anchor-pki 0.6.0 → 0.6.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +5 -3
- data/README.md +2 -1
- data/lib/anchor/auto_cert/configuration.rb +7 -0
- data/lib/anchor/auto_cert/manager.rb +18 -8
- data/lib/anchor/auto_cert/railtie.rb +3 -0
- data/lib/anchor/version.rb +1 -1
- data/lib/puma/plugin/auto_cert.rb +7 -4
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f6f3aa56dc5a365db7f3c2b4f255ac538ba455fad1bdf758f19450bca287381e
|
|
4
|
+
data.tar.gz: 6bf38bec006856c4a60246e3b53a119296e9c4557a17f3c4d0f5ef50404102ca
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5d24d34f6c5448e2ba33ac004e6d2e99a7ff0c3b31840c119f5d0256576d6146e6e13b120251db58ab9d80db4f4927f1c71f2c38397ca434a66ded8124c300e8
|
|
7
|
+
data.tar.gz: 30ba030f48985e35f6d63e1ac02943bf0bed301eba7a36cc6728caa5dbee0395e14d8a4ba3e2d43edf68fca461ee5cb60ae204542b6f4f30c1ffa3655cf68986
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
anchor-pki (0.
|
|
4
|
+
anchor-pki (0.6.1)
|
|
5
5
|
acme-client (~> 2.0.13)
|
|
6
6
|
pstore (~> 0.1)
|
|
7
7
|
|
|
@@ -19,7 +19,7 @@ GEM
|
|
|
19
19
|
rexml
|
|
20
20
|
diff-lcs (1.5.0)
|
|
21
21
|
docile (1.4.0)
|
|
22
|
-
faraday (2.7.
|
|
22
|
+
faraday (2.7.12)
|
|
23
23
|
base64
|
|
24
24
|
faraday-net_http (>= 2.0, < 3.1)
|
|
25
25
|
ruby2_keywords (>= 0.0.4)
|
|
@@ -35,7 +35,7 @@ GEM
|
|
|
35
35
|
pstore (0.1.3)
|
|
36
36
|
public_suffix (5.0.1)
|
|
37
37
|
rainbow (3.1.1)
|
|
38
|
-
rake (13.0
|
|
38
|
+
rake (13.1.0)
|
|
39
39
|
regexp_parser (2.8.0)
|
|
40
40
|
rexml (3.2.5)
|
|
41
41
|
rspec (3.12.0)
|
|
@@ -89,7 +89,9 @@ GEM
|
|
|
89
89
|
PLATFORMS
|
|
90
90
|
aarch64-linux
|
|
91
91
|
arm64-darwin-21
|
|
92
|
+
arm64-darwin-23
|
|
92
93
|
x86_64-darwin-22
|
|
94
|
+
x86_64-linux
|
|
93
95
|
|
|
94
96
|
DEPENDENCIES
|
|
95
97
|
anchor-pki!
|
data/README.md
CHANGED
|
@@ -9,9 +9,10 @@ The Following environment variables are available to configure the default
|
|
|
9
9
|
|
|
10
10
|
* `HTTPS_PORT` - the TCP numerical port to bind SSL to.
|
|
11
11
|
* `ACME_ALLOW_IDENTIFIERS` - A comma separated list of hostnames for provisioning certs
|
|
12
|
+
* `ACME_CONTACT` - URL to contact in case of issues with the account
|
|
12
13
|
* `ACME_DIRECTORY_URL` - the ACME provider's directory
|
|
14
|
+
* `ACME_HMAC_KEY` - your External Account Binding (EAB) HMAC_KEY for authenticating with the ACME directory above
|
|
13
15
|
* `ACME_KID` - your External Account Binding (EAB) KID for authenticating with the ACME directory above with an
|
|
14
|
-
* `ACME_HMAC_KEY` - your EAB HMAC_KEY for authenticating with the ACME directory above
|
|
15
16
|
* `ACME_RENEW_BEFORE_SECONDS` - **optional** Start a renewal this number number of seconds before the cert expires. This defaults to 30 days (2592000 seconds)
|
|
16
17
|
* `ACME_RENEW_BEFORE_FRACTION` - **optional** Start the renewal when this fraction of a cert's valid window is left. This defaults to 0.5, which means when the cert is in the last 50% of its lifespan a renewal is attempted.
|
|
17
18
|
* `AUTO_CERT_CHECK_EVERY` - **optional** the number of seconds to wait between checking if the certificate has expired. This defaults to 1 hour (3600 seconds)
|
|
@@ -76,6 +76,7 @@ module Anchor
|
|
|
76
76
|
@allow_identifiers = prepare_allow_identifiers(@allow_identifiers)
|
|
77
77
|
@cache_dir = prepare_directory(dir: @cache_dir, property: 'cache_dir')
|
|
78
78
|
@check_every_seconds = prepare_check_every_seconds(@check_every_seconds)
|
|
79
|
+
@contact = prepare_contact(@contact)
|
|
79
80
|
@directory_url = prepare_directory_url(@directory_url)
|
|
80
81
|
@external_account_binding = prepare_external_account_binding(@external_account_binding)
|
|
81
82
|
@renew_before_fraction = prepare_renew_before_fraction(@renew_before_fraction)
|
|
@@ -136,6 +137,12 @@ module Anchor
|
|
|
136
137
|
ensure_positive_integer(candidates, message)
|
|
137
138
|
end
|
|
138
139
|
|
|
140
|
+
def prepare_contact(contact)
|
|
141
|
+
contact ||= ENV.fetch('ACME_CONTACT', nil)
|
|
142
|
+
|
|
143
|
+
contact
|
|
144
|
+
end
|
|
145
|
+
|
|
139
146
|
def prepare_directory_url(directory_url)
|
|
140
147
|
message = "The '#{name}' #{self.class} instance has a misconfigured `directory_url` value. " \
|
|
141
148
|
'It must be set to a string, or set the ACME_DIRECTORY_URL environment variable.'
|
|
@@ -73,7 +73,9 @@ module Anchor
|
|
|
73
73
|
|
|
74
74
|
# first look and see if its memory
|
|
75
75
|
managed_certificate = @managed_certificates[common_name]
|
|
76
|
-
|
|
76
|
+
if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
|
|
77
|
+
return managed_certificate
|
|
78
|
+
end
|
|
77
79
|
|
|
78
80
|
# then look into the disk cache
|
|
79
81
|
if @disk_store
|
|
@@ -97,7 +99,9 @@ module Anchor
|
|
|
97
99
|
**opts
|
|
98
100
|
)
|
|
99
101
|
|
|
100
|
-
managed_certificate = ManagedCertificate.new(
|
|
102
|
+
managed_certificate = ManagedCertificate.new(
|
|
103
|
+
cert_pem: cert_pem, key_pem: key_pem, persist_dir: work_dir
|
|
104
|
+
)
|
|
101
105
|
|
|
102
106
|
@managed_certificates[common_name] = managed_certificate
|
|
103
107
|
|
|
@@ -135,11 +139,15 @@ module Anchor
|
|
|
135
139
|
cert_pem = nil
|
|
136
140
|
key_pem = nil
|
|
137
141
|
begin
|
|
138
|
-
cert_pem, key_pem = provision(
|
|
139
|
-
|
|
142
|
+
cert_pem, key_pem = provision(
|
|
143
|
+
identifiers: identifiers, algorithm: algorithm, common_name: common_name,
|
|
144
|
+
**opts
|
|
145
|
+
)
|
|
140
146
|
rescue StandardError => _e
|
|
141
|
-
cert_pem, key_pem = provision(
|
|
142
|
-
|
|
147
|
+
cert_pem, key_pem = provision(
|
|
148
|
+
identifiers: [], algorithm: algorithm, common_name: fallback_identifier,
|
|
149
|
+
**opts
|
|
150
|
+
)
|
|
143
151
|
end
|
|
144
152
|
[cert_pem, key_pem]
|
|
145
153
|
end
|
|
@@ -148,8 +156,10 @@ module Anchor
|
|
|
148
156
|
identifiers = consolidate_identifiers(common_name: common_name, identifiers: identifiers)
|
|
149
157
|
load_or_build_account
|
|
150
158
|
key_pem ||= new_key(algorithm).to_pem
|
|
151
|
-
csr = Acme::Client::CertificateRequest.new(
|
|
152
|
-
|
|
159
|
+
csr = Acme::Client::CertificateRequest.new(
|
|
160
|
+
common_name: common_name, names: identifiers,
|
|
161
|
+
private_key: parse_key_pem(key_pem)
|
|
162
|
+
)
|
|
153
163
|
|
|
154
164
|
order = @client.new_order(identifiers: identifiers, **opts)
|
|
155
165
|
order.finalize(csr: csr)
|
|
@@ -39,6 +39,9 @@ module Anchor
|
|
|
39
39
|
# to the `config.hosts` then HostAuthorization will be used, and tests
|
|
40
40
|
# will break.
|
|
41
41
|
unless Rails.env.test?
|
|
42
|
+
# load values from ENV
|
|
43
|
+
auto_cert_config&.validate! if Rails.configuration.auto_cert.enabled?
|
|
44
|
+
|
|
42
45
|
auto_cert_config&.allow_identifiers&.each do |identifier|
|
|
43
46
|
# need to convert an identifier into a host matcher, which is just
|
|
44
47
|
# strip off a leading '*' if it exists so that all subdomains match.
|
data/lib/anchor/version.rb
CHANGED
|
@@ -32,10 +32,6 @@ module Puma
|
|
|
32
32
|
@manager = ::Anchor::AutoCert::Manager.new(configuration: configuration)
|
|
33
33
|
|
|
34
34
|
@managed_certificate = manager.managed_certificate(identifiers: identifiers)
|
|
35
|
-
|
|
36
|
-
options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: @managed_certificate)
|
|
37
|
-
|
|
38
|
-
dsl.ssl_bind '[::]', port, options
|
|
39
35
|
rescue StandardError => _e
|
|
40
36
|
@manager = nil
|
|
41
37
|
@managed_certificate = nil
|
|
@@ -48,6 +44,11 @@ module Puma
|
|
|
48
44
|
return
|
|
49
45
|
end
|
|
50
46
|
|
|
47
|
+
options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: managed_certificate)
|
|
48
|
+
launcher.config.configure do |_user_config, file_config|
|
|
49
|
+
file_config.ssl_bind '[::]', port, options
|
|
50
|
+
end
|
|
51
|
+
|
|
51
52
|
managed_certificate.identifiers.each do |identifier|
|
|
52
53
|
log_writer.log "AutoCert >> Available at https://#{identifier}:#{port}/"
|
|
53
54
|
end
|
|
@@ -73,6 +74,8 @@ module Puma
|
|
|
73
74
|
log_writer.log 'AutoCert >> Restarting Puma in order to renew certificate'
|
|
74
75
|
@launcher.restart
|
|
75
76
|
end
|
|
77
|
+
rescue StandardError => e
|
|
78
|
+
log_writer.log "AutoCert >> Error - #{e.message}"
|
|
76
79
|
end
|
|
77
80
|
|
|
78
81
|
private
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: anchor-pki
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.6.
|
|
4
|
+
version: 0.6.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Anchor Security, Inc
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-12-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: acme-client
|