| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  | 'use strict'; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | var os = require("os"); | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  | var fs = require('fs'); | 
					
						
							|  |  |  | var path = require('path'); | 
					
						
							|  |  |  | var sfs = require('safe-replace'); | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | var PromiseA = getPromise(); | 
					
						
							|  |  |  | var readFileAsync = PromiseA.promisify(fs.readFile); | 
					
						
							|  |  |  | var writeFileAsync = PromiseA.promisify(fs.writeFile); | 
					
						
							|  |  |  | // TODO replace with zero-depenency version
 | 
					
						
							| 
									
										
										
										
											2019-04-15 23:43:17 -06:00
										 |  |  | var mkdirpAsync = PromiseA.promisify(require('@root/mkdirp')); | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // How Storage Works in Greenlock: High-Level Call Stack
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | // nested === skipped if parent succeeds (or has cached result)
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | // tls.SNICallback()                                      // TLS connection with SNI kicks of the request
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | //   greenlock.approveDomains(opts)                       // Greenlokc does some housekeeping, checks for a cert in
 | 
					
						
							|  |  |  | //                                                        // an internal cash, and only asks you to approve new
 | 
					
						
							|  |  |  | //                                                        // certificate // registration if it doesn't find anything.
 | 
					
						
							|  |  |  | //                                                        // In `opts` you'll receive `domain` and a few other things.
 | 
					
						
							|  |  |  | //                                                        // You should return { subject: '...', altnames: ['...'] }
 | 
					
						
							|  |  |  | //                                                        // Anything returned by approveDomains() will be received
 | 
					
						
							|  |  |  | //                                                        // by all plugins at all stages
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | //     greenlock.store.certificates.check()               // Certificate checking happens after approval for several
 | 
					
						
							|  |  |  | //                                                        // reasons, including preventing duplicate registrations
 | 
					
						
							|  |  |  | //                                                        // but most importantly because you can dynamically swap the
 | 
					
						
							|  |  |  | //                                                        // storage plugin right from approveDomains().
 | 
					
						
							|  |  |  | //     greenlock.store.certificates.checkKeypair()        // Check for a keypair associated with the domain
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | //     greenlock.store.accounts.check()                   // Optional. If you need it, look at other Greenlock docs
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | //     greenlock.store.accounts.checkKeypair()            // Check storage for registered account key
 | 
					
						
							|  |  |  | //       (opts.generateKeypair||RSA.generateKeypair)()    // Generates a new keypair
 | 
					
						
							|  |  |  | //       greenlock.core.accounts.register()               // Registers the keypair as an ACME account
 | 
					
						
							|  |  |  | //       greenlock.store.accounts.setKeypair()            // Saves the keypair of the registered account
 | 
					
						
							|  |  |  | //       greenlock.store.accounts.set()                   // Optional. Saves superfluous ACME account metadata
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | //     greenlock.core.certificates.register()             // Begin certificate registration process & housekeeping
 | 
					
						
							|  |  |  | //       (opts.generateKeypair||RSA.generateKeypair)()    // Generates a new certificate keypair
 | 
					
						
							|  |  |  | //       greenlock.acme.certificates.register()           // Performs the ACME challenge processes
 | 
					
						
							|  |  |  | //       greenlock.store.certificates.setKeypair()        // Saves the keypair for the valid certificate
 | 
					
						
							|  |  |  | //       greenlock.store.certificates.set()               // Saves the valid certificate
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | ////////////////////////////////////////////
 | 
					
						
							|  |  |  | // Recap of the high-level overview above //
 | 
					
						
							|  |  |  | ////////////////////////////////////////////
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | //  None of this ever gets called except if there's not a cert already cached.
 | 
					
						
							|  |  |  | //  That only happens on service boot, and about every 75 days for each cert's renewal.
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | //  Therefore, none of this needs to be fast, fancy, or clever
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | //  For any type of customization, whatever is set in `approveDomains()` is available everywhere else.
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | // Either your user calls create with specific options, or greenlock calls it for you with a big options blob
 | 
					
						
							|  |  |  | module.exports.create = function (config) { | 
					
						
							| 
									
										
										
										
											2019-04-02 22:24:07 -06:00
										 |  |  |   // Bear in mind that the only time any of this gets called is on first access after startup, new registration, and
 | 
					
						
							|  |  |  |   // renewal - so none of this needs to be particularly fast. It may need to be memory efficient, however - if you have
 | 
					
						
							|  |  |  |   // more than 10,000 domains, for example.
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |   // basic setup
 | 
					
						
							|  |  |  |   var store = { accounts: {}, certificates: {} }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   // For you store.options should probably start empty and get a minimal set of options copied from `config` above.
 | 
					
						
							|  |  |  |   // Example:
 | 
					
						
							|  |  |  |   //store.options = {};
 | 
					
						
							|  |  |  |   //store.options.databaseUrl = config.databaseUrl;
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   // In the case of greenlock-store-fs there's a bunch of legacy stuff that goes on, so we just clobber it all on.
 | 
					
						
							|  |  |  |   // Don't be like greenlock-store-fs (see note above).
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |   store.options = mergeOptions(config); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   // Certificates.check
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |   //
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |   // Use certificate.id, or subject, if id hasn't been set, to find a certificate.
 | 
					
						
							|  |  |  |   // Return an object with string PEMs for cert and chain (or null, not undefined)
 | 
					
						
							|  |  |  |   store.certificates.check = function (opts) { | 
					
						
							|  |  |  |     // { certificate.id, subject, ... }
 | 
					
						
							| 
									
										
										
										
											2019-04-02 22:24:07 -06:00
										 |  |  |     var id = opts.certificate && opts.certificate.id || opts.subject; | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |     //console.log('certificates.check for', opts.certificate, opts.subject);
 | 
					
						
							| 
									
										
										
										
											2019-04-02 22:24:07 -06:00
										 |  |  |     //console.log(opts);
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |     // For advanced use cases:
 | 
					
						
							|  |  |  |     // This just goes to show that any options set in approveDomains() will be available here
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     // (the same is true for all of the hooks in this file)
 | 
					
						
							| 
									
										
										
										
											2019-04-03 21:34:21 -06:00
										 |  |  |     if (opts.exampleThrowError) { return PromiseA.reject(new Error("You want an error? You got it!")); } | 
					
						
							|  |  |  |     if (opts.exampleReturnNull) { return PromiseA.resolve(null); } | 
					
						
							|  |  |  |     if (opts.exampleReturnCerts) { return PromiseA.resolve(opts.exampleReturnCerts); } | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  |     // Ignore this first bit, it's just file system template / compatibility stuff
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     var liveDir = opts.liveDir || path.join(opts.configDir, 'live', opts.subject); | 
					
						
							|  |  |  |     var privkeyPath = opts.privkeyPath || opts.domainKeyPath || path.join(liveDir, 'privkey.pem'); | 
					
						
							|  |  |  |     var certPath = opts.certPath || path.join(liveDir, 'cert.pem'); | 
					
						
							|  |  |  |     var chainPath = opts.chainPath || path.join(liveDir, 'chain.pem'); | 
					
						
							|  |  |  |     return PromiseA.all([ | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |       readFileAsync(tameWild(privkeyPath, id), 'ascii')   // 0 // all other PEM types are just
 | 
					
						
							|  |  |  |     , readFileAsync(tameWild(certPath, id), 'ascii')      // 1 // some arrangement of these 3
 | 
					
						
							|  |  |  |     , readFileAsync(tameWild(chainPath, id), 'ascii')     // 2 // (bundle, combined, fullchain, etc)
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     ]).then(function (all) { | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  |       ////////////////////////
 | 
					
						
							|  |  |  |       // PAY ATTENTION HERE //
 | 
					
						
							|  |  |  |       ////////////////////////
 | 
					
						
							|  |  |  |       // This is all you have to return: cert, chain
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |       return { | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |         cert: all[1]      // string PEM. the bare cert, half of the concatonated fullchain.pem you need
 | 
					
						
							|  |  |  |       , chain: all[2]     // string PEM. the bare chain, the second half of the fullchain.pem
 | 
					
						
							|  |  |  |       , privkey: all[0]   // string PEM. optional, allows checkKeypair to be skipped
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       // These can be useful to store in your database,
 | 
					
						
							|  |  |  |       // but otherwise they're easy to derive from the cert.
 | 
					
						
							| 
									
										
										
										
											2019-04-02 22:24:07 -06:00
										 |  |  |       // (when not available they'll be generated from cert-info)
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |       //, subject: certinfo.subject     // string domain name
 | 
					
						
							|  |  |  |       //, altnames: certinfo.altnames   // array of domain name strings
 | 
					
						
							|  |  |  |       //, issuedAt: certinfo.issuedAt   // number in ms (a.k.a. NotBefore)
 | 
					
						
							|  |  |  |       //, expiresAt: certinfo.expiresAt // number in ms (a.k.a. NotAfter)
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |       }; | 
					
						
							|  |  |  |     }).catch(function (err) { | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |       // Treat non-exceptional failures as null returns (not undefined)
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |       if ('ENOENT' === err.code) { return null; } | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |       throw err; // True exceptions should be thrown
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     }); | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  |   // Implement if you need the ACME account metadata elsewhere in the chain of events
 | 
					
						
							|  |  |  |   //store.accounts.check = function (opts) {
 | 
					
						
							|  |  |  |   //  console.log('accounts.check for', opts.account, opts.email);
 | 
					
						
							|  |  |  |   //  return PromiseA.resolve(null);
 | 
					
						
							|  |  |  |   //};
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   // Accounts.checkKeypair
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |   //
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |   // Use account.id, or email, if id hasn't been set, to find an account keypair.
 | 
					
						
							|  |  |  |   // Return an object with string privateKeyPem and/or object privateKeyJwk (or null, not undefined)
 | 
					
						
							|  |  |  |   store.accounts.checkKeypair = function (opts) { | 
					
						
							|  |  |  |     var id = opts.account.id || opts.email || 'single-user'; | 
					
						
							|  |  |  |     //console.log('accounts.checkKeypair for', id);
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-01 22:27:39 -06:00
										 |  |  |     var pathname = path.join(tameWild(opts.accountsDir, opts.subject), sanitizeFilename(id) + '.json'); | 
					
						
							|  |  |  |     return readFileAsync(tameWild(pathname, opts.subject), 'utf8').then(function (blob) { | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |       // keypair can treated as an opaque object and just passed along,
 | 
					
						
							|  |  |  |       // but just to show you what it is...
 | 
					
						
							|  |  |  |       var keypair = JSON.parse(blob); | 
					
						
							|  |  |  |       return { | 
					
						
							|  |  |  |         privateKeyPem: keypair.privateKeyPem // string PEM private key
 | 
					
						
							|  |  |  |       , privateKeyJwk: keypair.privateKeyJwk // object JWK private key
 | 
					
						
							|  |  |  |       }; | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     }).catch(function (err) { | 
					
						
							|  |  |  |       if ('ENOENT' === err.code) { return null; } | 
					
						
							|  |  |  |       throw err; | 
					
						
							|  |  |  |     }); | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   // Accounts.setKeypair({ account, email, keypair, ... }):
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |   //
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |   // Use account.id (or email if no id is present) to save an account keypair
 | 
					
						
							|  |  |  |   // Return null (not undefined) on success, or throw on error
 | 
					
						
							|  |  |  |   store.accounts.setKeypair = function (opts) { | 
					
						
							|  |  |  |     //console.log('accounts.setKeypair for', opts.account, opts.email, opts.keypair);
 | 
					
						
							| 
									
										
										
										
											2019-04-08 01:43:42 -06:00
										 |  |  |     var id = opts.account.id || opts.email || 'single-user'; | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  |     // you can just treat the keypair as opaque and save and retrieve it as JSON
 | 
					
						
							|  |  |  |     var keyblob = JSON.stringify({ | 
					
						
							|  |  |  |       privateKeyPem: opts.keypair.privateKeyPem // string PEM
 | 
					
						
							|  |  |  |     , privateKeyJwk: opts.keypair.privateKeyJwk // object JWK
 | 
					
						
							|  |  |  |     }); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     // Ignore.
 | 
					
						
							|  |  |  |     // Just implementation specific details here.
 | 
					
						
							| 
									
										
										
										
											2019-04-01 22:27:39 -06:00
										 |  |  |     return mkdirpAsync(tameWild(opts.accountsDir, opts.subject)).then(function () { | 
					
						
							|  |  |  |       var pathname = tameWild(path.join(opts.accountsDir, sanitizeFilename(id) + '.json'), opts.subject); | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |       return writeFileAsync(tameWild(pathname, opts.subject), keyblob, 'utf8'); | 
					
						
							|  |  |  |     }).then(function () { | 
					
						
							|  |  |  |       // This is your job: return null, not undefined
 | 
					
						
							|  |  |  |       return null; | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     }); | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  |   // Implement if you need the ACME account metadata elsewhere in the chain of events
 | 
					
						
							|  |  |  |   //store.accounts.set = function (opts) {
 | 
					
						
							|  |  |  |   //  console.log('account.set:', opts.account, opts.email, opts.receipt);
 | 
					
						
							|  |  |  |   //  return PromiseA.resolve(null);
 | 
					
						
							|  |  |  |   //};
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   // Certificates.checkKeypair
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |   //
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |   // Use certificate.kid, certificate.id, or subject to find a certificate keypair
 | 
					
						
							|  |  |  |   // Return an object with string privateKeyPem and/or object privateKeyJwk (or null, not undefined)
 | 
					
						
							|  |  |  |   store.certificates.checkKeypair = function (opts) { | 
					
						
							|  |  |  |     //console.log('certificates.checkKeypair:', opts.certificate, opts.subject);
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     // Ignore this. It's just special stuff for file system compat with the old le-store-certbot
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     var liveDir = opts.liveDir || path.join(opts.configDir, 'live', opts.subject); | 
					
						
							|  |  |  |     var privkeyPath = opts.privkeyPath || opts.domainKeyPath || path.join(liveDir, 'privkey.pem'); | 
					
						
							| 
									
										
										
										
											2019-04-01 22:27:39 -06:00
										 |  |  |     return readFileAsync(tameWild(privkeyPath, opts.subject), 'ascii').then(function (key) { | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |       ////////////////////////
 | 
					
						
							|  |  |  |       // PAY ATTENTION HERE //
 | 
					
						
							|  |  |  |       ////////////////////////
 | 
					
						
							|  |  |  |       return { | 
					
						
							|  |  |  |         privateKeyPem: key      // In this case we only saved privateKeyPem, so we only return it
 | 
					
						
							|  |  |  |       //privateKeyJwk: null     // (but it's fine, just different encodings of the same thing)
 | 
					
						
							|  |  |  |       }; | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     }).catch(function (err) { | 
					
						
							|  |  |  |       if ('ENOENT' === err.code) { return null; } | 
					
						
							|  |  |  |       throw err; | 
					
						
							|  |  |  |     }); | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   // Certificates.setKeypair({ certificate, subject, keypair, ... }):
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |   //
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |   // Use certificate.kid (or certificate.id or subject if no kid is present) to find a certificate keypair
 | 
					
						
							|  |  |  |   // Return null (not undefined) on success, or throw on error
 | 
					
						
							|  |  |  |   store.certificates.setKeypair = function (opts) { | 
					
						
							|  |  |  |     var keypair = opts.keypair || keypair; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     // Ignore.
 | 
					
						
							|  |  |  |     // Just specific implementation details.
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     var liveDir = opts.liveDir || path.join(opts.configDir, 'live', opts.subject); | 
					
						
							|  |  |  |     var privkeyPath = opts.privkeyPath || opts.domainKeyPath || path.join(liveDir, 'privkey.pem'); | 
					
						
							| 
									
										
										
										
											2019-04-01 22:27:39 -06:00
										 |  |  |     return mkdirpAsync(tameWild(path.dirname(privkeyPath), opts.subject)).then(function () { | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |       // keypair is normally an opaque object, but here it's a PEM for the FS (for things like Apache and Nginx)
 | 
					
						
							| 
									
										
										
										
											2019-04-01 22:27:39 -06:00
										 |  |  |       return writeFileAsync(tameWild(privkeyPath, opts.subject), keypair.privateKeyPem, 'ascii').then(function () { | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |         return null; | 
					
						
							|  |  |  |       }); | 
					
						
							|  |  |  |     }); | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   // Certificates.set({ subject, pems, ... }):
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |   //
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |   // Use certificate.id (or subject if no ki is present) to save a certificate
 | 
					
						
							|  |  |  |   // Return null (not undefined) on success, or throw on error
 | 
					
						
							|  |  |  |   store.certificates.set = function (opts) { | 
					
						
							|  |  |  |     //console.log('certificates.set:', opts.subject, opts.pems);
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     var pems = { | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |       cert: opts.pems.cert        // string PEM the first half of the concatonated fullchain.pem cert
 | 
					
						
							|  |  |  |     , chain: opts.pems.chain      // string PEM the second half (yes, you need this too)
 | 
					
						
							|  |  |  |     , privkey: opts.pems.privkey  // Ignore. string PEM, useful if you have to create bundle.pem
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     }; | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  |     // Ignore
 | 
					
						
							|  |  |  |     // Just implementation specific details (writing lots of combinatons of files)
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |     var liveDir = opts.liveDir || path.join(opts.configDir, 'live', opts.subject); | 
					
						
							|  |  |  |     var certPath = opts.certPath || path.join(liveDir, 'cert.pem'); | 
					
						
							|  |  |  |     var fullchainPath = opts.fullchainPath || path.join(liveDir, 'fullchain.pem'); | 
					
						
							|  |  |  |     var chainPath = opts.chainPath || path.join(liveDir, 'chain.pem'); | 
					
						
							|  |  |  |     var bundlePath = opts.bundlePath || path.join(liveDir, 'bundle.pem'); | 
					
						
							| 
									
										
										
										
											2019-04-01 22:27:39 -06:00
										 |  |  |     return mkdirpAsync(path.dirname(tameWild(certPath, opts.subject))).then(function () { | 
					
						
							|  |  |  |       return mkdirpAsync(path.dirname(tameWild(chainPath, opts.subject))).then(function () { | 
					
						
							|  |  |  |         return mkdirpAsync(path.dirname(tameWild(fullchainPath, opts.subject))).then(function () { | 
					
						
							|  |  |  |           return mkdirpAsync(path.dirname(tameWild(bundlePath, opts.subject))).then(function () { | 
					
						
							|  |  |  |             var fullchainPem = [ pems.cert, pems.chain ].join('\n'); // for Apache, Nginx, etc
 | 
					
						
							|  |  |  |             var bundlePem = [ pems.privkey, pems.cert, pems.chain ].join('\n'); // for HAProxy
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |             return PromiseA.all([ | 
					
						
							| 
									
										
										
										
											2019-04-01 22:27:39 -06:00
										 |  |  |               sfs.writeFileAsync(tameWild(certPath, opts.subject), pems.cert, 'ascii') | 
					
						
							|  |  |  |             , sfs.writeFileAsync(tameWild(chainPath, opts.subject), pems.chain, 'ascii') | 
					
						
							|  |  |  |               // Most web servers need these two
 | 
					
						
							|  |  |  |             , sfs.writeFileAsync(tameWild(fullchainPath, opts.subject), fullchainPem, 'ascii') | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |               // HAProxy needs "bundle.pem" aka "combined.pem"
 | 
					
						
							| 
									
										
										
										
											2019-04-01 22:27:39 -06:00
										 |  |  |             , sfs.writeFileAsync(tameWild(bundlePath, opts.subject), bundlePem, 'ascii') | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |             ]); | 
					
						
							|  |  |  |           }); | 
					
						
							|  |  |  |         }); | 
					
						
							|  |  |  |       }); | 
					
						
							|  |  |  |     }).then(function () { | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  |       // That's your job: return null
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |       return null; | 
					
						
							|  |  |  |     }); | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  |   return store; | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | ///////////////////////////////////////////////////////////////////////////////
 | 
					
						
							|  |  |  | //                                  Ignore                                   //
 | 
					
						
							|  |  |  | ///////////////////////////////////////////////////////////////////////////////
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | // Everything below this line is just implementation specific
 | 
					
						
							| 
									
										
										
										
											2019-04-01 01:56:41 -06:00
										 |  |  | var defaults = { | 
					
						
							|  |  |  |   configDir: path.join(os.homedir(), 'acme', 'etc') | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | , accountsDir: path.join(':configDir', 'accounts', ':serverDir') | 
					
						
							|  |  |  | , serverDirGet: function (copy) { | 
					
						
							|  |  |  |     return (copy.server || '').replace('https://', '').replace(/(\/)$/, '').replace(/\//g, path.sep); | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | , privkeyPath: path.join(':configDir', 'live', ':hostname', 'privkey.pem') | 
					
						
							|  |  |  | , fullchainPath: path.join(':configDir', 'live', ':hostname', 'fullchain.pem') | 
					
						
							|  |  |  | , certPath: path.join(':configDir', 'live', ':hostname', 'cert.pem') | 
					
						
							|  |  |  | , chainPath: path.join(':configDir', 'live', ':hostname', 'chain.pem') | 
					
						
							|  |  |  | , bundlePath: path.join(':configDir', 'live', ':hostname', 'bundle.pem') | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | function mergeOptions(configs) { | 
					
						
							|  |  |  |   if (!configs.domainKeyPath) { | 
					
						
							|  |  |  |     configs.domainKeyPath = configs.privkeyPath || defaults.privkeyPath; | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   Object.keys(defaults).forEach(function (key) { | 
					
						
							|  |  |  |     if (!configs[key]) { | 
					
						
							|  |  |  |       configs[key] = defaults[key]; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |   }); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   return configs; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | function sanitizeFilename(id) { | 
					
						
							|  |  |  |   return id.replace(/(\.\.)|\\|\//g, '_').replace(/[^!-~]/g, '_'); | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2019-04-01 22:27:39 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | // because not all file systems like '*' in a name (and they're scary)
 | 
					
						
							|  |  |  | function tameWild(path, wild) { | 
					
						
							|  |  |  |   var tame = wild.replace(/\*/g, '_'); | 
					
						
							|  |  |  |   return path.replace(wild, tame); | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2019-04-08 00:14:28 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | function getPromise() { | 
					
						
							|  |  |  |   var util = require('util'); | 
					
						
							|  |  |  |   var PromiseA; | 
					
						
							|  |  |  |   if (util.promisify && global.Promise) { | 
					
						
							|  |  |  |     PromiseA = global.Promise; | 
					
						
							|  |  |  |     PromiseA.promisify = util.promisify; | 
					
						
							|  |  |  |   } else { | 
					
						
							|  |  |  |     try { | 
					
						
							|  |  |  |       PromiseA = require('bluebird'); | 
					
						
							|  |  |  |     } catch(e) { | 
					
						
							|  |  |  |       console.error("Your version of node is missing Promise. Please run `npm install --save bluebird` in your project to fix"); | 
					
						
							|  |  |  |       process.exit(10); | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  |   return PromiseA; | 
					
						
							|  |  |  | } |