
Domains: {domains}
Algorithm: {algo}
Account: {account}
Private key reuse: {kp_reuse}
Hooks: {hooks}",
domains = domains,
algo = self.algo,
account = self.account.name,
kp_reuse = self.kp_reuse,
hooks = hooks,
)
// TODO: set a more "funky" id
write!(f, "crt-{:x}", self.id)
} }
} }
impl Certificate { impl Certificate {
pub fn warn(&self, msg: &str) {
warn!("{}: {}", &self, msg);
}
pub fn info(&self, msg: &str) {
info!("{}: {}", &self, msg);
}
pub fn debug(&self, msg: &str) {
debug!("{}: {}", &self, msg);
}
pub fn trace(&self, msg: &str) {
trace!("{}: {}", &self, msg);
}
// OpenSSL ASN1_TIME_print madness
// The real fix would be to add Asn1TimeRef access in the openssl crate.
//
// https://github.com/sfackler/rust-openssl/issues/687
// https://github.com/sfackler/rust-openssl/pull/673
fn parse_openssl_time_string(&self, time: &str) -> Result<time::Tm, Error> {
self.debug(&format!("Parsing OpenSSL time: \"{}\"", time));
let formats = [
"%b %d %T %Y %Z",
"%b %d %T %Y %Z",
"%b %d %T %Y",
"%b %d %T %Y",
"%b %d %T.%f %Y %Z",
"%b %d %T.%f %Y %Z",
"%b %d %T.%f %Y",
"%b %d %T.%f %Y",
];
for fmt in formats.iter() {
if let Ok(t) = strptime(time, fmt) {
self.trace(&format!("Format \"{}\" matches", fmt));
return Ok(t);
}
self.trace(&format!("Format \"{}\" does not match", fmt));
}
Err(format!("invalid time string: {}", time).into())
}
pub fn get_domain_challenge(&self, domain_name: &str) -> Result<Challenge, Error> { pub fn get_domain_challenge(&self, domain_name: &str) -> Result<Challenge, Error> {
let domain_name = domain_name.to_string(); let domain_name = domain_name.to_string();
for d in self.domains.iter() { for d in self.domains.iter() {
@ -131,17 +123,16 @@ impl Certificate {
return Ok(c); return Ok(c);
} }
} }
let msg = format!("{}: domain name not found", domain_name);
Err(msg.into())
Err(format!("{}: domain name not found", domain_name).into())
} }
fn is_expiring(&self, cert: &X509) -> Result<bool, Error> { fn is_expiring(&self, cert: &X509) -> Result<bool, Error> {
let not_after = cert.not_after().to_string(); let not_after = cert.not_after().to_string();
let not_after = parse_openssl_time_string(&not_after)?;
debug!("not after: {}", not_after.asctime());
let not_after = self.parse_openssl_time_string(&not_after)?;
self.debug(&format!("not after: {}", not_after.asctime()));
// TODO: allow a custom duration (using time-parse ?) // TODO: allow a custom duration (using time-parse ?)
let renewal_time = not_after - Duration::weeks(3); let renewal_time = not_after - Duration::weeks(3);
debug!("renew on: {}", renewal_time.asctime());
self.debug(&format!("renew on: {}", renewal_time.asctime()));
Ok(time::now_utc() > renewal_time) Ok(time::now_utc() > renewal_time)
} }
@ -166,17 +157,17 @@ impl Certificate {
.map(std::borrow::ToOwned::to_owned) .map(std::borrow::ToOwned::to_owned)
.collect::<Vec<String>>() .collect::<Vec<String>>()
.join(", "); .join(", ");
debug!(
self.debug(&format!(
"The certificate does not include the following domains: {}", "The certificate does not include the following domains: {}",
domains domains
);
));
} }
has_miss has_miss
} }
pub fn should_renew(&self) -> Result<bool, Error> { pub fn should_renew(&self) -> Result<bool, Error> {
if !certificate_files_exists(&self) { if !certificate_files_exists(&self) {
debug!("certificate does not exist: requesting one");
self.debug("certificate does not exist: requesting one");
return Ok(true); return Ok(true);
} }
let cert = get_certificate(&self)?; let cert = get_certificate(&self)?;
@ -185,9 +176,9 @@ impl Certificate {
let renew = renew || self.is_expiring(&cert)?; let renew = renew || self.is_expiring(&cert)?;
if renew { if renew {
debug!("The certificate will be renewed now.");
self.debug("The certificate will be renewed now.");
} else { } else {
debug!("The certificate will not be renewed now.");
self.debug("The certificate will not be renewed now.");
} }
Ok(renew) Ok(renew)
} }
@ -252,7 +243,35 @@ impl Certificate {
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::parse_openssl_time_string;
use super::{Algorithm, Certificate};
use std::collections::HashMap;
fn get_dummy_certificate() -> Certificate {
Certificate {
account: crate::config::Account {
name: String::new(),
email: String::new(),
},
domains: Vec::new(),
algo: Algorithm::Rsa2048,
kp_reuse: false,
remote_url: String::new(),
tos_agreed: false,
hooks: Vec::new(),
account_directory: String::new(),
crt_directory: String::new(),
crt_name: String::new(),
crt_name_format: String::new(),
cert_file_mode: 0,
cert_file_owner: None,
cert_file_group: None,
pk_file_mode: 0,
pk_file_owner: None,
pk_file_group: None,
env: HashMap::new(),
id: 0,
}
}
#[test] #[test]
fn test_parse_openssl_time() { fn test_parse_openssl_time() {
@ -266,8 +285,9 @@ mod tests {
"May 17 18:34:07.922661874 2024", "May 17 18:34:07.922661874 2024",
"May 17 18:34:07.922661874 2024 GMT", "May 17 18:34:07.922661874 2024 GMT",
]; ];
let crt = get_dummy_certificate();
for time_str in time_str_lst.iter() { for time_str in time_str_lst.iter() {
let time_res = parse_openssl_time_string(time_str);
let time_res = crt.parse_openssl_time_string(time_str);
assert!(time_res.is_ok()); assert!(time_res.is_ok());
} }
} }

48
acmed/src/hooks.rs
View File

@ -2,7 +2,6 @@ use crate::certificate::Certificate;
use crate::config::HookType; use crate::config::HookType;
use acme_common::error::Error; use acme_common::error::Error;
use handlebars::Handlebars; use handlebars::Handlebars;
use log::debug;
use serde::Serialize; use serde::Serialize;
use std::collections::hash_map::Iter; use std::collections::hash_map::Iter;
use std::collections::HashMap; use std::collections::HashMap;
@ -102,11 +101,12 @@ impl fmt::Display for Hook {
} }
macro_rules! get_hook_output { macro_rules! get_hook_output {
($out: expr, $reg: ident, $data: expr) => {{
($cert: expr, $out: expr, $reg: ident, $data: expr, $hook_name: expr, $out_name: expr) => {{
match $out { match $out {
Some(path) => { Some(path) => {
let path = $reg.render_template(path, $data)?; let path = $reg.render_template(path, $data)?;
let file = File::create(path)?;
$cert.trace(&format!("Hook {}: {}: {}", $hook_name, $out_name, &path));
let file = File::create(&path)?;
Stdio::from(file) Stdio::from(file)
} }
None => Stdio::null(), None => Stdio::null(),
@ -114,11 +114,11 @@ macro_rules! get_hook_output {
}}; }};
} }
fn call_single<T>(data: &T, hook: &Hook) -> Result<(), Error>
fn call_single<T>(cert: &Certificate, data: &T, hook: &Hook) -> Result<(), Error>
where where
T: Clone + HookEnvData + Serialize, T: Clone + HookEnvData + Serialize,
{ {
debug!("Calling hook: {}", hook.name);
cert.debug(&format!("Calling hook: {}", hook.name));
let reg = Handlebars::new(); let reg = Handlebars::new();
let mut v = vec![]; let mut v = vec![];
let args = match &hook.args { let args = match &hook.args {
@ -131,13 +131,27 @@ where
} }
None => &[], None => &[],
}; };
debug!("Hook {}: cmd: {}", hook.name, hook.cmd);
debug!("Hook {}: args: {:?}", hook.name, args);
cert.trace(&format!("Hook {}: cmd: {}", hook.name, hook.cmd));
cert.trace(&format!("Hook {}: args: {:?}", hook.name, args));
let mut cmd = Command::new(&hook.cmd) let mut cmd = Command::new(&hook.cmd)
.envs(data.get_env()) .envs(data.get_env())
.args(args) .args(args)
.stdout(get_hook_output!(&hook.stdout, reg, &data))
.stderr(get_hook_output!(&hook.stderr, reg, &data))
.stdout(get_hook_output!(
cert,
&hook.stdout,
reg,
&data,
&hook.name,
"stdout"
))
.stderr(get_hook_output!(
cert,
&hook.stderr,
reg,
&data,
&hook.name,
"stderr"
))
.stdin(match &hook.stdin { .stdin(match &hook.stdin {
HookStdin::Str(_) | HookStdin::File(_) => Stdio::piped(), HookStdin::Str(_) | HookStdin::File(_) => Stdio::piped(),
HookStdin::None => Stdio::null(), HookStdin::None => Stdio::null(),
@ -146,13 +160,13 @@ where
match &hook.stdin { match &hook.stdin {
HookStdin::Str(s) => { HookStdin::Str(s) => {
let data_in = reg.render_template(&s, &data)?; let data_in = reg.render_template(&s, &data)?;
debug!("Hook {}: string stdin: {}", hook.name, &data_in);
cert.trace(&format!("Hook {}: string stdin: {}", hook.name, &data_in));
let stdin = cmd.stdin.as_mut().ok_or("stdin not found")?; let stdin = cmd.stdin.as_mut().ok_or("stdin not found")?;
stdin.write_all(data_in.as_bytes())?; stdin.write_all(data_in.as_bytes())?;
} }
HookStdin::File(f) => { HookStdin::File(f) => {
let file_name = reg.render_template(&f, &data)?; let file_name = reg.render_template(&f, &data)?;
debug!("Hook {}: file stdin: {}", hook.name, &file_name);
cert.trace(&format!("Hook {}: file stdin: {}", hook.name, &file_name));
let stdin = cmd.stdin.as_mut().ok_or("stdin not found")?; let stdin = cmd.stdin.as_mut().ok_or("stdin not found")?;
let file = File::open(&file_name)?; let file = File::open(&file_name)?;
let buf_reader = BufReader::new(file); let buf_reader = BufReader::new(file);
@ -167,14 +181,14 @@ where
let status = cmd.wait()?; let status = cmd.wait()?;
if !status.success() && !hook.allow_failure { if !status.success() && !hook.allow_failure {
let msg = match status.code() { let msg = match status.code() {
Some(code) => format!("Hook {}: unrecoverable failure: code {}", hook.name, code),
None => format!("Hook {}: unrecoverable failure", hook.name),
Some(code) => format!("Unrecoverable failure: code {}", code).into(),
None => "Unrecoverable failure".into(),
}; };
return Err(msg.into());
return Err(msg);
} }
match status.code() { match status.code() {
Some(code) => debug!("Hook {}: exited: code {}", hook.name, code),
None => debug!("Hook {}: exited", hook.name),
Some(code) => cert.debug(&format!("Hook {}: exited: code {}", hook.name, code)),
None => cert.debug(&format!("Hook {}: exited", hook.name)),
}; };
Ok(()) Ok(())
} }
@ -188,7 +202,7 @@ where
.iter() .iter()
.filter(|h| h.hook_type.contains(&hook_type)) .filter(|h| h.hook_type.contains(&hook_type))
{ {
call_single(data, &hook)?;
call_single(cert, data, &hook).map_err(|e| e.prefix(&hook.name))?;
} }
Ok(()) Ok(())
} }

27
acmed/src/main_event_loop.rs
View File

@ -2,7 +2,6 @@ use crate::acme_proto::request_certificate;
use crate::certificate::Certificate; use crate::certificate::Certificate;
use crate::config; use crate::config;
use acme_common::error::Error; use acme_common::error::Error;
use log::{debug, warn};
use std::thread; use std::thread;
use std::time::Duration; use std::time::Duration;
@ -16,7 +15,7 @@ impl MainEventLoop {
let cnf = config::from_file(config_file)?; let cnf = config::from_file(config_file)?;
let mut certs = Vec::new(); let mut certs = Vec::new();
for crt in cnf.certificate.iter() {
for (i, crt) in cnf.certificate.iter().enumerate() {
let cert = Certificate { let cert = Certificate {
account: crt.get_account(&cnf)?, account: crt.get_account(&cnf)?,
domains: crt.domains.to_owned(), domains: crt.domains.to_owned(),
@ -36,6 +35,7 @@ impl MainEventLoop {
pk_file_owner: cnf.get_pk_file_user(), pk_file_owner: cnf.get_pk_file_user(),
pk_file_group: cnf.get_pk_file_group(), pk_file_group: cnf.get_pk_file_group(),
env: crt.env.to_owned(), env: crt.env.to_owned(),
id: i + 1,
}; };
certs.push(cert); certs.push(cert);
} }
@ -49,7 +49,6 @@ impl MainEventLoop {
pub fn run(&mut self) { pub fn run(&mut self) {
loop { loop {
for crt in self.certs.iter_mut() { for crt in self.certs.iter_mut() {
debug!("{}", crt);
match crt.should_renew() { match crt.should_renew() {
Ok(sr) => { Ok(sr) => {
if sr { if sr {
@ -57,32 +56,22 @@ impl MainEventLoop {
match request_certificate(crt, &self.root_certs) { match request_certificate(crt, &self.root_certs) {
Ok(_) => ("Success.".to_string(), true), Ok(_) => ("Success.".to_string(), true),
Err(e) => { Err(e) => {
let msg = format!(
"Unable to renew the {} certificate for {}: {}",
crt.algo,
&crt.domains.first().unwrap().dns,
e
);
warn!("{}", msg);
(format!("Failed: {}", msg), false)
let e = e.prefix("Unable to renew the certificate");
crt.warn(&e.message);
(e.message, false)
} }
}; };
match crt.call_post_operation_hooks(&status, is_success) { match crt.call_post_operation_hooks(&status, is_success) {
Ok(_) => {} Ok(_) => {}
Err(e) => { Err(e) => {
let msg = format!(
"{} certificate for {}: post-operation hook error: {}",
crt.algo,
&crt.domains.first().unwrap().dns,
e
);
warn!("{}", msg);
let e = e.prefix("Post-operation hook error");
crt.warn(&e.message);
} }
}; };
} }
} }
Err(e) => { Err(e) => {
warn!("{}", e);
crt.warn(&e.message);
} }
}; };
} }

25
acmed/src/storage.rs
View File

@ -3,7 +3,6 @@ use crate::config::HookType;
use crate::hooks::{self, FileStorageHookData, HookEnvData}; use crate::hooks::{self, FileStorageHookData, HookEnvData};
use acme_common::b64_encode; use acme_common::b64_encode;
use acme_common::error::Error; use acme_common::error::Error;
use log::trace;
use openssl::pkey::{PKey, Private, Public}; use openssl::pkey::{PKey, Private, Public};
use openssl::x509::X509; use openssl::x509::X509;
use std::collections::HashMap; use std::collections::HashMap;
@ -72,8 +71,8 @@ fn get_file_path(cert: &Certificate, file_type: FileType) -> Result<PathBuf, Err
Ok(path) Ok(path)
} }
fn read_file(path: &PathBuf) -> Result<Vec<u8>, Error> {
trace!("Reading file {:?}", path);
fn read_file(cert: &Certificate, path: &PathBuf) -> Result<Vec<u8>, Error> {
cert.trace(&format!("Reading file {:?}", path));
let mut file = File::open(path)?; let mut file = File::open(path)?;
let mut contents = vec![]; let mut contents = vec![];
file.read_to_end(&mut contents)?; file.read_to_end(&mut contents)?;
@ -120,12 +119,12 @@ fn set_owner(cert: &Certificate, path: &PathBuf, file_type: FileType) -> Result<
None => None, None => None,
}; };
match uid { match uid {
Some(u) => trace!("Setting the uid to {}", u.as_raw()),
None => trace!("Uid unchanged"),
Some(u) => cert.trace(&format!("{:?}: setting the uid to {}", path, u.as_raw())),
None => cert.trace(&format!("{:?}: uid unchanged", path)),
}; };
match gid { match gid {
Some(g) => trace!("Setting the gid to {}", g.as_raw()),
None => trace!("Gid unchanged"),
Some(g) => cert.trace(&format!("{:?}: setting the gid to {}", path, g.as_raw())),
None => cert.trace(&format!("{:?}: gid unchanged", path)),
}; };
match nix::unistd::chown(path, uid, gid) { match nix::unistd::chown(path, uid, gid) {
Ok(_) => Ok(()), Ok(_) => Ok(()),
@ -150,7 +149,7 @@ fn write_file(cert: &Certificate, file_type: FileType, data: &[u8]) -> Result<()
hooks::call(cert, &hook_data, HookType::FilePreEdit)?; hooks::call(cert, &hook_data, HookType::FilePreEdit)?;
} }
trace!("Writing file {:?}", path);
cert.trace(&format!("Writing file {:?}", path));
let mut file = if cfg!(unix) { let mut file = if cfg!(unix) {
let mut options = OpenOptions::new(); let mut options = OpenOptions::new();
options.mode(match &file_type { options.mode(match &file_type {
@ -178,7 +177,7 @@ fn write_file(cert: &Certificate, file_type: FileType, data: &[u8]) -> Result<()
pub fn get_account_priv_key(cert: &Certificate) -> Result<PKey<Private>, Error> { pub fn get_account_priv_key(cert: &Certificate) -> Result<PKey<Private>, Error> {
let path = get_file_path(cert, FileType::AccountPrivateKey)?; let path = get_file_path(cert, FileType::AccountPrivateKey)?;
let raw_key = read_file(&path)?;
let raw_key = read_file(cert, &path)?;
let key = PKey::private_key_from_pem(&raw_key)?; let key = PKey::private_key_from_pem(&raw_key)?;
Ok(key) Ok(key)
} }
@ -190,7 +189,7 @@ pub fn set_account_priv_key(cert: &Certificate, key: &PKey<Private>) -> Result<(
pub fn get_account_pub_key(cert: &Certificate) -> Result<PKey<Public>, Error> { pub fn get_account_pub_key(cert: &Certificate) -> Result<PKey<Public>, Error> {
let path = get_file_path(cert, FileType::AccountPublicKey)?; let path = get_file_path(cert, FileType::AccountPublicKey)?;
let raw_key = read_file(&path)?;
let raw_key = read_file(cert, &path)?;
let key = PKey::public_key_from_pem(&raw_key)?; let key = PKey::public_key_from_pem(&raw_key)?;
Ok(key) Ok(key)
} }
@ -202,7 +201,7 @@ pub fn set_account_pub_key(cert: &Certificate, key: &PKey<Public>) -> Result<(),
pub fn get_priv_key(cert: &Certificate) -> Result<PKey<Private>, Error> { pub fn get_priv_key(cert: &Certificate) -> Result<PKey<Private>, Error> {
let path = get_file_path(cert, FileType::PrivateKey)?; let path = get_file_path(cert, FileType::PrivateKey)?;
let raw_key = read_file(&path)?;
let raw_key = read_file(cert, &path)?;
let key = PKey::private_key_from_pem(&raw_key)?; let key = PKey::private_key_from_pem(&raw_key)?;
Ok(key) Ok(key)
} }
@ -219,7 +218,7 @@ pub fn get_pub_key(cert: &Certificate) -> Result<PKey<Public>, Error> {
pub fn get_certificate(cert: &Certificate) -> Result<X509, Error> { pub fn get_certificate(cert: &Certificate) -> Result<X509, Error> {
let path = get_file_path(cert, FileType::Certificate)?; let path = get_file_path(cert, FileType::Certificate)?;
let raw_crt = read_file(&path)?;
let raw_crt = read_file(cert, &path)?;
let crt = X509::from_pem(&raw_crt)?; let crt = X509::from_pem(&raw_crt)?;
Ok(crt) Ok(crt)
} }
@ -236,7 +235,7 @@ fn check_files(cert: &Certificate, file_types: &[FileType]) -> bool {
return false; return false;
} }
}; };
trace!("Testing file path: {}", path.to_str().unwrap());
cert.trace(&format!("Testing file path: {}", path.to_str().unwrap()));
if !path.is_file() { if !path.is_file() {
return false; return false;
} }

Write Preview
Loading…
Cancel
Save