2019-09-20 11:36:31 +02:00
|
|
|
%%%----------------------------------------------------------------------
|
2021-01-27 16:55:25 +01:00
|
|
|
%%% ejabberd, Copyright (C) 2002-2021 ProcessOne
|
2019-09-20 11:36:31 +02:00
|
|
|
%%%
|
|
|
|
%%% This program is free software; you can redistribute it and/or
|
|
|
|
%%% modify it under the terms of the GNU General Public License as
|
|
|
|
%%% published by the Free Software Foundation; either version 2 of the
|
|
|
|
%%% License, or (at your option) any later version.
|
|
|
|
%%%
|
|
|
|
%%% This program is distributed in the hope that it will be useful,
|
|
|
|
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
%%% General Public License for more details.
|
|
|
|
%%%
|
|
|
|
%%% You should have received a copy of the GNU General Public License along
|
|
|
|
%%% with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
|
%%%
|
|
|
|
%%%----------------------------------------------------------------------
|
|
|
|
-module(ejabberd_acme).
|
2017-11-17 09:59:40 +01:00
|
|
|
-behaviour(gen_server).
|
2017-06-09 14:49:27 +02:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
%% API
|
|
|
|
-export([start_link/0]).
|
|
|
|
-export([default_directory_url/0]).
|
|
|
|
%% HTTP API
|
|
|
|
-export([process/2]).
|
|
|
|
%% Hooks
|
|
|
|
-export([ejabberd_started/0, register_certfiles/0, cert_expired/2]).
|
|
|
|
%% ejabberd commands
|
2021-08-23 11:51:01 +02:00
|
|
|
-export([get_commands_spec/0, request_certificate/1,
|
|
|
|
revoke_certificate/1, list_certificates/0]).
|
2017-11-17 09:59:40 +01:00
|
|
|
%% gen_server callbacks
|
|
|
|
-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
|
2019-09-20 11:36:31 +02:00
|
|
|
terminate/2, code_change/3, format_status/2]).
|
2017-06-09 14:49:27 +02:00
|
|
|
|
|
|
|
-include("logger.hrl").
|
2017-11-17 10:50:27 +01:00
|
|
|
-include("ejabberd_commands.hrl").
|
2017-06-09 14:49:27 +02:00
|
|
|
-include_lib("public_key/include/public_key.hrl").
|
2019-09-20 11:36:31 +02:00
|
|
|
-include_lib("stdlib/include/ms_transform.hrl").
|
2017-06-09 14:49:27 +02:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
-define(CALL_TIMEOUT, timer:minutes(10)).
|
2017-08-19 10:35:15 +02:00
|
|
|
|
2017-11-17 09:59:40 +01:00
|
|
|
-record(state, {}).
|
2017-06-12 14:31:48 +02:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
-type state() :: #state{}.
|
|
|
|
-type priv_key() :: public_key:private_key().
|
|
|
|
-type cert() :: #'OTPCertificate'{}.
|
|
|
|
-type cert_type() :: ec | rsa.
|
|
|
|
-type io_error() :: file:posix().
|
2019-09-25 12:10:47 +02:00
|
|
|
-type issue_result() :: ok | p1_acme:issue_return() |
|
2019-09-22 10:04:38 +02:00
|
|
|
{error, {file, io_error()} |
|
|
|
|
{idna_failed, binary()}}.
|
2019-09-20 11:36:31 +02:00
|
|
|
|
|
|
|
%%%===================================================================
|
|
|
|
%%% API
|
|
|
|
%%%===================================================================
|
2017-11-17 09:59:40 +01:00
|
|
|
start_link() ->
|
|
|
|
gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).
|
2017-11-14 13:12:33 +01:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
-spec register_certfiles() -> ok.
|
|
|
|
register_certfiles() ->
|
|
|
|
lists:foreach(fun ejabberd_pkix:add_certfile/1,
|
|
|
|
list_certfiles()).
|
|
|
|
|
|
|
|
-spec process([binary()], _) -> {integer(), [{binary(), binary()}], binary()}.
|
|
|
|
process([Token], _) ->
|
2019-09-23 14:17:20 +02:00
|
|
|
?DEBUG("Received ACME challenge request for token: ~ts", [Token]),
|
2019-09-20 11:36:31 +02:00
|
|
|
try ets:lookup_element(acme_challenge, Token, 2) of
|
|
|
|
Key -> {200, [{<<"Content-Type">>,
|
|
|
|
<<"application/octet-stream">>}],
|
|
|
|
Key}
|
|
|
|
catch _:_ ->
|
|
|
|
{404, [], <<>>}
|
|
|
|
end;
|
|
|
|
process(_, _) ->
|
|
|
|
{404, [], <<>>}.
|
|
|
|
|
|
|
|
-spec cert_expired(_, pkix:cert_info()) -> ok | stop.
|
|
|
|
cert_expired(_, #{domains := Domains, files := Files}) ->
|
|
|
|
CertFiles = list_certfiles(),
|
|
|
|
case lists:any(
|
|
|
|
fun({File, _}) ->
|
|
|
|
lists:member(File, CertFiles)
|
|
|
|
end, Files) of
|
|
|
|
true ->
|
|
|
|
gen_server:cast(?MODULE, {request, Domains}),
|
|
|
|
stop;
|
|
|
|
false ->
|
|
|
|
ok
|
|
|
|
end.
|
|
|
|
|
|
|
|
-spec ejabberd_started() -> ok.
|
|
|
|
ejabberd_started() ->
|
|
|
|
gen_server:cast(?MODULE, ejabberd_started).
|
|
|
|
|
|
|
|
default_directory_url() ->
|
|
|
|
<<"https://acme-v02.api.letsencrypt.org/directory">>.
|
|
|
|
|
2017-11-17 09:59:40 +01:00
|
|
|
%%%===================================================================
|
|
|
|
%%% gen_server callbacks
|
|
|
|
%%%===================================================================
|
|
|
|
init([]) ->
|
2019-09-20 11:36:31 +02:00
|
|
|
ets:new(acme_challenge, [named_table, public]),
|
|
|
|
process_flag(trap_exit, true),
|
2019-09-25 12:10:47 +02:00
|
|
|
ejabberd:start_app(p1_acme),
|
2019-09-22 00:14:29 +02:00
|
|
|
delete_obsolete_data(),
|
|
|
|
ejabberd_hooks:add(cert_expired, ?MODULE, cert_expired, 60),
|
|
|
|
ejabberd_hooks:add(config_reloaded, ?MODULE, register_certfiles, 40),
|
|
|
|
ejabberd_hooks:add(ejabberd_started, ?MODULE, ejabberd_started, 110),
|
|
|
|
ejabberd_hooks:add(config_reloaded, ?MODULE, ejabberd_started, 110),
|
|
|
|
ejabberd_commands:register_commands(get_commands_spec()),
|
|
|
|
register_certfiles(),
|
|
|
|
{ok, #state{}}.
|
2017-11-17 09:59:40 +01:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
handle_call({request, [_|_] = Domains}, _From, State) ->
|
2019-09-23 14:17:20 +02:00
|
|
|
?INFO_MSG("Requesting new certificate for ~ts from ~ts",
|
2019-09-20 11:36:31 +02:00
|
|
|
[misc:format_hosts_list(Domains), directory_url()]),
|
|
|
|
{Ret, State1} = issue_request(State, Domains),
|
|
|
|
{reply, Ret, State1};
|
|
|
|
handle_call({revoke, Cert, Key, Path}, _From, State) ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?INFO_MSG("Revoking certificate from file ~ts", [Path]),
|
2019-09-20 11:36:31 +02:00
|
|
|
{Ret, State1} = revoke_request(State, Cert, Key, Path),
|
|
|
|
{reply, Ret, State1};
|
2019-07-12 10:55:36 +02:00
|
|
|
handle_call(Request, From, State) ->
|
|
|
|
?WARNING_MSG("Unexpected call from ~p: ~p", [From, Request]),
|
|
|
|
{noreply, State}.
|
2017-11-17 09:59:40 +01:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
handle_cast(ejabberd_started, State) ->
|
|
|
|
case request_on_start() of
|
|
|
|
{true, Domains} ->
|
2019-09-23 14:17:20 +02:00
|
|
|
?INFO_MSG("Requesting new certificate for ~ts from ~ts",
|
2019-09-20 11:36:31 +02:00
|
|
|
[misc:format_hosts_list(Domains), directory_url()]),
|
|
|
|
{_, State1} = issue_request(State, Domains),
|
|
|
|
{noreply, State1};
|
|
|
|
false ->
|
|
|
|
{noreply, State}
|
|
|
|
end;
|
|
|
|
handle_cast({request, [_|_] = Domains}, State) ->
|
2019-09-23 14:17:20 +02:00
|
|
|
?INFO_MSG("Requesting renewal of certificate for ~ts from ~ts",
|
2019-09-20 11:36:31 +02:00
|
|
|
[misc:format_hosts_list(Domains), directory_url()]),
|
|
|
|
{_, State1} = issue_request(State, Domains),
|
|
|
|
{noreply, State1};
|
|
|
|
handle_cast(Request, State) ->
|
|
|
|
?WARNING_MSG("Unexpected cast: ~p", [Request]),
|
2017-11-17 09:59:40 +01:00
|
|
|
{noreply, State}.
|
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
handle_info(Info, State) ->
|
|
|
|
?WARNING_MSG("Unexpected info: ~p", [Info]),
|
2017-11-17 09:59:40 +01:00
|
|
|
{noreply, State}.
|
|
|
|
|
|
|
|
terminate(_Reason, _State) ->
|
2019-09-20 11:36:31 +02:00
|
|
|
ejabberd_hooks:delete(cert_expired, ?MODULE, cert_expired, 60),
|
2017-11-19 07:56:05 +01:00
|
|
|
ejabberd_hooks:delete(config_reloaded, ?MODULE, register_certfiles, 40),
|
2019-09-20 11:36:31 +02:00
|
|
|
ejabberd_hooks:delete(ejabberd_started, ?MODULE, ejabberd_started, 110),
|
|
|
|
ejabberd_hooks:delete(config_reloaded, ?MODULE, ejabberd_started, 110),
|
2017-11-17 10:50:27 +01:00
|
|
|
ejabberd_commands:unregister_commands(get_commands_spec()).
|
2017-11-17 09:59:40 +01:00
|
|
|
|
|
|
|
code_change(_OldVsn, State, _Extra) ->
|
|
|
|
{ok, State}.
|
2017-07-07 16:37:44 +02:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
format_status(_Opt, Status) ->
|
|
|
|
Status.
|
2017-07-07 16:37:44 +02:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
%%%===================================================================
|
|
|
|
%%% Internal functions
|
|
|
|
%%%===================================================================
|
|
|
|
%%%===================================================================
|
|
|
|
%%% Challenge callback
|
|
|
|
%%%===================================================================
|
2019-09-25 12:10:47 +02:00
|
|
|
-spec register_challenge(p1_acme:challenge_data(), reference()) -> true.
|
2019-09-20 11:36:31 +02:00
|
|
|
register_challenge(Auth, Ref) ->
|
|
|
|
?DEBUG("Registering ACME challenge ~p -> ~p", [Ref, Auth]),
|
|
|
|
ejabberd_hooks:run(acme_challenge, [{start, Auth, Ref}]),
|
|
|
|
ets:insert(
|
|
|
|
acme_challenge,
|
|
|
|
lists:map(
|
|
|
|
fun(#{token := Token, key := Key}) ->
|
|
|
|
{Token, Key, Ref}
|
|
|
|
end, Auth)).
|
|
|
|
|
|
|
|
-spec unregister_challenge(reference()) -> non_neg_integer().
|
|
|
|
unregister_challenge(Ref) ->
|
|
|
|
?DEBUG("Unregistering ACME challenge ~p", [Ref]),
|
|
|
|
ejabberd_hooks:run(acme_challenge, [{stop, Ref}]),
|
|
|
|
ets:select_delete(
|
|
|
|
acme_challenge,
|
|
|
|
ets:fun2ms(
|
|
|
|
fun({_, _, Ref1}) ->
|
|
|
|
Ref1 == Ref
|
|
|
|
end)).
|
2018-12-13 11:45:45 +01:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
%%%===================================================================
|
|
|
|
%%% Issuance
|
|
|
|
%%%===================================================================
|
|
|
|
-spec issue_request(state(), [binary(),...]) -> {issue_result(), state()}.
|
|
|
|
issue_request(State, Domains) ->
|
2019-09-22 10:04:38 +02:00
|
|
|
case check_idna(Domains) of
|
2019-09-22 11:44:31 +02:00
|
|
|
{ok, AsciiDomains} ->
|
2019-09-22 10:04:38 +02:00
|
|
|
case read_account_key() of
|
|
|
|
{ok, AccKey} ->
|
|
|
|
Config = ejabberd_option:acme(),
|
|
|
|
DirURL = maps:get(ca_url, Config, default_directory_url()),
|
|
|
|
Contact = maps:get(contact, Config, []),
|
|
|
|
CertType = maps:get(cert_type, Config, rsa),
|
2019-09-22 11:44:31 +02:00
|
|
|
issue_request(State, DirURL, Domains, AsciiDomains, AccKey, CertType, Contact);
|
2019-09-22 10:04:38 +02:00
|
|
|
{error, Reason} = Err ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?ERROR_MSG("Failed to request certificate for ~ts: ~ts",
|
2019-09-22 10:04:38 +02:00
|
|
|
[misc:format_hosts_list(Domains),
|
|
|
|
format_error(Reason)]),
|
|
|
|
{Err, State}
|
|
|
|
end;
|
2019-09-22 10:30:20 +02:00
|
|
|
{error, Reason} = Err ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?ERROR_MSG("Failed to request certificate for ~ts: ~ts",
|
2019-09-22 10:30:20 +02:00
|
|
|
[misc:format_hosts_list(Domains),
|
|
|
|
format_error(Reason)]),
|
2019-09-20 11:36:31 +02:00
|
|
|
{Err, State}
|
|
|
|
end.
|
|
|
|
|
2019-09-22 11:44:31 +02:00
|
|
|
-spec issue_request(state(), binary(), [binary(),...], [string(), ...], priv_key(),
|
2019-09-20 11:36:31 +02:00
|
|
|
cert_type(), [binary()]) -> {issue_result(), state()}.
|
2019-09-22 11:44:31 +02:00
|
|
|
issue_request(State, DirURL, Domains, AsciiDomains, AccKey, CertType, Contact) ->
|
2019-09-20 11:36:31 +02:00
|
|
|
Ref = make_ref(),
|
|
|
|
ChallengeFun = fun(Auth) -> register_challenge(Auth, Ref) end,
|
2019-09-25 12:10:47 +02:00
|
|
|
Ret = case p1_acme:issue(DirURL, AsciiDomains, AccKey,
|
2019-09-20 11:36:31 +02:00
|
|
|
[{cert_type, CertType},
|
|
|
|
{contact, Contact},
|
|
|
|
{debug_fun, debug_fun()},
|
|
|
|
{challenge_fun, ChallengeFun}]) of
|
|
|
|
{ok, #{cert_key := CertKey,
|
|
|
|
cert_chain := Certs}} ->
|
|
|
|
case store_cert(CertKey, Certs, CertType, Domains) of
|
|
|
|
{ok, Path} ->
|
|
|
|
ejabberd_pkix:add_certfile(Path),
|
|
|
|
ejabberd_pkix:commit(),
|
2019-09-22 19:11:54 +02:00
|
|
|
?INFO_MSG("Certificate for ~ts has been received, "
|
2019-09-20 11:36:31 +02:00
|
|
|
"stored and loaded successfully",
|
|
|
|
[misc:format_hosts_list(Domains)]),
|
|
|
|
{ok, State};
|
|
|
|
{error, Reason} = Err ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?ERROR_MSG("Failed to store certificate for ~ts: ~ts",
|
2019-09-20 11:36:31 +02:00
|
|
|
[misc:format_hosts_list(Domains),
|
|
|
|
format_error(Reason)]),
|
|
|
|
{Err, State}
|
|
|
|
end;
|
|
|
|
{error, Reason} = Err ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?ERROR_MSG("Failed to request certificate for ~ts: ~ts",
|
2019-09-20 11:36:31 +02:00
|
|
|
[misc:format_hosts_list(Domains),
|
|
|
|
format_error(Reason)]),
|
|
|
|
{Err, State}
|
|
|
|
end,
|
|
|
|
unregister_challenge(Ref),
|
|
|
|
Ret.
|
2017-07-17 12:40:53 +02:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
%%%===================================================================
|
|
|
|
%%% Revocation
|
|
|
|
%%%===================================================================
|
|
|
|
revoke_request(State, Cert, Key, Path) ->
|
2019-09-25 12:10:47 +02:00
|
|
|
case p1_acme:revoke(directory_url(), Cert, Key,
|
2019-09-20 11:36:31 +02:00
|
|
|
[{debug_fun, debug_fun()}]) of
|
|
|
|
ok ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?INFO_MSG("Certificate from file ~ts has been "
|
2019-09-20 11:36:31 +02:00
|
|
|
"revoked successfully", [Path]),
|
|
|
|
case delete_file(Path) of
|
|
|
|
ok ->
|
|
|
|
ejabberd_pkix:del_certfile(Path),
|
|
|
|
ejabberd_pkix:commit(),
|
|
|
|
{ok, State};
|
|
|
|
Err ->
|
|
|
|
{Err, State}
|
2017-11-17 10:50:27 +01:00
|
|
|
end;
|
2019-09-20 11:36:31 +02:00
|
|
|
{error, Reason} = Err ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?ERROR_MSG("Failed to revoke certificate from file ~ts: ~ts",
|
2019-09-20 11:36:31 +02:00
|
|
|
[Path, format_error(Reason)]),
|
|
|
|
{Err, State}
|
2017-07-07 16:37:44 +02:00
|
|
|
end.
|
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
%%%===================================================================
|
|
|
|
%%% File management
|
|
|
|
%%%===================================================================
|
|
|
|
-spec acme_dir() -> file:filename_all().
|
|
|
|
acme_dir() ->
|
|
|
|
MnesiaDir = mnesia:system_info(directory),
|
|
|
|
filename:join(MnesiaDir, "acme").
|
|
|
|
|
|
|
|
-spec acme_certs_dir(atom()) -> file:filename_all().
|
|
|
|
acme_certs_dir(Tag) ->
|
|
|
|
filename:join(acme_dir(), Tag).
|
|
|
|
|
|
|
|
-spec account_file() -> file:filename_all().
|
|
|
|
account_file() ->
|
|
|
|
filename:join(acme_dir(), "account.key").
|
|
|
|
|
|
|
|
-spec cert_file(cert_type(), [binary()]) -> file:filename_all().
|
|
|
|
cert_file(CertType, Domains) ->
|
|
|
|
L = [erlang:atom_to_binary(CertType, latin1)|Domains],
|
|
|
|
Hash = str:sha(str:join(L, <<0>>)),
|
|
|
|
filename:join(acme_certs_dir(live), Hash).
|
|
|
|
|
|
|
|
-spec prep_path(file:filename_all()) -> binary().
|
|
|
|
prep_path(Path) ->
|
|
|
|
unicode:characters_to_binary(Path).
|
|
|
|
|
|
|
|
-spec list_certfiles() -> [binary()].
|
|
|
|
list_certfiles() ->
|
|
|
|
filelib:fold_files(
|
|
|
|
acme_certs_dir(live), "^[0-9a-f]{40}$", false,
|
|
|
|
fun(F, Fs) -> [prep_path(F)|Fs] end, []).
|
|
|
|
|
|
|
|
-spec read_account_key() -> {ok, #'ECPrivateKey'{}} | {error, {file, io_error()}}.
|
|
|
|
read_account_key() ->
|
|
|
|
Path = account_file(),
|
|
|
|
case pkix:read_file(Path) of
|
|
|
|
{ok, _, KeyMap} ->
|
|
|
|
case maps:keys(KeyMap) of
|
|
|
|
[#'ECPrivateKey'{} = Key|_] -> {ok, Key};
|
|
|
|
_ ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?WARNING_MSG("File ~ts doesn't contain ACME account key. "
|
2019-09-20 11:36:31 +02:00
|
|
|
"Trying to create a new one...",
|
2019-09-22 19:11:54 +02:00
|
|
|
[Path]),
|
2019-09-20 11:36:31 +02:00
|
|
|
create_account_key()
|
2017-11-17 10:50:27 +01:00
|
|
|
end;
|
2017-07-03 12:37:32 +02:00
|
|
|
{error, enoent} ->
|
2019-09-20 11:36:31 +02:00
|
|
|
create_account_key();
|
|
|
|
{error, {bad_cert, _, _} = Reason} ->
|
2019-09-23 14:17:20 +02:00
|
|
|
?WARNING_MSG("ACME account key from '~ts' is corrupted: ~ts. "
|
2019-09-20 11:36:31 +02:00
|
|
|
"Trying to create a new one...",
|
2019-09-22 19:11:54 +02:00
|
|
|
[Path, pkix:format_error(Reason)]),
|
2019-09-20 11:36:31 +02:00
|
|
|
create_account_key();
|
2017-07-03 12:37:32 +02:00
|
|
|
{error, Reason} ->
|
2019-09-23 14:17:20 +02:00
|
|
|
?ERROR_MSG("Failed to read ACME account from ~ts: ~ts. "
|
2019-09-20 11:36:31 +02:00
|
|
|
"Try to fix permissions or delete the file completely",
|
2019-09-22 19:11:54 +02:00
|
|
|
[Path, pkix:format_error(Reason)]),
|
2019-09-20 11:36:31 +02:00
|
|
|
{error, {file, Reason}}
|
|
|
|
end.
|
|
|
|
|
|
|
|
-spec create_account_key() -> {ok, #'ECPrivateKey'{}} | {error, {file, io_error()}}.
|
|
|
|
create_account_key() ->
|
|
|
|
Path = account_file(),
|
2019-09-22 19:11:54 +02:00
|
|
|
?DEBUG("Creating ACME account key in ~ts", [Path]),
|
2019-09-25 12:10:47 +02:00
|
|
|
Key = p1_acme:generate_key(ec),
|
2019-09-20 11:36:31 +02:00
|
|
|
DER = public_key:der_encode(element(1, Key), Key),
|
|
|
|
PEM = public_key:pem_encode([{element(1, Key), DER, not_encrypted}]),
|
|
|
|
case write_file(Path, PEM) of
|
|
|
|
ok ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?DEBUG("ACME account key has been created successfully in ~ts",
|
|
|
|
[Path]),
|
2019-09-20 11:36:31 +02:00
|
|
|
{ok, Key};
|
2017-07-03 12:37:32 +02:00
|
|
|
{error, Reason} ->
|
2019-09-20 11:36:31 +02:00
|
|
|
{error, {file, Reason}}
|
|
|
|
end.
|
|
|
|
|
|
|
|
-spec store_cert(priv_key(), [cert()], cert_type(), [binary()]) -> {ok, file:filename_all()} |
|
|
|
|
{error, {file, io_error()}}.
|
|
|
|
store_cert(Key, Chain, CertType, Domains) ->
|
|
|
|
DerKey = public_key:der_encode(element(1, Key), Key),
|
|
|
|
PemKey = [{element(1, Key), DerKey, not_encrypted}],
|
|
|
|
PemChain = lists:map(
|
|
|
|
fun(Cert) ->
|
|
|
|
DerCert = public_key:pkix_encode(
|
|
|
|
element(1, Cert), Cert, otp),
|
|
|
|
{'Certificate', DerCert, not_encrypted}
|
|
|
|
end, Chain),
|
|
|
|
PEM = public_key:pem_encode(PemChain ++ PemKey),
|
|
|
|
Path = cert_file(CertType, Domains),
|
2019-09-22 19:11:54 +02:00
|
|
|
?DEBUG("Storing certificate for ~ts in ~ts",
|
|
|
|
[misc:format_hosts_list(Domains), Path]),
|
2019-09-20 11:36:31 +02:00
|
|
|
case write_file(Path, PEM) of
|
2017-07-11 10:11:00 +02:00
|
|
|
ok ->
|
2019-09-20 11:36:31 +02:00
|
|
|
{ok, Path};
|
2017-07-11 10:11:00 +02:00
|
|
|
{error, Reason} ->
|
2019-09-20 11:36:31 +02:00
|
|
|
{error, {file, Reason}}
|
|
|
|
end.
|
|
|
|
|
|
|
|
-spec read_cert(file:filename_all()) -> {ok, [cert()], priv_key()} |
|
|
|
|
{error, {file, io_error()} |
|
|
|
|
{bad_cert, _, _} |
|
|
|
|
unexpected_certfile}.
|
|
|
|
read_cert(Path) ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?DEBUG("Reading certificate from ~ts", [Path]),
|
2019-09-20 11:36:31 +02:00
|
|
|
case pkix:read_file(Path) of
|
|
|
|
{ok, CertsMap, KeysMap} ->
|
|
|
|
case {maps:to_list(CertsMap), maps:keys(KeysMap)} of
|
|
|
|
{[_|_] = Certs, [CertKey]} ->
|
|
|
|
{ok, [Cert || {Cert, _} <- lists:keysort(2, Certs)], CertKey};
|
|
|
|
_ ->
|
|
|
|
{error, unexpected_certfile}
|
|
|
|
end;
|
|
|
|
{error, Why} when is_atom(Why) ->
|
|
|
|
{error, {file, Why}};
|
|
|
|
{error, _} = Err ->
|
|
|
|
Err
|
2017-07-07 16:37:44 +02:00
|
|
|
end.
|
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
-spec write_file(file:filename_all(), iodata()) -> ok | {error, io_error()}.
|
|
|
|
write_file(Path, Data) ->
|
|
|
|
case ensure_dir(Path) of
|
2017-07-17 09:42:09 +02:00
|
|
|
ok ->
|
2019-09-20 11:36:31 +02:00
|
|
|
case file:write_file(Path, Data) of
|
|
|
|
ok ->
|
|
|
|
case file:change_mode(Path, 8#600) of
|
|
|
|
ok -> ok;
|
|
|
|
{error, Why} ->
|
2019-09-23 14:17:20 +02:00
|
|
|
?WARNING_MSG("Failed to change permissions of ~ts: ~ts",
|
2019-09-22 19:11:54 +02:00
|
|
|
[Path, file:format_error(Why)])
|
2019-09-20 11:36:31 +02:00
|
|
|
end;
|
|
|
|
{error, Why} = Err ->
|
2019-09-23 14:17:20 +02:00
|
|
|
?ERROR_MSG("Failed to write file ~ts: ~ts",
|
2019-09-22 19:11:54 +02:00
|
|
|
[Path, file:format_error(Why)]),
|
2019-09-20 11:36:31 +02:00
|
|
|
Err
|
2019-06-14 11:33:26 +02:00
|
|
|
end;
|
2019-09-20 11:36:31 +02:00
|
|
|
Err ->
|
|
|
|
Err
|
2017-07-17 09:42:09 +02:00
|
|
|
end.
|
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
-spec delete_file(file:filename_all()) -> ok | {error, io_error()}.
|
|
|
|
delete_file(Path) ->
|
|
|
|
case file:delete(Path) of
|
|
|
|
ok -> ok;
|
|
|
|
{error, Why} = Err ->
|
2019-09-23 14:17:20 +02:00
|
|
|
?WARNING_MSG("Failed to delete file ~ts: ~ts",
|
2019-09-22 19:11:54 +02:00
|
|
|
[Path, file:format_error(Why)]),
|
2019-09-20 11:36:31 +02:00
|
|
|
Err
|
2017-07-03 12:37:32 +02:00
|
|
|
end.
|
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
-spec ensure_dir(file:filename_all()) -> ok | {error, io_error()}.
|
|
|
|
ensure_dir(Path) ->
|
|
|
|
case filelib:ensure_dir(Path) of
|
|
|
|
ok -> ok;
|
|
|
|
{error, Why} = Err ->
|
2019-09-23 14:17:20 +02:00
|
|
|
?ERROR_MSG("Failed to create directory ~ts: ~ts",
|
2019-09-22 19:11:54 +02:00
|
|
|
[filename:dirname(Path),
|
2019-09-20 11:36:31 +02:00
|
|
|
file:format_error(Why)]),
|
|
|
|
Err
|
|
|
|
end.
|
|
|
|
|
|
|
|
-spec delete_obsolete_data() -> ok.
|
|
|
|
delete_obsolete_data() ->
|
|
|
|
Path = filename:join(ejabberd_pkix:certs_dir(), "acme"),
|
|
|
|
case filelib:is_dir(Path) of
|
|
|
|
true ->
|
2019-09-22 19:11:54 +02:00
|
|
|
?INFO_MSG("Deleting obsolete directory ~ts", [Path]),
|
2019-09-20 11:36:31 +02:00
|
|
|
_ = misc:delete_dir(Path),
|
|
|
|
ok;
|
|
|
|
false ->
|
|
|
|
ok
|
2017-08-12 14:59:54 +02:00
|
|
|
end.
|
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
%%%===================================================================
|
|
|
|
%%% ejabberd commands
|
|
|
|
%%%===================================================================
|
|
|
|
get_commands_spec() ->
|
|
|
|
[#ejabberd_commands{name = request_certificate, tags = [acme],
|
|
|
|
desc = "Requests certificates for all or the specified "
|
|
|
|
"domains: all | domain1,domain2,...",
|
|
|
|
module = ?MODULE, function = request_certificate,
|
|
|
|
args_desc = ["Domains for which to acquire a certificate"],
|
2019-09-22 00:03:08 +02:00
|
|
|
args_example = ["all | domain.tld,conference.domain.tld,..."],
|
2019-09-20 11:36:31 +02:00
|
|
|
args = [{domains, string}],
|
|
|
|
result = {res, restuple}},
|
|
|
|
#ejabberd_commands{name = list_certificates, tags = [acme],
|
|
|
|
desc = "Lists all ACME certificates",
|
|
|
|
module = ?MODULE, function = list_certificates,
|
|
|
|
args = [],
|
|
|
|
result = {certificates,
|
|
|
|
{list, {certificate,
|
|
|
|
{tuple, [{domain, string},
|
|
|
|
{file, string},
|
|
|
|
{used, string}]}}}}},
|
|
|
|
#ejabberd_commands{name = revoke_certificate, tags = [acme],
|
|
|
|
desc = "Revokes the selected ACME certificate",
|
|
|
|
module = ?MODULE, function = revoke_certificate,
|
|
|
|
args_desc = ["Filename of the certificate"],
|
|
|
|
args = [{file, string}],
|
|
|
|
result = {res, restuple}}].
|
2017-07-03 12:37:32 +02:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
-spec request_certificate(iodata()) -> {ok | error, string()}.
|
|
|
|
request_certificate(Arg) ->
|
|
|
|
Ret = case lists:filter(
|
|
|
|
fun(S) -> S /= <<>> end,
|
|
|
|
re:split(Arg, "[\\h,;]+", [{return, binary}])) of
|
|
|
|
[<<"all">>] ->
|
2019-09-21 23:53:03 +02:00
|
|
|
case auto_domains() of
|
|
|
|
[] -> {error, no_auto_hosts};
|
|
|
|
Domains ->
|
|
|
|
gen_server:call(?MODULE, {request, Domains}, ?CALL_TIMEOUT)
|
|
|
|
end;
|
2019-09-20 11:36:31 +02:00
|
|
|
[_|_] = Domains ->
|
|
|
|
case lists:dropwhile(
|
|
|
|
fun(D) ->
|
2019-09-21 23:53:03 +02:00
|
|
|
try ejabberd_router:is_my_route(D) of
|
|
|
|
true -> not is_ip_or_localhost(D);
|
|
|
|
false -> false
|
2019-09-20 11:36:31 +02:00
|
|
|
catch _:{invalid_domain, _} -> false
|
|
|
|
end
|
|
|
|
end, Domains) of
|
|
|
|
[Bad|_] ->
|
2019-09-21 23:53:03 +02:00
|
|
|
{error, {invalid_host, Bad}};
|
2019-09-20 11:36:31 +02:00
|
|
|
[] ->
|
|
|
|
gen_server:call(?MODULE, {request, Domains}, ?CALL_TIMEOUT)
|
|
|
|
end;
|
|
|
|
[] ->
|
|
|
|
{error, invalid_argument}
|
|
|
|
end,
|
|
|
|
case Ret of
|
|
|
|
ok -> {ok, ""};
|
|
|
|
{error, Why} -> {error, format_error(Why)}
|
|
|
|
end.
|
|
|
|
|
|
|
|
-spec revoke_certificate(iodata()) -> {ok | error, string()}.
|
|
|
|
revoke_certificate(Path0) ->
|
|
|
|
Path = prep_path(Path0),
|
|
|
|
Ret = case read_cert(Path) of
|
|
|
|
{ok, [Cert|_], Key} ->
|
|
|
|
gen_server:call(?MODULE, {revoke, Cert, Key, Path}, ?CALL_TIMEOUT);
|
|
|
|
{error, _} = Err ->
|
|
|
|
Err
|
|
|
|
end,
|
|
|
|
case Ret of
|
|
|
|
ok -> {ok, ""};
|
|
|
|
{error, Reason} -> {error, format_error(Reason)}
|
|
|
|
end.
|
|
|
|
|
|
|
|
-spec list_certificates() -> [{binary(), binary(), boolean()}].
|
|
|
|
list_certificates() ->
|
|
|
|
Known = lists:flatmap(
|
|
|
|
fun(Path) ->
|
|
|
|
try
|
|
|
|
{ok, [Cert|_], _} = read_cert(Path),
|
|
|
|
Domains = pkix:extract_domains(Cert),
|
|
|
|
[{Domain, Path} || Domain <- Domains]
|
|
|
|
catch _:{badmatch, _} ->
|
|
|
|
[]
|
|
|
|
end
|
|
|
|
end, list_certfiles()),
|
|
|
|
Used = lists:foldl(
|
|
|
|
fun(Domain, S) ->
|
|
|
|
try
|
|
|
|
{ok, Path} = ejabberd_pkix:get_certfile_no_default(Domain),
|
|
|
|
{ok, [Cert|_], _} = read_cert(Path),
|
|
|
|
{ok, #{files := Files}} = pkix:get_cert_info(Cert),
|
|
|
|
lists:foldl(fun sets:add_element/2,
|
|
|
|
S, [{Domain, File} || {File, _} <- Files])
|
|
|
|
catch _:{badmatch, _} ->
|
2019-09-20 13:04:00 +02:00
|
|
|
S
|
2019-09-20 11:36:31 +02:00
|
|
|
end
|
|
|
|
end, sets:new(), all_domains()),
|
|
|
|
lists:sort(
|
|
|
|
lists:map(
|
|
|
|
fun({Domain, Path} = E) ->
|
|
|
|
{Domain, Path, sets:is_element(E, Used)}
|
|
|
|
end, Known)).
|
2017-06-12 14:31:48 +02:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
%%%===================================================================
|
|
|
|
%%% Other stuff
|
|
|
|
%%%===================================================================
|
|
|
|
-spec all_domains() -> [binary(),...].
|
|
|
|
all_domains() ->
|
|
|
|
ejabberd_option:hosts() ++ ejabberd_router:get_all_routes().
|
|
|
|
|
2019-09-21 23:53:03 +02:00
|
|
|
-spec auto_domains() -> [binary()].
|
|
|
|
auto_domains() ->
|
|
|
|
lists:filter(
|
|
|
|
fun(Host) ->
|
|
|
|
not is_ip_or_localhost(Host)
|
|
|
|
end, all_domains()).
|
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
-spec directory_url() -> binary().
|
|
|
|
directory_url() ->
|
|
|
|
maps:get(ca_url, ejabberd_option:acme(), default_directory_url()).
|
|
|
|
|
|
|
|
-spec debug_fun() -> fun((string(), list()) -> ok).
|
|
|
|
debug_fun() ->
|
|
|
|
fun(Fmt, Args) -> ?DEBUG(Fmt, Args) end.
|
|
|
|
|
|
|
|
-spec request_on_start() -> false | {true, [binary()]}.
|
|
|
|
request_on_start() ->
|
|
|
|
Config = ejabberd_option:acme(),
|
|
|
|
case maps:get(auto, Config, true) of
|
|
|
|
false -> false;
|
|
|
|
true ->
|
|
|
|
case ejabberd_listener:tls_listeners() of
|
|
|
|
[] -> false;
|
|
|
|
_ ->
|
|
|
|
case lists:filter(
|
|
|
|
fun(Host) ->
|
2019-09-20 12:03:25 +02:00
|
|
|
not (have_cert_for_domain(Host)
|
|
|
|
orelse is_ip_or_localhost(Host))
|
2019-09-21 23:53:03 +02:00
|
|
|
end, auto_domains()) of
|
2019-09-20 11:36:31 +02:00
|
|
|
[] -> false;
|
|
|
|
Hosts ->
|
|
|
|
case have_acme_listener() of
|
|
|
|
true -> {true, Hosts};
|
|
|
|
false ->
|
2019-09-21 23:21:12 +02:00
|
|
|
?WARNING_MSG(
|
|
|
|
"No HTTP listeners for ACME challenges "
|
|
|
|
"are configured, automatic "
|
|
|
|
"certificate requests are aborted. Hint: "
|
|
|
|
"configure the listener and restart/reload "
|
|
|
|
"ejabberd. Or set acme->auto option to "
|
|
|
|
"`false` to suppress this warning.",
|
|
|
|
[]),
|
2019-09-20 11:36:31 +02:00
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end.
|
|
|
|
|
|
|
|
well_known() ->
|
|
|
|
[<<".well-known">>, <<"acme-challenge">>].
|
|
|
|
|
|
|
|
-spec have_cert_for_domain(binary()) -> boolean().
|
|
|
|
have_cert_for_domain(Host) ->
|
|
|
|
ejabberd_pkix:get_certfile_no_default(Host) /= error.
|
|
|
|
|
2019-09-20 12:03:25 +02:00
|
|
|
-spec is_ip_or_localhost(binary()) -> boolean().
|
|
|
|
is_ip_or_localhost(Host) ->
|
|
|
|
Parts = binary:split(Host, <<".">>),
|
|
|
|
TLD = binary_to_list(lists:last(Parts)),
|
|
|
|
case inet:parse_address(TLD) of
|
|
|
|
{ok, _} -> true;
|
|
|
|
_ -> TLD == "localhost"
|
|
|
|
end.
|
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
-spec have_acme_listener() -> boolean().
|
|
|
|
have_acme_listener() ->
|
|
|
|
lists:any(
|
|
|
|
fun({_, ejabberd_http, #{tls := false,
|
|
|
|
request_handlers := Handlers}}) ->
|
|
|
|
lists:keymember(well_known(), 1, Handlers);
|
|
|
|
(_) ->
|
|
|
|
false
|
|
|
|
end, ejabberd_option:listen()).
|
|
|
|
|
2019-09-22 11:44:31 +02:00
|
|
|
-spec check_idna([binary()]) -> {ok, [string()]} | {error, {idna_failed, binary()}}.
|
|
|
|
check_idna(Domains) ->
|
|
|
|
lists:foldl(
|
|
|
|
fun(D, {ok, Ds}) ->
|
|
|
|
try {ok, [idna:utf8_to_ascii(D)|Ds]}
|
|
|
|
catch _:_ -> {error, {idna_failed, D}}
|
|
|
|
end;
|
|
|
|
(_, Err) ->
|
|
|
|
Err
|
|
|
|
end, {ok, []}, Domains).
|
2019-09-22 10:04:38 +02:00
|
|
|
|
2019-09-20 11:36:31 +02:00
|
|
|
-spec format_error(term()) -> string().
|
|
|
|
format_error({file, Reason}) ->
|
|
|
|
"I/O error: " ++ file:format_error(Reason);
|
2019-09-21 23:53:03 +02:00
|
|
|
format_error({invalid_host, Domain}) ->
|
|
|
|
"Unknown or unacceptable virtual host: " ++ binary_to_list(Domain);
|
|
|
|
format_error(no_auto_hosts) ->
|
|
|
|
"You have no virtual hosts acceptable for ACME certification";
|
2019-09-20 11:36:31 +02:00
|
|
|
format_error(invalid_argument) ->
|
|
|
|
"Invalid argument";
|
|
|
|
format_error(unexpected_certfile) ->
|
|
|
|
"The certificate file was not obtained using ACME";
|
2019-09-22 10:04:38 +02:00
|
|
|
format_error({idna_failed, Domain}) ->
|
|
|
|
"Not an IDN hostname: " ++ binary_to_list(Domain);
|
2019-09-20 11:36:31 +02:00
|
|
|
format_error({bad_cert, _, _} = Reason) ->
|
|
|
|
"Malformed certificate file: " ++ pkix:format_error(Reason);
|
|
|
|
format_error(Reason) ->
|
2019-09-25 12:10:47 +02:00
|
|
|
p1_acme:format_error(Reason).
|