diff --git a/letsEncrypt.js b/letsEncrypt.js index e9448414..5a1e0b07 100644 --- a/letsEncrypt.js +++ b/letsEncrypt.js @@ -12,58 +12,90 @@ /*jshint node: true */ /*jshint strict: false */ /*jshint esversion: 6 */ -"use strict"; +'use strict'; -module.exports.CreateLetsEncrypt = function (parent) { +module.exports.CreateLetsEncrypt = function(parent) { try { + parent.debug('cert', "Initializing Let's Encrypt support"); + + // Check the current node version + if (Number(process.version.match(/^v(\d+\.\d+)/)[1]) < 8) { return null; } + // Try to delete the "./ursa-optional" or "./node_modules/ursa-optional" folder if present. // This is an optional module that GreenLock uses that causes issues. try { const fs = require('fs'); - if (fs.existsSync(obj.path.join(__dirname, 'ursa-optional'))) { fs.unlinkSync(obj.path.join(__dirname, 'ursa-optional')); } - if (fs.existsSync(obj.path.join(__dirname, 'node_modules', 'ursa-optional'))) { fs.unlinkSync(obj.path.join(__dirname, 'node_modules', 'ursa-optional')); } + if (fs.existsSync(parent.path.join(__dirname, 'ursa-optional'))) { fs.unlinkSync(obj.path.join(__dirname, 'ursa-optional')); } + if (fs.existsSync(parent.path.join(__dirname, 'node_modules', 'ursa-optional'))) { fs.unlinkSync(obj.path.join(__dirname, 'node_modules', 'ursa-optional')); } } catch (ex) { } // Get GreenLock setup and running. const greenlock = require('greenlock'); var obj = {}; obj.parent = parent; + obj.path = require('path'); obj.redirWebServerHooked = false; obj.leDomains = null; obj.leResults = null; + obj.performRestart = false; // Setup the certificate storage paths - obj.configPath = obj.parent.path.join(obj.parent.datapath, 'letsencrypt'); - obj.webrootPath = obj.parent.path.join(obj.parent.datapath, 'letsencrypt', 'webroot'); + obj.configPath = obj.path.join(obj.parent.datapath, 'letsencrypt'); try { obj.parent.fs.mkdirSync(obj.configPath); } catch (e) { } - try { obj.parent.fs.mkdirSync(obj.webrootPath); } catch (e) { } - // Storage Backend, store data in the "meshcentral-data/letencrypt" folder. - var leStore = require('le-store-certbot').create({ configDir: obj.configPath, webrootPath: obj.webrootPath, debug: obj.parent.args.debug > 0 }); - - // ACME Challenge Handlers - var leHttpChallenge = require('le-challenge-fs').create({ webrootPath: obj.webrootPath, debug: obj.parent.args.debug > 0 }); - - // Function to agree to terms of service - function leAgree(opts, agreeCb) { agreeCb(null, opts.tosUrl); } + // Setup Let's Encrypt default configuration + obj.leDefaults = { + agreeToTerms: true, + //serverKeyType: 'RSA-2048', // Seems like only "RSA-2048" or "P-256" is supported. + store: { + module: 'greenlock-store-fs', + basePath: obj.configPath + } + }; + // Get package and maintainer email + const pkg = require('./package.json'); + var maintainerEmail = null; + if (typeof pkg.author == 'string') { + // Older NodeJS + maintainerEmail = pkg.author; + var i = maintainerEmail.indexOf('<'); + if (i >= 0) { maintainerEmail = maintainerEmail.substring(i + 1); } + var i = maintainerEmail.indexOf('>'); + if (i >= 0) { maintainerEmail = maintainerEmail.substring(0, i); } + } else if (typeof pkg.author == 'object') { + // Latest NodeJS + maintainerEmail = pkg.author.email; + } + // Create the main GreenLock code module. var greenlockargs = { - version: 'draft-12', - server: (obj.parent.config.letsencrypt.production === true) ? 'https://acme-v02.api.letsencrypt.org/directory' : 'https://acme-staging-v02.api.letsencrypt.org/directory', - store: leStore, - challenges: { 'http-01': leHttpChallenge }, - challengeType: 'http-01', - agreeToTerms: leAgree, - debug: obj.parent.args.debug > 0 + parent: obj, + packageRoot: __dirname, + packageAgent: pkg.name + '/' + pkg.version, + manager: obj.path.join(__dirname, 'letsencrypt.js'), + maintainerEmail: maintainerEmail, + notify: function (ev, args) { if (typeof args == 'string') { parent.debug('cert', ev + ': ' + args); } else { parent.debug('cert', ev + ': ' + JSON.stringify(args)); } }, + staging: (obj.parent.config.letsencrypt.production !== true), + debug: (obj.parent.args.debug > 0) }; + if (obj.parent.args.debug == null) { greenlockargs.log = function (debug) { }; } // If not in debug mode, ignore all console output from greenlock (makes things clean). obj.le = greenlock.create(greenlockargs); // Hook up GreenLock to the redirection server - if (obj.parent.redirserver.port == 80) { obj.parent.redirserver.app.use('/', obj.le.middleware()); obj.redirWebServerHooked = true; } + if (obj.parent.redirserver.port == 80) { obj.redirWebServerHooked = true; } + + // Respond to a challenge + obj.challenge = function (token, hostname, func) { + parent.debug('cert', "Challenge " + hostname + "/" + token); + obj.le.challenges.get({ type: 'http-01', servername: hostname, token: token }) + .then(function (results) { func(results.keyAuthorization); }) + .catch(function (e) { console.log('LE-ERROR', e); func(null); }); // unexpected error, not related to renewal + } obj.getCertificate = function (certs, func) { + parent.debug('cert', "Getting certs from local store"); if (certs.CommonName.indexOf('.') == -1) { console.log("ERROR: Use --cert to setup the default server name before using Let's Encrypt."); func(certs); return; } if (obj.parent.config.letsencrypt == null) { func(certs); return; } if (obj.parent.config.letsencrypt.email == null) { console.log("ERROR: Let's Encrypt email address not specified."); func(certs); return; } @@ -72,7 +104,7 @@ module.exports.CreateLetsEncrypt = function (parent) { if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { console.log("ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."); func(certs); return; } // Get the list of domains - obj.leDomains = [certs.CommonName]; + obj.leDomains = [ certs.CommonName ]; if (obj.parent.config.letsencrypt.names != null) { if (typeof obj.parent.config.letsencrypt.names == 'string') { obj.parent.config.letsencrypt.names = obj.parent.config.letsencrypt.names.split(','); } obj.parent.config.letsencrypt.names.map(function (s) { return s.trim(); }); // Trim each name @@ -81,67 +113,95 @@ module.exports.CreateLetsEncrypt = function (parent) { obj.leDomains.sort(); // Sort the array so it's always going to be in the same order. } - obj.le.check({ domains: obj.leDomains }).then(function (results) { - if (results) { - obj.leResults = results; + // Get altnames + obj.altnames = []; + obj.servername = certs.CommonName; + for (var i in obj.leDomains) { if (obj.leDomains[i] != certs.CommonName) { obj.altnames.push(obj.leDomains[i]); } } + // Get the Let's Encrypt certificate from our own storage + obj.le.get({ servername: certs.CommonName }) + .then(function (results) { // If we already have real certificates, use them. - if (results.altnames.indexOf(certs.CommonName) >= 0) { - certs.web.cert = results.cert; - certs.web.key = results.privkey; - certs.web.ca = [results.chain]; - } - for (var i in obj.parent.config.domains) { - if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(results.altnames, obj.parent.config.domains[i].dns))) { - certs.dns[i].cert = results.cert; - certs.dns[i].key = results.privkey; - certs.dns[i].ca = [results.chain]; + if (results) { + if (results.site.altnames.indexOf(certs.CommonName) >= 0) { + certs.web.cert = results.pems.cert; + certs.web.key = results.pems.privkey; + certs.web.ca = [results.pems.chain]; + } + for (var i in obj.parent.config.domains) { + if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(results.site.altnames, obj.parent.config.domains[i].dns))) { + certs.dns[i].cert = results.pems.cert; + certs.dns[i].key = results.pems.privkey; + certs.dns[i].ca = [results.pems.chain]; + } } } + parent.debug('cert', "Got certs from local store"); func(certs); // Check if the Let's Encrypt certificate needs to be renewed. setTimeout(obj.checkRenewCertificate, 60000); // Check in 1 minute. setInterval(obj.checkRenewCertificate, 86400000); // Check again in 24 hours and every 24 hours. return; - } else { - // Otherwise return default certificates and try to get a real one + }) + .catch(function (e) { + parent.debug('cert', "Unable to get certs from local store"); + setTimeout(obj.checkRenewCertificate, 10000); // Check the certificate in 10 seconds. func(certs); - } - console.log("Attempting to get Let's Encrypt certificate, may take a few minutes..."); - - // Figure out the RSA key size - var rsaKeySize = (obj.parent.config.letsencrypt.rsakeysize === 2048) ? 2048 : 3072; - - // TODO: Only register on one of the peers if multi-peers are active. - // Register Certificate manually - obj.le.register({ - domains: obj.leDomains, - email: obj.parent.config.letsencrypt.email, - agreeTos: true, - rsaKeySize: rsaKeySize, - challengeType: 'http-01', - renewWithin: 45 * 24 * 60 * 60 * 1000, // Certificate renewal may begin at this time (45 days) - renewBy: 60 * 24 * 60 * 60 * 1000 // Certificate renewal should happen by this time (60 days) - }).then(function (xresults) { - obj.parent.performServerCertUpdate(); // Reset the server, TODO: Reset all peers - }, function (err) { - console.error("ERROR: Let's encrypt error: ", err); }); - }); - }; + } // Check if we need to renew the certificate, call this every day. obj.checkRenewCertificate = function () { - if (obj.leResults == null) { return; } - // TODO: Only renew on one of the peers if multi-peers are active. - // Check if we need to renew the certificate - obj.le.renew({ duplicate: false, domains: obj.leDomains, email: obj.parent.config.letsencrypt.email }, obj.leResults).then(function (xresults) { - obj.parent.performServerCertUpdate(); // Reset the server, TODO: Reset all peers - }, function (err) { }); // If we can't renew, ignore. - }; + parent.debug('cert', "Checking certs"); + + // Setup renew options + var renewOptions = { servername: obj.servername }; + if (obj.altnames.length > 0) { renewOptions.altnames = obj.altnames; } + obj.le.renew(renewOptions) + .then(function (results) { + parent.debug('cert', "Checks completed"); + if (obj.performRestart === true) { parent.debug('cert', "Certs changed, restarting..."); obj.parent.performServerCertUpdate(); } // Reset the server, TODO: Reset all peers + }) + .catch(function (e) { console.log(e); func(certs); }); + } return obj; } catch (ex) { console.log(ex); } // Unable to start Let's Encrypt return null; +}; + +// GreenLock v3 Manager +module.exports.create = function (options) { + var manager = { parent: options.parent }; + manager.find = async function (options) { + //console.log('LE-FIND', options); + return Promise.resolve([ { subject: options.servername, altnames: options.altnames } ]); + }; + + manager.set = function (options) { + manager.parent.parent.debug('cert', "Certificate has been set"); + manager.parent.performRestart = true; + return null; + }; + + manager.remove = function (options) { + manager.parent.parent.debug('cert', "Certificate has been removed"); + manager.parent.performRestart = true; + return null; + }; + + // set the global config + manager.defaults = async function (options) { + //console.log('LE-DEFAULTS', options); + if (options != null) { for (var i in options) { if (manager.parent.leDefaults[i] == null) { manager.parent.leDefaults[i] = options[i]; } } } + var r = manager.parent.leDefaults; + var mainsite = { subject: manager.parent.servername }; + if (manager.parent.altnames.length > 0) { mainsite.altnames = manager.parent.altnames; } + r.subscriberEmail = manager.parent.parent.config.letsencrypt.email; + r.sites = { mainsite: mainsite }; + return r; + }; + + return manager; }; \ No newline at end of file diff --git a/meshcentral.js b/meshcentral.js index bc2b363b..35a8cc74 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -1935,7 +1935,14 @@ function InstallModules(modules, func) { // Modules may contain a version tag (foobar@1.0.0), remove it so the module can be found using require var moduleName = modules[i].split("@", 1)[0]; try { - require(moduleName); + if (moduleName == 'greenlock') { + // Check if we have GreenLock v3 + delete require.cache[require.resolve('greenlock')]; // Clear the require cache + if (typeof require('greenlock').challengeType == 'string') { missingModules.push(modules[i]); } + } else { + // For all other modules, do the check here. + require(moduleName); + } } catch (e) { if (previouslyInstalledModules[modules[i]] !== true) { missingModules.push(modules[i]); } } @@ -2001,20 +2008,21 @@ function mainStart() { if (config.domains[i].auth == 'ldap') { ldap = true; } } + // Get the current node version + var nodeVersion = Number(process.version.match(/^v(\d+\.\d+)/)[1]); + // Build the list of required modules var modules = ['ws', 'cbor', 'nedb', 'https', 'yauzl', 'xmldom', 'ipcheck', 'express', 'archiver', 'multiparty', 'node-forge', 'express-ws', 'compression', 'body-parser', 'connect-redis', 'cookie-session', 'express-handlebars']; if (require('os').platform() == 'win32') { modules.push('node-windows'); if (sspi == true) { modules.push('node-sspi'); } } // Add Windows modules if (ldap == true) { modules.push('ldapauth-fork'); } - if (config.letsencrypt != null) { modules.push('greenlock@2.8.8'); modules.push('le-store-certbot'); modules.push('le-challenge-fs'); modules.push('le-acme-core'); } // Add Greenlock Modules + //if (config.letsencrypt != null) { modules.push('greenlock@2.8.8'); modules.push('le-store-certbot'); modules.push('le-challenge-fs'); modules.push('le-acme-core'); } // Add Greenlock Modules + if (config.letsencrypt != null) { if (nodeVersion < 8) { console.log("WARNING: Let's Encrypt support requires Node v8 or higher."); } else { modules.push('greenlock'); } } // Add Greenlock Module if (config.settings.mqtt != null) { modules.push('aedes'); } // Add MQTT Modules if (config.settings.mongodb != null) { modules.push('mongodb'); } // Add MongoDB, official driver. if (config.settings.vault != null) { modules.push('node-vault'); } // Add official HashiCorp's Vault module. else if (config.settings.xmongodb != null) { modules.push('mongojs'); } // Add MongoJS, old driver. if (config.smtp != null) { modules.push('nodemailer'); } // Add SMTP support - // Get the current node version - var nodeVersion = Number(process.version.match(/^v(\d+\.\d+)/)[1]); - // If running NodeJS < 8, install "util.promisify" if (nodeVersion < 8) { modules.push('util.promisify'); } @@ -2027,7 +2035,7 @@ function mainStart() { if (yubikey == true) { modules.push('yubikeyotp'); } // Add YubiKey OTP support if (allsspi == false) { modules.push('otplib'); } // Google Authenticator support } - + // Install any missing modules and launch the server InstallModules(modules, function () { meshserver = CreateMeshCentralServer(config, args); meshserver.Start(); }); diff --git a/package.json b/package.json index 36f67ed9..92f1c684 100644 --- a/package.json +++ b/package.json @@ -1,10 +1,6 @@ { "name": "meshcentral", -<<<<<<< HEAD - "version": "0.4.3-t", -======= - "version": "0.4.3-w", ->>>>>>> b8ca6da3db12bf23b94068970eaf63ec22cb391e + "version": "0.4.3-z", "keywords": [ "Remote Management", "Intel AMT", @@ -34,7 +30,7 @@ "dependencies": { "archiver": "^3.0.0", "body-parser": "^1.19.0", - "cbor": "4.1.5", + "cbor": "^4.1.5", "compression": "^1.7.4", "connect-redis": "^3.4.1", "cookie-session": "^2.0.0-beta.3", diff --git a/redirserver.js b/redirserver.js index 56fb019d..9b9e3da5 100644 --- a/redirserver.js +++ b/redirserver.js @@ -23,11 +23,12 @@ module.exports.CreateRedirServer = function (parent, db, args, func) { obj.db = db; obj.args = args; obj.certificates = null; - obj.express = require("express"); - obj.net = require("net"); + obj.express = require('express'); + obj.net = require('net'); obj.app = obj.express(); obj.tcpServer = null; obj.port = null; + const leChallengePrefix = '/.well-known/acme-challenge/'; // Perform an HTTP to HTTPS redirection function performRedirection(req, res) { @@ -49,14 +50,14 @@ module.exports.CreateRedirServer = function (parent, db, args, func) { */ // Renter the terms of service. - obj.app.get("/MeshServerRootCert.cer", function (req, res) { + obj.app.get('/MeshServerRootCert.cer', function (req, res) { // The redirection server starts before certificates are loaded, make sure to handle the case where no certificate is loaded now. if (obj.certificates != null) { - res.set({ "Cache-Control": "no-cache, no-store, must-revalidate", "Pragma": "no-cache", "Expires": "0", "Content-Type": "application/octet-stream", "Content-Disposition": "attachment; filename=\"" + obj.certificates.RootName + ".cer\"" }); + res.set({ 'Cache-Control': "no-cache, no-store, must-revalidate", "Pragma": "no-cache", "Expires": "0", "Content-Type": "application/octet-stream", "Content-Disposition": "attachment; filename=\"" + obj.certificates.RootName + ".cer\"" }); var rootcert = obj.certificates.root.cert; - var i = rootcert.indexOf("-----BEGIN CERTIFICATE-----\r\n"); + var i = rootcert.indexOf('-----BEGIN CERTIFICATE-----\r\n'); if (i >= 0) { rootcert = rootcert.substring(i + 29); } - i = rootcert.indexOf("-----END CERTIFICATE-----"); + i = rootcert.indexOf('-----END CERTIFICATE-----'); if (i >= 0) { rootcert = rootcert.substring(i, 0); } res.send(Buffer.from(rootcert, "base64")); } else { @@ -66,9 +67,17 @@ module.exports.CreateRedirServer = function (parent, db, args, func) { // Add HTTP security headers to all responses obj.app.use(function (req, res, next) { - res.removeHeader("X-Powered-By"); - res.set({ "strict-transport-security": "max-age=60000; includeSubDomains", "Referrer-Policy": "no-referrer", "x-frame-options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src http: ws: \"self\" \"unsafe-inline\"" }); - return next(); + parent.debug('webrequest', req.url + ' (RedirServer)'); + res.removeHeader('X-Powered-By'); + + if ((parent.letsencrypt != null) && (req.url.startsWith(leChallengePrefix))) { + // Let's Encrypt Support + parent.letsencrypt.challenge(req.url.slice(leChallengePrefix.length), getCleanHostname(req), function (response) { if (response == null) { res.sendStatus(404); } else { res.send(response); } }); + } else { + // Everything else + res.set({ 'strict-transport-security': "max-age=60000; includeSubDomains", "Referrer-Policy": "no-referrer", "x-frame-options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src http: ws: \"self\" \"unsafe-inline\"" }); + return next(); + } }); // Once the main web server is started, call this to hookup additional handlers @@ -125,6 +134,17 @@ module.exports.CreateRedirServer = function (parent, db, args, func) { }); } + // Get the remote hostname correctly + const servernameRe = /^[a-z0-9\.\-]+$/i; + function getHostname(req) { return req.hostname || req.headers['x-forwarded-host'] || (req.headers.host || ''); }; + function getCleanHostname(req) { + var servername = getHostname(req).toLowerCase().replace(/:.*/, ''); + try { req.hostname = servername; } catch (e) { } // read-only express property + if (req.headers['x-forwarded-host']) { req.headers['x-forwarded-host'] = servername; } + try { req.headers.host = servername; } catch (e) { } + return (servernameRe.test(servername) && -1 === servername.indexOf('..') && servername) || ''; + }; + CheckListenPort(args.redirport, StartRedirServer); return obj;