acme: update for v2
https://github.com/warmcat/libwebsockets/issues/2609 AG: api logging updates
This commit is contained in:
parent
93aaaf371c
commit
edf670a3e6
2 changed files with 110 additions and 132 deletions
|
@ -113,12 +113,12 @@ lws_context_init_server_ssl(const struct lws_context_creation_info *info,
|
|||
if (vhost->tls.use_ssl)
|
||||
lws_context_init_alpn(vhost);
|
||||
|
||||
/* check certs once a day */
|
||||
/* check certs in a few seconds (after protocol init) and then once a day */
|
||||
|
||||
context->pt[0].sul_tls.cb = lws_sul_tls_cb;
|
||||
__lws_sul_insert_us(&context->pt[0].pt_sul_owner[LWSSULLI_MISS_IF_SUSPENDED],
|
||||
&context->pt[0].sul_tls,
|
||||
(lws_usec_t)24 * 3600 * LWS_US_PER_SEC);
|
||||
(lws_usec_t)5 * LWS_US_PER_SEC);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
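Review bot: The new comment "and then once a day" is not backed by anything in this hunk any more: the only schedule left is the 5-second initial `__lws_sul_insert_us(...)`, and the 24 h interval that used to be set here is gone, so the daily cadence now exists only if `lws_sul_tls_cb` re-arms the sul itself, which is outside this hunk. If that is the intent, say so at the call site so nobody later "fixes" the 5 s back to a day: `/* one-shot: lws_sul_tls_cb must re-insert itself with the 24h period */`. It would also be safer to keep the period as a named constant shared with the callback (e.g. `LWS_TLS_CERT_CHECK_PERIOD_US`) rather than two literals in two files. lws_context_init_server_ssl starts outside the hunk.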
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* libwebsockets ACME client protocol plugin
|
||||
*
|
||||
* Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
|
||||
* Copyright (C) 2010 - 2022 Andy Green <andy@warmcat.com>
|
||||
*
|
||||
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
* of this software and associated documentation files (the "Software"), to
|
||||
|
@ -21,16 +21,9 @@
|
|||
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
||||
* IN THE SOFTWARE.
|
||||
*
|
||||
* Acme is in a big messy transition at the moment from a homebrewed api
|
||||
* to an IETF one. The old repo for the homebrew api (they currently
|
||||
* implement) is marked up as deprecated and "not accurate[ly] reflect[ing]"
|
||||
* what they implement, but the IETF standard, currently at v7 is not yet
|
||||
* implemented at let's encrypt (ETA Jan 2018).
|
||||
*
|
||||
* This implementation follows draft 7 of the IETF standard, and falls back
|
||||
* to whatever differences exist for Boulder's tls-sni-01 challenge. The
|
||||
* tls-sni-02 support is there but nothing to test it against at the time of
|
||||
* writing (Nov 1 2017).
|
||||
* to whatever differences exist for Boulder's tls-sni-01 challenge.
|
||||
* tls-sni-02 is also supported.
|
||||
*/
|
||||
|
||||
#if !defined (LWS_PLUGIN_STATIC)
|
||||
|
@ -148,11 +141,11 @@ callback_chall_http01(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
|
||||
switch (reason) {
|
||||
case LWS_CALLBACK_HTTP:
|
||||
lwsl_notice("%s: ca connection received, key_auth %s\n",
|
||||
__func__, ac->key_auth);
|
||||
lwsl_wsi_notice(wsi, "CA connection received, key_auth %s",
|
||||
ac->key_auth);
|
||||
|
||||
if (lws_add_http_header_status(wsi, HTTP_STATUS_OK, &p, end)) {
|
||||
lwsl_notice("%s: add status failed\n", __func__);
|
||||
lwsl_wsi_warn(wsi, "add status failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -160,14 +153,13 @@ callback_chall_http01(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
WSI_TOKEN_HTTP_CONTENT_TYPE,
|
||||
(unsigned char *)"text/plain", 10,
|
||||
&p, end)) {
|
||||
lwsl_notice("%s: add content_type failed\n", __func__);
|
||||
lwsl_wsi_warn(wsi, "add content_type failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
n = (int)strlen(ac->key_auth);
|
||||
if (lws_add_http_header_content_length(wsi, (lws_filepos_t)n, &p, end)) {
|
||||
lwsl_notice("%s: add content_length failed\n",
|
||||
__func__);
|
||||
lwsl_wsi_warn(wsi, "add content_length failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -175,13 +167,12 @@ callback_chall_http01(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
WSI_TOKEN_HTTP_CONTENT_DISPOSITION,
|
||||
(unsigned char *)"attachment", 10,
|
||||
&p, end)) {
|
||||
lwsl_notice("%s: add content_dispo failed\n", __func__);
|
||||
lwsl_wsi_warn(wsi, "add content_dispo failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (lws_finalize_write_http_header(wsi, start, &p, end)) {
|
||||
lwsl_notice("%s: finalize http header failed\n",
|
||||
__func__);
|
||||
lwsl_wsi_warn(wsi, "finalize http header failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -190,10 +181,10 @@ callback_chall_http01(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
|
||||
case LWS_CALLBACK_HTTP_WRITEABLE:
|
||||
p += lws_snprintf((char *)p, lws_ptr_diff_size_t(end, p), "%s", ac->key_auth);
|
||||
lwsl_notice("%s: len %d\n", __func__, lws_ptr_diff(p, start));
|
||||
// lwsl_notice("%s: len %d\n", __func__, lws_ptr_diff(p, start));
|
||||
if (lws_write(wsi, (uint8_t *)start, lws_ptr_diff_size_t(p, start),
|
||||
LWS_WRITE_HTTP_FINAL) != lws_ptr_diff(p, start)) {
|
||||
lwsl_err("_write content failed\n");
|
||||
lwsl_wsi_err(wsi, "_write content failed");
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -234,7 +225,7 @@ jws_create_packet(struct lws_jwe *jwe, const char *payload, size_t len,
|
|||
n = LWS_PRE + 2048;
|
||||
buf = malloc((unsigned int)n);
|
||||
if (!buf) {
|
||||
lwsl_notice("%s: malloc %d failed\n", __func__, n);
|
||||
lwsl_warn("%s: malloc %d failed\n", __func__, n);
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -680,14 +671,14 @@ lws_acme_load_create_auth_keys(struct per_vhost_data__lws_acme_client *vhd,
|
|||
n = lws_genrsa_new_keypair(vhd->context, &vhd->rsactx, LGRSAM_PKCS1_1_5,
|
||||
vhd->jwk.e, bits);
|
||||
if (n) {
|
||||
lwsl_notice("failed to create keypair\n");
|
||||
lwsl_vhost_warn(vhd->vhost, "failed to create keypair");
|
||||
return 1;
|
||||
}
|
||||
|
||||
lwsl_notice("...keypair generated\n");
|
||||
|
||||
if (lws_jwk_save(&vhd->jwk, vhd->pvop[LWS_TLS_SET_AUTH_PATH])) {
|
||||
lwsl_notice("unable to save %s\n",
|
||||
lwsl_vhost_warn(vhd->vhost, "unable to save %s",
|
||||
vhd->pvop[LWS_TLS_SET_AUTH_PATH]);
|
||||
return 1;
|
||||
}
|
||||
|
@ -709,8 +700,8 @@ lws_acme_start_acquisition(struct per_vhost_data__lws_acme_client *vhd,
|
|||
/*
|
||||
* ...well... we should try to do something about it then...
|
||||
*/
|
||||
lwsl_notice("%s: ACME cert needs creating / updating: "
|
||||
"vhost %s\n", __func__, lws_get_vhost_name(vhd->vhost));
|
||||
lwsl_vhost_notice(vhd->vhost, "ACME cert needs creating / updating: "
|
||||
"vhost %s", lws_get_vhost_name(vhd->vhost));
|
||||
|
||||
vhd->ac = malloc(sizeof(*vhd->ac));
|
||||
memset(vhd->ac, 0, sizeof(*vhd->ac));
|
||||
|
@ -795,11 +786,13 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
|
||||
switch ((int)reason) {
|
||||
case LWS_CALLBACK_PROTOCOL_INIT:
|
||||
if (vhd)
|
||||
return 0;
|
||||
vhd = lws_protocol_vh_priv_zalloc(lws_get_vhost(wsi),
|
||||
lws_get_protocol(wsi),
|
||||
sizeof(struct per_vhost_data__lws_acme_client));
|
||||
if (vhd)
|
||||
return 0;
|
||||
if (!vhd)
|
||||
return -1;
|
||||
|
||||
vhd->context = lws_get_context(wsi);
|
||||
vhd->protocol = lws_get_protocol(wsi);
|
||||
|
@ -867,7 +860,12 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
vhd->pvop[LWS_TLS_SET_CERT_PATH]);
|
||||
vhd->fd_updated_cert = lws_open(buf,
|
||||
LWS_O_WRONLY | LWS_O_CREAT |
|
||||
LWS_O_TRUNC, 0600);
|
||||
LWS_O_TRUNC
|
||||
/*do not replace \n to \r\n on Windows */
|
||||
#ifdef WIN32
|
||||
| O_BINARY
|
||||
#endif
|
||||
, 0600);
|
||||
if (vhd->fd_updated_cert < 0) {
|
||||
lwsl_err("unable to create update cert file %s\n", buf);
|
||||
return -1;
|
||||
|
@ -875,9 +873,14 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
lws_snprintf(buf, sizeof(buf) - 1, "%s.upd",
|
||||
vhd->pvop[LWS_TLS_SET_KEY_PATH]);
|
||||
vhd->fd_updated_key = lws_open(buf, LWS_O_WRONLY | LWS_O_CREAT |
|
||||
LWS_O_TRUNC, 0600);
|
||||
/*do not replace \n to \r\n on Windows */
|
||||
#ifdef WIN32
|
||||
O_BINARY |
|
||||
#endif
|
||||
LWS_O_TRUNC, 0600);
|
||||
if (vhd->fd_updated_key < 0) {
|
||||
lwsl_err("unable to create update key file %s\n", buf);
|
||||
lwsl_vhost_err(vhd->vhost, "unable to create update key file %s", buf);
|
||||
|
||||
return -1;
|
||||
}
|
||||
#endif
|
||||
|
@ -929,35 +932,18 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
* Client
|
||||
*/
|
||||
|
||||
case LWS_CALLBACK_CLIENT_ESTABLISHED:
|
||||
lwsl_notice("%s: CLIENT_ESTABLISHED\n", __func__);
|
||||
break;
|
||||
|
||||
case LWS_CALLBACK_CLIENT_CONNECTION_ERROR:
|
||||
lwsl_notice("%s: CLIENT_CONNECTION_ERROR: %p\n", __func__, wsi);
|
||||
break;
|
||||
|
||||
case LWS_CALLBACK_CLOSED_CLIENT_HTTP:
|
||||
lwsl_notice("%s: CLOSED_CLIENT_HTTP: %p\n", __func__, wsi);
|
||||
break;
|
||||
|
||||
case LWS_CALLBACK_CLOSED:
|
||||
lwsl_notice("%s: CLOSED: %p\n", __func__, wsi);
|
||||
break;
|
||||
|
||||
case LWS_CALLBACK_ESTABLISHED_CLIENT_HTTP:
|
||||
lwsl_notice("%s: ESTABLISHED_CLIENT_HTTP:"
|
||||
"%p, state:%d, status:%d\n", __func__, wsi,
|
||||
ac->state, lws_http_client_http_response(wsi));
|
||||
if (!ac)
|
||||
break;
|
||||
|
||||
ac->resp = (int)lws_http_client_http_response(wsi);
|
||||
|
||||
/* we get a new nonce each time */
|
||||
if (lws_hdr_total_length(wsi, WSI_TOKEN_REPLAY_NONCE) &&
|
||||
lws_hdr_copy(wsi, ac->replay_nonce,
|
||||
sizeof(ac->replay_nonce),
|
||||
WSI_TOKEN_REPLAY_NONCE) < 0) {
|
||||
lwsl_notice("%s: nonce too large\n", __func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "nonce too large");
|
||||
|
||||
goto failed;
|
||||
}
|
||||
|
@ -967,11 +953,12 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
lejp_construct(&ac->jctx, cb_dir, vhd, jdir_tok,
|
||||
LWS_ARRAY_SIZE(jdir_tok));
|
||||
break;
|
||||
|
||||
case ACME_STATE_NEW_NONCE:
|
||||
/*
|
||||
* we try to * register our keys next.
|
||||
* It's OK if it ends up * they're already registered,
|
||||
* this eliminates any * gaps where we stored the key
|
||||
* we try to register our keys next.
|
||||
* It's OK if it ends up they're already registered,
|
||||
* this eliminates any gaps where we stored the key
|
||||
* but registration did not complete for some reason...
|
||||
*/
|
||||
ac->state = ACME_STATE_NEW_ACCOUNT;
|
||||
|
@ -981,8 +968,7 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
cwsi = lws_acme_client_connect(vhd->context, vhd->vhost,
|
||||
&ac->cwsi, &ac->i, buf, "POST");
|
||||
if (!cwsi) {
|
||||
lwsl_notice("%s: failed to connect to acme\n",
|
||||
__func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "failed to connect to acme");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
|
@ -991,28 +977,26 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
case ACME_STATE_NEW_ACCOUNT:
|
||||
if (!lws_hdr_total_length(wsi,
|
||||
WSI_TOKEN_HTTP_LOCATION)) {
|
||||
lwsl_notice("%s: no Location\n", __func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "no Location");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
if (lws_hdr_copy(wsi, ac->acct_id, sizeof(ac->acct_id),
|
||||
WSI_TOKEN_HTTP_LOCATION) < 0) {
|
||||
lwsl_notice("%s: Location too large\n",
|
||||
__func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "Location too large");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
ac->kid = ac->acct_id;
|
||||
|
||||
lwsl_notice("Location: %s\n", ac->acct_id);
|
||||
lwsl_vhost_notice(vhd->vhost, "Location: %s", ac->acct_id);
|
||||
break;
|
||||
|
||||
case ACME_STATE_NEW_ORDER:
|
||||
if (lws_hdr_copy(wsi, ac->order_url,
|
||||
sizeof(ac->order_url),
|
||||
WSI_TOKEN_HTTP_LOCATION) < 0) {
|
||||
lwsl_notice("%s: missing cert location:\n",
|
||||
__func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "missing cert location");
|
||||
|
||||
goto failed;
|
||||
}
|
||||
|
@ -1061,7 +1045,6 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
|
|||
",\"contact\": [\"mailto:%s\"]}",
|
||||
vhd->pvop_active[LWS_TLS_REQ_ELEMENT_EMAIL]);
|
||||
|
||||
puts(start);
|
||||
strcpy(ac->active_url, ac->urls[JAD_NEW_ACCOUNT_URL]);
|
||||
pkt_add_hdrs:
|
||||
if (lws_gencrypto_jwe_alg_to_definition("RSA1_5",
|
||||
|
@ -1096,7 +1079,7 @@ pkt_add_hdrs:
|
|||
WSI_TOKEN_HTTP_CONTENT_TYPE,
|
||||
(uint8_t *)content_type, 21, pp,
|
||||
pend)) {
|
||||
lwsl_notice("could not add content type\n");
|
||||
lwsl_vhost_warn(vhd->vhost, "could not add content type");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
|
@ -1104,7 +1087,7 @@ pkt_add_hdrs:
|
|||
if (lws_add_http_header_by_token(wsi,
|
||||
WSI_TOKEN_HTTP_CONTENT_LENGTH,
|
||||
(uint8_t *)buf, n, pp, pend)) {
|
||||
lwsl_notice("could not add content length\n");
|
||||
lwsl_vhost_warn(vhd->vhost, "could not add content length");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
|
@ -1122,12 +1105,10 @@ pkt_add_hdrs:
|
|||
"}",
|
||||
vhd->pvop_active[LWS_TLS_REQ_ELEMENT_COMMON_NAME]);
|
||||
|
||||
puts(start);
|
||||
strcpy(ac->active_url, ac->urls[JAD_NEW_ORDER_URL]);
|
||||
goto pkt_add_hdrs;
|
||||
|
||||
case ACME_STATE_AUTHZ:
|
||||
puts(start);
|
||||
strcpy(ac->active_url, ac->authz_url);
|
||||
goto pkt_add_hdrs;
|
||||
|
||||
|
@ -1136,7 +1117,6 @@ pkt_add_hdrs:
|
|||
end = &buf[sizeof(buf) - 1];
|
||||
|
||||
p += lws_snprintf(p, lws_ptr_diff_size_t(end, p), "{}");
|
||||
puts(start);
|
||||
strcpy(ac->active_url, ac->challenge_uri);
|
||||
goto pkt_add_hdrs;
|
||||
|
||||
|
@ -1147,7 +1127,7 @@ pkt_add_hdrs:
|
|||
case ACME_STATE_POLLING_CSR:
|
||||
if (ac->goes_around)
|
||||
break;
|
||||
|
||||
lwsl_vhost_notice(vhd->vhost, "Generating ACME CSR... may take a little while");
|
||||
p += lws_snprintf(p, lws_ptr_diff_size_t(end, p), "{\"csr\":\"");
|
||||
n = lws_tls_acme_sni_csr_create(vhd->context,
|
||||
&vhd->pvop_active[0],
|
||||
|
@ -1155,12 +1135,11 @@ pkt_add_hdrs:
|
|||
&ac->alloc_privkey_pem,
|
||||
&ac->len_privkey_pem);
|
||||
if (n < 0) {
|
||||
lwsl_notice("CSR generation failed\n");
|
||||
lwsl_vhost_warn(vhd->vhost, "CSR generation failed");
|
||||
goto failed;
|
||||
}
|
||||
p += n;
|
||||
p += lws_snprintf(p, lws_ptr_diff_size_t(end, p), "\"}");
|
||||
puts(start);
|
||||
strcpy(ac->active_url, ac->finalize_url);
|
||||
goto pkt_add_hdrs;
|
||||
|
||||
|
@ -1175,7 +1154,6 @@ pkt_add_hdrs:
|
|||
break;
|
||||
|
||||
case LWS_CALLBACK_CLIENT_HTTP_WRITEABLE:
|
||||
lwsl_notice("LWS_CALLBACK_CLIENT_HTTP_WRITEABLE\n");
|
||||
|
||||
if (!ac)
|
||||
break;
|
||||
|
@ -1187,7 +1165,7 @@ pkt_add_hdrs:
|
|||
if (lws_write(wsi, (uint8_t *)ac->buf + LWS_PRE,
|
||||
(size_t)ac->len, LWS_WRITE_HTTP_FINAL) < 0)
|
||||
return -1;
|
||||
lwsl_notice("wrote %d\n", ac->len);
|
||||
|
||||
ac->pos = ac->len;
|
||||
lws_client_http_body_pending(wsi, 0);
|
||||
break;
|
||||
|
@ -1204,28 +1182,29 @@ pkt_add_hdrs:
|
|||
case ACME_STATE_AUTHZ:
|
||||
case ACME_STATE_NEW_ORDER:
|
||||
case ACME_STATE_DIRECTORY:
|
||||
((char *)in)[len] = '\0';
|
||||
puts(in);
|
||||
|
||||
m = lejp_parse(&ac->jctx, (uint8_t *)in, (int)len);
|
||||
if (m < 0 && m != LEJP_CONTINUE) {
|
||||
lwsl_notice("lejp parse failed %d\n", m);
|
||||
goto failed;
|
||||
}
|
||||
break;
|
||||
|
||||
case ACME_STATE_NEW_ACCOUNT:
|
||||
((char *)in)[len] = '\0';
|
||||
puts(in);
|
||||
break;
|
||||
|
||||
case ACME_STATE_DOWNLOAD_CERT:
|
||||
((char *)in)[len] = '\0';
|
||||
puts(in);
|
||||
/* it should be the DER cert! */
|
||||
if ((unsigned int)ac->cpos + len > sizeof(ac->buf)) {
|
||||
lwsl_notice("Incoming cert is too large!\n");
|
||||
goto failed;
|
||||
/*
|
||||
* It should be the DER cert...
|
||||
* ACME 2.0 can send certs chain with 3 certs, store only first bytes
|
||||
*/
|
||||
if ((unsigned int)ac->cpos + len > sizeof(ac->buf))
|
||||
len = sizeof(ac->buf) - (unsigned int)ac->cpos;
|
||||
|
||||
if (len) {
|
||||
memcpy(&ac->buf[ac->cpos], in, len);
|
||||
ac->cpos += (int)len;
|
||||
}
|
||||
memcpy(&ac->buf[ac->cpos], in, len);
|
||||
ac->cpos += (int)len;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
|
@ -1234,9 +1213,9 @@ pkt_add_hdrs:
|
|||
|
||||
/* unchunked content */
|
||||
case LWS_CALLBACK_RECEIVE_CLIENT_HTTP:
|
||||
lwsl_notice("%s: LWS_CALLBACK_RECEIVE_CLIENT_HTTP\n", __func__);
|
||||
if (!ac)
|
||||
return -1;
|
||||
|
||||
switch (ac->state) {
|
||||
default:
|
||||
{
|
||||
|
@ -1252,7 +1231,6 @@ pkt_add_hdrs:
|
|||
break;
|
||||
|
||||
case LWS_CALLBACK_COMPLETED_CLIENT_HTTP:
|
||||
lwsl_notice("%s: COMPLETED_CLIENT_HTTP\n", __func__);
|
||||
|
||||
if (!ac)
|
||||
return -1;
|
||||
|
@ -1281,7 +1259,7 @@ pkt_add_hdrs:
|
|||
|
||||
case ACME_STATE_NEW_ACCOUNT:
|
||||
if ((ac->resp >= 200 && ac->resp < 299) ||
|
||||
ac->resp == 409) {
|
||||
ac->resp == 409) {
|
||||
/*
|
||||
* Our account already existed, or exists now.
|
||||
*
|
||||
|
@ -1324,8 +1302,7 @@ pkt_add_hdrs:
|
|||
vhd->vhost, &ac->cwsi,
|
||||
&ac->i, buf, "POST");
|
||||
if (!cwsi)
|
||||
lwsl_notice("%s: failed to connect\n",
|
||||
__func__);
|
||||
lwsl_notice("%s: failed to connect\n", __func__);
|
||||
|
||||
return -1; /* close the completed client connection */
|
||||
|
||||
|
@ -1335,13 +1312,12 @@ pkt_add_hdrs:
|
|||
lws_snprintf(buf, sizeof(buf),
|
||||
"Auth failed: %s", ac->detail);
|
||||
failreason = buf;
|
||||
lwsl_notice("auth failed\n");
|
||||
lwsl_vhost_warn(vhd->vhost, "auth failed");
|
||||
goto failed;
|
||||
}
|
||||
lwsl_notice("chall: %s (%d)\n", ac->chall_token,
|
||||
ac->resp);
|
||||
lwsl_vhost_info(vhd->vhost, "chall: %s (%d)\n", ac->chall_token, ac->resp);
|
||||
if (!ac->chall_token[0]) {
|
||||
lwsl_notice("no challenge\n");
|
||||
lwsl_vhost_warn(vhd->vhost, "no challenge");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
|
@ -1362,7 +1338,7 @@ pkt_add_hdrs:
|
|||
if (n < 0)
|
||||
goto failed;
|
||||
|
||||
lwsl_notice("key_auth: '%s'\n", ac->key_auth);
|
||||
lwsl_vhost_notice(vhd->vhost, "key_auth: '%s'", ac->key_auth);
|
||||
|
||||
lws_snprintf(ac->http01_mountpoint,
|
||||
sizeof(ac->http01_mountpoint),
|
||||
|
@ -1378,8 +1354,7 @@ pkt_add_hdrs:
|
|||
|
||||
ac->ci.mounts = &ac->mount;
|
||||
|
||||
/* listen on the same port as the vhost that triggered
|
||||
* us */
|
||||
/* listen on the same port as the vhost that triggered us */
|
||||
ac->ci.port = 80;
|
||||
|
||||
/* make ourselves protocols[0] for the new vhost */
|
||||
|
@ -1396,7 +1371,7 @@ pkt_add_hdrs:
|
|||
if (!ac->vhost)
|
||||
goto failed;
|
||||
|
||||
lwsl_notice("challenge_uri %s\n", ac->challenge_uri);
|
||||
lwsl_vhost_notice(vhd->vhost, "challenge_uri %s", ac->challenge_uri);
|
||||
|
||||
/*
|
||||
* The challenge-specific vhost is up... let the ACME
|
||||
|
@ -1408,14 +1383,14 @@ pkt_add_hdrs:
|
|||
ac->challenge_uri,
|
||||
"POST");
|
||||
if (!cwsi) {
|
||||
lwsl_notice("%s: connect failed\n", __func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "Connect failed");
|
||||
goto failed;
|
||||
}
|
||||
return -1; /* close the completed client connection */
|
||||
|
||||
case ACME_STATE_START_CHALL:
|
||||
lwsl_notice("%s: COMPLETED start chall: %s\n",
|
||||
__func__, ac->challenge_uri);
|
||||
lwsl_vhost_notice(vhd->vhost, "COMPLETED start chall: %s",
|
||||
ac->challenge_uri);
|
||||
poll_again:
|
||||
ac->state = ACME_STATE_POLLING;
|
||||
lws_acme_report_status(vhd->vhost, LWS_CUS_CHALLENGE,
|
||||
|
@ -1433,8 +1408,7 @@ poll_again:
|
|||
&ac->cwsi, &ac->i, buf,
|
||||
"POST");
|
||||
if (!cwsi) {
|
||||
lwsl_notice("%s: failed to connect to acme\n",
|
||||
__func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "failed to connect to acme");
|
||||
|
||||
goto failed;
|
||||
}
|
||||
|
@ -1443,18 +1417,14 @@ poll_again:
|
|||
case ACME_STATE_POLLING:
|
||||
|
||||
if (ac->resp == 202 && strcmp(ac->status, "invalid") &&
|
||||
strcmp(ac->status, "valid")) {
|
||||
lwsl_notice("status: %s\n", ac->status);
|
||||
strcmp(ac->status, "valid"))
|
||||
goto poll_again;
|
||||
}
|
||||
|
||||
if (!strcmp(ac->status, "pending")) {
|
||||
lwsl_notice("status: %s\n", ac->status);
|
||||
if (!strcmp(ac->status, "pending"))
|
||||
goto poll_again;
|
||||
}
|
||||
|
||||
if (!strcmp(ac->status, "invalid")) {
|
||||
lwsl_notice("%s: Challenge failed\n", __func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "Challenge failed");
|
||||
lws_snprintf(buf, sizeof(buf),
|
||||
"Challenge Invalid: %s",
|
||||
ac->detail);
|
||||
|
@ -1462,7 +1432,7 @@ poll_again:
|
|||
goto failed;
|
||||
}
|
||||
|
||||
lwsl_notice("Challenge passed\n");
|
||||
lwsl_vhost_notice(vhd->vhost, "ACME challenge passed");
|
||||
|
||||
/*
|
||||
* The challenge was validated... so delete the
|
||||
|
@ -1487,8 +1457,7 @@ poll_again:
|
|||
&ac->cwsi, &ac->i, buf,
|
||||
"POST");
|
||||
if (!cwsi) {
|
||||
lwsl_notice("%s: failed to connect to acme\n",
|
||||
__func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "Failed to connect to acme");
|
||||
|
||||
goto failed;
|
||||
}
|
||||
|
@ -1503,8 +1472,7 @@ poll_again:
|
|||
|
||||
if (ac->resp != 200) {
|
||||
if (ac->goes_around++ == 30) {
|
||||
lwsl_notice("%s: too many retries\n",
|
||||
__func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "Too many retries");
|
||||
|
||||
goto failed;
|
||||
}
|
||||
|
@ -1514,9 +1482,8 @@ poll_again:
|
|||
&ac->cwsi, &ac->i, buf,
|
||||
"POST");
|
||||
if (!cwsi) {
|
||||
lwsl_notice("%s: "
|
||||
"failed to connect to acme\n",
|
||||
__func__);
|
||||
lwsl_vhost_warn(vhd->vhost,
|
||||
"Failed to connect to acme");
|
||||
|
||||
goto failed;
|
||||
}
|
||||
|
@ -1531,8 +1498,7 @@ poll_again:
|
|||
&ac->cwsi, &ac->i, buf,
|
||||
"POST");
|
||||
if (!cwsi) {
|
||||
lwsl_notice("%s: failed to connect to acme\n",
|
||||
__func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "Failed to connect to acme");
|
||||
|
||||
goto failed;
|
||||
}
|
||||
|
@ -1541,11 +1507,11 @@ poll_again:
|
|||
case ACME_STATE_DOWNLOAD_CERT:
|
||||
|
||||
if (ac->resp != 200) {
|
||||
lwsl_notice("download cert failed on resp %d\n",
|
||||
lwsl_vhost_warn(vhd->vhost, "Download cert failed on resp %d",
|
||||
ac->resp);
|
||||
goto failed;
|
||||
}
|
||||
lwsl_notice("The cert was sent..\n");
|
||||
lwsl_vhost_notice(vhd->vhost, "The cert was sent..");
|
||||
|
||||
lws_acme_report_status(vhd->vhost, LWS_CUS_ISSUE, NULL);
|
||||
|
||||
|
@ -1554,13 +1520,25 @@ poll_again:
|
|||
* ac->buf, length in ac->cpos; and the key in
|
||||
* ac->alloc_privkey_pem, length in
|
||||
* ac->len_privkey_pem.
|
||||
* ACME 2.0 can send certs chain with 3 certs, we need save only first
|
||||
*/
|
||||
{
|
||||
char *end_cert = strstr(ac->buf, "END CERTIFICATE-----");
|
||||
|
||||
if (end_cert) {
|
||||
ac->cpos = (int)(lws_ptr_diff_size_t(end_cert, ac->buf) + sizeof("END CERTIFICATE-----") - 1);
|
||||
} else {
|
||||
ac->cpos = 0;
|
||||
lwsl_vhost_err(vhd->vhost, "Unable to find ACME cert!");
|
||||
goto failed;
|
||||
}
|
||||
}
|
||||
n = lws_plat_write_cert(vhd->vhost, 0,
|
||||
vhd->fd_updated_cert,
|
||||
ac->buf,
|
||||
(size_t)ac->cpos);
|
||||
if (n) {
|
||||
lwsl_err("unable to write ACME cert! %d\n", n);
|
||||
lwsl_vhost_err(vhd->vhost, "unable to write ACME cert! %d", n);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
|
@ -1572,16 +1550,16 @@ poll_again:
|
|||
vhd->fd_updated_key,
|
||||
ac->alloc_privkey_pem,
|
||||
ac->len_privkey_pem)) {
|
||||
lwsl_err("unable to write ACME key!\n");
|
||||
lwsl_vhost_err(vhd->vhost, "unable to write ACME key!");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
/*
|
||||
* we have written the persistent copies
|
||||
*/
|
||||
lwsl_notice("%s: Updated certs written for %s "
|
||||
"to %s.upd and %s.upd\n", __func__,
|
||||
vhd->pvop_active[LWS_TLS_REQ_ELEMENT_COMMON_NAME],
|
||||
lwsl_vhost_notice(vhd->vhost, "Updated certs written for %s "
|
||||
"to %s.upd and %s.upd",
|
||||
vhd->pvop_active[LWS_TLS_REQ_ELEMENT_COMMON_NAME],
|
||||
vhd->pvop_active[LWS_TLS_SET_CERT_PATH],
|
||||
vhd->pvop_active[LWS_TLS_SET_KEY_PATH]);
|
||||
|
||||
|
@ -1593,7 +1571,7 @@ poll_again:
|
|||
ac->buf, (size_t)ac->cpos,
|
||||
ac->alloc_privkey_pem,
|
||||
ac->len_privkey_pem)) {
|
||||
lwsl_notice("problem setting certs\n");
|
||||
lwsl_vhost_warn(vhd->vhost, "problem setting certs");
|
||||
}
|
||||
|
||||
lws_acme_finished(vhd);
|
||||
|
@ -1615,7 +1593,7 @@ poll_again:
|
|||
ac->challenge_uri,
|
||||
"GET");
|
||||
if (!cwsi) {
|
||||
lwsl_notice("%s: failed to connect\n", __func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "Failed to connect");
|
||||
goto failed;
|
||||
}
|
||||
break;
|
||||
|
@ -1627,7 +1605,7 @@ poll_again:
|
|||
return 0;
|
||||
|
||||
failed:
|
||||
lwsl_notice("%s: failed out\n", __func__);
|
||||
lwsl_vhost_warn(vhd->vhost, "Failed out");
|
||||
lws_acme_report_status(vhd->vhost, LWS_CUS_FAILED, failreason);
|
||||
lws_acme_finished(vhd);
|
||||
|
||||
|
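Review bot: In the ACME_STATE_DOWNLOAD_CERT completion hunk, `strstr(ac->buf, "END CERTIFICATE-----")` assumes `ac->buf` is NUL-terminated, but the receive hunk now clamps `len` so the chain may fill `ac->buf` exactly, with no terminator reserved; `ac->buf` is also reused for outgoing request bodies (`lws_write(wsi, (uint8_t *)ac->buf + LWS_PRE, ...)`), so bytes past `cpos` are presumably stale rather than zero, and the search can run off the end of the buffer on a truncated or unusual response. Reserve the terminator and write it before searching: change both clamps to `sizeof(ac->buf) - 1` and add `ac->buf[ac->cpos] = '\0';` ahead of the `strstr`. Separately, keeping only the first PEM block discards the intermediates the CA sends in the chain (the comment says so); clients that do not fetch issuers themselves will then fail to validate the served cert, so this deserves at least a `/* TODO: persist the full chain, not just the leaf */` next to the `end_cert` computation. callback_acme_client begins and ends outside the visible hunks.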
|