From 22b4255fac2ffddbf415cf75b7eaff84cccbcca1 Mon Sep 17 00:00:00 2001 From: Rob Ede Date: Mon, 11 Sep 2023 00:45:01 +0100 Subject: [PATCH] migrate acme example to acme-rfc8555 (#635) --- Cargo.lock | 554 +++++++++--------- Cargo.toml | 2 +- https-tls/acme-letsencrypt/Cargo.toml | 17 + https-tls/acme-letsencrypt/README.md | 5 + .../src/main.rs | 133 +++-- https-tls/openssl-auto-le/Cargo.toml | 15 - https-tls/openssl-auto-le/README.md | 5 - 7 files changed, 374 insertions(+), 357 deletions(-) create mode 100644 https-tls/acme-letsencrypt/Cargo.toml create mode 100644 https-tls/acme-letsencrypt/README.md rename https-tls/{openssl-auto-le => acme-letsencrypt}/src/main.rs (56%) delete mode 100644 https-tls/openssl-auto-le/Cargo.toml delete mode 100644 https-tls/openssl-auto-le/README.md diff --git a/Cargo.lock b/Cargo.lock index e072780..9a461e7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -13,20 +13,29 @@ dependencies = [ ] [[package]] -name = "acme-micro" -version = "0.12.0" +name = "acme-rfc8555" +version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a18fb402a32ddc56ef7015df8d575c326ea911887ba9b7661ce18786282e89a3" +checksum = "b1ef0bec8aa6034a79b590c2f41321e4123933ef688ed6b12fa9872c7d1d7a86" dependencies = [ - "anyhow", - "base64 0.13.1", - "lazy_static", + "base64 0.21.3", + "der", + "ecdsa", + "eyre", "log", - "openssl", + "p256", + "parking_lot 0.12.1", + "pem-rfc7468", + "pkcs8", + "rand 0.8.5", + "reqwest 0.11.20", "serde", "serde_json", - "time 0.1.45", - "ureq", + "sha2", + "time 0.3.28", + "tokio 1.32.0", + "x509-cert", + "zeroize", ] [[package]] @@ -161,7 +170,7 @@ dependencies = [ "percent-encoding", "pin-project-lite 0.2.13", "rand 0.8.5", - "sha1 0.10.5", + "sha1", "smallvec 1.11.0", "tokio 1.32.0", "tokio-util 0.7.8", @@ -405,9 +414,11 @@ dependencies = [ "rustls-webpki", "tokio 1.32.0", "tokio-openssl", + "tokio-rustls 0.23.4", "tokio-rustls 0.24.1", "tokio-util 0.7.8", "tracing", + "webpki-roots 0.22.6", "webpki-roots 0.25.2", ] @@ -441,7 +452,7 @@ dependencies = [ "bytes 1.4.0", "bytestring", "cfg-if 1.0.0", - "cookie 0.16.2", + "cookie", "derive_more", "encoding_rs", "futures-core", @@ -1118,7 +1129,7 @@ dependencies = [ "base64 0.21.3", "bytes 1.4.0", "cfg-if 1.0.0", - "cookie 0.16.2", + "cookie", "derive_more", "futures-core", "futures-util", @@ -1376,7 +1387,7 @@ dependencies = [ "http-body 0.4.5", "md-5", "pin-project-lite 0.2.13", - "sha1 0.10.5", + "sha1", "sha2", "tracing", ] @@ -1556,10 +1567,10 @@ dependencies = [ ] [[package]] -name = "base-x" -version = "0.2.11" +name = "base16ct" +version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4cbbc9d0964165b47557570cce6c952866c2678457aca742aafc9fb771d30270" +checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf" [[package]] name = "base64" @@ -1984,12 +1995,6 @@ dependencies = [ "phf_codegen 0.11.2", ] -[[package]] -name = "chunked_transfer" -version = "1.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cca491388666e04d7248af3f60f0c40cfb0991c72205595d7c396e3510207d1a" - [[package]] name = "cipher" version = "0.4.4" @@ -2070,6 +2075,33 @@ dependencies = [ "cc", ] +[[package]] +name = "color-eyre" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a667583cca8c4f8436db8de46ea8233c42a7d9ae424a82d338f2e4675229204" +dependencies = [ + "backtrace", + "color-spantrace", + "eyre", + "indenter", + "once_cell", + "owo-colors", + "tracing-error", +] + +[[package]] +name = "color-spantrace" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ba75b3d9449ecdccb27ecbc479fdc0b87fa2dd43d2f8298f9bf0e59aacc8dce" +dependencies = [ + "once_cell", + "owo-colors", + "tracing-core", + "tracing-error", +] + [[package]] name = "colorchoice" version = "1.0.0" @@ -2159,12 +2191,6 @@ dependencies = [ "tiny-keccak", ] -[[package]] -name = "const_fn" -version = "0.4.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbdcdcb6d86f71c5e97409ad45898af11cbc995b4ee8112d59095a28d376c935" - [[package]] name = "constant_time_eq" version = "0.2.6" @@ -2183,17 +2209,6 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6245d59a3e82a7fc217c5828a6692dbc6dfb63a0c8c90495621f7b9d79704a0e" -[[package]] -name = "cookie" -version = "0.14.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "03a5d7b21829bc7b4bf4754a978a241ae54ea55a40f92bb20216e54096f4b951" -dependencies = [ - "percent-encoding", - "time 0.2.27", - "version_check", -] - [[package]] name = "cookie" version = "0.16.2" @@ -2233,22 +2248,6 @@ dependencies = [ "log", ] -[[package]] -name = "cookie_store" -version = "0.12.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3818dfca4b0cb5211a659bbcbb94225b7127407b2b135e650d717bfb78ab10d3" -dependencies = [ - "cookie 0.14.4", - "idna 0.2.3", - "log", - "publicsuffix", - "serde", - "serde_json", - "time 0.2.27", - "url", -] - [[package]] name = "core-foundation" version = "0.9.3" @@ -2450,6 +2449,18 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" +[[package]] +name = "crypto-bigint" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cf4c2f4e1afd912bc40bfd6fed5d9dc1f288e0ba01bfcc835cc5bc3eb13efe15" +dependencies = [ + "generic-array", + "rand_core 0.6.4", + "subtle", + "zeroize", +] + [[package]] name = "crypto-common" version = "0.1.6" @@ -2680,10 +2691,24 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fffa369a668c8af7dbf8b5e56c9f744fbd399949ed171606040001947de40b1c" dependencies = [ "const-oid", + "der_derive", + "flagset", "pem-rfc7468", + "time 0.3.28", "zeroize", ] +[[package]] +name = "der_derive" +version = "0.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fe87ce4529967e0ba1dcf8450bab64d97dfd5010a6256187ffe2e43e6f0e049" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.29", +] + [[package]] name = "deranged" version = "0.3.8" @@ -2806,12 +2831,6 @@ dependencies = [ "subtle", ] -[[package]] -name = "discard" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "212d0f5754cb6769937f4501cc0e67f4f4483c8d2c3e1e922ee9edbe4ab4c7c0" - [[package]] name = "displaydoc" version = "0.2.4" @@ -2862,6 +2881,20 @@ version = "1.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dcbb2bf8e87535c23f7a8a321e364ce21462d0ff10cb6407820e8e96dfff6653" +[[package]] +name = "ecdsa" +version = "0.16.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a4b1e0c257a9e9f25f90ff76d7a68360ed497ee519c8e428d1825ef0000799d4" +dependencies = [ + "der", + "digest", + "elliptic-curve", + "rfc6979", + "signature", + "spki", +] + [[package]] name = "either" version = "1.9.0" @@ -2871,6 +2904,26 @@ dependencies = [ "serde", ] +[[package]] +name = "elliptic-curve" +version = "0.13.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "968405c8fdc9b3bf4df0a6638858cc0b52462836ab6b1c87377785dd09cf1c0b" +dependencies = [ + "base16ct", + "crypto-bigint", + "digest", + "ff", + "generic-array", + "group", + "pem-rfc7468", + "pkcs8", + "rand_core 0.6.4", + "sec1", + "subtle", + "zeroize", +] + [[package]] name = "encoding_rs" version = "0.8.33" @@ -2960,6 +3013,16 @@ version = "2.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0" +[[package]] +name = "eyre" +version = "0.6.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c2b6b5a29c02cdc822728b7d7b8ae1bab3e3b05d44522770ddd49722eeac7eb" +dependencies = [ + "indenter", + "once_cell", +] + [[package]] name = "fallible-iterator" version = "0.2.0" @@ -2996,6 +3059,16 @@ version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6999dc1837253364c2ebb0704ba97994bd874e8f195d665c50b7548f6ea92764" +[[package]] +name = "ff" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449" +dependencies = [ + "rand_core 0.6.4", + "subtle", +] + [[package]] name = "filetime" version = "0.2.22" @@ -3008,6 +3081,12 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "flagset" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cda653ca797810c02f7ca4b804b40b8b95ae046eb989d356bce17919a8c25499" + [[package]] name = "flate2" version = "1.0.27" @@ -3392,6 +3471,7 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" dependencies = [ "typenum", "version_check", + "zeroize", ] [[package]] @@ -3483,6 +3563,17 @@ dependencies = [ "thiserror", ] +[[package]] +name = "group" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63" +dependencies = [ + "ff", + "rand_core 0.6.4", + "subtle", +] + [[package]] name = "guards" version = "1.0.0" @@ -3919,6 +4010,12 @@ version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "206ca75c9c03ba3d4ace2460e57b189f39f43de612c2f85836e65c929701bb2d" +[[package]] +name = "indenter" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ce23b50ad8242c51a442f3ff322d56b02f08852c77e4c0b4d3fd684abc89c683" + [[package]] name = "indexmap" version = "1.9.3" @@ -4893,7 +4990,7 @@ dependencies = [ "saturating", "serde", "serde_json", - "sha1 0.10.5", + "sha1", "sha2", "smallvec 1.11.0", "subprocess", @@ -5088,20 +5185,6 @@ dependencies = [ "openssl-sys", ] -[[package]] -name = "openssl-auto-le" -version = "1.0.0" -dependencies = [ - "acme-micro", - "actix-files", - "actix-web", - "anyhow", - "env_logger", - "log", - "openssl", - "reqwest 0.11.20", -] - [[package]] name = "openssl-macros" version = "0.1.1" @@ -5147,6 +5230,24 @@ version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4030760ffd992bef45b0ae3f10ce1aba99e33464c90d14dd7c039884963ddc7a" +[[package]] +name = "owo-colors" +version = "3.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c1b04fb49957986fdce4d6ee7a65027d55d4b6d2265e5848bbb507b58ccfdb6f" + +[[package]] +name = "p256" +version = "0.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b" +dependencies = [ + "ecdsa", + "elliptic-curve", + "primeorder", + "sha2", +] + [[package]] name = "parking" version = "2.1.0" @@ -5552,6 +5653,15 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "primeorder" +version = "0.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c2fcef82c0ec6eefcc179b978446c399b3cdf73c392c35604e399eee6df1ee3" +dependencies = [ + "elliptic-curve", +] + [[package]] name = "proc-macro-crate" version = "0.1.5" @@ -5664,25 +5774,6 @@ dependencies = [ "syn 1.0.109", ] -[[package]] -name = "publicsuffix" -version = "1.5.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95b4ce31ff0a27d93c8de1849cf58162283752f065a90d508f1105fa6c9a213f" -dependencies = [ - "idna 0.2.3", - "url", -] - -[[package]] -name = "qstring" -version = "0.7.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d464fae65fff2680baf48019211ce37aaec0c78e9264c84a3e484717f965104e" -dependencies = [ - "percent-encoding", -] - [[package]] name = "quick-error" version = "1.2.3" @@ -6012,6 +6103,16 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4389f1d5789befaf6029ebd9f7dac4af7f7e3d61b69d4f30e2ac02b57e7712b0" +[[package]] +name = "rfc6979" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2" +dependencies = [ + "hmac", + "subtle", +] + [[package]] name = "rhai" version = "1.15.1" @@ -6239,19 +6340,6 @@ dependencies = [ "windows-sys 0.48.0", ] -[[package]] -name = "rustls" -version = "0.19.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7" -dependencies = [ - "base64 0.13.1", - "log", - "ring", - "sct 0.6.1", - "webpki 0.21.4", -] - [[package]] name = "rustls" version = "0.20.9" @@ -6260,8 +6348,8 @@ checksum = "1b80e3dec595989ea8510028f30c408a4630db12c9cbb8de34203b89d6577e99" dependencies = [ "log", "ring", - "sct 0.7.0", - "webpki 0.22.0", + "sct", + "webpki", ] [[package]] @@ -6273,7 +6361,7 @@ dependencies = [ "log", "ring", "rustls-webpki", - "sct 0.7.0", + "sct", ] [[package]] @@ -6430,16 +6518,6 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" -[[package]] -name = "sct" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "sct" version = "0.7.0" @@ -6456,6 +6534,20 @@ version = "4.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b" +[[package]] +name = "sec1" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc" +dependencies = [ + "base16ct", + "der", + "generic-array", + "pkcs8", + "subtle", + "zeroize", +] + [[package]] name = "security-framework" version = "2.9.2" @@ -6641,15 +6733,6 @@ dependencies = [ "digest", ] -[[package]] -name = "sha1" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1da05c97445caa12d05e848c4a4fcbbea29e748ac28f7e80e9b010392063770" -dependencies = [ - "sha1_smol", -] - [[package]] name = "sha1" version = "0.10.5" @@ -6678,6 +6761,15 @@ dependencies = [ "digest", ] +[[package]] +name = "sharded-slab" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "900fba806f70c630b0a382d0d825e17a0f19fcd059a2ade1ff237bcddf446b31" +dependencies = [ + "lazy_static", +] + [[package]] name = "shlex" version = "1.1.0" @@ -7025,7 +7117,7 @@ dependencies = [ "rand 0.8.5", "rsa", "serde", - "sha1 0.10.5", + "sha1", "sha2", "smallvec 1.11.0", "sqlx-core", @@ -7064,7 +7156,7 @@ dependencies = [ "rand 0.8.5", "serde", "serde_json", - "sha1 0.10.5", + "sha1", "sha2", "smallvec 1.11.0", "sqlx-core", @@ -7096,15 +7188,6 @@ dependencies = [ "url", ] -[[package]] -name = "standback" -version = "0.2.17" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e113fb6f3de07a243d434a56ec6f186dfd51cb08448239fe7bcae73f87ff28ff" -dependencies = [ - "version_check", -] - [[package]] name = "state" version = "1.0.0" @@ -7130,55 +7213,6 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f" -[[package]] -name = "stdweb" -version = "0.4.20" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d022496b16281348b52d0e30ae99e01a73d737b2f45d38fed4edf79f9325a1d5" -dependencies = [ - "discard", - "rustc_version 0.2.3", - "stdweb-derive", - "stdweb-internal-macros", - "stdweb-internal-runtime", - "wasm-bindgen", -] - -[[package]] -name = "stdweb-derive" -version = "0.5.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c87a60a40fccc84bef0652345bbbbbe20a605bf5d0ce81719fc476f5c03b50ef" -dependencies = [ - "proc-macro2", - "quote", - "serde", - "serde_derive", - "syn 1.0.109", -] - -[[package]] -name = "stdweb-internal-macros" -version = "0.2.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "58fa5ff6ad0d98d1ffa8cb115892b6e69d67799f6763e162a1c9db421dc22e11" -dependencies = [ - "base-x", - "proc-macro2", - "quote", - "serde", - "serde_derive", - "serde_json", - "sha1 0.6.1", - "syn 1.0.109", -] - -[[package]] -name = "stdweb-internal-runtime" -version = "0.1.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "213701ba3370744dcd1a12960caa4843b3d68b4d1c0a5d575e0d65b2ee9d16c0" - [[package]] name = "string_cache" version = "0.8.7" @@ -7479,21 +7513,6 @@ dependencies = [ "winapi 0.3.9", ] -[[package]] -name = "time" -version = "0.2.27" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4752a97f8eebd6854ff91f1c1824cd6160626ac4bd44287f7f4ea2035a02a242" -dependencies = [ - "const_fn", - "libc", - "standback", - "stdweb", - "time-macros 0.1.1", - "version_check", - "winapi 0.3.9", -] - [[package]] name = "time" version = "0.3.28" @@ -7504,7 +7523,7 @@ dependencies = [ "itoa 1.0.9", "serde", "time-core", - "time-macros 0.2.14", + "time-macros", ] [[package]] @@ -7513,16 +7532,6 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb" -[[package]] -name = "time-macros" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "957e9c6e26f12cb6d0dd7fc776bb67a706312e7299aed74c8dd5b17ebb27e2f1" -dependencies = [ - "proc-macro-hack", - "time-macros-impl", -] - [[package]] name = "time-macros" version = "0.2.14" @@ -7532,19 +7541,6 @@ dependencies = [ "time-core", ] -[[package]] -name = "time-macros-impl" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd3c141a1b43194f3f56a1411225df8646c55781d5f26db825b3d98507eb482f" -dependencies = [ - "proc-macro-hack", - "proc-macro2", - "quote", - "standback", - "syn 1.0.109", -] - [[package]] name = "tiny-keccak" version = "2.0.2" @@ -7588,6 +7584,23 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" +[[package]] +name = "tls-acme" +version = "1.0.0" +dependencies = [ + "acme-rfc8555", + "actix-files", + "actix-web", + "color-eyre", + "env_logger", + "eyre", + "log", + "reqwest 0.11.20", + "rustls 0.21.7", + "rustls-pemfile", + "tokio 1.32.0", +] + [[package]] name = "tls-openssl" version = "1.0.0" @@ -7844,7 +7857,7 @@ checksum = "c43ee83903113e03984cb9e5cebe6c04a5116269e900e3ddba8f068a62adda59" dependencies = [ "rustls 0.20.9", "tokio 1.32.0", - "webpki 0.22.0", + "webpki", ] [[package]] @@ -8096,6 +8109,17 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0955b8137a1df6f1a2e9a37d8a6656291ff0297c1a97c24e0d8425fe2312f79a" dependencies = [ "once_cell", + "valuable", +] + +[[package]] +name = "tracing-error" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d686ec1c0f384b1277f097b2f279a2ecc11afe8c133c1aabf036a27cb4cd206e" +dependencies = [ + "tracing", + "tracing-subscriber", ] [[package]] @@ -8109,6 +8133,17 @@ dependencies = [ "tracing", ] +[[package]] +name = "tracing-subscriber" +version = "0.3.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "30a651bc37f915e81f087d86e62a18eec5f79550c7faff886f7090b4ea757c77" +dependencies = [ + "sharded-slab", + "thread_local", + "tracing-core", +] + [[package]] name = "trust-dns-proto" version = "0.21.2" @@ -8402,25 +8437,6 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" -[[package]] -name = "ureq" -version = "1.5.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b8b063c2d59218ae09f22b53c42eaad0d53516457905f5235ca4bc9e99daa71" -dependencies = [ - "base64 0.13.1", - "chunked_transfer", - "cookie 0.14.4", - "cookie_store", - "log", - "once_cell", - "qstring", - "rustls 0.19.1", - "url", - "webpki 0.21.4", - "webpki-roots 0.21.1", -] - [[package]] name = "url" version = "2.4.1" @@ -8528,6 +8544,12 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "valuable" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" + [[package]] name = "vcpkg" version = "0.2.15" @@ -8686,16 +8708,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki" -version = "0.21.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "webpki" version = "0.22.0" @@ -8706,22 +8718,13 @@ dependencies = [ "untrusted", ] -[[package]] -name = "webpki-roots" -version = "0.21.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aabe153544e473b775453675851ecc86863d2a81d786d741f6b76778f2a48940" -dependencies = [ - "webpki 0.21.4", -] - [[package]] name = "webpki-roots" version = "0.22.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87" dependencies = [ - "webpki 0.22.0", + "webpki", ] [[package]] @@ -9088,6 +9091,19 @@ dependencies = [ "tap", ] +[[package]] +name = "x509-cert" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25eefca1d99701da3a57feb07e5079fc62abba059fc139e98c13bbb250f3ef29" +dependencies = [ + "const-oid", + "der", + "sha1", + "signature", + "spki", +] + [[package]] name = "xmlparser" version = "0.13.5" diff --git a/Cargo.toml b/Cargo.toml index 416d49e..f9985bd 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -30,8 +30,8 @@ members = [ "graphql/juniper", "guards", "http-proxy", + "https-tls/acme-letsencrypt", "https-tls/awc-https", - "https-tls/openssl-auto-le", "https-tls/openssl", "https-tls/rustls-client-cert", "https-tls/rustls", diff --git a/https-tls/acme-letsencrypt/Cargo.toml b/https-tls/acme-letsencrypt/Cargo.toml new file mode 100644 index 0000000..56393b6 --- /dev/null +++ b/https-tls/acme-letsencrypt/Cargo.toml @@ -0,0 +1,17 @@ +[package] +name = "tls-acme" +version = "1.0.0" +edition = "2021" + +[dependencies] +acme-rfc8555 = "0.1" +actix-files.workspace = true +actix-web = { workspace = true, features = ["rustls"] } +color-eyre = "0.6" +env_logger.workspace = true +eyre = "0.6" +log.workspace = true +reqwest = "0.11" +rustls = "0.21" +rustls-pemfile = "1" +tokio = { workspace = true, feature = ["fs"] } diff --git a/https-tls/acme-letsencrypt/README.md b/https-tls/acme-letsencrypt/README.md new file mode 100644 index 0000000..1eea3e9 --- /dev/null +++ b/https-tls/acme-letsencrypt/README.md @@ -0,0 +1,5 @@ +# Automatic Let's Encrypt TLS/HTTPS using OpenSSL + +We use [`an ACME client library`](https://github.com/x52dev/acme-rfc8555) to auto-generate TLS/HTTPS certificates for a given domain and then start our real web server with the obtained certificate. + +Process is explained in code. diff --git a/https-tls/openssl-auto-le/src/main.rs b/https-tls/acme-letsencrypt/src/main.rs similarity index 56% rename from https-tls/openssl-auto-le/src/main.rs rename to https-tls/acme-letsencrypt/src/main.rs index 7291c50..fe22efe 100644 --- a/https-tls/openssl-auto-le/src/main.rs +++ b/https-tls/acme-letsencrypt/src/main.rs @@ -1,35 +1,30 @@ -use std::{fs, time::Duration}; +use std::time::Duration; -use acme_micro::{create_p384_key, Certificate, Directory, DirectoryUrl}; +use acme::{create_p256_key, Certificate, Directory, DirectoryUrl}; use actix_files::Files; use actix_web::{rt, web, App, HttpRequest, HttpServer, Responder}; -use anyhow::anyhow; -use openssl::{ - pkey::PKey, - ssl::{SslAcceptor, SslMethod}, - x509::X509, -}; +use eyre::eyre; +use tokio::fs; -pub async fn gen_tls_cert(user_email: &str, user_domain: &str) -> anyhow::Result { +const CHALLENGE_DIR: &str = "./acme-challenges"; +const DOMAIN_NAME: &str = "example.org"; +const CONTACT_EMAIL: &str = "contact@example.org"; + +pub async fn gen_tls_cert(user_domain: &str, contact_email: &str) -> eyre::Result { // Create acme-challenge dir. - fs::create_dir("./acme-challenge").unwrap(); + fs::create_dir(CHALLENGE_DIR).await?; let domain = user_domain.to_owned(); // Create temporary Actix Web server for ACME challenge. let srv = HttpServer::new(|| { App::new().service( - Files::new( - // HTTP route - "/.well-known/acme-challenge", - // Server's dir - "acme-challenge", - ) - .show_files_listing(), + Files::new("/.well-known/acme-challenge", "acme-challenge").show_files_listing(), ) }) .bind((domain, 80))? .shutdown_timeout(0) + .disable_signals() .run(); let srv_handle = srv.handle(); @@ -39,22 +34,22 @@ pub async fn gen_tls_cert(user_email: &str, user_domain: &str) -> anyhow::Result let url = DirectoryUrl::LetsEncrypt; // Create a directory entrypoint. - let dir = Directory::from_url(url)?; + let dir = Directory::fetch(url).await?; // Our contact addresses; note the `mailto:` - let user_email_mailto: String = "mailto:{email}".replace("{email}", user_email); + let user_email_mailto = format!("mailto:{contact_email}"); let contact = vec![user_email_mailto]; // Generate a private key and register an account with our ACME provider. // We should write it to disk any use `load_account` afterwards. - let acc = dir.register_account(contact.clone())?; + let acc = dir.register_account(Some(contact.clone())).await?; // Load an account from string - let privkey = acc.acme_private_key_pem()?; - let acc = dir.load_account(&privkey, contact)?; + let priv_key = acc.acme_private_key_pem()?; + let acc = dir.load_account(&priv_key, Some(contact)).await?; // Order a new TLS certificate for the domain. - let mut ord_new = acc.new_order(user_domain, &[])?; + let mut ord_new = acc.new_order(user_domain, &[]).await?; // If the ownership of the domain have already been // authorized in a previous order, we might be able to @@ -67,31 +62,31 @@ pub async fn gen_tls_cert(user_email: &str, user_domain: &str) -> anyhow::Result // Get the possible authorizations (for a single domain // this will only be one element). - let auths = ord_new.authorizations()?; + let auths = ord_new.authorizations().await?; - // For HTTP, the challenge is a text file that needs to - // be placed in our web server's root: + // For HTTP, the challenge is a text file that needs to be placed so it + // is accessible to our web server: // - // /acme-challenge/ + // ./acme-challenge/ // // The important thing is that it's accessible over the // web for the domain we are trying to get a // certificate for: // - // http://mydomain.io/.well-known/acme-challenge/ - let chall = auths[0] + // http://example.org/.well-known/acme-challenge/ + let challenge = auths[0] .http_challenge() - .ok_or_else(|| anyhow!("no HTTP challenge accessible"))?; + .ok_or_else(|| eyre!("no HTTP challenge accessible"))?; // The token is the filename. - let token = chall.http_token(); + let token = challenge.http_token(); // The proof is the contents of the file - let proof = chall.http_proof()?; + let proof = challenge.http_proof()?; // Place the file/contents in the correct place. let path = format!("acme-challenge/{token}"); - fs::write(&path, &proof)?; + fs::write(&path, &proof).await?; // After the file is accessible from the web, the calls // this to tell the ACME API to start checking the @@ -101,33 +96,35 @@ pub async fn gen_tls_cert(user_email: &str, user_domain: &str) -> anyhow::Result // confirm ownership of the domain, or fail due to the // not finding the proof. To see the change, we poll // the API with 5000 milliseconds wait between. - chall.validate(Duration::from_millis(5000))?; + challenge.validate(Duration::from_millis(5000)).await?; // Update the state against the ACME API. - ord_new.refresh()?; + ord_new.refresh().await?; }; // Ownership is proven. Create a private key for // the certificate. These are provided for convenience; we // could provide our own keypair instead if we want. - let pkey_pri = create_p384_key()?; + let signing_key = create_p256_key(); // Submit the CSR. This causes the ACME provider to enter a // state of "processing" that must be polled until the // certificate is either issued or rejected. Again we poll // for the status change. - let ord_cert = ord_csr.finalize_pkey(pkey_pri, Duration::from_millis(5000))?; + let ord_cert = ord_csr + .finalize(signing_key, Duration::from_millis(5000)) + .await?; // Now download the certificate. Also stores the cert in // the persistence. - let cert = ord_cert.download_cert()?; + let cert = ord_cert.download_cert().await?; // Stop temporary server for ACME challenge srv_handle.stop(true).await; srv_task.await??; // Delete acme-challenge dir - fs::remove_dir_all("./acme-challenge")?; + fs::remove_dir_all(CHALLENGE_DIR).await?; Ok(cert) } @@ -138,13 +135,9 @@ async fn index(_req: HttpRequest) -> impl Responder { } #[actix_web::main] -async fn main() -> anyhow::Result<()> { +async fn main() -> eyre::Result<()> { env_logger::init_from_env(env_logger::Env::new().default_filter_or("info")); - // IMPORTANT: Use your own email and domain! - let email = "example@example.com"; - let domain = "mydomain.io"; - // Load keys // ============================================== // = IMPORTANT: = @@ -152,39 +145,26 @@ async fn main() -> anyhow::Result<()> { // = before the certificate expires (< 90 days) = // ============================================== // Obtain TLS certificate - let cert = gen_tls_cert(email, domain).await?; - let mut ssl_builder = SslAcceptor::mozilla_intermediate(SslMethod::tls())?; + // + // NOTE: Persisting the private key and certificate chain somewhere is + // recommended in order to avoid unnecessarily regenerating of TLS certs. + let cert = gen_tls_cert(DOMAIN_NAME, CONTACT_EMAIL).await?; - // Get and add private key - let pkey_der = PKey::private_key_from_der(&cert.private_key_der()?)?; - ssl_builder.set_private_key(&pkey_der)?; + let rustls_config = load_rustls_config(cert)?; - // Get and add certificate - let cert_der = X509::from_der(&cert.certificate_der()?)?; - ssl_builder.set_certificate(&cert_der)?; - - // Get and add intermediate certificate to the chain - let icert_url = "https://letsencrypt.org/certs/lets-encrypt-r3.der"; - let icert_bytes = reqwest::get(icert_url).await?.bytes().await?; - let intermediate_cert = X509::from_der(&icert_bytes)?; - ssl_builder.add_extra_chain_cert(intermediate_cert)?; - - // NOTE: - // Storing pkey_der, cert_der and intermediate_cert somewhere - // (in order to avoid unnecessarily regeneration of TLS/SSL) is recommended - - log::info!("starting HTTP server at https://localhost:443"); + log::info!("starting HTTP server at https://{DOMAIN_NAME}:443"); // Start HTTP server! let srv = HttpServer::new(|| App::new().route("/", web::get().to(index))) - .bind_openssl((domain, 443), ssl_builder)? + .bind_rustls_021(("0.0.0.0", 443), rustls_config)? .run(); let srv_handle = srv.handle(); let _auto_shutdown_task = rt::spawn(async move { - // Shutdown server every 4 weeks so that TLS certs can be regenerated if needed. - // This is only appropriate in contexts like Kubernetes which can orchestrate restarts. + // Shutdown server every 4 weeks so that TLS certs can be regenerated if + // needed. This is only appropriate in contexts like Kubernetes which + // can orchestrate restarts. rt::time::sleep(Duration::from_secs(60 * 60 * 24 * 28)).await; srv_handle.stop(true).await; }); @@ -193,3 +173,22 @@ async fn main() -> anyhow::Result<()> { Ok(()) } + +fn load_rustls_config(cert: Certificate) -> eyre::Result { + // init server config builder with safe defaults + let config = rustls::ServerConfig::builder() + .with_safe_defaults() + .with_no_client_auth(); + + // convert ACME-obtained private key + let private_key = rustls::PrivateKey(cert.private_key_der()?.to_owned()); + + // convert ACME-obtained certificate chain + let cert_chain = + rustls_pemfile::certs(&mut std::io::BufReader::new(cert.certificate().as_bytes()))? + .into_iter() + .map(rustls::Certificate) + .collect(); + + Ok(config.with_single_cert(cert_chain, private_key)?) +} diff --git a/https-tls/openssl-auto-le/Cargo.toml b/https-tls/openssl-auto-le/Cargo.toml deleted file mode 100644 index 0617c4a..0000000 --- a/https-tls/openssl-auto-le/Cargo.toml +++ /dev/null @@ -1,15 +0,0 @@ -[package] -name = "openssl-auto-le" -version = "1.0.0" -edition = "2021" - -[dependencies] -actix-web = { workspace = true, features = ["openssl"] } -actix-files.workspace = true - -acme-micro = "0.12" -anyhow = "1" -env_logger.workspace = true -log.workspace = true -openssl.workspace = true -reqwest = "0.11" diff --git a/https-tls/openssl-auto-le/README.md b/https-tls/openssl-auto-le/README.md deleted file mode 100644 index b0fd259..0000000 --- a/https-tls/openssl-auto-le/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# Automatic Let's Encrypt TLS/HTTPS using OpenSSL - -We use [`acme-micro`](https://github.com/kpcyrd/acme-micro) to auto-generate TLS/HTTPS certificates using OpenSSL for a given domain. - -Process is explained in code.