first iteration to automate certificate generation
This commit is contained in:
114
certs/account.go
Normal file
114
certs/account.go
Normal file
@ -0,0 +1,114 @@
|
||||
package certs
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/x509"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"log"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/go-acme/lego/v4/lego"
|
||||
"github.com/go-acme/lego/v4/registration"
|
||||
)
|
||||
|
||||
type Account struct {
|
||||
Email string
|
||||
Registration *registration.Resource
|
||||
key *ecdsa.PrivateKey
|
||||
}
|
||||
|
||||
func (u *Account) GetEmail() string {
|
||||
return u.Email
|
||||
}
|
||||
func (u *Account) GetRegistration() *registration.Resource {
|
||||
return u.Registration
|
||||
}
|
||||
func (u *Account) GetPrivateKey() crypto.PrivateKey {
|
||||
return u.key
|
||||
}
|
||||
|
||||
func LoadAccount() *Account {
|
||||
jsonBytes, err := os.ReadFile(accountFilePath)
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "no such file or directory") {
|
||||
RegisterAccount()
|
||||
return LoadAccount()
|
||||
}
|
||||
log.Fatal(err)
|
||||
}
|
||||
account := &Account{}
|
||||
err = json.Unmarshal(jsonBytes, account)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
privKey, err := os.ReadFile(keyFilePath)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
privateKey := decode(string(privKey))
|
||||
|
||||
account.key = privateKey
|
||||
return account
|
||||
}
|
||||
|
||||
func RegisterAccount() {
|
||||
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
account := &Account{
|
||||
Email: email,
|
||||
key: privateKey,
|
||||
}
|
||||
config := lego.NewConfig(account)
|
||||
config.CADirURL = caDirUrl
|
||||
legoClient, err := lego.NewClient(config)
|
||||
|
||||
reg, err := legoClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
|
||||
if reg.Body.Status != "valid" {
|
||||
log.Fatalf("registration failed with status %s", reg.Body.Status)
|
||||
}
|
||||
log.Println(reg.Body.TermsOfServiceAgreed)
|
||||
account.Registration = reg
|
||||
|
||||
os.MkdirAll(filepath.Dir(keyFilePath), os.ModePerm)
|
||||
privKey := encode(privateKey)
|
||||
err = os.WriteFile(keyFilePath, []byte(privKey), 0o644)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
jsonBytes, err := json.MarshalIndent(account, "", "\t")
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
os.MkdirAll(filepath.Dir(accountFilePath), os.ModePerm)
|
||||
err = os.WriteFile(accountFilePath, jsonBytes, 0o600)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func encode(privateKey *ecdsa.PrivateKey) string {
|
||||
x509Encoded, _ := x509.MarshalECPrivateKey(privateKey)
|
||||
pemEncoded := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: x509Encoded})
|
||||
|
||||
return string(pemEncoded)
|
||||
}
|
||||
|
||||
func decode(pemEncoded string) *ecdsa.PrivateKey {
|
||||
block, _ := pem.Decode([]byte(pemEncoded))
|
||||
x509Encoded := block.Bytes
|
||||
privateKey, _ := x509.ParseECPrivateKey(x509Encoded)
|
||||
|
||||
return privateKey
|
||||
}
|
43
certs/certs.go
Normal file
43
certs/certs.go
Normal file
@ -0,0 +1,43 @@
|
||||
package certs
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
|
||||
"github.com/go-acme/lego/v4/certificate"
|
||||
"github.com/go-acme/lego/v4/challenge/dns01"
|
||||
"github.com/go-acme/lego/v4/lego"
|
||||
"local-ip.sh/xip"
|
||||
)
|
||||
|
||||
type certsClient struct {
|
||||
legoClient *lego.Client
|
||||
}
|
||||
|
||||
func (c *certsClient) RequestCertificate() {
|
||||
certificates, err := c.legoClient.Certificate.Obtain(certificate.ObtainRequest{
|
||||
Domains: []string{"*.local-ip.sh"},
|
||||
Bundle: true,
|
||||
})
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
fmt.Printf("%#v\n", certificates)
|
||||
}
|
||||
|
||||
func NewCertsClient(xip *xip.Xip, user *Account) *certsClient {
|
||||
config := lego.NewConfig(user)
|
||||
config.CADirURL = caDirUrl
|
||||
legoClient, err := lego.NewClient(config)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
provider := newProviderLocalIp(xip)
|
||||
legoClient.Challenge.SetDNS01Provider(provider, dns01.AddRecursiveNameservers([]string{"1.1.1.1:53", "8.8.8.8:53"}))
|
||||
|
||||
return &certsClient{
|
||||
legoClient,
|
||||
}
|
||||
}
|
18
certs/config.go
Normal file
18
certs/config.go
Normal file
@ -0,0 +1,18 @@
|
||||
package certs
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/url"
|
||||
|
||||
"github.com/go-acme/lego/v4/lego"
|
||||
)
|
||||
|
||||
const (
|
||||
email = "admin@local-ip.sh"
|
||||
caDirUrl = lego.LEDirectoryStaging
|
||||
)
|
||||
|
||||
var parsedCaDirUrl, _ = url.Parse(caDirUrl)
|
||||
var caDirHostname = parsedCaDirUrl.Hostname()
|
||||
var accountFilePath = fmt.Sprintf("./.lego/accounts/%s/%s/account.json", caDirHostname, email)
|
||||
var keyFilePath = fmt.Sprintf("./.lego/accounts/%s/%s/keys/%s.key", caDirHostname, email, email)
|
29
certs/provider.go
Normal file
29
certs/provider.go
Normal file
@ -0,0 +1,29 @@
|
||||
package certs
|
||||
|
||||
import (
|
||||
"github.com/go-acme/lego/v4/challenge/dns01"
|
||||
|
||||
"local-ip.sh/xip"
|
||||
)
|
||||
|
||||
type DNSProviderLocalIp struct {
|
||||
xip *xip.Xip
|
||||
}
|
||||
|
||||
func (d *DNSProviderLocalIp) Present(domain, token, keyAuth string) error {
|
||||
fqdn, value := dns01.GetRecord(domain, keyAuth)
|
||||
d.xip.SetTXTRecord(fqdn, value)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *DNSProviderLocalIp) CleanUp(domain, token, keyAuth string) error {
|
||||
fqdn, _ := dns01.GetRecord(domain, keyAuth)
|
||||
d.xip.UnsetTXTRecord(fqdn)
|
||||
return nil
|
||||
}
|
||||
|
||||
func newProviderLocalIp(xip *xip.Xip) *DNSProviderLocalIp {
|
||||
return &DNSProviderLocalIp{
|
||||
xip,
|
||||
}
|
||||
}
|
Reference in New Issue
Block a user