mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-25 14:45:52 -05:00
Added support for wildcard Let's Encrypt certs.
This commit is contained in:
parent
14470a1de3
commit
365e7af6fd
@ -196,7 +196,7 @@ module.exports.CertificateOperations = function (parent) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Return true if the name is found in the certificates names, we support wildcard certificates
|
// Return true if the name is found in the certificates names, we support wildcard certificates
|
||||||
function compareCertificateNames(certNames, name) {
|
obj.compareCertificateNames = function(certNames, name) {
|
||||||
if (certNames == null) return false;
|
if (certNames == null) return false;
|
||||||
if (certNames.indexOf(name.toLowerCase()) >= 0) return true;
|
if (certNames.indexOf(name.toLowerCase()) >= 0) return true;
|
||||||
for (var i in certNames) {
|
for (var i in certNames) {
|
||||||
@ -317,9 +317,14 @@ module.exports.CertificateOperations = function (parent) {
|
|||||||
if (commonName.startsWith('*.')) { console.log("ERROR: Server can't use a wildcard name: " + commonName); process.exit(0); return; }
|
if (commonName.startsWith('*.')) { console.log("ERROR: Server can't use a wildcard name: " + commonName); process.exit(0); return; }
|
||||||
r.CommonName = commonName;
|
r.CommonName = commonName;
|
||||||
}
|
}
|
||||||
r.CommonNames = [r.CommonName.toLowerCase()];
|
r.CommonNames = [ r.CommonName.toLowerCase() ];
|
||||||
var altNames = webCertificate.getExtension("subjectAltName");
|
var altNames = webCertificate.getExtension("subjectAltName");
|
||||||
if (altNames) { for (i = 0; i < altNames.altNames.length; i++) { r.CommonNames.push(altNames.altNames[i].value.toLowerCase()); } }
|
if (altNames) {
|
||||||
|
for (i = 0; i < altNames.altNames.length; i++) {
|
||||||
|
var acn = altNames.altNames[i].value.toLowerCase();
|
||||||
|
if (r.CommonNames.indexOf(acn) == -1) { r.CommonNames.push(acn); }
|
||||||
|
}
|
||||||
|
}
|
||||||
var rootCertificate = obj.pki.certificateFromPem(r.root.cert);
|
var rootCertificate = obj.pki.certificateFromPem(r.root.cert);
|
||||||
r.RootName = rootCertificate.subject.getField("CN").value;
|
r.RootName = rootCertificate.subject.getField("CN").value;
|
||||||
}
|
}
|
||||||
@ -330,7 +335,7 @@ module.exports.CertificateOperations = function (parent) {
|
|||||||
if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) {
|
if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) {
|
||||||
dnsname = config.domains[i].dns;
|
dnsname = config.domains[i].dns;
|
||||||
// Check if this domain matches a parent wildcard cert, if so, use the parent cert.
|
// Check if this domain matches a parent wildcard cert, if so, use the parent cert.
|
||||||
if (compareCertificateNames(r.CommonNames, dnsname) == true) {
|
if (obj.compareCertificateNames(r.CommonNames, dnsname) == true) {
|
||||||
r.dns[i] = { cert: obj.fileLoad("webserver-cert-public.crt", "utf8"), key: obj.fileLoad("webserver-cert-private.key", "utf8") };
|
r.dns[i] = { cert: obj.fileLoad("webserver-cert-public.crt", "utf8"), key: obj.fileLoad("webserver-cert-private.key", "utf8") };
|
||||||
} else {
|
} else {
|
||||||
if (args.tlsoffload) {
|
if (args.tlsoffload) {
|
||||||
@ -374,7 +379,7 @@ module.exports.CertificateOperations = function (parent) {
|
|||||||
if (certargs == null) { commonName = r.CommonName; country = xcountry; organization = xorganization; }
|
if (certargs == null) { commonName = r.CommonName; country = xcountry; organization = xorganization; }
|
||||||
|
|
||||||
// Check if we have correct certificates
|
// Check if we have correct certificates
|
||||||
if (compareCertificateNames(r.CommonNames, commonName) == false) { forceWebCertGen = 1; }
|
if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { forceWebCertGen = 1; }
|
||||||
if (r.AmtMpsName != mpsCommonName) { forceMpsCertGen = 1; }
|
if (r.AmtMpsName != mpsCommonName) { forceMpsCertGen = 1; }
|
||||||
|
|
||||||
// If the certificates matches what we want, use them.
|
// If the certificates matches what we want, use them.
|
||||||
@ -426,10 +431,15 @@ module.exports.CertificateOperations = function (parent) {
|
|||||||
obj.fs.writeFileSync(parent.getConfigFilePath("webserver-cert-private.key"), webPrivateKey);
|
obj.fs.writeFileSync(parent.getConfigFilePath("webserver-cert-private.key"), webPrivateKey);
|
||||||
} else {
|
} else {
|
||||||
// Keep the console certificate we have
|
// Keep the console certificate we have
|
||||||
|
if (args.tlsoffload) {
|
||||||
|
webCertAndKey = { cert: obj.pki.certificateFromPem(r.web.cert) };
|
||||||
|
webCertificate = r.web.cert;
|
||||||
|
} else {
|
||||||
webCertAndKey = { cert: obj.pki.certificateFromPem(r.web.cert), key: obj.pki.privateKeyFromPem(r.web.key) };
|
webCertAndKey = { cert: obj.pki.certificateFromPem(r.web.cert), key: obj.pki.privateKeyFromPem(r.web.key) };
|
||||||
webCertificate = r.web.cert;
|
webCertificate = r.web.cert;
|
||||||
webPrivateKey = r.web.key;
|
webPrivateKey = r.web.key;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
var webIssuer = webCertAndKey.cert.issuer.getField("CN").value;
|
var webIssuer = webCertAndKey.cert.issuer.getField("CN").value;
|
||||||
|
|
||||||
// If the mesh agent server certificate does not exist, create one
|
// If the mesh agent server certificate does not exist, create one
|
||||||
@ -486,7 +496,7 @@ module.exports.CertificateOperations = function (parent) {
|
|||||||
if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) {
|
if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) {
|
||||||
dnsname = config.domains[i].dns;
|
dnsname = config.domains[i].dns;
|
||||||
// Check if this domain matches a parent wildcard cert, if so, use the parent cert.
|
// Check if this domain matches a parent wildcard cert, if so, use the parent cert.
|
||||||
if (compareCertificateNames(r.CommonNames, dnsname) == true) {
|
if (obj.compareCertificateNames(r.CommonNames, dnsname) == true) {
|
||||||
r.dns[i] = { cert: obj.fileLoad("webserver-cert-public.crt", "utf8"), key: obj.fileLoad("webserver-cert-private.key", "utf8") };
|
r.dns[i] = { cert: obj.fileLoad("webserver-cert-public.crt", "utf8"), key: obj.fileLoad("webserver-cert-private.key", "utf8") };
|
||||||
} else {
|
} else {
|
||||||
if (!args.tlsoffload) {
|
if (!args.tlsoffload) {
|
||||||
|
@ -92,7 +92,7 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
|||||||
certs.web.ca = [results.chain];
|
certs.web.ca = [results.chain];
|
||||||
}
|
}
|
||||||
for (var i in obj.parent.config.domains) {
|
for (var i in obj.parent.config.domains) {
|
||||||
if ((obj.parent.config.domains[i].dns != null) && (results.altnames.indexOf(obj.parent.config.domains[i].dns) >= 0)) {
|
if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(results.altnames, obj.parent.config.domains[i].dns))) {
|
||||||
certs.dns[i].cert = results.cert;
|
certs.dns[i].cert = results.cert;
|
||||||
certs.dns[i].key = results.privkey;
|
certs.dns[i].key = results.privkey;
|
||||||
certs.dns[i].ca = [results.chain];
|
certs.dns[i].ca = [results.chain];
|
||||||
|
@ -816,6 +816,7 @@ function CreateMeshCentralServer(config, args) {
|
|||||||
if ((obj.config.smtp != null) && (obj.config.smtp.host != null) && (obj.config.smtp.from != null)) {
|
if ((obj.config.smtp != null) && (obj.config.smtp.host != null) && (obj.config.smtp.from != null)) {
|
||||||
obj.mailserver = require('./meshmail.js').CreateMeshMail(obj);
|
obj.mailserver = require('./meshmail.js').CreateMeshMail(obj);
|
||||||
obj.mailserver.verify();
|
obj.mailserver.verify();
|
||||||
|
if (obj.args.lanonly == true) { console.log("WARNING: SMTP server has limited use in LAN mode."); }
|
||||||
}
|
}
|
||||||
|
|
||||||
// Start periodic maintenance
|
// Start periodic maintenance
|
||||||
|
@ -283,7 +283,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
|||||||
var httpport = ((args.aliasport != null) ? args.aliasport : args.port);
|
var httpport = ((args.aliasport != null) ? args.aliasport : args.port);
|
||||||
|
|
||||||
// Build server information object
|
// Build server information object
|
||||||
var serverinfo = { name: domain.dns ? domain.dns : parent.certificates.CommonName, mpsname: parent.certificates.AmtMpsName, mpsport: mpsport, mpspass: args.mpspass, port: httpport, emailcheck: ((parent.parent.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap')), domainauth: ((domain.auth == 'sspi') || (domain.auth == 'ldap')) };
|
var serverinfo = { name: domain.dns ? domain.dns : parent.certificates.CommonName, mpsname: parent.certificates.AmtMpsName, mpsport: mpsport, mpspass: args.mpspass, port: httpport, emailcheck: ((parent.parent.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap') && (args.lanonly != true) && (parent.certificates.CommonName != null) && (parent.certificates.CommonName.indexOf('.') != -1)), domainauth: ((domain.auth == 'sspi') || (domain.auth == 'ldap')) };
|
||||||
if (args.notls == true) { serverinfo.https = false; } else { serverinfo.https = true; serverinfo.redirport = args.redirport; }
|
if (args.notls == true) { serverinfo.https = false; } else { serverinfo.https = true; serverinfo.redirport = args.redirport; }
|
||||||
if (typeof domain.userconsentflags == 'number') { serverinfo.consent = domain.userconsentflags; }
|
if (typeof domain.userconsentflags == 'number') { serverinfo.consent = domain.userconsentflags; }
|
||||||
if ((typeof domain.usersessionidletimeout == 'number') && (domain.usersessionidletimeout > 0)) { serverinfo.timeout = (domain.usersessionidletimeout * 60 * 1000); }
|
if ((typeof domain.usersessionidletimeout == 'number') && (domain.usersessionidletimeout > 0)) { serverinfo.timeout = (domain.usersessionidletimeout * 60 * 1000); }
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "meshcentral",
|
"name": "meshcentral",
|
||||||
"version": "0.3.6-f",
|
"version": "0.3.6-g",
|
||||||
"keywords": [
|
"keywords": [
|
||||||
"Remote Management",
|
"Remote Management",
|
||||||
"Intel AMT",
|
"Intel AMT",
|
||||||
|
@ -31,7 +31,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
.tab button.active {
|
.tab button.active {
|
||||||
background-color: #ccc;
|
background-color: #8f8;
|
||||||
}
|
}
|
||||||
|
|
||||||
.tabcontent {
|
.tabcontent {
|
||||||
|
@ -911,7 +911,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||||||
// Called to process an account reset request
|
// Called to process an account reset request
|
||||||
function handleResetAccountRequest(req, res) {
|
function handleResetAccountRequest(req, res) {
|
||||||
const domain = checkUserIpAddress(req, res);
|
const domain = checkUserIpAddress(req, res);
|
||||||
if ((domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap')) { res.sendStatus(404); return; }
|
if ((domain == null) || (domain.auth == 'sspi') || (domain.auth == 'ldap') || (obj.args.lanonly == true) || (obj.parent.certificates.CommonName == null) || (obj.parent.certificates.CommonName.indexOf('.') == -1)) { res.sendStatus(404); return; }
|
||||||
|
|
||||||
// Get the email from the body or session.
|
// Get the email from the body or session.
|
||||||
var email = req.body.email;
|
var email = req.body.email;
|
||||||
@ -1416,7 +1416,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||||||
var message = '';
|
var message = '';
|
||||||
if (err != null) message = '<p class="msg error">' + err + '</p>';
|
if (err != null) message = '<p class="msg error">' + err + '</p>';
|
||||||
if (msg != null) message = '<p class="msg success">' + msg + '</p>';
|
if (msg != null) message = '<p class="msg success">' + msg + '</p>';
|
||||||
var emailcheck = ((obj.parent.mailserver != null) && (domain.auth != 'sspi'));
|
var emailcheck = ((obj.parent.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap'))
|
||||||
|
|
||||||
// Check if we are allowed to create new users using the login screen
|
// Check if we are allowed to create new users using the login screen
|
||||||
var newAccountsAllowed = true;
|
var newAccountsAllowed = true;
|
||||||
|
Loading…
Reference in New Issue
Block a user