apartment_acme_client 0.0.3 → 0.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e9e32d511e21e812a21bae30429bb7d11a0cdc62c878df8a73ffad85d0f38821
-  data.tar.gz: 1b33b1bf1e99fdc674198994b76acec4fe302f625a59a712051c28b2c6a0ab50
+  metadata.gz: 66eaebf9ae761526e149a5bedd237deee499a95107edb9ce3c1e3916e29c058b
+  data.tar.gz: 4ab90728f136c38b453a24f54b760c84539c4333ae0cb24ba4122dcb54c124b6
 SHA512:
-  metadata.gz: 52706bcc1e28859eeb2ce40391a31512d3382c4cc00726f4deb9cd9d974f464e7aca378b0a68974dadccc3f660ede923740c87938dd54a7b2200962c89f44db8
-  data.tar.gz: 12dc42f69d30fba1d42bdb5415249730b9e57c61a5159a25249a1db519266c3f702a53fea6c6f93fcb1136a1071ff8818ffa34e6b0acf4ae34e3c2f1541b7e63
+  metadata.gz: ff22698eadfef2b8b2e6d0c25793ad5bb1228ff66262c039ef01b969aabb42458caf4d3e6f0f8485a4eca5273b878328661437fe4591f6d809317a44811f1ae1
+  data.tar.gz: 870ed58bb9befb87b788fa1976f4fd73b052982cc1b57be889c2783a1ec55372ce24d155b286fd5937c24bb910bbb69ece5cf101b3e7e298d8117adc51d7f100

data/README.md

@@ -15,29 +15,27 @@ The goal of this gem is to solve the following problems:
 
 1) Make it easy to start using let's encrypt for multiple domains on one server
 1) Make it easy to periodically refresh a certificate which handles many domains
-1) Make it possible to add a new DNS entry which refers to the server, and request a cert which now also covers that new domain.
+1) Make it possible to add a new custom DNS entry which refers to the server, and request a cert which now also covers that new domain.
+1) Make it easy to request a wildcard cert as well as individual domain certs
 1) Make it resilient, if a DNS record is removed, handle that by removing that domain from list requested for the cert.
 
 **Example Situation**:
 
-- Your application is known as example.com
+- Your application is known as site.example.com
 - You allow users to create new accounts, and assign each account a separate subdomain,
-  - e.g. alice.example.com, bob.example.com, charlie.example.com
+  - e.g. alice.site.example.com, bob.site.example.com, charlie.site.example.com
 - You allow users to also whitelabel the service by buying their own domains, and setting up CNAME records:
-  - e.g. www.alice.com -> CNAME: alice.example.com
-  - e.g. bobrocks.com -> CNAME: bob.example.com
+  - e.g. www.alice.com -> CNAME: alice.site.example.com
+  - e.g. bobrocks.com -> CNAME: bob.site.example.com
 
 **What can ApartmentAcmeClient do?**
 
 - Create a single Let's Encrypt SSL Certificate which covers all of:
-  - example.com
-  - alice.example.com
-  - bob.example.com
-  - charlie.example.com
+  - site.example.com
+  - *.site.example.com (which covers alice.site.example.com, bob.site.example.com, charlie.site.example.com)
   - www.alice.com
   - bobrocks.com
 
-
 SSL Certificates
 ----------------
 
@@ -70,6 +68,8 @@ See below for a detailed explanation of "First Time Setup"
 
 When setting this up the first time, it is recommended that you enable test-mode:
 ```ruby
+# in config/initializers/apartment_acme_client.rb
+
 ApartmentAcmeClient.lets_encrypt_test_server_enabled = true
 ```
 
@@ -131,12 +131,27 @@ Define the code which will list the domains to check.
 # Should return an array of domains (without http/https prefixes)
 
 # It can be a straight array, or a callable object
-ApartmentAcmeClient.domains_to_check = -> { SomeModel.all.map(&:subdomain) }
+# These should be all of the domains which are NOT
+# covered by the wildcard settings
+ApartmentAcmeClient.domains_to_check = -> { SomeModel.all.map(&:custom_domain) }
+ApartmentAcmeClient.wildcard_domain = "site.example.com" # optional element
 
 # e.g.
 # ApartmentAcmeClient.domains_to_check = ["example.com", "alice.example.com", "alice.com"]
 ```
 
+#### Wildcard domain
+
+You can request a wildcard certificate for a domain (or a subdomain). In order to do this, the system must be able to write to the DNS provider.
+
+Currently, only Route53 is supported as a DNS provider, and we use an `upsert` to write a TXT record to the system, in order to prove that we control the DNS for the domain.
+
+If you specify `wildcard_domain` (the domain on which to request a wildcard cert), we will request a wilcard cert for `*.<wildcard_domain>`, and use AWS Route53 API to perform the domain-authorization.
+
+The necessary permissions to be able to update the Route53 records for wildcard-cert update are:
+- route53:ListHostedZones
+- route53:ChangeResourceRecordSets
+
 #### Specify the common-name domain
 
 This is used to identify the certificate requested, and should be the same from week-to-week.
@@ -254,15 +269,14 @@ At this point, the only thing necessary is to run `rake encryption:renew_and_upd
 
 Each week, the certificates should be renewed. We have provided 2 ways to do this.
 
-a rake task:
+straight invocation:
 ```ruby
-rake "encryption:renew_and_update_certificate"
+  ApartmentAcmeClient::RenewalService.run!
 ```
 
-straight invocation:
-
+we provide a helper rake task:
 ```ruby
-ApartmentAcmeClient::RenewalService.run!
+rake "encryption:renew_and_update_certificate"
 ```
 
 Please use whatever scheduling service you wish in order to ensure that this runs periodically.

data/Rakefile

@@ -17,7 +17,6 @@ end
 APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
 load 'rails/tasks/engine.rake'
 
-
 load 'rails/tasks/statistics.rake'
 
 require 'bundler/gem_tasks'

data/lib/apartment_acme_client.rb

@@ -7,6 +7,9 @@ require "apartment_acme_client/acme_client/proxy"
 require "apartment_acme_client/acme_client/real_client"
 require "apartment_acme_client/certificate_storage/proxy"
 require "apartment_acme_client/certificate_storage/s3"
+require "apartment_acme_client/dns_api/check_dns"
+require "apartment_acme_client/dns_api/fake"
+require "apartment_acme_client/dns_api/route53"
 require "apartment_acme_client/nginx_configuration/proxy"
 require "apartment_acme_client/nginx_configuration/real"
 require "apartment_acme_client/file_manipulation/proxy"
@@ -27,6 +30,9 @@ module ApartmentAcmeClient
     end
   end
 
+  # An optional domain which will we request a wildcard certificate for
+  mattr_accessor :wildcard_domain
+
   # The base domain, a domain which is always going to be accessible.
   # because we need a common domain to be used on each request.
   # if not defined, the first 'domain_to_check' which succeeds will be used

data/lib/apartment_acme_client/acme_client/real_client.rb

@@ -1,21 +1,23 @@
+# frozen_string_literal: true
+
 require 'acme-client'
 
 module ApartmentAcmeClient
   module AcmeClient
     class RealClient
-      def initialize(private_key:)
+      attr_reader :csr_private_key
+      def initialize(acme_client_private_key:, csr_private_key:)
         @client = Acme::Client.new(
-          private_key: private_key,
-          endpoint: server_endpoint,
+          private_key: acme_client_private_key,
+          directory: server_directory
         )
+        @csr_private_key = csr_private_key
       end
 
       def register(email)
         # If the private key is not known to the server, we need to register it for the first time.
-        registration = @client.register(contact: "mailto:#{email}")
-
-        # You may need to agree to the terms of service (that's up the to the server to require it or not but boulder does by default)
-        registration.agree_terms
+        account = @client.new_account(contact: "mailto:#{email}", terms_of_service_agreed: true)
+        Rollbar.info("New Let's Encrypt Account created with KID: #{account.kid}")
 
         true
       end
@@ -24,31 +26,35 @@ module ApartmentAcmeClient
         @client.authorize(domain: domain)
       end
 
+      def new_order(identifiers:)
+        @client.new_order(identifiers: identifiers)
+      end
+
       # Create a Certificate for our new set of domain names
       # returns that certificate
-      def request_certificate(common_name:, domains:)
+      def request_certificate(common_name:, names:, order:)
         # We're going to need a certificate signing request. If not explicitly
         # specified, the first name listed becomes the common name.
-        csr = Acme::Client::CertificateRequest.new(common_name: common_name, names: domains)
-
-        # We can now request a certificate. You can pass anything that returns
-        # a valid DER encoded CSR when calling to_der on it. For example an
-        # OpenSSL::X509::Request should work too.
-        certificate = @client.new_certificate(csr) # => #<Acme::Client::Certificate ....>
+        csr = Acme::Client::CertificateRequest.new(private_key: csr_private_key, common_name: common_name, names: names)
+        order.finalize(csr: csr)
+        while order.status == 'processing'
+          sleep(1)
+          order.reload
+        end
 
-        certificate
+        order.certificate
       end
 
       private
 
-      def server_endpoint
+      def server_directory
         # We need an ACME server to talk to, see github.com/letsencrypt/boulder
         # WARNING: This endpoint is the production endpoint, which is rate limited and will produce valid certificates.
         # You should probably use the staging endpoint for all your experimentation:
         if ApartmentAcmeClient.lets_encrypt_test_server_enabled
-          'https://acme-staging.api.letsencrypt.org/'
+          'https://acme-staging-v02.api.letsencrypt.org/directory'
         else
-          'https://acme-v01.api.letsencrypt.org/'
+          'https://acme-v02.api.letsencrypt.org/directory'
         end
       end
     end

data/lib/apartment_acme_client/certificate_storage/s3.rb

@@ -1,36 +1,36 @@
+# frozen_string_literal: true
+
 require 'aws-sdk-s3'
 
 module ApartmentAcmeClient
   module CertificateStorage
     class S3
       def initialize
-        @base_prefix = if ApartmentAcmeClient::lets_encrypt_test_server_enabled
-          TEST_PREFIX
-        else
-          ""
-        end
+        @base_prefix = if ApartmentAcmeClient.lets_encrypt_test_server_enabled
+                         TEST_PREFIX
+                       else
+                         ''
+                       end
       end
 
-      ENCRYPTION_S3_NAME = 'server_encryption_client_private_key.der'.freeze
+      ENCRYPTION_S3_NAME = 'server_encryption_client_private_key.der'
+      CSR_ENCRYPTION_S3_NAME = 'csr_server_encryption_client_private_key.der'
 
-      def store_certificate(certificate)
-        # Save the certificate and the private key to files
-        File.write(cert_path("privkey.pem"), certificate.request.private_key.to_pem)
-        File.write(cert_path("cert.pem"), certificate.to_pem)
-        File.write(cert_path("chain.pem"), certificate.chain_to_pem)
-        File.write(cert_path("fullchain.pem"), certificate.fullchain_to_pem)
+      def store_certificate_string(certificate_string)
+        File.write(cert_path('cert.pem'), certificate_string)
+        store_s3_file(derived_filename('cert.pem'), certificate_string)
+      end
 
-        store_s3_file(derived_filename("privkey.pem"), certificate.request.private_key.to_pem)
-        store_s3_file(derived_filename("cert.pem"), certificate.to_pem)
-        store_s3_file(derived_filename("chain.pem"), certificate.chain_to_pem)
-        store_s3_file(derived_filename("fullchain.pem"), certificate.fullchain_to_pem)
+      def store_csr_private_key_string(csr_private_key_string)
+        File.write(cert_path('privkey.pem'), csr_private_key_string)
+        store_s3_file(derived_filename('privkey.pem'), csr_private_key_string)
       end
 
       # do we have a certificate on this server?
       # We cannot start nginx when it is pointing at a non-existing certificate,
       # so we need to check
       def cert_exists?
-        File.exist?(cert_path("privkey.pem"))
+        File.exist?(cert_path('privkey.pem'))
       end
 
       def private_key
@@ -40,17 +40,32 @@ module ApartmentAcmeClient
         s3_object.get.body.read
       end
 
+      def csr_private_key
+        s3_object = s3_file(csr_private_key_s3_filename)
+        return nil unless s3_object.exists?
+
+        s3_object.get.body.read
+      end
+
       # saves a private key to s3
       def save_private_key(private_key)
         store_s3_file(private_key_s3_filename, private_key.to_der)
       end
 
+      def save_csr_private_key(private_key)
+        store_s3_file(csr_private_key_s3_filename, private_key.to_der)
+      end
+
       private
 
       def private_key_s3_filename
         derived_filename(ENCRYPTION_S3_NAME)
       end
 
+      def csr_private_key_s3_filename
+        derived_filename(CSR_ENCRYPTION_S3_NAME)
+      end
+
       def derived_filename(filename)
         "#{@base_prefix}#{filename}"
       end

data/lib/apartment_acme_client/dns_api/check_dns.rb

@@ -0,0 +1,65 @@
+module ApartmentAcmeClient
+  module DnsApi
+    # Check to see if a particular DNS record is
+    # present.
+    class CheckDns
+      attr_reader :root_domain, :dns_record
+
+      def initialize(root_domain, dns_record)
+        # ensure we only have the TLD, not a subdomain
+        @root_domain = root_domain.split(".").last(2).join(".")
+        @dns_record = dns_record
+      end
+
+      # Search DNS recodrs for any entries which are TXT and include
+      # the text 'value'
+      def check_dns(value)
+        valid = true
+
+        nameservers.each do |nameserver|
+          begin
+            records = Resolv::DNS.open(nameserver: nameserver) do |dns|
+              dns.getresources(
+                dns_record,
+                Resolv::DNS::Resource::IN::TXT
+              )
+            end
+            records = records.map(&:strings).flatten
+            valid = records.include?(value)
+          rescue Resolv::ResolvError
+            return false
+          end
+          return false unless valid
+        end
+
+        valid
+      end
+
+      def nameservers
+        return @nameservers if defined?(@nameservers)
+
+        @nameservers = []
+        Resolv::DNS.open(nameserver: '8.8.8.8') do |dns|
+          while nameservers.empty?
+            @nameservers = dns.getresources(
+              root_domain,
+              Resolv::DNS::Resource::IN::NS
+            ).map(&:name).map(&:to_s)
+          end
+        end
+
+        @nameservers
+      end
+
+      def wait_for_present(value, timeout_seconds: 60)
+        time = 1
+        until check_dns(value)
+          puts "Waiting for DNS to update"
+          sleep 1
+          time += 1
+          break if time > timeout_seconds
+        end
+      end
+    end
+  end
+end

data/lib/apartment_acme_client/dns_api/fake.rb

@@ -0,0 +1,6 @@
+module ApartmentAcmeClient
+  module DnsApi
+    class Fake
+    end
+  end
+end

data/lib/apartment_acme_client/dns_api/route53.rb

@@ -0,0 +1,90 @@
+require 'aws-sdk-route53'
+
+module ApartmentAcmeClient
+  module DnsApi
+    # based on https://www.petekeen.net/lets-encrypt-without-certbot
+    class Route53
+      # The domain being requested for DNS update
+      # e.g. "site.example.com"
+      attr_reader :requested_domain
+
+      # the DNS TXT record label (full label, including domain)
+      attr_reader :label
+
+      # will be TXT
+      attr_reader :record_type
+
+      # array of value keys to be written
+      # (for wildcard certs, you'll have one for *.example.com, and one for example.com)
+      # e.g. ["One", "Two"]
+      attr_reader :values
+
+      def initialize(requested_domain:, dns_record_label:, record_type:, values:)
+        @requested_domain = requested_domain
+        @label = dns_record_label
+        @record_type = record_type
+        @values = values
+      end
+
+      # NOTE:
+      # if you get error like:
+      #
+      # "Invalid Resource Record: FATAL problem:
+      # InvalidCharacterString
+      # (Value should be enclosed in quotation marks) encountered with <value>"
+      #
+      # this means that the "Value" should include escape quotes.
+      # e.g. values: ["\"Something\"", "\"Other Thing\""]
+      def write_record
+        route53.change_resource_record_sets(options)
+      end
+
+      private
+
+      def options
+        change = {
+          action: 'UPSERT',
+          resource_record_set: {
+            name: label,
+            type: record_type,
+            ttl: 1,
+            resource_records: resource_record_values
+          }
+        }
+
+        {
+          hosted_zone_id: zone.id,
+          change_batch: {
+            changes: [change]
+          }
+        }
+      end
+
+      def root_domain
+        requested_domain.split(".").last(2).join(".")
+      end
+
+      def zone
+        @zone = route53.list_hosted_zones(max_items: 100)
+                       .hosted_zones
+                       .detect { |z| z.name = "#{root_domain}." }
+      end
+
+      def route53
+        # Note: The `region` doesn't matter, because Route53 is global.
+        @route53 ||= Aws::Route53::Client.new(region: 'us-east-1')
+      end
+
+      # createt an AwsRoute53 upsert with multiple value entries
+      def resource_record_values
+        values.map do |value|
+          if value.include?("\"")
+            { value: value }
+          else
+            { value: "\"#{value}\"" }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/apartment_acme_client/encryption.rb

@@ -1,11 +1,11 @@
+# frozen_string_literal: true
+
 require 'openssl'
 
 # Initially, the system is only accessible via subdomain.example.com
 # But, as we add more Conventions, we want to be able to access those also,
 # thus we will need:
-# - a.subdomain.example.com
-# - b.subdomain.example.com
-# - c.subdomain.example.com
+# - *.subdomain.example.com
 #
 # Also, each convention may add an "alias" for their convention, like:
 # - www.naucc.com
@@ -21,20 +21,21 @@ require 'openssl'
 #
 # Manage the encryption of the website (https).
 module ApartmentAcmeClient
-  class Encryption
+  class Encryption # rubocop:disable Metrics/ClassLength
     def initialize
       @certificate_storage = ApartmentAcmeClient::CertificateStorage::Proxy.singleton
     end
 
     # Largely based on https://github.com/unixcharles/acme-client documentation
     def register_new(email)
-      raise StandardError.new("Private key already exists") unless @certificate_storage.private_key.nil?
+      raise StandardError.new('Private key already exists') unless @certificate_storage.private_key.nil?
 
       private_key = create_private_key
 
       # Initialize the client
       new_client = ApartmentAcmeClient::AcmeClient::Proxy.singleton(
-        private_key: private_key,
+        acme_client_private_key: private_key,
+        csr_private_key: nil, # not needed for 'register' call
       )
 
       new_client.register(email)
@@ -42,22 +43,75 @@ module ApartmentAcmeClient
       @certificate_storage.save_private_key(private_key)
     end
 
-    def authorize_domains(domains)
-      successful_domains = domains.select {|domain| authorize_domain(domain) }
-      successful_domains
+    # Authorize a wildcard cert domain.
+    # to do this, we have to write to the Amazon Route53 DNS entry
+    # params:
+    #  - authorizations - a list of authorizations, which may be http or dns based (ignore the non-wildcard ones)
+    #  - wildcard_domain - the url of the wildcard's base domain (e.g. "site.example.com")
+    def authorize_domains_with_dns(authorizations, wildcard_domain:) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+      label = nil
+      record_type = nil
+      values = []
+
+      dns_authorizations = []
+      authorizations.each do |domain_authorization|
+        next unless domain_authorization.wildcard || domain_authorization.http.nil?
+
+        dns_authorizations << domain_authorization.dns
+      end
+
+      dns_authorizations.each do |authorization|
+        label         = "#{authorization.record_name}.#{wildcard_domain}"
+        record_type   = authorization.record_type
+        value         = authorization.record_content
+        values << value
+      end
+
+      return unless values.any?
+
+      route53 = ApartmentAcmeClient::DnsApi::Route53.new(
+        requested_domain: wildcard_domain,
+        dns_record_label: label,
+        record_type: record_type,
+        values: values
+      )
+
+      route53.write_record
+
+      check_dns = ApartmentAcmeClient::DnsApi::CheckDns.new(wildcard_domain, label)
+
+      check_dns.wait_for_present(values.first)
+
+      if check_dns.check_dns(values.first)
+        # DNS is updated, proceed with cert request
+        dns_authorizations.each do |domain_authorization|
+          domain_authorization.request_validation
+
+          30.times do
+            # may be 'pending' initially
+            break if domain_authorization.status == 'valid'
+
+            puts "Waiting for LetsEncrypt to authorize the domain. Status #{domain_authorization.status}"
+
+            # Wait a bit for the server to make the request, or just blink. It should be fast.
+            sleep(2)
+            domain_authorization.reload
+          end
+        end
+      else
+        # ERROR, DNS not updated in time
+        Rollbar.error("DNS Entry not found in timeout")
+      end
     end
 
-    # authorizes a domain with letsencrypt server
+    # authorizes a single domain with letsencrypt server
     # returns true on success, false otherwise.
     #
     # from https://github.com/unixcharles/acme-client/tree/master#authorize-for-domain
-    def authorize_domain(domain)
-      authorization = client.authorize(domain: domain)
+    def authorize_domain_with_http(domain_authorization)
+      challenge = domain_authorization.http
 
-      # This example is using the http-01 challenge type. Other challenges are dns-01 or tls-sni-01.
-      challenge = authorization.http01
-
-      # The http-01 method will require you to respond to a HTTP request.
+      # The http method will require you to respond to a HTTP request.
 
       # You can retrieve the challenge token
       challenge.token # => "some_token"
@@ -90,43 +144,81 @@ module ApartmentAcmeClient
       #  challenge = client.challenge_from_hash(JSON.parse(File.read('challenge')))
 
       # Once you are ready to serve the confirmation request you can proceed.
-      challenge.request_verification # => true
+      challenge.request_validation # => true
 
-      success = false
-      10.times do
-        if challenge.verify_status == 'valid' # may be 'pending' initially
-          success = true
-          break
-        end
+      30.times do
+        # may be 'pending' initially
+        break if challenge.status == 'valid'
+
+        puts "Waiting for letsencrypt to authorize the single domain. Status: #{challenge.status}"
 
         # Wait a bit for the server to make the request, or just blink. It should be fast.
-        sleep(1)
+        sleep(2)
+        challenge.reload
       end
       File.delete(full_challenge_filename)
 
-      success
+      challenge.status == 'valid'
+    end
+
+    # Create an order, perform authorization for each domain, and then
+    # request the certificate.
+    # - common name is used so that there is continuity of requests over time
+    # - domains are the list of individual http-based domains to be authorized
+    # - wildcard_domain is an optional wildcard domain to be authorized via DNS Record
+    #
+    # Returns the certificate
+    def request_certificate(common_name:, domains:, wildcard_domain: nil)
+      domain_names_requested = domains
+      domain_names_requested += [wildcard_domain, "*.#{wildcard_domain}"] if wildcard_domain.present?
+      order = client.new_order(identifiers: domain_names_requested)
+
+      # Do the HTTP authorizations
+      order.authorizations.each do |authorization|
+        next if authorization.wildcard || authorization.http.nil?
+
+        authorize_domain_with_http(authorization)
+      end
+      # Do the DNS (wildcard) authorizations
+      authorize_domains_with_dns(order.authorizations, wildcard_domain: wildcard_domain)
+
+      client.request_certificate(common_name: common_name, names: domain_names_requested, order: order)
     end
 
-    def request_certificate(common_name:, domains:)
-      client.request_certificate(common_name: common_name, domains: domains)
+    # for use in order to store this on the machine for NGINX use
+    def csr_private_key_string
+      csr_private_key.to_s
     end
 
     private
 
     def client
       @client ||= ApartmentAcmeClient::AcmeClient::Proxy.singleton(
-        private_key: private_key,
+        acme_client_private_key: acme_client_private_key,
+        csr_private_key: csr_private_key,
       )
     end
 
     # Returns a private key
-    def private_key
+    def acme_client_private_key
       private_key = @certificate_storage.private_key
       return nil unless private_key
 
       OpenSSL::PKey::RSA.new(private_key)
     end
 
+    def csr_private_key
+      private_key = @certificate_storage.csr_private_key
+
+      # create a new private key if one is not found
+      if private_key.nil?
+        private_key = create_private_key
+        @certificate_storage.save_csr_private_key(private_key)
+      end
+
+      OpenSSL::PKey::RSA.new(private_key)
+    end
+
     def create_private_key
       OpenSSL::PKey::RSA.new(4096)
     end

data/lib/apartment_acme_client/nginx_configuration/real.rb

@@ -30,10 +30,10 @@ module ApartmentAcmeClient
 
       def filled_template
         return nil unless check_configuration
+
         fill_template(read_template, @options)
       end
 
-
       def default_options
         result = {}
         result[:public_folder] = ApartmentAcmeClient.public_folder
@@ -59,62 +59,60 @@ module ApartmentAcmeClient
 
       def default_template
         <<~THE_END
-        #
-        # A virtual host using mix of IP-, name-, and port-based configuration
-        #
+          #
+          # A virtual host using mix of IP-, name-, and port-based configuration
+          #
 
-        upstream app {
-            # Path to Unicorn SOCK file, as defined previously
-            server unix:<%= options[:socket_path] %> fail_timeout=0;
-        }
+          upstream app {
+              # Path to Unicorn SOCK file, as defined previously
+              server unix:<%= options[:socket_path] %> fail_timeout=0;
+          }
 
-        server {
+          server {
 
-            # FOR HTTP
-            listen 80;
+              # FOR HTTP
+              listen 80;
 
-            gzip on;
+              gzip on;
 
-            # Application root, as defined previously
-            root <%= options[:public_folder] %>;
-            server_name  <%= options[:base_domain] %> *.<%= options[:base_domain] %>;
+              # Application root, as defined previously
+              root <%= options[:public_folder] %>;
+              server_name  <%= options[:base_domain] %> *.<%= options[:base_domain] %>;
 
-            try_files $uri/index.html $uri @app;
+              try_files $uri/index.html $uri @app;
 
-            location @app {
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-FORWARDED-PROTO $scheme;
-                proxy_set_header Host $http_host;
-                proxy_redirect off;
-                proxy_pass http://app;
-            }
+              location @app {
+                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                  proxy_set_header X-FORWARDED-PROTO $scheme;
+                  proxy_set_header Host $http_host;
+                  proxy_redirect off;
+                  proxy_pass http://app;
+              }
 
-            error_page 500 502 503 504 /500.html;
-            client_max_body_size 4G;
-            keepalive_timeout 10;
+              error_page 500 502 503 504 /500.html;
+              client_max_body_size 4G;
+              keepalive_timeout 10;
 
-            # BELOW THIS LINE FOR HTTPS
-            <% if options[:include_ssl] %>
-            listen 443 default_server ssl;
+              # BELOW THIS LINE FOR HTTPS
+              <% if options[:include_ssl] %>
+              listen 443 default_server ssl;
 
-            # The following should be enabled once everything is SSL
-            # ssl on;
+              # The following should be enabled once everything is SSL
+              # ssl on;
 
-            ssl_certificate <%= options[:certificate_storage_folder] %>/<%= options[:cert_prefix] %>cert.pem;
-            ssl_certificate_key <%= options[:certificate_storage_folder] %>/<%= options[:cert_prefix] %>privkey.pem;
+              ssl_certificate <%= options[:certificate_storage_folder] %>/<%= options[:cert_prefix] %>cert.pem;
+              ssl_certificate_key <%= options[:certificate_storage_folder] %>/<%= options[:cert_prefix] %>privkey.pem;
 
-            ssl_stapling on;
-            ssl_stapling_verify on;
-            ssl_trusted_certificate <%= options[:certificate_storage_folder] %>/<%= options[:cert_prefix] %>fullchain.pem;
+              ssl_stapling on;
+              ssl_stapling_verify on;
 
-            ssl_session_timeout 5m;
-            <% end %>
-        }
+              ssl_session_timeout 5m;
+              <% end %>
+          }
         THE_END
       end
 
       def fill_template(template, options)
-
         # scope defined for use in binding to ERB
         def opts(options)
           options

data/lib/apartment_acme_client/renewal_service.rb

@@ -1,22 +1,27 @@
+# frozen_string_literal: true
+
 module ApartmentAcmeClient
   class RenewalService
     def self.run!
-
       good_domains, rejected_domains = ApartmentAcmeClient::DomainChecker.new.accessible_domains
       puts "All domains to be requested: #{good_domains}, invalid domains: #{rejected_domains}"
 
-      domains = ApartmentAcmeClient::Encryption.new.authorize_domains(good_domains)
-      puts "authorized-domains list: #{domains}"
+      common_name = ApartmentAcmeClient.common_name || good_domains.first
 
-      common_name = ApartmentAcmeClient.common_name ? ApartmentAcmeClient.common_name : good_domains.first
-      certificate = ApartmentAcmeClient::Encryption.new.request_certificate(common_name: common_name, domains: domains)
+      encryptor = ApartmentAcmeClient::Encryption.new
+      certificate = encryptor.request_certificate(
+        common_name: common_name,
+        domains: good_domains,
+        wildcard_domain: ApartmentAcmeClient.wildcard_domain
+      )
 
-      ApartmentAcmeClient::CertificateStorage::Proxy.singleton.store_certificate(certificate)
+      ApartmentAcmeClient::CertificateStorage::Proxy.singleton.store_certificate_string(certificate)
+      ApartmentAcmeClient::CertificateStorage::Proxy.singleton.store_csr_private_key_string(encryptor.csr_private_key_string)
 
-      puts "Restarting nginx with new certificate"
-      ApartmentAcmeClient::FileManipulation::Proxy.singleton.restart_service("nginx")
+      puts 'Restarting nginx with new certificate'
+      ApartmentAcmeClient::FileManipulation::Proxy.singleton.restart_service('nginx')
 
-      puts "done."
+      puts 'done.'
     end
   end
 end

data/lib/apartment_acme_client/version.rb

@@ -1,3 +1,3 @@
 module ApartmentAcmeClient
-  VERSION = '0.0.3'
+  VERSION = '0.0.5'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apartment_acme_client
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.5
 platform: ruby
 authors:
 - Robin Dunlop
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-01-13 00:00:00.000000000 Z
+date: 2020-01-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -36,16 +36,16 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.1
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.1
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
-  name: aws-sdk-s3
+  name: aws-sdk-route53
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -59,19 +59,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1'
 - !ruby/object:Gem::Dependency
-  name: sqlite3
+  name: aws-sdk-s3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
+        version: '1'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -86,6 +86,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.15'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -129,7 +143,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: pry
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -170,6 +198,9 @@ files:
 - lib/apartment_acme_client/acme_client/real_client.rb
 - lib/apartment_acme_client/certificate_storage/proxy.rb
 - lib/apartment_acme_client/certificate_storage/s3.rb
+- lib/apartment_acme_client/dns_api/check_dns.rb
+- lib/apartment_acme_client/dns_api/fake.rb
+- lib/apartment_acme_client/dns_api/route53.rb
 - lib/apartment_acme_client/domain_checker.rb
 - lib/apartment_acme_client/encryption.rb
 - lib/apartment_acme_client/engine.rb
@@ -201,7 +232,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.8
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Let's Encrypt interface for Multi-tenancy applications (like Apartment)