X-Git-Url: https://git.rapsys.eu/acme/blobdiff_plain/d23d5963bf50f434805243743d67fb3c39c916cf..e52d27fd32caf42240ec361ae4d8b407d13b3e53:/acme.pm?ds=sidebyside diff --git a/acme.pm b/acme.pm index 144222c..6a17c3c 100644 --- a/acme.pm +++ b/acme.pm @@ -8,11 +8,12 @@ use warnings; # Symbol export use Exporter; our @ISA = qw(Exporter); +our @EXPORT_OK = qw(DS CERT_DIR KEY_DIR REQUEST_CSR ACCOUNT_KEY SERVER_KEY SERVER_CRT CONFIG); # Load dependancies use Carp qw(carp confess); +use Data::Dumper; use Date::Parse qw(str2time); -use DateTime; use Digest::SHA qw(sha256_base64); use Email::Valid; use File::Path qw(make_path); @@ -23,8 +24,8 @@ use JSON qw(encode_json decode_json); use LWP; use MIME::Base64 qw(encode_base64url encode_base64); use Net::Domain::TLD; -use Tie::IxHash; use POSIX qw(EXIT_FAILURE); +use Tie::IxHash; # Documentation links #XXX: see https://letsencrypt.github.io/acme-spec/ (probably based on https://ietf-wg-acme.github.io/acme/) @@ -70,7 +71,10 @@ use constant { ACME_TERMS => 'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf', # Version - VERSION => 'v0.3' + VERSION => 'v0.4', + + # Config + CONFIG => '/etc/acmepl/config' }; # User agent object @@ -378,6 +382,25 @@ sub _httpCheck { # Create a request my $req = HTTP::Request->new(GET => 'http://'.$domain.'/.well-known/acme-challenge/'.$token); + # Load config if available + my $config = undef; + if ( + #XXX: use eval to workaround a fatal in decode_json + defined eval { + # Check that file exists + -f CONFIG && + # Read it + ($config = read_file(CONFIG)) && + # Decode it + ($config = decode_json($config)) && + # Check defined + $config->{thumbprint} + } + ) { + # Try to write thumbprint + write_file($config->{thumbprint}, $self->{account}{thumbprint}); + } + # Get request my $res = $ua->request($req); @@ -455,10 +478,9 @@ sub authorize { # Read it ($content = read_file($file)) && # Decode it - ($content = decode_json($content)) && - # Check expiration - (DateTime->from_epoch(epoch => str2time($content->{expires})) >= DateTime->now()->add(hours => 1)) - } + ($content = decode_json($content)) + # Check expiration + } || (str2time($content->{expires}) <= time()+3600) ) { # Post new-authz request my $res = $self->_post($self->{'new-authz'}, {resource => 'new-authz', identifier => {type => 'dns', value => $_}, existing => 'accept'}); @@ -505,8 +527,8 @@ sub authorize { } elsif ($challenge->{status} eq 'pending') { # Handle check if ( - ($challenge->{type} =~ /^http-[0-9]+$/ and $self->_httpCheck($_, $challenge->{token})) or - ($challenge->{type} =~ /^dns-[0-9]+$/ and $self->_dnsCheck($_, $challenge->{token})) + ($challenge->{type} =~ /^http-01$/ and $self->_httpCheck($_, $challenge->{token})) or + ($challenge->{type} =~ /^dns-01$/ and $self->_dnsCheck($_, $challenge->{token})) ) { # Post challenge request my $res = $self->_post($challenge->{uri}, {resource => 'challenge', keyAuthorization => $challenge->{token}.'.'.$self->{account}{thumbprint}}); @@ -531,11 +553,18 @@ sub authorize { poll => $content->{uri} }); } - # Print http help - } elsif ($challenge->{type} =~ /^http-[0-9]+$/) { + } + } + } + # Check if check is challenge still in pending and no polls + if ($self->{challenges}{$_}{status} eq 'pending' && scalar @{$self->{challenges}{$_}{polls}} == 0) { + # Loop on all remaining challenges + foreach my $challenge (@{$content->{challenges}}) { + # Display help for http-01 check + if ($challenge->{type} eq 'http-01') { print STDERR 'Create URI http://'.$_.'/.well-known/acme-challenge/'.$challenge->{token}.' with content '.$challenge->{token}.'.'.$self->{account}{thumbprint}."\n"; - # Print dns help - } elsif ($challenge->{type} =~ /^dns-[0-9]+$/) { + # Display help for dns-01 check + } elsif ($challenge->{type} eq 'dns-01') { print STDERR 'Create TXT record _acme-challenge.'.$_.'. with value '.(((sha256_base64($challenge->{token}.'.'.$self->{account}{thumbprint})) =~ s/=+\z//r) =~ tr[+/][-_]r)."\n"; } } @@ -579,6 +608,25 @@ sub authorize { } map { $self->{challenges}{$_}{status} eq 'pending' ? $_ : (); } keys %{$self->{challenges}}; } + # Load config if available + my $config = undef; + if ( + #XXX: use eval to workaround a fatal in decode_json + defined eval { + # Check that file exists + -f CONFIG && + # Read it + ($config = read_file(CONFIG)) && + # Decode it + ($config = decode_json($config)) && + # Check defined + $config->{thumbprint} + } + ) { + # Try to write thumbprint + write_file($config->{thumbprint}, ''); + } + # Stop here with remaining chanllenge if (scalar map { ! defined $_->{status} or $_->{status} ne 'valid' ? 1 : (); } values %{$self->{challenges}}) { # Deactivate all activated domains @@ -595,7 +643,8 @@ sub authorize { # Stop here as a domain of csr list failed authorization if ($self->{debug}) { - confess 'Fix the challenges for domains: '.join(', ', map { ! defined $self->{challenges}{$_}{status} or $self->{challenges}{$_}{status} ne 'valid' ? $_ : (); } keys %{$self->{challenges}}); + my @domains = map { ! defined $self->{challenges}{$_}{status} or $self->{challenges}{$_}{status} ne 'valid' ? $_ : (); } keys %{$self->{challenges}}; + confess 'Fix the challenge'.(scalar @domains > 1?'s':'').' for domain'.(scalar @domains > 1?'s':'').': '.join(', ', @domains); } else { exit EXIT_FAILURE; } @@ -620,6 +669,7 @@ sub issue { # Handle error unless ($res->is_success) { + #print Dumper($res); confess 'POST '.$self->{'new-cert'}.' failed: '.$res->status_line; }