From 365e7af6fd66f8ea64d7e390459681edd26a55fc Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Fri, 7 Jun 2019 15:55:24 -0700 Subject: [PATCH] Added support for wildcard Let's Encrypt certs. --- certoperations.js | 28 +++++++++++++++++++--------- letsEncrypt.js | 2 +- meshcentral.js | 1 + meshuser.js | 2 +- package.json | 2 +- views/agentinvite.handlebars | 4 ++-- webserver.js | 4 ++-- 7 files changed, 27 insertions(+), 16 deletions(-) diff --git a/certoperations.js b/certoperations.js index 70bbfd33..a0f7fff4 100644 --- a/certoperations.js +++ b/certoperations.js @@ -196,7 +196,7 @@ module.exports.CertificateOperations = function (parent) { } // Return true if the name is found in the certificates names, we support wildcard certificates - function compareCertificateNames(certNames, name) { + obj.compareCertificateNames = function(certNames, name) { if (certNames == null) return false; if (certNames.indexOf(name.toLowerCase()) >= 0) return true; for (var i in certNames) { @@ -317,9 +317,14 @@ module.exports.CertificateOperations = function (parent) { if (commonName.startsWith('*.')) { console.log("ERROR: Server can't use a wildcard name: " + commonName); process.exit(0); return; } r.CommonName = commonName; } - r.CommonNames = [r.CommonName.toLowerCase()]; + r.CommonNames = [ r.CommonName.toLowerCase() ]; var altNames = webCertificate.getExtension("subjectAltName"); - if (altNames) { for (i = 0; i < altNames.altNames.length; i++) { r.CommonNames.push(altNames.altNames[i].value.toLowerCase()); } } + if (altNames) { + for (i = 0; i < altNames.altNames.length; i++) { + var acn = altNames.altNames[i].value.toLowerCase(); + if (r.CommonNames.indexOf(acn) == -1) { r.CommonNames.push(acn); } + } + } var rootCertificate = obj.pki.certificateFromPem(r.root.cert); r.RootName = rootCertificate.subject.getField("CN").value; } @@ -330,7 +335,7 @@ module.exports.CertificateOperations = function (parent) { if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) { dnsname = config.domains[i].dns; // Check if this domain matches a parent wildcard cert, if so, use the parent cert. - if (compareCertificateNames(r.CommonNames, dnsname) == true) { + if (obj.compareCertificateNames(r.CommonNames, dnsname) == true) { r.dns[i] = { cert: obj.fileLoad("webserver-cert-public.crt", "utf8"), key: obj.fileLoad("webserver-cert-private.key", "utf8") }; } else { if (args.tlsoffload) { @@ -374,7 +379,7 @@ module.exports.CertificateOperations = function (parent) { if (certargs == null) { commonName = r.CommonName; country = xcountry; organization = xorganization; } // Check if we have correct certificates - if (compareCertificateNames(r.CommonNames, commonName) == false) { forceWebCertGen = 1; } + if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { forceWebCertGen = 1; } if (r.AmtMpsName != mpsCommonName) { forceMpsCertGen = 1; } // If the certificates matches what we want, use them. @@ -426,9 +431,14 @@ module.exports.CertificateOperations = function (parent) { obj.fs.writeFileSync(parent.getConfigFilePath("webserver-cert-private.key"), webPrivateKey); } else { // Keep the console certificate we have - webCertAndKey = { cert: obj.pki.certificateFromPem(r.web.cert), key: obj.pki.privateKeyFromPem(r.web.key) }; - webCertificate = r.web.cert; - webPrivateKey = r.web.key; + if (args.tlsoffload) { + webCertAndKey = { cert: obj.pki.certificateFromPem(r.web.cert) }; + webCertificate = r.web.cert; + } else { + webCertAndKey = { cert: obj.pki.certificateFromPem(r.web.cert), key: obj.pki.privateKeyFromPem(r.web.key) }; + webCertificate = r.web.cert; + webPrivateKey = r.web.key; + } } var webIssuer = webCertAndKey.cert.issuer.getField("CN").value; @@ -486,7 +496,7 @@ module.exports.CertificateOperations = function (parent) { if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) { dnsname = config.domains[i].dns; // Check if this domain matches a parent wildcard cert, if so, use the parent cert. - if (compareCertificateNames(r.CommonNames, dnsname) == true) { + if (obj.compareCertificateNames(r.CommonNames, dnsname) == true) { r.dns[i] = { cert: obj.fileLoad("webserver-cert-public.crt", "utf8"), key: obj.fileLoad("webserver-cert-private.key", "utf8") }; } else { if (!args.tlsoffload) { diff --git a/letsEncrypt.js b/letsEncrypt.js index dbba73a7..d4c39c2a 100644 --- a/letsEncrypt.js +++ b/letsEncrypt.js @@ -92,7 +92,7 @@ module.exports.CreateLetsEncrypt = function (parent) { certs.web.ca = [results.chain]; } for (var i in obj.parent.config.domains) { - if ((obj.parent.config.domains[i].dns != null) && (results.altnames.indexOf(obj.parent.config.domains[i].dns) >= 0)) { + if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(results.altnames, obj.parent.config.domains[i].dns))) { certs.dns[i].cert = results.cert; certs.dns[i].key = results.privkey; certs.dns[i].ca = [results.chain]; diff --git a/meshcentral.js b/meshcentral.js index f6d12fb1..3414ad74 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -816,6 +816,7 @@ function CreateMeshCentralServer(config, args) { if ((obj.config.smtp != null) && (obj.config.smtp.host != null) && (obj.config.smtp.from != null)) { obj.mailserver = require('./meshmail.js').CreateMeshMail(obj); obj.mailserver.verify(); + if (obj.args.lanonly == true) { console.log("WARNING: SMTP server has limited use in LAN mode."); } } // Start periodic maintenance diff --git a/meshuser.js b/meshuser.js index 4fb4fb2b..3e66fa0a 100644 --- a/meshuser.js +++ b/meshuser.js @@ -283,7 +283,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use var httpport = ((args.aliasport != null) ? args.aliasport : args.port); // Build server information object - var serverinfo = { name: domain.dns ? domain.dns : parent.certificates.CommonName, mpsname: parent.certificates.AmtMpsName, mpsport: mpsport, mpspass: args.mpspass, port: httpport, emailcheck: ((parent.parent.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap')), domainauth: ((domain.auth == 'sspi') || (domain.auth == 'ldap')) }; + var serverinfo = { name: domain.dns ? domain.dns : parent.certificates.CommonName, mpsname: parent.certificates.AmtMpsName, mpsport: mpsport, mpspass: args.mpspass, port: httpport, emailcheck: ((parent.parent.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap') && (args.lanonly != true) && (parent.certificates.CommonName != null) && (parent.certificates.CommonName.indexOf('.') != -1)), domainauth: ((domain.auth == 'sspi') || (domain.auth == 'ldap')) }; if (args.notls == true) { serverinfo.https = false; } else { serverinfo.https = true; serverinfo.redirport = args.redirport; } if (typeof domain.userconsentflags == 'number') { serverinfo.consent = domain.userconsentflags; } if ((typeof domain.usersessionidletimeout == 'number') && (domain.usersessionidletimeout > 0)) { serverinfo.timeout = (domain.usersessionidletimeout * 60 * 1000); } diff --git a/package.json b/package.json index 4689b154..da564b90 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "meshcentral", - "version": "0.3.6-f", + "version": "0.3.6-g", "keywords": [ "Remote Management", "Intel AMT", diff --git a/views/agentinvite.handlebars b/views/agentinvite.handlebars index 35ebde61..6ddcd984 100644 --- a/views/agentinvite.handlebars +++ b/views/agentinvite.handlebars @@ -31,7 +31,7 @@ } .tab button.active { - background-color: #ccc; + background-color: #8f8; } .tabcontent { @@ -39,7 +39,7 @@ padding: 6px 12px; border: 1px solid #ccc; border-top: none; - } + } diff --git a/webserver.js b/webserver.js index df22741e..e6fe902b 100644 --- a/webserver.js +++ b/webserver.js @@ -911,7 +911,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { // Called to process an account reset request function handleResetAccountRequest(req, res) { const domain = checkUserIpAddress(req, res); - if ((domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap')) { res.sendStatus(404); return; } + if ((domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (obj.args.lanonly == true) || (obj.parent.certificates.CommonName == null) || (obj.parent.certificates.CommonName.indexOf('.') == -1)) { res.sendStatus(404); return; } // Get the email from the body or session. var email = req.body.email; @@ -1416,7 +1416,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { var message = ''; if (err != null) message = '

' + err + '

'; if (msg != null) message = '

' + msg + '

'; - var emailcheck = ((obj.parent.mailserver != null) && (domain.auth != 'sspi')); + var emailcheck = ((obj.parent.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap')) // Check if we are allowed to create new users using the login screen var newAccountsAllowed = true;