diff --git a/MeshCentralServer.njsproj b/MeshCentralServer.njsproj
index a4ae82ff..37074514 100644
--- a/MeshCentralServer.njsproj
+++ b/MeshCentralServer.njsproj
@@ -316,6 +316,7 @@
+
@@ -325,6 +326,7 @@
+
diff --git a/letsEncrypt.js b/letsEncrypt.js
index 52bda2b8..6d1ece11 100644
--- a/letsEncrypt.js
+++ b/letsEncrypt.js
@@ -14,8 +14,8 @@
/*jshint esversion: 6 */
'use strict';
+// GreenLock Implementation
var globalLetsEncrypt = null;
-
module.exports.CreateLetsEncrypt = function (parent) {
try {
// Get the GreenLock version
@@ -44,6 +44,7 @@ module.exports.CreateLetsEncrypt = function (parent) {
var obj = {};
globalLetsEncrypt = obj;
obj.parent = parent;
+ obj.lib = 'greenlock';
obj.path = require('path');
obj.redirWebServerHooked = false;
obj.leDomains = null;
@@ -322,4 +323,197 @@ module.exports.create = function (options) {
};
return manager;
-};
\ No newline at end of file
+};
+
+
+// ACME-Client Implementation
+var globalLetsEncrypt = null;
+module.exports.CreateLetsEncrypt2 = function (parent) {
+ const acme = require('acme-client');
+
+ var obj = {};
+ obj.lib = 'acme-client';
+ obj.fs = require('fs');
+ obj.path = require('path');
+ obj.parent = parent;
+ obj.forge = obj.parent.certificateOperations.forge;
+ obj.leDomains = null;
+ obj.challenges = {};
+ obj.runAsProduction = false;
+ obj.redirWebServerHooked = false;
+
+ // Setup the certificate storage paths
+ obj.certPath = obj.path.join(obj.parent.datapath, 'letsencrypt-certs');
+ try { obj.parent.fs.mkdirSync(obj.certPath); } catch (e) { }
+
+ // Hook up GreenLock to the redirection server
+ if (obj.parent.config.settings.rediraliasport === 80) { obj.redirWebServerHooked = true; }
+ else if ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port == 80)) { obj.redirWebServerHooked = true; }
+
+ // Deal with HTTP challenges
+ function challengeCreateFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { obj.challenges[challenge.token] = keyAuthorization; } }
+ function challengeRemoveFn(authz, challenge, keyAuthorization) { if (challenge.type === 'http-01') { delete obj.challenges[challenge.token]; } }
+ obj.challenge = function (token, hostname, func) { func(obj.challenges[token]); }
+
+ // Get the current certificate
+ obj.getCertificate = function(certs, func) {
+ obj.runAsProduction = (obj.parent.config.letsencrypt.production === true);
+ parent.debug('cert', "LE: Getting certs from local store (" + (obj.runAsProduction ? "Production" : "Staging") + ")");
+ if (certs.CommonName.indexOf('.') == -1) { console.log("ERROR: Use --cert to setup the default server name before using Let's Encrypt."); func(certs); return; }
+ if (obj.parent.config.letsencrypt == null) { func(certs); return; }
+ if (obj.parent.config.letsencrypt.email == null) { console.log("ERROR: Let's Encrypt email address not specified."); func(certs); return; }
+ if ((obj.parent.redirserver == null) || ((typeof obj.parent.config.settings.rediraliasport === 'number') && (obj.parent.config.settings.rediraliasport !== 80)) || ((obj.parent.config.settings.rediraliasport == null) && (obj.parent.redirserver.port !== 80))) { console.log("ERROR: Redirection web server must be active on port 80 for Let's Encrypt to work."); func(certs); return; }
+ if (obj.redirWebServerHooked !== true) { console.log("ERROR: Redirection web server not setup for Let's Encrypt to work."); func(certs); return; }
+ if ((obj.parent.config.letsencrypt.rsakeysize != null) && (obj.parent.config.letsencrypt.rsakeysize !== 2048) && (obj.parent.config.letsencrypt.rsakeysize !== 3072)) { console.log("ERROR: Invalid Let's Encrypt certificate key size, must be 2048 or 3072."); func(certs); return; }
+
+ // Get the list of domains
+ obj.leDomains = [ certs.CommonName ];
+ if (obj.parent.config.letsencrypt.names != null) {
+ if (typeof obj.parent.config.letsencrypt.names == 'string') { obj.parent.config.letsencrypt.names = obj.parent.config.letsencrypt.names.split(','); }
+ obj.parent.config.letsencrypt.names.map(function (s) { return s.trim(); }); // Trim each name
+ if ((typeof obj.parent.config.letsencrypt.names != 'object') || (obj.parent.config.letsencrypt.names.length == null)) { console.log("ERROR: Let's Encrypt names must be an array in config.json."); func(certs); return; }
+ obj.leDomains = obj.parent.config.letsencrypt.names;
+ }
+
+ // Read TLS certificate from the configPath
+ var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt'));
+ var keyFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.key' : 'staging.key'));
+ if (obj.fs.existsSync(certFile) && obj.fs.existsSync(keyFile)) {
+ parent.debug('cert', "LE: Reading certificate files");
+
+ // Read the certificate and private key
+ var certPem = obj.fs.readFileSync(certFile).toString('utf8');
+ var cert = obj.forge.pki.certificateFromPem(certPem);
+ var keyPem = obj.fs.readFileSync(keyFile).toString('utf8');
+ var key = obj.forge.pki.privateKeyFromPem(keyPem);
+
+ // Decode the certificate common and alt names
+ obj.certNames = [cert.subject.getField('CN').value];
+ var altNames = cert.getExtension('subjectAltName');
+ if (altNames) { for (i = 0; i < altNames.altNames.length; i++) { var acn = altNames.altNames[i].value.toLowerCase(); if (obj.certNames.indexOf(acn) == -1) { obj.certNames.push(acn); } } }
+
+ // Decode the certificate expire time
+ obj.certExpire = cert.validity.notAfter;
+
+ // Use this certificate when possible on any domain
+ if (obj.certNames.indexOf(certs.CommonName) >= 0) {
+ certs.web.cert = certPem;
+ certs.web.key = keyPem;
+ //certs.web.ca = [results.pems.chain];
+ }
+ for (var i in obj.parent.config.domains) {
+ if ((obj.parent.config.domains[i].dns != null) && (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.parent.config.domains[i].dns))) {
+ certs.dns[i].cert = certPem;
+ certs.dns[i].key = keyPem;
+ //certs.dns[i].ca = [results.pems.chain];
+ }
+ }
+ } else {
+ parent.debug('cert', "LE: No certificate files found");
+ }
+ func(certs);
+ obj.checkRenewCertificate();
+ }
+
+ // Check if we need to get a new certificate
+ // Return 0 = CertOK, 1 = Request:NoCert, 2 = Request:Expire, 3 = Request:MissingNames
+ obj.checkRenewCertificate = function () {
+ parent.debug('cert', "LE: Checking certificate");
+ if (obj.certNames == null) {
+ parent.debug('cert', "LE: Got no certificates, asking for one now.");
+ obj.requestCertificate();
+ return 1;
+ } else {
+ // Look at the existing certificate to see if we need to renew it
+ var daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000);
+ parent.debug('cert', "LE: Certificate has " + daysLeft + " day(s) left.");
+ if (daysLeft < 45) {
+ parent.debug('cert', "LE: Asking for new certificate because of expire time.");
+ obj.requestCertificate();
+ return 2;
+ } else {
+ var missingDomain = false;
+ for (var i in obj.leDomains) {
+ if (obj.parent.certificateOperations.compareCertificateNames(obj.certNames, obj.leDomains[i]) == false) {
+ parent.debug('cert', "LE: Missing name " + obj.leDomains[i] + ".");
+ missingDomain = true;
+ }
+ }
+ if (missingDomain) {
+ parent.debug('cert', "LE: Asking for new certificate because of missing names.");
+ obj.requestCertificate();
+ return 3;
+ } else {
+ parent.debug('cert', "LE: Certificate is ok.");
+ }
+ }
+ }
+ return 0;
+ }
+
+ obj.requestCertificate = function () {
+ // Create a private key
+ parent.debug('cert', "LE: Generating private key...");
+ acme.forge.createPrivateKey().then(function (accountKey) {
+ // Create the ACME client
+ parent.debug('cert', "LE: Setting up ACME client...");
+ obj.client = new acme.Client({
+ directoryUrl: obj.runAsProduction ? acme.directory.letsencrypt.production : acme.directory.letsencrypt.staging,
+ accountKey: accountKey
+ });
+
+ // Create Certificate Request (CSR)
+ parent.debug('cert', "LE: Creating certificate request...");
+ acme.forge.createCsr({
+ commonName: obj.leDomains[0],
+ altNames: obj.leDomains
+ }).then(function (r) {
+ var csr = r[1];
+ obj.tempPrivateKey = r[0];
+ parent.debug('cert', "LE: Requesting certificate from Let's Encrypt...");
+ obj.client.auto({
+ csr,
+ email: obj.parent.config.letsencrypt.email,
+ termsOfServiceAgreed: true,
+ challengeCreateFn,
+ challengeRemoveFn
+ }).then(function (cert) {
+ parent.debug('cert', "LE: Got certificate.");
+
+ // Save certificate and private key to PEM files
+ var certFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.crt' : 'staging.crt'));
+ var keyFile = obj.path.join(obj.certPath, (obj.runAsProduction ? 'production.key' : 'staging.key'));
+ obj.fs.writeFileSync(certFile, cert);
+ obj.fs.writeFileSync(keyFile, obj.tempPrivateKey);
+ delete obj.tempPrivateKey;
+
+ // Cause a server restart
+ parent.debug('cert', "LE: Performing server restart...");
+ obj.parent.performServerCertUpdate();
+ }, function (err) {
+ parent.debug('cert', "LE: Failed to obtain certificate: " + err.message);
+ });
+ }, function (err) {
+ parent.debug('cert', "LE: Failed to generate certificate request: " + err.message);
+ });
+ }, function (err) {
+ parent.debug('cert', "LE: Failed to generate private key: " + err.message);
+ });
+ }
+
+ // Return the status of this module
+ obj.getStats = function () {
+ var r = {
+ lib: 'acme-client',
+ leDomains: obj.leDomains,
+ challenges: obj.challenges,
+ production: obj.runAsProduction,
+ webServer: obj.redirWebServerHooked,
+ certPath: obj.certPath,
+ };
+ if (obj.certExpire) { r.daysLeft = Math.floor((obj.certExpire - new Date()) / 86400000); }
+ return r;
+ }
+
+ return obj;
+}
\ No newline at end of file
diff --git a/meshcentral.js b/meshcentral.js
index c4f6ac3e..16d19bba 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -1072,7 +1072,11 @@ function CreateMeshCentralServer(config, args) {
obj.StartEx3(certs); // Just use the configured certificates
} else if ((obj.config.letsencrypt != null) && (obj.config.letsencrypt.nochecks == true)) {
// Use Let's Encrypt with no checking
- obj.letsencrypt = require('./letsencrypt.js').CreateLetsEncrypt(obj);
+ if (obj.config.letsencrypt.lib == 'acme-client') {
+ obj.letsencrypt = require('./letsencrypt.js').CreateLetsEncrypt2(obj);
+ } else {
+ obj.letsencrypt = require('./letsencrypt.js').CreateLetsEncrypt(obj);
+ }
obj.letsencrypt.getCertificate(certs, obj.StartEx3); // Use Let's Encrypt with no checking, use at your own risk.
} else {
// Check Let's Encrypt settings
@@ -1084,7 +1088,13 @@ function CreateMeshCentralServer(config, args) {
else if (obj.config.letsencrypt.email.trim() !== obj.config.letsencrypt.email) { leok = false; addServerWarning("Invalid Let's Encrypt email address."); }
else {
var le = require('./letsencrypt.js');
- try { obj.letsencrypt = le.CreateLetsEncrypt(obj); } catch (ex) { }
+ try {
+ if (obj.config.letsencrypt.lib == 'acme-client') {
+ obj.letsencrypt = le.CreateLetsEncrypt2(obj);
+ } else {
+ obj.letsencrypt = le.CreateLetsEncrypt(obj);
+ }
+ } catch (ex) { console.log(ex); }
if (obj.letsencrypt == null) { addServerWarning("Unable to setup GreenLock module."); leok = false; }
}
if (leok == true) {
@@ -2379,7 +2389,7 @@ function mainStart() {
if (require('os').platform() == 'win32') { modules.push('node-windows'); if (sspi == true) { modules.push('node-sspi'); } } // Add Windows modules
if (ldap == true) { modules.push('ldapauth-fork'); }
if (recordingIndex == true) { modules.push('image-size'); } // Need to get the remote desktop JPEG sizes to index the recodring file.
- if (config.letsencrypt != null) { if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push('greenlock@4.0.4'); } } // Add Greenlock Module
+ if (config.letsencrypt != null) { if ((nodeVersion < 10) || (require('crypto').generateKeyPair == null)) { addServerWarning("Let's Encrypt support requires Node v10.12 or higher.", !args.launch); } else { modules.push((config.letsencrypt.lib == 'acme-client') ? 'acme-client' : 'greenlock@4.0.4'); } } // Add Greenlock Module or acme-client module
if (config.settings.mqtt != null) { modules.push('aedes'); } // Add MQTT Modules
if (config.settings.mysql != null) { modules.push('mysql'); } // Add MySQL, official driver.
if (config.settings.mongodb != null) { modules.push('mongodb'); } // Add MongoDB, official driver.
diff --git a/meshuser.js b/meshuser.js
index 45789e60..9bf2d2d8 100644
--- a/meshuser.js
+++ b/meshuser.js
@@ -704,20 +704,26 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (parent.parent.letsencrypt == null) {
r = "Let's Encrypt not in use.";
} else {
- var leinfo = {};
- var greenLockVersion = null;
- try { greenLockVersion = require('greenlock/package.json').version; } catch (ex) { }
- if (greenLockVersion) { leinfo.greenLockVer = greenLockVersion; }
- leinfo.redirWebServerHooked = parent.parent.letsencrypt.redirWebServerHooked;
- leinfo.leDomains = parent.parent.letsencrypt.leDomains;
- leinfo.leResults = parent.parent.letsencrypt.leResults;
- leinfo.leResultsStaging = parent.parent.letsencrypt.leResultsStaging;
- leinfo.performRestart = parent.parent.letsencrypt.performRestart;
- leinfo.performMoveToProduction = parent.parent.letsencrypt.performMoveToProduction;
- leinfo.runAsProduction = parent.parent.letsencrypt.runAsProduction;
- leinfo.leDefaults = parent.parent.letsencrypt.leDefaults;
- leinfo.leDefaultsStaging = parent.parent.letsencrypt.leDefaultsStaging;
- r = JSON.stringify(leinfo, null, 4);
+ if (parent.parent.letsencrypt.lib == 'greenlock') {
+ var leinfo = {};
+ var greenLockVersion = null;
+ try { greenLockVersion = require('greenlock/package.json').version; } catch (ex) { }
+ if (greenLockVersion) { leinfo.greenLockVer = greenLockVersion; }
+ leinfo.redirWebServerHooked = parent.parent.letsencrypt.redirWebServerHooked;
+ leinfo.leDomains = parent.parent.letsencrypt.leDomains;
+ leinfo.leResults = parent.parent.letsencrypt.leResults;
+ leinfo.leResultsStaging = parent.parent.letsencrypt.leResultsStaging;
+ leinfo.performRestart = parent.parent.letsencrypt.performRestart;
+ leinfo.performMoveToProduction = parent.parent.letsencrypt.performMoveToProduction;
+ leinfo.runAsProduction = parent.parent.letsencrypt.runAsProduction;
+ leinfo.leDefaults = parent.parent.letsencrypt.leDefaults;
+ leinfo.leDefaultsStaging = parent.parent.letsencrypt.leDefaultsStaging;
+ r = JSON.stringify(leinfo, null, 4);
+ } else if (parent.parent.letsencrypt.lib == 'acme-client') {
+ r = JSON.stringify(parent.parent.letsencrypt.getStats(), null, 4);
+ } else {
+ r = 'Unknown module';
+ }
}
break;
}
@@ -725,8 +731,14 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (parent.parent.letsencrypt == null) {
r = "Let's Encrypt not in use.";
} else {
- var err = parent.parent.letsencrypt.checkRenewCertificate();
- if (err == null) { r = "Called Let's Encrypt certificate check."; } else { r = err; }
+ if (parent.parent.letsencrypt.lib == 'greenlock') {
+ var err = parent.parent.letsencrypt.checkRenewCertificate();
+ if (err == null) { r = "Called Let's Encrypt certificate check."; } else { r = err; }
+ } else if (parent.parent.letsencrypt.lib == 'acme-client') {
+ r = ["CertOK", "Request:NoCert", "Request:Expire", "Request:MissingNames"][parent.parent.letsencrypt.checkRenewCertificate()];
+ } else {
+ r = 'Unknown module';
+ }
}
break;
}
diff --git a/package.json b/package.json
index 9cdb2225..296d1ba6 100644
--- a/package.json
+++ b/package.json
@@ -28,8 +28,10 @@
"sample-config.json"
],
"dependencies": {
+ "acme-client": "^3.3.1",
"aedes": "^0.40.1",
"archiver": "^3.0.0",
+ "archiver-zip-encrypted": "^1.0.8",
"body-parser": "^1.19.0",
"cbor": "^4.1.5",
"compression": "^1.7.4",
@@ -42,11 +44,15 @@
"ipcheck": "^0.1.0",
"minimist": "^1.2.0",
"multiparty": "^4.2.1",
+ "nacme": "^2.3.8",
"nedb": "^1.8.0",
"node-forge": "^0.8.4",
+ "node-windows": "^1.0.0-beta.1",
+ "otplib": "^12.0.1",
"ws": "^6.2.1",
"xmldom": "^0.1.27",
- "yauzl": "^2.10.0"
+ "yauzl": "^2.10.0",
+ "yubikeyotp": "^0.2.0"
},
"devDependencies": {},
"repository": {