Improved alternate Let's Encrypt support.

2025-01-11 15:03:20 -05:00 · 2020-03-05 11:18:50 -08:00 · 2020-03-05 11:18:50 -08:00 · 7df7576acb
commit 7df7576acb
parent fea2120849
5 changed files with 96 additions and 54 deletions
--- a/letsEncrypt.js
+++ b/letsEncrypt.js
@ -341,6 +341,17 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
    obj.challenges = {};
    obj.runAsProduction = false;
    obj.redirWebServerHooked = false;
    obj.configErr = null;
    obj.configOk = false;
    // Let's Encrypt debug logging
    obj.log = function (str) {
        parent.debug('cert', 'LE: ' + str);
        var d = new Date();
        obj.events.push(d.toLocaleDateString() + ' ' + d.toLocaleTimeString() + ' - ' + str);
        while (obj.events.length > 200) { obj.events.shift(); } // Keep only 200 last events.
    }
    obj.events = [];
    // Setup the certificate storage paths
    obj.certPath = obj.path.join(obj.parent.datapath, 'letsencrypt-certs');
@ -353,18 +364,20 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
    // Deal with HTTP challenges
    function challengeCreateFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { obj.challenges[challenge.token] = keyAuthorization; } }
    function challengeRemoveFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { delete obj.challenges[challenge.token]; } }
-    obj.challenge = function (token, hostname, func) { func(obj.challenges[token]); }
+    obj.challenge = function (token, hostname, func) { obj.log((obj.challenges[token] != null)?"Succesful response to challenge.":"Failed to respond to challenge."); func(obj.challenges[token]); }
    // Get the current certificate
    obj.getCertificate = function(certs, func) {
        obj.runAsProduction = (obj.parent.config.letsencrypt.production === true);
-        parent.debug('cert', "LE: Getting certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")");
+        obj.log("Getting certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")");
-        if (certs.CommonName.indexOf('.') == -1) { console.log("ERROR: Use --cert to setup the default server name before using Let's Encrypt."); func(certs); return; }
+        if (certs.CommonName.indexOf('.') == -1) { obj.configErr = "ERROR: Use --cert to setup the default server name before using Let's Encrypt."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
-        if (obj.parent.config.letsencrypt == null) { func(certs); return; }
+        if (obj.parent.config.letsencrypt == null) { obj.configErr = "No Let's Encrypt configuration"; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
-        if (obj.parent.config.letsencrypt.email == null) { console.log("ERROR: Let's Encrypt email address not specified."); func(certs); return; }
+        if (obj.parent.config.letsencrypt.email == null) { obj.configErr = "ERROR: Let's Encrypt email address not specified."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
-        if ((obj.parent.redirserver == null) || ((typeof obj.parent.config.settings.rediraliasport === 'number') && (obj.parent.config.settings.rediraliasport !== 80)) || ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port !== 80))) { console.log("ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work."); func(certs); return; }
+        if ((obj.parent.redirserver == null) || ((typeof obj.parent.config.settings.rediraliasport === 'number') && (obj.parent.config.settings.rediraliasport !== 80)) || ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port !== 80))) { obj.configErr = "ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
-        if (obj.redirWebServerHooked !== true) { console.log("ERROR: Redirection web server not setup for Let's Encrypt to work."); func(certs); return; }
+        if (obj.redirWebServerHooked !== true) { obj.configErr = "ERROR: Redirection web server not setup for Let's Encrypt to work."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
-        if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { console.log("ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."); func(certs); return; }
+        if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { obj.configErr = "ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."; obj.log(obj.configErr); console.log(obj.configErr); func(certs); return; }
        if (obj.checkInterval == null) { obj.checkInterval = setInterval(obj.checkRenewCertificate, 86400000); } // Call certificate check every 24 hours.
        obj.configOk = true;
        // Get the list of domains
        obj.leDomains = [ certs.CommonName ];
@ -379,7 +392,7 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
        var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt'));
        var keyFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.key' : 'staging.key'));
        if (obj.fs.existsSync(certFile) && obj.fs.existsSync(keyFile)) {
-            parent.debug('cert', "LE: Reading certificate files");
+            obj.log("Reading certificate files");
            // Read the certificate and private key
            var certPem = obj.fs.readFileSync(certFile).toString('utf8');
@ -397,54 +410,55 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
            // Use this certificate when possible on any domain
            if (obj.certNames.indexOf(certs.CommonName) >= 0) {
                obj.log("Setting LE cert for default domain.");
                certs.web.cert = certPem;
                certs.web.key = keyPem;
                //certs.web.ca = [results.pems.chain];
            }
            for (var i in obj.parent.config.domains) {
                if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.parent.config.domains[i].dns))) {
                    obj.log("Setting LE cert for domain " + i + ".");
                    certs.dns[i].cert = certPem;
                    certs.dns[i].key = keyPem;
                    //certs.dns[i].ca = [results.pems.chain];
                }
            }
        } else {
-            parent.debug('cert', "LE: No certificate files found");
+            obj.log("No certificate files found");
        }
        func(certs);
-        obj.checkRenewCertificate();
+        setTimeout(obj.checkRenewCertificate, 5000); // Hold 5 seconds and check if we need to request a certificate.
    }
    // Check if we need to get a new certificate
    // Return 0 = CertOK, 1 = Request:NoCert, 2 = Request:Expire, 3 = Request:MissingNames
    obj.checkRenewCertificate = function () {
        parent.debug('cert', "LE: Checking certificate");
        if (obj.certNames == null) {
-            parent.debug('cert', "LE: Got no certificates, asking for one now.");
+            obj.log("Got no certificates, asking for one now.");
            obj.requestCertificate();
            return 1;
        } else {
            // Look at the existing certificate to see if we need to renew it
            var daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000);
-            parent.debug('cert', "LE: Certificate has " + daysLeft + " day(s) left.");
+            obj.log("Certificate has " + daysLeft + " day(s) left.");
            if (daysLeft < 45) {
-                parent.debug('cert', "LE: Asking for new certificate because of expire time.");
+                obj.log("Asking for new certificate because of expire time.");
                obj.requestCertificate();
                return 2;
            } else {
                var missingDomain = false;
                for (var i in obj.leDomains) {
                    if (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.leDomains[i]) == false) {
-                        parent.debug('cert', "LE: Missing name " + obj.leDomains[i] + ".");
+                        obj.log("Missing name \"" + obj.leDomains[i] + "\".");
                        missingDomain = true;
                    }
                }
                if (missingDomain) {
-                    parent.debug('cert', "LE: Asking for new certificate because of missing names.");
+                    obj.log("Asking for new certificate because of missing names.");
                    obj.requestCertificate();
                    return 3;
                } else {
-                    parent.debug('cert', "LE: Certificate is ok.");
+                    obj.log("Certificate is ok.");
                }
            }
        }
@ -452,25 +466,27 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
    }
    obj.requestCertificate = function () {
        if (obj.configOk == false) { obj.log("Can't request cert, invalid configuration.");return; }
        // Create a private key
-        parent.debug('cert', "LE: Generating private key...");
+        obj.log("Generating private key...");
        acme.forge.createPrivateKey().then(function (accountKey) {
            // Create the ACME client
-            parent.debug('cert', "LE: Setting up ACME client...");
+            obj.log("Setting up ACME client...");
            obj.client = new acme.Client({
                directoryUrl: obj.runAsProduction ? acme.directory.letsencrypt.production : acme.directory.letsencrypt.staging,
                accountKey: accountKey
            });
            // Create Certificate Request (CSR)
-            parent.debug('cert', "LE: Creating certificate request...");
+            obj.log("Creating certificate request...");
            acme.forge.createCsr({
                commonName: obj.leDomains[0],
                altNames: obj.leDomains
            }).then(function (r) {
                var csr = r[1];
                obj.tempPrivateKey = r[0];
-                parent.debug('cert', "LE: Requesting certificate from Let's Encrypt...");
+                obj.log("Requesting certificate from Let's Encrypt...");
                obj.client.auto({
                    csr,
                    email: obj.parent.config.letsencrypt.email,
@ -478,7 +494,7 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
                    challengeCreateFn,
                    challengeRemoveFn
                }).then(function (cert) {
-                    parent.debug('cert', "LE: Got certificate.");
+                    obj.log("Got certificate.");
                    // Save certificate and private key to PEM files
                    var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt'));
@ -488,16 +504,16 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
                    delete obj.tempPrivateKey;
                    // Cause a server restart
-                    parent.debug('cert', "LE: Performing server restart...");
+                    obj.log("Performing server restart...");
                    obj.parent.performServerCertUpdate();
                }, function (err) {
-                    parent.debug('cert', "LE: Failed to obtain certificate: " + err.message);
+                    obj.log("Failed to obtain certificate: " + err.message);
                });
            }, function (err) {
-                parent.debug('cert', "LE: Failed to generate certificate request: " + err.message);
+                obj.log("Failed to generate certificate request: " + err.message);
            });
        }, function (err) {
-            parent.debug('cert', "LE: Failed to generate private key: " + err.message);
+            obj.log("Failed to generate private key: " + err.message);
        });
    }
@ -505,13 +521,15 @@ module.exports.CreateLetsEncrypt2 = function (parent) {
    obj.getStats = function () {
        var r = {
            lib: 'acme-client',
            configOk: obj.configOk,
            leDomains: obj.leDomains,
            challenges: obj.challenges,
            production: obj.runAsProduction,
            webServer: obj.redirWebServerHooked,
-            certPath: obj.certPath,
+            certPath: obj.certPath
        };
-        if (obj.certExpire) { r.daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); }
+        if (obj.configErr) { r.error = obj.configErr; }
        if (obj.certExpire) { r.cert = 'Present'; r.daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); } else { r.cert = 'None'; }
        return r;
    }
--- a/meshcentral.js
+++ b/meshcentral.js
@ -2389,7 +2389,13 @@ function mainStart() {
        if (require('os').platform() == 'win32') { modules.push('node-windows'); if (sspi == true) { modules.push('node-sspi'); } } // Add Windows modules
        if (ldap == true) { modules.push('ldapauth-fork'); }
        if (recordingIndex == true) { modules.push('image-size'); } // Need to get the remote desktop JPEG sizes to index the recodring file.
-        if (config.letsencrypt != null) { if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push((config.letsencrypt.lib == 'acme-client') ? 'acme-client' : 'greenlock@4.0.4'); } } // Add Greenlock Module or acme-client module
+        if (config.letsencrypt != null) {
            if (config.letsencrypt.lib == 'acme-client') {
                if (nodeVersion < 8) { addServerWarning("Let's Encrypt support requires Node v8.x or higher.", !args.launch); } else { modules.push('acme-client'); }
            } else {
                if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push('greenlock@4.0.4'); }
            }
        } // Add Greenlock Module or acme-client module
        if (config.settings.mqtt != null) { modules.push('aedes'); } // Add MQTT Modules
        if (config.settings.mysql != null) { modules.push('mysql'); } // Add MySQL, official driver.
        if (config.settings.mongodb != null) { modules.push('mongodb'); } // Add MongoDB, official driver.
--- a/meshuser.js
+++ b/meshuser.js
@ -689,7 +689,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                    switch (cmd) {
                        case 'help': {
-                            var fin = '', f = '', availcommands = 'help,info,versions,args,resetserver,showconfig,usersessions,closeusersessions,tasklimiter,setmaxtasks,cores,migrationagents,agentstats,webstats,mpsstats,swarmstats,acceleratorsstats,updatecheck,serverupdate,nodeconfig,heapdump,relays,autobackup,backupconfig,dupagents,dispatchtable,badlogins,showpaths,letsencrypt';
+                            var fin = '', f = '', availcommands = 'help,info,versions,args,resetserver,showconfig,usersessions,closeusersessions,tasklimiter,setmaxtasks,cores,migrationagents,agentstats,webstats,mpsstats,swarmstats,acceleratorsstats,updatecheck,serverupdate,nodeconfig,heapdump,relays,autobackup,backupconfig,dupagents,dispatchtable,badlogins,showpaths,le,lecheck,leevents';
                            availcommands = availcommands.split(',').sort();
                            while (availcommands.length > 0) {
                                if (f.length > 80) { fin += (f + ',\r\n'); f = ''; }
@ -699,8 +699,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                            r = 'Available commands: \r\n' + fin + '.';
                            break;
                        }
-                        case 'le':
+                        case 'le': {
                        case 'letsencrypt': {
                            if (parent.parent.letsencrypt == null) {
                                r = "Let's Encrypt not in use.";
                            } else {
@ -742,6 +741,18 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                            }
                            break;
                        }
                        case 'leevents': {
                            if (parent.parent.letsencrypt == null) {
                                r = "Let's Encrypt not in use.";
                            } else {
                                if (parent.parent.letsencrypt.lib == 'acme-client') {
                                    r = parent.parent.letsencrypt.events.join('\r\n');
                                } else {
                                    r = 'Not supported';
                                }
                            }
                            break;
                        }
                        case 'badlogins': {
                            if (parent.parent.config.settings.maxinvalidlogin == false) {
                                r = 'Bad login filter is disabled.';
--- a/translate/translate.json
+++ b/translate/translate.json
@ -3031,7 +3031,7 @@
      "nl": "Weet u zeker dat u de plug-in {0} wilt gebruiken: {1}",
      "ru": "Вы уверенны, что {0} плагин: {1}",
      "xloc": [
-        "default.handlebars->27->1510"
+        "default.handlebars->27->1511"
      ]
    },
    {
@ -3552,7 +3552,7 @@
      "pt": "Servidor CIRA",
      "ru": "CIRA Сервер",
      "xloc": [
-        "default.handlebars->27->1501"
+        "default.handlebars->27->1502"
      ]
    },
    {
@ -3566,7 +3566,7 @@
      "pt": "Comandos do servidor CIRA",
      "ru": "CIRA Сервер команды",
      "xloc": [
-        "default.handlebars->27->1502"
+        "default.handlebars->27->1503"
      ]
    },
    {
@ -3665,7 +3665,7 @@
      "pt": "Erro de chamada",
      "ru": "Ошибка вызова",
      "xloc": [
-        "default.handlebars->27->1511"
+        "default.handlebars->27->1512"
      ]
    },
    {
@ -4000,7 +4000,7 @@
      "pt": "Verificando ...",
      "ru": "Проверка...",
      "xloc": [
-        "default.handlebars->27->1507",
+        "default.handlebars->27->1508",
        "default.handlebars->27->769"
      ]
    },
@ -4663,7 +4663,7 @@
      "pt": "Encaminhador de conexão",
      "ru": "Ретранслятор подключения",
      "xloc": [
-        "default.handlebars->27->1500"
+        "default.handlebars->27->1501"
      ]
    },
    {
@ -9089,7 +9089,7 @@
        "default.handlebars->27->1194",
        "default.handlebars->27->1200",
        "default.handlebars->27->1479",
-        "default.handlebars->27->1499"
+        "default.handlebars->27->1500"
      ]
    },
    {
@ -10500,7 +10500,7 @@
      "pt": "Menos",
      "ru": "Меньше",
      "xloc": [
-        "default.handlebars->27->1513"
+        "default.handlebars->27->1514"
      ]
    },
    {
@ -12153,7 +12153,7 @@
      "pt": "Mais",
      "ru": "Еще",
      "xloc": [
-        "default.handlebars->27->1512"
+        "default.handlebars->27->1513"
      ]
    },
    {
@ -14314,7 +14314,7 @@
      "nl": "Plugin Actie",
      "ru": "Действие плагина",
      "xloc": [
-        "default.handlebars->27->1509",
+        "default.handlebars->27->1510",
        "default.handlebars->27->159"
      ]
    },
@ -16345,6 +16345,12 @@
        "default.handlebars->27->1494"
      ]
    },
    {
      "en": "Server Database",
      "xloc": [
        "default.handlebars->27->1495"
      ]
    },
    {
      "cs": "Soubory serveru",
      "de": "Server-Dateien",
@ -16455,7 +16461,7 @@
      "pt": "Rastreamento de servidor",
      "ru": "Трассировка сервера",
      "xloc": [
-        "default.handlebars->27->1503"
+        "default.handlebars->27->1504"
      ]
    },
    {
@ -19152,7 +19158,7 @@
      "nl": "Bijgewerkt",
      "ru": "Актуально",
      "xloc": [
-        "default.handlebars->27->1508"
+        "default.handlebars->27->1509"
      ]
    },
    {
@ -19991,8 +19997,8 @@
      "pt": "Servidor web",
      "ru": "Веб-сервер",
      "xloc": [
-        "default.handlebars->27->1495",
+        "default.handlebars->27->1496",
-        "default.handlebars->27->1496"
+        "default.handlebars->27->1497"
      ]
    },
    {
@ -20006,7 +20012,7 @@
      "pt": "Solicitações de servidor Web",
      "ru": "Запросы веб-сервера",
      "xloc": [
-        "default.handlebars->27->1497"
+        "default.handlebars->27->1498"
      ]
    },
    {
@ -20020,7 +20026,7 @@
      "pt": "Encaminhador de soquete da Web",
      "ru": "Ретранслятор Web Socket",
      "xloc": [
-        "default.handlebars->27->1498"
+        "default.handlebars->27->1499"
      ]
    },
    {
@ -20663,7 +20669,7 @@
      "pt": "\\\\'",
      "ru": "\\\\'",
      "xloc": [
-        "default.handlebars->27->1506"
+        "default.handlebars->27->1507"
      ]
    },
    {
@ -21088,7 +21094,7 @@
      "pt": "servertrace.csv",
      "ru": "servertrace.csv",
      "xloc": [
-        "default.handlebars->27->1505"
+        "default.handlebars->27->1506"
      ]
    },
    {
@ -21137,7 +21143,7 @@
      "pt": "hora, fonte, mensagem",
      "ru": "time, source, message",
      "xloc": [
-        "default.handlebars->27->1504"
+        "default.handlebars->27->1505"
      ]
    },
    {
--- a/views/default.handlebars
+++ b/views/default.handlebars
@ -10674,6 +10674,7 @@
            x += '<div><label><input type=checkbox id=p41c15 ' + ((serverTraceSources.indexOf('agent') >= 0) ? 'checked' : '') + '>' + "MeshAgent traffic" + '</label></div>';
            x += '<div><label><input type=checkbox id=p41c14 ' + ((serverTraceSources.indexOf('agentupdate') >= 0) ? 'checked' : '') + '>' + "MeshAgent update" + '</label></div>';
            x += '<div><label><input type=checkbox id=p41c16 ' + ((serverTraceSources.indexOf('cert') >= 0) ? 'checked' : '') + '>' + "Server Certificate" + '</label></div>';
            x += '<div><label><input type=checkbox id=p41c17 ' + ((serverTraceSources.indexOf('db') >= 0) ? 'checked' : '') + '>' + "Server Database" + '</label></div>';
            x += '<div style="width:100%;border-bottom:1px solid gray;margin-bottom:5px;margin-top:5px"><b>' + "Web Server" + '</b></div>';
            x += '<div><label><input type=checkbox id=p41c5 ' + ((serverTraceSources.indexOf('web') >= 0) ? 'checked' : '') + '>' + "Web Server" + '</label></div>';
            x += '<div><label><input type=checkbox id=p41c6 ' + ((serverTraceSources.indexOf('webrequest') >= 0) ? 'checked' : '') + '>' + "Web Server Requests" + '</label></div>';
@ -10690,8 +10691,8 @@
        }
        function setServerTracingEx(b) {
-            var sources = [], allsources = ['cookie', 'dispatch', 'main', 'peer', 'web', 'webrequest', 'relay', 'webrelaydata', 'webrelay', 'mps', 'mpscmd', 'swarm', 'swarmcmd', 'agentupdate', 'agent', 'cert'];
+            var sources = [], allsources = ['cookie', 'dispatch', 'main', 'peer', 'web', 'webrequest', 'relay', 'webrelaydata', 'webrelay', 'mps', 'mpscmd', 'swarm', 'swarmcmd', 'agentupdate', 'agent', 'cert', 'db'];
-            if (b == 1) { for (var i = 1; i < 17; i++) { try { if (Q('p41c' + i).checked) { sources.push(allsources[i - 1]); } } catch (ex) { } } }
+            if (b == 1) { for (var i = 1; i < 18; i++) { try { if (Q('p41c' + i).checked) { sources.push(allsources[i - 1]); } } catch (ex) { } } }
            meshserver.send({ action: 'traceinfo', traceSources: sources });
        }