1 // Copyright 2016 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4 5 // Package autocert provides automatic access to certificates from Let's Encrypt
6 // and any other ACME-based CA.
7 //
8 // This package is a work in progress and makes no API stability promises.
9 package autocert
10 11 import (
12 "bytes"
13 "context"
14 "crypto"
15 "crypto/ecdsa"
16 "crypto/elliptic"
17 "crypto/rand"
18 "crypto/rsa"
19 "crypto/tls"
20 "crypto/x509"
21 "crypto/x509/pkix"
22 "encoding/pem"
23 "errors"
24 "fmt"
25 "io"
26 mathrand "math/rand"
27 "net"
28 "net/http"
29 "path"
30 "strings"
31 "sync"
32 "time"
33 34 "golang.org/x/crypto/acme"
35 "golang.org/x/net/idna"
36 )
37 38 // DefaultACMEDirectory is the default ACME Directory URL used when the Manager's Client is nil.
39 const DefaultACMEDirectory = "https://acme-v02.api.letsencrypt.org/directory"
40 41 // createCertRetryAfter is how much time to wait before removing a failed state
42 // entry due to an unsuccessful createCert call.
43 // This is a variable instead of a const for testing.
44 // TODO: Consider making it configurable or an exp backoff?
45 var createCertRetryAfter = time.Minute
46 47 // pseudoRand is safe for concurrent use.
48 var pseudoRand *lockedMathRand
49 50 var errPreRFC = errors.New("autocert: ACME server doesn't support RFC 8555")
51 52 func init() {
53 src := mathrand.NewSource(time.Now().UnixNano())
54 pseudoRand = &lockedMathRand{rnd: mathrand.New(src)}
55 }
56 57 // AcceptTOS is a Manager.Prompt function that always returns true to
58 // indicate acceptance of the CA's Terms of Service during account
59 // registration.
60 func AcceptTOS(tosURL string) bool { return true }
61 62 // HostPolicy specifies which host names the Manager is allowed to respond to.
63 // It returns a non-nil error if the host should be rejected.
64 // The returned error is accessible via tls.Conn.Handshake and its callers.
65 // See Manager's HostPolicy field and GetCertificate method docs for more details.
66 type HostPolicy func(ctx context.Context, host string) error
67 68 // HostWhitelist returns a policy where only the specified host names are allowed.
69 // Only exact matches are currently supported. Subdomains, regexp or wildcard
70 // will not match.
71 //
72 // Note that all hosts will be converted to Punycode via idna.Lookup.ToASCII so that
73 // Manager.GetCertificate can handle the Unicode IDN and mixedcase hosts correctly.
74 // Invalid hosts will be silently ignored.
75 func HostWhitelist(hosts ...string) HostPolicy {
76 whitelist := make(map[string]bool, len(hosts))
77 for _, h := range hosts {
78 if h, err := idna.Lookup.ToASCII(h); err == nil {
79 whitelist[h] = true
80 }
81 }
82 return func(_ context.Context, host string) error {
83 if !whitelist[host] {
84 return fmt.Errorf("acme/autocert: host %q not configured in HostWhitelist", host)
85 }
86 return nil
87 }
88 }
89 90 // defaultHostPolicy is used when Manager.HostPolicy is not set.
91 func defaultHostPolicy(context.Context, string) error {
92 return nil
93 }
94 95 // Manager is a stateful certificate manager built on top of acme.Client.
96 // It obtains and refreshes certificates automatically using "tls-alpn-01"
97 // or "http-01" challenge types, as well as providing them to a TLS server
98 // via tls.Config.
99 //
100 // You must specify a cache implementation, such as DirCache,
101 // to reuse obtained certificates across program restarts.
102 // Otherwise your server is very likely to exceed the certificate
103 // issuer's request rate limits.
104 type Manager struct {
105 // Prompt specifies a callback function to conditionally accept a CA's Terms of Service (TOS).
106 // The registration may require the caller to agree to the CA's TOS.
107 // If so, Manager calls Prompt with a TOS URL provided by the CA. Prompt should report
108 // whether the caller agrees to the terms.
109 //
110 // To always accept the terms, the callers can use AcceptTOS.
111 Prompt func(tosURL string) bool
112 113 // Cache optionally stores and retrieves previously-obtained certificates
114 // and other state. If nil, certs will only be cached for the lifetime of
115 // the Manager. Multiple Managers can share the same Cache.
116 //
117 // Using a persistent Cache, such as DirCache, is strongly recommended.
118 Cache Cache
119 120 // HostPolicy controls which domains the Manager will attempt
121 // to retrieve new certificates for. It does not affect cached certs.
122 //
123 // If non-nil, HostPolicy is called before requesting a new cert.
124 // If nil, all hosts are currently allowed. This is not recommended,
125 // as it opens a potential attack where clients connect to a server
126 // by IP address and pretend to be asking for an incorrect host name.
127 // Manager will attempt to obtain a certificate for that host, incorrectly,
128 // eventually reaching the CA's rate limit for certificate requests
129 // and making it impossible to obtain actual certificates.
130 //
131 // See GetCertificate for more details.
132 HostPolicy HostPolicy
133 134 // RenewBefore optionally specifies how early certificates should
135 // be renewed before they expire.
136 //
137 // If zero, they're renewed at the lesser of 30 days or
138 // 1/3 of the certificate lifetime.
139 RenewBefore time.Duration
140 141 // Client is used to perform low-level operations, such as account registration
142 // and requesting new certificates.
143 //
144 // If Client is nil, a zero-value acme.Client is used with DefaultACMEDirectory
145 // as the directory endpoint.
146 // If the Client.Key is nil, a new ECDSA P-256 key is generated and,
147 // if Cache is not nil, stored in cache.
148 //
149 // Mutating the field after the first call of GetCertificate method will have no effect.
150 Client *acme.Client
151 152 // Email optionally specifies a contact email address.
153 // This is used by CAs, such as Let's Encrypt, to notify about problems
154 // with issued certificates.
155 //
156 // If the Client's account key is already registered, Email is not used.
157 Email string
158 159 // ForceRSA used to make the Manager generate RSA certificates. It is now ignored.
160 //
161 // Deprecated: the Manager will request the correct type of certificate based
162 // on what each client supports.
163 ForceRSA bool
164 165 // ExtraExtensions are used when generating a new CSR (Certificate Request),
166 // thus allowing customization of the resulting certificate.
167 // For instance, TLS Feature Extension (RFC 7633) can be used
168 // to prevent an OCSP downgrade attack.
169 //
170 // The field value is passed to crypto/x509.CreateCertificateRequest
171 // in the template's ExtraExtensions field as is.
172 ExtraExtensions []pkix.Extension
173 174 // ExternalAccountBinding optionally represents an arbitrary binding to an
175 // account of the CA to which the ACME server is tied.
176 // See RFC 8555, Section 7.3.4 for more details.
177 ExternalAccountBinding *acme.ExternalAccountBinding
178 179 clientMu sync.Mutex
180 client *acme.Client // initialized by acmeClient method
181 182 stateMu sync.Mutex
183 state map[certKey]*certState
184 185 // renewal tracks the set of domains currently running renewal timers.
186 renewalMu sync.Mutex
187 renewal map[certKey]*domainRenewal
188 189 // challengeMu guards tryHTTP01, certTokens and httpTokens.
190 challengeMu sync.RWMutex
191 // tryHTTP01 indicates whether the Manager should try "http-01" challenge type
192 // during the authorization flow.
193 tryHTTP01 bool
194 // httpTokens contains response body values for http-01 challenges
195 // and is keyed by the URL path at which a challenge response is expected
196 // to be provisioned.
197 // The entries are stored for the duration of the authorization flow.
198 httpTokens map[string][]byte
199 // certTokens contains temporary certificates for tls-alpn-01 challenges
200 // and is keyed by the domain name which matches the ClientHello server name.
201 // The entries are stored for the duration of the authorization flow.
202 certTokens map[string]*tls.Certificate
203 204 // nowFunc, if not nil, returns the current time. This may be set for
205 // testing purposes.
206 nowFunc func() time.Time
207 }
208 209 // certKey is the key by which certificates are tracked in state, renewal and cache.
210 type certKey struct {
211 domain string // without trailing dot
212 isRSA bool // RSA cert for legacy clients (as opposed to default ECDSA)
213 isToken bool // tls-based challenge token cert; key type is undefined regardless of isRSA
214 }
215 216 func (c certKey) String() string {
217 if c.isToken {
218 return c.domain + "+token"
219 }
220 if c.isRSA {
221 return c.domain + "+rsa"
222 }
223 return c.domain
224 }
225 226 // TLSConfig creates a new TLS config suitable for net/http.Server servers,
227 // supporting HTTP/2 and the tls-alpn-01 ACME challenge type.
228 func (m *Manager) TLSConfig() *tls.Config {
229 return &tls.Config{
230 GetCertificate: m.GetCertificate,
231 NextProtos: []string{
232 "h2", "http/1.1", // enable HTTP/2
233 acme.ALPNProto, // enable tls-alpn ACME challenges
234 },
235 }
236 }
237 238 // GetCertificate implements the tls.Config.GetCertificate hook.
239 // It provides a TLS certificate for hello.ServerName host, including answering
240 // tls-alpn-01 challenges.
241 // All other fields of hello are ignored.
242 //
243 // If m.HostPolicy is non-nil, GetCertificate calls the policy before requesting
244 // a new cert. A non-nil error returned from m.HostPolicy halts TLS negotiation.
245 // The error is propagated back to the caller of GetCertificate and is user-visible.
246 // This does not affect cached certs. See HostPolicy field description for more details.
247 //
248 // If GetCertificate is used directly, instead of via Manager.TLSConfig, package users will
249 // also have to add acme.ALPNProto to NextProtos for tls-alpn-01, or use HTTPHandler for http-01.
250 func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
251 if m.Prompt == nil {
252 return nil, errors.New("acme/autocert: Manager.Prompt not set")
253 }
254 255 name := hello.ServerName
256 if name == "" {
257 return nil, errors.New("acme/autocert: missing server name")
258 }
259 if !strings.Contains(strings.Trim(name, "."), ".") {
260 return nil, errors.New("acme/autocert: server name component count invalid")
261 }
262 263 // Note that this conversion is necessary because some server names in the handshakes
264 // started by some clients (such as cURL) are not converted to Punycode, which will
265 // prevent us from obtaining certificates for them. In addition, we should also treat
266 // example.com and EXAMPLE.COM as equivalent and return the same certificate for them.
267 // Fortunately, this conversion also helped us deal with this kind of mixedcase problems.
268 //
269 // Due to the "σςΣ" problem (see https://unicode.org/faq/idn.html#22), we can't use
270 // idna.Punycode.ToASCII (or just idna.ToASCII) here.
271 name, err := idna.Lookup.ToASCII(name)
272 if err != nil {
273 return nil, errors.New("acme/autocert: server name contains invalid character")
274 }
275 276 // In the worst-case scenario, the timeout needs to account for caching, host policy,
277 // domain ownership verification and certificate issuance.
278 ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
279 defer cancel()
280 281 // Check whether this is a token cert requested for TLS-ALPN challenge.
282 if wantsTokenCert(hello) {
283 m.challengeMu.RLock()
284 defer m.challengeMu.RUnlock()
285 if cert := m.certTokens[name]; cert != nil {
286 return cert, nil
287 }
288 if cert, err := m.cacheGet(ctx, certKey{domain: name, isToken: true}); err == nil {
289 return cert, nil
290 }
291 // TODO: cache error results?
292 return nil, fmt.Errorf("acme/autocert: no token cert for %q", name)
293 }
294 295 // regular domain
296 if err := m.hostPolicy()(ctx, name); err != nil {
297 return nil, err
298 }
299 300 ck := certKey{
301 domain: strings.TrimSuffix(name, "."), // golang.org/issue/18114
302 isRSA: !supportsECDSA(hello),
303 }
304 cert, err := m.cert(ctx, ck)
305 if err == nil {
306 return cert, nil
307 }
308 if err != ErrCacheMiss {
309 return nil, err
310 }
311 312 // first-time
313 cert, err = m.createCert(ctx, ck)
314 if err != nil {
315 return nil, err
316 }
317 m.cachePut(ctx, ck, cert)
318 return cert, nil
319 }
320 321 // wantsTokenCert reports whether a TLS request with SNI is made by a CA server
322 // for a challenge verification.
323 func wantsTokenCert(hello *tls.ClientHelloInfo) bool {
324 // tls-alpn-01
325 if len(hello.SupportedProtos) == 1 && hello.SupportedProtos[0] == acme.ALPNProto {
326 return true
327 }
328 return false
329 }
330 331 func supportsECDSA(hello *tls.ClientHelloInfo) bool {
332 // The "signature_algorithms" extension, if present, limits the key exchange
333 // algorithms allowed by the cipher suites. See RFC 5246, section 7.4.1.4.1.
334 if hello.SignatureSchemes != nil {
335 ecdsaOK := false
336 schemeLoop:
337 for _, scheme := range hello.SignatureSchemes {
338 const tlsECDSAWithSHA1 tls.SignatureScheme = 0x0203 // constant added in Go 1.10
339 switch scheme {
340 case tlsECDSAWithSHA1, tls.ECDSAWithP256AndSHA256,
341 tls.ECDSAWithP384AndSHA384, tls.ECDSAWithP521AndSHA512:
342 ecdsaOK = true
343 break schemeLoop
344 }
345 }
346 if !ecdsaOK {
347 return false
348 }
349 }
350 if hello.SupportedCurves != nil {
351 ecdsaOK := false
352 for _, curve := range hello.SupportedCurves {
353 if curve == tls.CurveP256 {
354 ecdsaOK = true
355 break
356 }
357 }
358 if !ecdsaOK {
359 return false
360 }
361 }
362 for _, suite := range hello.CipherSuites {
363 switch suite {
364 case tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
365 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
366 tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
367 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
368 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
369 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
370 tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
371 return true
372 }
373 }
374 return false
375 }
376 377 // HTTPHandler configures the Manager to provision ACME "http-01" challenge responses.
378 // It returns an http.Handler that responds to the challenges and must be
379 // running on port 80. If it receives a request that is not an ACME challenge,
380 // it delegates the request to the optional fallback handler.
381 //
382 // If fallback is nil, the returned handler redirects all GET and HEAD requests
383 // to the default TLS port 443 with 302 Found status code, preserving the original
384 // request path and query. It responds with 400 Bad Request to all other HTTP methods.
385 // The fallback is not protected by the optional HostPolicy.
386 //
387 // Because the fallback handler is run with unencrypted port 80 requests,
388 // the fallback should not serve TLS-only requests.
389 //
390 // If HTTPHandler is never called, the Manager will only use the "tls-alpn-01"
391 // challenge for domain verification.
392 func (m *Manager) HTTPHandler(fallback http.Handler) http.Handler {
393 m.challengeMu.Lock()
394 defer m.challengeMu.Unlock()
395 m.tryHTTP01 = true
396 397 if fallback == nil {
398 fallback = http.HandlerFunc(handleHTTPRedirect)
399 }
400 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
401 if !strings.HasPrefix(r.URL.Path, "/.well-known/acme-challenge/") {
402 fallback.ServeHTTP(w, r)
403 return
404 }
405 // A reasonable context timeout for cache and host policy only,
406 // because we don't wait for a new certificate issuance here.
407 ctx, cancel := context.WithTimeout(r.Context(), time.Minute)
408 defer cancel()
409 if err := m.hostPolicy()(ctx, r.Host); err != nil {
410 http.Error(w, err.Error(), http.StatusForbidden)
411 return
412 }
413 data, err := m.httpToken(ctx, r.URL.Path)
414 if err != nil {
415 http.Error(w, err.Error(), http.StatusNotFound)
416 return
417 }
418 w.Write(data)
419 })
420 }
421 422 func handleHTTPRedirect(w http.ResponseWriter, r *http.Request) {
423 if r.Method != "GET" && r.Method != "HEAD" {
424 http.Error(w, "Use HTTPS", http.StatusBadRequest)
425 return
426 }
427 target := "https://" + stripPort(r.Host) + r.URL.RequestURI()
428 http.Redirect(w, r, target, http.StatusFound)
429 }
430 431 func stripPort(hostport string) string {
432 host, _, err := net.SplitHostPort(hostport)
433 if err != nil {
434 return hostport
435 }
436 return net.JoinHostPort(host, "443")
437 }
438 439 // cert returns an existing certificate either from m.state or cache.
440 // If a certificate is found in cache but not in m.state, the latter will be filled
441 // with the cached value.
442 func (m *Manager) cert(ctx context.Context, ck certKey) (*tls.Certificate, error) {
443 m.stateMu.Lock()
444 if s, ok := m.state[ck]; ok {
445 m.stateMu.Unlock()
446 s.RLock()
447 defer s.RUnlock()
448 return s.tlscert()
449 }
450 defer m.stateMu.Unlock()
451 cert, err := m.cacheGet(ctx, ck)
452 if err != nil {
453 return nil, err
454 }
455 signer, ok := cert.PrivateKey.(crypto.Signer)
456 if !ok {
457 return nil, errors.New("acme/autocert: private key cannot sign")
458 }
459 if m.state == nil {
460 m.state = make(map[certKey]*certState)
461 }
462 s := &certState{
463 key: signer,
464 cert: cert.Certificate,
465 leaf: cert.Leaf,
466 }
467 m.state[ck] = s
468 m.startRenew(ck, s.key, s.leaf.NotBefore, s.leaf.NotAfter)
469 return cert, nil
470 }
471 472 // cacheGet always returns a valid certificate, or an error otherwise.
473 // If a cached certificate exists but is not valid, ErrCacheMiss is returned.
474 func (m *Manager) cacheGet(ctx context.Context, ck certKey) (*tls.Certificate, error) {
475 if m.Cache == nil {
476 return nil, ErrCacheMiss
477 }
478 data, err := m.Cache.Get(ctx, ck.String())
479 if err != nil {
480 return nil, err
481 }
482 483 // private
484 priv, pub := pem.Decode(data)
485 if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
486 return nil, ErrCacheMiss
487 }
488 privKey, err := parsePrivateKey(priv.Bytes)
489 if err != nil {
490 return nil, err
491 }
492 493 // public
494 var pubDER [][]byte
495 for len(pub) > 0 {
496 var b *pem.Block
497 b, pub = pem.Decode(pub)
498 if b == nil {
499 break
500 }
501 pubDER = append(pubDER, b.Bytes)
502 }
503 if len(pub) > 0 {
504 // Leftover content not consumed by pem.Decode. Corrupt. Ignore.
505 return nil, ErrCacheMiss
506 }
507 508 // verify and create TLS cert
509 leaf, err := validCert(ck, pubDER, privKey, m.now())
510 if err != nil {
511 return nil, ErrCacheMiss
512 }
513 tlscert := &tls.Certificate{
514 Certificate: pubDER,
515 PrivateKey: privKey,
516 Leaf: leaf,
517 }
518 return tlscert, nil
519 }
520 521 func (m *Manager) cachePut(ctx context.Context, ck certKey, tlscert *tls.Certificate) error {
522 if m.Cache == nil {
523 return nil
524 }
525 526 // contains PEM-encoded data
527 var buf bytes.Buffer
528 529 // private
530 switch key := tlscert.PrivateKey.(type) {
531 case *ecdsa.PrivateKey:
532 if err := encodeECDSAKey(&buf, key); err != nil {
533 return err
534 }
535 case *rsa.PrivateKey:
536 b := x509.MarshalPKCS1PrivateKey(key)
537 pb := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: b}
538 if err := pem.Encode(&buf, pb); err != nil {
539 return err
540 }
541 default:
542 return errors.New("acme/autocert: unknown private key type")
543 }
544 545 // public
546 for _, b := range tlscert.Certificate {
547 pb := &pem.Block{Type: "CERTIFICATE", Bytes: b}
548 if err := pem.Encode(&buf, pb); err != nil {
549 return err
550 }
551 }
552 553 return m.Cache.Put(ctx, ck.String(), buf.Bytes())
554 }
555 556 func encodeECDSAKey(w io.Writer, key *ecdsa.PrivateKey) error {
557 b, err := x509.MarshalECPrivateKey(key)
558 if err != nil {
559 return err
560 }
561 pb := &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
562 return pem.Encode(w, pb)
563 }
564 565 // createCert starts the domain ownership verification and returns a certificate
566 // for that domain upon success.
567 //
568 // If the domain is already being verified, it waits for the existing verification to complete.
569 // Either way, createCert blocks for the duration of the whole process.
570 func (m *Manager) createCert(ctx context.Context, ck certKey) (*tls.Certificate, error) {
571 // TODO: maybe rewrite this whole piece using sync.Once
572 state, err := m.certState(ck)
573 if err != nil {
574 return nil, err
575 }
576 // state may exist if another goroutine is already working on it
577 // in which case just wait for it to finish
578 if !state.locked {
579 state.RLock()
580 defer state.RUnlock()
581 return state.tlscert()
582 }
583 584 // We are the first; state is locked.
585 // Unblock the readers when domain ownership is verified
586 // and we got the cert or the process failed.
587 defer state.Unlock()
588 state.locked = false
589 590 der, leaf, err := m.authorizedCert(ctx, state.key, ck)
591 if err != nil {
592 // Remove the failed state after some time,
593 // making the manager call createCert again on the following TLS hello.
594 didRemove := testDidRemoveState // The lifetime of this timer is untracked, so copy mutable local state to avoid races.
595 time.AfterFunc(createCertRetryAfter, func() {
596 defer didRemove(ck)
597 m.stateMu.Lock()
598 defer m.stateMu.Unlock()
599 // Verify the state hasn't changed and it's still invalid
600 // before deleting.
601 s, ok := m.state[ck]
602 if !ok {
603 return
604 }
605 if _, err := validCert(ck, s.cert, s.key, m.now()); err == nil {
606 return
607 }
608 delete(m.state, ck)
609 })
610 return nil, err
611 }
612 state.cert = der
613 state.leaf = leaf
614 m.startRenew(ck, state.key, state.leaf.NotBefore, state.leaf.NotAfter)
615 return state.tlscert()
616 }
617 618 // certState returns a new or existing certState.
619 // If a new certState is returned, state.exist is false and the state is locked.
620 // The returned error is non-nil only in the case where a new state could not be created.
621 func (m *Manager) certState(ck certKey) (*certState, error) {
622 m.stateMu.Lock()
623 defer m.stateMu.Unlock()
624 if m.state == nil {
625 m.state = make(map[certKey]*certState)
626 }
627 // existing state
628 if state, ok := m.state[ck]; ok {
629 return state, nil
630 }
631 632 // new locked state
633 var (
634 err error
635 key crypto.Signer
636 )
637 if ck.isRSA {
638 key, err = rsa.GenerateKey(rand.Reader, 2048)
639 } else {
640 key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
641 }
642 if err != nil {
643 return nil, err
644 }
645 646 state := &certState{
647 key: key,
648 locked: true,
649 }
650 state.Lock() // will be unlocked by m.certState caller
651 m.state[ck] = state
652 return state, nil
653 }
654 655 // authorizedCert starts the domain ownership verification process and requests a new cert upon success.
656 // The key argument is the certificate private key.
657 func (m *Manager) authorizedCert(ctx context.Context, key crypto.Signer, ck certKey) (der [][]byte, leaf *x509.Certificate, err error) {
658 csr, err := certRequest(key, ck.domain, m.ExtraExtensions)
659 if err != nil {
660 return nil, nil, err
661 }
662 663 client, err := m.acmeClient(ctx)
664 if err != nil {
665 return nil, nil, err
666 }
667 dir, err := client.Discover(ctx)
668 if err != nil {
669 return nil, nil, err
670 }
671 if dir.OrderURL == "" {
672 return nil, nil, errPreRFC
673 }
674 675 o, err := m.verifyRFC(ctx, client, ck.domain)
676 if err != nil {
677 return nil, nil, err
678 }
679 chain, _, err := client.CreateOrderCert(ctx, o.FinalizeURL, csr, true)
680 if err != nil {
681 return nil, nil, err
682 }
683 684 leaf, err = validCert(ck, chain, key, m.now())
685 if err != nil {
686 return nil, nil, err
687 }
688 return chain, leaf, nil
689 }
690 691 // verifyRFC runs the identifier (domain) order-based authorization flow for RFC compliant CAs
692 // using each applicable ACME challenge type.
693 func (m *Manager) verifyRFC(ctx context.Context, client *acme.Client, domain string) (*acme.Order, error) {
694 // Try each supported challenge type starting with a new order each time.
695 // The nextTyp index of the next challenge type to try is shared across
696 // all order authorizations: if we've tried a challenge type once and it didn't work,
697 // it will most likely not work on another order's authorization either.
698 challengeTypes := m.supportedChallengeTypes()
699 nextTyp := 0 // challengeTypes index
700 AuthorizeOrderLoop:
701 for {
702 o, err := client.AuthorizeOrder(ctx, acme.DomainIDs(domain))
703 if err != nil {
704 return nil, err
705 }
706 // Remove all hanging authorizations to reduce rate limit quotas
707 // after we're done.
708 defer func(urls []string) {
709 go m.deactivatePendingAuthz(urls)
710 }(o.AuthzURLs)
711 712 // Check if there's actually anything we need to do.
713 switch o.Status {
714 case acme.StatusReady:
715 // Already authorized.
716 return o, nil
717 case acme.StatusPending:
718 // Continue normal Order-based flow.
719 default:
720 return nil, fmt.Errorf("acme/autocert: invalid new order status %q; order URL: %q", o.Status, o.URI)
721 }
722 723 // Satisfy all pending authorizations.
724 for _, zurl := range o.AuthzURLs {
725 z, err := client.GetAuthorization(ctx, zurl)
726 if err != nil {
727 return nil, err
728 }
729 if z.Status != acme.StatusPending {
730 // We are interested only in pending authorizations.
731 continue
732 }
733 // Pick the next preferred challenge.
734 var chal *acme.Challenge
735 for chal == nil && nextTyp < len(challengeTypes) {
736 chal = pickChallenge(challengeTypes[nextTyp], z.Challenges)
737 nextTyp++
738 }
739 if chal == nil {
740 return nil, fmt.Errorf("acme/autocert: unable to satisfy %q for domain %q: no viable challenge type found", z.URI, domain)
741 }
742 // Respond to the challenge and wait for validation result.
743 cleanup, err := m.fulfill(ctx, client, chal, domain)
744 if err != nil {
745 continue AuthorizeOrderLoop
746 }
747 defer cleanup()
748 if _, err := client.Accept(ctx, chal); err != nil {
749 continue AuthorizeOrderLoop
750 }
751 if _, err := client.WaitAuthorization(ctx, z.URI); err != nil {
752 continue AuthorizeOrderLoop
753 }
754 }
755 756 // All authorizations are satisfied.
757 // Wait for the CA to update the order status.
758 o, err = client.WaitOrder(ctx, o.URI)
759 if err != nil {
760 continue AuthorizeOrderLoop
761 }
762 return o, nil
763 }
764 }
765 766 func pickChallenge(typ string, chal []*acme.Challenge) *acme.Challenge {
767 for _, c := range chal {
768 if c.Type == typ {
769 return c
770 }
771 }
772 return nil
773 }
774 775 func (m *Manager) supportedChallengeTypes() []string {
776 m.challengeMu.RLock()
777 defer m.challengeMu.RUnlock()
778 typ := []string{"tls-alpn-01"}
779 if m.tryHTTP01 {
780 typ = append(typ, "http-01")
781 }
782 return typ
783 }
784 785 // deactivatePendingAuthz relinquishes all authorizations identified by the elements
786 // of the provided uri slice which are in "pending" state.
787 // It ignores revocation errors.
788 //
789 // deactivatePendingAuthz takes no context argument and instead runs with its own
790 // "detached" context because deactivations are done in a goroutine separate from
791 // that of the main issuance or renewal flow.
792 func (m *Manager) deactivatePendingAuthz(uri []string) {
793 ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
794 defer cancel()
795 client, err := m.acmeClient(ctx)
796 if err != nil {
797 return
798 }
799 for _, u := range uri {
800 z, err := client.GetAuthorization(ctx, u)
801 if err == nil && z.Status == acme.StatusPending {
802 client.RevokeAuthorization(ctx, u)
803 }
804 }
805 }
806 807 // fulfill provisions a response to the challenge chal.
808 // The cleanup is non-nil only if provisioning succeeded.
809 func (m *Manager) fulfill(ctx context.Context, client *acme.Client, chal *acme.Challenge, domain string) (cleanup func(), err error) {
810 switch chal.Type {
811 case "tls-alpn-01":
812 cert, err := client.TLSALPN01ChallengeCert(chal.Token, domain)
813 if err != nil {
814 return nil, err
815 }
816 m.putCertToken(ctx, domain, &cert)
817 return func() { go m.deleteCertToken(domain) }, nil
818 case "http-01":
819 resp, err := client.HTTP01ChallengeResponse(chal.Token)
820 if err != nil {
821 return nil, err
822 }
823 p := client.HTTP01ChallengePath(chal.Token)
824 m.putHTTPToken(ctx, p, resp)
825 return func() { go m.deleteHTTPToken(p) }, nil
826 }
827 return nil, fmt.Errorf("acme/autocert: unknown challenge type %q", chal.Type)
828 }
829 830 // putCertToken stores the token certificate with the specified name
831 // in both m.certTokens map and m.Cache.
832 func (m *Manager) putCertToken(ctx context.Context, name string, cert *tls.Certificate) {
833 m.challengeMu.Lock()
834 defer m.challengeMu.Unlock()
835 if m.certTokens == nil {
836 m.certTokens = make(map[string]*tls.Certificate)
837 }
838 m.certTokens[name] = cert
839 m.cachePut(ctx, certKey{domain: name, isToken: true}, cert)
840 }
841 842 // deleteCertToken removes the token certificate with the specified name
843 // from both m.certTokens map and m.Cache.
844 func (m *Manager) deleteCertToken(name string) {
845 m.challengeMu.Lock()
846 defer m.challengeMu.Unlock()
847 delete(m.certTokens, name)
848 if m.Cache != nil {
849 ck := certKey{domain: name, isToken: true}
850 m.Cache.Delete(context.Background(), ck.String())
851 }
852 }
853 854 // httpToken retrieves an existing http-01 token value from an in-memory map
855 // or the optional cache.
856 func (m *Manager) httpToken(ctx context.Context, tokenPath string) ([]byte, error) {
857 m.challengeMu.RLock()
858 defer m.challengeMu.RUnlock()
859 if v, ok := m.httpTokens[tokenPath]; ok {
860 return v, nil
861 }
862 if m.Cache == nil {
863 return nil, fmt.Errorf("acme/autocert: no token at %q", tokenPath)
864 }
865 return m.Cache.Get(ctx, httpTokenCacheKey(tokenPath))
866 }
867 868 // putHTTPToken stores an http-01 token value using tokenPath as key
869 // in both in-memory map and the optional Cache.
870 //
871 // It ignores any error returned from Cache.Put.
872 func (m *Manager) putHTTPToken(ctx context.Context, tokenPath, val string) {
873 m.challengeMu.Lock()
874 defer m.challengeMu.Unlock()
875 if m.httpTokens == nil {
876 m.httpTokens = make(map[string][]byte)
877 }
878 b := []byte(val)
879 m.httpTokens[tokenPath] = b
880 if m.Cache != nil {
881 m.Cache.Put(ctx, httpTokenCacheKey(tokenPath), b)
882 }
883 }
884 885 // deleteHTTPToken removes an http-01 token value from both in-memory map
886 // and the optional Cache, ignoring any error returned from the latter.
887 //
888 // If m.Cache is non-nil, it blocks until Cache.Delete returns without a timeout.
889 func (m *Manager) deleteHTTPToken(tokenPath string) {
890 m.challengeMu.Lock()
891 defer m.challengeMu.Unlock()
892 delete(m.httpTokens, tokenPath)
893 if m.Cache != nil {
894 m.Cache.Delete(context.Background(), httpTokenCacheKey(tokenPath))
895 }
896 }
897 898 // httpTokenCacheKey returns a key at which an http-01 token value may be stored
899 // in the Manager's optional Cache.
900 func httpTokenCacheKey(tokenPath string) string {
901 return path.Base(tokenPath) + "+http-01"
902 }
903 904 // startRenew starts a cert renewal timer loop, one per domain.
905 //
906 // The loop is scheduled in two cases:
907 // - a cert was fetched from cache for the first time (wasn't in m.state)
908 // - a new cert was created by m.createCert
909 //
910 // The key argument is a certificate private key.
911 // The exp argument is the cert expiration time (NotAfter).
912 func (m *Manager) startRenew(ck certKey, key crypto.Signer, notBefore, notAfter time.Time) {
913 m.renewalMu.Lock()
914 defer m.renewalMu.Unlock()
915 if m.renewal[ck] != nil {
916 // another goroutine is already on it
917 return
918 }
919 if m.renewal == nil {
920 m.renewal = make(map[certKey]*domainRenewal)
921 }
922 dr := &domainRenewal{m: m, ck: ck, key: key}
923 m.renewal[ck] = dr
924 dr.start(notBefore, notAfter)
925 }
926 927 // stopRenew stops all currently running cert renewal timers.
928 // The timers are not restarted during the lifetime of the Manager.
929 func (m *Manager) stopRenew() {
930 m.renewalMu.Lock()
931 defer m.renewalMu.Unlock()
932 for name, dr := range m.renewal {
933 delete(m.renewal, name)
934 dr.stop()
935 }
936 }
937 938 func (m *Manager) accountKey(ctx context.Context) (crypto.Signer, error) {
939 const keyName = "acme_account+key"
940 941 // Previous versions of autocert stored the value under a different key.
942 const legacyKeyName = "acme_account.key"
943 944 genKey := func() (*ecdsa.PrivateKey, error) {
945 return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
946 }
947 948 if m.Cache == nil {
949 return genKey()
950 }
951 952 data, err := m.Cache.Get(ctx, keyName)
953 if err == ErrCacheMiss {
954 data, err = m.Cache.Get(ctx, legacyKeyName)
955 }
956 if err == ErrCacheMiss {
957 key, err := genKey()
958 if err != nil {
959 return nil, err
960 }
961 var buf bytes.Buffer
962 if err := encodeECDSAKey(&buf, key); err != nil {
963 return nil, err
964 }
965 if err := m.Cache.Put(ctx, keyName, buf.Bytes()); err != nil {
966 return nil, err
967 }
968 return key, nil
969 }
970 if err != nil {
971 return nil, err
972 }
973 974 priv, _ := pem.Decode(data)
975 if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
976 return nil, errors.New("acme/autocert: invalid account key found in cache")
977 }
978 return parsePrivateKey(priv.Bytes)
979 }
980 981 func (m *Manager) acmeClient(ctx context.Context) (*acme.Client, error) {
982 m.clientMu.Lock()
983 defer m.clientMu.Unlock()
984 if m.client != nil {
985 return m.client, nil
986 }
987 988 client := m.Client
989 if client == nil {
990 client = &acme.Client{DirectoryURL: DefaultACMEDirectory}
991 }
992 if client.Key == nil {
993 var err error
994 client.Key, err = m.accountKey(ctx)
995 if err != nil {
996 return nil, err
997 }
998 }
999 if client.UserAgent == "" {
1000 client.UserAgent = "autocert"
1001 }
1002 var contact []string
1003 if m.Email != "" {
1004 contact = []string{"mailto:" + m.Email}
1005 }
1006 a := &acme.Account{Contact: contact, ExternalAccountBinding: m.ExternalAccountBinding}
1007 _, err := client.Register(ctx, a, m.Prompt)
1008 if err == nil || isAccountAlreadyExist(err) {
1009 m.client = client
1010 err = nil
1011 }
1012 return m.client, err
1013 }
1014 1015 // isAccountAlreadyExist reports whether the err, as returned from acme.Client.Register,
1016 // indicates the account has already been registered.
1017 func isAccountAlreadyExist(err error) bool {
1018 if err == acme.ErrAccountAlreadyExists {
1019 return true
1020 }
1021 ae, ok := err.(*acme.Error)
1022 return ok && ae.StatusCode == http.StatusConflict
1023 }
1024 1025 func (m *Manager) hostPolicy() HostPolicy {
1026 if m.HostPolicy != nil {
1027 return m.HostPolicy
1028 }
1029 return defaultHostPolicy
1030 }
1031 1032 func (m *Manager) now() time.Time {
1033 if m.nowFunc != nil {
1034 return m.nowFunc()
1035 }
1036 return time.Now()
1037 }
1038 1039 // certState is ready when its mutex is unlocked for reading.
1040 type certState struct {
1041 sync.RWMutex
1042 locked bool // locked for read/write
1043 key crypto.Signer // private key for cert
1044 cert [][]byte // DER encoding
1045 leaf *x509.Certificate // parsed cert[0]; always non-nil if cert != nil
1046 }
1047 1048 // tlscert creates a tls.Certificate from s.key and s.cert.
1049 // Callers should wrap it in s.RLock() and s.RUnlock().
1050 func (s *certState) tlscert() (*tls.Certificate, error) {
1051 if s.key == nil {
1052 return nil, errors.New("acme/autocert: missing signer")
1053 }
1054 if len(s.cert) == 0 {
1055 return nil, errors.New("acme/autocert: missing certificate")
1056 }
1057 return &tls.Certificate{
1058 PrivateKey: s.key,
1059 Certificate: s.cert,
1060 Leaf: s.leaf,
1061 }, nil
1062 }
1063 1064 // certRequest generates a CSR for the given common name.
1065 func certRequest(key crypto.Signer, name string, ext []pkix.Extension) ([]byte, error) {
1066 req := &x509.CertificateRequest{
1067 Subject: pkix.Name{CommonName: name},
1068 DNSNames: []string{name},
1069 ExtraExtensions: ext,
1070 }
1071 return x509.CreateCertificateRequest(rand.Reader, req, key)
1072 }
1073 1074 // Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
1075 // PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
1076 // OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
1077 //
1078 // Inspired by parsePrivateKey in crypto/tls/tls.go.
1079 func parsePrivateKey(der []byte) (crypto.Signer, error) {
1080 if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
1081 return key, nil
1082 }
1083 if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
1084 switch key := key.(type) {
1085 case *rsa.PrivateKey:
1086 return key, nil
1087 case *ecdsa.PrivateKey:
1088 return key, nil
1089 default:
1090 return nil, errors.New("acme/autocert: unknown private key type in PKCS#8 wrapping")
1091 }
1092 }
1093 if key, err := x509.ParseECPrivateKey(der); err == nil {
1094 return key, nil
1095 }
1096 1097 return nil, errors.New("acme/autocert: failed to parse private key")
1098 }
1099 1100 // validCert parses a cert chain provided as der argument and verifies the leaf and der[0]
1101 // correspond to the private key, the domain and key type match, and expiration dates
1102 // are valid. It doesn't do any revocation checking.
1103 //
1104 // The returned value is the verified leaf cert.
1105 func validCert(ck certKey, der [][]byte, key crypto.Signer, now time.Time) (leaf *x509.Certificate, err error) {
1106 // parse public part(s)
1107 var n int
1108 for _, b := range der {
1109 n += len(b)
1110 }
1111 pub := make([]byte, n)
1112 n = 0
1113 for _, b := range der {
1114 n += copy(pub[n:], b)
1115 }
1116 x509Cert, err := x509.ParseCertificates(pub)
1117 if err != nil || len(x509Cert) == 0 {
1118 return nil, errors.New("acme/autocert: no public key found")
1119 }
1120 // verify the leaf is not expired and matches the domain name
1121 leaf = x509Cert[0]
1122 if now.Before(leaf.NotBefore) {
1123 return nil, errors.New("acme/autocert: certificate is not valid yet")
1124 }
1125 if now.After(leaf.NotAfter) {
1126 return nil, errors.New("acme/autocert: expired certificate")
1127 }
1128 if err := leaf.VerifyHostname(ck.domain); err != nil {
1129 return nil, err
1130 }
1131 // renew certificates revoked by Let's Encrypt in January 2022
1132 if isRevokedLetsEncrypt(leaf) {
1133 return nil, errors.New("acme/autocert: certificate was probably revoked by Let's Encrypt")
1134 }
1135 // ensure the leaf corresponds to the private key and matches the certKey type
1136 switch pub := leaf.PublicKey.(type) {
1137 case *rsa.PublicKey:
1138 prv, ok := key.(*rsa.PrivateKey)
1139 if !ok {
1140 return nil, errors.New("acme/autocert: private key type does not match public key type")
1141 }
1142 if pub.N.Cmp(prv.N) != 0 {
1143 return nil, errors.New("acme/autocert: private key does not match public key")
1144 }
1145 if !ck.isRSA && !ck.isToken {
1146 return nil, errors.New("acme/autocert: key type does not match expected value")
1147 }
1148 case *ecdsa.PublicKey:
1149 prv, ok := key.(*ecdsa.PrivateKey)
1150 if !ok {
1151 return nil, errors.New("acme/autocert: private key type does not match public key type")
1152 }
1153 if pub.X.Cmp(prv.X) != 0 || pub.Y.Cmp(prv.Y) != 0 {
1154 return nil, errors.New("acme/autocert: private key does not match public key")
1155 }
1156 if ck.isRSA && !ck.isToken {
1157 return nil, errors.New("acme/autocert: key type does not match expected value")
1158 }
1159 default:
1160 return nil, errors.New("acme/autocert: unknown public key algorithm")
1161 }
1162 return leaf, nil
1163 }
1164 1165 // https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450
1166 var letsEncryptFixDeployTime = time.Date(2022, time.January, 26, 00, 48, 0, 0, time.UTC)
1167 1168 // isRevokedLetsEncrypt returns whether the certificate is likely to be part of
1169 // a batch of certificates revoked by Let's Encrypt in January 2022. This check
1170 // can be safely removed from May 2022.
1171 func isRevokedLetsEncrypt(cert *x509.Certificate) bool {
1172 O := cert.Issuer.Organization
1173 return len(O) == 1 && O[0] == "Let's Encrypt" &&
1174 cert.NotBefore.Before(letsEncryptFixDeployTime)
1175 }
1176 1177 type lockedMathRand struct {
1178 sync.Mutex
1179 rnd *mathrand.Rand
1180 }
1181 1182 func (r *lockedMathRand) int63n(max int64) int64 {
1183 r.Lock()
1184 n := r.rnd.Int63n(max)
1185 r.Unlock()
1186 return n
1187 }
1188 1189 // For easier testing.
1190 var (
1191 // Called when a state is removed.
1192 testDidRemoveState = func(certKey) {}
1193 )
1194