X-Git-Url: https://git.rapsys.eu/.gitweb.cgi/acme/blobdiff_plain/9c3c698790057b5c32bb7daacb9269ddf4b677df..17feca20e7d0e958d43e934cdc4894a0457c2727:/acme.pm

diff --git a/acme.pm b/acme.pm
deleted file mode 100644
index db1c6d4..0000000
--- a/acme.pm
+++ /dev/null
@@ -1,760 +0,0 @@
-# This file is part of Acmepl
-#
-# Acmepl is is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-# Copyright (C) 2016 - 2017 Raphaël Gertz <acmepl@rapsys.eu>
-
-# acme package
-package acme;
-
-# Best practice
-use strict;
-use warnings;
-
-# Symbol export
-use Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(DS CERT_DIR KEY_DIR REQUEST_CSR ACCOUNT_KEY SERVER_KEY SERVER_CRT CONFIG);
-
-# Load dependancies
-use Carp qw(carp confess);
-use Date::Parse qw(str2time);
-use Digest::SHA qw(sha256_base64);
-use Email::Valid;
-use File::Path qw(make_path);
-use File::Slurp qw(read_file write_file);
-use File::Temp; # qw( :seekable );
-use IPC::System::Simple qw(capturex);
-use JSON qw(from_json to_json);
-use LWP;
-use MIME::Base64 qw(encode_base64url encode_base64);
-use Net::Domain::TLD;
-use POSIX qw(EXIT_FAILURE);
-use Tie::IxHash;
-
-# Documentation links
-#XXX: see https://letsencrypt.github.io/acme-spec/ (probably based on https://ietf-wg-acme.github.io/acme/)
-#XXX: see jwk rfc http://www.rfc-editor.org/rfc/rfc7517.txt
-#XXX: see javascript implementation https://github.com/diafygi/gethttpsforfree/blob/gh-pages/js/index.js
-
-# Set constants
-use constant {
-	# Directory separator
-	DS => '/',
-
-	# Directory for certificates
-	CERT_DIR => 'cert',
-
-	# Directory for keys
-	KEY_DIR => 'key',
-
-	# Directory for pending cache
-	PENDING_DIR => 'pending',
-
-	# Request certificate file name
-	REQUEST_CSR => 'request.der',
-
-	# Account key file name
-	ACCOUNT_KEY => 'account.pem',
-
-	# Server private key
-	SERVER_KEY => 'server.pem',
-
-	# Server public certificate
-	SERVER_CRT => 'server.crt',
-
-	# rsa
-	KEY_TYPE => 'rsa',
-
-	# 2048|4096
-	KEY_SIZE => 4096,
-
-	# Acme infos
-	ACME_CERT => 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem',
-	ACME_DIR => 'https://acme-staging.api.letsencrypt.org/directory',
-	ACME_PROD_DIR => 'https://acme-v01.api.letsencrypt.org/directory',
-	ACME_TERMS => 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf',
-
-	# Version
-	VERSION => 'v0.6',
-
-	# Config
-	CONFIG => '/etc/acmepl/config'
-};
-
-# User agent object
-our $ua;
-
-# Strerr backup
-our $_stderr;
-
-# JSON Web Key (JWK)
-#XXX: tie to Tie::IxHash to keep a stable ordering of hash keys
-#our %jwk = (
-#	pubkey => undef,
-#	jwk => {
-#		alg => 'RS256',
-#		jwk => {
-#			# Exponent
-#			e => undef,
-#			# Key type
-#			kty => uc(KEY_TYPE),
-#			# Modulus
-#			n => undef
-#		}
-#	},
-#	thumbprint => undef
-#);
-tie(our %jwk, 'Tie::IxHash', pubkey => undef, jwk => undef, thumbprint => undef);
-tie(%{$jwk{jwk}}, 'Tie::IxHash', alg => 'RS256', jwk => undef);
-#XXX: strict ordering only really needed here for thumbprint sha256 digest
-tie(%{$jwk{jwk}{jwk}}, 'Tie::IxHash', e => undef, kty => uc(KEY_TYPE), n => undef);
-
-# Constructor
-sub new {
-	# Extract params
-	my ($class, $mail, $debug, $prod, @domains) = @_;
-
-	# Create self hash
-	my $self = {};
-
-	# Link self to package
-	bless($self, $class);
-
-	# Save debug
-	$self->{debug} = $debug;
-
-	# Save prod
-	$self->{prod} = $prod;
-
-	# Add extra check to mail validity
-	#XXX: mxcheck fail if there is only a A record on the domain
-	my $ev = Email::Valid->new(-fqdn => 1, -tldcheck => 1, -mxcheck => 1);
-
-	# Show error if check fail
-	if (! defined $ev->address($mail)) {
-		map { carp 'failed check: '.$_ if ($self->{debug}) } $ev->details();
-		confess 'Email::Valid->address failed';
-	}
-
-	# Save mail
-	$self->{mail} = $mail;
-
-	# Create resolver
-	my $res = new Net::DNS::Resolver();
-
-	# Check domains
-	map {
-		my $tld;
-
-		# Extract tld
-		unless (($tld) = $_ =~ m/\.(\w+)$/) {
-			confess $_.'\'s tld extraction failed';
-		}
-
-		# Check if tld exists
-		unless(Net::Domain::TLD::tld_exists($tld)) {
-			confess $tld.' tld from '.$_.' don\'t exists';
-		}
-
-		# Check if we get dns answer
-		#XXX: only search A type because letsencrypt don't support ipv6 (AAAA) yet
-		unless(my $rep = $res->search($_, 'A')) {
-			confess 'search A record for '.$_.' failed';
-		} else {
-			unless (scalar map { $_->type eq 'A' ? 1 : (); } $rep->answer) {
-				confess 'search recursively A record for '.$_.' failed';
-			}
-		}
-	} @domains;
-
-	# Save domains
-	@{$self->{domains}} = @domains;
-
-	# Return class reference
-	return $self;
-}
-
-# Prepare environement
-sub prepare {
-	my ($self) = @_;
-
-	# Create all paths
-	make_path(CERT_DIR, KEY_DIR, PENDING_DIR.'/'.$self->{mail}.'.'.($self->{prod} ? 'prod' : 'staging'), {error => \my $err});
-	if (@$err) {
-		map {
-			my ($file, $msg) = %$_;
-			carp ($file eq '' ? '' : $file.': ').$msg if ($self->{debug});
-		} @$err;
-		confess 'make_path failed';
-	}
-
-	# Create user agent
-	$ua = LWP::UserAgent->new;
-	$ua->agent(__PACKAGE__.'/'.VERSION)
-}
-
-# Drop stderr
-sub _dropStdErr {
-	# Save stderr
-	open($_stderr, '>&STDERR') or die $!;
-	# Close it
-	close(STDERR) or die $!;
-	# Send to /dev/null
-	open(STDERR, '>', '/dev/null') or die $!;
-}
-
-# Restore stderr
-sub _restoreStdErr {
-	# Close stderr
-	close(STDERR);
-	# Open it back
-	open(STDERR, '>&', $_stderr) or die $!;
-}
-
-# Generate required keys
-sub genKeys {
-	my ($self) = @_;
-
-	# Generate account and server key if required
-	map {
-		# Check key existence
-		if (! -f $_) {
-			# Drop stderr
-			_dropStdErr();
-			# Generate key
-			#XXX: we drop stderr here because openssl can't be quiet on this command
-			capturex('openssl', ('genrsa', '-out', $_, KEY_SIZE));
-			# Restore stderr
-			_restoreStdErr();
-		}
-	} (KEY_DIR.DS.ACCOUNT_KEY, KEY_DIR.DS.SERVER_KEY);
-
-	# Extract modulus and publicExponent jwk
-	#XXX: same here we tie to keep ordering
-	tie(%{$self->{account}}, 'Tie::IxHash', %jwk);
-	map {
-		if (/^Modulus=([0-9A-F]+)$/) {
-			# Extract to binary from hex and convert to base64 url
-			$self->{account}{jwk}{jwk}{n} = encode_base64url(pack("H*", $1) =~ s/^\0+//r);
-		} elsif (/^publicExponent:\s([0-9]+)\s\(0x[0-1]+\)$/) {
-			# Extract to binary from int, trim leading zeros and convert to base64 url
-			chomp ($self->{account}{jwk}{jwk}{e} = encode_base64url(pack("N", $1) =~ s/^\0+//r));
-		}
-	} capturex('openssl', ('rsa', '-text', '-in', KEY_DIR.DS.ACCOUNT_KEY, '-noout', '-modulus'));
-
-	# Drop stderr
-	_dropStdErr();
-	# Extract account public key
-	$self->{account}{pubkey} = join('', map { chomp; $_; } capturex('openssl', ('rsa', '-in', KEY_DIR.DS.ACCOUNT_KEY, '-pubout')));
-	# Restore stderr
-	_restoreStdErr();
-
-	# Store thumbprint
-	#XXX: convert base64 to base64 url
-	$self->{account}{thumbprint} = (sha256_base64(to_json($self->{account}{jwk}{jwk})) =~ s/=+\z//r) =~ tr[+/][-_]r;
-}
-
-# Generate certificate request
-sub genCsr {
-	my ($self) = @_;
-
-	# Openssl config template
-	my $oct = File::Temp->new();
-
-	# Load template from data
-	map { s/__EMAIL_ADDRESS__/$self->{mail}/; s/__COMMON_NAME__/$self->{domains}[0]/; print $oct $_; } <DATA>;
-
-	# Close data
-	close(DATA);
-
-	# Append domain names
-	my $i = 1;
-	map { print $oct 'DNS.'.$i++.' = '.$_."\n"; } @{$self->{domains}};
-
-	# Generate csr
-	capturex('openssl', ('req', '-new', '-outform', 'DER', '-key', KEY_DIR.DS.SERVER_KEY, '-config', $oct->filename, '-out', CERT_DIR.DS.REQUEST_CSR));
-
-	# Close oct
-	close($oct);
-}
-
-# Directory call
-sub directory {
-	my ($self) = @_;
-
-	# Set time
-	my $time = time;
-
-	# Set directory
-	my $dir = $self->{prod} ? ACME_PROD_DIR : ACME_DIR;
-
-	# Create a request
-	my $req = HTTP::Request->new(GET => $dir.'?'.$time);
-
-	# Get request
-	my $res = $ua->request($req);
-
-	# Handle error
-	unless ($res->is_success) {
-		confess 'GET '.$dir.'?'.$time.' failed: '.$res->status_line;
-	}
-
-	# Save nonce
-	$self->{nonce} = $res->headers->{'replay-nonce'};
-
-	# Merge uris in self content
-	%$self = (%$self, %{from_json($res->content)});
-}
-
-# Post request
-sub _post {
-	my ($self, $uri, $payload) = @_;
-
-	# Protected field
-	my $protected = encode_base64url(to_json({nonce => $self->{nonce}}));
-
-	# Payload field
-	$payload = encode_base64url(to_json($payload));
-
-	# Sign temp file
-	my $stf = File::Temp->new();
-
-	# Append protect.payload to stf
-	print $stf $protected.'.'.$payload;
-
-	# Close stf
-	close($stf);
-
-	# Generate digest of stf
-	my $signature = encode_base64url(join('', capturex('openssl', ('dgst', '-sha256', '-binary', '-sign', KEY_DIR.DS.ACCOUNT_KEY, $stf->filename))) =~ s/^\0+//r);
-
-	# Create a request
-	my $req = HTTP::Request->new(POST => $uri);
-	
-	# Set new-reg request content
-	$req->content(to_json({
-		header => $self->{account}{jwk},
-		protected => $protected,
-		payload => $payload,
-		signature => $signature
-	}));
-
-	# Post request
-	my $res = $ua->request($req);
-
-	# Save nonce
-	if (defined $res->headers->{'replay-nonce'}) {
-		$self->{nonce} = $res->headers->{'replay-nonce'};
-	}
-
-	# Return res object
-	return $res;
-}
-
-# Resolve dns and check content
-#XXX: see https://community.centminmod.com/threads/looks-like-letsencrypt-dns-01-is-ready.5845/#12 for example
-sub _dnsCheck {
-	my ($self, $domain, $token) = @_;
-
-	# Generate signature from content
-	my $signature = ((sha256_base64($token.'.'.$self->{account}{thumbprint})) =~ s/=+\z//r) =~ tr[+/][-_]r;
-
-	# Fix domain
-	$domain = '_acme-challenge.'.$domain.'.';
-
-	# Create resolver
-	my $res = new Net::DNS::Resolver();
-
-	# Check if we get dns answer
-	unless(my $rep = $res->search($domain, 'TXT')) {
-		carp 'TXT record search for '.$domain.' failed' if ($self->{debug});
-		return;
-	} else {
-		unless (scalar map { $_->type eq 'TXT' && $_->txtdata =~ /^$signature$/ ? 1 : (); } $rep->answer) {
-			carp 'TXT record recursive search for '.$domain.' failed' if ($self->{debug});
-			return;
-		}
-	}
-
-	return 1;
-}
-
-# Get uri and check content
-sub _httpCheck {
-	my ($self, $domain, $token) = @_;
-
-	# Create a request
-	my $req = HTTP::Request->new(GET => 'http://'.$domain.'/.well-known/acme-challenge/'.$token);
-
-	# Load config if available
-	my $config = undef;
-	if (
-		#XXX: use eval to workaround a fatal in from_json
-		defined eval {
-			# Check that file exists
-			-f CONFIG &&
-			# Read it
-			($config = read_file(CONFIG)) &&
-			# Decode it
-			($config = from_json($config)) &&
-			# Check defined
-			$config->{thumbprint}
-		}
-	) {
-		# Try to write thumbprint
-		write_file($config->{thumbprint}, $self->{account}{thumbprint});
-	}
-
-	# Get request
-	my $res = $ua->request($req);
-
-	# Handle error
-	unless ($res->is_success) {
-		carp 'GET http://'.$domain.'/.well-known/acme-challenge/'.$token.' failed: '.$res->status_line if ($self->{debug});
-		return;
-	}
-
-	# Handle invalid content
-	unless($res->content =~ /^$token.$self->{account}{thumbprint}\s*$/) {
-		carp 'GET http://'.$domain.'/.well-known/acme-challenge/'.$token.' content match failed: /^'.$token.'.'.$self->{account}{thumbprint}.'\s*$/ !~ '.$res->content if ($self->{debug});
-		return;
-	}
-
-	# Return success
-	return 1;
-}
-
-# Register account
-#XXX: see doc at https://ietf-wg-acme.github.io/acme/#rfc.section.6.3
-sub register {
-	my ($self) = @_;
-
-	# Post new-reg request
-	#XXX: contact array may contain a tel:+33612345678 for example
-	my $res = $self->_post($self->{'new-reg'}, {resource => 'new-reg', contact => ['mailto:'.$self->{mail}], agreement => ACME_TERMS});
-
-	# Handle error
-	unless ($res->is_success || $res->code eq 409) {
-		confess 'POST '.$self->{'new-reg'}.' failed: '.$res->status_line;
-	}
-
-	# Update mail informations
-	if ($res->code eq 409) {
-		# Save registration uri
-		$self->{'reg'} = $res->headers->{location};
-
-		# Post reg request
-		#XXX: contact array may contain a tel:+33612345678 for example
-		$res = $self->_post($self->{'reg'}, {resource => 'reg', contact => ['mailto:'.$self->{mail}]});
-
-		# Handle error
-		unless ($res->is_success) {
-			confess 'POST '.$self->{'reg'}.' failed: '.$res->status_line;
-		}
-	}
-}
-
-# Authorize domains
-sub authorize {
-	my ($self) = @_;
-
-	# Create challenges hash
-	%{$self->{challenges}} = ();
-
-	# Pending list
-	my @pending = ();
-
-	# Create or load auth request for each domain
-	map {
-		# Init content
-		my $content = undef;
-
-		# Init file
-		my $file = PENDING_DIR.'/'.$self->{mail}.'.'.($self->{prod} ? 'prod' : 'staging').'/'.$_;
-
-		# Load auth request content or post a new one
-		#TODO: add more check on cache file ???
-		if (
-			#XXX: use eval to workaround a fatal in from_json
-			! defined eval {
-				# Check that file exists
-				-f $file &&
-				# Read it
-				($content = read_file($file)) &&
-				# Decode it
-				($content = from_json($content))
-			# Check expiration
-			} || (str2time($content->{expires}) <= time()+3600)
-		) {
-			# Post new-authz request
-			my $res = $self->_post($self->{'new-authz'}, {resource => 'new-authz', identifier => {type => 'dns', value => $_}, existing => 'accept'});
-
-			# Handle error
-			unless ($res->is_success) {
-				confess 'POST '.$self->{'new-authz'}.' for '.$_.' failed: '.$res->status_line;
-			}
-
-			# Decode content
-			$content = from_json($res->content);
-
-			# Check domain
-			unless (defined $content->{identifier}{value} && $content->{identifier}{value} eq $_) {
-				confess 'domain matching '.$content->{identifier}{value}.' for '.$_.' failed: '.$res->status_line;
-			}
-
-			# Check status
-			unless ($content->{status} eq 'valid' or $content->{status} eq 'pending') {
-				confess 'POST '.$self->{'new-authz'}.' for '.$_.' failed: '.$res->status_line;
-			}
-
-			# Write to file
-			write_file($file, to_json($content));
-		}
-
-		# Add challenge
-		%{$self->{challenges}{$_}} = (
-			status => $content->{status},
-			expires => $content->{expires},
-			polls => []
-		);
-
-		# Save pending data
-		if ($content->{status} eq 'pending') {
-			# Extract validation data
-			foreach my $challenge (@{$content->{challenges}}) {
-				# One test already validated this auth request
-				if ($self->{challenges}{$_}{status} eq 'valid') {
-					next;
-				} elsif ($challenge->{status} eq 'valid') {
-					$self->{challenges}{$_}{status} = $challenge->{status};
-					next;
-				} elsif ($challenge->{status} eq 'pending') {
-					# Handle check
-					if (
-						($challenge->{type} =~ /^http-01$/ and $self->_httpCheck($_, $challenge->{token})) or
-						($challenge->{type} =~ /^dns-01$/ and $self->_dnsCheck($_, $challenge->{token}))
-					) {
-						# Post challenge request
-						my $res = $self->_post($challenge->{uri}, {resource => 'challenge', keyAuthorization => $challenge->{token}.'.'.$self->{account}{thumbprint}});
-
-						# Handle error
-						unless ($res->is_success) {
-							confess 'POST '.$challenge->{uri}.' failed: '.$res->status_line;
-						}
-
-						# Extract content
-						my $content = from_json($res->content);
-
-						# Save if valid
-						if ($content->{status} eq 'valid') {
-							$self->{challenges}{$_}{status} = $content->{status};
-						# Check is still polling
-						} elsif ($content->{status} eq 'pending') {
-							# Add to poll list for later use
-							push(@{$self->{challenges}{$_}{polls}}, {
-								type => (split(/-/, $challenge->{type}))[0],
-								status => $content->{status},
-								poll => $content->{uri}
-							});
-						}
-					}
-				}
-			}
-			# Check if check is challenge still in pending and no polls
-			if ($self->{challenges}{$_}{status} eq 'pending' && scalar @{$self->{challenges}{$_}{polls}} == 0) {
-				# Loop on all remaining challenges
-				foreach my $challenge (@{$content->{challenges}}) {
-					# Display help for http-01 check
-					if ($challenge->{type} eq 'http-01') {
-						print STDERR 'Create URI http://'.$_.'/.well-known/acme-challenge/'.$challenge->{token}.' with content '.$challenge->{token}.'.'.$self->{account}{thumbprint}."\n";
-					# Display help for dns-01 check
-					} elsif ($challenge->{type} eq 'dns-01') {
-						print STDERR 'Create TXT record _acme-challenge.'.$_.'. with value '.(((sha256_base64($challenge->{token}.'.'.$self->{account}{thumbprint})) =~ s/=+\z//r) =~ tr[+/][-_]r)."\n";
-					}
-				}
-			}
-		}
-	} @{$self->{domains}};
-
-	# Init max run
-	my $remaining = 10;
-
-	# Poll pending
-	while (--$remaining >= 0 and scalar map { $_->{status} eq 'valid' ? 1 : (); } values %{$self->{challenges}}) {
-		# Sleep
-		sleep(1);
-		# Poll remaining pending
-		map {
-			# Init domain
-			my $domain = $_;
-
-			# Poll remaining polls
-			map {
-				# Create a request
-				my $req = HTTP::Request->new(GET => $_->{poll});
-
-				# Get request
-				my $res = $ua->request($req);
-
-				# Handle error
-				unless ($res->is_success) {
-					carp 'GET '.$self->{challenges}{$_}{http_challenge}.' failed: '.$res->status_line if ($self->{debug});
-				}
-
-				# Extract content
-				my $content = from_json($res->content);
-
-				# Save status
-				if ($content->{status} ne 'pending') {
-					$self->{challenges}{$domain}{status} = $content->{status};
-				}
-			} @{$self->{challenges}{$_}{polls}};
-		} map { $self->{challenges}{$_}{status} eq 'pending' ? $_ : (); } keys %{$self->{challenges}};
-	} 
-
-	# Load config if available
-	my $config = undef;
-	if (
-		#XXX: use eval to workaround a fatal in from_json
-		defined eval {
-			# Check that file exists
-			-f CONFIG &&
-			# Read it
-			($config = read_file(CONFIG)) &&
-			# Decode it
-			($config = from_json($config)) &&
-			# Check defined
-			$config->{thumbprint}
-		}
-	) {
-		# Try to write thumbprint
-		write_file($config->{thumbprint}, '');
-	}
-
-	# Stop here with remaining chanllenge
-	if (scalar map { ! defined $_->{status} or $_->{status} ne 'valid' ? 1 : (); } values %{$self->{challenges}}) {
-		# Deactivate all activated domains 
-		#XXX: not implemented by letsencrypt
-		#map {
-		#	# Post deactivation request
-		#	my $res = $self->_post($self->{challenges}{$_}{http_uri}, {resource => 'authz', status => 'deactivated'});
-		#	# Handle error
-		#	unless ($res->is_success) {
-		#		confess 'POST '.$self->{challenges}{$_}{http_uri}.' failed: '.$res->status_line;
-		#	}
-		#} map { $self->{challenges}{$_}{status} eq 'valid' ? $_ : () } keys %{$self->{challenges}};
-
-		# Stop here as a domain of csr list failed authorization
-		if ($self->{debug}) {
-			my @domains = map { ! defined $self->{challenges}{$_}{status} or $self->{challenges}{$_}{status} ne 'valid' ? $_ : (); } keys %{$self->{challenges}};
-			confess 'Fix the challenge'.(scalar @domains > 1?'s':'').' for domain'.(scalar @domains > 1?'s':'').': '.join(', ', @domains);
-		} else {
-			exit EXIT_FAILURE;
-		}
-	}
-}
-
-# Issue certificate
-sub issue {
-	my ($self) = @_;
-
-	# Open csr file
-	open(my $fh, '<', CERT_DIR.DS.REQUEST_CSR) or die $!;
-
-	# Load csr
-	my $csr = encode_base64url(join('', <$fh>) =~ s/^\0+//r);
-
-	# Close csr file
-	close($fh) or die $!;
-
-	# Post certificate request
-	my $res = $self->_post($self->{'new-cert'}, {resource => 'new-cert', csr => $csr});
-
-	# Handle error
-	unless ($res->is_success) {
-		confess 'POST '.$self->{'new-cert'}.' failed: '.$res->status_line;
-	}
-
-	# Open crt file
-	open($fh, '>', CERT_DIR.DS.SERVER_CRT) or die $!;
-
-	# Convert to pem
-	print $fh '-----BEGIN CERTIFICATE-----'."\n".encode_base64($res->content).'-----END CERTIFICATE-----'."\n";
-
-	# Create a request
-	my $req = HTTP::Request->new(GET => ACME_CERT);
-
-	# Get request
-	$res = $ua->request($req);
-
-	# Handle error
-	unless ($res->is_success) {
-		carp 'GET '.ACME_CERT.' failed: '.$res->status_line if ($self->{debug});
-	}
-
-	# Append content
-	print $fh $res->content;
-
-	# Close file
-	close($fh) or die $!;
-
-	# Print success
-	carp 'Success, pem certificate in '.CERT_DIR.DS.SERVER_CRT if ($self->{debug});
-}
-
-1;
-
-__DATA__
-#
-# OpenSSL configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-[ req ]
-default_bits		= 2048
-default_md		= sha256
-prompt			= no
-distinguished_name	= req_distinguished_name
-# The extentions to add to the self signed cert
-x509_extensions	= v3_ca
-# The extensions to add to a certificate request
-req_extensions = v3_req
-
-# This sets a mask for permitted string types. There are several options. 
-# utf8only: only UTF8Strings (PKIX recommendation after 2004).
-# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
-string_mask = utf8only
-
-[ req_distinguished_name ]
-countryName			= US
-stateOrProvinceName		= State or Province Name
-localityName			= Locality Name
-organizationName		= Organization Name
-organizationalUnitName		= Organizational Unit Name
-commonName			= __COMMON_NAME__
-emailAddress			= __EMAIL_ADDRESS__
-
-[ v3_req ]
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = email:move
-subjectAltName = @alt_names
-
-[ v3_ca ]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = CA:true
-
-[alt_names]