acme_nsupdate 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 7c52e0be82cd56ce8fb4c5bcd48b1e29f42a4cb0
+  data.tar.gz: ae6a8c0739c5ac9a2eea8565930b3d67eb02e853
+SHA512:
+  metadata.gz: d6a7904ea0ede7ef6abf02d175e7ffa6640399c0ed526a27a737d1ffcdfe1686003b73983b9dbc0f5e902e14a127aefdc9f80a8c59ee8d1e71a962f23a4b3ba0
+  data.tar.gz: 6b6067511ab4f30165182030da025b176b3b4d8da59dc686cb41de2c89edb8941f585182f9258a4c5f08f72febe8233b817e3d5e12e40b5fc808fcf836b2cee8

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Jonne Haß
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,36 @@
+# ACME nsupdate [![Gem Version](https://badge.fury.io/rb/acme_nsupdate.svg)](https://rubygems.org/gems/acme_nsupdate)
+
+ACME (Let's Encrypt) client with nsupdate (DDNS) integration.
+
+CLI tool to obtain certificates via ACME and update the matching TLSA records.
+The primary authentication method is http-01 via webroot for now, but dns-01 is supported too.
+
+*Don't actually trust this, I wrote it for myself. Read and understand the code if you want to
+actually use it. **There are no tests!***
+
+## Installation
+
+Install the gem:
+
+```
+$ gem install acme_nsupdate
+```
+
+## Usage
+
+See the help:
+
+```
+$ acme_nsupdate --help
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/jhass/acme_nsupdate.
+Feature contributions are welcome too, feature requests will most likely not be fulfilled.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/bin/acme_nsupdate

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+$LOAD_PATH.unshift(File.expand_path(File.join(__dir__, "..", "lib")))
+
+require "acme_nsupdate/cli"
+
+AcmeNsupdate::Cli.new(ARGV).run

data/lib/acme_nsupdate.rb

@@ -0,0 +1 @@
+require "acme_nsupdate/client"

data/lib/acme_nsupdate/cli.rb

@@ -0,0 +1,90 @@
+require "slop"
+
+require "acme_nsupdate/version"
+require "acme_nsupdate/client"
+
+module AcmeNsupdate
+  class Cli
+    def initialize argv=ARGV
+      @options = Slop.parse(argv) do |o|
+        o.array   "-d", "--domains",   "The FQDNs to request a certificate for, multiple should be comma separated."
+        o.string  "-m", "--master",    "The nameserver to use to provision the TXT and TLSA records to. Defaults to the primary nameserver specifed in the SOA record."
+        o.string  "-t", "--ttl",       "The TTLs of the TXT and TLSA records created, separated by a comma. Defaults to 60,43200", default: "60,43200"
+        o.bool    "-k", "--keep",      "Skip removing any kind of temporary data after successfully obtaining the certificate."
+        o.string  "-K", "--tsig",      "TSIG key to use for DNS updates. Expected format is name:key."
+        o.string  "-e", "--endpoint",  "ACME API endpoint. Defaults to: https://acme-v01.api.letsencrypt.org", default: "https://acme-v01.api.letsencrypt.org"
+        o.string  "-D", "--datadir",   "Base directory for certificates and account keys. Defaults to: /etc/letsencrypt", default: "/etc/letsencrypt"
+        o.string  "-c", "--contact",   "Contact mail address."
+        o.integer "-l", "--keylength", "Length of the generated RSA keys. Defaults to 2048.", default: 2048
+        o.bool    "-T", "--notlsa",    "Do not publish TLSA records (publishing them drops all old ones). Defaults to no.", default: false
+        o.array   "-p", "--tlsaports", "Ports to publish TLSA records for. A plain port publishes for all FQDNs given, fqdn:port publishes for a single FQDN, [fqdn1 fqdn2]:port publishes for a subset. Multiple values should be comma separated. Defaults to 443.", default: ["443"]
+        o.string  "-C", "--challenge", "Challenge to use, either http-01 or dns-01. http-01 requires the webroot option. Defaults to http-01.", default: "http-01"
+        o.string  "-w", "--webroot",   "Webroot to save http-01 challenges to."
+        o.bool    "-V", "--verbose",   "Enable debug logging.", default: false
+        o.bool    "-q", "--quiet",     "Only print error messages.", default: false
+        o.bool    "-f", "--force",     "Force, even if cert is still valid.", default: false
+
+        o.on "-v", "--version", "Display version." do
+          puts "ACME nsupdate #{AcmeNsupdate::VERSION}"
+          exit
+        end
+
+        o.on "-h", "--help", "Display this help." do
+          puts o
+          exit
+        end
+      end
+
+      abort "Unexpected extra arguments #{@options.arguments}" unless @options.arguments.empty?
+
+      @options = @options.to_h
+
+      abort "You need to provide a domain!"                                   unless domain_given?
+      abort "A domain was given more than once!"                              unless domains_unique?
+      abort "You need to provide a contact mail address!"                     unless contact_given?
+      abort "Invalid TSIG key: name or key missing!"                          unless valid_tsig?
+      abort "No webroot given or not writable!"                               unless valid_webroot?
+      abort "Invalid TTL specification"                                       unless valid_ttl?
+      abort "Can't silence output and enable debug logging at the same time." unless valid_verbosity?
+
+      @options[:txt_ttl], @options[:tlsa_ttl] = @options[:ttl].split(",")
+    end
+
+    def run
+      Client.new(@options).run
+    end
+
+    private
+
+    def domain_given?
+      !@options[:domains].empty?
+    end
+
+    def domains_unique?
+      @options[:domains] == @options[:domains].uniq
+    end
+
+    def contact_given?
+      !@options[:contact].nil?
+    end
+
+    def valid_tsig?
+      @options[:tsig].nil? ||
+      @options[:tsig].include?(":")
+    end
+
+    def valid_webroot?
+      @options[:challenge] != "http-01" ||
+      !@options[:webroot].nil? ||
+      File.writable?(@options[:webroot])
+    end
+
+    def valid_ttl?
+      !@options[:ttl][/\A\d+,\d+\z/].nil?
+    end
+
+    def valid_verbosity?
+      !(@options[:verbose] && @options[:quiet])
+    end
+  end
+end

data/lib/acme_nsupdate/client.rb

@@ -0,0 +1,186 @@
+require "openssl"
+require "pathname"
+require "logger"
+
+require "acme-client"
+require "faraday/detailed_logger"
+
+require "acme_nsupdate/strategy"
+require "acme_nsupdate/nsupdate"
+
+module AcmeNsupdate
+  class Client
+    class Error < RuntimeError
+    end
+
+    RENEWAL_THRESHOLD = 2_592_000 # 30*24*60*60, 30 days
+
+    attr_reader :options, :logger
+
+    def initialize options
+      @options = options
+      @logger = Logger.new(STDOUT)
+      @logger.level = Logger::INFO
+      @logger.level = Logger::FATAL if @options[:quiet]
+      @logger.level = Logger::DEBUG if @options[:verbose]
+      @verification_strategy = Strategy.for(@options[:challenge]).new(self)
+    end
+
+    def run
+      unless renewal_needed?
+        logger.info "Existing certificate is still valid long enough."
+        return
+      end
+
+      register_account
+      challenges = @verification_strategy.verify_domains
+      logger.info "Requesting certificate"
+      certificate = client.new_certificate csr
+      write_files live_path, certificate, private_key
+      write_files archive_path, certificate, private_key
+      @verification_strategy.cleanup challenges unless @options[:keep]
+      publish_tlsa_records certificate.x509
+    rescue Nsupdate::Error
+      abort "nsupdate failed." # detail logged in Nsupdate
+    end
+
+    def register_account
+      return if account_key_path.exist?
+
+      logger.debug "No key found at #{account_key_path}, registering"
+      registration = client.register contact: "mailto:#{@options[:contact]}"
+      registration.agree_terms
+    end
+
+    def client
+      @client ||= Acme::Client.new(private_key: account_key, endpoint: @options[:endpoint]).tap do |client|
+        client.connection.response :detailed_logger, @logger if @options[:verbose]
+      end
+    end
+
+    def account_key_path
+      @account_key_path ||= datadir.join ".#{@options[:contact]}.pem"
+    end
+
+    def datadir
+      @datadir ||= Pathname.new(@options[:datadir]).tap(&:mkpath)
+    end
+
+    def account_key
+      @account_key ||= read_or_create_key account_key_path
+    end
+
+    def read_or_create_key path
+      logger.debug "Creating or reading #{path}"
+      path.write OpenSSL::PKey::RSA.new @options[:keylength] unless path.exist?
+      OpenSSL::PKey::RSA.new path.read
+    end
+
+    def renewal_needed?
+      return true if @options[:force]
+
+      cert_path = live_path.join("cert.pem")
+      return true unless cert_path.exist?
+
+      cert = OpenSSL::X509::Certificate.new(cert_path.read)
+      (cert.not_after - Time.now) <= RENEWAL_THRESHOLD
+    end
+
+    def build_nsupdate
+      Nsupdate.new(logger).tap do |nsupdate|
+        nsupdate.server @options[:master] if @options[:master]
+        nsupdate.tsig(*@options[:tsig].split(":")) if @options[:tsig]
+      end
+    end
+
+    def csr
+      logger.debug "Generating CSR"
+      Acme::Client::CertificateRequest.new(names: @options[:domains], private_key: private_key)
+    end
+
+    def private_key
+      @private_key ||= read_or_create_key private_key_path
+    end
+
+    def private_key_path
+      @private_key_path ||= live_path.join("privkey.pem")
+    end
+
+    def live_path
+      @live_path ||= datadir.join("live").join(@options[:domains].first).tap(&:mkpath)
+    end
+
+    def archive_path
+      @archive_path ||= datadir.join("archive")
+                               .join(Time.now.strftime("%Y%m%d%H%M%S"))
+                               .join(@options[:domains].first)
+                               .tap(&:mkpath)
+    end
+
+    def write_files path, certificate, key
+      logger.info "Writing files to #{path}"
+      logger.debug "Writing #{path.join("key.pem")}"
+      path.join("privkey.pem").write key.to_pem
+      path.join("privkey.pem").chmod(0600)
+      logger.debug "Writing #{path.join("cert.pem")}"
+      path.join("cert.pem").write certificate.to_pem
+      logger.debug "Writing #{path.join("chain.pem")}"
+      path.join("chain.pem").write certificate.chain_to_pem
+      logger.debug "Writing #{path.join("fullchain.pem")}"
+      path.join("fullchain.pem").write certificate.fullchain_to_pem
+    end
+
+    def publish_tlsa_records certificate
+      return if @options[:notlsa]
+
+      logger.info "Publishing TLSA records"
+      old_contents = outdated_certificates.map {|certificate|
+        "3 1 1 #{OpenSSL::Digest::SHA256.hexdigest(certificate.public_key.to_der)}"
+      }.uniq
+      content = "3 1 1 #{OpenSSL::Digest::SHA256.hexdigest(certificate.public_key.to_der)}"
+      old_contents.delete(content)
+
+      @options[:domains].each do |domain|
+        nsupdate = build_nsupdate
+
+        @options[:tlsaports].each do |port|
+          restriction, port = port.split(":")
+          restriction, port = port, restriction unless port
+          label = "_#{port}._tcp.#{domain}"
+
+          if restriction
+            restrictions = restriction.delete("[]").split(" ")
+            unless restrictions.include? domain
+              logger.debug "Not publishing TLSA record for #{label}, not one of #{restrictions.join(" ")}"
+              next
+            end
+          end
+
+          old_contents.each do |old_content|
+            nsupdate.del label, "TLSA", old_content unless @options[:keep]
+          end
+          nsupdate.del label, "TLSA", content
+          nsupdate.add label, "TLSA", content, @options[:tlsa_ttl]
+        end
+
+        begin
+          nsupdate.send
+        rescue Nsupdate::Error
+          # Continue trying other zones, errors logged in Nsupdate
+        end
+      end
+    end
+
+    def outdated_certificates
+      domain = @options[:domains].first
+      @outdated_certificates ||= datadir
+        .join("archive")
+        .children
+        .select {|dir| dir.join(domain, "cert.pem").exist? }
+        .sort_by(&:basename)
+        .map {|path| OpenSSL::X509::Certificate.new path.join(domain, "cert.pem").read }
+        .tap(&:pop) # keep current
+        .tap(&:pop) # keep previous
+    end
+  end
+end

data/lib/acme_nsupdate/nsupdate.rb

@@ -0,0 +1,55 @@
+require "open3"
+
+module AcmeNsupdate
+  class Nsupdate
+    class Error < RuntimeError
+    end
+
+    def initialize(logger)
+      @logger = logger
+      @commands = []
+    end
+
+    def server server
+      @commands << "server #{server}"
+    end
+
+    def tsig name, key
+      @commands << "key #{name} #{key}"
+    end
+
+    def add label, type, data, ttl
+      @commands << "update add #{label} #{ttl} #{type} #{data}"
+    end
+
+    def del label, type=nil, data=nil
+      @commands << "update del #{label}#{" #{type}" if type}#{" #{data}" if data}"
+    end
+
+    def send
+      @logger.debug("Starting nsupdate:")
+      Open3.popen3("nsupdate") do |stdin, stdout, stderr, wait_thr|
+        @commands.each do |command|
+          @logger.debug "  #{command}"
+          stdin.puts command
+        end
+        @logger.debug("  send")
+        stdin.puts "send"
+        stdin.close
+        errors = stdout.readlines.map {|line| line[/^>\s*(.*)$/, 1].strip }.reject(&:empty?)
+        errors.concat stderr.readlines.map(&:strip).reject(&:empty?)
+        stdout.close
+        stderr.close
+        unless errors.empty?
+          errors = errors.join(" ")
+          @logger.error "DNS update transaction failed: #{errors}"
+          @logger.info "Transaction:"
+          @commands.each do |command|
+            @logger.info "  #{command}"
+          end
+          raise Error.new errors
+        end
+      end
+    end
+  end
+end

data/lib/acme_nsupdate/strategies/dns01.rb

@@ -0,0 +1,54 @@
+require "acme_nsupdate/strategy"
+
+module AcmeNsupdate
+  module Strategies
+    class Dns01
+      IDENTIFIER = "dns-01"
+
+      include Strategy
+
+      def initialize client
+        @client = client
+      end
+
+      def publish_challenges
+        @client.logger.debug "Publishing challenges for #{@client.options[:domains].join(", ")}"
+
+        challenges = @client.options[:domains].map {|domain|
+          nsupdate = @client.build_nsupdate
+
+          authorization = @client.client.authorize domain: domain
+          challenge = authorization.dns01
+          abort "Challenge dns-01 not supported by the given ACME server" unless challenge
+          nsupdate.del(*record(domain, challenge, true)) unless @client.options[:keep]
+          nsupdate.add(*record(domain, challenge), @client.options[:txt_ttl])
+          nsupdate.send
+
+          [domain, challenge]
+        }.to_h
+
+        @client.logger.info "Waiting 120 seconds for the DNS updates to go live"
+        sleep 120 # We wait some time to give the slaves time to update
+
+        challenges
+      end
+
+      def cleanup challenges
+        @client.logger.info("Cleaning up challenges")
+        challenges.each do |domain, challenge|
+          nsupdate = @client.build_nsupdate
+          nsupdate.del(*record(domain, challenge))
+          nsupdate.send
+        end
+      end
+
+      private
+
+      def record domain, challenge, nodata=false
+        ["#{challenge.record_name}.#{domain}", challenge.record_type].tap do |record|
+          record << %("#{challenge.record_content}") unless nodata
+        end
+      end
+    end
+  end
+end

data/lib/acme_nsupdate/strategies/http01.rb

@@ -0,0 +1,46 @@
+require "fileutils"
+
+require "acme_nsupdate/strategy"
+
+module AcmeNsupdate
+  module Strategies
+    class Http01
+      IDENTIFIER = "http-01"
+
+      include Strategy
+
+      def initialize client
+        @client = client
+      end
+
+      def publish_challenges
+        @client.logger.debug "Publishing challenges for #{@client.options[:domains].join(", ")}"
+        @client.options[:domains].map {|domain|
+          authorization = @client.client.authorize domain: domain
+          challenge = authorization.http01
+          abort "Challenge http-01 not supported by this ACME server" unless challenge
+          path = path challenge
+          @client.logger.debug "Writing #{path} for #{domain}"
+          FileUtils.mkdir_p File.dirname path
+          File.write path, challenge.file_content
+          [domain, challenge]
+        }.to_h
+      end
+
+      def cleanup challenges
+        @client.logger.info("Cleaning up challenges")
+        challenges.each_value do |challenge|
+          path = path challenge
+          @client.logger.debug("Removing #{path}")
+          File.delete path if File.exist? path
+        end
+      end
+
+      private
+
+      def path challenge
+        File.join(@client.options[:webroot], challenge.filename)
+      end
+    end
+  end
+end

data/lib/acme_nsupdate/strategy.rb

@@ -0,0 +1,39 @@
+module AcmeNsupdate
+  module Strategy
+    class << self
+      def strategies
+        @strategies ||= {}
+      end
+
+      def for identifier
+        strategies.fetch(identifier) { raise ArgumentError.new "Unknown strategy #{identifier}!" }
+      end
+
+      def included base
+        strategies[base::IDENTIFIER] = base
+      end
+    end
+
+    def verify_domains
+      @client.logger.info("Validating domains")
+      publish_challenges.tap do |challenges|
+        wait_for_verification challenges
+      end
+    end
+
+    private
+
+    def wait_for_verification challenges
+      @client.logger.debug("Requesting verification")
+      challenges.each_value(&:request_verification)
+      @client.logger.debug("Waiting for verification")
+      challenges.map {|_, challenge| Thread.new { sleep(5) while challenge.verify_status == "pending" } }.each(&:join)
+      challenges.each do |domain, challenge|
+        raise "Verification of #{domain} failed: #{challenge.error}" unless challenge.status == "valid"
+      end
+    end
+  end
+end
+
+require "acme_nsupdate/strategies/http01.rb"
+require "acme_nsupdate/strategies/dns01.rb"

data/lib/acme_nsupdate/version.rb

@@ -0,0 +1,3 @@
+module AcmeNsupdate
+  VERSION = "0.2.0"
+end

metadata

@@ -0,0 +1,128 @@
+--- !ruby/object:Gem::Specification
+name: acme_nsupdate
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Jonne Haß
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-08-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: slop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: acme-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+- !ruby/object:Gem::Dependency
+  name: faraday-detailed_logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |-
+  CLI tool to obtain certificates via ACME and update the matching TLSA records.
+      The primary authentication method is http-01 via webroot for now, but dns-01 is supported too.
+email:
+- me@jhass.eu
+executables:
+- acme_nsupdate
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- bin/acme_nsupdate
+- lib/acme_nsupdate.rb
+- lib/acme_nsupdate/cli.rb
+- lib/acme_nsupdate/client.rb
+- lib/acme_nsupdate/nsupdate.rb
+- lib/acme_nsupdate/strategies/dns01.rb
+- lib/acme_nsupdate/strategies/http01.rb
+- lib/acme_nsupdate/strategy.rb
+- lib/acme_nsupdate/version.rb
+homepage: https://github.com/jhass/acme_nsupdate
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: ACME (Let's Encrypt) client with nsupdate (DDNS) integration.
+test_files: []