itsi 0.1.4 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e3af10f03274d8f16b8ef964b4c97825c85f89898c136c9d105405b46581cfdb
-  data.tar.gz: 3254b73a71c5c56e6f1cf30249b1edbd865d9ee22dc9ae350e4e93adea778c81
+  metadata.gz: 43c8c15592c8e8e749938e5c5c4b5e481ba3ea88d82bac63059a612e35bf2213
+  data.tar.gz: e57ab7eacc32f7a0ac702be2e15ac9a36d48aff27aaa3705f77c428df2acf0f8
 SHA512:
-  metadata.gz: e7c3e0561e32e4dfcf5b06e7a0a860f715b0cc9faf8f0f52da73e7051141617d4945cabaa2acce7fed74ae110dc1591bd9b38d035d0db75d538e063254478948
-  data.tar.gz: 7065897feb5a41ffe7cb5e2e0d7ca38790ed26498e2a0ed203a2575c95895ca6c9d22a9f2a45ba66ed599399ad6f0b4b50f229f34b074a1994ae560ab5774e2a
+  metadata.gz: 1ea20d0e8d9d82cb4b095674192ead9837334c5472761cce1dc093d43d829c2d71ecb74d06a667f4c8274607791bd1cd1ad12f005bf1bc8a3fa5179499a61d8f
+  data.tar.gz: c1aa8a84ebd694f3f39d287fd67e320c69f89dd35315af3203e09259c500404825790e925abd8b9a6ee26d5a97638a1d7442a9bb369653398922a42a08742498

data/Cargo.lock

@@ -434,7 +434,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d"
 dependencies = [
  "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -479,6 +479,16 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "fs2"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9564fc758e15025b46aa6643b1b77d047d1a56a1aea6e01002ac0c7026876213"
+dependencies = [
+ "libc",
+ "winapi",
+]
+
 [[package]]
 name = "fs_extra"
 version = "1.3.0"
@@ -974,10 +984,12 @@ name = "itsi-server"
 version = "0.1.0"
 dependencies = [
  "async-channel",
+ "async-trait",
  "base64",
  "bytes",
  "crossbeam",
  "derive_more",
+ "fs2",
  "futures",
  "http",
  "http-body-util",
@@ -993,6 +1005,7 @@ dependencies = [
  "pin-project",
  "rb-sys",
  "rcgen",
+ "ring",
  "rustls",
  "rustls-pemfile",
  "socket2",
@@ -1480,7 +1493,7 @@ dependencies = [
  "once_cell",
  "socket2",
  "tracing",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -1684,9 +1697,9 @@ dependencies = [
 
 [[package]]
 name = "ring"
-version = "0.17.11"
+version = "0.17.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da5349ae27d3887ca812fb375b45a4fbb36d8d12d2df394968cd86e35683fe73"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
 dependencies = [
  "cc",
  "cfg-if",
@@ -1733,7 +1746,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys 0.4.15",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -1746,7 +1759,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys 0.9.2",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -1997,7 +2010,7 @@ dependencies = [
  "getrandom 0.3.1",
  "once_cell",
  "rustix 1.0.1",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]

data/crates/itsi_server/Cargo.toml

@@ -41,3 +41,6 @@ tempfile = "3.18.0"
 sysinfo = "0.33.1"
 tokio-rustls-acme = "0.6.0"
 rustls = "0.23.23"
+fs2 = "0.4.3"
+ring = "0.17.14"
+async-trait = "0.1.87"

data/crates/itsi_server/src/server/listener.rs

@@ -78,8 +78,9 @@ impl TokioListener {
         {
             let mut state = state.lock().await;
             loop {
-                if let Some(event) = StreamExt::next(&mut *state).await {
-                    info!("Received acme event: {:?}", event)
+                match StreamExt::next(&mut *state).await {
+                    Some(event) => info!("Received acme event: {:?}", event),
+                    None => error!("Received no acme event"),
                 }
             }
         }
@@ -96,19 +97,19 @@ impl TokioListener {
             }
             ItsiTlsAcceptor::Automatic(acme_acceptor, _, rustls_config) => {
                 let accept_future = acme_acceptor.accept(tcp_stream.0);
-                match accept_future.await.unwrap() {
-                    None => Err(ItsiError::Pass()),
-                    Some(start_handshake) => {
-                        let tls_stream = start_handshake
-                            .into_stream(rustls_config.clone())
-                            .await
-                            .unwrap();
-                        // Wrap in your IoStream::TcpTls variant
+                match accept_future.await {
+                    Ok(None) => Err(ItsiError::Pass()),
+                    Ok(Some(start_handshake)) => {
+                        let tls_stream = start_handshake.into_stream(rustls_config.clone()).await?;
                         Ok(IoStream::TcpTls {
                             stream: tls_stream,
                             addr: SockAddr::Tcp(Arc::new(tcp_stream.1)),
                         })
                     }
+                    Err(error) => {
+                        error!(error = format!("{:?}", error));
+                        Err(ItsiError::Pass())
+                    }
                 }
             }
         }

data/crates/itsi_server/src/server/serve_strategy/single_mode.rs

@@ -83,7 +83,7 @@ impl SingleMode {
         Ok(())
     }
 
-    #[instrument(parent=None, skip(self))]
+    #[instrument(parent=None, skip(self), fields(pid=format!("{}", Pid::this())))]
     pub fn run(self: Arc<Self>) -> Result<()> {
         let mut listener_task_set = JoinSet::new();
         let self_ref = Arc::new(self);

data/crates/itsi_server/src/server/tls/locked_dir_cache.rs

@@ -0,0 +1,132 @@
+use async_trait::async_trait;
+use fs2::FileExt;
+use parking_lot::Mutex;
+use std::env;
+use std::fs::{self, OpenOptions};
+use std::io::Error as IoError;
+use std::path::{Path, PathBuf};
+use tokio_rustls_acme::caches::DirCache;
+use tokio_rustls_acme::{AccountCache, CertCache};
+
+/// A wrapper around DirCache that locks a file before writing cert/account data.
+pub struct LockedDirCache<P: AsRef<Path> + Send + Sync> {
+    inner: DirCache<P>,
+    lock_path: PathBuf,
+    current_lock: Mutex<Option<std::fs::File>>,
+}
+
+impl<P: AsRef<Path> + Send + Sync> LockedDirCache<P> {
+    pub fn new(dir: P) -> Self {
+        let dir_path = dir.as_ref().to_path_buf();
+        std::fs::create_dir_all(&dir_path).unwrap();
+        let lock_path =
+            dir_path.join(env::var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+        Self::touch_file(&lock_path).expect("Failed to create lock file");
+
+        Self {
+            inner: DirCache::new(dir),
+            lock_path,
+            current_lock: Mutex::new(None),
+        }
+    }
+
+    fn touch_file(path: &PathBuf) -> std::io::Result<()> {
+        if let Some(parent) = path.parent() {
+            fs::create_dir_all(parent)?;
+        }
+        fs::OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(path)?;
+        Ok(())
+    }
+
+    fn lock_exclusive(&self) -> Result<(), IoError> {
+        if self.current_lock.lock().is_some() {
+            return Ok(());
+        }
+
+        if let Some(parent) = self.lock_path.parent() {
+            std::fs::create_dir_all(parent)?;
+        }
+        let lockfile = OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(&self.lock_path)?;
+        lockfile.lock_exclusive()?;
+        *self.current_lock.lock() = Some(lockfile);
+        Ok(())
+    }
+
+    fn unlock(&self) -> Result<(), IoError> {
+        self.current_lock.lock().take();
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl<P: AsRef<Path> + Send + Sync> CertCache for LockedDirCache<P> {
+    type EC = IoError;
+
+    async fn load_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EC> {
+        self.lock_exclusive()?;
+        let result = self.inner.load_cert(domains, directory_url).await;
+
+        if let Ok(Some(_)) = result {
+            self.unlock()?;
+        }
+
+        result
+    }
+
+    async fn store_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+        cert: &[u8],
+    ) -> Result<(), Self::EC> {
+        // Acquire the lock before storing
+        self.lock_exclusive()?;
+
+        // Perform the store operation
+        let result = self.inner.store_cert(domains, directory_url, cert).await;
+
+        if let Ok(()) = result {
+            self.unlock()?;
+        }
+        result
+    }
+}
+
+#[async_trait]
+impl<P: AsRef<Path> + Send + Sync> AccountCache for LockedDirCache<P> {
+    type EA = IoError;
+
+    async fn load_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EA> {
+        self.lock_exclusive()?;
+        self.inner.load_account(contact, directory_url).await
+    }
+
+    async fn store_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+        account: &[u8],
+    ) -> Result<(), Self::EA> {
+        self.lock_exclusive()?;
+
+        self.inner
+            .store_account(contact, directory_url, account)
+            .await
+    }
+}

data/crates/itsi_server/src/server/tls.rs

@@ -1,8 +1,12 @@
 use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
 use itsi_tracing::info;
+use locked_dir_cache::LockedDirCache;
 use rcgen::{CertificateParams, DnType, KeyPair, SanType};
-use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rustls::{
+    pki_types::{CertificateDer, PrivateKeyDer},
+    ClientConfig, RootCertStore,
+};
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{
     collections::HashMap,
@@ -12,8 +16,8 @@ use std::{
 };
 use tokio::sync::Mutex;
 use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
-use tokio_rustls_acme::{caches::DirCache, AcmeAcceptor, AcmeConfig, AcmeState};
-
+use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+mod locked_dir_cache;
 const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
 const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
@@ -48,10 +52,41 @@ pub fn configure_tls(
                 domains = format!("{:?}", domains),
                 directory_url, "Requesting acme cert"
             );
+
+            let mut root_cert_store = RootCertStore::empty();
+            if let Ok(ca_pem_path) = env::var("ITSI_ACME_CA_PEM_PATH") {
+                let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
+                let mut ca_reader = BufReader::new(&ca_pem[..]);
+                let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
+                    .collect::<std::result::Result<Vec<CertificateDer>, _>>()
+                    .map_err(|e| {
+                        itsi_error::ItsiError::ArgumentError(format!(
+                            "Invalid ACME CA Pem path {:?}",
+                            e
+                        ))
+                    })?;
+                root_cert_store.add_parsable_certificates(der_certs);
+            }
+
+            let client_config = ClientConfig::builder()
+                .with_root_certificates(root_cert_store)
+                .with_no_client_auth();
+
+            let contact_email = env::var("ITSI_ACME_CONTACT_EMAIL").map_err(|_| {
+                itsi_error::ItsiError::ArgumentError(
+                    "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
+                        .to_string(),
+                )
+            })?;
+
+            let cache_dir = env::var("ITSI_ACME_CACHE_DIR")
+                .unwrap_or_else(|_| "./.rustls_acme_cache".to_string());
+
             let acme_state = AcmeConfig::new(domains)
-                .contact(["mailto:wc@pico.net.nz"])
-                .cache(DirCache::new("./rustls_acme_cache"))
+                .contact([format!("mailto:{}", contact_email)])
+                .cache(LockedDirCache::new(cache_dir))
                 .directory(directory_url)
+                .client_tls_config(Arc::new(client_config))
                 .state();
             let rustls_config = ServerConfig::builder()
                 .with_no_client_auth()

data/gems/scheduler/ext/itsi_server/Cargo.toml

@@ -41,3 +41,6 @@ tempfile = "3.18.0"
 sysinfo = "0.33.1"
 tokio-rustls-acme = "0.6.0"
 rustls = "0.23.23"
+fs2 = "0.4.3"
+ring = "0.17.14"
+async-trait = "0.1.87"

data/gems/scheduler/ext/itsi_server/src/server/listener.rs

@@ -78,8 +78,9 @@ impl TokioListener {
         {
             let mut state = state.lock().await;
             loop {
-                if let Some(event) = StreamExt::next(&mut *state).await {
-                    info!("Received acme event: {:?}", event)
+                match StreamExt::next(&mut *state).await {
+                    Some(event) => info!("Received acme event: {:?}", event),
+                    None => error!("Received no acme event"),
                 }
             }
         }
@@ -96,19 +97,19 @@ impl TokioListener {
             }
             ItsiTlsAcceptor::Automatic(acme_acceptor, _, rustls_config) => {
                 let accept_future = acme_acceptor.accept(tcp_stream.0);
-                match accept_future.await.unwrap() {
-                    None => Err(ItsiError::Pass()),
-                    Some(start_handshake) => {
-                        let tls_stream = start_handshake
-                            .into_stream(rustls_config.clone())
-                            .await
-                            .unwrap();
-                        // Wrap in your IoStream::TcpTls variant
+                match accept_future.await {
+                    Ok(None) => Err(ItsiError::Pass()),
+                    Ok(Some(start_handshake)) => {
+                        let tls_stream = start_handshake.into_stream(rustls_config.clone()).await?;
                         Ok(IoStream::TcpTls {
                             stream: tls_stream,
                             addr: SockAddr::Tcp(Arc::new(tcp_stream.1)),
                         })
                     }
+                    Err(error) => {
+                        error!(error = format!("{:?}", error));
+                        Err(ItsiError::Pass())
+                    }
                 }
             }
         }

data/gems/scheduler/ext/itsi_server/src/server/serve_strategy/single_mode.rs

@@ -83,7 +83,7 @@ impl SingleMode {
         Ok(())
     }
 
-    #[instrument(parent=None, skip(self))]
+    #[instrument(parent=None, skip(self), fields(pid=format!("{}", Pid::this())))]
     pub fn run(self: Arc<Self>) -> Result<()> {
         let mut listener_task_set = JoinSet::new();
         let self_ref = Arc::new(self);

data/gems/scheduler/ext/itsi_server/src/server/tls/locked_dir_cache.rs

@@ -0,0 +1,132 @@
+use async_trait::async_trait;
+use fs2::FileExt;
+use parking_lot::Mutex;
+use std::env;
+use std::fs::{self, OpenOptions};
+use std::io::Error as IoError;
+use std::path::{Path, PathBuf};
+use tokio_rustls_acme::caches::DirCache;
+use tokio_rustls_acme::{AccountCache, CertCache};
+
+/// A wrapper around DirCache that locks a file before writing cert/account data.
+pub struct LockedDirCache<P: AsRef<Path> + Send + Sync> {
+    inner: DirCache<P>,
+    lock_path: PathBuf,
+    current_lock: Mutex<Option<std::fs::File>>,
+}
+
+impl<P: AsRef<Path> + Send + Sync> LockedDirCache<P> {
+    pub fn new(dir: P) -> Self {
+        let dir_path = dir.as_ref().to_path_buf();
+        std::fs::create_dir_all(&dir_path).unwrap();
+        let lock_path =
+            dir_path.join(env::var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+        Self::touch_file(&lock_path).expect("Failed to create lock file");
+
+        Self {
+            inner: DirCache::new(dir),
+            lock_path,
+            current_lock: Mutex::new(None),
+        }
+    }
+
+    fn touch_file(path: &PathBuf) -> std::io::Result<()> {
+        if let Some(parent) = path.parent() {
+            fs::create_dir_all(parent)?;
+        }
+        fs::OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(path)?;
+        Ok(())
+    }
+
+    fn lock_exclusive(&self) -> Result<(), IoError> {
+        if self.current_lock.lock().is_some() {
+            return Ok(());
+        }
+
+        if let Some(parent) = self.lock_path.parent() {
+            std::fs::create_dir_all(parent)?;
+        }
+        let lockfile = OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(&self.lock_path)?;
+        lockfile.lock_exclusive()?;
+        *self.current_lock.lock() = Some(lockfile);
+        Ok(())
+    }
+
+    fn unlock(&self) -> Result<(), IoError> {
+        self.current_lock.lock().take();
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl<P: AsRef<Path> + Send + Sync> CertCache for LockedDirCache<P> {
+    type EC = IoError;
+
+    async fn load_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EC> {
+        self.lock_exclusive()?;
+        let result = self.inner.load_cert(domains, directory_url).await;
+
+        if let Ok(Some(_)) = result {
+            self.unlock()?;
+        }
+
+        result
+    }
+
+    async fn store_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+        cert: &[u8],
+    ) -> Result<(), Self::EC> {
+        // Acquire the lock before storing
+        self.lock_exclusive()?;
+
+        // Perform the store operation
+        let result = self.inner.store_cert(domains, directory_url, cert).await;
+
+        if let Ok(()) = result {
+            self.unlock()?;
+        }
+        result
+    }
+}
+
+#[async_trait]
+impl<P: AsRef<Path> + Send + Sync> AccountCache for LockedDirCache<P> {
+    type EA = IoError;
+
+    async fn load_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EA> {
+        self.lock_exclusive()?;
+        self.inner.load_account(contact, directory_url).await
+    }
+
+    async fn store_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+        account: &[u8],
+    ) -> Result<(), Self::EA> {
+        self.lock_exclusive()?;
+
+        self.inner
+            .store_account(contact, directory_url, account)
+            .await
+    }
+}

data/gems/scheduler/ext/itsi_server/src/server/tls.rs

@@ -1,8 +1,12 @@
 use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
 use itsi_tracing::info;
+use locked_dir_cache::LockedDirCache;
 use rcgen::{CertificateParams, DnType, KeyPair, SanType};
-use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rustls::{
+    pki_types::{CertificateDer, PrivateKeyDer},
+    ClientConfig, RootCertStore,
+};
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{
     collections::HashMap,
@@ -12,8 +16,8 @@ use std::{
 };
 use tokio::sync::Mutex;
 use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
-use tokio_rustls_acme::{caches::DirCache, AcmeAcceptor, AcmeConfig, AcmeState};
-
+use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+mod locked_dir_cache;
 const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
 const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
@@ -48,10 +52,41 @@ pub fn configure_tls(
                 domains = format!("{:?}", domains),
                 directory_url, "Requesting acme cert"
             );
+
+            let mut root_cert_store = RootCertStore::empty();
+            if let Ok(ca_pem_path) = env::var("ITSI_ACME_CA_PEM_PATH") {
+                let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
+                let mut ca_reader = BufReader::new(&ca_pem[..]);
+                let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
+                    .collect::<std::result::Result<Vec<CertificateDer>, _>>()
+                    .map_err(|e| {
+                        itsi_error::ItsiError::ArgumentError(format!(
+                            "Invalid ACME CA Pem path {:?}",
+                            e
+                        ))
+                    })?;
+                root_cert_store.add_parsable_certificates(der_certs);
+            }
+
+            let client_config = ClientConfig::builder()
+                .with_root_certificates(root_cert_store)
+                .with_no_client_auth();
+
+            let contact_email = env::var("ITSI_ACME_CONTACT_EMAIL").map_err(|_| {
+                itsi_error::ItsiError::ArgumentError(
+                    "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
+                        .to_string(),
+                )
+            })?;
+
+            let cache_dir = env::var("ITSI_ACME_CACHE_DIR")
+                .unwrap_or_else(|_| "./.rustls_acme_cache".to_string());
+
             let acme_state = AcmeConfig::new(domains)
-                .contact(["mailto:wc@pico.net.nz"])
-                .cache(DirCache::new("./rustls_acme_cache"))
+                .contact([format!("mailto:{}", contact_email)])
+                .cache(LockedDirCache::new(cache_dir))
                 .directory(directory_url)
+                .client_tls_config(Arc::new(client_config))
                 .state();
             let rustls_config = ServerConfig::builder()
                 .with_no_client_auth()

data/gems/scheduler/lib/itsi/scheduler/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Scheduler
-    VERSION = "0.1.4"
+    VERSION = "0.1.6"
   end
 end

data/gems/server/ext/itsi_server/Cargo.toml

@@ -41,3 +41,6 @@ tempfile = "3.18.0"
 sysinfo = "0.33.1"
 tokio-rustls-acme = "0.6.0"
 rustls = "0.23.23"
+fs2 = "0.4.3"
+ring = "0.17.14"
+async-trait = "0.1.87"

data/gems/server/ext/itsi_server/src/server/listener.rs

@@ -78,8 +78,9 @@ impl TokioListener {
         {
             let mut state = state.lock().await;
             loop {
-                if let Some(event) = StreamExt::next(&mut *state).await {
-                    info!("Received acme event: {:?}", event)
+                match StreamExt::next(&mut *state).await {
+                    Some(event) => info!("Received acme event: {:?}", event),
+                    None => error!("Received no acme event"),
                 }
             }
         }
@@ -96,19 +97,19 @@ impl TokioListener {
             }
             ItsiTlsAcceptor::Automatic(acme_acceptor, _, rustls_config) => {
                 let accept_future = acme_acceptor.accept(tcp_stream.0);
-                match accept_future.await.unwrap() {
-                    None => Err(ItsiError::Pass()),
-                    Some(start_handshake) => {
-                        let tls_stream = start_handshake
-                            .into_stream(rustls_config.clone())
-                            .await
-                            .unwrap();
-                        // Wrap in your IoStream::TcpTls variant
+                match accept_future.await {
+                    Ok(None) => Err(ItsiError::Pass()),
+                    Ok(Some(start_handshake)) => {
+                        let tls_stream = start_handshake.into_stream(rustls_config.clone()).await?;
                         Ok(IoStream::TcpTls {
                             stream: tls_stream,
                             addr: SockAddr::Tcp(Arc::new(tcp_stream.1)),
                         })
                     }
+                    Err(error) => {
+                        error!(error = format!("{:?}", error));
+                        Err(ItsiError::Pass())
+                    }
                 }
             }
         }

data/gems/server/ext/itsi_server/src/server/serve_strategy/single_mode.rs

@@ -83,7 +83,7 @@ impl SingleMode {
         Ok(())
     }
 
-    #[instrument(parent=None, skip(self))]
+    #[instrument(parent=None, skip(self), fields(pid=format!("{}", Pid::this())))]
     pub fn run(self: Arc<Self>) -> Result<()> {
         let mut listener_task_set = JoinSet::new();
         let self_ref = Arc::new(self);

data/gems/server/ext/itsi_server/src/server/tls/locked_dir_cache.rs

@@ -0,0 +1,132 @@
+use async_trait::async_trait;
+use fs2::FileExt;
+use parking_lot::Mutex;
+use std::env;
+use std::fs::{self, OpenOptions};
+use std::io::Error as IoError;
+use std::path::{Path, PathBuf};
+use tokio_rustls_acme::caches::DirCache;
+use tokio_rustls_acme::{AccountCache, CertCache};
+
+/// A wrapper around DirCache that locks a file before writing cert/account data.
+pub struct LockedDirCache<P: AsRef<Path> + Send + Sync> {
+    inner: DirCache<P>,
+    lock_path: PathBuf,
+    current_lock: Mutex<Option<std::fs::File>>,
+}
+
+impl<P: AsRef<Path> + Send + Sync> LockedDirCache<P> {
+    pub fn new(dir: P) -> Self {
+        let dir_path = dir.as_ref().to_path_buf();
+        std::fs::create_dir_all(&dir_path).unwrap();
+        let lock_path =
+            dir_path.join(env::var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+        Self::touch_file(&lock_path).expect("Failed to create lock file");
+
+        Self {
+            inner: DirCache::new(dir),
+            lock_path,
+            current_lock: Mutex::new(None),
+        }
+    }
+
+    fn touch_file(path: &PathBuf) -> std::io::Result<()> {
+        if let Some(parent) = path.parent() {
+            fs::create_dir_all(parent)?;
+        }
+        fs::OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(path)?;
+        Ok(())
+    }
+
+    fn lock_exclusive(&self) -> Result<(), IoError> {
+        if self.current_lock.lock().is_some() {
+            return Ok(());
+        }
+
+        if let Some(parent) = self.lock_path.parent() {
+            std::fs::create_dir_all(parent)?;
+        }
+        let lockfile = OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(&self.lock_path)?;
+        lockfile.lock_exclusive()?;
+        *self.current_lock.lock() = Some(lockfile);
+        Ok(())
+    }
+
+    fn unlock(&self) -> Result<(), IoError> {
+        self.current_lock.lock().take();
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl<P: AsRef<Path> + Send + Sync> CertCache for LockedDirCache<P> {
+    type EC = IoError;
+
+    async fn load_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EC> {
+        self.lock_exclusive()?;
+        let result = self.inner.load_cert(domains, directory_url).await;
+
+        if let Ok(Some(_)) = result {
+            self.unlock()?;
+        }
+
+        result
+    }
+
+    async fn store_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+        cert: &[u8],
+    ) -> Result<(), Self::EC> {
+        // Acquire the lock before storing
+        self.lock_exclusive()?;
+
+        // Perform the store operation
+        let result = self.inner.store_cert(domains, directory_url, cert).await;
+
+        if let Ok(()) = result {
+            self.unlock()?;
+        }
+        result
+    }
+}
+
+#[async_trait]
+impl<P: AsRef<Path> + Send + Sync> AccountCache for LockedDirCache<P> {
+    type EA = IoError;
+
+    async fn load_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EA> {
+        self.lock_exclusive()?;
+        self.inner.load_account(contact, directory_url).await
+    }
+
+    async fn store_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+        account: &[u8],
+    ) -> Result<(), Self::EA> {
+        self.lock_exclusive()?;
+
+        self.inner
+            .store_account(contact, directory_url, account)
+            .await
+    }
+}

data/gems/server/ext/itsi_server/src/server/tls.rs

@@ -1,8 +1,12 @@
 use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
 use itsi_tracing::info;
+use locked_dir_cache::LockedDirCache;
 use rcgen::{CertificateParams, DnType, KeyPair, SanType};
-use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rustls::{
+    pki_types::{CertificateDer, PrivateKeyDer},
+    ClientConfig, RootCertStore,
+};
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{
     collections::HashMap,
@@ -12,8 +16,8 @@ use std::{
 };
 use tokio::sync::Mutex;
 use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
-use tokio_rustls_acme::{caches::DirCache, AcmeAcceptor, AcmeConfig, AcmeState};
-
+use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+mod locked_dir_cache;
 const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
 const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
@@ -48,10 +52,41 @@ pub fn configure_tls(
                 domains = format!("{:?}", domains),
                 directory_url, "Requesting acme cert"
             );
+
+            let mut root_cert_store = RootCertStore::empty();
+            if let Ok(ca_pem_path) = env::var("ITSI_ACME_CA_PEM_PATH") {
+                let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
+                let mut ca_reader = BufReader::new(&ca_pem[..]);
+                let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
+                    .collect::<std::result::Result<Vec<CertificateDer>, _>>()
+                    .map_err(|e| {
+                        itsi_error::ItsiError::ArgumentError(format!(
+                            "Invalid ACME CA Pem path {:?}",
+                            e
+                        ))
+                    })?;
+                root_cert_store.add_parsable_certificates(der_certs);
+            }
+
+            let client_config = ClientConfig::builder()
+                .with_root_certificates(root_cert_store)
+                .with_no_client_auth();
+
+            let contact_email = env::var("ITSI_ACME_CONTACT_EMAIL").map_err(|_| {
+                itsi_error::ItsiError::ArgumentError(
+                    "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
+                        .to_string(),
+                )
+            })?;
+
+            let cache_dir = env::var("ITSI_ACME_CACHE_DIR")
+                .unwrap_or_else(|_| "./.rustls_acme_cache".to_string());
+
             let acme_state = AcmeConfig::new(domains)
-                .contact(["mailto:wc@pico.net.nz"])
-                .cache(DirCache::new("./rustls_acme_cache"))
+                .contact([format!("mailto:{}", contact_email)])
+                .cache(LockedDirCache::new(cache_dir))
                 .directory(directory_url)
+                .client_tls_config(Arc::new(client_config))
                 .state();
             let rustls_config = ServerConfig::builder()
                 .with_no_client_auth()

data/gems/server/lib/itsi/server/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Server
-    VERSION = "0.1.4"
+    VERSION = "0.1.6"
   end
 end

data/lib/itsi/version.rb

@@ -1,3 +1,3 @@
 module Itsi
-  VERSION = "0.1.4"
+  VERSION = "0.1.6"
 end

data/tasks.txt

@@ -1,5 +1,3 @@
-- Release v0.1.3
-- Autocert (Hard. And dev certs use local CA)
 - Test on MOD
 - Filters (Medium)
 - Static File Serve (Medium).error pages

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: itsi
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.6
 platform: ruby
 authors:
 - Wouter Coppieters
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.4
+        version: 0.1.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.4
+        version: 0.1.6
 - !ruby/object:Gem::Dependency
   name: itsi-scheduler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.4
+        version: 0.1.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.4
+        version: 0.1.6
 description: Wrapper Gem for both the Itsi server and it's Fiber scheduler
 email:
 - wc@pico.net.nz
@@ -91,6 +91,7 @@ files:
 - crates/itsi_server/src/server/signal.rs
 - crates/itsi_server/src/server/thread_worker.rs
 - crates/itsi_server/src/server/tls.rs
+- crates/itsi_server/src/server/tls/locked_dir_cache.rs
 - crates/itsi_tracing/Cargo.lock
 - crates/itsi_tracing/Cargo.toml
 - crates/itsi_tracing/src/lib.rs
@@ -148,6 +149,7 @@ files:
 - gems/scheduler/ext/itsi_server/src/server/signal.rs
 - gems/scheduler/ext/itsi_server/src/server/thread_worker.rs
 - gems/scheduler/ext/itsi_server/src/server/tls.rs
+- gems/scheduler/ext/itsi_server/src/server/tls/locked_dir_cache.rs
 - gems/scheduler/ext/itsi_tracing/Cargo.lock
 - gems/scheduler/ext/itsi_tracing/Cargo.toml
 - gems/scheduler/ext/itsi_tracing/src/lib.rs
@@ -218,6 +220,7 @@ files:
 - gems/server/ext/itsi_server/src/server/signal.rs
 - gems/server/ext/itsi_server/src/server/thread_worker.rs
 - gems/server/ext/itsi_server/src/server/tls.rs
+- gems/server/ext/itsi_server/src/server/tls/locked_dir_cache.rs
 - gems/server/ext/itsi_tracing/Cargo.lock
 - gems/server/ext/itsi_tracing/Cargo.toml
 - gems/server/ext/itsi_tracing/src/lib.rs