local-ip.sh/certs/certs.go

156 lines
4.2 KiB
Go
Raw Normal View History

package certs
import (
2023-02-26 13:06:15 +00:00
"encoding/json"
2024-07-09 23:09:18 +00:00
"fmt"
"log"
2023-02-26 13:06:15 +00:00
"os"
"strings"
2023-02-26 13:35:07 +00:00
"time"
2023-02-26 13:35:07 +00:00
"github.com/go-acme/lego/v4/certcrypto"
"github.com/go-acme/lego/v4/certificate"
"github.com/go-acme/lego/v4/challenge/dns01"
"github.com/go-acme/lego/v4/lego"
"local-ip.sh/xip"
)
type certsClient struct {
2024-07-09 23:09:18 +00:00
legoClient *lego.Client
lastWildcardCertificate *certificate.Resource
lastRootCertificate *certificate.Resource
}
2024-07-09 23:09:18 +00:00
func (c *certsClient) RequestCertificates() {
c.requestCertificate("wildcard")
c.requestCertificate("root")
}
func (c *certsClient) requestCertificate(certType string) {
var lastCertificate *certificate.Resource
var domains []string
if certType == "wildcard" {
lastCertificate = c.lastWildcardCertificate
domains = []string{"*.local-ip.sh"}
} else if certType == "root" {
lastCertificate = c.lastRootCertificate
domains = []string{"local-ip.sh"}
} else {
log.Fatalf("Unexpected certType %s. Only \"wildcard\" and \"root\" are supported", certType)
}
log.Printf("requesting %s certificate\n", certType)
if lastCertificate != nil {
certificates, err := certcrypto.ParsePEMBundle(c.lastWildcardCertificate.Certificate)
2023-02-26 13:35:07 +00:00
if err != nil {
log.Fatal(err)
}
x509Cert := certificates[0]
timeLeft := x509Cert.NotAfter.Sub(time.Now().UTC())
if timeLeft > time.Hour*24*30 {
log.Printf("%d days left before expiration, will not renew", int(timeLeft.Hours()/24))
return
}
2024-07-09 23:09:18 +00:00
c.renewCertificates()
2023-02-26 13:06:15 +00:00
return
}
certificates, err := c.legoClient.Certificate.Obtain(certificate.ObtainRequest{
2024-07-09 23:09:18 +00:00
Domains: domains,
Bundle: true,
})
if err != nil {
log.Fatal(err)
}
2024-07-09 23:09:18 +00:00
if certType == "wildcard" {
c.lastWildcardCertificate = certificates
} else if certType == "root" {
c.lastRootCertificate = certificates
}
persistFiles(certificates, certType)
2023-02-26 13:06:15 +00:00
}
2024-07-09 23:09:18 +00:00
func (c *certsClient) renewCertificates() {
2023-02-26 13:06:15 +00:00
log.Println("renewing currently existing certificate")
2024-07-09 23:09:18 +00:00
wildcardCertificate, err := c.legoClient.Certificate.Renew(*c.lastWildcardCertificate, true, false, "")
2023-02-26 13:06:15 +00:00
if err != nil {
log.Fatal(err)
}
2024-07-09 23:09:18 +00:00
c.lastWildcardCertificate = wildcardCertificate
persistFiles(wildcardCertificate, "wildcard")
2023-02-26 13:06:15 +00:00
2024-07-09 23:09:18 +00:00
rootCertificate, err := c.legoClient.Certificate.Renew(*c.lastRootCertificate, true, false, "")
if err != nil {
log.Fatal(err)
}
c.lastRootCertificate = rootCertificate
persistFiles(rootCertificate, "root")
2023-02-26 13:06:15 +00:00
}
2024-07-09 23:09:18 +00:00
func persistFiles(certificates *certificate.Resource, certType string) {
os.MkdirAll(fmt.Sprintf("/certs/%s", certType), 0o755)
os.WriteFile(fmt.Sprintf("/certs/%s/server.pem", certType), certificates.Certificate, 0o644)
os.WriteFile(fmt.Sprintf("/certs/%s/server.key", certType), certificates.PrivateKey, 0o644)
2023-02-26 13:06:15 +00:00
jsonBytes, err := json.MarshalIndent(certificates, "", "\t")
if err != nil {
log.Fatal(err)
}
2024-07-09 23:09:18 +00:00
os.WriteFile(fmt.Sprintf("/certs/%s/output.json", certType), jsonBytes, 0o644)
}
func NewCertsClient(xip *xip.Xip, user *Account) *certsClient {
config := lego.NewConfig(user)
config.CADirURL = caDirUrl
legoClient, err := lego.NewClient(config)
if err != nil {
log.Fatal(err)
}
provider := newProviderLocalIp(xip)
2023-02-26 13:06:15 +00:00
legoClient.Challenge.SetDNS01Provider(provider, dns01.AddRecursiveNameservers([]string{"1.1.1.1:53", "8.8.8.8:53"}), dns01.DisableCompletePropagationRequirement())
2024-07-09 23:09:18 +00:00
lastWildcardCertificate := getLastCertificate(legoClient, "wildcard")
lastRootCertificate := getLastCertificate(legoClient, "root")
return &certsClient{
legoClient,
2024-07-09 23:09:18 +00:00
lastWildcardCertificate,
lastRootCertificate,
}
}
2023-02-26 13:06:15 +00:00
2024-07-09 23:09:18 +00:00
func getLastCertificate(legoClient *lego.Client, certType string) *certificate.Resource {
jsonBytes, err := os.ReadFile(fmt.Sprintf("/certs/%s/output.json", certType))
2023-02-26 13:06:15 +00:00
if err != nil {
if strings.Contains(err.Error(), "no such file or directory") {
return nil
}
log.Println(err)
log.Println("falling back to getting a brand new cert")
return nil
}
2023-12-12 21:25:39 +00:00
lastCertificate := &certificate.Resource{}
2023-02-26 13:06:15 +00:00
err = json.Unmarshal(jsonBytes, lastCertificate)
if err != nil {
log.Println(err)
log.Println("falling back to getting a brand new cert")
return nil
}
lastCertificate, err = legoClient.Certificate.Get(lastCertificate.CertURL, true)
if err != nil {
log.Println(err)
log.Println("falling back to getting a brand new cert")
return nil
}
return lastCertificate
}