mirrors/coyote
1
0
Fork 0
mirror of https://github.com/zerotier/coyote.git synced 2024-11-25 04:33:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
coyote/examples/acmed.rs
Erik Hollensbe e940f7eac8
move acmed to examples so it isn't automatically installed 
Signed-off-by: Erik Hollensbe <git@hollensbe.org>
2022-02-17 02:56:38 -08:00

146 lines
4.4 KiB
Rust
Raw Blame History

use std::{
io::Write,
ops::Add,
time::{Duration, SystemTime},
};
use openssl::{
error::ErrorStack,
pkey::{PKey, Private},
rsa::Rsa,
x509::{X509Extension, X509Name, X509Req},
};
use coyote::{
acme::{
ca::{CACollector, CA},
challenge::Challenger,
handlers::{configure_routes, ServiceState},
PostgresNonceValidator,
},
models::Postgres,
};
use ratpack::prelude::*;
const CHALLENGE_EXPIRATION: i64 = 600;
#[tokio::main]
async fn main() -> Result<(), ServerError> {
// set HOSTNAME in your environment to something your webserver or certbot can hit; otherwise
// it will be 'localhost'. a cert will be generated with this name to serve the service with.
// This is really important.
let dnsname = &std::env::var("HOSTNAME").unwrap_or("localhost".to_string());
env_logger::builder()
.filter_level(log::LevelFilter::Info)
.init();
//
// to start a database to work with me:
//
// make postgres
//
let pg = Postgres::new("host=localhost dbname=coyote user=postgres", 10)
.await
.unwrap();
pg.migrate().await.unwrap();
let c = Challenger::new(Some(chrono::Duration::seconds(CHALLENGE_EXPIRATION)));
let ca = CACollector::new(Duration::MAX);
let pg2 = pg.clone();
let c2 = c.clone();
// FIXME probably need something magical with signals here to manage shutdown that I don't want to think about yet
tokio::spawn(async move {
loop {
// FIXME whitelist all challenge requests. This is not how ACME is supposed to work. You have to write this.
c2.tick(|_c| Some(())).await;
// NOTE this will explode violently if it unwraps to error, e.g. if the db goes down.
c2.reconcile(pg2.clone()).await.unwrap();
tokio::time::sleep(Duration::new(1, 0)).await;
}
});
let mut ca2 = ca.clone();
let (csr, key) = generate_csr(dnsname)?;
let test_ca = CA::new_test_ca().unwrap();
let cert = test_ca.generate_and_sign_cert(
csr,
SystemTime::now(),
SystemTime::now().add(Duration::from_secs(365 * 24 * 60 * 60)),
)?;
let test_ca2 = test_ca.clone();
tokio::spawn(async move {
// after CA generation, write out the key and certificate
let mut buf = std::fs::File::create("ca.key").unwrap();
let private = test_ca
.clone()
.private_key()
.private_key_to_pem_pkcs8()
.unwrap();
buf.write(&private).unwrap();
let mut buf = std::fs::File::create("ca.pem").unwrap();
let cert = test_ca.clone().certificate().to_pem().unwrap();
buf.write(&cert).unwrap();
ca2.spawn_collector(|| -> Result<CA, ErrorStack> { Ok(test_ca.clone()) })
.await
});
let validator = PostgresNonceValidator::new(pg.clone());
let ss = ServiceState::new(
format!("https://{}:8000", dnsname),
pg.clone(),
c,
ca,
validator,
)?;
let mut app = App::with_state(ss);
configure_routes(&mut app, None);
let key = key.private_key_to_der()?;
let config = rustls::ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(
vec![
rustls::Certificate(cert.to_der()?),
rustls::Certificate(test_ca2.certificate().to_der()?),
],
rustls::PrivateKey(key),
)?;
Ok(app.serve_tls("0.0.0.0:8000", config).await?)
}
fn generate_csr(dnsname: &str) -> Result<(X509Req, Rsa<Private>), ErrorStack> {
log::info!("hostname: {}", dnsname);
let mut namebuilder = X509Name::builder().unwrap();
namebuilder.append_entry_by_text("CN", dnsname).unwrap();
let mut req = X509Req::builder().unwrap();
req.set_subject_name(&namebuilder.build()).unwrap();
let mut extensions = openssl::stack::Stack::new()?;
extensions.push(X509Extension::new(
None,
Some(&req.x509v3_context(None)),
"subjectAltName",
&format!("DNS:{}", dnsname),
)?)?;
req.add_extensions(&extensions)?;
req.set_version(2)?;
let key = Rsa::generate(4096).unwrap();
// FIXME there has to be a much better way of doing this!
let pubkey = PKey::public_key_from_pem(&key.public_key_to_pem().unwrap()).unwrap();
req.set_pubkey(&pubkey).unwrap();
Ok((req.build(), key))
}
Reference in a new issue View git blame Copy permalink