anchor-pki 0.5.0 → 0.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c07e54ede7ccff887e6023fe9842989720fdf9d63f159e4a5a3b4ba1a92c6c1a
-  data.tar.gz: dc0ba249f2125b9cc9d6a4a2dfda9fb042e86c0c7691d45fd6f7b432c5aa2d43
+  metadata.gz: f6f3aa56dc5a365db7f3c2b4f255ac538ba455fad1bdf758f19450bca287381e
+  data.tar.gz: 6bf38bec006856c4a60246e3b53a119296e9c4557a17f3c4d0f5ef50404102ca
 SHA512:
-  metadata.gz: e074e115e1035f8ed0b2289859073516b9cad04f9452f5dd8aa8dc070b8cdd119db2abf26b5bf2540a410818948fd4dfff4ca854cdc579b457bf15ae4065428a
-  data.tar.gz: 916f262c31580a3f92ca909bd0900d979a9ccb7a93d3f2cdb9e538bc9b29e8215db96468b5fe21c49c16ed836260857cc392f697772f032e6f76c28540af0653
+  metadata.gz: 5d24d34f6c5448e2ba33ac004e6d2e99a7ff0c3b31840c119f5d0256576d6146e6e13b120251db58ab9d80db4f4927f1c71f2c38397ca434a66ded8124c300e8
+  data.tar.gz: 30ba030f48985e35f6d63e1ac02943bf0bed301eba7a36cc6728caa5dbee0395e14d8a4ba3e2d43edf68fca461ee5cb60ae204542b6f4f30c1ffa3655cf68986

data/Gemfile.lock

@@ -1,22 +1,26 @@
 PATH
   remote: .
   specs:
-    anchor-pki (0.2.1)
+    anchor-pki (0.6.1)
       acme-client (~> 2.0.13)
+      pstore (~> 0.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    acme-client (2.0.13)
+    acme-client (2.0.15)
       faraday (>= 1.0, < 3.0.0)
       faraday-retry (>= 1.0, < 3.0.0)
     addressable (2.8.4)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
+    base64 (0.2.0)
     crack (0.4.5)
       rexml
     diff-lcs (1.5.0)
-    faraday (2.7.5)
+    docile (1.4.0)
+    faraday (2.7.12)
+      base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
@@ -28,9 +32,10 @@ GEM
     parallel (1.23.0)
     parser (3.2.2.1)
       ast (~> 2.4.1)
+    pstore (0.1.3)
     public_suffix (5.0.1)
     rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.1.0)
     regexp_parser (2.8.0)
     rexml (3.2.5)
     rspec (3.12.0)
@@ -68,6 +73,12 @@ GEM
       rubocop-factory_bot (~> 2.22)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.4)
     unicode-display_width (2.4.2)
     vcr (6.1.0)
     webmock (3.18.1)
@@ -78,7 +89,9 @@ GEM
 PLATFORMS
   aarch64-linux
   arm64-darwin-21
+  arm64-darwin-23
   x86_64-darwin-22
+  x86_64-linux
 
 DEPENDENCIES
   anchor-pki!
@@ -87,6 +100,7 @@ DEPENDENCIES
   rspec (~> 3.9)
   rubocop (~> 1.50)
   rubocop-rspec (~> 2.22)
+  simplecov (~> 0.22)
   vcr (~> 6.1)
   webmock (~> 3.8)
 

data/README.md

@@ -9,9 +9,10 @@ The Following environment variables are available to configure the default
 
 * `HTTPS_PORT` - the TCP numerical port to bind SSL to.
 * `ACME_ALLOW_IDENTIFIERS` - A comma separated list of hostnames for provisioning certs
+* `ACME_CONTACT` - URL to contact in case of issues with the account
 * `ACME_DIRECTORY_URL` - the ACME provider's directory
+* `ACME_HMAC_KEY` - your External Account Binding (EAB) HMAC_KEY for authenticating with the ACME directory above
 * `ACME_KID` - your External Account Binding (EAB) KID for authenticating with the ACME directory above with an
-* `ACME_HMAC_KEY` - your EAB HMAC_KEY for authenticating with the ACME directory above
 * `ACME_RENEW_BEFORE_SECONDS` - **optional** Start a renewal this number number of seconds before the cert expires. This defaults to 30 days (2592000 seconds)
 * `ACME_RENEW_BEFORE_FRACTION` - **optional** Start the renewal when this fraction of a cert's valid window is left. This defaults to 0.5, which means when the cert is in the last 50% of its lifespan a renewal is attempted.
 * `AUTO_CERT_CHECK_EVERY` - **optional** the number of seconds to wait between checking if the certificate has expired. This defaults to 1 hour (3600 seconds)
@@ -58,7 +59,8 @@ regenerated periodically.
         export ACME_DIRECTORY_URL='https://anchor.dev/autocert-cab3bc/development/x509/ca/acme'
         export ACME_KID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         export ACME_HMAC_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
+1. Update the [./spec/spec_helper.rb](spec/spec_helper.rb) file with these
+   values as the respective `VCR_KID` and `VCR_HMAC_KEY`.
 1. on the command line execute:
 
         $ . .env

data/lib/anchor/auto_cert/configuration.rb

@@ -5,8 +5,9 @@ module Anchor
     # AutoCert Configuration provides a way to configure the AutoCert Manager.
     #
     class Configuration
-      DEFAULT_BEFORE_SECONDS  = 60 * 60 * 24 * 30 # 30 days in seconds
-      DEFAULT_BEFORE_FRACTION = 0.5 # when in the last 50% of the validity window, renew
+      DEFAULT_RENEW_BEFORE_SECONDS  = 60 * 60 * 24 * 30 # 30 days in seconds
+      DEFAULT_RENEW_BEFORE_FRACTION = 0.5 # when in the last 50% of the validity window, renew
+      DEFAULT_CHECK_EVERY_SECONDS   = 60 * 60 # 1 day in seconds
 
       # Note - although it is possible to set change the name of a config, it is
       # not recommended. The name is used as the key in the Registry, and if a
@@ -14,7 +15,8 @@ module Anchor
       # change its registry key.
       attr_accessor :name,
                     :allow_identifiers,
-                    :cache,
+                    :cache_dir,
+                    :check_every_seconds,
                     :contact,
                     :directory_url,
                     :external_account_binding,
@@ -30,19 +32,21 @@ module Anchor
       #
       def initialize(name:,
                      allow_identifiers: nil,
-                     cache: nil,
+                     cache_dir: nil,
+                     check_every_seconds: nil,
                      contact: nil,
                      directory_url: nil,
                      external_account_binding: nil,
-                     renew_before_fraction: DEFAULT_BEFORE_FRACTION,
-                     renew_before_seconds: DEFAULT_BEFORE_SECONDS,
+                     renew_before_fraction: nil,
+                     renew_before_seconds: nil,
                      tos_acceptors: nil,
                      work_dir: nil)
 
         @name                     = name
 
         @allow_identifiers        = allow_identifiers
-        @cache                    = cache
+        @cache_dir                = cache_dir
+        @check_every_seconds      = check_every_seconds
         @contact                  = contact
         @directory_url            = directory_url
         @external_account_binding = external_account_binding
@@ -70,17 +74,32 @@ module Anchor
 
       def validate!
         @allow_identifiers        = prepare_allow_identifiers(@allow_identifiers)
-        @cache                    = prepare_cache(@cache)
+        @cache_dir                = prepare_directory(dir: @cache_dir, property: 'cache_dir')
+        @check_every_seconds      = prepare_check_every_seconds(@check_every_seconds)
+        @contact                  = prepare_contact(@contact)
         @directory_url            = prepare_directory_url(@directory_url)
         @external_account_binding = prepare_external_account_binding(@external_account_binding)
         @renew_before_fraction    = prepare_renew_before_fraction(@renew_before_fraction)
         @renew_before_seconds     = prepare_renew_before_seconds(@renew_before_seconds)
         @tos_acceptors            = prepare_tos_acceptors(@tos_acceptors)
-        @work_dir                 = prepare_work_dir(@work_dir)
-
+        @work_dir                 = prepare_directory(dir: @work_dir, property: 'work_dir')
         self
       end
 
+      # Return the fallback identifer for this configuration
+
+      # look at all the identifiers, strip a leading wildcard off of all of
+      # them and then pick the one that has the fewest '.' in it, if there are
+      # ties for fewest, pick the first one in the list of ties. A minimum of
+      # 2 '.' is required.
+      #
+      def fallback_identifier
+        de_wildcarded = allow_identifiers.map { |i| i.sub(/^\*\./, '') }
+        not_tld = de_wildcarded.select { |i| i.count('.') >= 2 }
+        ordered = not_tld.sort_by { |i| i.count('.') }
+        ordered[0]
+      end
+
       private
 
       def prepare_allow_identifiers(allow_identifiers)
@@ -95,33 +114,42 @@ module Anchor
 
         if prepared.nil? || prepared.empty?
           raise ConfigurationError,
-                "The '#{name}' #{self.class} instance has a misconfigured `allow_identifiers` value. " \
-                'Set it to a string, or an array of strings, ' \
-                'or set the ACME_ALLOW_IDENTIFIERS environment variable to a comma separated list of identifiers.'
+                "The '#{name}' #{self.class} instance has a misconfigured " \
+                '`allow_identifiers` value. Set it to a string, or an array of strings, ' \
+                'or set the ACME_ALLOW_IDENTIFIERS environment variable ' \
+                'to a comma separated list of identifiers.'
         end
 
         prepared
       end
 
-      def prepare_cache(cache)
-        return nil if cache.nil?
+      def prepare_check_every_seconds(check_every_seconds)
+        message = "The '#{name}' #{self.class} instance has a misconfigured " \
+                  '`check_every_seconds` value. It must be set to an integer > 0, ' \
+                  'or set the AUTO_CERT_CHECK_EVERY environment variable.'
 
-        unless cache.respond_to?(:read) && cache.respond_to?(:write) && cache.respond_to?(:fetch)
-          raise ConfigurationError,
-                "The '#{name}' #{self.class} instance has a misconfigured `cache` value. " \
-                'It must be set to an object that responds to `read`, `write`, and `fetch`.'
-        end
+        candidates = [
+          check_every_seconds,
+          ENV.fetch('AUTO_CERT_CHECK_EVERY', nil),
+          DEFAULT_CHECK_EVERY_SECONDS
+        ]
+
+        ensure_positive_integer(candidates, message)
+      end
 
-        cache
+      def prepare_contact(contact)
+        contact ||= ENV.fetch('ACME_CONTACT', nil)
+
+        contact
       end
 
       def prepare_directory_url(directory_url)
+        message = "The '#{name}' #{self.class} instance has a misconfigured `directory_url` value. " \
+                  'It must be set to a string, or set the ACME_DIRECTORY_URL environment variable.'
+
         directory_url ||= ENV.fetch('ACME_DIRECTORY_URL', nil)
-        if directory_url.nil?
-          raise ConfigurationError,
-                "The '#{name}' #{self.class} instance has a misconfigured `directory_url` value. " \
-                'It must be set to a string, or set the ACME_DIRECTORY_URL environment variable.'
-        end
+
+        raise ConfigurationError, message if directory_url.nil?
 
         directory_url
       end
@@ -130,39 +158,47 @@ module Anchor
         kid = ENV.fetch('ACME_KID', nil)
         hmac_key = ENV.fetch('ACME_HMAC_KEY', nil)
 
-        if kid && hmac_key
-          external_account_binding = {
-            kid: kid,
-            hmac_key: hmac_key
-          }
+        if external_account_binding && external_account_binding[:kid] && external_account_binding[:hmac_key]
+          return external_account_binding
         end
-        external_account_binding
+
+        { kid: kid, hmac_key: hmac_key }
       end
 
       def prepare_renew_before_seconds(renew_before_seconds)
-        renew_before_seconds ||= ENV.fetch('ACME_RENEW_BEFORE_SECONDS', nil)
-        if renew_before_seconds
-          renew_before_seconds = renew_before_seconds.to_i
-          unless renew_before_seconds.positive?
-            raise ConfigurationError,
-                  "The '#{name}' #{self.class} instance has a misconfigured `before_seconds` value. " \
-                  'It must be set to an integer > 0, or set the ACME_RENEW_BEFORE_SECONDS environment variable.'
-          end
-        end
-        renew_before_seconds
+        message = "The '#{name}' #{self.class} instance has a misconfigured " \
+                  '`before_seconds` value. It must be set to an integer > 0, ' \
+                  'or set the ACME_RENEW_BEFORE_SECONDS environment variable.'
+
+        candidates = [
+          renew_before_seconds,
+          ENV.fetch('ACME_RENEW_BEFORE_SECONDS', nil),
+          DEFAULT_RENEW_BEFORE_SECONDS
+        ]
+        ensure_positive_integer(candidates, message)
       end
 
       def prepare_renew_before_fraction(renew_before_fraction)
-        renew_before_fraction ||= ENV.fetch('ACME_RENEW_BEFORE_FRACTION', nil)
-        if renew_before_fraction
-          renew_before_fraction = renew_before_fraction.to_f
-          unless (0..1).cover?(renew_before_fraction)
-            raise ConfigurationError,
-                  "The '#{name}' #{self.class} instance has a misconfigured `before_fraction` value. " \
-                  'It must be set to a float > 0 and < 1, or set the ACME_RENEW_BEFORE_FRACTION environment variable.'
-          end
+        message = "The '#{name}' #{self.class} instance has a misconfigured " \
+                  '`before_fraction` value. It must be set to a float > 0 and < 1, ' \
+                  'or set the ACME_RENEW_BEFORE_FRACTION environment variable.'
+
+        candidates = [
+          renew_before_fraction,
+          ENV.fetch('ACME_RENEW_BEFORE_FRACTION', nil),
+          DEFAULT_RENEW_BEFORE_FRACTION
+        ]
+
+        candidates.each do |candidate|
+          next if candidate.nil?
+
+          as_float = candidate.to_f
+          return as_float if (0..1).cover?(as_float)
         end
-        renew_before_fraction
+
+        # this should really never happen as DEFAULT_RENEW_BEFORE_FRACTION is
+        # valid
+        raise ConfigurationError, message
       end
 
       def prepare_tos_acceptors(tos_acceptors)
@@ -170,29 +206,40 @@ module Anchor
 
         if tos_acceptors.empty? || tos_acceptors.any? { |tos| !tos.respond_to?(:accept?) }
           raise ConfigurationError,
-                "The '#{name}' #{self.class} instance has a misconfigured `tos_acceptors` value. " \
-                'It must be set to an object or an array of objects that respond to `accept?`.'
+                "The '#{name}' #{self.class} instance has a misconfigured " \
+                '`tos_acceptors` value. It must be set to an object ' \
+                'or an array of objects that respond to `accept?`.'
         end
 
         tos_acceptors
       end
 
-      def prepare_work_dir(work_dir)
-        return nil if work_dir.nil?
+      def prepare_directory(dir:, property:)
+        return nil if dir.nil?
 
-        work_dir = Pathname.new(work_dir) unless work_dir.is_a?(Pathname)
+        dir = Pathname.new(dir) unless dir.is_a?(Pathname)
+        message = "The '#{name}' #{self.class} instance has a misconfigured " \
+                  "`#{property}` value, it resolves to (#{dir}). " \
+                  'It must be set to a directory, or a path that can be created.'
 
         begin
-          work_dir.mkpath
-        rescue StandardError => e
-          raise ConfigurationError, "#{self.class}#work_dir : #{e.message}"
+          dir.mkpath
+        rescue StandardError => _e
+          raise ConfigurationError, message
         end
 
-        unless work_dir.directory? && work_dir.writable?
-          raise ConfigurationError, "#{self.class}#work_dir '#{work_dir}' must be a writable directory."
+        dir
+      end
+
+      def ensure_positive_integer(candidates, message)
+        candidates.each do |candidate|
+          next if candidate.nil?
+
+          as_int = candidate.to_i
+          return as_int if as_int.positive?
         end
 
-        work_dir
+        raise ConfigurationError, message
       end
     end
   end

data/lib/anchor/auto_cert/identifier_policy.rb

@@ -47,7 +47,10 @@ module Anchor
         check_klass = self.class.policy_checks.find do |klass|
           klass.handles?(description)
         end
-        raise UnknownPolicyCheckError, "Unable to create a policy check based upon '#{description}'" if check_klass.nil?
+        if check_klass.nil?
+          raise UnknownPolicyCheckError,
+                "Unable to create a policy check based upon '#{description}'"
+        end
 
         @description = description
         @check = check_klass.new(description)

data/lib/anchor/auto_cert/managed_certificate.rb

@@ -4,32 +4,26 @@ require 'forwardable'
 
 module Anchor
   module AutoCert
-    # ManagedCertificate is a class that represents a certificate and its manager
+    # ManagedCertificate is a class that represents a certificate
     # for renewal
     class ManagedCertificate
-      attr_reader :cert_pem, :cert_path, :key_pem, :key_path, :key, :manager, :x509
+      attr_reader :cert_pem, :key_pem, :x509, :persist_dir, :cert_path, :private_key_path
 
       extend Forwardable
-      def_delegators :@manager, :enabled?
-      def_delegators :@x509, :not_after, :not_before, :serial
+      def_delegators :@x509, :not_after, :not_before
 
-      def self.from(manager:, cert_path:, key_path:)
-        cert_pem = File.read(cert_path)
-        key_pem  = File.read(key_path)
-        new(manager: manager, cert_pem: cert_pem, key_pem: key_pem)
+      def initialize(cert_pem:, key_pem:, persist_dir: nil)
+        @cert_pem         = cert_pem
+        @key_pem          = key_pem
+        @persist_dir      = Pathname.new(persist_dir) if persist_dir
+        @x509             = OpenSSL::X509::Certificate.new(cert_pem)
+        @cert_path        = nil
+        @private_key_path = nil
+        persist_pems
       end
 
-      def initialize(manager:, cert_pem:, key_pem:)
-        @manager   = manager
-        @cert_pem  = cert_pem
-        @key_pem   = key_pem
-        @x509      = OpenSSL::X509::Certificate.new(cert_pem)
-
-        hex_serial_basename = hex_serial('-')
-        @cert_path = manager.work_dir / "#{hex_serial_basename}.crt"
-        @key_path  = manager.work_dir / "#{hex_serial_basename}.key"
-
-        write_working_files
+      def serial
+        x509.serial.to_i
       end
 
       def hex_serial(joiner = ':')
@@ -40,27 +34,43 @@ module Anchor
         not_after <= now
       end
 
-      def needs_renewal?(now = Time.now.utc)
-        manager.needs_renewal?(cert: x509, now: now)
-      end
-
+      # For the moment, the only items in subjectAltName we care about are DNS:
+      # entries.
       def identifiers
         alt_names = x509&.extensions&.find { |ext| ext.oid == 'subjectAltName' }&.value&.split(', ') || []
-        alt_names.map { |name| name.sub(/^DNS:/, '') }
+        alt_names.select { |name| name.start_with?('DNS:') }
+                 .map { |name| name.sub(/^DNS:/, '') }
       end
 
       def common_name
         x509.subject.to_a.find { |name, _, _| name == 'CN' }[1]
       end
 
-      def write_working_files
-        cert_path.open('w') { |f| f << cert_pem }
-        key_path.open('w') { |f| f << key_pem }
+      def all_names
+        non_common_identifiers = identifiers.reject { |name| name == common_name }
+        [common_name, *non_common_identifiers.sort]
+      end
+
+      def persist_pems
+        return unless persist_dir
+        return nil unless persist_dir.directory? && persist_dir.writable?
+
+        @cert_path = persist_dir.join("#{serial}.crt")
+        @cert_path.write(cert_pem)
+
+        @private_key_path = persist_dir.join("#{serial}.key")
+        @private_key_path.write(key_pem)
       end
 
       def purge_working_files
-        cert_path.delete if cert_path.exist?
-        key_path.delete if key_path.exist?
+        return unless persist_dir
+        return nil unless persist_dir.directory? && persist_dir.writable?
+
+        [@cert_path, @private_key_path].each do |path|
+          next unless path&.exist? && path&.writable?
+
+          path.delete
+        end
       end
     end
   end

data/lib/anchor/auto_cert/manager.rb

@@ -15,19 +15,22 @@ module Anchor
 
       extend Forwardable
       def_delegators :@configuration,
-                     :cache,
+                     :check_every_seconds,
+                     :cache_dir,
                      :contact,
                      :directory,
                      :external_account_binding,
+                     :fallback_identifier,
                      :renew_before_fraction,
-                     :renew_before_seconds
+                     :renew_before_seconds,
+                     :work_dir
 
-      attr_reader :client,
+      attr_reader :disk_store,
+                  :client,
                   :configuration,
                   :directory_url,
                   :identifier_policies,
-                  :tos_acceptors,
-                  :work_dir
+                  :tos_acceptors
 
       def self.for(configuration)
         new(configuration: configuration)
@@ -37,10 +40,12 @@ module Anchor
         configuration.validate!
         @configuration = configuration
 
+        # disk store early since other things may use it
+        @disk_store = DiskStore.new(dir: @configuration.cache_dir, basename: 'autocert-manager')
+
         @identifier_policies = IdentifierPolicy.build(@configuration.allow_identifiers)
         @tos_acceptors = Array(@configuration.tos_acceptors)
         @directory_url = URI.parse(@configuration.directory_url)
-        @work_dir      = Pathname.new(@configuration.work_dir || Dir.mktmpdir)
 
         @account_opts = {
           contact: @configuration.contact,
@@ -49,30 +54,63 @@ module Anchor
 
         @client = client || new_client(contact: @configuration.contact)
         @enabled = true
+        @managed_certificates = {}
       end
 
       # It is currently assumed that the common name is the first of the
       # `identifiers` passed into this method. If that is not the case, then
       # the `common_name` parameter needs to be set explicitly
-      def managed_certificate(identifiers:, algorithm: :ecdsa, common_name: Array(identifiers).first, **opts)
-        if (arr = denied_identifiers(identifiers)).size.positive?
-          raise IdentifierNotAllowedError, "denied identifiers'#{arr.join(',')}'"
+      def managed_certificate(identifiers:, algorithm: :ecdsa, common_name: Array(identifiers).first,
+                              now: Time.now.utc, **opts)
+        full_ids = consolidate_identifiers(common_name: common_name, identifiers: identifiers)
+        denied_ids = denied_identifiers(full_ids)
+
+        # Fallback to a configured identifier if the requested one(s) are denied
+        if denied_ids.any?
+          common_name = fallback_identifier
+          identifiers = []
         end
 
-        key_pem = cache&.read("#{common_name}+#{algorithm}")
-        cert_pem = cache&.read(common_name)
+        # first look and see if its memory
+        managed_certificate = @managed_certificates[common_name]
+        if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
+          return managed_certificate
+        end
+
+        # then look into the disk cache
+        if @disk_store
+          key_pem = @disk_store["#{common_name}.key.pem"]
+          cert_pem = @disk_store["#{common_name}.cert.pem"]
+        end
 
         if !key_pem.nil? && !cert_pem.nil?
-          managed_cert = ManagedCertificate.new(manager: self, cert_pem: cert_pem, key_pem: key_pem)
-          return managed_cert unless managed_cert.expired?
+          managed_certificate = ManagedCertificate.new(cert_pem: cert_pem,
+                                                       key_pem: key_pem,
+                                                       persist_dir: work_dir)
+          if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
+            return managed_certificate
+          end
         end
 
-        cert_pem, key_pem = provision(identifiers: identifiers, algorithm: algorithm, common_name: common_name, **opts)
+        # and then provision a new one
+        cert_pem, key_pem = provision_or_fallback(
+          identifiers: identifiers, algorithm: algorithm,
+          common_name: common_name,
+          **opts
+        )
+
+        managed_certificate = ManagedCertificate.new(
+          cert_pem: cert_pem, key_pem: key_pem, persist_dir: work_dir
+        )
 
-        cache&.write("#{common_name}+#{algorithm}", key_pem)
-        cache&.write(common_name, cert_pem)
+        @managed_certificates[common_name] = managed_certificate
 
-        ManagedCertificate.new(manager: self, cert_pem: cert_pem, key_pem: key_pem)
+        if @disk_store
+          @disk_store["#{common_name}.key.pem"] = key_pem
+          @disk_store["#{common_name}.cert.pem"] = cert_pem
+        end
+
+        managed_certificate
       end
 
       def needs_renewal?(cert:, now: Time.now.utc)
@@ -97,12 +135,31 @@ module Anchor
 
       private
 
+      def provision_or_fallback(identifiers:, algorithm:, common_name:, **opts)
+        cert_pem = nil
+        key_pem = nil
+        begin
+          cert_pem, key_pem = provision(
+            identifiers: identifiers, algorithm: algorithm, common_name: common_name,
+            **opts
+          )
+        rescue StandardError => _e
+          cert_pem, key_pem = provision(
+            identifiers: [], algorithm: algorithm, common_name: fallback_identifier,
+            **opts
+          )
+        end
+        [cert_pem, key_pem]
+      end
+
       def provision(identifiers:, algorithm:, common_name:, **opts)
-        identifiers = Array(identifiers)
+        identifiers = consolidate_identifiers(common_name: common_name, identifiers: identifiers)
         load_or_build_account
         key_pem ||= new_key(algorithm).to_pem
-        csr = Acme::Client::CertificateRequest.new(private_key: parse_key_pem(key_pem), common_name: common_name,
-                                                   names: identifiers)
+        csr = Acme::Client::CertificateRequest.new(
+          common_name: common_name, names: identifiers,
+          private_key: parse_key_pem(key_pem)
+        )
 
         order = @client.new_order(identifiers: identifiers, **opts)
         order.finalize(csr: csr)
@@ -154,12 +211,13 @@ module Anchor
       end
 
       def new_client(account_key: nil, contact: nil, **)
-        account_key ||= fetch_account_key(contact) { new_key(:ecdsa) }
+        account_key ||= account_key_for(contact)
 
         Acme::Client.new(private_key: account_key, directory: @directory_url)
       end
 
-      def new_key(algorithm)
+      # currently only using ecdsa algorithm
+      def new_key(algorithm = :ecdsa)
         case algorithm
         when :ecdsa then OpenSSL::PKey::EC.generate('prime256v1')
         else
@@ -167,25 +225,19 @@ module Anchor
         end
       end
 
-      def fetch_account_key(contact)
-        id = "#{contact || 'default'}+#{@directory_url.host}+key"
-        parse_key_pem(cache&.fetch(id) { parse_key_pem(yield.to_pem) } || yield.to_pem)
-      end
+      def account_key_for(contact)
+        return new_key unless @disk_store
 
-      def parse_key_pem(data)
-        key_pem = parse_rsa_pem(data) || parse_ecdsa_pem(data)
-        raise UnknownKeyFormatError unless key_pem
+        account_key_id = "#{contact || 'default'}+#{@directory_url}+key"
+        pem = @disk_store[account_key_id]
+        return parse_key_pem(pem) if pem
 
-        key_pem
+        raw_key = new_key
+        @disk_store[account_key_id] = raw_key.to_pem
+        raw_key
       end
 
-      def parse_rsa_pem(data)
-        OpenSSL::PKey::RSA.new(data)
-      rescue StandardError
-        nil
-      end
-
-      def parse_ecdsa_pem(data)
+      def parse_key_pem(data)
         OpenSSL::PKey::EC.new(data)
       rescue StandardError
         nil
@@ -197,6 +249,12 @@ module Anchor
           @identifier_policies.any? { |policy| policy.allow?(identifier) }
         end
       end
+
+      # return a list of identifiers with duplicates removed
+      #  preserving order with the common_name first
+      def consolidate_identifiers(common_name:, identifiers: [])
+        [common_name, *identifiers].compact.uniq
+      end
     end
   end
 end

data/lib/anchor/auto_cert/railtie.rb

@@ -39,6 +39,9 @@ module Anchor
         # to the `config.hosts` then HostAuthorization will be used, and tests
         # will break.
         unless Rails.env.test?
+          # load values from ENV
+          auto_cert_config&.validate! if Rails.configuration.auto_cert.enabled?
+
           auto_cert_config&.allow_identifiers&.each do |identifier|
             # need to convert an identifier into a host matcher, which is just
             # strip off a leading '*' if it exists so that all subdomains match.
@@ -67,7 +70,7 @@ module Anchor
         # set explicitly.
         acme_scratch_dir = app.root / 'tmp' / 'acme'
         acme_scratch_dir.mkpath
-        auto_cert_config.cache ||= ActiveSupport::Cache::FileStore.new(acme_scratch_dir / 'cache')
+        auto_cert_config.cache_dir ||= (acme_scratch_dir / 'cache')
         auto_cert_config.work_dir ||= (acme_scratch_dir / 'work')
 
         auto_cert_config

data/lib/anchor/auto_cert/renewal_busy_wait.rb

@@ -16,19 +16,20 @@ module Anchor
     class RenewalBusyWait
       ONE_HOUR = 60 * 60
 
-      def self.wait_for_it(managed_certificate:, check_every: ONE_HOUR, &keep_going)
-        waiter = new(managed_certificate: managed_certificate, check_every: check_every)
+      def self.wait_for_it(manager:, managed_certificate:, check_every: ONE_HOUR, &keep_going)
+        waiter = new(manager: manager, managed_certificate: managed_certificate, check_every: check_every)
         waiter.wait_for_it(&keep_going)
       end
 
-      def initialize(managed_certificate:, check_every: ONE_HOUR)
+      def initialize(manager:, managed_certificate:, check_every: ONE_HOUR)
+        @manager = manager
         @managed_certificate = managed_certificate
         @check_every = check_every
       end
 
       def wait_for_it
         loop do
-          break if @managed_certificate.needs_renewal?
+          break if @manager.needs_renewal?(cert: @managed_certificate)
           break unless yield
 
           sleep @check_every

data/lib/anchor/disk_store.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'pstore'
+require 'tempfile'
+
+module Anchor
+  # DiskStore is a simple key/value store that persists to disk using PStore.
+  #
+  class DiskStore
+    def initialize(dir: nil, basename: 'anchor-disk-store')
+      @dir = dir || Dir.mktmpdir
+      @basename = basename
+      @path = File.join(@dir, @basename)
+      @pstore = PStore.new(@path, true)
+    end
+
+    def [](key)
+      data = nil
+      @pstore.transaction do
+        data = @pstore[key]
+      end
+      data
+    end
+
+    def []=(key, value)
+      @pstore.transaction do
+        @pstore[key] = value
+      end
+    end
+  end
+end

data/lib/anchor/pem_bundle.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Anchor
+  # PEMBundle is a collection of PEM encoded certificates. It can be written
+  # to a temporarly file on disk as a bundle if needed.
+  #
+  # This temp file to disk is needed for some other libraries that require a
+  # path to a pem file, and not a string of pem encoded certificates.
+  #
+  class PemBundle
+    DEFAULT_BASENAME = 'bundle.pem'
+
+    def initialize(pems: [])
+      @pems = pems || []
+      @path = nil
+      @temp_dir = nil
+      @basename = DEFAULT_BASENAME
+    end
+
+    def pems
+      @pems.dup
+    end
+
+    def path
+      write
+      @path
+    end
+
+    def with_path
+      yield(path)
+    ensure
+      remove_path
+    end
+
+    def add_cert(cert)
+      @pems << cert
+      remove_path
+    end
+
+    def to_s
+      @pems.join("\n")
+    end
+
+    def clear
+      @pems.clear
+      remove_path
+    end
+
+    private
+
+    def temp_path
+      @temp_dir = Dir.mktmpdir
+      File.join(@temp_dir, @basename)
+    end
+
+    def ensure_path
+      return @path if @path
+
+      @path = temp_path
+    end
+
+    def write
+      remove_path
+      ensure_path
+      File.open(@path, 'w+', 0o400) do |io|
+        io.write(to_s)
+      end
+    end
+
+    def remove_path
+      File.unlink(@path) if @path && File.exist?(@path)
+
+      if @temp_dir && Dir.exist?(@temp_dir)
+        FileUtils.remove_entry_secure(@temp_dir)
+        @temp_dir = nil
+      end
+    end
+  end
+end

data/lib/anchor/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Anchor
-  VERSION = '0.5.0'
+  VERSION = '0.6.1'
 end

data/lib/anchor.rb

@@ -22,3 +22,5 @@ end
 require_relative 'anchor/version'
 require_relative 'anchor/auto_cert'
 require_relative 'anchor/oid'
+require_relative 'anchor/pem_bundle'
+require_relative 'anchor/disk_store'

data/lib/puma/plugin/auto_cert.rb

@@ -13,7 +13,7 @@ module Puma
         def ssl_bind_options(managed_certificate:)
           {
             cert: managed_certificate.cert_path,
-            key: managed_certificate.key_path
+            key: managed_certificate.private_key_path
           }
         end
       end
@@ -22,32 +22,34 @@ module Puma
       # a plugin is created
       module PluginInstanceMethods
         attr_accessor :managed_certificate
-        attr_reader :port
+        attr_reader :manager, :port
 
         def config(dsl)
           @port         = dsl.auto_cert_port || ENV.fetch('HTTPS_PORT', nil)
           name          = dsl.auto_cert_name || ENV.fetch('AUTO_CERT_NAME', 'default')
           configuration = ::Anchor::AutoCert::Registry.fetch(name)
           identifiers   = configuration.allow_identifiers
-          manager       = ::Anchor::AutoCert::Manager.new(configuration: configuration)
+          @manager      = ::Anchor::AutoCert::Manager.new(configuration: configuration)
 
           @managed_certificate = manager.managed_certificate(identifiers: identifiers)
-
-          options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: @managed_certificate)
-
-          dsl.ssl_bind '[::]', port, options
-        rescue StandardError
+        rescue StandardError => _e
+          @manager = nil
           @managed_certificate = nil
         end
 
         def start(launcher)
           @launcher = launcher
-          unless managed_certificate&.enabled?
+          unless manager&.enabled? && managed_certificate
             log_writer.log 'AutoCert >> Not enabled - skipping certificate renewal process'
             return
           end
 
-          @managed_certificate.identifiers.each do |identifier|
+          options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: managed_certificate)
+          launcher.config.configure do |_user_config, file_config|
+            file_config.ssl_bind '[::]', port, options
+          end
+
+          managed_certificate.identifiers.each do |identifier|
             log_writer.log "AutoCert >> Available at https://#{identifier}:#{port}/"
           end
 
@@ -56,7 +58,8 @@ module Puma
                         ::Anchor::AutoCert::RenewalBusyWait::ONE_HOUR
 
           in_background do
-            Anchor::AutoCert::RenewalBusyWait.wait_for_it(managed_certificate: managed_certificate,
+            Anchor::AutoCert::RenewalBusyWait.wait_for_it(manager: manager,
+                                                          managed_certificate: managed_certificate,
                                                           check_every: check_every) do
               dump_cert_info
 
@@ -71,6 +74,8 @@ module Puma
             log_writer.log 'AutoCert >> Restarting Puma in order to renew certificate'
             @launcher.restart
           end
+        rescue StandardError => e
+          log_writer.log "AutoCert >> Error - #{e.message}"
         end
 
         private

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: anchor-pki
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.1
 platform: ruby
 authors:
 - Anchor Security, Inc
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-18 00:00:00.000000000 Z
+date: 2023-12-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.0.13
+- !ruby/object:Gem::Dependency
+  name: pstore
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -94,6 +108,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.22'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement
@@ -152,7 +180,9 @@ files:
 - lib/anchor/auto_cert/registry.rb
 - lib/anchor/auto_cert/renewal_busy_wait.rb
 - lib/anchor/auto_cert/terms_of_service_acceptor.rb
+- lib/anchor/disk_store.rb
 - lib/anchor/oid.rb
+- lib/anchor/pem_bundle.rb
 - lib/anchor/version.rb
 - lib/puma/dsl.rb
 - lib/puma/plugin/auto_cert.rb