Renew LetsEncrypt certificates #641

gateway/acme: bumped instant-acme version
iulianbarbu committed Mar 21, 2023
commit 56a26322fd9857d3a31be0425fb81d82cf2014ef
56 changes: 31 additions & 25 deletions Cargo.lock


2 changes: 1 addition & 1 deletion gateway/Cargo.toml
Expand Up @@ -20,7 +20,7 @@ http = { workspace = true }
hyper = { workspace = true, features = [ "stream" ] }
# not great, but waiting for WebSocket changes to be merged
hyper-reverse-proxy = { git = "https://github.com/chesedo/hyper-reverse-proxy", branch = "bug/host_header" }
instant-acme = "0.1.1"
instant-acme = "0.2.0"
lazy_static = "1.4.0"
num_cpus = "1.14.0"
once_cell = { workspace = true }
43 changes: 26 additions & 17 deletions gateway/src/acme.rs
Expand Up @@ -24,6 +24,7 @@ use crate::proxy::AsResponderTo;
use crate::{Error, ProjectName};

const MAX_RETRIES: usize = 15;
const MAX_RETRIES_CERTIFICATE_FETCHING: usize = 5;

#[derive(Debug, Eq, PartialEq)]
pub struct CustomDomain {
Expand Down Expand Up @@ -103,7 +104,7 @@ impl AcmeClient {
) -> Result<(String, String), AcmeClientError> {
trace!(identifier, "requesting acme certificate");

let (mut order, state) = AccountWrapper::from(credentials)
let mut order = AccountWrapper::from(credentials)
.0
.new_order(&NewOrder {
identifiers: &[Identifier::Dns(identifier.to_string())],
Expand All @@ -114,14 +115,10 @@ impl AcmeClient {
AcmeClientError::OrderCreation
})?;

let authorizations =
order
.authorizations(&state.authorizations)
.await
.map_err(|error| {
error!(%error, "failed to get authorizations information");
AcmeClientError::AuthorizationCreation
})?;
let authorizations = order.authorizations().await.map_err(|error| {
error!(%error, "failed to get authorizations information");
AcmeClientError::AuthorizationCreation
})?;

// There should only ever be 1 authorization as we only provide 1 domain at a time
debug_assert!(authorizations.len() == 1);
Expand All @@ -145,15 +142,27 @@ impl AcmeClient {
AcmeClientError::CertificateSigning
})?;

let certificate_chain = order
.finalize(&signing_request, &state.finalize)
.await
.map_err(|error| {
error!(%error, "failed to finalize certificate request");
AcmeClientError::OrderFinalizing
order.finalize(&signing_request).await.map_err(|error| {
error!(%error, "failed to finalize certificate request");
AcmeClientError::OrderFinalizing
})?;

// Poll for certificate, do this for few rounds.
let mut res: Option<String> = None;
let mut retries = MAX_RETRIES_CERTIFICATE_FETCHING;
while res.is_none() && retries > 0 {
res = order.certificate().await.map_err(|error| {
error!(%error, "failed to fetch the certificate chain");
AcmeClientError::CertificateCreation
})?;
retries -= 1;
sleep(Duration::new(1, 0)).await;
}

Ok((certificate_chain, certificate.serialize_private_key_pem()))
Ok((
res.expect("panicked when returning the certificate chain"),
certificate.serialize_private_key_pem(),
))
}

fn find_challenge(
Expand All @@ -176,7 +185,7 @@ impl AcmeClient {
let mut delay = Duration::from_millis(250);
let state = loop {
sleep(delay).await;
let state = order.state().await.map_err(|error| {
let state = order.refresh().await.map_err(|error| {
error!(%error, "got error while fetching state");
AcmeClientError::FetchingState
})?;
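Review bot: The polling loop in gateway/src/acme.rs ends in `res.expect("panicked when returning the certificate chain")`, so when the ACME server has not issued the certificate within MAX_RETRIES_CERTIFICATE_FETCHING one-second polls the gateway panics instead of surfacing an `AcmeClientError` through the function's existing `Result<(String, String), AcmeClientError>` return; a slow issuance is a normal, recoverable condition and should map to `AcmeClientError::CertificateCreation` (or a dedicated variant) via `ok_or_else`. The loop also sleeps for a full second after the fetch that succeeded and after the final attempt, because `sleep` runs unconditionally after the assignment; breaking on `Some` before sleeping avoids that. The enclosing function's signature and body start outside this hunk, so the variable names below follow what the hunk shows. A rewrite of the loop and the final `Ok` follows.
```rust
        // Poll for the certificate; the server may need a few seconds to issue it.
        let mut certificate_chain = None;
        for _ in 0..MAX_RETRIES_CERTIFICATE_FETCHING {
            certificate_chain = order.certificate().await.map_err(|error| {
                error!(%error, "failed to fetch the certificate chain");
                AcmeClientError::CertificateCreation
            })?;
            if certificate_chain.is_some() {
                break;
            }
            sleep(Duration::new(1, 0)).await;
        }
        let certificate_chain = certificate_chain.ok_or_else(|| {
            error!(
                retries = MAX_RETRIES_CERTIFICATE_FETCHING,
                "certificate chain was not ready after polling"
            );
            AcmeClientError::CertificateCreation
        })?;

        Ok((certificate_chain, certificate.serialize_private_key_pem()))
```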