Added ability to force renew a LE cert, and also fix revoking certs

2025-11-03 01:03:34 +00:00 · 2019-05-08 15:25:48 +10:00
parent feaa0e51bd
commit 4d5adefa41
7 changed files with 141 additions and 59 deletions
--- a/src/backend/internal/certificate.js
+++ b/src/backend/internal/certificate.js
@@ -1,5 +1,3 @@
-'use strict';
-
 const fs               = require('fs');
 const _                = require('lodash');
 const logger           = require('../logger').ssl;
@@ -9,7 +7,7 @@ const internalAuditLog = require('./audit-log');
 const tempWrite        = require('temp-write');
 const utils            = require('../lib/utils');
 const moment           = require('moment');
-const debug_mode       = process.env.NODE_ENV !== 'production';
+const debug_mode       = process.env.NODE_ENV !== 'production' || !!process.env.DEBUG ;
 const internalNginx    = require('./nginx');
 const internalHost     = require('./host');
 const certbot_command  = '/usr/bin/certbot';
@@ -21,7 +19,7 @@ function omissions () {
 const internalCertificate = {

    allowed_ssl_files:   ['certificate', 'certificate_key', 'intermediate_certificate'],
-    interval_timeout:    1000 * 60 * 60 * 12, // 12 hours
+    interval_timeout:    1000 * 60 * 60, // 1 hour
    interval:            null,
    interval_processing: false,

@@ -205,7 +203,7 @@ const internalCertificate = {
    /**
     * @param  {Access}  access
     * @param  {Object}  data
-     * @param  {Integer} data.id
+     * @param  {Number}  data.id
     * @param  {String}  [data.email]
     * @param  {String}  [data.name]
     * @return {Promise}
@@ -251,7 +249,7 @@ const internalCertificate = {
    /**
     * @param  {Access}   access
     * @param  {Object}   data
-     * @param  {Integer}  data.id
+     * @param  {Number}   data.id
     * @param  {Array}    [data.expand]
     * @param  {Array}    [data.omit]
     * @return {Promise}
@@ -297,7 +295,7 @@ const internalCertificate = {
    /**
     * @param {Access}  access
     * @param {Object}  data
-     * @param {Integer} data.id
+     * @param {Number}  data.id
     * @param {String}  [data.reason]
     * @returns {Promise}
     */
@@ -381,7 +379,7 @@ const internalCertificate = {
    /**
     * Report use
     *
-     * @param   {Integer} user_id
+     * @param   {Number}  user_id
     * @param   {String}  visibility
     * @returns {Promise}
     */
@@ -522,7 +520,7 @@ const internalCertificate = {
    /**
     * @param   {Access}  access
     * @param   {Object}  data
-     * @param   {Integer} data.id
+     * @param   {Number}  data.id
     * @param   {Object}  data.files
     * @returns {Promise}
     */
@@ -734,6 +732,36 @@ const internalCertificate = {
            });
    },

+    /**
+     * @param   {Access}  access
+     * @param   {Object}  data
+     * @param   {Number}  data.id
+     * @returns {Promise}
+     */
+    renew: (access, data) => {
+        return access.can('certificates:update', data)
+            .then(() => {
+                return internalCertificate.get(access, data);
+            })
+            .then((certificate) => {
+                if (certificate.provider === 'letsencrypt') {
+                    return internalCertificate.renewLetsEncryptSsl(certificate)
+                        .then(() => {
+                            return internalCertificate.getCertificateInfoFromFile('/etc/letsencrypt/live/npm-' + certificate.id + '/fullchain.pem')
+                        })
+                        .then(cert_info => {
+                            return certificateModel
+                                .query()
+                                .patchAndFetchById(certificate.id, {
+                                    expires_on: certificateModel.raw('FROM_UNIXTIME(' + cert_info.dates.to + ')')
+                                });
+                        });
+                } else {
+                    throw new error.ValidationError('Only Let\'sEncrypt certificates can be renewed');
+                }
+            })
+    },
+
    /**
     * @param   {Object}  certificate   the certificate row
     * @returns {Promise}
@@ -762,17 +790,29 @@ const internalCertificate = {
    revokeLetsEncryptSsl: (certificate, throw_errors) => {
        logger.info('Revoking Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));

-        let cmd = certbot_command + ' revoke --cert-path "/etc/letsencrypt/live/npm-' + certificate.id + '/fullchain.pem" ' + (debug_mode ? '--staging' : '');
+        let revoke_cmd = certbot_command + ' revoke --cert-path "/etc/letsencrypt/live/npm-' + certificate.id + '/fullchain.pem" ' + (debug_mode ? '--staging' : '');
+        let delete_cmd = certbot_command + ' delete --cert-name "npm-' + certificate.id + '" ' + (debug_mode ? '--staging' : '');

        if (debug_mode) {
-            logger.info('Command:', cmd);
+            logger.info('Command:', revoke_cmd);
        }

-        return utils.exec(cmd)
-            .then(result => {
+        return utils.exec(revoke_cmd)
+            .then((result) => {
                logger.info(result);
                return result;
            })
+            .then(() => {
+                if (debug_mode) {
+                    logger.info('Command:', delete_cmd);
+                }
+
+                return utils.exec(delete_cmd)
+                    .then((result) => {
+                        logger.info(result);
+                        return result;
+                    })
+            })
            .catch(err => {
                if (debug_mode) {
                    logger.error(err.message);
@@ -796,7 +836,7 @@ const internalCertificate = {

    /**
     * @param {Object}  in_use_result
-     * @param {Integer} in_use_result.total_count
+     * @param {Number}  in_use_result.total_count
     * @param {Array}   in_use_result.proxy_hosts
     * @param {Array}   in_use_result.redirection_hosts
     * @param {Array}   in_use_result.dead_hosts
@@ -826,7 +866,7 @@ const internalCertificate = {

    /**
     * @param {Object}  in_use_result
-     * @param {Integer} in_use_result.total_count
+     * @param {Number}  in_use_result.total_count
     * @param {Array}   in_use_result.proxy_hosts
     * @param {Array}   in_use_result.redirection_hosts
     * @param {Array}   in_use_result.dead_hosts
--- a/src/backend/routes/api/nginx/certificates.js
+++ b/src/backend/routes/api/nginx/certificates.js
@@ -1,5 +1,3 @@
-'use strict';
-
 const express             = require('express');
 const validator           = require('../../../lib/validator');
 const jwtdecode           = require('../../../lib/express/jwt-decode');
@@ -94,13 +92,13 @@ router
                certificate_id: {
                    $ref: 'definitions#/definitions/id'
                },
-                expand:  {
+                expand:         {
                    $ref: 'definitions#/definitions/expand'
                }
            }
        }, {
            certificate_id: req.params.certificate_id,
-            expand:  (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
+            expand:         (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
        })
            .then(data => {
                return internalCertificate.get(res.locals.access, {
@@ -181,6 +179,34 @@ router
        }
    });

+/**
+ * Renew LE Certs
+ *
+ * /api/nginx/certificates/123/renew
+ */
+router
+    .route('/:certificate_id/renew')
+    .options((req, res) => {
+        res.sendStatus(204);
+    })
+    .all(jwtdecode())
+
+    /**
+     * POST /api/nginx/certificates/123/renew
+     *
+     * Renew certificate
+     */
+    .post((req, res, next) => {
+        internalCertificate.renew(res.locals.access, {
+            id: parseInt(req.params.certificate_id, 10)
+        })
+            .then(result => {
+                res.status(200)
+                    .send(result);
+            })
+            .catch(next);
+    });
+
 /**
 * Validate Certs before saving
 *