
acme: update for v2

https://github.com/warmcat/libwebsockets/issues/2609

AG: api logging updates
orefkov 2022-04-11 06:04:40 +01:00 committed by Andy Green
parent 93aaaf371c
commit edf670a3e6
2 changed files with 110 additions and 132 deletions


@ -113,12 +113,12 @@ lws_context_init_server_ssl(const struct lws_context_creation_info *info,
if (vhost->tls.use_ssl)
lws_context_init_alpn(vhost);
/* check certs once a day */
/* check certs in a few seconds (after protocol init) and then once a day */
context->pt[0].sul_tls.cb = lws_sul_tls_cb;
__lws_sul_insert_us(&context->pt[0].pt_sul_owner[LWSSULLI_MISS_IF_SUSPENDED],
&context->pt[0].sul_tls,
(lws_usec_t)24 * 3600 * LWS_US_PER_SEC);
(lws_usec_t)5 * LWS_US_PER_SEC);
return 0;
}
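Review bot: The new 5 s delay in lws_context_init_server_ssl only sets the first firing of sul_tls; the rewritten comment's "and then once a day" now relies on lws_sul_tls_cb re-arming the timer with the daily period, which is outside this hunk and was previously the only visible place the 24 h interval appeared, so that should be confirmed before the old interval is dropped. If the callback does re-arm itself, say so where the timer is armed, e.g. `/* first check shortly after protocol init; lws_sul_tls_cb re-arms itself for the daily period */`, so a reader does not mistake 5 s for the recurring interval. The enclosing lws_context_init_server_ssl starts outside the hunk.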


@ -1,7 +1,7 @@
/*
* libwebsockets ACME client protocol plugin
*
* Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
* Copyright (C) 2010 - 2022 Andy Green <andy@warmcat.com>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to
@ -21,16 +21,9 @@
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
* IN THE SOFTWARE.
*
* Acme is in a big messy transition at the moment from a homebrewed api
* to an IETF one. The old repo for the homebrew api (they currently
* implement) is marked up as deprecated and "not accurate[ly] reflect[ing]"
* what they implement, but the IETF standard, currently at v7 is not yet
* implemented at let's encrypt (ETA Jan 2018).
*
* This implementation follows draft 7 of the IETF standard, and falls back
* to whatever differences exist for Boulder's tls-sni-01 challenge. The
* tls-sni-02 support is there but nothing to test it against at the time of
* writing (Nov 1 2017).
* to whatever differences exist for Boulder's tls-sni-01 challenge.
* tls-sni-02 is also supported.
*/
#if !defined (LWS_PLUGIN_STATIC)
@ -148,11 +141,11 @@ callback_chall_http01(struct lws *wsi, enum lws_callback_reasons reason,
switch (reason) {
case LWS_CALLBACK_HTTP:
lwsl_notice("%s: ca connection received, key_auth %s\n",
__func__, ac->key_auth);
lwsl_wsi_notice(wsi, "CA connection received, key_auth %s",
ac->key_auth);
if (lws_add_http_header_status(wsi, HTTP_STATUS_OK, &p, end)) {
lwsl_notice("%s: add status failed\n", __func__);
lwsl_wsi_warn(wsi, "add status failed");
return -1;
}
@ -160,14 +153,13 @@ callback_chall_http01(struct lws *wsi, enum lws_callback_reasons reason,
WSI_TOKEN_HTTP_CONTENT_TYPE,
(unsigned char *)"text/plain", 10,
&p, end)) {
lwsl_notice("%s: add content_type failed\n", __func__);
lwsl_wsi_warn(wsi, "add content_type failed");
return -1;
}
n = (int)strlen(ac->key_auth);
if (lws_add_http_header_content_length(wsi, (lws_filepos_t)n, &p, end)) {
lwsl_notice("%s: add content_length failed\n",
__func__);
lwsl_wsi_warn(wsi, "add content_length failed");
return -1;
}
@ -175,13 +167,12 @@ callback_chall_http01(struct lws *wsi, enum lws_callback_reasons reason,
WSI_TOKEN_HTTP_CONTENT_DISPOSITION,
(unsigned char *)"attachment", 10,
&p, end)) {
lwsl_notice("%s: add content_dispo failed\n", __func__);
lwsl_wsi_warn(wsi, "add content_dispo failed");
return -1;
}
if (lws_finalize_write_http_header(wsi, start, &p, end)) {
lwsl_notice("%s: finalize http header failed\n",
__func__);
lwsl_wsi_warn(wsi, "finalize http header failed");
return -1;
}
@ -190,10 +181,10 @@ callback_chall_http01(struct lws *wsi, enum lws_callback_reasons reason,
case LWS_CALLBACK_HTTP_WRITEABLE:
p += lws_snprintf((char *)p, lws_ptr_diff_size_t(end, p), "%s", ac->key_auth);
lwsl_notice("%s: len %d\n", __func__, lws_ptr_diff(p, start));
// lwsl_notice("%s: len %d\n", __func__, lws_ptr_diff(p, start));
if (lws_write(wsi, (uint8_t *)start, lws_ptr_diff_size_t(p, start),
LWS_WRITE_HTTP_FINAL) != lws_ptr_diff(p, start)) {
lwsl_err("_write content failed\n");
lwsl_wsi_err(wsi, "_write content failed");
return 1;
}
@ -234,7 +225,7 @@ jws_create_packet(struct lws_jwe *jwe, const char *payload, size_t len,
n = LWS_PRE + 2048;
buf = malloc((unsigned int)n);
if (!buf) {
lwsl_notice("%s: malloc %d failed\n", __func__, n);
lwsl_warn("%s: malloc %d failed\n", __func__, n);
return -1;
}
@ -680,14 +671,14 @@ lws_acme_load_create_auth_keys(struct per_vhost_data__lws_acme_client *vhd,
n = lws_genrsa_new_keypair(vhd->context, &vhd->rsactx, LGRSAM_PKCS1_1_5,
vhd->jwk.e, bits);
if (n) {
lwsl_notice("failed to create keypair\n");
lwsl_vhost_warn(vhd->vhost, "failed to create keypair");
return 1;
}
lwsl_notice("...keypair generated\n");
if (lws_jwk_save(&vhd->jwk, vhd->pvop[LWS_TLS_SET_AUTH_PATH])) {
lwsl_notice("unable to save %s\n",
lwsl_vhost_warn(vhd->vhost, "unable to save %s",
vhd->pvop[LWS_TLS_SET_AUTH_PATH]);
return 1;
}
@ -709,8 +700,8 @@ lws_acme_start_acquisition(struct per_vhost_data__lws_acme_client *vhd,
/*
* ...well... we should try to do something about it then...
*/
lwsl_notice("%s: ACME cert needs creating / updating: "
"vhost %s\n", __func__, lws_get_vhost_name(vhd->vhost));
lwsl_vhost_notice(vhd->vhost, "ACME cert needs creating / updating: "
"vhost %s", lws_get_vhost_name(vhd->vhost));
vhd->ac = malloc(sizeof(*vhd->ac));
memset(vhd->ac, 0, sizeof(*vhd->ac));
@ -795,11 +786,13 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
switch ((int)reason) {
case LWS_CALLBACK_PROTOCOL_INIT:
if (vhd)
return 0;
vhd = lws_protocol_vh_priv_zalloc(lws_get_vhost(wsi),
lws_get_protocol(wsi),
sizeof(struct per_vhost_data__lws_acme_client));
if (vhd)
return 0;
if (!vhd)
return -1;
vhd->context = lws_get_context(wsi);
vhd->protocol = lws_get_protocol(wsi);
@ -867,7 +860,12 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
vhd->pvop[LWS_TLS_SET_CERT_PATH]);
vhd->fd_updated_cert = lws_open(buf,
LWS_O_WRONLY | LWS_O_CREAT |
LWS_O_TRUNC, 0600);
LWS_O_TRUNC
/*do not replace \n to \r\n on Windows */
#ifdef WIN32
| O_BINARY
#endif
, 0600);
if (vhd->fd_updated_cert < 0) {
lwsl_err("unable to create update cert file %s\n", buf);
return -1;
@ -875,9 +873,14 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
lws_snprintf(buf, sizeof(buf) - 1, "%s.upd",
vhd->pvop[LWS_TLS_SET_KEY_PATH]);
vhd->fd_updated_key = lws_open(buf, LWS_O_WRONLY | LWS_O_CREAT |
LWS_O_TRUNC, 0600);
/*do not replace \n to \r\n on Windows */
#ifdef WIN32
O_BINARY |
#endif
LWS_O_TRUNC, 0600);
if (vhd->fd_updated_key < 0) {
lwsl_err("unable to create update key file %s\n", buf);
lwsl_vhost_err(vhd->vhost, "unable to create update key file %s", buf);
return -1;
}
#endif
@ -929,35 +932,18 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
* Client
*/
case LWS_CALLBACK_CLIENT_ESTABLISHED:
lwsl_notice("%s: CLIENT_ESTABLISHED\n", __func__);
break;
case LWS_CALLBACK_CLIENT_CONNECTION_ERROR:
lwsl_notice("%s: CLIENT_CONNECTION_ERROR: %p\n", __func__, wsi);
break;
case LWS_CALLBACK_CLOSED_CLIENT_HTTP:
lwsl_notice("%s: CLOSED_CLIENT_HTTP: %p\n", __func__, wsi);
break;
case LWS_CALLBACK_CLOSED:
lwsl_notice("%s: CLOSED: %p\n", __func__, wsi);
break;
case LWS_CALLBACK_ESTABLISHED_CLIENT_HTTP:
lwsl_notice("%s: ESTABLISHED_CLIENT_HTTP:"
"%p, state:%d, status:%d\n", __func__, wsi,
ac->state, lws_http_client_http_response(wsi));
if (!ac)
break;
ac->resp = (int)lws_http_client_http_response(wsi);
/* we get a new nonce each time */
if (lws_hdr_total_length(wsi, WSI_TOKEN_REPLAY_NONCE) &&
lws_hdr_copy(wsi, ac->replay_nonce,
sizeof(ac->replay_nonce),
WSI_TOKEN_REPLAY_NONCE) < 0) {
lwsl_notice("%s: nonce too large\n", __func__);
lwsl_vhost_warn(vhd->vhost, "nonce too large");
goto failed;
}
@ -967,11 +953,12 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
lejp_construct(&ac->jctx, cb_dir, vhd, jdir_tok,
LWS_ARRAY_SIZE(jdir_tok));
break;
case ACME_STATE_NEW_NONCE:
/*
* we try to * register our keys next.
* It's OK if it ends up * they're already registered,
* this eliminates any * gaps where we stored the key
* we try to register our keys next.
* It's OK if it ends up they're already registered,
* this eliminates any gaps where we stored the key
* but registration did not complete for some reason...
*/
ac->state = ACME_STATE_NEW_ACCOUNT;
@ -981,8 +968,7 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
cwsi = lws_acme_client_connect(vhd->context, vhd->vhost,
&ac->cwsi, &ac->i, buf, "POST");
if (!cwsi) {
lwsl_notice("%s: failed to connect to acme\n",
__func__);
lwsl_vhost_warn(vhd->vhost, "failed to connect to acme");
goto failed;
}
@ -991,28 +977,26 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
case ACME_STATE_NEW_ACCOUNT:
if (!lws_hdr_total_length(wsi,
WSI_TOKEN_HTTP_LOCATION)) {
lwsl_notice("%s: no Location\n", __func__);
lwsl_vhost_warn(vhd->vhost, "no Location");
goto failed;
}
if (lws_hdr_copy(wsi, ac->acct_id, sizeof(ac->acct_id),
WSI_TOKEN_HTTP_LOCATION) < 0) {
lwsl_notice("%s: Location too large\n",
__func__);
lwsl_vhost_warn(vhd->vhost, "Location too large");
goto failed;
}
ac->kid = ac->acct_id;
lwsl_notice("Location: %s\n", ac->acct_id);
lwsl_vhost_notice(vhd->vhost, "Location: %s", ac->acct_id);
break;
case ACME_STATE_NEW_ORDER:
if (lws_hdr_copy(wsi, ac->order_url,
sizeof(ac->order_url),
WSI_TOKEN_HTTP_LOCATION) < 0) {
lwsl_notice("%s: missing cert location:\n",
__func__);
lwsl_vhost_warn(vhd->vhost, "missing cert location");
goto failed;
}
@ -1061,7 +1045,6 @@ callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
",\"contact\": [\"mailto:%s\"]}",
vhd->pvop_active[LWS_TLS_REQ_ELEMENT_EMAIL]);
puts(start);
strcpy(ac->active_url, ac->urls[JAD_NEW_ACCOUNT_URL]);
pkt_add_hdrs:
if (lws_gencrypto_jwe_alg_to_definition("RSA1_5",
@ -1096,7 +1079,7 @@ pkt_add_hdrs:
WSI_TOKEN_HTTP_CONTENT_TYPE,
(uint8_t *)content_type, 21, pp,
pend)) {
lwsl_notice("could not add content type\n");
lwsl_vhost_warn(vhd->vhost, "could not add content type");
goto failed;
}
@ -1104,7 +1087,7 @@ pkt_add_hdrs:
if (lws_add_http_header_by_token(wsi,
WSI_TOKEN_HTTP_CONTENT_LENGTH,
(uint8_t *)buf, n, pp, pend)) {
lwsl_notice("could not add content length\n");
lwsl_vhost_warn(vhd->vhost, "could not add content length");
goto failed;
}
@ -1122,12 +1105,10 @@ pkt_add_hdrs:
"}",
vhd->pvop_active[LWS_TLS_REQ_ELEMENT_COMMON_NAME]);
puts(start);
strcpy(ac->active_url, ac->urls[JAD_NEW_ORDER_URL]);
goto pkt_add_hdrs;
case ACME_STATE_AUTHZ:
puts(start);
strcpy(ac->active_url, ac->authz_url);
goto pkt_add_hdrs;
@ -1136,7 +1117,6 @@ pkt_add_hdrs:
end = &buf[sizeof(buf) - 1];
p += lws_snprintf(p, lws_ptr_diff_size_t(end, p), "{}");
puts(start);
strcpy(ac->active_url, ac->challenge_uri);
goto pkt_add_hdrs;
@ -1147,7 +1127,7 @@ pkt_add_hdrs:
case ACME_STATE_POLLING_CSR:
if (ac->goes_around)
break;
lwsl_vhost_notice(vhd->vhost, "Generating ACME CSR... may take a little while");
p += lws_snprintf(p, lws_ptr_diff_size_t(end, p), "{\"csr\":\"");
n = lws_tls_acme_sni_csr_create(vhd->context,
&vhd->pvop_active[0],
@ -1155,12 +1135,11 @@ pkt_add_hdrs:
&ac->alloc_privkey_pem,
&ac->len_privkey_pem);
if (n < 0) {
lwsl_notice("CSR generation failed\n");
lwsl_vhost_warn(vhd->vhost, "CSR generation failed");
goto failed;
}
p += n;
p += lws_snprintf(p, lws_ptr_diff_size_t(end, p), "\"}");
puts(start);
strcpy(ac->active_url, ac->finalize_url);
goto pkt_add_hdrs;
@ -1175,7 +1154,6 @@ pkt_add_hdrs:
break;
case LWS_CALLBACK_CLIENT_HTTP_WRITEABLE:
lwsl_notice("LWS_CALLBACK_CLIENT_HTTP_WRITEABLE\n");
if (!ac)
break;
@ -1187,7 +1165,7 @@ pkt_add_hdrs:
if (lws_write(wsi, (uint8_t *)ac->buf + LWS_PRE,
(size_t)ac->len, LWS_WRITE_HTTP_FINAL) < 0)
return -1;
lwsl_notice("wrote %d\n", ac->len);
ac->pos = ac->len;
lws_client_http_body_pending(wsi, 0);
break;
@ -1204,28 +1182,29 @@ pkt_add_hdrs:
case ACME_STATE_AUTHZ:
case ACME_STATE_NEW_ORDER:
case ACME_STATE_DIRECTORY:
((char *)in)[len] = '\0';
puts(in);
m = lejp_parse(&ac->jctx, (uint8_t *)in, (int)len);
if (m < 0 && m != LEJP_CONTINUE) {
lwsl_notice("lejp parse failed %d\n", m);
goto failed;
}
break;
case ACME_STATE_NEW_ACCOUNT:
((char *)in)[len] = '\0';
puts(in);
break;
case ACME_STATE_DOWNLOAD_CERT:
((char *)in)[len] = '\0';
puts(in);
/* it should be the DER cert! */
if ((unsigned int)ac->cpos + len > sizeof(ac->buf)) {
lwsl_notice("Incoming cert is too large!\n");
goto failed;
/*
* It should be the DER cert...
* ACME 2.0 can send certs chain with 3 certs, store only first bytes
*/
if ((unsigned int)ac->cpos + len > sizeof(ac->buf))
len = sizeof(ac->buf) - (unsigned int)ac->cpos;
if (len) {
memcpy(&ac->buf[ac->cpos], in, len);
ac->cpos += (int)len;
}
memcpy(&ac->buf[ac->cpos], in, len);
ac->cpos += (int)len;
break;
default:
break;
@ -1234,9 +1213,9 @@ pkt_add_hdrs:
/* unchunked content */
case LWS_CALLBACK_RECEIVE_CLIENT_HTTP:
lwsl_notice("%s: LWS_CALLBACK_RECEIVE_CLIENT_HTTP\n", __func__);
if (!ac)
return -1;
switch (ac->state) {
default:
{
@ -1252,7 +1231,6 @@ pkt_add_hdrs:
break;
case LWS_CALLBACK_COMPLETED_CLIENT_HTTP:
lwsl_notice("%s: COMPLETED_CLIENT_HTTP\n", __func__);
if (!ac)
return -1;
@ -1281,7 +1259,7 @@ pkt_add_hdrs:
case ACME_STATE_NEW_ACCOUNT:
if ((ac->resp >= 200 && ac->resp < 299) ||
ac->resp == 409) {
ac->resp == 409) {
/*
* Our account already existed, or exists now.
*
@ -1324,8 +1302,7 @@ pkt_add_hdrs:
vhd->vhost, &ac->cwsi,
&ac->i, buf, "POST");
if (!cwsi)
lwsl_notice("%s: failed to connect\n",
__func__);
lwsl_notice("%s: failed to connect\n", __func__);
return -1; /* close the completed client connection */
@ -1335,13 +1312,12 @@ pkt_add_hdrs:
lws_snprintf(buf, sizeof(buf),
"Auth failed: %s", ac->detail);
failreason = buf;
lwsl_notice("auth failed\n");
lwsl_vhost_warn(vhd->vhost, "auth failed");
goto failed;
}
lwsl_notice("chall: %s (%d)\n", ac->chall_token,
ac->resp);
lwsl_vhost_info(vhd->vhost, "chall: %s (%d)\n", ac->chall_token, ac->resp);
if (!ac->chall_token[0]) {
lwsl_notice("no challenge\n");
lwsl_vhost_warn(vhd->vhost, "no challenge");
goto failed;
}
@ -1362,7 +1338,7 @@ pkt_add_hdrs:
if (n < 0)
goto failed;
lwsl_notice("key_auth: '%s'\n", ac->key_auth);
lwsl_vhost_notice(vhd->vhost, "key_auth: '%s'", ac->key_auth);
lws_snprintf(ac->http01_mountpoint,
sizeof(ac->http01_mountpoint),
@ -1378,8 +1354,7 @@ pkt_add_hdrs:
ac->ci.mounts = &ac->mount;
/* listen on the same port as the vhost that triggered
* us */
/* listen on the same port as the vhost that triggered us */
ac->ci.port = 80;
/* make ourselves protocols[0] for the new vhost */
@ -1396,7 +1371,7 @@ pkt_add_hdrs:
if (!ac->vhost)
goto failed;
lwsl_notice("challenge_uri %s\n", ac->challenge_uri);
lwsl_vhost_notice(vhd->vhost, "challenge_uri %s", ac->challenge_uri);
/*
* The challenge-specific vhost is up... let the ACME
@ -1408,14 +1383,14 @@ pkt_add_hdrs:
ac->challenge_uri,
"POST");
if (!cwsi) {
lwsl_notice("%s: connect failed\n", __func__);
lwsl_vhost_warn(vhd->vhost, "Connect failed");
goto failed;
}
return -1; /* close the completed client connection */
case ACME_STATE_START_CHALL:
lwsl_notice("%s: COMPLETED start chall: %s\n",
__func__, ac->challenge_uri);
lwsl_vhost_notice(vhd->vhost, "COMPLETED start chall: %s",
ac->challenge_uri);
poll_again:
ac->state = ACME_STATE_POLLING;
lws_acme_report_status(vhd->vhost, LWS_CUS_CHALLENGE,
@ -1433,8 +1408,7 @@ poll_again:
&ac->cwsi, &ac->i, buf,
"POST");
if (!cwsi) {
lwsl_notice("%s: failed to connect to acme\n",
__func__);
lwsl_vhost_warn(vhd->vhost, "failed to connect to acme");
goto failed;
}
@ -1443,18 +1417,14 @@ poll_again:
case ACME_STATE_POLLING:
if (ac->resp == 202 && strcmp(ac->status, "invalid") &&
strcmp(ac->status, "valid")) {
lwsl_notice("status: %s\n", ac->status);
strcmp(ac->status, "valid"))
goto poll_again;
}
if (!strcmp(ac->status, "pending")) {
lwsl_notice("status: %s\n", ac->status);
if (!strcmp(ac->status, "pending"))
goto poll_again;
}
if (!strcmp(ac->status, "invalid")) {
lwsl_notice("%s: Challenge failed\n", __func__);
lwsl_vhost_warn(vhd->vhost, "Challenge failed");
lws_snprintf(buf, sizeof(buf),
"Challenge Invalid: %s",
ac->detail);
@ -1462,7 +1432,7 @@ poll_again:
goto failed;
}
lwsl_notice("Challenge passed\n");
lwsl_vhost_notice(vhd->vhost, "ACME challenge passed");
/*
* The challenge was validated... so delete the
@ -1487,8 +1457,7 @@ poll_again:
&ac->cwsi, &ac->i, buf,
"POST");
if (!cwsi) {
lwsl_notice("%s: failed to connect to acme\n",
__func__);
lwsl_vhost_warn(vhd->vhost, "Failed to connect to acme");
goto failed;
}
@ -1503,8 +1472,7 @@ poll_again:
if (ac->resp != 200) {
if (ac->goes_around++ == 30) {
lwsl_notice("%s: too many retries\n",
__func__);
lwsl_vhost_warn(vhd->vhost, "Too many retries");
goto failed;
}
@ -1514,9 +1482,8 @@ poll_again:
&ac->cwsi, &ac->i, buf,
"POST");
if (!cwsi) {
lwsl_notice("%s: "
"failed to connect to acme\n",
__func__);
lwsl_vhost_warn(vhd->vhost,
"Failed to connect to acme");
goto failed;
}
@ -1531,8 +1498,7 @@ poll_again:
&ac->cwsi, &ac->i, buf,
"POST");
if (!cwsi) {
lwsl_notice("%s: failed to connect to acme\n",
__func__);
lwsl_vhost_warn(vhd->vhost, "Failed to connect to acme");
goto failed;
}
@ -1541,11 +1507,11 @@ poll_again:
case ACME_STATE_DOWNLOAD_CERT:
if (ac->resp != 200) {
lwsl_notice("download cert failed on resp %d\n",
lwsl_vhost_warn(vhd->vhost, "Download cert failed on resp %d",
ac->resp);
goto failed;
}
lwsl_notice("The cert was sent..\n");
lwsl_vhost_notice(vhd->vhost, "The cert was sent..");
lws_acme_report_status(vhd->vhost, LWS_CUS_ISSUE, NULL);
@ -1554,13 +1520,25 @@ poll_again:
* ac->buf, length in ac->cpos; and the key in
* ac->alloc_privkey_pem, length in
* ac->len_privkey_pem.
* ACME 2.0 can send certs chain with 3 certs, we need save only first
*/
{
char *end_cert = strstr(ac->buf, "END CERTIFICATE-----");
if (end_cert) {
ac->cpos = (int)(lws_ptr_diff_size_t(end_cert, ac->buf) + sizeof("END CERTIFICATE-----") - 1);
} else {
ac->cpos = 0;
lwsl_vhost_err(vhd->vhost, "Unable to find ACME cert!");
goto failed;
}
}
n = lws_plat_write_cert(vhd->vhost, 0,
vhd->fd_updated_cert,
ac->buf,
(size_t)ac->cpos);
if (n) {
lwsl_err("unable to write ACME cert! %d\n", n);
lwsl_vhost_err(vhd->vhost, "unable to write ACME cert! %d", n);
goto failed;
}
@ -1572,16 +1550,16 @@ poll_again:
vhd->fd_updated_key,
ac->alloc_privkey_pem,
ac->len_privkey_pem)) {
lwsl_err("unable to write ACME key!\n");
lwsl_vhost_err(vhd->vhost, "unable to write ACME key!");
goto failed;
}
/*
* we have written the persistent copies
*/
lwsl_notice("%s: Updated certs written for %s "
"to %s.upd and %s.upd\n", __func__,
vhd->pvop_active[LWS_TLS_REQ_ELEMENT_COMMON_NAME],
lwsl_vhost_notice(vhd->vhost, "Updated certs written for %s "
"to %s.upd and %s.upd",
vhd->pvop_active[LWS_TLS_REQ_ELEMENT_COMMON_NAME],
vhd->pvop_active[LWS_TLS_SET_CERT_PATH],
vhd->pvop_active[LWS_TLS_SET_KEY_PATH]);
@ -1593,7 +1571,7 @@ poll_again:
ac->buf, (size_t)ac->cpos,
ac->alloc_privkey_pem,
ac->len_privkey_pem)) {
lwsl_notice("problem setting certs\n");
lwsl_vhost_warn(vhd->vhost, "problem setting certs");
}
lws_acme_finished(vhd);
@ -1615,7 +1593,7 @@ poll_again:
ac->challenge_uri,
"GET");
if (!cwsi) {
lwsl_notice("%s: failed to connect\n", __func__);
lwsl_vhost_warn(vhd->vhost, "Failed to connect");
goto failed;
}
break;
@ -1627,7 +1605,7 @@ poll_again:
return 0;
failed:
lwsl_notice("%s: failed out\n", __func__);
lwsl_vhost_warn(vhd->vhost, "Failed out");
lws_acme_report_status(vhd->vhost, LWS_CUS_FAILED, failreason);
lws_acme_finished(vhd);
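Review bot: In the `ACME_STATE_DOWNLOAD_CERT` case of the hunk at @ -1204,28 the new clamp lets the chain fill `ac->buf` completely, but the later hunk at @ -1554,13 then calls `strstr(ac->buf, "END CERTIFICATE-----")`, which needs a NUL terminator; once `cpos` reaches `sizeof(ac->buf)` none is guaranteed (the `'\0'` written by the removed line went into `in`, not `ac->buf`), so the search can run past the buffer. Reserve one byte when clamping and terminate after each append, so the search stops inside the buffer whether or not the first certificate was cut off. Keeping only the first certificate also discards any intermediates the CA sent; if that is intentional for this storage path it deserves a comment, since clients validating the served chain may need them. The enclosing callback_acme_client begins and ends outside these hunks.
```c
		case ACME_STATE_DOWNLOAD_CERT:
			/*
			 * It should be the DER cert...
			 * ACME 2.0 can send certs chain with 3 certs, store only first bytes
			 */
			/* keep one byte free: strstr() on ac->buf later needs a terminator */
			if ((unsigned int)ac->cpos + len > sizeof(ac->buf) - 1)
				len = sizeof(ac->buf) - 1 - (unsigned int)ac->cpos;
			if (len) {
				memcpy(&ac->buf[ac->cpos], in, len);
				ac->cpos += (int)len;
			}
			ac->buf[ac->cpos] = '\0';
			break;
```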