From 842cff130b801b1605f7bdaa49614ea5375dfdbe Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Thu, 1 Jul 2021 09:57:26 +1000 Subject: [PATCH] Re-add missing certbot force renewal flag and cleaned up this horrible file a bit --- backend/internal/certificate.js | 233 +++++++++++++++----------------- 1 file changed, 108 insertions(+), 125 deletions(-) diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js index 17130c2..96972fe 100644 --- a/backend/internal/certificate.js +++ b/backend/internal/certificate.js @@ -1,19 +1,18 @@ -const fs = require('fs'); -const _ = require('lodash'); -const logger = require('../logger').ssl; -const error = require('../lib/error'); -const certificateModel = require('../models/certificate'); -const internalAuditLog = require('./audit-log'); -const tempWrite = require('temp-write'); -const utils = require('../lib/utils'); -const moment = require('moment'); -const debug_mode = process.env.NODE_ENV !== 'production' || !!process.env.DEBUG; -const le_staging = process.env.NODE_ENV !== 'production'; -const internalNginx = require('./nginx'); -const internalHost = require('./host'); -const certbot_command = 'certbot'; -const le_config = '/etc/letsencrypt.ini'; -const dns_plugins = require('../global/certbot-dns-plugins'); +const _ = require('lodash'); +const fs = require('fs'); +const tempWrite = require('temp-write'); +const moment = require('moment'); +const logger = require('../logger').ssl; +const error = require('../lib/error'); +const utils = require('../lib/utils'); +const certificateModel = require('../models/certificate'); +const dnsPlugins = require('../global/certbot-dns-plugins'); +const internalAuditLog = require('./audit-log'); +const internalNginx = require('./nginx'); +const internalHost = require('./host'); +const letsencryptStaging = process.env.NODE_ENV !== 'production'; +const letsencryptConfig = '/etc/letsencrypt.ini'; +const certbotCommand = 'certbot'; function omissions() { return ['is_deleted']; @@ -21,14 +20,14 @@ function omissions() { const internalCertificate = { - allowed_ssl_files: ['certificate', 'certificate_key', 'intermediate_certificate'], - interval_timeout: 1000 * 60 * 60, // 1 hour - interval: null, - interval_processing: false, + allowedSslFiles: ['certificate', 'certificate_key', 'intermediate_certificate'], + intervalTimeout: 1000 * 60 * 60, // 1 hour + interval: null, + intervalProcessing: false, initTimer: () => { logger.info('Let\'s Encrypt Renewal Timer initialized'); - internalCertificate.interval = setInterval(internalCertificate.processExpiringHosts, internalCertificate.interval_timeout); + internalCertificate.interval = setInterval(internalCertificate.processExpiringHosts, internalCertificate.intervalTimeout); // And do this now as well internalCertificate.processExpiringHosts(); }, @@ -37,15 +36,15 @@ const internalCertificate = { * Triggered by a timer, this will check for expiring hosts and renew their ssl certs if required */ processExpiringHosts: () => { - if (!internalCertificate.interval_processing) { - internalCertificate.interval_processing = true; + if (!internalCertificate.intervalProcessing) { + internalCertificate.intervalProcessing = true; logger.info('Renewing SSL certs close to expiry...'); - let cmd = certbot_command + ' renew --non-interactive --quiet ' + - '--config "' + le_config + '" ' + + const cmd = certbotCommand + ' renew --non-interactive --quiet ' + + '--config "' + letsencryptConfig + '" ' + '--preferred-challenges "dns,http" ' + '--disable-hook-validation ' + - (le_staging ? '--staging' : ''); + (letsencryptStaging ? '--staging' : ''); return utils.exec(cmd) .then((result) => { @@ -93,11 +92,11 @@ const internalCertificate = { }); }) .then(() => { - internalCertificate.interval_processing = false; + internalCertificate.intervalProcessing = false; }) .catch((err) => { logger.error(err); - internalCertificate.interval_processing = false; + internalCertificate.intervalProcessing = false; }); } }, @@ -221,7 +220,7 @@ const internalCertificate = { await certificateModel .query() .deleteById(certificate.id); - + throw error; }); } else { @@ -448,11 +447,9 @@ const internalCertificate = { * @returns {Promise} */ writeCustomCert: (certificate) => { - if (debug_mode) { - logger.info('Writing Custom Certificate:', certificate); - } + logger.info('Writing Custom Certificate:', certificate); - let dir = '/data/custom_ssl/npm-' + certificate.id; + const dir = '/data/custom_ssl/npm-' + certificate.id; return new Promise((resolve, reject) => { if (certificate.provider === 'letsencrypt') { @@ -460,9 +457,9 @@ const internalCertificate = { return; } - let cert_data = certificate.meta.certificate; + let certData = certificate.meta.certificate; if (typeof certificate.meta.intermediate_certificate !== 'undefined') { - cert_data = cert_data + '\n' + certificate.meta.intermediate_certificate; + certData = certData + '\n' + certificate.meta.intermediate_certificate; } try { @@ -474,7 +471,7 @@ const internalCertificate = { return; } - fs.writeFile(dir + '/fullchain.pem', cert_data, function (err) { + fs.writeFile(dir + '/fullchain.pem', certData, function (err) { if (err) { reject(err); } else { @@ -524,7 +521,7 @@ const internalCertificate = { // Put file contents into an object let files = {}; _.map(data.files, (file, name) => { - if (internalCertificate.allowed_ssl_files.indexOf(name) !== -1) { + if (internalCertificate.allowedSslFiles.indexOf(name) !== -1) { files[name] = file.data.toString(); } }); @@ -582,7 +579,7 @@ const internalCertificate = { } _.map(data.files, (file, name) => { - if (internalCertificate.allowed_ssl_files.indexOf(name) !== -1) { + if (internalCertificate.allowedSslFiles.indexOf(name) !== -1) { row.meta[name] = file.data.toString(); } }); @@ -601,7 +598,7 @@ const internalCertificate = { }); }) .then(() => { - return _.pick(row.meta, internalCertificate.allowed_ssl_files); + return _.pick(row.meta, internalCertificate.allowedSslFiles); }); }); }, @@ -649,9 +646,9 @@ const internalCertificate = { return tempWrite(certificate, '/tmp') .then((filepath) => { return internalCertificate.getCertificateInfoFromFile(filepath, throw_expired) - .then((cert_data) => { + .then((certData) => { fs.unlinkSync(filepath); - return cert_data; + return certData; }).catch((err) => { fs.unlinkSync(filepath); throw err; @@ -667,33 +664,33 @@ const internalCertificate = { * @param {Boolean} [throw_expired] Throw when the certificate is out of date */ getCertificateInfoFromFile: (certificate_file, throw_expired) => { - let cert_data = {}; + let certData = {}; return utils.exec('openssl x509 -in ' + certificate_file + ' -subject -noout') .then((result) => { // subject=CN = something.example.com - let regex = /(?:subject=)?[^=]+=\s+(\S+)/gim; - let match = regex.exec(result); + const regex = /(?:subject=)?[^=]+=\s+(\S+)/gim; + const match = regex.exec(result); if (typeof match[1] === 'undefined') { throw new error.ValidationError('Could not determine subject from certificate: ' + result); } - cert_data['cn'] = match[1]; + certData['cn'] = match[1]; }) .then(() => { return utils.exec('openssl x509 -in ' + certificate_file + ' -issuer -noout'); }) .then((result) => { // issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 - let regex = /^(?:issuer=)?(.*)$/gim; - let match = regex.exec(result); + const regex = /^(?:issuer=)?(.*)$/gim; + const match = regex.exec(result); if (typeof match[1] === 'undefined') { throw new error.ValidationError('Could not determine issuer from certificate: ' + result); } - cert_data['issuer'] = match[1]; + certData['issuer'] = match[1]; }) .then(() => { return utils.exec('openssl x509 -in ' + certificate_file + ' -dates -noout'); @@ -701,39 +698,39 @@ const internalCertificate = { .then((result) => { // notBefore=Jul 14 04:04:29 2018 GMT // notAfter=Oct 12 04:04:29 2018 GMT - let valid_from = null; - let valid_to = null; + let validFrom = null; + let validTo = null; - let lines = result.split('\n'); + const lines = result.split('\n'); lines.map(function (str) { - let regex = /^(\S+)=(.*)$/gim; - let match = regex.exec(str.trim()); + const regex = /^(\S+)=(.*)$/gim; + const match = regex.exec(str.trim()); if (match && typeof match[2] !== 'undefined') { - let date = parseInt(moment(match[2], 'MMM DD HH:mm:ss YYYY z').format('X'), 10); + const date = parseInt(moment(match[2], 'MMM DD HH:mm:ss YYYY z').format('X'), 10); if (match[1].toLowerCase() === 'notbefore') { - valid_from = date; + validFrom = date; } else if (match[1].toLowerCase() === 'notafter') { - valid_to = date; + validTo = date; } } }); - if (!valid_from || !valid_to) { + if (!validFrom || !validTo) { throw new error.ValidationError('Could not determine dates from certificate: ' + result); } - if (throw_expired && valid_to < parseInt(moment().format('X'), 10)) { + if (throw_expired && validTo < parseInt(moment().format('X'), 10)) { throw new error.ValidationError('Certificate has expired'); } - cert_data['dates'] = { - from: valid_from, - to: valid_to + certData['dates'] = { + from: validFrom, + to: validTo }; - return cert_data; + return certData; }).catch((err) => { throw new error.ValidationError('Certificate is not valid (' + err.message + ')', err); }); @@ -747,7 +744,7 @@ const internalCertificate = { * @returns {Object} */ cleanMeta: function (meta, remove) { - internalCertificate.allowed_ssl_files.map((key) => { + internalCertificate.allowedSslFiles.map((key) => { if (typeof meta[key] !== 'undefined' && meta[key]) { if (remove) { delete meta[key]; @@ -767,18 +764,16 @@ const internalCertificate = { requestLetsEncryptSsl: (certificate) => { logger.info('Requesting Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', ')); - let cmd = certbot_command + ' certonly --non-interactive ' + - '--config "' + le_config + '" ' + + const cmd = certbotCommand + ' certonly --non-interactive ' + + '--config "' + letsencryptConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--agree-tos ' + '--email "' + certificate.meta.letsencrypt_email + '" ' + '--preferred-challenges "dns,http" ' + '--domains "' + certificate.domain_names.join(',') + '" ' + - (le_staging ? '--staging' : ''); + (letsencryptStaging ? '--staging' : ''); - if (debug_mode) { - logger.info('Command:', cmd); - } + logger.info('Command:', cmd); return utils.exec(cmd) .then((result) => { @@ -788,14 +783,14 @@ const internalCertificate = { }, /** - * @param {Object} certificate the certificate row - * @param {String} dns_provider the dns provider name (key used in `certbot-dns-plugins.js`) - * @param {String | null} credentials the content of this providers credentials file - * @param {String} propagation_seconds the cloudflare api token + * @param {Object} certificate the certificate row + * @param {String} dns_provider the dns provider name (key used in `certbot-dns-plugins.js`) + * @param {String | null} credentials the content of this providers credentials file + * @param {String} propagation_seconds the cloudflare api token * @returns {Promise} */ requestLetsEncryptSslWithDnsChallenge: (certificate) => { - const dns_plugin = dns_plugins[certificate.meta.dns_provider]; + const dns_plugin = dnsPlugins[certificate.meta.dns_provider]; if (!dns_plugin) { throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`); @@ -803,46 +798,43 @@ const internalCertificate = { logger.info(`Requesting Let'sEncrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`); - const credentials_loc = '/etc/letsencrypt/credentials/credentials-' + certificate.id; - const credentials_cmd = 'mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + certificate.meta.dns_provider_credentials.replace('\'', '\\\'') + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\''; - const prepare_cmd = 'pip install ' + dns_plugin.package_name + '==' + dns_plugin.package_version + ' ' + dns_plugin.dependencies; + const credentialsLocation = '/etc/letsencrypt/credentials/credentials-' + certificate.id; + const credentialsCmd = 'mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + certificate.meta.dns_provider_credentials.replace('\'', '\\\'') + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\''; + const prepareCmd = 'pip install ' + dns_plugin.package_name + '==' + dns_plugin.package_version + ' ' + dns_plugin.dependencies; // Whether the plugin has a ---credentials argument - const has_config_arg = certificate.meta.dns_provider !== 'route53'; + const hasConfigArg = certificate.meta.dns_provider !== 'route53'; - let main_cmd = - certbot_command + ' certonly --non-interactive ' + + let mainCmd = certbotCommand + ' certonly --non-interactive ' + '--cert-name "npm-' + certificate.id + '" ' + '--agree-tos ' + - '--email "' + certificate.meta.letsencrypt_email + '" ' + + '--email "' + certificate.meta.letsencrypt_email + '" ' + '--domains "' + certificate.domain_names.join(',') + '" ' + '--authenticator ' + dns_plugin.full_plugin_name + ' ' + ( - has_config_arg - ? '--' + dns_plugin.full_plugin_name + '-credentials "' + credentials_loc + '"' + hasConfigArg + ? '--' + dns_plugin.full_plugin_name + '-credentials "' + credentialsLocation + '"' : '' ) + ( - certificate.meta.propagation_seconds !== undefined - ? ' --' + dns_plugin.full_plugin_name + '-propagation-seconds ' + certificate.meta.propagation_seconds + certificate.meta.propagation_seconds !== undefined + ? ' --' + dns_plugin.full_plugin_name + '-propagation-seconds ' + certificate.meta.propagation_seconds : '' ) + - (le_staging ? ' --staging' : ''); + (letsencryptStaging ? ' --staging' : ''); // Prepend the path to the credentials file as an environment variable if (certificate.meta.dns_provider === 'route53') { - main_cmd = 'AWS_CONFIG_FILE=\'' + credentials_loc + '\' ' + main_cmd; + mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd; } - if (debug_mode) { - logger.info('Command:', `${credentials_cmd} && ${prepare_cmd} && ${main_cmd}`); - } + logger.info('Command:', `${credentialsCmd} && ${prepareCmd} && ${mainCmd}`); - return utils.exec(credentials_cmd) + return utils.exec(credentialsCmd) .then(() => { - return utils.exec(prepare_cmd) + return utils.exec(prepareCmd) .then(() => { - return utils.exec(main_cmd) + return utils.exec(mainCmd) .then(async (result) => { logger.info(result); return result; @@ -850,8 +842,8 @@ const internalCertificate = { }); }).catch(async (err) => { // Don't fail if file does not exist - const delete_credentials_cmd = `rm -f '${credentials_loc}' || true`; - await utils.exec(delete_credentials_cmd); + const delete_credentialsCmd = `rm -f '${credentialsLocation}' || true`; + await utils.exec(delete_credentialsCmd); throw err; }); }, @@ -870,7 +862,7 @@ const internalCertificate = { }) .then((certificate) => { if (certificate.provider === 'letsencrypt') { - let renewMethod = certificate.meta.dns_challenge ? internalCertificate.renewLetsEncryptSslWithDnsChallenge : internalCertificate.renewLetsEncryptSsl; + const renewMethod = certificate.meta.dns_challenge ? internalCertificate.renewLetsEncryptSslWithDnsChallenge : internalCertificate.renewLetsEncryptSsl; return renewMethod(certificate) .then(() => { @@ -908,16 +900,14 @@ const internalCertificate = { renewLetsEncryptSsl: (certificate) => { logger.info('Renewing Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', ')); - let cmd = certbot_command + ' renew --non-interactive ' + - '--config "' + le_config + '" ' + + const cmd = certbotCommand + ' renew --force-renewal --non-interactive ' + + '--config "' + letsencryptConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--preferred-challenges "dns,http" ' + '--disable-hook-validation ' + - (le_staging ? '--staging' : ''); + (letsencryptStaging ? '--staging' : ''); - if (debug_mode) { - logger.info('Command:', cmd); - } + logger.info('Command:', cmd); return utils.exec(cmd) .then((result) => { @@ -931,7 +921,7 @@ const internalCertificate = { * @returns {Promise} */ renewLetsEncryptSslWithDnsChallenge: (certificate) => { - const dns_plugin = dns_plugins[certificate.meta.dns_provider]; + const dns_plugin = dnsPlugins[certificate.meta.dns_provider]; if (!dns_plugin) { throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`); @@ -939,23 +929,20 @@ const internalCertificate = { logger.info(`Renewing Let'sEncrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`); - let main_cmd = - certbot_command + ' renew --non-interactive ' + + let mainCmd = certbotCommand + ' renew --non-interactive ' + '--cert-name "npm-' + certificate.id + '" ' + '--disable-hook-validation' + - (le_staging ? ' --staging' : ''); + (letsencryptStaging ? ' --staging' : ''); // Prepend the path to the credentials file as an environment variable if (certificate.meta.dns_provider === 'route53') { - const credentials_loc = '/etc/letsencrypt/credentials/credentials-' + certificate.id; - main_cmd = 'AWS_CONFIG_FILE=\'' + credentials_loc + '\' ' + main_cmd; + const credentialsLocation = '/etc/letsencrypt/credentials/credentials-' + certificate.id; + mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd; } - if (debug_mode) { - logger.info('Command:', main_cmd); - } + logger.info('Command:', mainCmd); - return utils.exec(main_cmd) + return utils.exec(mainCmd) .then(async (result) => { logger.info(result); return result; @@ -970,28 +957,24 @@ const internalCertificate = { revokeLetsEncryptSsl: (certificate, throw_errors) => { logger.info('Revoking Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', ')); - const main_cmd = certbot_command + ' revoke --non-interactive ' + + const mainCmd = certbotCommand + ' revoke --non-interactive ' + '--cert-path "/etc/letsencrypt/live/npm-' + certificate.id + '/fullchain.pem" ' + '--delete-after-revoke ' + - (le_staging ? '--staging' : ''); + (letsencryptStaging ? '--staging' : ''); // Don't fail command if file does not exist - const delete_credentials_cmd = `rm -f '/etc/letsencrypt/credentials/credentials-${certificate.id}' || true`; + const delete_credentialsCmd = `rm -f '/etc/letsencrypt/credentials/credentials-${certificate.id}' || true`; - if (debug_mode) { - logger.info('Command:', main_cmd + '; ' + delete_credentials_cmd); - } + logger.info('Command:', mainCmd + '; ' + delete_credentialsCmd); - return utils.exec(main_cmd) + return utils.exec(mainCmd) .then(async (result) => { - await utils.exec(delete_credentials_cmd); + await utils.exec(delete_credentialsCmd); logger.info(result); return result; }) .catch((err) => { - if (debug_mode) { - logger.error(err.message); - } + logger.error(err.message); if (throw_errors) { throw err; @@ -1004,9 +987,9 @@ const internalCertificate = { * @returns {Boolean} */ hasLetsEncryptSslCerts: (certificate) => { - let le_path = '/etc/letsencrypt/live/npm-' + certificate.id; + const letsencryptPath = '/etc/letsencrypt/live/npm-' + certificate.id; - return fs.existsSync(le_path + '/fullchain.pem') && fs.existsSync(le_path + '/privkey.pem'); + return fs.existsSync(letsencryptPath + '/fullchain.pem') && fs.existsSync(letsencryptPath + '/privkey.pem'); }, /**