complete upgrade of letsencrypt to ACME v2. resolves #674
@@ -32,33 +32,50 @@ class TrackCertificate < ApplicationRecord
|
|||||||
end
|
end
|
||||||
|
|
||||||
def get
|
def get
|
||||||
verify && issue
|
order = Postal::LetsEncrypt.client.new_order(identifiers: [self.domain])
|
||||||
end
|
authorization = order.authorizations.first
|
||||||
|
challenge = authorization.http
|
||||||
def verify
|
|
||||||
authorization = Postal::LetsEncrypt.client.authorize(:domain => self.domain)
|
|
||||||
challenge = authorization.http01
|
|
||||||
self.verification_path = challenge.filename
|
self.verification_path = challenge.filename
|
||||||
self.verification_string = challenge.file_content
|
self.verification_string = challenge.file_content
|
||||||
self.save!
|
self.save!
|
||||||
logger.info "Attempting verification of #{self.domain}"
|
logger.info "Attempting verification of #{self.domain}"
|
||||||
challenge.request_verification
|
challenge.request_validation
|
||||||
checks = 0
|
checks = 0
|
||||||
until challenge.verify_status != "pending"
|
until challenge.status != "pending"
|
||||||
checks += 1
|
checks += 1
|
||||||
if checks > 30
|
if checks > 30
|
||||||
logger.info "Status remained at pending for 30 checks"
|
logger.info "Status remained at pending for 30 checks"
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
sleep 1
|
sleep 1
|
||||||
|
challenge.reload
|
||||||
end
|
end
|
||||||
|
|
||||||
unless challenge.verify_status == "valid"
|
unless challenge.status == "valid"
|
||||||
logger.info "Status was not valid (was: #{challenge.verify_status})"
|
logger.info "Status was not valid (was: #{challenge.status})"
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
csr = OpenSSL::X509::Request.new
|
||||||
|
csr.subject = OpenSSL::X509::Name.new([['CN', self.domain, OpenSSL::ASN1::UTF8STRING]])
|
||||||
|
private_key = OpenSSL::PKey::RSA.new(self.key)
|
||||||
|
csr.public_key = private_key.public_key
|
||||||
|
csr.sign(private_key, OpenSSL::Digest::SHA256.new)
|
||||||
|
logger.info "Getting certificate for #{self.domain}"
|
||||||
|
order.finalize(:csr => csr)
|
||||||
|
|
||||||
|
sleep(1) while order.status == 'processing'
|
||||||
|
https_cert = order.certificate # => PEM-formatted certificate
|
||||||
|
cert, chain = https_cert.split(/\r?\n\r?\n/, 2)
|
||||||
|
|
||||||
|
self.certificate = cert
|
||||||
|
self.intermediaries = chain
|
||||||
|
self.expires_at = certificate_object.not_after
|
||||||
|
self.renew_after = (self.expires_at - 1.month) + rand(10).days
|
||||||
|
self.save!
|
||||||
|
logger.info "Certificate issued (expires on #{self.expires_at}, will renew after #{self.renew_after})"
|
||||||
return true
|
return true
|
||||||
|
|
||||||
rescue Acme::Client::Error => e
|
rescue Acme::Client::Error => e
|
||||||
@retries = 0
|
@retries = 0
|
||||||
if e.is_a?(Acme::Client::Error::BadNonce) && @retries < 5
|
if e.is_a?(Acme::Client::Error::BadNonce) && @retries < 5
|
||||||
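Review bot: `sleep(1) while order.status == 'processing'` after `order.finalize(:csr => csr)` never refreshes the order and has no upper bound, unlike the challenge poll a few lines above, which calls `challenge.reload` and gives up after 30 checks. If the cached status is `processing` the worker spins forever on this record; if it is not, `order.certificate` is fetched without confirming that issuance finished. The same bounded pattern with `order.reload` fixes both, as below. The `cert, chain = https_cert.split(/\r?\n\r?\n/, 2)` line also assumes the returned bundle separates certificates with a blank line; if it does not, `chain` is nil and `intermediaries` is saved empty, so scanning with the same `-----BEGIN CERTIFICATE-----` regex that `intermediaries_array` uses would be more robust. `get` is cut off by the hunk: its `rescue` block continues past the last line.
```ruby
order.finalize(:csr => csr)
# … unchanged: "Getting certificate" log line …
finalize_checks = 0
while order.status == 'processing'
  finalize_checks += 1
  if finalize_checks > 30
    logger.info "Order remained at processing for 30 checks"
    return false
  end
  sleep 1
  order.reload
end
https_cert = order.certificate # => PEM-formatted certificate
```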
@@ -72,33 +89,16 @@ class TrackCertificate < ApplicationRecord
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def issue
|
|
||||||
csr = OpenSSL::X509::Request.new
|
|
||||||
csr.subject = OpenSSL::X509::Name.new([['CN', self.domain, OpenSSL::ASN1::UTF8STRING]])
|
|
||||||
private_key = OpenSSL::PKey::RSA.new(self.key)
|
|
||||||
csr.public_key = private_key.public_key
|
|
||||||
csr.sign(private_key, OpenSSL::Digest::SHA256.new)
|
|
||||||
logger.info "Getting certificate for #{self.domain}"
|
|
||||||
https_cert = Postal::LetsEncrypt.client.new_certificate(csr)
|
|
||||||
self.certificate = https_cert.to_pem
|
|
||||||
self.intermediaries = https_cert.chain_to_pem
|
|
||||||
self.expires_at = https_cert.x509.not_after
|
|
||||||
self.renew_after = (self.expires_at - 1.month) + rand(10).days
|
|
||||||
self.save!
|
|
||||||
logger.info "Certificate issued (expires on #{self.expires_at}, will renew after #{self.renew_after})"
|
|
||||||
return true
|
|
||||||
end
|
|
||||||
|
|
||||||
def certificate_object
|
def certificate_object
|
||||||
@certificate_object ||= OpenSSL::X509::Certificate.new(self.certificate)
|
OpenSSL::X509::Certificate.new(self.certificate)
|
||||||
end
|
end
|
||||||
|
|
||||||
def intermediaries_array
|
def intermediaries_array
|
||||||
@intermediaries_array ||= self.intermediaries.to_s.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m).map{|c| OpenSSL::X509::Certificate.new(c)}
|
self.intermediaries.to_s.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m).map{|c| OpenSSL::X509::Certificate.new(c)}
|
||||||
end
|
end
|
||||||
|
|
||||||
def key_object
|
def key_object
|
||||||
@key_object ||= OpenSSL::PKey::RSA.new(self.key)
|
OpenSSL::PKey::RSA.new(self.key)
|
||||||
end
|
end
|
||||||
|
|
||||||
def logger
|
def logger
|
||||||
|
|||||||
@@ -16,10 +16,8 @@ module Postal
|
|||||||
end
|
end
|
||||||
|
|
||||||
def self.register_private_key(email_address)
|
def self.register_private_key(email_address)
|
||||||
registration = client.register(:contact => "mailto:#{email_address}")
|
registration = client.new_account(:contact => "mailto:#{email_address}", :terms_of_service_agreed => true)
|
||||||
logger.info "Successfully registered private key with address #{email_address}"
|
logger.info "Successfully registered private key with address #{email_address}"
|
||||||
registration.agree_terms
|
|
||||||
logger.info "Terms have been accepted"
|
|
||||||
true
|
true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|||||||
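Review bot: `registration` is assigned from `client.new_account(...)` but no longer read once `registration.agree_terms` is removed, so the local can be dropped and the call left bare. Passing `:terms_of_service_agreed => true` now carries the terms acceptance that the explicit call and its "Terms have been accepted" log line used to make visible; a short comment such as `# terms_of_service_agreed: true replaces the v1 agree_terms step: creating the account records the operator's acceptance of the CA's terms` keeps that intent readable for the next maintainer. The `register_private_key` method fits within the hunk.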