Let's Encrypt auto certificate HTTP-01 challenge #16

src/tls/acme.rs

@@ -0,0 +1,2 @@
+pub mod account;
+pub mod order;

src/tls/acme/account.rs

@@ -0,0 +1,58 @@
+use instant_acme::{Account, AccountCredentials, LetsEncrypt, NewAccount};
+use log::info;
+use std::fs;
+use std::path::Path;
+use std::sync::OnceLock;
+
+static ACCOUNT: OnceLock<Account> = OnceLock::new();
+
+pub async fn get_account(file: &str) -> Result<&'static Account, Box<dyn std::error::Error>> {
+    if let Some(account) = ACCOUNT.get() {
+        return Ok(account);
+    }
+    if let Some(credentials) = load_credentials(file) {
+        let acc_builder = Account::builder()?;
+        let account = acc_builder.from_credentials(credentials).await?;
+        let _ = ACCOUNT.set(account);
+        info!("Loaded existing ACME account");
+    } else {
+        info!("No existing credentials found, creating new account");
+        create_account(file).await?;
+    }
+
+    ACCOUNT.get().ok_or("Failed to initialize account".into())
+}
+
+async fn create_account(file: &str) -> Result<(), Box<dyn std::error::Error>> {
+    let new_account = NewAccount {
+        contact: &[],
+        terms_of_service_agreed: true,
+        only_return_existing: false,
+    };
+    let acc_builder = Account::builder()?;
+    let (account, credentials) = acc_builder.create(&new_account, LetsEncrypt::Production.url().to_string(), None).await?;
+    // let (account, credentials) = acc_builder.create(&new_account, LetsEncrypt::Staging.url().to_string(), None).await?;
+    info!("Account created: {:?}", account.id());
+    save_credentials(&credentials, file)?;
+    let _ = ACCOUNT.set(account);
+    Ok(())
+}
+
+pub async fn load_or_create(file: &str) -> Result<String, Box<dyn std::error::Error>> {
+    let account = get_account(file).await?;
+    Ok(account.id().to_string() + "\n")
+}
+
+fn save_credentials(credentials: &AccountCredentials, file: &str) -> Result<(), Box<dyn std::error::Error>> {
+    let json = serde_json::to_string_pretty(credentials)?;
+    fs::write(file, json)?;
+    info!("ACME credentials saved to {}", file);
+    Ok(())
+}
+fn load_credentials(file: &str) -> Option<AccountCredentials> {
+    if !Path::new(file).exists() {
+        return None;
+    }
+    let json = fs::read_to_string(file).ok()?;
+    serde_json::from_str(&json).ok()
+}

src/tls/acme/order.rs

@@ -0,0 +1,94 @@
+use crate::tls::acme::account::get_account;
+use crate::utils::parceyaml::DOMAINS;
+use instant_acme::{ChallengeType, Identifier, NewOrder, RetryPolicy};
+use log::{error, info};
+use pingora::prelude::sleep;
+use rcgen::{CertificateParams, DistinguishedName, KeyPair};
+use std::collections::HashMap;
+use std::fs;
+use std::sync::{LazyLock, RwLock};
+use std::time::Duration;
+use x509_parser::prelude::*;
+
+pub static CHALLENGES: LazyLock<RwLock<HashMap<String, String>>> = LazyLock::new(|| RwLock::new(HashMap::new()));
+
+pub async fn refresh_order(certs_dir: String, autoconf_dir: String) {
+    let credsfile = autoconf_dir + "/acme_credentials.json";
+    loop {
+        for item in DOMAINS.iter() {
+            let _what = order(item.key(), credsfile.as_str(), certs_dir.clone()).await;
+        }
+        sleep(Duration::from_secs(12 * 3600)).await;
+    }
+}
+pub async fn order(domain: &str, credsfile: &str, certs_dir: String) -> Result<String, Box<dyn std::error::Error>> {
+    let crt = certs_dir.clone() + "/" + domain + ".crt";
+    let key = certs_dir.clone() + "/" + domain + ".key";
+
+    if let None = DOMAINS.get(domain) {
+        DOMAINS.insert(domain.to_string(), true);
+        let mut newlist: Vec<String> = Vec::new();
+        for item in DOMAINS.iter() {
+            newlist.push(item.key().to_string());
+        }
+        if let Ok(json_content) = serde_json::to_string_pretty(&newlist) {
+            let autocfg_file = credsfile.replace("/acme_credentials.json", "/domains.json");
+            if let Err(err) = std::fs::write(&autocfg_file, json_content) {
+                error!("Error Updating domains for certificates: {} : {}", domain, err);
+                return Err(Box::from(err));
+            }
+        }
+    }
+
+    let _ = match cert_expiry(crt.as_str()) {
+        Ok(expiry) => {
+            let now = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH)?.as_secs();
+            if expiry > now + 30 * 24 * 3600 {
+                // println!("Fresh certificate exists. Not renewing !");
+                return Ok("Fresh certificate exists. Not renewing ! \n".to_string());
+            }
+        }
+        Err(_) => {}
+    };
+
+    let account = get_account(credsfile).await?;
+    let mut order = account.new_order(&NewOrder::new(&[Identifier::Dns(domain.to_string())])).await?;
+
+    let mut authorizations = order.authorizations();
+    while let Some(auth) = authorizations.next().await {
+        let mut auth = auth?;
+        let mut challenge_handle = auth.challenge(ChallengeType::Http01).ok_or("no http01 challenge found")?;
+        let key_auth = challenge_handle.key_authorization();
+        let key_auth_str = key_auth.as_str().to_string();
+        let token = key_auth_str.split('.').next().ok_or("invalid key authorization")?.to_string();
+        CHALLENGES.write().unwrap().insert(token, key_auth_str);
+        challenge_handle.set_ready().await?;
+    }
+
+    let status = order.poll_ready(&RetryPolicy::default()).await?;
+    info!("ACME poll_ready status: {:?}", status);
+
+    let mut params = CertificateParams::new(vec![domain.to_owned()])?;
+    params.distinguished_name = DistinguishedName::new();
+    let private_key = KeyPair::generate()?;
+    let signing_request = params.serialize_request(&private_key)?;
+    let csr_der = signing_request.der();
+    order.finalize_csr(&csr_der).await?;
+
+    // poll for certificate
+    let cert_chain_pem = order.poll_certificate(&RetryPolicy::default()).await?;
+    CHALLENGES.write().unwrap().clear();
+    let private_key_pem = private_key.serialize_pem();
+
+    fs::write(crt, cert_chain_pem)?;
+    fs::write(key, private_key_pem)?;
+    Ok("Certificate is successfully generated \n".to_string())
+}
+
+fn cert_expiry(path: &str) -> Result<u64, Box<dyn std::error::Error>> {
+    let pem = fs::read(path)?;
+    let (_, pem) = parse_x509_pem(&pem)?;
+    let (_, cert) = parse_x509_certificate(&pem.contents)?;
+    let expiry = cert.validity().not_after.timestamp() as u64;
+    Ok(expiry)
+}

src/tls/load.rs

@@ -17,14 +17,14 @@ pub struct CertificateConfig {
 }
 
 #[derive(Debug)]
-struct CertificateInfo {
-    common_names: Vec<String>,
-    alt_names: Vec<String>,
-    ssl_context: SslContext,
+pub struct CertificateInfo {
+    pub common_names: Vec<String>,
+    pub alt_names: Vec<String>,
+    pub ssl_context: SslContext,
     #[allow(dead_code)]
-    cert_path: String, // Only used for logging
+    pub cert_path: String, // Only used for logging
     #[allow(dead_code)]
-    key_path: String, // Only used for logging
+    pub key_path: String, // Only used for logging
 }
 
 #[derive(Debug)]
@@ -105,7 +105,7 @@ impl Certificates {
     }
 }
 
-fn load_cert_info(cert_path: &str, key_path: &str, _grade: &str) -> Option<CertificateInfo> {
+pub fn load_cert_info(cert_path: &str, key_path: &str, _grade: &str) -> Option<CertificateInfo> {
     let mut common_names = HashSet::new();
     let mut alt_names = HashSet::new();