صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
lqb
/
nginx-ui
mirrorاز https://github.com/0xJacky/nginx-ui.git
1
0
انشعاب 0
پرونده‌ها مشکلات 0 ویکی
درخت: 824c2d52a2
شاخه‌ها تگ‌ها
nginx-ui
/
server
/
tool
/
cert.go

cert.go 4.3 KB
تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183 
  1. package tool
    2. 

  2. 

  3. import (
    4. 

  4. 	"crypto"
    5. 

  5. 	"crypto/ecdsa"
    6. 

  6. 	"crypto/elliptic"
    7. 

  7. 	"crypto/rand"
    8. 

  8. 	"crypto/tls"
    9. 

  9. 	"crypto/x509"
    10. 

  10. 	"github.com/0xJacky/Nginx-UI/server/model"
    11. 

  11. 	"github.com/0xJacky/Nginx-UI/server/settings"
    12. 

  12. 	"github.com/0xJacky/Nginx-UI/server/tool/nginx"
    13. 

  13. 	"github.com/go-acme/lego/v4/certcrypto"
    14. 

  14. 	"github.com/go-acme/lego/v4/certificate"
    15. 

  15. 	"github.com/go-acme/lego/v4/challenge/http01"
    16. 

  16. 	"github.com/go-acme/lego/v4/lego"
    17. 

  17. 	"github.com/go-acme/lego/v4/registration"
    18. 

  18. 	"github.com/pkg/errors"
    19. 

  19. 	"io"
    20. 

  20. 	"io/ioutil"
    21. 

  21. 	"log"
    22. 

  22. 	"net"
    23. 

  23. 	"net/http"
    24. 

  24. 	"os"
    25. 

  25. 	"path/filepath"
    26. 

  26. 	"time"
    27. 

  27. )
    28. 

  28. 

  29. // MyUser You'll need a user or account type that implements acme.User
    30. 

  30. type MyUser struct {
    31. 

  31. 	Email        string
    32. 

  32. 	Registration *registration.Resource
    33. 

  33. 	key          crypto.PrivateKey
    34. 

  34. }
    35. 

  35. 

  36. func (u *MyUser) GetEmail() string {
    37. 

  37. 	return u.Email
    38. 

  38. }
    39. 

  39. func (u MyUser) GetRegistration() *registration.Resource {
    40. 

  40. 	return u.Registration
    41. 

  41. }
    42. 

  42. func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
    43. 

  43. 	return u.key
    44. 

  44. }
    45. 

  45. 

  46. func AutoCert() {
    47. 

  47. 	for {
    48. 

  48. 		log.Println("[AutoCert] Start")
    49. 

  49. 		autoCertList := model.GetAutoCertList()
    50. 

  50. 		for i := range autoCertList {
    51. 

  51. 			domain := autoCertList[i].Domain
    52. 

  52. 			key, err := GetCertInfo(domain)
    53. 

  53. 			if err != nil {
    54. 

  54. 				log.Println("GetCertInfo Err", err)
    55. 

  55. 				// 获取证书信息失败,本次跳过
    56. 

  56. 				continue
    57. 

  57. 			}
    58. 

  58. 			// 未到一个月
    59. 

  59. 			if time.Now().Before(key.NotBefore.AddDate(0, 1, 0)) {
    60. 

  60. 				continue
    61. 

  61. 			}
    62. 

  62. 			// 过一个月了,重新申请证书
    63. 

  63. 			err = IssueCert(domain)
    64. 

  64. 			if err != nil {
    65. 

  65. 				log.Println(err)
    66. 

  66. 			}
    67. 

  67. 		}
    68. 

  68. 		time.Sleep(1 * time.Hour)
    69. 

  69. 	}
    70. 

  70. }
    71. 

  71. 

  72. func GetCertInfo(domain string) (key *x509.Certificate, err error) {
    73. 

  73. 

  74. 	var response *http.Response
    75. 

  75. 

  76. 	client := &http.Client{
    77. 

  77. 		Transport: &http.Transport{
    78. 

  78. 			DialContext: (&net.Dialer{
    79. 

  79. 				Timeout: 5 * time.Second,
    80. 

  80. 			}).DialContext,
    81. 

  81. 			DisableKeepAlives: true,
    82. 

  82. 			TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
    83. 

  83. 		},
    84. 

  84. 		Timeout: 5 * time.Second,
    85. 

  85. 	}
    86. 

  86. 

  87. 	response, err = client.Get("https://" + domain)
    88. 

  88. 

  89. 	if err != nil {
    90. 

  90. 		err = errors.Wrap(err, "get cert info error")
    91. 

  91. 		return
    92. 

  92. 	}
    93. 

  93. 

  94. 	defer func(Body io.ReadCloser) {
    95. 

  95. 		err = Body.Close()
    96. 

  96. 		if err != nil {
    97. 

  97. 			log.Println(err)
    98. 

  98. 			return
    99. 

  99. 		}
    100. 

  100. 	}(response.Body)
    101. 

  101. 

  102. 	key = response.TLS.PeerCertificates[0]
    103. 

  103. 

  104. 	return
    105. 

  105. }
    106. 

  106. 

  107. func IssueCert(domain string) error {
    108. 

  108. 	// Create a user. New accounts need an email and private key to start.
    109. 

  109. 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    110. 

  110. 	if err != nil {
    111. 

  111. 		return errors.Wrap(err, "issue cert generate key error")
    112. 

  112. 	}
    113. 

  113. 

  114. 	myUser := MyUser{
    115. 

  115. 		Email: settings.ServerSettings.Email,
    116. 

  116. 		key:   privateKey,
    117. 

  117. 	}
    118. 

  118. 

  119. 	config := lego.NewConfig(&myUser)
    120. 

  120. 

  121. 	if settings.ServerSettings.Demo {
    122. 

  122. 		config.CADirURL = "https://acme-staging-v02.api.letsencrypt.org/directory"
    123. 

  123. 	}
    124. 

  124. 	config.Certificate.KeyType = certcrypto.RSA2048
    125. 

  125. 

  126. 	// A client facilitates communication with the CA server.
    127. 

  127. 	client, err := lego.NewClient(config)
    128. 

  128. 	if err != nil {
    129. 

  129. 		return errors.Wrap(err, "issue cert new client error")
    130. 

  130. 	}
    131. 

  131. 

  132. 	err = client.Challenge.SetHTTP01Provider(
    133. 

  133. 		http01.NewProviderServer("",
    134. 

  134. 			settings.ServerSettings.HTTPChallengePort,
    135. 

  135. 		),
    136. 

  136. 	)
    137. 

  137. 	if err != nil {
    138. 

  138. 		return errors.Wrap(err, "issue cert challenge fail")
    139. 

  139. 	}
    140. 

  140. 

  141. 	// New users will need to register
    142. 

  142. 	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
    143. 

  143. 	if err != nil {
    144. 

  144. 		log.Println(err)
    145. 

  145. 		return errors.Wrap(err, "issue cert register fail")
    146. 

  146. 	}
    147. 

  147. 	myUser.Registration = reg
    148. 

  148. 

  149. 	request := certificate.ObtainRequest{
    150. 

  150. 		Domains: []string{domain},
    151. 

  151. 		Bundle:  true,
    152. 

  152. 	}
    153. 

  153. 	certificates, err := client.Certificate.Obtain(request)
    154. 

  154. 	if err != nil {
    155. 

  155. 		return errors.Wrap(err, "issue cert fail to obtain")
    156. 

  156. 	}
    157. 

  157. 	saveDir := nginx.GetNginxConfPath("ssl/" + domain)
    158. 

  158. 	if _, err := os.Stat(saveDir); os.IsNotExist(err) {
    159. 

  159. 		err = os.Mkdir(saveDir, 0755)
    160. 

  160. 		if err != nil {
    161. 

  161. 			return errors.Wrap(err, "issue cert fail to create")
    162. 

  162. 		}
    163. 

  163. 	}
    164. 

  164. 

  165. 	// Each certificate comes back with the cert bytes, the bytes of the client's
    166. 

  166. 	// private key, and a certificate URL. SAVE THESE TO DISK.
    167. 

  167. 	err = ioutil.WriteFile(filepath.Join(saveDir, "fullchain.cer"),
    168. 

  168. 		certificates.Certificate, 0644)
    169. 

  169. 	if err != nil {
    170. 

  170. 		log.Println(err)
    171. 

  171. 		return errors.Wrap(err, "issue cert write fullchain.cer fail")
    172. 

  172. 	}
    173. 

  173. 	err = ioutil.WriteFile(filepath.Join(saveDir, domain+".key"),
    174. 

  174. 		certificates.PrivateKey, 0644)
    175. 

  175. 	if err != nil {
    176. 

  176. 		log.Println(err)
    177. 

  177. 		return errors.Wrap(err, "issue cert write key fail")
    178. 

  178. 	}
    179. 

  179. 

  180. 	nginx.ReloadNginx()
    181. 

  181. 

  182. 	return nil
    183. 

  183. }
    184.