|
|
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package autocert provides automatic access to certificates from Let's Encrypt
// and any other ACME-based CA.
//
// This package is a work in progress and makes no API stability promises.
package autocert
import ( "bytes" "context" "crypto" "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "errors" "fmt" "io" mathrand "math/rand" "net/http" "strconv" "strings" "sync" "time"
"golang.org/x/crypto/acme")
// createCertRetryAfter is how much time to wait before removing a failed state
// entry due to an unsuccessful createCert call.
// This is a variable instead of a const for testing.
// TODO: Consider making it configurable or an exp backoff?
var createCertRetryAfter = time.Minute
// pseudoRand is safe for concurrent use.
var pseudoRand *lockedMathRand
func init() { src := mathrand.NewSource(timeNow().UnixNano()) pseudoRand = &lockedMathRand{rnd: mathrand.New(src)}}
// AcceptTOS is a Manager.Prompt function that always returns true to
// indicate acceptance of the CA's Terms of Service during account
// registration.
func AcceptTOS(tosURL string) bool { return true }
// HostPolicy specifies which host names the Manager is allowed to respond to.
// It returns a non-nil error if the host should be rejected.
// The returned error is accessible via tls.Conn.Handshake and its callers.
// See Manager's HostPolicy field and GetCertificate method docs for more details.
type HostPolicy func(ctx context.Context, host string) error
// HostWhitelist returns a policy where only the specified host names are allowed.
// Only exact matches are currently supported. Subdomains, regexp or wildcard
// will not match.
func HostWhitelist(hosts ...string) HostPolicy { whitelist := make(map[string]bool, len(hosts)) for _, h := range hosts { whitelist[h] = true } return func(_ context.Context, host string) error { if !whitelist[host] { return errors.New("acme/autocert: host not configured") } return nil }}
// defaultHostPolicy is used when Manager.HostPolicy is not set.
func defaultHostPolicy(context.Context, string) error { return nil}
// Manager is a stateful certificate manager built on top of acme.Client.
// It obtains and refreshes certificates automatically,
// as well as providing them to a TLS server via tls.Config.
//
// You must specify a cache implementation, such as DirCache,
// to reuse obtained certificates across program restarts.
// Otherwise your server is very likely to exceed the certificate
// issuer's request rate limits.
type Manager struct { // Prompt specifies a callback function to conditionally accept a CA's Terms of Service (TOS).
// The registration may require the caller to agree to the CA's TOS.
// If so, Manager calls Prompt with a TOS URL provided by the CA. Prompt should report
// whether the caller agrees to the terms.
//
// To always accept the terms, the callers can use AcceptTOS.
Prompt func(tosURL string) bool
// Cache optionally stores and retrieves previously-obtained certificates.
// If nil, certs will only be cached for the lifetime of the Manager.
//
// Manager passes the Cache certificates data encoded in PEM, with private/public
// parts combined in a single Cache.Put call, private key first.
Cache Cache
// HostPolicy controls which domains the Manager will attempt
// to retrieve new certificates for. It does not affect cached certs.
//
// If non-nil, HostPolicy is called before requesting a new cert.
// If nil, all hosts are currently allowed. This is not recommended,
// as it opens a potential attack where clients connect to a server
// by IP address and pretend to be asking for an incorrect host name.
// Manager will attempt to obtain a certificate for that host, incorrectly,
// eventually reaching the CA's rate limit for certificate requests
// and making it impossible to obtain actual certificates.
//
// See GetCertificate for more details.
HostPolicy HostPolicy
// RenewBefore optionally specifies how early certificates should
// be renewed before they expire.
//
// If zero, they're renewed 30 days before expiration.
RenewBefore time.Duration
// Client is used to perform low-level operations, such as account registration
// and requesting new certificates.
// If Client is nil, a zero-value acme.Client is used with acme.LetsEncryptURL
// directory endpoint and a newly-generated ECDSA P-256 key.
//
// Mutating the field after the first call of GetCertificate method will have no effect.
Client *acme.Client
// Email optionally specifies a contact email address.
// This is used by CAs, such as Let's Encrypt, to notify about problems
// with issued certificates.
//
// If the Client's account key is already registered, Email is not used.
Email string
// ForceRSA makes the Manager generate certificates with 2048-bit RSA keys.
//
// If false, a default is used. Currently the default
// is EC-based keys using the P-256 curve.
ForceRSA bool
clientMu sync.Mutex client *acme.Client // initialized by acmeClient method
stateMu sync.Mutex state map[string]*certState // keyed by domain name
// tokenCert is keyed by token domain name, which matches server name
// of ClientHello. Keys always have ".acme.invalid" suffix.
tokenCertMu sync.RWMutex tokenCert map[string]*tls.Certificate
// renewal tracks the set of domains currently running renewal timers.
// It is keyed by domain name.
renewalMu sync.Mutex renewal map[string]*domainRenewal}
// GetCertificate implements the tls.Config.GetCertificate hook.
// It provides a TLS certificate for hello.ServerName host, including answering
// *.acme.invalid (TLS-SNI) challenges. All other fields of hello are ignored.
//
// If m.HostPolicy is non-nil, GetCertificate calls the policy before requesting
// a new cert. A non-nil error returned from m.HostPolicy halts TLS negotiation.
// The error is propagated back to the caller of GetCertificate and is user-visible.
// This does not affect cached certs. See HostPolicy field description for more details.
func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) { if m.Prompt == nil { return nil, errors.New("acme/autocert: Manager.Prompt not set") }
name := hello.ServerName if name == "" { return nil, errors.New("acme/autocert: missing server name") } if !strings.Contains(strings.Trim(name, "."), ".") { return nil, errors.New("acme/autocert: server name component count invalid") } if strings.ContainsAny(name, `/\`) { return nil, errors.New("acme/autocert: server name contains invalid character") }
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) defer cancel()
// check whether this is a token cert requested for TLS-SNI challenge
if strings.HasSuffix(name, ".acme.invalid") { m.tokenCertMu.RLock() defer m.tokenCertMu.RUnlock() if cert := m.tokenCert[name]; cert != nil { return cert, nil } if cert, err := m.cacheGet(ctx, name); err == nil { return cert, nil } // TODO: cache error results?
return nil, fmt.Errorf("acme/autocert: no token cert for %q", name) }
// regular domain
name = strings.TrimSuffix(name, ".") // golang.org/issue/18114
cert, err := m.cert(ctx, name) if err == nil { return cert, nil } if err != ErrCacheMiss { return nil, err }
// first-time
if err := m.hostPolicy()(ctx, name); err != nil { return nil, err } cert, err = m.createCert(ctx, name) if err != nil { return nil, err } m.cachePut(ctx, name, cert) return cert, nil}
// cert returns an existing certificate either from m.state or cache.
// If a certificate is found in cache but not in m.state, the latter will be filled
// with the cached value.
func (m *Manager) cert(ctx context.Context, name string) (*tls.Certificate, error) { m.stateMu.Lock() if s, ok := m.state[name]; ok { m.stateMu.Unlock() s.RLock() defer s.RUnlock() return s.tlscert() } defer m.stateMu.Unlock() cert, err := m.cacheGet(ctx, name) if err != nil { return nil, err } signer, ok := cert.PrivateKey.(crypto.Signer) if !ok { return nil, errors.New("acme/autocert: private key cannot sign") } if m.state == nil { m.state = make(map[string]*certState) } s := &certState{ key: signer, cert: cert.Certificate, leaf: cert.Leaf, } m.state[name] = s go m.renew(name, s.key, s.leaf.NotAfter) return cert, nil}
// cacheGet always returns a valid certificate, or an error otherwise.
// If a cached certficate exists but is not valid, ErrCacheMiss is returned.
func (m *Manager) cacheGet(ctx context.Context, domain string) (*tls.Certificate, error) { if m.Cache == nil { return nil, ErrCacheMiss } data, err := m.Cache.Get(ctx, domain) if err != nil { return nil, err }
// private
priv, pub := pem.Decode(data) if priv == nil || !strings.Contains(priv.Type, "PRIVATE") { return nil, ErrCacheMiss } privKey, err := parsePrivateKey(priv.Bytes) if err != nil { return nil, err }
// public
var pubDER [][]byte for len(pub) > 0 { var b *pem.Block b, pub = pem.Decode(pub) if b == nil { break } pubDER = append(pubDER, b.Bytes) } if len(pub) > 0 { // Leftover content not consumed by pem.Decode. Corrupt. Ignore.
return nil, ErrCacheMiss }
// verify and create TLS cert
leaf, err := validCert(domain, pubDER, privKey) if err != nil { return nil, ErrCacheMiss } tlscert := &tls.Certificate{ Certificate: pubDER, PrivateKey: privKey, Leaf: leaf, } return tlscert, nil}
func (m *Manager) cachePut(ctx context.Context, domain string, tlscert *tls.Certificate) error { if m.Cache == nil { return nil }
// contains PEM-encoded data
var buf bytes.Buffer
// private
switch key := tlscert.PrivateKey.(type) { case *ecdsa.PrivateKey: if err := encodeECDSAKey(&buf, key); err != nil { return err } case *rsa.PrivateKey: b := x509.MarshalPKCS1PrivateKey(key) pb := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: b} if err := pem.Encode(&buf, pb); err != nil { return err } default: return errors.New("acme/autocert: unknown private key type") }
// public
for _, b := range tlscert.Certificate { pb := &pem.Block{Type: "CERTIFICATE", Bytes: b} if err := pem.Encode(&buf, pb); err != nil { return err } }
return m.Cache.Put(ctx, domain, buf.Bytes())}
func encodeECDSAKey(w io.Writer, key *ecdsa.PrivateKey) error { b, err := x509.MarshalECPrivateKey(key) if err != nil { return err } pb := &pem.Block{Type: "EC PRIVATE KEY", Bytes: b} return pem.Encode(w, pb)}
// createCert starts the domain ownership verification and returns a certificate
// for that domain upon success.
//
// If the domain is already being verified, it waits for the existing verification to complete.
// Either way, createCert blocks for the duration of the whole process.
func (m *Manager) createCert(ctx context.Context, domain string) (*tls.Certificate, error) { // TODO: maybe rewrite this whole piece using sync.Once
state, err := m.certState(domain) if err != nil { return nil, err } // state may exist if another goroutine is already working on it
// in which case just wait for it to finish
if !state.locked { state.RLock() defer state.RUnlock() return state.tlscert() }
// We are the first; state is locked.
// Unblock the readers when domain ownership is verified
// and we got the cert or the process failed.
defer state.Unlock() state.locked = false
der, leaf, err := m.authorizedCert(ctx, state.key, domain) if err != nil { // Remove the failed state after some time,
// making the manager call createCert again on the following TLS hello.
time.AfterFunc(createCertRetryAfter, func() { defer testDidRemoveState(domain) m.stateMu.Lock() defer m.stateMu.Unlock() // Verify the state hasn't changed and it's still invalid
// before deleting.
s, ok := m.state[domain] if !ok { return } if _, err := validCert(domain, s.cert, s.key); err == nil { return } delete(m.state, domain) }) return nil, err } state.cert = der state.leaf = leaf go m.renew(domain, state.key, state.leaf.NotAfter) return state.tlscert()}
// certState returns a new or existing certState.
// If a new certState is returned, state.exist is false and the state is locked.
// The returned error is non-nil only in the case where a new state could not be created.
func (m *Manager) certState(domain string) (*certState, error) { m.stateMu.Lock() defer m.stateMu.Unlock() if m.state == nil { m.state = make(map[string]*certState) } // existing state
if state, ok := m.state[domain]; ok { return state, nil }
// new locked state
var ( err error key crypto.Signer ) if m.ForceRSA { key, err = rsa.GenerateKey(rand.Reader, 2048) } else { key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } if err != nil { return nil, err }
state := &certState{ key: key, locked: true, } state.Lock() // will be unlocked by m.certState caller
m.state[domain] = state return state, nil}
// authorizedCert starts the domain ownership verification process and requests a new cert upon success.
// The key argument is the certificate private key.
func (m *Manager) authorizedCert(ctx context.Context, key crypto.Signer, domain string) (der [][]byte, leaf *x509.Certificate, err error) { if err := m.verify(ctx, domain); err != nil { return nil, nil, err } client, err := m.acmeClient(ctx) if err != nil { return nil, nil, err } csr, err := certRequest(key, domain) if err != nil { return nil, nil, err } der, _, err = client.CreateCert(ctx, csr, 0, true) if err != nil { return nil, nil, err } leaf, err = validCert(domain, der, key) if err != nil { return nil, nil, err } return der, leaf, nil}
// verify starts a new identifier (domain) authorization flow.
// It prepares a challenge response and then blocks until the authorization
// is marked as "completed" by the CA (either succeeded or failed).
//
// verify returns nil iff the verification was successful.
func (m *Manager) verify(ctx context.Context, domain string) error { client, err := m.acmeClient(ctx) if err != nil { return err }
// start domain authorization and get the challenge
authz, err := client.Authorize(ctx, domain) if err != nil { return err } // maybe don't need to at all
if authz.Status == acme.StatusValid { return nil }
// pick a challenge: prefer tls-sni-02 over tls-sni-01
// TODO: consider authz.Combinations
var chal *acme.Challenge for _, c := range authz.Challenges { if c.Type == "tls-sni-02" { chal = c break } if c.Type == "tls-sni-01" { chal = c } } if chal == nil { return errors.New("acme/autocert: no supported challenge type found") }
// create a token cert for the challenge response
var ( cert tls.Certificate name string ) switch chal.Type { case "tls-sni-01": cert, name, err = client.TLSSNI01ChallengeCert(chal.Token) case "tls-sni-02": cert, name, err = client.TLSSNI02ChallengeCert(chal.Token) default: err = fmt.Errorf("acme/autocert: unknown challenge type %q", chal.Type) } if err != nil { return err } m.putTokenCert(ctx, name, &cert) defer func() { // verification has ended at this point
// don't need token cert anymore
go m.deleteTokenCert(name) }()
// ready to fulfill the challenge
if _, err := client.Accept(ctx, chal); err != nil { return err } // wait for the CA to validate
_, err = client.WaitAuthorization(ctx, authz.URI) return err}
// putTokenCert stores the cert under the named key in both m.tokenCert map
// and m.Cache.
func (m *Manager) putTokenCert(ctx context.Context, name string, cert *tls.Certificate) { m.tokenCertMu.Lock() defer m.tokenCertMu.Unlock() if m.tokenCert == nil { m.tokenCert = make(map[string]*tls.Certificate) } m.tokenCert[name] = cert m.cachePut(ctx, name, cert)}
// deleteTokenCert removes the token certificate for the specified domain name
// from both m.tokenCert map and m.Cache.
func (m *Manager) deleteTokenCert(name string) { m.tokenCertMu.Lock() defer m.tokenCertMu.Unlock() delete(m.tokenCert, name) if m.Cache != nil { m.Cache.Delete(context.Background(), name) }}
// renew starts a cert renewal timer loop, one per domain.
//
// The loop is scheduled in two cases:
// - a cert was fetched from cache for the first time (wasn't in m.state)
// - a new cert was created by m.createCert
//
// The key argument is a certificate private key.
// The exp argument is the cert expiration time (NotAfter).
func (m *Manager) renew(domain string, key crypto.Signer, exp time.Time) { m.renewalMu.Lock() defer m.renewalMu.Unlock() if m.renewal[domain] != nil { // another goroutine is already on it
return } if m.renewal == nil { m.renewal = make(map[string]*domainRenewal) } dr := &domainRenewal{m: m, domain: domain, key: key} m.renewal[domain] = dr dr.start(exp)}
// stopRenew stops all currently running cert renewal timers.
// The timers are not restarted during the lifetime of the Manager.
func (m *Manager) stopRenew() { m.renewalMu.Lock() defer m.renewalMu.Unlock() for name, dr := range m.renewal { delete(m.renewal, name) dr.stop() }}
func (m *Manager) accountKey(ctx context.Context) (crypto.Signer, error) { const keyName = "acme_account.key"
genKey := func() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
if m.Cache == nil { return genKey() }
data, err := m.Cache.Get(ctx, keyName) if err == ErrCacheMiss { key, err := genKey() if err != nil { return nil, err } var buf bytes.Buffer if err := encodeECDSAKey(&buf, key); err != nil { return nil, err } if err := m.Cache.Put(ctx, keyName, buf.Bytes()); err != nil { return nil, err } return key, nil } if err != nil { return nil, err }
priv, _ := pem.Decode(data) if priv == nil || !strings.Contains(priv.Type, "PRIVATE") { return nil, errors.New("acme/autocert: invalid account key found in cache") } return parsePrivateKey(priv.Bytes)}
func (m *Manager) acmeClient(ctx context.Context) (*acme.Client, error) { m.clientMu.Lock() defer m.clientMu.Unlock() if m.client != nil { return m.client, nil }
client := m.Client if client == nil { client = &acme.Client{DirectoryURL: acme.LetsEncryptURL} } if client.Key == nil { var err error client.Key, err = m.accountKey(ctx) if err != nil { return nil, err } } var contact []string if m.Email != "" { contact = []string{"mailto:" + m.Email} } a := &acme.Account{Contact: contact} _, err := client.Register(ctx, a, m.Prompt) if ae, ok := err.(*acme.Error); err == nil || ok && ae.StatusCode == http.StatusConflict { // conflict indicates the key is already registered
m.client = client err = nil } return m.client, err}
func (m *Manager) hostPolicy() HostPolicy { if m.HostPolicy != nil { return m.HostPolicy } return defaultHostPolicy}
func (m *Manager) renewBefore() time.Duration { if m.RenewBefore > renewJitter { return m.RenewBefore } return 720 * time.Hour // 30 days
}
// certState is ready when its mutex is unlocked for reading.
type certState struct { sync.RWMutex locked bool // locked for read/write
key crypto.Signer // private key for cert
cert [][]byte // DER encoding
leaf *x509.Certificate // parsed cert[0]; always non-nil if cert != nil
}
// tlscert creates a tls.Certificate from s.key and s.cert.
// Callers should wrap it in s.RLock() and s.RUnlock().
func (s *certState) tlscert() (*tls.Certificate, error) { if s.key == nil { return nil, errors.New("acme/autocert: missing signer") } if len(s.cert) == 0 { return nil, errors.New("acme/autocert: missing certificate") } return &tls.Certificate{ PrivateKey: s.key, Certificate: s.cert, Leaf: s.leaf, }, nil}
// certRequest creates a certificate request for the given common name cn
// and optional SANs.
func certRequest(key crypto.Signer, cn string, san ...string) ([]byte, error) { req := &x509.CertificateRequest{ Subject: pkix.Name{CommonName: cn}, DNSNames: san, } return x509.CreateCertificateRequest(rand.Reader, req, key)}
// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
//
// Inspired by parsePrivateKey in crypto/tls/tls.go.
func parsePrivateKey(der []byte) (crypto.Signer, error) { if key, err := x509.ParsePKCS1PrivateKey(der); err == nil { return key, nil } if key, err := x509.ParsePKCS8PrivateKey(der); err == nil { switch key := key.(type) { case *rsa.PrivateKey: return key, nil case *ecdsa.PrivateKey: return key, nil default: return nil, errors.New("acme/autocert: unknown private key type in PKCS#8 wrapping") } } if key, err := x509.ParseECPrivateKey(der); err == nil { return key, nil }
return nil, errors.New("acme/autocert: failed to parse private key")}
// validCert parses a cert chain provided as der argument and verifies the leaf, der[0],
// corresponds to the private key, as well as the domain match and expiration dates.
// It doesn't do any revocation checking.
//
// The returned value is the verified leaf cert.
func validCert(domain string, der [][]byte, key crypto.Signer) (leaf *x509.Certificate, err error) { // parse public part(s)
var n int for _, b := range der { n += len(b) } pub := make([]byte, n) n = 0 for _, b := range der { n += copy(pub[n:], b) } x509Cert, err := x509.ParseCertificates(pub) if len(x509Cert) == 0 { return nil, errors.New("acme/autocert: no public key found") } // verify the leaf is not expired and matches the domain name
leaf = x509Cert[0] now := timeNow() if now.Before(leaf.NotBefore) { return nil, errors.New("acme/autocert: certificate is not valid yet") } if now.After(leaf.NotAfter) { return nil, errors.New("acme/autocert: expired certificate") } if err := leaf.VerifyHostname(domain); err != nil { return nil, err } // ensure the leaf corresponds to the private key
switch pub := leaf.PublicKey.(type) { case *rsa.PublicKey: prv, ok := key.(*rsa.PrivateKey) if !ok { return nil, errors.New("acme/autocert: private key type does not match public key type") } if pub.N.Cmp(prv.N) != 0 { return nil, errors.New("acme/autocert: private key does not match public key") } case *ecdsa.PublicKey: prv, ok := key.(*ecdsa.PrivateKey) if !ok { return nil, errors.New("acme/autocert: private key type does not match public key type") } if pub.X.Cmp(prv.X) != 0 || pub.Y.Cmp(prv.Y) != 0 { return nil, errors.New("acme/autocert: private key does not match public key") } default: return nil, errors.New("acme/autocert: unknown public key algorithm") } return leaf, nil}
func retryAfter(v string) time.Duration { if i, err := strconv.Atoi(v); err == nil { return time.Duration(i) * time.Second } if t, err := http.ParseTime(v); err == nil { return t.Sub(timeNow()) } return time.Second}
type lockedMathRand struct { sync.Mutex rnd *mathrand.Rand}
func (r *lockedMathRand) int63n(max int64) int64 { r.Lock() n := r.rnd.Int63n(max) r.Unlock() return n}
// For easier testing.
var ( timeNow = time.Now
// Called when a state is removed.
testDidRemoveState = func(domain string) {})
|
