mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-24 22:25:52 -05:00
Moved to GreenLock v3
This commit is contained in:
parent
0876ae6ac7
commit
8388fd73a6
190
letsEncrypt.js
190
letsEncrypt.js
@ -12,58 +12,90 @@
|
||||
/*jshint node: true */
|
||||
/*jshint strict: false */
|
||||
/*jshint esversion: 6 */
|
||||
"use strict";
|
||||
'use strict';
|
||||
|
||||
module.exports.CreateLetsEncrypt = function (parent) {
|
||||
module.exports.CreateLetsEncrypt = function(parent) {
|
||||
try {
|
||||
parent.debug('cert', "Initializing Let's Encrypt support");
|
||||
|
||||
// Check the current node version
|
||||
if (Number(process.version.match(/^v(\d+\.\d+)/)[1]) < 8) { return null; }
|
||||
|
||||
// Try to delete the "./ursa-optional" or "./node_modules/ursa-optional" folder if present.
|
||||
// This is an optional module that GreenLock uses that causes issues.
|
||||
try {
|
||||
const fs = require('fs');
|
||||
if (fs.existsSync(obj.path.join(__dirname, 'ursa-optional'))) { fs.unlinkSync(obj.path.join(__dirname, 'ursa-optional')); }
|
||||
if (fs.existsSync(obj.path.join(__dirname, 'node_modules', 'ursa-optional'))) { fs.unlinkSync(obj.path.join(__dirname, 'node_modules', 'ursa-optional')); }
|
||||
if (fs.existsSync(parent.path.join(__dirname, 'ursa-optional'))) { fs.unlinkSync(obj.path.join(__dirname, 'ursa-optional')); }
|
||||
if (fs.existsSync(parent.path.join(__dirname, 'node_modules', 'ursa-optional'))) { fs.unlinkSync(obj.path.join(__dirname, 'node_modules', 'ursa-optional')); }
|
||||
} catch (ex) { }
|
||||
|
||||
// Get GreenLock setup and running.
|
||||
const greenlock = require('greenlock');
|
||||
var obj = {};
|
||||
obj.parent = parent;
|
||||
obj.path = require('path');
|
||||
obj.redirWebServerHooked = false;
|
||||
obj.leDomains = null;
|
||||
obj.leResults = null;
|
||||
obj.performRestart = false;
|
||||
|
||||
// Setup the certificate storage paths
|
||||
obj.configPath = obj.parent.path.join(obj.parent.datapath, 'letsencrypt');
|
||||
obj.webrootPath = obj.parent.path.join(obj.parent.datapath, 'letsencrypt', 'webroot');
|
||||
obj.configPath = obj.path.join(obj.parent.datapath, 'letsencrypt');
|
||||
try { obj.parent.fs.mkdirSync(obj.configPath); } catch (e) { }
|
||||
try { obj.parent.fs.mkdirSync(obj.webrootPath); } catch (e) { }
|
||||
|
||||
// Storage Backend, store data in the "meshcentral-data/letencrypt" folder.
|
||||
var leStore = require('le-store-certbot').create({ configDir: obj.configPath, webrootPath: obj.webrootPath, debug: obj.parent.args.debug > 0 });
|
||||
// Setup Let's Encrypt default configuration
|
||||
obj.leDefaults = {
|
||||
agreeToTerms: true,
|
||||
//serverKeyType: 'RSA-2048', // Seems like only "RSA-2048" or "P-256" is supported.
|
||||
store: {
|
||||
module: 'greenlock-store-fs',
|
||||
basePath: obj.configPath
|
||||
}
|
||||
};
|
||||
|
||||
// ACME Challenge Handlers
|
||||
var leHttpChallenge = require('le-challenge-fs').create({ webrootPath: obj.webrootPath, debug: obj.parent.args.debug > 0 });
|
||||
|
||||
// Function to agree to terms of service
|
||||
function leAgree(opts, agreeCb) { agreeCb(null, opts.tosUrl); }
|
||||
// Get package and maintainer email
|
||||
const pkg = require('./package.json');
|
||||
var maintainerEmail = null;
|
||||
if (typeof pkg.author == 'string') {
|
||||
// Older NodeJS
|
||||
maintainerEmail = pkg.author;
|
||||
var i = maintainerEmail.indexOf('<');
|
||||
if (i >= 0) { maintainerEmail = maintainerEmail.substring(i + 1); }
|
||||
var i = maintainerEmail.indexOf('>');
|
||||
if (i >= 0) { maintainerEmail = maintainerEmail.substring(0, i); }
|
||||
} else if (typeof pkg.author == 'object') {
|
||||
// Latest NodeJS
|
||||
maintainerEmail = pkg.author.email;
|
||||
}
|
||||
|
||||
// Create the main GreenLock code module.
|
||||
var greenlockargs = {
|
||||
version: 'draft-12',
|
||||
server: (obj.parent.config.letsencrypt.production === true) ? 'https://acme-v02.api.letsencrypt.org/directory' : 'https://acme-staging-v02.api.letsencrypt.org/directory',
|
||||
store: leStore,
|
||||
challenges: { 'http-01': leHttpChallenge },
|
||||
challengeType: 'http-01',
|
||||
agreeToTerms: leAgree,
|
||||
debug: obj.parent.args.debug > 0
|
||||
parent: obj,
|
||||
packageRoot: __dirname,
|
||||
packageAgent: pkg.name + '/' + pkg.version,
|
||||
manager: obj.path.join(__dirname, 'letsencrypt.js'),
|
||||
maintainerEmail: maintainerEmail,
|
||||
notify: function (ev, args) { if (typeof args == 'string') { parent.debug('cert', ev + ': ' + args); } else { parent.debug('cert', ev + ': ' + JSON.stringify(args)); } },
|
||||
staging: (obj.parent.config.letsencrypt.production !== true),
|
||||
debug: (obj.parent.args.debug > 0)
|
||||
};
|
||||
|
||||
if (obj.parent.args.debug == null) { greenlockargs.log = function (debug) { }; } // If not in debug mode, ignore all console output from greenlock (makes things clean).
|
||||
obj.le = greenlock.create(greenlockargs);
|
||||
|
||||
// Hook up GreenLock to the redirection server
|
||||
if (obj.parent.redirserver.port == 80) { obj.parent.redirserver.app.use('/', obj.le.middleware()); obj.redirWebServerHooked = true; }
|
||||
if (obj.parent.redirserver.port == 80) { obj.redirWebServerHooked = true; }
|
||||
|
||||
// Respond to a challenge
|
||||
obj.challenge = function (token, hostname, func) {
|
||||
parent.debug('cert', "Challenge " + hostname + "/" + token);
|
||||
obj.le.challenges.get({ type: 'http-01', servername: hostname, token: token })
|
||||
.then(function (results) { func(results.keyAuthorization); })
|
||||
.catch(function (e) { console.log('LE-ERROR', e); func(null); }); // unexpected error, not related to renewal
|
||||
}
|
||||
|
||||
obj.getCertificate = function (certs, func) {
|
||||
parent.debug('cert', "Getting certs from local store");
|
||||
if (certs.CommonName.indexOf('.') == -1) { console.log("ERROR: Use --cert to setup the default server name before using Let's Encrypt."); func(certs); return; }
|
||||
if (obj.parent.config.letsencrypt == null) { func(certs); return; }
|
||||
if (obj.parent.config.letsencrypt.email == null) { console.log("ERROR: Let's Encrypt email address not specified."); func(certs); return; }
|
||||
@ -72,7 +104,7 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
||||
if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { console.log("ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."); func(certs); return; }
|
||||
|
||||
// Get the list of domains
|
||||
obj.leDomains = [certs.CommonName];
|
||||
obj.leDomains = [ certs.CommonName ];
|
||||
if (obj.parent.config.letsencrypt.names != null) {
|
||||
if (typeof obj.parent.config.letsencrypt.names == 'string') { obj.parent.config.letsencrypt.names = obj.parent.config.letsencrypt.names.split(','); }
|
||||
obj.parent.config.letsencrypt.names.map(function (s) { return s.trim(); }); // Trim each name
|
||||
@ -81,67 +113,95 @@ module.exports.CreateLetsEncrypt = function (parent) {
|
||||
obj.leDomains.sort(); // Sort the array so it's always going to be in the same order.
|
||||
}
|
||||
|
||||
obj.le.check({ domains: obj.leDomains }).then(function (results) {
|
||||
if (results) {
|
||||
obj.leResults = results;
|
||||
// Get altnames
|
||||
obj.altnames = [];
|
||||
obj.servername = certs.CommonName;
|
||||
for (var i in obj.leDomains) { if (obj.leDomains[i] != certs.CommonName) { obj.altnames.push(obj.leDomains[i]); } }
|
||||
|
||||
// Get the Let's Encrypt certificate from our own storage
|
||||
obj.le.get({ servername: certs.CommonName })
|
||||
.then(function (results) {
|
||||
// If we already have real certificates, use them.
|
||||
if (results.altnames.indexOf(certs.CommonName) >= 0) {
|
||||
certs.web.cert = results.cert;
|
||||
certs.web.key = results.privkey;
|
||||
certs.web.ca = [results.chain];
|
||||
if (results) {
|
||||
if (results.site.altnames.indexOf(certs.CommonName) >= 0) {
|
||||
certs.web.cert = results.pems.cert;
|
||||
certs.web.key = results.pems.privkey;
|
||||
certs.web.ca = [results.pems.chain];
|
||||
}
|
||||
for (var i in obj.parent.config.domains) {
|
||||
if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(results.altnames, obj.parent.config.domains[i].dns))) {
|
||||
certs.dns[i].cert = results.cert;
|
||||
certs.dns[i].key = results.privkey;
|
||||
certs.dns[i].ca = [results.chain];
|
||||
if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(results.site.altnames, obj.parent.config.domains[i].dns))) {
|
||||
certs.dns[i].cert = results.pems.cert;
|
||||
certs.dns[i].key = results.pems.privkey;
|
||||
certs.dns[i].ca = [results.pems.chain];
|
||||
}
|
||||
}
|
||||
}
|
||||
parent.debug('cert', "Got certs from local store");
|
||||
func(certs);
|
||||
|
||||
// Check if the Let's Encrypt certificate needs to be renewed.
|
||||
setTimeout(obj.checkRenewCertificate, 60000); // Check in 1 minute.
|
||||
setInterval(obj.checkRenewCertificate, 86400000); // Check again in 24 hours and every 24 hours.
|
||||
return;
|
||||
} else {
|
||||
// Otherwise return default certificates and try to get a real one
|
||||
})
|
||||
.catch(function (e) {
|
||||
parent.debug('cert', "Unable to get certs from local store");
|
||||
setTimeout(obj.checkRenewCertificate, 10000); // Check the certificate in 10 seconds.
|
||||
func(certs);
|
||||
});
|
||||
}
|
||||
console.log("Attempting to get Let's Encrypt certificate, may take a few minutes...");
|
||||
|
||||
// Figure out the RSA key size
|
||||
var rsaKeySize = (obj.parent.config.letsencrypt.rsakeysize === 2048) ? 2048 : 3072;
|
||||
|
||||
// TODO: Only register on one of the peers if multi-peers are active.
|
||||
// Register Certificate manually
|
||||
obj.le.register({
|
||||
domains: obj.leDomains,
|
||||
email: obj.parent.config.letsencrypt.email,
|
||||
agreeTos: true,
|
||||
rsaKeySize: rsaKeySize,
|
||||
challengeType: 'http-01',
|
||||
renewWithin: 45 * 24 * 60 * 60 * 1000, // Certificate renewal may begin at this time (45 days)
|
||||
renewBy: 60 * 24 * 60 * 60 * 1000 // Certificate renewal should happen by this time (60 days)
|
||||
}).then(function (xresults) {
|
||||
obj.parent.performServerCertUpdate(); // Reset the server, TODO: Reset all peers
|
||||
}, function (err) {
|
||||
console.error("ERROR: Let's encrypt error: ", err);
|
||||
});
|
||||
});
|
||||
};
|
||||
|
||||
// Check if we need to renew the certificate, call this every day.
|
||||
obj.checkRenewCertificate = function () {
|
||||
if (obj.leResults == null) { return; }
|
||||
// TODO: Only renew on one of the peers if multi-peers are active.
|
||||
// Check if we need to renew the certificate
|
||||
obj.le.renew({ duplicate: false, domains: obj.leDomains, email: obj.parent.config.letsencrypt.email }, obj.leResults).then(function (xresults) {
|
||||
obj.parent.performServerCertUpdate(); // Reset the server, TODO: Reset all peers
|
||||
}, function (err) { }); // If we can't renew, ignore.
|
||||
};
|
||||
parent.debug('cert', "Checking certs");
|
||||
|
||||
// Setup renew options
|
||||
var renewOptions = { servername: obj.servername };
|
||||
if (obj.altnames.length > 0) { renewOptions.altnames = obj.altnames; }
|
||||
obj.le.renew(renewOptions)
|
||||
.then(function (results) {
|
||||
parent.debug('cert', "Checks completed");
|
||||
if (obj.performRestart === true) { parent.debug('cert', "Certs changed, restarting..."); obj.parent.performServerCertUpdate(); } // Reset the server, TODO: Reset all peers
|
||||
})
|
||||
.catch(function (e) { console.log(e); func(certs); });
|
||||
}
|
||||
|
||||
return obj;
|
||||
} catch (ex) { console.log(ex); } // Unable to start Let's Encrypt
|
||||
return null;
|
||||
};
|
||||
|
||||
// GreenLock v3 Manager
|
||||
module.exports.create = function (options) {
|
||||
var manager = { parent: options.parent };
|
||||
manager.find = async function (options) {
|
||||
//console.log('LE-FIND', options);
|
||||
return Promise.resolve([ { subject: options.servername, altnames: options.altnames } ]);
|
||||
};
|
||||
|
||||
manager.set = function (options) {
|
||||
manager.parent.parent.debug('cert', "Certificate has been set");
|
||||
manager.parent.performRestart = true;
|
||||
return null;
|
||||
};
|
||||
|
||||
manager.remove = function (options) {
|
||||
manager.parent.parent.debug('cert', "Certificate has been removed");
|
||||
manager.parent.performRestart = true;
|
||||
return null;
|
||||
};
|
||||
|
||||
// set the global config
|
||||
manager.defaults = async function (options) {
|
||||
//console.log('LE-DEFAULTS', options);
|
||||
if (options != null) { for (var i in options) { if (manager.parent.leDefaults[i] == null) { manager.parent.leDefaults[i] = options[i]; } } }
|
||||
var r = manager.parent.leDefaults;
|
||||
var mainsite = { subject: manager.parent.servername };
|
||||
if (manager.parent.altnames.length > 0) { mainsite.altnames = manager.parent.altnames; }
|
||||
r.subscriberEmail = manager.parent.parent.config.letsencrypt.email;
|
||||
r.sites = { mainsite: mainsite };
|
||||
return r;
|
||||
};
|
||||
|
||||
return manager;
|
||||
};
|
@ -1935,7 +1935,14 @@ function InstallModules(modules, func) {
|
||||
// Modules may contain a version tag (foobar@1.0.0), remove it so the module can be found using require
|
||||
var moduleName = modules[i].split("@", 1)[0];
|
||||
try {
|
||||
if (moduleName == 'greenlock') {
|
||||
// Check if we have GreenLock v3
|
||||
delete require.cache[require.resolve('greenlock')]; // Clear the require cache
|
||||
if (typeof require('greenlock').challengeType == 'string') { missingModules.push(modules[i]); }
|
||||
} else {
|
||||
// For all other modules, do the check here.
|
||||
require(moduleName);
|
||||
}
|
||||
} catch (e) {
|
||||
if (previouslyInstalledModules[modules[i]] !== true) { missingModules.push(modules[i]); }
|
||||
}
|
||||
@ -2001,20 +2008,21 @@ function mainStart() {
|
||||
if (config.domains[i].auth == 'ldap') { ldap = true; }
|
||||
}
|
||||
|
||||
// Get the current node version
|
||||
var nodeVersion = Number(process.version.match(/^v(\d+\.\d+)/)[1]);
|
||||
|
||||
// Build the list of required modules
|
||||
var modules = ['ws', 'cbor', 'nedb', 'https', 'yauzl', 'xmldom', 'ipcheck', 'express', 'archiver', 'multiparty', 'node-forge', 'express-ws', 'compression', 'body-parser', 'connect-redis', 'cookie-session', 'express-handlebars'];
|
||||
if (require('os').platform() == 'win32') { modules.push('node-windows'); if (sspi == true) { modules.push('node-sspi'); } } // Add Windows modules
|
||||
if (ldap == true) { modules.push('ldapauth-fork'); }
|
||||
if (config.letsencrypt != null) { modules.push('greenlock@2.8.8'); modules.push('le-store-certbot'); modules.push('le-challenge-fs'); modules.push('le-acme-core'); } // Add Greenlock Modules
|
||||
//if (config.letsencrypt != null) { modules.push('greenlock@2.8.8'); modules.push('le-store-certbot'); modules.push('le-challenge-fs'); modules.push('le-acme-core'); } // Add Greenlock Modules
|
||||
if (config.letsencrypt != null) { if (nodeVersion < 8) { console.log("WARNING: Let's Encrypt support requires Node v8 or higher."); } else { modules.push('greenlock'); } } // Add Greenlock Module
|
||||
if (config.settings.mqtt != null) { modules.push('aedes'); } // Add MQTT Modules
|
||||
if (config.settings.mongodb != null) { modules.push('mongodb'); } // Add MongoDB, official driver.
|
||||
if (config.settings.vault != null) { modules.push('node-vault'); } // Add official HashiCorp's Vault module.
|
||||
else if (config.settings.xmongodb != null) { modules.push('mongojs'); } // Add MongoJS, old driver.
|
||||
if (config.smtp != null) { modules.push('nodemailer'); } // Add SMTP support
|
||||
|
||||
// Get the current node version
|
||||
var nodeVersion = Number(process.version.match(/^v(\d+\.\d+)/)[1]);
|
||||
|
||||
// If running NodeJS < 8, install "util.promisify"
|
||||
if (nodeVersion < 8) { modules.push('util.promisify'); }
|
||||
|
||||
|
@ -1,10 +1,6 @@
|
||||
{
|
||||
"name": "meshcentral",
|
||||
<<<<<<< HEAD
|
||||
"version": "0.4.3-t",
|
||||
=======
|
||||
"version": "0.4.3-w",
|
||||
>>>>>>> b8ca6da3db12bf23b94068970eaf63ec22cb391e
|
||||
"version": "0.4.3-z",
|
||||
"keywords": [
|
||||
"Remote Management",
|
||||
"Intel AMT",
|
||||
@ -34,7 +30,7 @@
|
||||
"dependencies": {
|
||||
"archiver": "^3.0.0",
|
||||
"body-parser": "^1.19.0",
|
||||
"cbor": "4.1.5",
|
||||
"cbor": "^4.1.5",
|
||||
"compression": "^1.7.4",
|
||||
"connect-redis": "^3.4.1",
|
||||
"cookie-session": "^2.0.0-beta.3",
|
||||
|
@ -23,11 +23,12 @@ module.exports.CreateRedirServer = function (parent, db, args, func) {
|
||||
obj.db = db;
|
||||
obj.args = args;
|
||||
obj.certificates = null;
|
||||
obj.express = require("express");
|
||||
obj.net = require("net");
|
||||
obj.express = require('express');
|
||||
obj.net = require('net');
|
||||
obj.app = obj.express();
|
||||
obj.tcpServer = null;
|
||||
obj.port = null;
|
||||
const leChallengePrefix = '/.well-known/acme-challenge/';
|
||||
|
||||
// Perform an HTTP to HTTPS redirection
|
||||
function performRedirection(req, res) {
|
||||
@ -49,14 +50,14 @@ module.exports.CreateRedirServer = function (parent, db, args, func) {
|
||||
*/
|
||||
|
||||
// Renter the terms of service.
|
||||
obj.app.get("/MeshServerRootCert.cer", function (req, res) {
|
||||
obj.app.get('/MeshServerRootCert.cer', function (req, res) {
|
||||
// The redirection server starts before certificates are loaded, make sure to handle the case where no certificate is loaded now.
|
||||
if (obj.certificates != null) {
|
||||
res.set({ "Cache-Control": "no-cache, no-store, must-revalidate", "Pragma": "no-cache", "Expires": "0", "Content-Type": "application/octet-stream", "Content-Disposition": "attachment; filename=\"" + obj.certificates.RootName + ".cer\"" });
|
||||
res.set({ 'Cache-Control': "no-cache, no-store, must-revalidate", "Pragma": "no-cache", "Expires": "0", "Content-Type": "application/octet-stream", "Content-Disposition": "attachment; filename=\"" + obj.certificates.RootName + ".cer\"" });
|
||||
var rootcert = obj.certificates.root.cert;
|
||||
var i = rootcert.indexOf("-----BEGIN CERTIFICATE-----\r\n");
|
||||
var i = rootcert.indexOf('-----BEGIN CERTIFICATE-----\r\n');
|
||||
if (i >= 0) { rootcert = rootcert.substring(i + 29); }
|
||||
i = rootcert.indexOf("-----END CERTIFICATE-----");
|
||||
i = rootcert.indexOf('-----END CERTIFICATE-----');
|
||||
if (i >= 0) { rootcert = rootcert.substring(i, 0); }
|
||||
res.send(Buffer.from(rootcert, "base64"));
|
||||
} else {
|
||||
@ -66,9 +67,17 @@ module.exports.CreateRedirServer = function (parent, db, args, func) {
|
||||
|
||||
// Add HTTP security headers to all responses
|
||||
obj.app.use(function (req, res, next) {
|
||||
res.removeHeader("X-Powered-By");
|
||||
res.set({ "strict-transport-security": "max-age=60000; includeSubDomains", "Referrer-Policy": "no-referrer", "x-frame-options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src http: ws: \"self\" \"unsafe-inline\"" });
|
||||
parent.debug('webrequest', req.url + ' (RedirServer)');
|
||||
res.removeHeader('X-Powered-By');
|
||||
|
||||
if ((parent.letsencrypt != null) && (req.url.startsWith(leChallengePrefix))) {
|
||||
// Let's Encrypt Support
|
||||
parent.letsencrypt.challenge(req.url.slice(leChallengePrefix.length), getCleanHostname(req), function (response) { if (response == null) { res.sendStatus(404); } else { res.send(response); } });
|
||||
} else {
|
||||
// Everything else
|
||||
res.set({ 'strict-transport-security': "max-age=60000; includeSubDomains", "Referrer-Policy": "no-referrer", "x-frame-options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src http: ws: \"self\" \"unsafe-inline\"" });
|
||||
return next();
|
||||
}
|
||||
});
|
||||
|
||||
// Once the main web server is started, call this to hookup additional handlers
|
||||
@ -125,6 +134,17 @@ module.exports.CreateRedirServer = function (parent, db, args, func) {
|
||||
});
|
||||
}
|
||||
|
||||
// Get the remote hostname correctly
|
||||
const servernameRe = /^[a-z0-9\.\-]+$/i;
|
||||
function getHostname(req) { return req.hostname || req.headers['x-forwarded-host'] || (req.headers.host || ''); };
|
||||
function getCleanHostname(req) {
|
||||
var servername = getHostname(req).toLowerCase().replace(/:.*/, '');
|
||||
try { req.hostname = servername; } catch (e) { } // read-only express property
|
||||
if (req.headers['x-forwarded-host']) { req.headers['x-forwarded-host'] = servername; }
|
||||
try { req.headers.host = servername; } catch (e) { }
|
||||
return (servernameRe.test(servername) && -1 === servername.indexOf('..') && servername) || '';
|
||||
};
|
||||
|
||||
CheckListenPort(args.redirport, StartRedirServer);
|
||||
|
||||
return obj;
|
||||
|
Loading…
Reference in New Issue
Block a user