local-ip.sh/certs/certs.go

package certs

import (
	"encoding/json"
	"fmt"
	"log"
	"os"
	"strings"
	"time"

	"github.com/go-acme/lego/v4/certcrypto"
	"github.com/go-acme/lego/v4/certificate"
	"github.com/go-acme/lego/v4/challenge/dns01"
	"github.com/go-acme/lego/v4/lego"
	"local-ip.sh/xip"
)

type certsClient struct {
	legoClient              *lego.Client
	lastWildcardCertificate *certificate.Resource
	lastRootCertificate     *certificate.Resource
}

func (c *certsClient) RequestCertificates() {
	c.requestCertificate("wildcard")
	c.requestCertificate("root")
}

func (c *certsClient) requestCertificate(certType string) {
	var lastCertificate *certificate.Resource
	var domains []string
	if certType == "wildcard" {
		lastCertificate = c.lastWildcardCertificate
		domains = []string{"*.local-ip.sh"}
	} else if certType == "root" {
		lastCertificate = c.lastRootCertificate
		domains = []string{"local-ip.sh"}
	} else {
		log.Fatalf("Unexpected certType %s. Only \"wildcard\" and \"root\" are supported", certType)
	}

	log.Printf("requesting %s certificate\n", certType)
	if lastCertificate != nil {
		certificates, err := certcrypto.ParsePEMBundle(c.lastWildcardCertificate.Certificate)
		if err != nil {
			log.Fatal(err)
		}

		x509Cert := certificates[0]
		timeLeft := x509Cert.NotAfter.Sub(time.Now().UTC())
		if timeLeft > time.Hour*24*30 {
			log.Printf("%d days left before expiration, will not renew", int(timeLeft.Hours()/24))
			return
		}

		c.renewCertificates()
		return
	}

	certificates, err := c.legoClient.Certificate.Obtain(certificate.ObtainRequest{
		Domains: domains,
		Bundle:  true,
	})
	if err != nil {
		log.Fatal(err)
	}

	if certType == "wildcard" {
		c.lastWildcardCertificate = certificates
	} else if certType == "root" {
		c.lastRootCertificate = certificates
	}

	persistFiles(certificates, certType)

}

func (c *certsClient) renewCertificates() {
	log.Println("renewing currently existing certificate")
	wildcardCertificate, err := c.legoClient.Certificate.Renew(*c.lastWildcardCertificate, true, false, "")
	if err != nil {
		log.Fatal(err)
	}
	c.lastWildcardCertificate = wildcardCertificate
	persistFiles(wildcardCertificate, "wildcard")

	rootCertificate, err := c.legoClient.Certificate.Renew(*c.lastRootCertificate, true, false, "")
	if err != nil {
		log.Fatal(err)
	}
	c.lastRootCertificate = rootCertificate
	persistFiles(rootCertificate, "root")

}

func persistFiles(certificates *certificate.Resource, certType string) {
	os.MkdirAll(fmt.Sprintf("/certs/%s", certType), 0o755)
	os.WriteFile(fmt.Sprintf("/certs/%s/server.pem", certType), certificates.Certificate, 0o644)
	os.WriteFile(fmt.Sprintf("/certs/%s/server.key", certType), certificates.PrivateKey, 0o644)
	jsonBytes, err := json.MarshalIndent(certificates, "", "\t")
	if err != nil {
		log.Fatal(err)
	}
	os.WriteFile(fmt.Sprintf("/certs/%s/output.json", certType), jsonBytes, 0o644)
}

func NewCertsClient(xip *xip.Xip, user *Account) *certsClient {
	config := lego.NewConfig(user)
	config.CADirURL = caDirUrl
	legoClient, err := lego.NewClient(config)
	if err != nil {
		log.Fatal(err)
	}

	provider := newProviderLocalIp(xip)
	legoClient.Challenge.SetDNS01Provider(provider, dns01.AddRecursiveNameservers([]string{"1.1.1.1:53", "8.8.8.8:53"}), dns01.DisableCompletePropagationRequirement())

	lastWildcardCertificate := getLastCertificate(legoClient, "wildcard")
	lastRootCertificate := getLastCertificate(legoClient, "root")

	return &certsClient{
		legoClient,
		lastWildcardCertificate,
		lastRootCertificate,
	}
}

func getLastCertificate(legoClient *lego.Client, certType string) *certificate.Resource {
	jsonBytes, err := os.ReadFile(fmt.Sprintf("/certs/%s/output.json", certType))
	if err != nil {
		if strings.Contains(err.Error(), "no such file or directory") {
			return nil
		}
		log.Println(err)
		log.Println("falling back to getting a brand new cert")
		return nil
	}

	lastCertificate := &certificate.Resource{}
	err = json.Unmarshal(jsonBytes, lastCertificate)
	if err != nil {
		log.Println(err)
		log.Println("falling back to getting a brand new cert")
		return nil
	}

	lastCertificate, err = legoClient.Certificate.Get(lastCertificate.CertURL, true)
	if err != nil {
		log.Println(err)
		log.Println("falling back to getting a brand new cert")
		return nil
	}

	return lastCertificate
}
first iteration to automate certificate generation 2023-02-26 10:02:30 +00:00			`package certs`

			`import (`
got the certificate request working 2023-02-26 13:06:15 +00:00			`"encoding/json"`
https server 2024-07-09 23:09:18 +00:00			`"fmt"`
first iteration to automate certificate generation 2023-02-26 10:02:30 +00:00			`"log"`
got the certificate request working 2023-02-26 13:06:15 +00:00			`"os"`
			`"strings"`
dont renew unless timeleft < 30 days 2023-02-26 13:35:07 +00:00			`"time"`
first iteration to automate certificate generation 2023-02-26 10:02:30 +00:00
dont renew unless timeleft < 30 days 2023-02-26 13:35:07 +00:00			`"github.com/go-acme/lego/v4/certcrypto"`
first iteration to automate certificate generation 2023-02-26 10:02:30 +00:00			`"github.com/go-acme/lego/v4/certificate"`
			`"github.com/go-acme/lego/v4/challenge/dns01"`
			`"github.com/go-acme/lego/v4/lego"`
			`"local-ip.sh/xip"`
			`)`

			`type certsClient struct {`
https server 2024-07-09 23:09:18 +00:00			`legoClient *lego.Client`
			`lastWildcardCertificate *certificate.Resource`
			`lastRootCertificate *certificate.Resource`
first iteration to automate certificate generation 2023-02-26 10:02:30 +00:00			`}`

https server 2024-07-09 23:09:18 +00:00			`func (c *certsClient) RequestCertificates() {`
			`c.requestCertificate("wildcard")`
			`c.requestCertificate("root")`
			`}`

			`func (c *certsClient) requestCertificate(certType string) {`
			`var lastCertificate *certificate.Resource`
			`var domains []string`
			`if certType == "wildcard" {`
			`lastCertificate = c.lastWildcardCertificate`
			`domains = []string{"*.local-ip.sh"}`
			`} else if certType == "root" {`
			`lastCertificate = c.lastRootCertificate`
			`domains = []string{"local-ip.sh"}`
			`} else {`
			`log.Fatalf("Unexpected certType %s. Only \"wildcard\" and \"root\" are supported", certType)`
			`}`

			`log.Printf("requesting %s certificate\n", certType)`
			`if lastCertificate != nil {`
			`certificates, err := certcrypto.ParsePEMBundle(c.lastWildcardCertificate.Certificate)`
dont renew unless timeleft < 30 days 2023-02-26 13:35:07 +00:00			`if err != nil {`
			`log.Fatal(err)`
			`}`

			`x509Cert := certificates[0]`
			`timeLeft := x509Cert.NotAfter.Sub(time.Now().UTC())`
			`if timeLeft > time.Hour2430 {`
			`log.Printf("%d days left before expiration, will not renew", int(timeLeft.Hours()/24))`
			`return`
			`}`

https server 2024-07-09 23:09:18 +00:00			`c.renewCertificates()`
got the certificate request working 2023-02-26 13:06:15 +00:00			`return`
			`}`

first iteration to automate certificate generation 2023-02-26 10:02:30 +00:00			`certificates, err := c.legoClient.Certificate.Obtain(certificate.ObtainRequest{`
https server 2024-07-09 23:09:18 +00:00			`Domains: domains,`
first iteration to automate certificate generation 2023-02-26 10:02:30 +00:00			`Bundle: true,`
			`})`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

https server 2024-07-09 23:09:18 +00:00			`if certType == "wildcard" {`
			`c.lastWildcardCertificate = certificates`
			`} else if certType == "root" {`
			`c.lastRootCertificate = certificates`
			`}`

			`persistFiles(certificates, certType)`
got the certificate request working 2023-02-26 13:06:15 +00:00
			`}`

https server 2024-07-09 23:09:18 +00:00			`func (c *certsClient) renewCertificates() {`
got the certificate request working 2023-02-26 13:06:15 +00:00			`log.Println("renewing currently existing certificate")`
https server 2024-07-09 23:09:18 +00:00			`wildcardCertificate, err := c.legoClient.Certificate.Renew(*c.lastWildcardCertificate, true, false, "")`
got the certificate request working 2023-02-26 13:06:15 +00:00			`if err != nil {`
			`log.Fatal(err)`
			`}`
https server 2024-07-09 23:09:18 +00:00			`c.lastWildcardCertificate = wildcardCertificate`
			`persistFiles(wildcardCertificate, "wildcard")`
got the certificate request working 2023-02-26 13:06:15 +00:00
https server 2024-07-09 23:09:18 +00:00			`rootCertificate, err := c.legoClient.Certificate.Renew(*c.lastRootCertificate, true, false, "")`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
			`c.lastRootCertificate = rootCertificate`
			`persistFiles(rootCertificate, "root")`
got the certificate request working 2023-02-26 13:06:15 +00:00
			`}`

https server 2024-07-09 23:09:18 +00:00			`func persistFiles(certificates *certificate.Resource, certType string) {`
			`os.MkdirAll(fmt.Sprintf("/certs/%s", certType), 0o755)`
			`os.WriteFile(fmt.Sprintf("/certs/%s/server.pem", certType), certificates.Certificate, 0o644)`
			`os.WriteFile(fmt.Sprintf("/certs/%s/server.key", certType), certificates.PrivateKey, 0o644)`
got the certificate request working 2023-02-26 13:06:15 +00:00			`jsonBytes, err := json.MarshalIndent(certificates, "", "\t")`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
https server 2024-07-09 23:09:18 +00:00			`os.WriteFile(fmt.Sprintf("/certs/%s/output.json", certType), jsonBytes, 0o644)`
first iteration to automate certificate generation 2023-02-26 10:02:30 +00:00			`}`

			`func NewCertsClient(xip xip.Xip, user Account) *certsClient {`
			`config := lego.NewConfig(user)`
			`config.CADirURL = caDirUrl`
			`legoClient, err := lego.NewClient(config)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

			`provider := newProviderLocalIp(xip)`
got the certificate request working 2023-02-26 13:06:15 +00:00			`legoClient.Challenge.SetDNS01Provider(provider, dns01.AddRecursiveNameservers([]string{"1.1.1.1:53", "8.8.8.8:53"}), dns01.DisableCompletePropagationRequirement())`

https server 2024-07-09 23:09:18 +00:00			`lastWildcardCertificate := getLastCertificate(legoClient, "wildcard")`
			`lastRootCertificate := getLastCertificate(legoClient, "root")`
first iteration to automate certificate generation 2023-02-26 10:02:30 +00:00
			`return &certsClient{`
			`legoClient,`
https server 2024-07-09 23:09:18 +00:00			`lastWildcardCertificate,`
			`lastRootCertificate,`
first iteration to automate certificate generation 2023-02-26 10:02:30 +00:00			`}`
			`}`
got the certificate request working 2023-02-26 13:06:15 +00:00
https server 2024-07-09 23:09:18 +00:00			`func getLastCertificate(legoClient lego.Client, certType string) certificate.Resource {`
			`jsonBytes, err := os.ReadFile(fmt.Sprintf("/certs/%s/output.json", certType))`
got the certificate request working 2023-02-26 13:06:15 +00:00			`if err != nil {`
			`if strings.Contains(err.Error(), "no such file or directory") {`
			`return nil`
			`}`
			`log.Println(err)`
			`log.Println("falling back to getting a brand new cert")`
			`return nil`
			`}`

housekeeping 2023-12-12 21:25:39 +00:00			`lastCertificate := &certificate.Resource{}`
got the certificate request working 2023-02-26 13:06:15 +00:00			`err = json.Unmarshal(jsonBytes, lastCertificate)`
			`if err != nil {`
			`log.Println(err)`
			`log.Println("falling back to getting a brand new cert")`
			`return nil`
			`}`

			`lastCertificate, err = legoClient.Certificate.Get(lastCertificate.CertURL, true)`
			`if err != nil {`
			`log.Println(err)`
			`log.Println("falling back to getting a brand new cert")`
			`return nil`
			`}`

			`return lastCertificate`
			`}`