2017-05-16 17:01:24 +02:00
|
|
|
#!/usr/bin/env perl
|
|
|
|
# This is a simplified rewrite of acme-tiny in Perl, since Python 3 is 125 MiB
|
|
|
|
# but Perl is everywhere and JSON::PP mostly in default installations.
|
|
|
|
# Depends on curl and openssl.
|
2017-05-16 20:13:29 +02:00
|
|
|
#
|
|
|
|
# TODO: eventually the ACME protocol will stabilize:
|
|
|
|
# https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md
|
2017-05-16 17:01:24 +02:00
|
|
|
use strict;
|
|
|
|
use warnings;
|
|
|
|
use MIME::Base64 qw(encode_base64 encode_base64url);
|
|
|
|
use JSON::PP;
|
|
|
|
use Digest::SHA qw(sha256);
|
|
|
|
use IPC::Open2;
|
|
|
|
|
2017-05-16 18:07:37 +02:00
|
|
|
# https://acme-staging.api.letsencrypt.org
|
|
|
|
# https://acme-v01.api.letsencrypt.org
|
|
|
|
my $ca = $ENV{ACME_CA} || die 'ACME_CA not set';
|
|
|
|
my $account_key = $ENV{ACCOUNT_KEY} || die 'ACCOUNT_KEY not set';
|
|
|
|
my $csr_file = shift || die 'no file was given';
|
|
|
|
my $acme_dir = $ENV{ACME_DIR} || die 'ACME_DIR not set';
|
2017-05-16 17:01:24 +02:00
|
|
|
|
|
|
|
# Prepare some values derived from account key for the ACME protocol
|
|
|
|
sub b64 { encode_base64url(shift, '') =~ s/=//gr }
|
2017-05-17 15:19:11 +02:00
|
|
|
my $key_info = `openssl rsa -in '$account_key' -noout -text`;
|
2017-05-16 17:01:24 +02:00
|
|
|
die 'cannot process account key' if $?;
|
|
|
|
|
|
|
|
my ($pub_hex, $pub_exp) =
|
2017-05-17 15:19:11 +02:00
|
|
|
$key_info =~ /modulus:\n\s+00:([a-f\d:\s]+?)\npublicExponent: (\d+)/m;
|
2017-05-16 17:01:24 +02:00
|
|
|
$pub_exp = sprintf("%x", $pub_exp);
|
|
|
|
$pub_exp = "0$pub_exp" if length($pub_exp) % 2;
|
|
|
|
|
|
|
|
my $header = { alg => 'RS256', jwk => { kty => 'RSA',
|
|
|
|
e => b64(pack 'H*', $pub_exp),
|
|
|
|
n => b64(pack 'H*', $pub_hex =~ s/\s|://gr)
|
|
|
|
}};
|
|
|
|
|
2017-06-07 06:35:35 +02:00
|
|
|
my $json = JSON::PP->new->pretty(0)->canonical(1);
|
2017-05-16 17:01:24 +02:00
|
|
|
my $thumbprint = b64(sha256($json->encode($header->{jwk})));
|
|
|
|
|
|
|
|
# Pipe data through an external program, keeping status in $?
|
|
|
|
sub communicate {
|
|
|
|
my $data = pop;
|
|
|
|
my $pid = open2(\*Reader, \*Writer, @_);
|
|
|
|
print Writer $data if defined($data);
|
|
|
|
close Writer;
|
|
|
|
local $/ = undef;
|
|
|
|
my $resp = <Reader>;
|
|
|
|
waitpid $pid, 0;
|
|
|
|
return $resp;
|
|
|
|
}
|
|
|
|
|
2017-05-16 20:13:29 +02:00
|
|
|
# Use cURL to download a file over HTTPS but parse it ourselves (quite silly)
|
2017-05-16 17:01:24 +02:00
|
|
|
sub get {
|
|
|
|
my ($url, $data) = @_;
|
|
|
|
my @args = ('curl', '-sS', '-D-', '-H', 'Expect:');
|
|
|
|
push @args, ('-X', 'POST', '--data-binary', '@-') if defined($data);
|
|
|
|
my $resp = communicate(@args, $url, $data);
|
|
|
|
die 'cannot download' if $? >> 8;
|
|
|
|
my ($code, $headers, $body) =
|
2019-10-02 23:56:30 +02:00
|
|
|
$resp =~ m#\AHTTP/\d(?:\.\d)? (\d+) .*?\r\n(.*?)\r\n\r\n(.*)#sm;
|
2017-05-16 20:13:29 +02:00
|
|
|
return ($code, $body, { $headers =~ /(\S+?): (.*)\r\n/mg })
|
2017-05-16 17:01:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Make a signed request to an ACME endpoint
|
|
|
|
sub send_signed {
|
|
|
|
my ($url, $payload) = @_;
|
|
|
|
my $protected = { nonce => `curl -sSfI '$ca/directory'`
|
|
|
|
=~ /Replay-Nonce: (\S+)/i, %$header };
|
|
|
|
die 'cannot retrieve nonce' if $?;
|
|
|
|
|
|
|
|
my $b64payload = b64 $json->encode($payload);
|
|
|
|
my $b64protected = b64 $json->encode($protected);
|
2017-05-16 21:31:46 +02:00
|
|
|
my $out = communicate('openssl', 'dgst', '-sha256', '-sign',
|
|
|
|
$account_key, "$b64protected.$b64payload");
|
2017-05-16 17:01:24 +02:00
|
|
|
die 'cannot sign request' if $? >> 8;
|
|
|
|
return get $url, $json->encode({
|
|
|
|
header => $header, protected => $b64protected,
|
|
|
|
payload => $b64payload, signature => b64 $out
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
# Find all domains specified in the certificate request
|
|
|
|
my $csr = `openssl req -in '$csr_file' -noout -text`;
|
|
|
|
die 'cannot parse CSR' if $?;
|
|
|
|
|
|
|
|
my @domains;
|
|
|
|
push @domains, $1 if $csr =~ /Subject:.*? CN *= *([^\s,;\/]+)/;
|
2017-05-16 20:47:12 +02:00
|
|
|
# FIXME: this may not parse correctly anymore, try it out
|
2017-05-16 17:01:24 +02:00
|
|
|
push @domains, map { substr $_, 4 } grep { /^DNS:/ } split(/, /)
|
|
|
|
for $csr =~ /X509v3 Subject Alternative Name: \n +([^\n]+)\n/g;
|
|
|
|
|
|
|
|
# Get certificate domains and expiration
|
2017-05-16 20:13:29 +02:00
|
|
|
my ($code, $result, $headers) = get "$ca/terms";
|
|
|
|
($code, $result) = send_signed("$ca/acme/new-reg", {
|
2017-05-16 17:01:24 +02:00
|
|
|
resource => 'new-reg',
|
2017-05-16 20:13:29 +02:00
|
|
|
agreement => ($code == 302 && exists $headers->{Location})
|
|
|
|
? $headers->{Location}
|
|
|
|
: 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
|
2017-05-16 17:01:24 +02:00
|
|
|
});
|
2017-06-07 05:47:22 +02:00
|
|
|
die "cannot register: $code\n$result" if $code != 201 && $code != 409;
|
2017-05-16 17:01:24 +02:00
|
|
|
|
2017-05-16 21:31:46 +02:00
|
|
|
# Check if the file is really there, submit an HTTP challenge and wait
|
|
|
|
sub verify_http {
|
|
|
|
my ($checked_url, $key_auth, $challenge_uri) = @_;
|
|
|
|
my ($code, $result) = get $checked_url;
|
|
|
|
die "checking $checked_url failed: $code" if $code != 200;
|
2017-05-16 17:01:24 +02:00
|
|
|
die 'challenge contents differ' if $result ne $key_auth;
|
|
|
|
|
2017-05-16 21:31:46 +02:00
|
|
|
($code, $result) = send_signed($challenge_uri, {
|
|
|
|
resource => 'challenge', keyAuthorization => $key_auth
|
2017-05-16 17:01:24 +02:00
|
|
|
});
|
2017-06-07 05:47:22 +02:00
|
|
|
die "challenge submission failed: $code\n$result" if $code != 202;
|
2017-05-16 17:01:24 +02:00
|
|
|
|
|
|
|
while (1) {
|
2017-05-16 21:31:46 +02:00
|
|
|
($code, $result) = get $challenge_uri;
|
2017-06-07 05:47:22 +02:00
|
|
|
die "challenge verification failed: $code\n$result" if $code >= 400;
|
2017-05-16 17:01:24 +02:00
|
|
|
my $status = $json->decode($result);
|
|
|
|
if ($status->{status} eq 'valid') {
|
|
|
|
last;
|
|
|
|
} elsif ($status->{status} eq 'pending') {
|
|
|
|
sleep 1;
|
|
|
|
} else {
|
2017-05-16 20:47:12 +02:00
|
|
|
die "challenge verification failed: $result";
|
2017-05-16 17:01:24 +02:00
|
|
|
}
|
|
|
|
}
|
2017-05-16 21:31:46 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
for my $domain (@domains) {
|
|
|
|
my ($code, $result) = send_signed("$ca/acme/new-authz", {
|
|
|
|
resource => 'new-authz',
|
|
|
|
identifier => { type => 'dns', value => $domain }
|
|
|
|
});
|
2017-06-07 05:47:22 +02:00
|
|
|
die "cannot request challenge: $code\n$result" if $code != 201;
|
2017-05-16 21:31:46 +02:00
|
|
|
|
|
|
|
my ($challenge) = grep { $_->{type} eq 'http-01' }
|
|
|
|
@{$json->decode($result)->{challenges}};
|
2017-06-07 06:00:33 +02:00
|
|
|
my $token = $challenge->{token} =~ s/[^A-Za-z0-9_-]/_/gr;
|
2017-05-16 21:31:46 +02:00
|
|
|
my $key_auth = "$token.$thumbprint";
|
|
|
|
my $known_path = "$acme_dir/$token";
|
|
|
|
|
|
|
|
open(my $fh, '>', $known_path) or die "cannot write to $known_path: $!";
|
|
|
|
print $fh $key_auth;
|
|
|
|
close $fh;
|
|
|
|
|
|
|
|
eval { verify_http("http://$domain/.well-known/acme-challenge/$token",
|
|
|
|
$key_auth, $challenge->{uri}) };
|
2017-05-16 17:01:24 +02:00
|
|
|
|
|
|
|
unlink $known_path;
|
2017-05-16 21:31:46 +02:00
|
|
|
die "$domain: $@" if $@;
|
2017-05-16 17:01:24 +02:00
|
|
|
}
|
|
|
|
|
2017-05-16 21:31:46 +02:00
|
|
|
# Get the new certificate and convert it to the PEM format
|
2017-05-16 17:01:24 +02:00
|
|
|
my $der = `openssl req -in '$csr_file' -outform DER`;
|
|
|
|
die 'cannot convert CSR' if $?;
|
|
|
|
($code, $result) = send_signed("$ca/acme/new-cert", {
|
2017-05-16 21:31:46 +02:00
|
|
|
resource => 'new-cert', csr => b64 $der
|
2017-05-16 17:01:24 +02:00
|
|
|
});
|
2017-06-07 05:47:22 +02:00
|
|
|
die "cannot sign certificate: $code\n$result" if $code != 201;
|
2017-05-16 17:01:24 +02:00
|
|
|
|
2017-05-16 21:31:46 +02:00
|
|
|
my $pem = join("\n", unpack '(A64)*', encode_base64($result, ''));
|
|
|
|
print "-----BEGIN CERTIFICATE-----\n$pem\n-----END CERTIFICATE-----\n";
|