2020-02-23 21:58:11 +13:00
|
|
|
<?php
|
|
|
|
|
2020-06-12 07:36:10 +12:00
|
|
|
use Appwrite\Network\Validator\CNAME;
|
2021-06-12 02:20:18 +12:00
|
|
|
use Appwrite\Resque\Worker;
|
|
|
|
use Utopia\App;
|
|
|
|
use Utopia\CLI\Console;
|
2021-07-16 09:14:52 +12:00
|
|
|
use Utopia\Database\Document;
|
|
|
|
use Utopia\Database\Query;
|
|
|
|
use Utopia\Database\Validator\Authorization;
|
2021-06-12 02:20:18 +12:00
|
|
|
use Utopia\Domains\Domain;
|
2020-02-23 21:58:11 +13:00
|
|
|
|
2021-08-13 20:39:46 +12:00
|
|
|
require_once __DIR__.'/../init.php';
|
2020-02-23 21:58:11 +13:00
|
|
|
|
2021-01-15 19:02:48 +13:00
|
|
|
Console::title('Certificates V1 Worker');
|
2021-09-01 21:13:23 +12:00
|
|
|
Console::success(APP_NAME . ' certificates worker v1 has started');
|
2020-02-23 21:58:11 +13:00
|
|
|
|
2021-06-12 02:20:18 +12:00
|
|
|
class CertificatesV1 extends Worker
|
2020-02-23 21:58:11 +13:00
|
|
|
{
|
2021-06-12 02:20:18 +12:00
|
|
|
public function init(): void
|
2020-02-23 21:58:11 +13:00
|
|
|
{
|
|
|
|
}
|
|
|
|
|
2021-06-12 02:20:18 +12:00
|
|
|
public function run(): void
|
2020-02-23 21:58:11 +13:00
|
|
|
{
|
2021-07-27 04:37:29 +12:00
|
|
|
$dbForConsole = $this->getConsoleDB();
|
2021-07-20 04:46:34 +12:00
|
|
|
|
|
|
|
/**
|
|
|
|
* 1. Get new domain document - DONE
|
|
|
|
* 1.1. Validate domain is valid, public suffix is known and CNAME records are verified - DONE
|
|
|
|
* 2. Check if a certificate already exists - DONE
|
|
|
|
* 3. Check if certificate is about to expire, if not - skip it
|
|
|
|
* 3.1. Create / renew certificate
|
|
|
|
* 3.2. Update loadblancer
|
|
|
|
* 3.3. Update database (domains, change date, expiry)
|
|
|
|
* 3.4. Set retry on failure
|
|
|
|
* 3.5. Schedule to renew certificate in 60 days
|
|
|
|
*/
|
|
|
|
|
|
|
|
Authorization::disable();
|
|
|
|
|
|
|
|
// Args
|
|
|
|
$document = $this->args['document'];
|
|
|
|
$domain = $this->args['domain'];
|
|
|
|
|
|
|
|
// Validation Args
|
|
|
|
$validateTarget = $this->args['validateTarget'] ?? true;
|
|
|
|
$validateCNAME = $this->args['validateCNAME'] ?? true;
|
2021-09-01 21:13:23 +12:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
// Options
|
|
|
|
$domain = new Domain((!empty($domain)) ? $domain : '');
|
|
|
|
$expiry = 60 * 60 * 24 * 30 * 2; // 60 days
|
|
|
|
$safety = 60 * 60; // 1 hour
|
|
|
|
$renew = (\time() + $expiry);
|
2020-02-23 21:58:11 +13:00
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if (empty($domain->get())) {
|
2021-07-20 04:46:34 +12:00
|
|
|
throw new Exception('Missing domain');
|
|
|
|
}
|
2020-02-23 21:58:11 +13:00
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if (!$domain->isKnown() || $domain->isTest()) {
|
2021-07-20 04:46:34 +12:00
|
|
|
throw new Exception('Unknown public suffix for domain');
|
|
|
|
}
|
2020-02-23 21:58:11 +13:00
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if ($validateTarget) {
|
2021-07-20 04:46:34 +12:00
|
|
|
$target = new Domain(App::getEnv('_APP_DOMAIN_TARGET', ''));
|
2020-03-02 01:04:29 +13:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
if(!$target->isKnown() || $target->isTest()) {
|
|
|
|
throw new Exception('Unreachable CNAME target ('.$target->get().'), please use a domain with a public suffix.');
|
2021-07-16 09:14:52 +12:00
|
|
|
}
|
2021-07-20 04:46:34 +12:00
|
|
|
}
|
2020-02-23 21:58:11 +13:00
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if ($validateCNAME) {
|
2021-07-20 04:46:34 +12:00
|
|
|
$validator = new CNAME($target->get()); // Verify Domain with DNS records
|
2020-02-24 06:45:51 +13:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
if(!$validator->isValid($domain->get())) {
|
|
|
|
throw new Exception('Failed to verify domain DNS records');
|
2021-07-16 09:14:52 +12:00
|
|
|
}
|
2021-07-20 04:46:34 +12:00
|
|
|
}
|
2021-02-19 05:48:11 +13:00
|
|
|
|
2021-08-04 08:22:03 +12:00
|
|
|
$certificate = $dbForConsole->findOne('certificates', [
|
2021-07-20 04:46:34 +12:00
|
|
|
new Query('domain', QUERY::TYPE_EQUAL, [$domain->get()])
|
2021-08-04 08:22:03 +12:00
|
|
|
]);
|
2021-02-19 05:48:11 +13:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
// $condition = ($certificate
|
|
|
|
// && $certificate instanceof Document
|
|
|
|
// && isset($certificate['issueDate'])
|
|
|
|
// && (($certificate['issueDate'] + ($expiry)) > time())) ? 'true' : 'false';
|
2020-02-23 21:58:11 +13:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
// throw new Exception('cert issued at'.date('d.m.Y H:i', $certificate['issueDate']).' | renew date is: '.date('d.m.Y H:i', ($certificate['issueDate'] + ($expiry))).' | condition is '.$condition);
|
2020-02-25 22:21:56 +13:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
$certificate = (!empty($certificate) && $certificate instanceof $certificate) ? $certificate->getArrayCopy() : [];
|
2020-02-25 22:21:56 +13:00
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if (
|
|
|
|
!empty($certificate)
|
2021-07-20 04:46:34 +12:00
|
|
|
&& isset($certificate['issueDate'])
|
2021-09-01 21:13:23 +12:00
|
|
|
&& (($certificate['issueDate'] + ($expiry)) > \time())
|
|
|
|
) { // Check last issue time
|
|
|
|
throw new Exception('Renew isn\'t required');
|
2021-07-20 04:46:34 +12:00
|
|
|
}
|
2021-07-16 09:14:52 +12:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
$staging = (App::isProduction()) ? '' : ' --dry-run';
|
|
|
|
$email = App::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS');
|
2021-07-16 09:14:52 +12:00
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if (empty($email)) {
|
2021-07-20 04:46:34 +12:00
|
|
|
throw new Exception('You must set a valid security email address (_APP_SYSTEM_SECURITY_EMAIL_ADDRESS) to issue an SSL certificate');
|
|
|
|
}
|
2021-07-16 09:14:52 +12:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
$stdout = '';
|
|
|
|
$stderr = '';
|
2021-07-16 09:14:52 +12:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
$exit = Console::execute("certbot certonly --webroot --noninteractive --agree-tos{$staging}"
|
2021-09-01 21:13:23 +12:00
|
|
|
. " --email " . $email
|
|
|
|
. " -w " . APP_STORAGE_CERTIFICATES
|
|
|
|
. " -d {$domain->get()}", '', $stdout, $stderr);
|
2021-07-16 09:14:52 +12:00
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if ($exit !== 0) {
|
|
|
|
throw new Exception('Failed to issue a certificate with message: ' . $stderr);
|
2021-07-20 04:46:34 +12:00
|
|
|
}
|
2021-07-16 09:14:52 +12:00
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
$path = APP_STORAGE_CERTIFICATES . '/' . $domain->get();
|
2021-07-16 09:14:52 +12:00
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if (!\is_readable($path)) {
|
2021-07-20 04:46:34 +12:00
|
|
|
if (!\mkdir($path, 0755, true)) {
|
|
|
|
throw new Exception('Failed to create path...');
|
2021-07-16 09:14:52 +12:00
|
|
|
}
|
2021-07-20 04:46:34 +12:00
|
|
|
}
|
|
|
|
|
|
|
|
if(!@\rename('/etc/letsencrypt/live/'.$domain->get().'/cert.pem', APP_STORAGE_CERTIFICATES.'/'.$domain->get().'/cert.pem')) {
|
|
|
|
throw new Exception('Failed to rename certificate cert.pem: '.\json_encode($stdout));
|
|
|
|
}
|
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if (!@\rename('/etc/letsencrypt/live/' . $domain->get() . '/chain.pem', APP_STORAGE_CERTIFICATES . '/' . $domain->get() . '/chain.pem')) {
|
|
|
|
throw new Exception('Failed to rename certificate chain.pem: ' . \json_encode($stdout));
|
2021-07-20 04:46:34 +12:00
|
|
|
}
|
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if (!@\rename('/etc/letsencrypt/live/' . $domain->get() . '/fullchain.pem', APP_STORAGE_CERTIFICATES . '/' . $domain->get() . '/fullchain.pem')) {
|
|
|
|
throw new Exception('Failed to rename certificate fullchain.pem: ' . \json_encode($stdout));
|
2021-07-20 04:46:34 +12:00
|
|
|
}
|
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if (!@\rename('/etc/letsencrypt/live/' . $domain->get() . '/privkey.pem', APP_STORAGE_CERTIFICATES . '/' . $domain->get() . '/privkey.pem')) {
|
|
|
|
throw new Exception('Failed to rename certificate privkey.pem: ' . \json_encode($stdout));
|
2021-07-20 04:46:34 +12:00
|
|
|
}
|
|
|
|
|
|
|
|
$certificate = new Document(\array_merge($certificate, [
|
|
|
|
'domain' => $domain->get(),
|
|
|
|
'issueDate' => \time(),
|
|
|
|
'renewDate' => $renew,
|
|
|
|
'attempts' => 0,
|
|
|
|
'log' => \json_encode($stdout),
|
|
|
|
]));
|
|
|
|
|
|
|
|
$certificate = $dbForConsole->createDocument('certificates', $certificate);
|
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if (!$certificate) {
|
2021-07-20 04:46:34 +12:00
|
|
|
throw new Exception('Failed saving certificate to DB');
|
|
|
|
}
|
|
|
|
|
|
|
|
if(!empty($document)) {
|
|
|
|
$certificate = new Document(\array_merge($document, [
|
|
|
|
'updated' => \time(),
|
|
|
|
'certificateId' => $certificate->getId(),
|
|
|
|
]));
|
2021-07-16 09:14:52 +12:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
$certificate = $dbForConsole->updateDocument('certificates', $certificate->getId(), $certificate);
|
2021-07-16 09:14:52 +12:00
|
|
|
|
2021-07-20 04:46:34 +12:00
|
|
|
if(!$certificate) {
|
|
|
|
throw new Exception('Failed saving domain to DB');
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
$config =
|
|
|
|
"tls:
|
|
|
|
certificates:
|
|
|
|
- certFile: /storage/certificates/{$domain->get()}/fullchain.pem
|
|
|
|
keyFile: /storage/certificates/{$domain->get()}/privkey.pem";
|
|
|
|
|
2021-09-01 21:13:23 +12:00
|
|
|
if (!\file_put_contents(APP_STORAGE_CONFIG . '/' . $domain->get() . '.yml', $config)) {
|
2021-07-20 04:46:34 +12:00
|
|
|
throw new Exception('Failed to save SSL configuration');
|
|
|
|
}
|
|
|
|
|
|
|
|
ResqueScheduler::enqueueAt($renew + $safety, 'v1-certificates', 'CertificatesV1', [
|
|
|
|
'document' => [],
|
|
|
|
'domain' => $domain->get(),
|
|
|
|
'validateTarget' => $validateTarget,
|
|
|
|
'validateCNAME' => $validateCNAME,
|
|
|
|
]); // Async task rescheduale
|
|
|
|
|
|
|
|
Authorization::reset();
|
2020-02-23 21:58:11 +13:00
|
|
|
}
|
|
|
|
|
2021-06-12 02:20:18 +12:00
|
|
|
public function shutdown(): void
|
2020-02-23 21:58:11 +13:00
|
|
|
{
|
|
|
|
}
|
2021-09-01 21:13:23 +12:00
|
|
|
}
|