From 1e463c6638a05a237d660f458f5a147353be3fc1 Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 26 May 2017 16:41:51 -0700
Subject: static - support for renewing certs with let's encrypt for static sites

---
 lib/leap_cli/commands/cert.rb | 54 +++++++++++++---------
 provider_base/common.json | 3 +-
 provider_base/services/static.rb | 2 +
 provider_base/services/webapp.json | 3 --
 provider_base/services/webapp.rb | 2 +
 puppet/modules/site_static/manifests/domain.pp | 13 ++++--
 .../modules/site_static/templates/apache.conf.erb | 10 +++-
 7 files changed, 55 insertions(+), 32 deletions(-)
 create mode 100644 provider_base/services/static.rb
 create mode 100644 provider_base/services/webapp.rb

diff --git a/lib/leap_cli/commands/cert.rb b/lib/leap_cli/commands/cert.rb
index 1c67ae67..81f45eb5 100644
--- a/lib/leap_cli/commands/cert.rb
+++ b/lib/leap_cli/commands/cert.rb
@@ -337,31 +337,41 @@ module LeapCli; module Commands
   # This method will bail if any checks fail.
   #
   def domain_ready_for_acme!(domain)
-    begin
-      uri = URI("https://#{domain}/.well-known/acme-challenge/ok")
-      options = {
-        use_ssl: true,
-        open_timeout: 5,
-        verify_mode: OpenSSL::SSL::VERIFY_NONE
-      }
-      Net::HTTP.start(uri.host, uri.port, options) do |http|
-        http.request(Net::HTTP::Get.new(uri)) do |response|
-          if !response.is_a?(Net::HTTPSuccess)
-            bail!(:error, "Could not GET %s" % uri) do
-              log "%s %s" % [response.code, response.message]
-              log "You may need to run `leap deploy`"
-            end
+    uri = URI("https://#{domain}/.well-known/acme-challenge/ok")
+    options = {
+      use_ssl: true,
+      open_timeout: 5,
+      verify_mode: OpenSSL::SSL::VERIFY_NONE
+    }
+    http_get(uri, options)
+  end
+
+  private
+
+  def http_get(uri, options, limit = 10)
+    raise ArgumentError, "HTTP redirect too deep (#{uri})" if limit == 0
+    Net::HTTP.start(uri.host, uri.port, options) do |http|
+      http.request(Net::HTTP::Get.new(uri)) do |response|
+        case response
+        when Net::HTTPSuccess then
+          return response
+        when Net::HTTPRedirection then
+          return http_get(URI(response['location']), options, limit - 1)
+        else
+          bail!(:error, "Could not GET %s" % uri) do
+            log "%s %s" % [response.code, response.message]
+            log "You may need to run `leap deploy`"
           end
         end
       end
-    rescue Errno::ETIMEDOUT, Net::OpenTimeout
-      bail! :error, "Connection attempt timed out: %s" % uri
-    rescue Interrupt
-      bail!
-    rescue StandardError => exc
-      bail!(:error, "Could not GET %s" % uri) do
-        log exc.to_s
-      end
+    end
+  rescue Errno::ETIMEDOUT, Net::OpenTimeout
+    bail! :error, "Connection attempt timed out: %s" % uri
+  rescue Interrupt
+    bail!
+  rescue StandardError => exc
+    bail!(:error, "Could not GET %s" % uri) do
+      log exc.to_s
     end
   end
diff --git a/provider_base/common.json b/provider_base/common.json
index 41e1daa3..97519950 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
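Review bot: The redirect branch of http_get builds `URI(response['location'])` and reuses `options` unchanged, so a relative Location such as `/index.html` yields a URI with no host, and an `http://` target is opened with `use_ssl: true` on port 80; both surface through the StandardError rescue as a generic "Could not GET" rather than the real reason. Resolve the target against the current URI and derive the TLS flag from its scheme: `target = uri + response['location']` and `return http_get(target, options.merge(use_ssl: target.scheme == 'https'), limit - 1)`. The new `private` marker also applies to every method defined later in this file (outside the hunk), which is harmless only as long as those are never called with an explicit receiver. A one-line comment above http_get saying that it follows at most `limit` redirects and bails instead of returning on any non-2xx answer would help the next reader.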
@@ -12,7 +12,8 @@
     "name": "= node.name + '.' + (dns.public ? domain.full_suffix : domain.internal_suffix)"
   },
   "dns": {
-    "public": "= service_type != 'internal_service'"
+    "public": "= service_type != 'internal_service'",
+    "aliases": []
   },
   "ssh": {
     "authorized_keys": "= authorized_keys",
diff --git a/provider_base/services/static.rb b/provider_base/services/static.rb
new file mode 100644
index 00000000..d020ba26
--- /dev/null
+++ b/provider_base/services/static.rb
@@ -0,0 +1,2 @@
+self['dns']['aliases'] += self.static.domains.keys
+self['dns']['aliases'].uniq!
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 36f161b1..ac58ac12 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -71,9 +71,6 @@
     },
     "port": 6425
   },
-  "dns": {
-    "aliases": "= [domain.full, webapp.domain, api.domain, nickserver.domain]"
-  },
   "x509": {
     "use": true,
     "use_commercial": true,
diff --git a/provider_base/services/webapp.rb b/provider_base/services/webapp.rb
new file mode 100644
index 00000000..a5f10a2d
--- /dev/null
+++ b/provider_base/services/webapp.rb
@@ -0,0 +1,2 @@
+self['dns']['aliases'] += [domain.full, webapp.domain, api.domain, nickserver.domain]
+self['dns']['aliases'].uniq!
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
index 6cf2c653..e456c94e 100644
--- a/puppet/modules/site_static/manifests/domain.pp
+++ b/puppet/modules/site_static/manifests/domain.pp
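Review bot: The new static.rb (and webapp.rb, which does the same thing) has no comment explaining why `dns.aliases` is appended to in Ruby instead of being set in the service JSON; since this diff also removes the fixed `dns.aliases` value from webapp.json and seeds `[]` in common.json, the intent seems to be that several services on one node each contribute their names. A header comment such as `# add this service's domains to the node's dns.aliases; other services append too, so merge rather than assign` on the first line of each file would record that for the next service that needs an alias.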
@@ -1,25 +1,30 @@
 # configure static service for domain
 define site_static::domain (
-  $ca_cert,
+  $ca_cert=undef,
   $key,
   $cert,
   $tls_only=true,
   $use_hidden_service=false,
   $locations=undef,
   $aliases=undef,
-  $apache_config=undef) {
+  $apache_config=undef,
+  $www_alias=false) {
   $domain = $name
   $base_dir = '/srv/static'
-  $cafile = "${cert}\n${ca_cert}"
+  if ($ca_cert) {
+    $certfile = "${cert}\n${ca_cert}"
+  } else {
+    $certfile = $cert
+  }
   if is_hash($locations) {
     create_resources(site_static::location, $locations)
   }
   x509::cert { $domain:
-    content => $cafile,
+    content => $certfile,
     notify => Service[apache]
   }
   x509::key { $domain:
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index dd04ca43..eb21e4c9 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -80,7 +80,9 @@
   ##
   ServerName <%= @tor_domain %>
+<%- if @www_alias -%>
   ServerAlias www.<%= @tor_domain %>
+<%- end -%>
   Header set X-Frame-Options "deny"
@@ -102,7 +104,9 @@
   ##
   ServerName <%= @domain %>
-  ServerAlias www.<%= @domain %>
+<%- if @www_alias -%>
+  ServerAlias www.<%= @tor_domain %>
+<%- end -%>
 <%- @aliases && @aliases.each do |domain_alias| -%>
   ServerAlias <%= domain_alias %>
 <%- end -%>
@@ -122,7 +126,9 @@
   ##
   ServerName <%= @domain %>
-  ServerAlias www.<%= @domain %>
+<%- if @www_alias -%>
+  ServerAlias www.<%= @tor_domain %>
+<%- end -%>
 <%- @aliases && @aliases.each do |domain_alias| -%>
   ServerAlias <%= domain_alias %>
 <%- end -%>
--
cgit v1.2.3
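Review bot: The new `$www_alias` parameter and the now-optional `$ca_cert` are undocumented; the only comment is `# configure static service for domain` above the define. I would add `# $ca_cert: optional chain appended after $cert in the deployed cert file; leave undef when nothing should be appended` and `# $www_alias: when true, the vhost also answers for www.<domain>` beside the parameter list. Separately, `if ($ca_cert)` behaves differently across Puppet versions for an empty string (Puppet 3 treats `''` as false, Puppet 4 as true), so a `ca_cert` of `''` would append a bare newline to the cert file on Puppet 4; `if $ca_cert and $ca_cert != ''` is unambiguous. The define's body continues past the end of the hunk.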
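Review bot: In the second and third hunks of apache.conf.erb the alias added under `ServerName <%= @domain %>` is `ServerAlias www.<%= @tor_domain %>`, while the line it replaces was `ServerAlias www.<%= @domain %>`; only the first hunk, whose vhost is named by `@tor_domain`, should use the tor name. As written, turning on `www_alias` for a clear-net vhost stops it answering for `www.<domain>` (and presumably renders `ServerAlias www.` when `@tor_domain` is unset), so requests for the www name would be served by whichever vhost Apache falls back to, with that vhost's certificate. Both hunks should read `  ServerAlias www.<%= @domain %>` inside the new `<%- if @www_alias -%>` guard.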