querysub 0.437.0 → 0.438.0

package/src/-e-certs/certAuthority.ts

@@ -1,201 +1,201 @@
-import acme from "acme-client";
-import { generateRSAKeyPair, parseCert, privateKeyToPem } from "../-a-auth/certs";
-import { cache, lazy } from "socket-function/src/caching";
-import { hasDNSWritePermissions, setRecord } from "../-b-authorities/dnsAuthority";
-import { magenta } from "socket-function/src/formatting/logColors";
-import { createKeyStore } from "../persistentLocalStore";
-import { getArchives } from "../-a-archives/archives";
-import { isNoNetwork } from "../config";
-import { formatDateTime, formatTime } from "socket-function/src/formatting/format";
-import { delay } from "socket-function/src/batching";
-import { timeInMinute } from "socket-function/src/misc";
-
-const archives = lazy(() => getArchives(`https_certs_3/`));
-// Expire EXPIRATION_THRESHOLD% of the way through the certificate's lifetime
-const EXPIRATION_THRESHOLD = 0.4;
-
-export const getHTTPSKeyCert = cache(async (domain: string): Promise<{ key: string; cert: string }> => {
-    if (!await hasDNSWritePermissions()) {
-        throw new Error(`Cannot generate HTTPS key and cert unless we have DNS write permissions (need credentials in archives, at b2:/keys/cloudflare.json)`);
-    }
-    if (!domain.endsWith(".")) {
-        domain = domain + ".";
-    }
-    let keyCert: { key: string; cert: string } | undefined;
-
-    try {
-        let keyCertJSON = await archives().get(domain);
-        if (keyCertJSON) {
-            keyCert = JSON.parse(keyCertJSON.toString());
-        }
-    } catch { }
-    if (keyCert) {
-        // If 40% of the lifetime has passed, renew it (has to be < the threshold
-        //  in EdgeCertController).
-        let certObj = parseCert(keyCert.cert);
-        let expirationTime = +new Date(certObj.validity.notAfter);
-        let createTime = +new Date(certObj.validity.notBefore);
-        let renewDate = createTime + (expirationTime - createTime) * EXPIRATION_THRESHOLD;
-        if (renewDate < Date.now()) {
-            console.log(magenta(`Renewing domain ${domain} (renew target is ${formatDateTime(renewDate)}).`));
-            keyCert = undefined;
-        }
-        if (keyCert) {
-            let timeUntilRenew = renewDate - Date.now();
-            setTimeout(() => {
-                console.log(magenta(`Clearing getHTTPSKeyCert to try to renew ${domain} (renew target is ${formatDateTime(renewDate)}).`));
-                getHTTPSKeyCert.clear(domain);
-                void getHTTPSKeyCert(domain);
-            }, Math.min(Math.floor(timeUntilRenew * 1.1), 2 ** 30));
-        }
-    } else {
-        console.log(magenta(`No cert found for domain ${domain}, generating shortly.`));
-    }
-    if (keyCert) {
-        return keyCert;
-    }
-
-    const accountKey = getAccountKey();
-    let altDomains: string[] = [];
-
-    // // NOTE: Allowing local access is just an optimization, not to avoid having to forward ports
-    // //  (unless you type 127-0-0-1.domain into the browser... then I guess you don't have to forward ports?)
-    // altDomains.push("127-0-0-1." + domain);
-
-    // NOTE: I forget why we were not allowing wildcard domains. I think it was to prevent
-    //  any HTTPS domains from impersonating servers. But... servers have two levels, so that isn't
-    //  an issue. And even if they didn't they store their public key in their domain, so you
-    //  can't really impersonate them anyways...
-    //  - AND, we need this for IP type A records, which... we need to pick the server we want
-    //      to connect to.
-    altDomains.push("*." + domain);
-
-    let isPending = await archives().getInfo(domain + "_pending");
-    if (isPending && isPending.writeTime > Date.now() - timeInMinute * 10) {
-        let pendingTime = +isPending.toString();
-        // Wait 2 minutes
-        let waitTime = Math.max(0, pendingTime - Date.now() + timeInMinute * 2);
-        if (waitTime) {
-            console.log(`getHTTPSKeyCert pending in another process, waiting ${formatTime(waitTime)} for other process to create certificate`);
-            await delay(waitTime);
-            return await getHTTPSKeyCert(domain);
-        }
-    }
-    let pendingTime = Date.now().toString();
-    await archives().set(domain + "_pending", Buffer.from(pendingTime));
-    // Wait a bit, and then make sure we are the last to write to pending. This helps a lot with
-    //      race conditions (although they can still happen).
-    {
-        await delay(10 * 1000);
-        let pendingValue = await archives().get(domain + "_pending");
-        if (pendingValue && pendingValue.toString() !== pendingTime) {
-            return await getHTTPSKeyCert(domain);
-        }
-    }
-    try {
-        keyCert = await generateCert({ accountKey, domain, altDomains });
-        await archives().del(domain + "_pending");
-    } catch (e) {
-        if (String(e).includes("authorization must be pending")) {
-            console.log(`Authorization appears to be pending, waiting 2 minutes for other process to create certificate`);
-            await delay(timeInMinute * 2);
-            return await getHTTPSKeyCert(domain);
-        }
-        throw e;
-    }
-    await archives().set(domain, Buffer.from(JSON.stringify(keyCert)));
-    return keyCert;
-});
-
-let accountKeyCache = createKeyStore<{ key: string }>("letsEncryptAccountKey_1");
-let getAccountKey: () => string = lazy(() => {
-    let keyCache = accountKeyCache.value;
-    if (!keyCache) {
-        console.log(`Generating new letsencrypt account key`);
-        const keyPair = generateRSAKeyPair();
-        keyCache = { key: privateKeyToPem(keyPair.privateKey) };
-        accountKeyCache.value = keyCache;
-    }
-    return keyCache.key;
-});
-
-async function generateCert(config: {
-    accountKey: string;
-    domain: string;
-    altDomains?: string[];
-}): Promise<{
-    domains: string[];
-    key: string;
-    cert: string;
-}> {
-    let { accountKey, domain } = config;
-
-    console.log(magenta(`Generating new cert for ${domain}`));
-
-    let domainList = [domain, ...config.altDomains || []];
-    // Strip trailing "."
-    domainList = domainList.map(x => x.endsWith(".") ? x.slice(0, -1) : x);
-
-    const [certificateKey, certificateCsr] = await acme.forge.createCsr({
-        commonName: domainList[0],
-        altNames: domainList.slice(1),
-    });
-
-    // So... acme-client is fine. Just re-implement the "auto" mode ourselves, to have more control over it.
-    const client = new acme.Client({
-        directoryUrl: acme.directory.letsencrypt.production,
-        accountKey: accountKey,
-    });
-
-    const accountPayload = {
-        termsOfServiceAgreed: true,
-        contact: [`mailto:sliftist@gmail.com`],
-    };
-
-    try {
-        await client.getAccountUrl();
-    } catch {
-        await client.createAccount(accountPayload);
-    }
-
-    const orderPayload = {
-        identifiers: domainList.map(domain => ({ type: "dns", value: domain })),
-    };
-    const order = await client.createOrder(orderPayload);
-    const authorizations = await client.getAuthorizations(order);
-
-    for (let auth of authorizations) {
-        if (auth.status === "valid") {
-            console.log(`Authorization already valid for ${auth.identifier.value}`);
-            continue;
-        }
-        console.log(`Starting authorization for ${auth.identifier.value}`);
-
-        // Only use DNS authorization
-        let challenge = auth.challenges.find(x => x.type === "dns-01");
-        if (!challenge) {
-            throw new Error("No DNS challenge found");
-        }
-        const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
-
-        let hostname = auth.identifier.value;
-        let challengeRecordName = "_acme-challenge." + hostname + ".";
-        await setRecord("TXT", challengeRecordName, keyAuthorization);
-
-        await client.completeChallenge(challenge);
-        console.log(`Challenge completed`);
-
-        await client.waitForValidStatus(challenge);
-        console.log(`Status of order is valid`);
-    }
-
-    const finalized = await client.finalizeOrder(order, certificateCsr);
-    console.log(`Order finalized`);
-
-    let cert = await client.getCertificate(finalized);
-    return {
-        domains: domainList,
-        key: certificateKey.toString(),
-        cert: cert,
-    };
-}
+import acme from "acme-client";
+import { generateRSAKeyPair, parseCert, privateKeyToPem } from "../-a-auth/certs";
+import { cache, lazy } from "socket-function/src/caching";
+import { hasDNSWritePermissions, setRecord } from "../-b-authorities/dnsAuthority";
+import { magenta } from "socket-function/src/formatting/logColors";
+import { createKeyStore } from "../persistentLocalStore";
+import { getArchives } from "../-a-archives/archives";
+import { isNoNetwork } from "../config";
+import { formatDateTime, formatTime } from "socket-function/src/formatting/format";
+import { delay } from "socket-function/src/batching";
+import { timeInMinute } from "socket-function/src/misc";
+
+const archives = lazy(() => getArchives(`https_certs_3/`));
+// Expire EXPIRATION_THRESHOLD% of the way through the certificate's lifetime
+const EXPIRATION_THRESHOLD = 0.4;
+
+export const getHTTPSKeyCert = cache(async (domain: string): Promise<{ key: string; cert: string }> => {
+    if (!await hasDNSWritePermissions()) {
+        throw new Error(`Cannot generate HTTPS key and cert unless we have DNS write permissions (need credentials in archives, at b2:/keys/cloudflare.json)`);
+    }
+    if (!domain.endsWith(".")) {
+        domain = domain + ".";
+    }
+    let keyCert: { key: string; cert: string } | undefined;
+
+    try {
+        let keyCertJSON = await archives().get(domain);
+        if (keyCertJSON) {
+            keyCert = JSON.parse(keyCertJSON.toString());
+        }
+    } catch { }
+    if (keyCert) {
+        // If 40% of the lifetime has passed, renew it (has to be < the threshold
+        //  in EdgeCertController).
+        let certObj = parseCert(keyCert.cert);
+        let expirationTime = +new Date(certObj.validity.notAfter);
+        let createTime = +new Date(certObj.validity.notBefore);
+        let renewDate = createTime + (expirationTime - createTime) * EXPIRATION_THRESHOLD;
+        if (renewDate < Date.now()) {
+            console.log(magenta(`Renewing domain ${domain} (renew target is ${formatDateTime(renewDate)}).`));
+            keyCert = undefined;
+        }
+        if (keyCert) {
+            let timeUntilRenew = renewDate - Date.now();
+            setTimeout(() => {
+                console.log(magenta(`Clearing getHTTPSKeyCert to try to renew ${domain} (renew target is ${formatDateTime(renewDate)}).`));
+                getHTTPSKeyCert.clear(domain);
+                void getHTTPSKeyCert(domain);
+            }, Math.min(Math.floor(timeUntilRenew * 1.1), 2 ** 30));
+        }
+    } else {
+        console.log(magenta(`No cert found for domain ${domain}, generating shortly.`));
+    }
+    if (keyCert) {
+        return keyCert;
+    }
+
+    const accountKey = getAccountKey();
+    let altDomains: string[] = [];
+
+    // // NOTE: Allowing local access is just an optimization, not to avoid having to forward ports
+    // //  (unless you type 127-0-0-1.domain into the browser... then I guess you don't have to forward ports?)
+    // altDomains.push("127-0-0-1." + domain);
+
+    // NOTE: I forget why we were not allowing wildcard domains. I think it was to prevent
+    //  any HTTPS domains from impersonating servers. But... servers have two levels, so that isn't
+    //  an issue. And even if they didn't they store their public key in their domain, so you
+    //  can't really impersonate them anyways...
+    //  - AND, we need this for IP type A records, which... we need to pick the server we want
+    //      to connect to.
+    altDomains.push("*." + domain);
+
+    let isPending = await archives().getInfo(domain + "_pending");
+    if (isPending && isPending.writeTime > Date.now() - timeInMinute * 10) {
+        let pendingTime = +isPending.toString();
+        // Wait 2 minutes
+        let waitTime = Math.max(0, pendingTime - Date.now() + timeInMinute * 2);
+        if (waitTime) {
+            console.log(`getHTTPSKeyCert pending in another process, waiting ${formatTime(waitTime)} for other process to create certificate`);
+            await delay(waitTime);
+            return await getHTTPSKeyCert(domain);
+        }
+    }
+    let pendingTime = Date.now().toString();
+    await archives().set(domain + "_pending", Buffer.from(pendingTime));
+    // Wait a bit, and then make sure we are the last to write to pending. This helps a lot with
+    //      race conditions (although they can still happen).
+    {
+        await delay(10 * 1000);
+        let pendingValue = await archives().get(domain + "_pending");
+        if (pendingValue && pendingValue.toString() !== pendingTime) {
+            return await getHTTPSKeyCert(domain);
+        }
+    }
+    try {
+        keyCert = await generateCert({ accountKey, domain, altDomains });
+        await archives().del(domain + "_pending");
+    } catch (e) {
+        if (String(e).includes("authorization must be pending")) {
+            console.log(`Authorization appears to be pending, waiting 2 minutes for other process to create certificate`);
+            await delay(timeInMinute * 2);
+            return await getHTTPSKeyCert(domain);
+        }
+        throw e;
+    }
+    await archives().set(domain, Buffer.from(JSON.stringify(keyCert)));
+    return keyCert;
+});
+
+let accountKeyCache = createKeyStore<{ key: string }>("letsEncryptAccountKey_1");
+let getAccountKey: () => string = lazy(() => {
+    let keyCache = accountKeyCache.value;
+    if (!keyCache) {
+        console.log(`Generating new letsencrypt account key`);
+        const keyPair = generateRSAKeyPair();
+        keyCache = { key: privateKeyToPem(keyPair.privateKey) };
+        accountKeyCache.value = keyCache;
+    }
+    return keyCache.key;
+});
+
+async function generateCert(config: {
+    accountKey: string;
+    domain: string;
+    altDomains?: string[];
+}): Promise<{
+    domains: string[];
+    key: string;
+    cert: string;
+}> {
+    let { accountKey, domain } = config;
+
+    console.log(magenta(`Generating new cert for ${domain}`));
+
+    let domainList = [domain, ...config.altDomains || []];
+    // Strip trailing "."
+    domainList = domainList.map(x => x.endsWith(".") ? x.slice(0, -1) : x);
+
+    const [certificateKey, certificateCsr] = await acme.forge.createCsr({
+        commonName: domainList[0],
+        altNames: domainList.slice(1),
+    });
+
+    // So... acme-client is fine. Just re-implement the "auto" mode ourselves, to have more control over it.
+    const client = new acme.Client({
+        directoryUrl: acme.directory.letsencrypt.production,
+        accountKey: accountKey,
+    });
+
+    const accountPayload = {
+        termsOfServiceAgreed: true,
+        contact: [`mailto:sliftist@gmail.com`],
+    };
+
+    try {
+        await client.getAccountUrl();
+    } catch {
+        await client.createAccount(accountPayload);
+    }
+
+    const orderPayload = {
+        identifiers: domainList.map(domain => ({ type: "dns", value: domain })),
+    };
+    const order = await client.createOrder(orderPayload);
+    const authorizations = await client.getAuthorizations(order);
+
+    for (let auth of authorizations) {
+        if (auth.status === "valid") {
+            console.log(`Authorization already valid for ${auth.identifier.value}`);
+            continue;
+        }
+        console.log(`Starting authorization for ${auth.identifier.value}`);
+
+        // Only use DNS authorization
+        let challenge = auth.challenges.find(x => x.type === "dns-01");
+        if (!challenge) {
+            throw new Error("No DNS challenge found");
+        }
+        const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
+
+        let hostname = auth.identifier.value;
+        let challengeRecordName = "_acme-challenge." + hostname + ".";
+        await setRecord("TXT", challengeRecordName, keyAuthorization);
+
+        await client.completeChallenge(challenge);
+        console.log(`Challenge completed`);
+
+        await client.waitForValidStatus(challenge);
+        console.log(`Status of order is valid`);
+    }
+
+    const finalized = await client.finalizeOrder(order, certificateCsr);
+    console.log(`Order finalized`);
+
+    let cert = await client.getCertificate(finalized);
+    return {
+        domains: domainList,
+        key: certificateKey.toString(),
+        cert: cert,
+    };
+}