@certd/acme-client 1.26.9 → 1.26.11

package/package.json

@@ -3,7 +3,7 @@
     "description": "Simple and unopinionated ACME client",
     "private": false,
     "author": "nmorsman",
-    "version": "1.26.9",
+    "version": "1.26.11",
     "main": "src/index.js",
     "types": "types/index.d.ts",
     "license": "MIT",
@@ -20,6 +20,7 @@
         "asn1js": "^3.0.5",
         "axios": "^1.7.2",
         "debug": "^4.3.5",
+        "http-proxy-agent": "^7.0.2",
         "https-proxy-agent": "^7.0.5",
         "node-forge": "^1.3.1"
     },
@@ -59,5 +60,5 @@
     "bugs": {
         "url": "https://github.com/publishlab/node-acme-client/issues"
     },
-    "gitHead": "f36b6e382484ba8d07fa1718c438b097ad04c8da"
+    "gitHead": "3a78cb9929fd63bb72f0e00f4389e775c926c789"
 }

package/src/agents.js

@@ -0,0 +1,101 @@
+const nodeHttp = require('node:http');
+const https = require('node:https');
+const { HttpProxyAgent } = require('http-proxy-agent');
+const { HttpsProxyAgent } = require('https-proxy-agent');
+const { log } = require('./logger');
+
+function createAgent(opts = {}) {
+    let httpAgent;
+    let
+        httpsAgent;
+    const httpProxy = process.env.HTTP_PROXY || process.env.http_proxy;
+    if (httpProxy) {
+        log(`acme use httpProxy:${httpProxy}`);
+        httpAgent = new HttpProxyAgent(httpProxy, opts);
+    }
+    else {
+        httpAgent = new nodeHttp.Agent(opts);
+    }
+    const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy;
+    if (httpsProxy) {
+        log(`acme use httpsProxy:${httpsProxy}`);
+        httpsAgent = new HttpsProxyAgent(httpsProxy, opts);
+    }
+    else {
+        httpsAgent = new https.Agent(opts);
+    }
+    return {
+        httpAgent,
+        httpsAgent,
+    };
+}
+
+let defaultAgents = createAgent();
+
+function getGlobalAgents() {
+    return defaultAgents;
+}
+
+function setGlobalProxy(opts) {
+    log('acme setGlobalProxy:', opts);
+    if (opts.httpProxy) {
+        process.env.HTTP_PROXY = opts.httpProxy;
+    }
+    if (opts.httpsProxy) {
+        process.env.HTTPS_PROXY = opts.httpsProxy;
+    }
+
+    defaultAgents = createAgent();
+}
+
+class HttpError extends Error {
+    constructor(error) {
+        super(error || error.message);
+        if (!error) {
+            return;
+        }
+
+        if (error.message.indexOf('ssl3_get_record:wrong version number') >= 0) {
+            this.message = 'http协议错误，服务端要求http协议，请检查是否使用了https请求';
+        }
+
+        this.name = error.name;
+        this.code = error.code;
+        this.cause = error.cause;
+
+        if (error.response) {
+            this.status = error.response.status;
+            this.statusText = error.response.statusText;
+            this.response = {
+                data: error.response.data,
+            };
+        }
+
+        let url = '';
+        if (error.config) {
+            this.request = {
+                baseURL: error.config.baseURL,
+                url: error.config.url,
+                method: error.config.method,
+                params: error.config.params,
+                data: error.config.data,
+            };
+            url = error.config.baseURL + error.config.url;
+        }
+        if (url) {
+            this.message = `${this.message}:${url}`;
+        }
+
+        delete error.response;
+        delete error.config;
+        delete error.request;
+        // logger.error(error);
+    }
+}
+
+module.exports = {
+    setGlobalProxy,
+    createAgent,
+    getGlobalAgents,
+    HttpError,
+};

package/src/api.js

@@ -30,6 +30,7 @@ class AcmeApi {
                 }
             }
         }
+        console.log(locationUrl, mapping);
         return locationUrl;
     }
 

package/src/auto.js

@@ -182,12 +182,19 @@ module.exports = async (client, userOpts) => {
 
     authorizations.forEach((authz) => {
         const d = authz.identifier.value;
+        log(`authorization:domain = ${d}, value = ${JSON.stringify(authz)}`);
+
+        if (authz.status === 'valid') {
+            log(`[auto] [${d}] Authorization already has valid status, no need to complete challenges`);
+            return;
+        }
         let setd = false;
         // eslint-disable-next-line no-restricted-syntax
         for (const group of domainSets) {
             if (!group[d]) {
                 group[d] = authz;
                 setd = true;
+                break;
             }
         }
         if (!setd) {
@@ -197,6 +204,8 @@ module.exports = async (client, userOpts) => {
         }
     });
 
+    // log(`domainSets:${JSON.stringify(domainSets)}`);
+
     const allChallengePromises = [];
     // eslint-disable-next-line no-restricted-syntax
     for (const domainSet of domainSets) {
@@ -233,28 +242,52 @@ module.exports = async (client, userOpts) => {
         return Promise.all(results);
     }
 
-    log(`开始challenge，共${allChallengePromises.length}组`);
-    let i = 0;
-    // eslint-disable-next-line no-restricted-syntax
-    for (const challengePromises of allChallengePromises) {
-        i += 1;
-        log(`开始第${i}组`);
-        if (opts.signal && opts.signal.aborted) {
-            throw new Error('用户取消');
-        }
+    try {
+        log(`开始challenge，共${allChallengePromises.length}组`);
+        let i = 0;
+        // eslint-disable-next-line no-restricted-syntax
+        for (const challengePromises of allChallengePromises) {
+            i += 1;
+            log(`开始第${i}组`);
+            if (opts.signal && opts.signal.aborted) {
+                throw new Error('用户取消');
+            }
 
-        try {
-            // eslint-disable-next-line no-await-in-loop
-            await runPromisePa(challengePromises);
-        }
-        catch (e) {
-            log(`证书申请失败${e.message}`);
-            throw e;
+            try {
+                // eslint-disable-next-line no-await-in-loop
+                await runPromisePa(challengePromises);
+            }
+            catch (e) {
+                log(`证书申请失败${e.message}`);
+                throw e;
+            }
+            finally {
+                if (client.opts.sslProvider !== 'google') {
+                    // letsencrypt 如果同时检出两个TXT记录，会以第一个为准，就会校验失败，所以需要提前删除
+                    // zerossl 此方式测试无问题
+                    log(`清理challenge痕迹，length:${clearTasks.length}`);
+                    try {
+                        // eslint-disable-next-line no-await-in-loop
+                        await runAllPromise(clearTasks);
+                    }
+                    catch (e) {
+                        log('清理challenge失败');
+                        log(e);
+                    }
+                }
+            }
         }
-        finally {
+    }
+    finally {
+        if (client.opts.sslProvider === 'google') {
+            // google 相同的域名txt记录是一样的，不能提前删除，否则校验失败，报错如下
+            //  Error: The TXT record retrieved from _acme-challenge.bbc.handsfree.work.
+            //  at the time the challenge was validated did not contain JshHVu7dt_DT6uYILWhokHefFVad2Q6Mw1L-fNZFcq8
+            //  (the base64url-encoded SHA-256 digest of RlJZNBR0LWnxNK_xd2zqtYVvCiNJOKJ3J1NmCjU_9BjaUJgL3k-qSpIhQ-uF4FBS.NRyqT8fRiq6THzzrvkgzgR5Xai2LsA2SyGLAq_wT3qc).
+            //  See https://tools.ietf.org/html/rfc8555#section-8.4 for more information.
             log(`清理challenge痕迹，length:${clearTasks.length}`);
             try {
-                // eslint-disable-next-line no-await-in-loop
+            // eslint-disable-next-line no-await-in-loop
                 await runAllPromise(clearTasks);
             }
             catch (e) {
@@ -263,6 +296,7 @@ module.exports = async (client, userOpts) => {
             }
         }
     }
+
     log('challenge结束');
 
     // log('[auto] Waiting for challenge valid status');

package/src/axios.js

@@ -1,11 +1,11 @@
 /**
  * Axios instance
  */
-
 const axios = require('axios');
 const { parseRetryAfterHeader } = require('./util');
 const { log } = require('./logger');
 const pkg = require('./../package.json');
+const Agents = require('./agents');
 
 const { AxiosError } = axios;
 
@@ -24,8 +24,8 @@ instance.defaults.acmeSettings = {
     httpsChallengePort: 443,
     tlsAlpnChallengePort: 443,
 
-    retryMaxAttempts: 5,
-    retryDefaultDelay: 5,
+    retryMaxAttempts: 3,
+    retryDefaultDelay: 3,
 };
 // instance.defaults.proxy = {
 //     host: '192.168.34.139',
@@ -56,19 +56,26 @@ function isRetryableError(error) {
 
 /* https://github.com/axios/axios/blob/main/lib/core/settle.js */
 function validateStatus(response) {
-    const validator = response.config.retryValidateStatus;
-
+    if (!response) {
+        return new Error('Response is undefined');
+    }
+    let validator = null;
+    if (response.config) {
+        validator = response.config.retryValidateStatus;
+    }
     if (!response.status || !validator || validator(response.status)) {
         return response;
     }
 
-    throw new AxiosError(
+    const err = new AxiosError(
         `Request failed with status code ${response.status}`,
         (Math.floor(response.status / 100) === 4) ? AxiosError.ERR_BAD_REQUEST : AxiosError.ERR_BAD_RESPONSE,
         response.config,
         response.request,
         response,
     );
+
+    throw new Agents.HttpError(err);
 }
 
 /* Pass all responses through the error interceptor */
@@ -76,8 +83,17 @@ instance.interceptors.request.use((config) => {
     if (!('retryValidateStatus' in config)) {
         config.retryValidateStatus = config.validateStatus;
     }
-
     config.validateStatus = () => false;
+
+    const agents = Agents.getGlobalAgents();
+    // if (config.skipSslVerify) {
+    //     logger.info('跳过SSL验证');
+    //     agents = createAgent({ rejectUnauthorized: false } as any);
+    // }
+    // delete config.skipSslVerify;
+    config.httpsAgent = agents.httpsAgent;
+    config.httpAgent = agents.httpAgent;
+    config.proxy = false; // 必须 否则还会走一层代理，
     return config;
 });
 
@@ -86,7 +102,7 @@ instance.interceptors.response.use(null, async (error) => {
     const { config, response } = error;
 
     if (!config) {
-        return Promise.reject(error);
+        return Promise.reject(new Agents.HttpError(error));
     }
 
     /* Pick up errors we want to retry */
@@ -115,6 +131,9 @@ instance.interceptors.response.use(null, async (error) => {
         }
     }
 
+    if (!response) {
+        return Promise.reject(new Agents.HttpError(error));
+    }
     /* Validate and return response */
     return validateStatus(response);
 });

package/src/client.js

@@ -558,6 +558,7 @@ class AcmeClient {
 
         const verifyFn = async (abort) => {
             if (this.opts.signal && this.opts.signal.aborted) {
+                abort();
                 throw new Error('用户取消');
             }
 

package/src/http.js

@@ -3,21 +3,9 @@
  */
 
 const { createHmac, createSign, constants: { RSA_PKCS1_PADDING } } = require('crypto');
-const { HttpsProxyAgent } = require('https-proxy-agent');
 const { getJwk } = require('./crypto');
 const { log } = require('./logger');
-const axios1 = require('./axios');
-
-const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy;
-let httpsAgent = null;
-if (httpsProxy) {
-    httpsAgent = new HttpsProxyAgent(httpsProxy);
-    log(`use https_proxy:${httpsProxy}`);
-}
-const axios = axios1.create({
-    proxy: false,
-    httpsAgent,
-});
+const axios = require('./axios');
 
 /**
  * ACME HTTP client

package/src/index.js

@@ -39,6 +39,7 @@ exports.forge = require('./crypto/forge');
  */
 
 exports.axios = require('./axios');
+exports.agents = require('./agents');
 
 /**
  * Logger

package/src/logger.js

@@ -22,7 +22,7 @@ exports.setLogger = (fn) => {
  * @param {string} msg Message
  */
 
-exports.log = (msg) => {
-    debug(msg);
-    logger(msg);
+exports.log = (...msg) => {
+    debug(...msg);
+    logger(...msg);
 };

package/types/index.d.ts

@@ -37,6 +37,7 @@ export type UrlMapping={
  */
 
 export interface ClientOptions {
+    sslProvider:string;
     directoryUrl: string;
     accountKey: PrivateKeyBuffer | PrivateKeyString;
     accountUrl?: string;
@@ -192,6 +193,7 @@ export const forge: CryptoLegacyInterface;
 
 export const axios: AxiosInstance;
 
+export const agents: any;
 /**
  * Logger
  */