2023-09-11 00:45:01 +01:00
|
|
|
use std::time::Duration;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
2023-09-11 00:45:01 +01:00
|
|
|
use acme::{create_p256_key, Certificate, Directory, DirectoryUrl};
|
2022-02-06 16:31:44 +00:00
|
|
|
use actix_files::Files;
|
|
|
|
|
use actix_web::{rt, web, App, HttpRequest, HttpServer, Responder};
|
2023-09-11 00:45:01 +01:00
|
|
|
use eyre::eyre;
|
|
|
|
|
use tokio::fs;
|
|
|
|
|
|
|
|
|
|
const CHALLENGE_DIR: &str = "./acme-challenges";
|
|
|
|
|
const DOMAIN_NAME: &str = "example.org";
|
|
|
|
|
const CONTACT_EMAIL: &str = "contact@example.org";
|
|
|
|
|
|
|
|
|
|
pub async fn gen_tls_cert(user_domain: &str, contact_email: &str) -> eyre::Result<Certificate> {
|
2022-02-06 16:31:44 +00:00
|
|
|
// Create acme-challenge dir.
|
2023-09-11 00:45:01 +01:00
|
|
|
fs::create_dir(CHALLENGE_DIR).await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
2023-07-09 03:32:47 +01:00
|
|
|
let domain = user_domain.to_owned();
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Create temporary Actix Web server for ACME challenge.
|
|
|
|
|
let srv = HttpServer::new(|| {
|
|
|
|
|
App::new().service(
|
2023-09-11 00:45:01 +01:00
|
|
|
Files::new("/.well-known/acme-challenge", "acme-challenge").show_files_listing(),
|
2022-02-06 16:31:44 +00:00
|
|
|
)
|
|
|
|
|
})
|
|
|
|
|
.bind((domain, 80))?
|
|
|
|
|
.shutdown_timeout(0)
|
2023-09-11 00:45:01 +01:00
|
|
|
.disable_signals()
|
2022-02-06 16:31:44 +00:00
|
|
|
.run();
|
|
|
|
|
|
|
|
|
|
let srv_handle = srv.handle();
|
|
|
|
|
let srv_task = rt::spawn(srv);
|
|
|
|
|
|
|
|
|
|
// Use DirectoryUrl::LetsEncryptStaging for dev/testing.
|
|
|
|
|
let url = DirectoryUrl::LetsEncrypt;
|
|
|
|
|
|
|
|
|
|
// Create a directory entrypoint.
|
2023-09-11 00:45:01 +01:00
|
|
|
let dir = Directory::fetch(url).await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Our contact addresses; note the `mailto:`
|
2023-09-11 00:45:01 +01:00
|
|
|
let user_email_mailto = format!("mailto:{contact_email}");
|
2022-02-06 16:31:44 +00:00
|
|
|
let contact = vec![user_email_mailto];
|
|
|
|
|
|
|
|
|
|
// Generate a private key and register an account with our ACME provider.
|
|
|
|
|
// We should write it to disk any use `load_account` afterwards.
|
2023-09-11 00:45:01 +01:00
|
|
|
let acc = dir.register_account(Some(contact.clone())).await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Load an account from string
|
2023-09-11 00:45:01 +01:00
|
|
|
let priv_key = acc.acme_private_key_pem()?;
|
|
|
|
|
let acc = dir.load_account(&priv_key, Some(contact)).await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Order a new TLS certificate for the domain.
|
2023-09-11 00:45:01 +01:00
|
|
|
let mut ord_new = acc.new_order(user_domain, &[]).await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// If the ownership of the domain have already been
|
|
|
|
|
// authorized in a previous order, we might be able to
|
|
|
|
|
// skip validation. The ACME API provider decides.
|
|
|
|
|
let ord_csr = loop {
|
|
|
|
|
// Are we done?
|
|
|
|
|
if let Some(ord_csr) = ord_new.confirm_validations() {
|
|
|
|
|
break ord_csr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get the possible authorizations (for a single domain
|
|
|
|
|
// this will only be one element).
|
2023-09-11 00:45:01 +01:00
|
|
|
let auths = ord_new.authorizations().await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
2023-09-11 00:45:01 +01:00
|
|
|
// For HTTP, the challenge is a text file that needs to be placed so it
|
|
|
|
|
// is accessible to our web server:
|
2022-02-06 16:31:44 +00:00
|
|
|
//
|
2023-09-11 00:45:01 +01:00
|
|
|
// ./acme-challenge/<token>
|
2022-02-06 16:31:44 +00:00
|
|
|
//
|
|
|
|
|
// The important thing is that it's accessible over the
|
|
|
|
|
// web for the domain we are trying to get a
|
|
|
|
|
// certificate for:
|
|
|
|
|
//
|
2023-09-11 00:45:01 +01:00
|
|
|
// http://example.org/.well-known/acme-challenge/<token>
|
|
|
|
|
let challenge = auths[0]
|
2022-02-06 16:31:44 +00:00
|
|
|
.http_challenge()
|
2023-09-11 00:45:01 +01:00
|
|
|
.ok_or_else(|| eyre!("no HTTP challenge accessible"))?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// The token is the filename.
|
2023-09-11 00:45:01 +01:00
|
|
|
let token = challenge.http_token();
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// The proof is the contents of the file
|
2023-09-11 00:45:01 +01:00
|
|
|
let proof = challenge.http_proof()?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Place the file/contents in the correct place.
|
2022-06-07 22:53:38 -04:00
|
|
|
let path = format!("acme-challenge/{token}");
|
2023-09-11 00:45:01 +01:00
|
|
|
fs::write(&path, &proof).await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// After the file is accessible from the web, the calls
|
|
|
|
|
// this to tell the ACME API to start checking the
|
|
|
|
|
// existence of the proof.
|
|
|
|
|
//
|
|
|
|
|
// The order at ACME will change status to either
|
|
|
|
|
// confirm ownership of the domain, or fail due to the
|
|
|
|
|
// not finding the proof. To see the change, we poll
|
|
|
|
|
// the API with 5000 milliseconds wait between.
|
2023-09-11 00:45:01 +01:00
|
|
|
challenge.validate(Duration::from_millis(5000)).await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Update the state against the ACME API.
|
2023-09-11 00:45:01 +01:00
|
|
|
ord_new.refresh().await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Ownership is proven. Create a private key for
|
|
|
|
|
// the certificate. These are provided for convenience; we
|
|
|
|
|
// could provide our own keypair instead if we want.
|
2023-09-11 00:45:01 +01:00
|
|
|
let signing_key = create_p256_key();
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Submit the CSR. This causes the ACME provider to enter a
|
|
|
|
|
// state of "processing" that must be polled until the
|
|
|
|
|
// certificate is either issued or rejected. Again we poll
|
|
|
|
|
// for the status change.
|
2023-09-11 00:45:01 +01:00
|
|
|
let ord_cert = ord_csr
|
|
|
|
|
.finalize(signing_key, Duration::from_millis(5000))
|
|
|
|
|
.await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Now download the certificate. Also stores the cert in
|
|
|
|
|
// the persistence.
|
2023-09-11 00:45:01 +01:00
|
|
|
let cert = ord_cert.download_cert().await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Stop temporary server for ACME challenge
|
|
|
|
|
srv_handle.stop(true).await;
|
|
|
|
|
srv_task.await??;
|
|
|
|
|
|
|
|
|
|
// Delete acme-challenge dir
|
2023-09-11 00:45:01 +01:00
|
|
|
fs::remove_dir_all(CHALLENGE_DIR).await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
Ok(cert)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// "Hello world" example
|
|
|
|
|
async fn index(_req: HttpRequest) -> impl Responder {
|
|
|
|
|
"Hello world!"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[actix_web::main]
|
2023-09-11 00:45:01 +01:00
|
|
|
async fn main() -> eyre::Result<()> {
|
2022-02-06 16:31:44 +00:00
|
|
|
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
|
2023-09-11 00:50:09 +01:00
|
|
|
color_eyre::install()?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Load keys
|
|
|
|
|
// ==============================================
|
|
|
|
|
// = IMPORTANT: =
|
|
|
|
|
// = This process has to be repeated =
|
|
|
|
|
// = before the certificate expires (< 90 days) =
|
|
|
|
|
// ==============================================
|
|
|
|
|
// Obtain TLS certificate
|
2023-09-11 00:45:01 +01:00
|
|
|
//
|
|
|
|
|
// NOTE: Persisting the private key and certificate chain somewhere is
|
|
|
|
|
// recommended in order to avoid unnecessarily regenerating of TLS certs.
|
|
|
|
|
let cert = gen_tls_cert(DOMAIN_NAME, CONTACT_EMAIL).await?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
2023-09-11 00:45:01 +01:00
|
|
|
let rustls_config = load_rustls_config(cert)?;
|
2022-02-06 16:31:44 +00:00
|
|
|
|
2023-09-11 00:45:01 +01:00
|
|
|
log::info!("starting HTTP server at https://{DOMAIN_NAME}:443");
|
2022-02-06 16:31:44 +00:00
|
|
|
|
|
|
|
|
// Start HTTP server!
|
|
|
|
|
let srv = HttpServer::new(|| App::new().route("/", web::get().to(index)))
|
2023-09-11 00:45:01 +01:00
|
|
|
.bind_rustls_021(("0.0.0.0", 443), rustls_config)?
|
2022-02-06 16:31:44 +00:00
|
|
|
.run();
|
|
|
|
|
|
|
|
|
|
let srv_handle = srv.handle();
|
|
|
|
|
|
|
|
|
|
let _auto_shutdown_task = rt::spawn(async move {
|
2023-09-11 00:45:01 +01:00
|
|
|
// Shutdown server every 4 weeks so that TLS certs can be regenerated if
|
|
|
|
|
// needed. This is only appropriate in contexts like Kubernetes which
|
|
|
|
|
// can orchestrate restarts.
|
2022-02-06 16:31:44 +00:00
|
|
|
rt::time::sleep(Duration::from_secs(60 * 60 * 24 * 28)).await;
|
|
|
|
|
srv_handle.stop(true).await;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
srv.await?;
|
|
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
2023-09-11 00:45:01 +01:00
|
|
|
|
|
|
|
|
fn load_rustls_config(cert: Certificate) -> eyre::Result<rustls::ServerConfig> {
|
|
|
|
|
// init server config builder with safe defaults
|
|
|
|
|
let config = rustls::ServerConfig::builder()
|
|
|
|
|
.with_safe_defaults()
|
|
|
|
|
.with_no_client_auth();
|
|
|
|
|
|
|
|
|
|
// convert ACME-obtained private key
|
|
|
|
|
let private_key = rustls::PrivateKey(cert.private_key_der()?.to_owned());
|
|
|
|
|
|
|
|
|
|
// convert ACME-obtained certificate chain
|
|
|
|
|
let cert_chain =
|
|
|
|
|
rustls_pemfile::certs(&mut std::io::BufReader::new(cert.certificate().as_bytes()))?
|
|
|
|
|
.into_iter()
|
|
|
|
|
.map(rustls::Certificate)
|
|
|
|
|
.collect();
|
|
|
|
|
|
|
|
|
|
Ok(config.with_single_cert(cert_chain, private_key)?)
|
|
|
|
|
}
|
