summaryrefslogtreecommitdiff
path: root/modules/md/md_acme_drive.c
diff options
context:
space:
mode:
Diffstat (limited to 'modules/md/md_acme_drive.c')
-rw-r--r--modules/md/md_acme_drive.c926
1 files changed, 926 insertions, 0 deletions
diff --git a/modules/md/md_acme_drive.c b/modules/md/md_acme_drive.c
new file mode 100644
index 0000000000..f72e6bd730
--- /dev/null
+++ b/modules/md/md_acme_drive.c
@@ -0,0 +1,926 @@
+/* Copyright 2017 greenbytes GmbH (https://www.greenbytes.de)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <assert.h>
+#include <stdlib.h>
+
+#include <apr_lib.h>
+#include <apr_strings.h>
+#include <apr_buckets.h>
+#include <apr_hash.h>
+#include <apr_uri.h>
+
+#include "md.h"
+#include "md_crypt.h"
+#include "md_json.h"
+#include "md_jws.h"
+#include "md_http.h"
+#include "md_log.h"
+#include "md_reg.h"
+#include "md_store.h"
+#include "md_util.h"
+
+#include "md_acme.h"
+#include "md_acme_acct.h"
+#include "md_acme_authz.h"
+
+typedef struct {
+ md_proto_driver_t *driver;
+
+ const char *phase;
+ int complete;
+
+ md_pkey_t *pkey;
+ md_cert_t *cert;
+ apr_array_header_t *chain;
+
+ md_acme_t *acme;
+ md_t *md;
+ const md_creds_t *ncreds;
+
+ apr_array_header_t *ca_challenges;
+ md_acme_authz_set_t *authz_set;
+ apr_interval_time_t authz_monitor_timeout;
+
+ const char *csr_der_64;
+ apr_interval_time_t cert_poll_timeout;
+
+ const char *chain_url;
+
+} md_acme_driver_t;
+
+/**************************************************************************************************/
+/* account setup */
+
+static apr_status_t ad_set_acct(md_proto_driver_t *d)
+{
+ md_acme_driver_t *ad = d->baton;
+ md_t *md = ad->md;
+ apr_status_t rv = APR_SUCCESS;
+ int update = 0, acct_installed = 0;
+
+ ad->phase = "setup acme";
+ if (!ad->acme
+ && APR_SUCCESS != (rv = md_acme_create(&ad->acme, d->p, md->ca_url))) {
+ goto out;
+ }
+
+ ad->phase = "choose account";
+ /* Do we have a staged (modified) account? */
+ if (APR_SUCCESS == (rv = md_acme_use_acct_staged(ad->acme, d->store, md, d->p))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "re-using staged account");
+ md->ca_account = MD_ACME_ACCT_STAGED;
+ acct_installed = 1;
+ }
+ else if (APR_STATUS_IS_ENOENT(rv)) {
+ rv = APR_SUCCESS;
+ }
+
+ /* Get an account for the ACME server for this MD */
+ if (md->ca_account && !acct_installed) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "re-use account '%s'", md->ca_account);
+ rv = md_acme_use_acct(ad->acme, d->store, d->p, md->ca_account);
+ if (APR_STATUS_IS_ENOENT(rv) || APR_STATUS_IS_EINVAL(rv)) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "rejected %s", md->ca_account);
+ md->ca_account = NULL;
+ update = 1;
+ rv = APR_SUCCESS;
+ }
+ }
+
+ if (APR_SUCCESS == rv && !md->ca_account) {
+ /* Find a local account for server, store at MD */
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: looking at existing accounts",
+ d->proto->protocol);
+ if (APR_SUCCESS == md_acme_find_acct(ad->acme, d->store, d->p)) {
+ md->ca_account = md_acme_get_acct(ad->acme, d->p);
+ update = 1;
+ }
+ }
+
+ if (APR_SUCCESS == rv && !md->ca_account) {
+ /* 2.2 No local account exists, create a new one */
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: creating new account",
+ d->proto->protocol);
+
+ if (!ad->md->contacts || apr_is_empty_array(md->contacts)) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, APR_EINVAL, d->p,
+ "no contact information for md %s", md->name);
+ rv = APR_EINVAL;
+ goto out;
+ }
+
+ if (APR_SUCCESS == (rv = md_acme_create_acct(ad->acme, d->p,
+ md->contacts, md->ca_agreement))
+ && APR_SUCCESS == (rv = md_acme_acct_save_staged(ad->acme, d->store, md, d->p))) {
+ md->ca_account = MD_ACME_ACCT_STAGED;
+ update = 1;
+ }
+ }
+
+out:
+ if (APR_SUCCESS == rv) {
+ const char *agreement = md_acme_get_agreement(ad->acme);
+ /* Persist the account chosen at the md so we use the same on future runs */
+ if (agreement && (!md->ca_agreement || strcmp(agreement, md->ca_agreement))) {
+ md->ca_agreement = agreement;
+ update = 1;
+ }
+ if (update) {
+ rv = md_save(d->store, d->p, MD_SG_STAGING, ad->md, 0);
+ }
+ }
+ return rv;
+}
+
+/**************************************************************************************************/
+/* authz/challenge setup */
+
+/**
+ * Pre-Req: we have an account for the ACME server that has accepted the current license agreement
+ * For each domain in MD:
+ * - check if there already is a valid AUTHZ resource
+ * - if ot, create an AUTHZ resource with challenge data
+ */
+static apr_status_t ad_setup_authz(md_proto_driver_t *d)
+{
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv;
+ md_t *md = ad->md;
+ md_acme_authz_t *authz;
+ int i, changed;
+
+ assert(ad->md);
+ assert(ad->acme);
+
+ ad->phase = "check authz";
+
+ /* For each domain in MD: AUTHZ setup
+ * if an AUTHZ resource is known, check if it is still valid
+ * if known AUTHZ resource is not valid, remove, goto 4.1.1
+ * if no AUTHZ available, create a new one for the domain, store it
+ */
+ rv = md_acme_authz_set_load(d->store, MD_SG_STAGING, md->name, &ad->authz_set, d->p);
+ if (!ad->authz_set || APR_STATUS_IS_ENOENT(rv)) {
+ ad->authz_set = md_acme_authz_set_create(d->p, ad->acme);
+ rv = APR_SUCCESS;
+ }
+ else if (APR_SUCCESS != rv) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: loading authz data", md->name);
+ md_acme_authz_set_purge(d->store, MD_SG_STAGING, d->p, md->name);
+ return APR_EAGAIN;
+ }
+
+ /* Remove anything we no longer need */
+ for (i = 0; i < ad->authz_set->authzs->nelts; ++i) {
+ authz = APR_ARRAY_IDX(ad->authz_set->authzs, i, md_acme_authz_t*);
+ if (!md_contains(md, authz->domain)) {
+ md_acme_authz_set_remove(ad->authz_set, authz->domain);
+ changed = 1;
+ }
+ }
+
+ /* Add anything we do not already have */
+ for (i = 0; i < md->domains->nelts && APR_SUCCESS == rv; ++i) {
+ const char *domain = APR_ARRAY_IDX(md->domains, i, const char *);
+ changed = 0;
+ authz = md_acme_authz_set_get(ad->authz_set, domain);
+ if (authz) {
+ /* check valid */
+ rv = md_acme_authz_update(authz, ad->acme, d->store, d->p);
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: updated authz for %s",
+ md->name, domain);
+ if (APR_SUCCESS != rv) {
+ md_acme_authz_set_remove(ad->authz_set, domain);
+ authz = NULL;
+ changed = 1;
+ }
+ }
+ if (!authz) {
+ /* create new one */
+ rv = md_acme_authz_register(&authz, ad->acme, d->store, domain, d->p);
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: created authz for %s",
+ md->name, domain);
+ if (APR_SUCCESS == rv) {
+ rv = md_acme_authz_set_add(ad->authz_set, authz);
+ changed = 1;
+ }
+ }
+ }
+
+ /* Save any changes */
+ if (APR_SUCCESS == rv && changed) {
+ rv = md_acme_authz_set_save(d->store, d->p, MD_SG_STAGING, md->name, ad->authz_set, 0);
+ md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, rv, d->p, "%s: saved", md->name);
+ }
+
+ return rv;
+}
+
+/**
+ * Pre-Req: all domains have a AUTHZ resources at the ACME server
+ * For each domain in MD:
+ * - if AUTHZ resource is 'valid' -> continue
+ * - if AUTHZ resource is 'pending':
+ * - find preferred challenge choice
+ * - calculate challenge data for httpd to find
+ * - POST challenge start to ACME server
+ * For each domain in MD where AUTHZ is 'pending', until overall timeout:
+ * - wait a certain time, check status again
+ * If not all AUTHZ are valid, fail
+ */
+static apr_status_t ad_start_challenges(md_proto_driver_t *d)
+{
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv = APR_SUCCESS;
+ md_acme_authz_t *authz;
+ int i, changed = 0;
+
+ assert(ad->md);
+ assert(ad->acme);
+ assert(ad->authz_set);
+
+ ad->phase = "start challenges";
+
+ for (i = 0; i < ad->authz_set->authzs->nelts && APR_SUCCESS == rv; ++i) {
+ authz = APR_ARRAY_IDX(ad->authz_set->authzs, i, md_acme_authz_t*);
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: check AUTHZ for %s",
+ ad->md->name, authz->domain);
+ if (APR_SUCCESS != (rv = md_acme_authz_update(authz, ad->acme, d->store, d->p))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, d->p, "%s: check authz for %s",
+ ad->md->name, authz->domain);
+ break;
+ }
+
+ switch (authz->state) {
+ case MD_ACME_AUTHZ_S_VALID:
+ break;
+ case MD_ACME_AUTHZ_S_PENDING:
+
+ rv = md_acme_authz_respond(authz, ad->acme, d->store, ad->ca_challenges, d->p);
+ changed = 1;
+ break;
+ default:
+ rv = APR_EINVAL;
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, d->p,
+ "%s: unexpected AUTHZ state %d at %s",
+ authz->domain, authz->state, authz->location);
+ break;
+ }
+ }
+
+ if (APR_SUCCESS == rv && changed) {
+ rv = md_acme_authz_set_save(d->store, d->p, MD_SG_STAGING, ad->md->name, ad->authz_set, 0);
+ md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, rv, d->p, "%s: saved", ad->md->name);
+ }
+ return rv;
+}
+
+static apr_status_t check_challenges(void *baton, int attemmpt)
+{
+ md_proto_driver_t *d = baton;
+ md_acme_driver_t *ad = d->baton;
+ md_acme_authz_t *authz;
+ apr_status_t rv = APR_SUCCESS;
+ int i;
+
+ for (i = 0; i < ad->authz_set->authzs->nelts && APR_SUCCESS == rv; ++i) {
+ authz = APR_ARRAY_IDX(ad->authz_set->authzs, i, md_acme_authz_t*);
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: check AUTHZ for %s",
+ ad->md->name, authz->domain);
+ if (APR_SUCCESS == (rv = md_acme_authz_update(authz, ad->acme, d->store, d->p))) {
+ switch (authz->state) {
+ case MD_ACME_AUTHZ_S_VALID:
+ break;
+ case MD_ACME_AUTHZ_S_PENDING:
+ rv = APR_EAGAIN;
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p,
+ "%s: status pending at %s", authz->domain, authz->location);
+ break;
+ default:
+ rv = APR_EINVAL;
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, d->p,
+ "%s: unexpected AUTHZ state %d at %s",
+ authz->domain, authz->state, authz->location);
+ break;
+ }
+ }
+ }
+ return rv;
+}
+
+static apr_status_t ad_monitor_challenges(md_proto_driver_t *d)
+{
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv;
+
+ assert(ad->md);
+ assert(ad->acme);
+ assert(ad->authz_set);
+
+ ad->phase = "monitor challenges";
+ rv = md_util_try(check_challenges, d, 0, ad->authz_monitor_timeout, 0, 0, 1);
+
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, rv, d->p,
+ "%s: checked all domain authorizations", ad->md->name);
+ return rv;
+}
+
+/**************************************************************************************************/
+/* poll cert */
+
+
+static apr_status_t read_http_cert(md_cert_t **pcert, apr_pool_t *p,
+ const md_http_response_t *res)
+{
+ apr_status_t rv = APR_SUCCESS;
+
+ if (APR_SUCCESS != (rv = md_cert_read_http(pcert, p, res))
+ && APR_STATUS_IS_ENOENT(rv)) {
+ rv = APR_EAGAIN;
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p,
+ "cert not in response from %s", res->req->url);
+ }
+ return rv;
+}
+
+static apr_status_t on_got_cert(md_acme_t *acme, const md_http_response_t *res, void *baton)
+{
+ md_proto_driver_t *d = baton;
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv = APR_SUCCESS;
+
+
+ if (APR_SUCCESS == (rv = read_http_cert(&ad->cert, d->p, res))) {
+ rv = md_store_save(d->store, d->p, MD_SG_STAGING, ad->md->name, MD_FN_CERT,
+ MD_SV_CERT, ad->cert, 0);
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "cert parsed and saved");
+ }
+ return rv;
+}
+
+static apr_status_t get_cert(void *baton, int attempt)
+{
+ md_proto_driver_t *d = baton;
+ md_acme_driver_t *ad = d->baton;
+
+ return md_acme_GET(ad->acme, ad->md->cert_url, NULL, NULL, on_got_cert, d);
+}
+
+static apr_status_t ad_cert_poll(md_proto_driver_t *d, int only_once)
+{
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv;
+
+ assert(ad->md);
+ assert(ad->acme);
+ assert(ad->md->cert_url);
+
+ ad->phase = "poll certificate";
+ if (only_once) {
+ rv = get_cert(d, 0);
+ }
+ else {
+ rv = md_util_try(get_cert, d, 1, ad->cert_poll_timeout, 0, 0, 1);
+ }
+
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p, "poll for cert at %s", ad->md->cert_url);
+ return rv;
+}
+
+/**************************************************************************************************/
+/* cert setup */
+
+static apr_status_t on_init_csr_req(md_acme_req_t *req, void *baton)
+{
+ md_proto_driver_t *d = baton;
+ md_acme_driver_t *ad = d->baton;
+ md_json_t *jpayload;
+
+ jpayload = md_json_create(req->p);
+ md_json_sets("new-cert", jpayload, MD_KEY_RESOURCE, NULL);
+ md_json_sets(ad->csr_der_64, jpayload, MD_KEY_CSR, NULL);
+
+ return md_acme_req_body_init(req, jpayload);
+}
+
+static apr_status_t csr_req(md_acme_t *acme, const md_http_response_t *res, void *baton)
+{
+ md_proto_driver_t *d = baton;
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv = APR_SUCCESS;
+
+ ad->md->cert_url = apr_table_get(res->headers, "location");
+ if (!ad->md->cert_url) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, APR_EINVAL, d->p,
+ "cert created without giving its location header");
+ return APR_EINVAL;
+ }
+ if (APR_SUCCESS != (rv = md_save(d->store, d->p, MD_SG_STAGING, ad->md, 0))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, APR_EINVAL, d->p,
+ "%s: saving cert url %s", ad->md->name, ad->md->cert_url);
+ return rv;
+ }
+
+ /* Check if it already was sent with this response */
+ if (APR_SUCCESS == (rv = md_cert_read_http(&ad->cert, d->p, res))) {
+ rv = md_cert_save(d->store, d->p, MD_SG_STAGING, ad->md->name, ad->cert, 0);
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "cert parsed and saved");
+ }
+ else if (APR_STATUS_IS_ENOENT(rv)) {
+ rv = APR_SUCCESS;
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p,
+ "cert not in response, need to poll %s", ad->md->cert_url);
+ }
+
+ return rv;
+}
+
+/**
+ * Pre-Req: all domains have been validated by the ACME server, e.g. all have AUTHZ
+ * resources that have status 'valid'
+ * - Setup private key, if not already there
+ * - Generate a CSR with org, contact, etc
+ * - Optionally enable must-staple OCSP extension
+ * - Submit CSR, expect 201 with location
+ * - POLL location for certificate
+ * - store certificate
+ * - retrieve cert chain information from cert
+ * - GET cert chain
+ * - store cert chain
+ */
+static apr_status_t ad_setup_certificate(md_proto_driver_t *d)
+{
+ md_acme_driver_t *ad = d->baton;
+ md_pkey_t *pkey;
+ apr_status_t rv;
+
+ ad->phase = "setup cert pkey";
+
+ rv = md_pkey_load(d->store, MD_SG_STAGING, ad->md->name, &pkey, d->p);
+ if (APR_STATUS_IS_ENOENT(rv)) {
+ if (APR_SUCCESS == (rv = md_pkey_gen_rsa(&pkey, d->p, ad->acme->pkey_bits))) {
+ rv = md_pkey_save(d->store, d->p, MD_SG_STAGING, ad->md->name, pkey, 1);
+ }
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: generate pkey", ad->md->name);
+ }
+
+ if (APR_SUCCESS == rv) {
+ ad->phase = "setup csr";
+ rv = md_cert_req_create(&ad->csr_der_64, ad->md, pkey, d->p);
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: create CSR", ad->md->name);
+ }
+
+ if (APR_SUCCESS == rv) {
+ ad->phase = "submit csr";
+ rv = md_acme_POST(ad->acme, ad->acme->new_cert, on_init_csr_req, NULL, csr_req, d);
+ }
+
+ if (APR_SUCCESS == rv) {
+ if (!ad->cert) {
+ rv = ad_cert_poll(d, 0);
+ }
+ }
+ return rv;
+}
+
+/**************************************************************************************************/
+/* cert chain retrieval */
+
+static apr_status_t on_add_chain(md_acme_t *acme, const md_http_response_t *res, void *baton)
+{
+ md_proto_driver_t *d = baton;
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv = APR_SUCCESS;
+ md_cert_t *cert;
+ const char *ct;
+
+ ct = apr_table_get(res->headers, "Content-Type");
+ if (ct && !strcmp("application/x-pkcs7-mime", ct)) {
+ /* root cert most likely, end it here */
+ return APR_SUCCESS;
+ }
+
+ if (APR_SUCCESS == (rv = read_http_cert(&cert, d->p, res))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "chain cert parsed");
+ APR_ARRAY_PUSH(ad->chain, md_cert_t *) = cert;
+ }
+ return rv;
+}
+
+static apr_status_t get_chain(void *baton, int attempt)
+{
+ md_proto_driver_t *d = baton;
+ md_acme_driver_t *ad = d->baton;
+ md_cert_t *cert;
+ const char *url, *last_url = NULL;
+ apr_status_t rv = APR_SUCCESS;
+
+ while (APR_SUCCESS == rv && ad->chain->nelts < 10) {
+ int nelts = ad->chain->nelts;
+ if (ad->chain && nelts > 0) {
+ cert = APR_ARRAY_IDX(ad->chain, nelts - 1, md_cert_t *);
+ }
+ else {
+ cert = ad->cert;
+ }
+
+ if (APR_SUCCESS == (rv = md_cert_get_issuers_uri(&url, cert, d->p))
+ && (!last_url || strcmp(last_url, url))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "next issuer is %s", url);
+#if MD_EXPERIMENTAL
+ if (!strncmp("http://127.0.0.1:", url, sizeof("http://127.0.0.1:")-1)) {
+ /* test boulder instance always reports issuer cert on localhost, but we
+ * may use a different address to reach the boulder server */
+ apr_uri_t curi, ca;
+
+ if (APR_SUCCESS == apr_uri_parse(d->p, url, &curi)
+ && APR_SUCCESS == apr_uri_parse(d->p, ad->acme->url, &ca)) {
+ url = apr_psprintf(d->p, "%s://%s:%s%s",
+ ca.scheme, ca.hostname, ca.port_str, curi.path);
+ }
+ }
+#endif
+ rv = md_acme_GET(ad->acme, url, NULL, NULL, on_add_chain, d);
+
+ if (APR_SUCCESS == rv && nelts == ad->chain->nelts) {
+ break;
+ }
+ }
+ else if (APR_STATUS_IS_ENOENT(rv) || !url || !strlen(url)) {
+ rv = APR_SUCCESS;
+ break;
+ }
+ }
+ md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, rv, d->p,
+ "got chain with %d certs", ad->chain->nelts);
+ return rv;
+}
+
+static apr_status_t ad_chain_install(md_proto_driver_t *d)
+{
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv;
+
+ ad->chain = apr_array_make(d->p, 5, sizeof(md_cert_t *));
+ if (APR_SUCCESS == (rv = md_util_try(get_chain, d, 0, ad->cert_poll_timeout, 0, 0, 0))) {
+ rv = md_store_save(d->store, d->p, MD_SG_STAGING, ad->md->name, MD_FN_CHAIN,
+ MD_SV_CHAIN, ad->chain, 0);
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "chain fetched and saved");
+ }
+ return rv;
+}
+
+/**************************************************************************************************/
+/* ACME driver init */
+
+static apr_status_t acme_driver_init(md_proto_driver_t *d)
+{
+ md_acme_driver_t *ad;
+ apr_status_t rv;
+
+ ad = apr_pcalloc(d->p, sizeof(*ad));
+
+ d->baton = ad;
+ ad->driver = d;
+
+ ad->authz_monitor_timeout = apr_time_from_sec(30);
+ ad->cert_poll_timeout = apr_time_from_sec(30);
+
+ /* We can only support challenges if the server is reachable from the outside
+ * via port 80 and/or 443. These ports might be mapped for httpd to something
+ * else, but a mapping needs to exist. */
+ ad->ca_challenges = apr_array_make(d->p, 3, sizeof(const char *));
+ if (d->challenge) {
+ /* we have been told to use this type */
+ APR_ARRAY_PUSH(ad->ca_challenges, const char*) = apr_pstrdup(d->p, d->challenge);
+ }
+ else if (d->md->ca_challenges && d->md->ca_challenges->nelts > 0) {
+ /* pre-configured set for this managed domain */
+ apr_array_cat(ad->ca_challenges, d->md->ca_challenges);
+ }
+ else {
+ /* free to chose. Add all we support and see what we get offered */
+ APR_ARRAY_PUSH(ad->ca_challenges, const char*) = MD_AUTHZ_TYPE_TLSSNI01;
+ APR_ARRAY_PUSH(ad->ca_challenges, const char*) = MD_AUTHZ_TYPE_HTTP01;
+ }
+
+ if (!d->can_http && !d->can_https) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, d->p, "%s: the server seems neither "
+ "reachable via http (port 80) nor https (port 443). The ACME protocol "
+ "needs at least one of those so the CA can talk to the server and verify "
+ "a domain ownership.", d->md->name);
+ return APR_EGENERAL;
+ }
+
+ md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, 0, d->p, "%s: init driver", d->md->name);
+
+ rv = md_load(d->store, MD_SG_STAGING, d->md->name, &ad->md, d->p);
+ md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, rv, d->p, "%s: checked stage md", d->md->name);
+ if (d->reset || APR_STATUS_IS_ENOENT(rv)) {
+ /* reset the staging area for this domain */
+ rv = md_store_purge(d->store, d->p, MD_SG_STAGING, d->md->name);
+ if (APR_SUCCESS != rv && !APR_STATUS_IS_ENOENT(rv)) {
+ return rv;
+ }
+ rv = APR_SUCCESS;
+ }
+
+ if (ad->md) {
+ /* staging in progress.
+ * There are certain md properties that are updated in staging, others are only
+ * updated in the domains store. Are these still the same? If not, we better
+ * start anew.
+ */
+ if (strcmp(d->md->ca_url, ad->md->ca_url)
+ || strcmp(d->md->ca_proto, ad->md->ca_proto)) {
+ /* reject staging info in this case */
+ ad->md = NULL;
+ return APR_SUCCESS;
+ }
+
+ if (d->md->ca_agreement
+ && (!ad->md->ca_agreement || strcmp(d->md->ca_agreement, ad->md->ca_agreement))) {
+ ad->md->ca_agreement = d->md->ca_agreement;
+ }
+
+ /* look for new ACME account information collected there */
+ rv = md_reg_creds_get(&ad->ncreds, d->reg, MD_SG_STAGING, d->md, d->p);
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: checked creds", d->md->name);
+ if (APR_STATUS_IS_ENOENT(rv)) {
+ rv = APR_SUCCESS;
+ }
+ }
+
+ return rv;
+}
+
+/**************************************************************************************************/
+/* ACME staging */
+
+static apr_status_t acme_stage(md_proto_driver_t *d)
+{
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv = APR_SUCCESS;
+ int renew = 1;
+
+ if (md_log_is_level(d->p, MD_LOG_DEBUG)) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, d->p, "%s: staging started, "
+ "state=%d, can_http=%d, can_https=%d, challenges='%s'",
+ d->md->name, d->md->state, d->can_http, d->can_https,
+ apr_array_pstrcat(d->p, ad->ca_challenges, ' '));
+ }
+
+ /* Find out where we're at with this managed domain */
+ if (ad->ncreds && ad->ncreds->pkey && ad->ncreds->cert && ad->ncreds->chain) {
+ /* There is a full set staged, to be loaded */
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p, "%s: all data staged", d->md->name);
+ renew = 0;
+ }
+
+ if (renew) {
+ if (APR_SUCCESS != (rv = md_acme_create(&ad->acme, d->p, d->md->ca_url))
+ || APR_SUCCESS != (rv = md_acme_setup(ad->acme))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, d->p, "%s: setup ACME(%s)",
+ d->md->name, d->md->ca_url);
+ return rv;
+ }
+
+ if (!ad->md) {
+ /* re-initialize staging */
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p, "%s: setup staging", d->md->name);
+ md_store_purge(d->store, d->p, MD_SG_STAGING, d->md->name);
+ ad->md = md_copy(d->p, d->md);
+ ad->md->cert_url = NULL; /* do not retrieve the old cert */
+ rv = md_save(d->store, d->p, MD_SG_STAGING, ad->md, 0);
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: save staged md",
+ ad->md->name);
+ }
+
+ if (APR_SUCCESS == rv && !ad->cert) {
+ md_cert_load(d->store, MD_SG_STAGING, ad->md->name, &ad->cert, d->p);
+ }
+
+ if (APR_SUCCESS == rv && !ad->cert) {
+ ad->phase = "get certificate";
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p, "%s: need certificate", d->md->name);
+
+ /* Chose (or create) and ACME account to use */
+ rv = ad_set_acct(d);
+
+ /* Check that the account agreed to the terms-of-service, otherwise
+ * requests for new authorizations are denied. ToS may change during the
+ * lifetime of an account */
+ if (APR_SUCCESS == rv) {
+ ad->phase = "check agreement";
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p,
+ "%s: check Terms-of-Service agreement", d->md->name);
+
+ rv = md_acme_check_agreement(ad->acme, d->p, ad->md->ca_agreement);
+ }
+
+ /* If we know a cert's location, try to get it. Previous download might
+ * have failed. If server 404 it, we clear our memory of it. */
+ if (APR_SUCCESS == rv && ad->md->cert_url) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p,
+ "%s: polling certificate", d->md->name);
+ rv = ad_cert_poll(d, 1);
+ if (APR_STATUS_IS_ENOENT(rv)) {
+ /* Server reports to know nothing about it. */
+ ad->md->cert_url = NULL;
+ rv = md_reg_update(d->reg, d->p, ad->md->name, ad->md, MD_UPD_CERT_URL);
+ }
+ }
+
+ if (APR_SUCCESS == rv && !ad->cert) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p,
+ "%s: setup new authorization", d->md->name);
+ if (APR_SUCCESS != (rv = ad_setup_authz(d))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: setup authz resource",
+ ad->md->name);
+ goto out;
+ }
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p,
+ "%s: setup new challenges", d->md->name);
+ if (APR_SUCCESS != (rv = ad_start_challenges(d))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: start challenges",
+ ad->md->name);
+ goto out;
+ }
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p,
+ "%s: monitoring challenge status", d->md->name);
+ if (APR_SUCCESS != (rv = ad_monitor_challenges(d))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: monitor challenges",
+ ad->md->name);
+ goto out;
+ }
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p,
+ "%s: creating certificate request", d->md->name);
+ if (APR_SUCCESS != (rv = ad_setup_certificate(d))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: setup certificate",
+ ad->md->name);
+ goto out;
+ }
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p,
+ "%s: received certificate", d->md->name);
+ }
+
+ }
+
+ if (APR_SUCCESS == rv && !ad->chain) {
+ ad->phase = "install chain";
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, d->p,
+ "%s: retrieving certificate chain", d->md->name);
+ rv = ad_chain_install(d);
+ }
+ }
+out:
+ return rv;
+}
+
+static apr_status_t acme_driver_stage(md_proto_driver_t *d)
+{
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv;
+
+ ad->phase = "ACME staging";
+ if (APR_SUCCESS == (rv = acme_stage(d))) {
+ ad->phase = "staging done";
+ }
+
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: %s, %s",
+ d->md->name, d->proto->protocol, ad->phase);
+ return rv;
+}
+
+/**************************************************************************************************/
+/* ACME preload */
+
+static apr_status_t acme_preload(md_store_t *store, md_store_group_t load_group,
+ const char *name, apr_pool_t *p)
+{
+ apr_status_t rv;
+ md_pkey_t *pkey, *acct_key;
+ md_t *md;
+ md_cert_t *cert;
+ apr_array_header_t *chain;
+ struct md_acme_acct_t *acct;
+
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p, "%s: preload start", name);
+ /* Load all data which will be taken into the DOMAIN storage group.
+ * This serves several purposes:
+ * 1. It's a format check on the input data.
+ * 2. We write back what we read, creating data with our own access permissions
+ * 3. We ignore any other accumulated data in STAGING
+ * 4. Once TMP is verified, we can swap/archive groups with a rename
+ * 5. Reading/Writing the data will apply/remove any group specific data encryption.
+ * With the exemption that DOMAINS and TMP must apply the same policy/keys.
+ */
+ if (APR_SUCCESS != (rv = md_load(store, MD_SG_STAGING, name, &md, p))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "%s: loading md json", name);
+ return rv;
+ }
+ if (APR_SUCCESS != (rv = md_cert_load(store, MD_SG_STAGING, name, &cert, p))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "%s: loading certificate", name);
+ return rv;
+ }
+ if (APR_SUCCESS != (rv = md_chain_load(store, MD_SG_STAGING, name, &chain, p))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "%s: loading cert chain", name);
+ return rv;
+ }
+ if (APR_SUCCESS != (rv = md_pkey_load(store, MD_SG_STAGING, name, &pkey, p))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "%s: loading staging private key", name);
+ return rv;
+ }
+
+ /* See if staging holds a new or modified account data */
+ rv = md_acme_acct_load(&acct, &acct_key, store, MD_SG_STAGING, name, p);
+ if (APR_STATUS_IS_ENOENT(rv)) {
+ acct = NULL;
+ acct_key = NULL;
+ rv = APR_SUCCESS;
+ }
+ else if (APR_SUCCESS != rv) {
+ return rv;
+ }
+
+ /* Remove any authz information we have here or in MD_SG_CHALLENGES */
+ md_acme_authz_set_purge(store, MD_SG_STAGING, p, name);
+
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p,
+ "%s: staged data load, purging tmp space", name);
+ rv = md_store_purge(store, p, load_group, name);
+ if (APR_SUCCESS != rv) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: error purging preload storage", name);
+ return rv;
+ }
+
+ if (acct) {
+ md_acme_t *acme;
+
+ if (APR_SUCCESS != (rv = md_acme_create(&acme, p, md->ca_url))
+ || APR_SUCCESS != (rv = md_acme_acct_save(store, p, acme, acct, acct_key))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: error saving acct", name);
+ return rv;
+ }
+ md->ca_account = acct->id;
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "%s: saved ACME account %s",
+ name, acct->id);
+ }
+
+ if (APR_SUCCESS != (rv = md_save(store, p, load_group, md, 1))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: saving md json", name);
+ return rv;
+ }
+ if (APR_SUCCESS != (rv = md_cert_save(store, p, load_group, name, cert, 1))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: saving certificate", name);
+ return rv;
+ }
+ if (APR_SUCCESS != (rv = md_chain_save(store, p, load_group, name, chain, 1))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: saving cert chain", name);
+ return rv;
+ }
+ if (APR_SUCCESS != (rv = md_pkey_save(store, p, load_group, name, pkey, 1))) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: saving domain private key", name);
+ return rv;
+ }
+
+ return rv;
+}
+
+static apr_status_t acme_driver_preload(md_proto_driver_t *d, md_store_group_t group)
+{
+ md_acme_driver_t *ad = d->baton;
+ apr_status_t rv;
+
+ ad->phase = "ACME preload";
+ if (APR_SUCCESS == (rv = acme_preload(d->store, group, d->md->name, d->p))) {
+ ad->phase = "preload done";
+ }
+
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, "%s: %s, %s",
+ d->md->name, d->proto->protocol, ad->phase);
+ return rv;
+}
+
+static md_proto_t ACME_PROTO = {
+ MD_PROTO_ACME, acme_driver_init, acme_driver_stage, acme_driver_preload
+};
+
+apr_status_t md_acme_protos_add(apr_hash_t *protos, apr_pool_t *p)
+{
+ apr_hash_set(protos, MD_PROTO_ACME, sizeof(MD_PROTO_ACME)-1, &ACME_PROTO);
+ return APR_SUCCESS;
+}
View Lorry Controller Status