incusd/acme: Use lego for HTTP-01

Signed-off-by: Matthew Gibbons <[email protected]>

Author: accuser

cmd/incusd/acme.go cmd/incusd/api_acme.go

@@ -2,10 +2,10 @@ package main
 
 import (
 	"context"
+	"io"
+	"net"
 	"net/http"
-	"net/url"
-
-	"github.com/gorilla/mux"
+	"strings"
 
 	"github.com/lxc/incus/v6/internal/server/acme"
 	"github.com/lxc/incus/v6/internal/server/cluster"
@@ -32,11 +32,7 @@ var acmeChallengeCmd = APIEndpoint{
 func acmeProvideChallenge(d *Daemon, r *http.Request) response.Response {
 	s := d.State()
 
-	token, err := url.PathUnescape(mux.Vars(r)["token"])
-	if err != nil {
-		return response.SmartError(err)
-	}
-
+	// Redirect to the leader when clustered.
 	if s.ServerClustered {
 		leader, err := s.Cluster.LeaderAddress()
 		if err != nil {
@@ -57,14 +53,44 @@ func acmeProvideChallenge(d *Daemon, r *http.Request) response.Response {
 		}
 	}
 
-	if d.http01Provider == nil || d.http01Provider.Token() != token {
-		return response.NotFound(nil)
+	// Forward to the lego listener.
+	addr := s.GlobalConfig.ACMEHTTP()
+	if strings.HasPrefix(addr, ":") {
+		addr = "127.0.0.1" + addr
+	}
+
+	domain, _, _, _, _ := s.GlobalConfig.ACME()
+
+	client := http.Client{}
+	client.Transport = &http.Transport{
+		DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
+			return net.Dial("tcp", addr)
+		},
+	}
+
+	req, err := http.NewRequest("GET", "http://"+domain+r.URL.String(), nil)
+	if err != nil {
+		return response.InternalError(err)
+	}
+
+	req.Header = r.Header
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return response.InternalError(err)
+	}
+
+	defer resp.Body.Close()
+
+	challenge, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return response.InternalError(err)
 	}
 
 	return response.ManualResponse(func(w http.ResponseWriter) error {
 		w.Header().Set("Content-Type", "text/plain")
 
-		_, err := w.Write([]byte(d.http01Provider.KeyAuth()))
+		_, err = w.Write(challenge)
 		if err != nil {
 			return err
 		}
@@ -98,7 +124,7 @@ func autoRenewCertificate(ctx context.Context, d *Daemon, force bool) error {
 	}
 
 	opRun := func(op *operations.Operation) error {
-		newCert, err := acme.UpdateCertificate(s, challengeType, d.http01Provider, s.ServerClustered, domain, email, caURL, force)
+		newCert, err := acme.UpdateCertificate(s, challengeType, s.ServerClustered, domain, email, caURL, force)
 		if err != nil {
 			return err
 		}

cmd/incusd/daemon.go

@@ -30,7 +30,6 @@ import (
 	internalIO "github.com/lxc/incus/v6/internal/io"
 	"github.com/lxc/incus/v6/internal/linux"
 	"github.com/lxc/incus/v6/internal/rsync"
-	"github.com/lxc/incus/v6/internal/server/acme"
 	"github.com/lxc/incus/v6/internal/server/apparmor"
 	"github.com/lxc/incus/v6/internal/server/auth"
 	"github.com/lxc/incus/v6/internal/server/auth/oidc"
@@ -156,9 +155,6 @@ type Daemon struct {
 
 	lokiClient *loki.Client
 
-	// HTTP-01 challenge provider for ACME
-	http01Provider acme.HTTP01Provider
-
 	// Authorization.
 	authorizer auth.Authorizer
 
@@ -198,7 +194,6 @@ func newDaemon(config *DaemonConfig, os *sys.OS) *Daemon {
 		devIncusEvents: devIncusEvents,
 		events:         incusEvents,
 		db:             &db.DB{},
-		http01Provider: acme.NewHTTP01Provider(),
 		os:             os,
 		setupChan:      make(chan struct{}),
 		waitReady:      cancel.New(context.Background()),

internal/server/acme/acme.go

@@ -2,22 +2,13 @@ package acme
 
 import (
 	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"os"
 	"slices"
 	"time"
 
-	"github.com/go-acme/lego/v4/acme"
-	"github.com/go-acme/lego/v4/certcrypto"
-	"github.com/go-acme/lego/v4/certificate"
-	"github.com/go-acme/lego/v4/lego"
-	"github.com/go-acme/lego/v4/registration"
-
 	"github.com/lxc/incus/v6/internal/server/state"
 	internalUtil "github.com/lxc/incus/v6/internal/util"
 	"github.com/lxc/incus/v6/shared/logger"
@@ -36,14 +27,20 @@ const retries = 5
 // certificate at a later stage.
 const ClusterCertFilename = "cluster.crt.new"
 
+// CertKeyPair describes a certificate and its private key.
+type CertKeyPair struct {
+	Certificate []byte `json:"-"`
+	PrivateKey  []byte `json:"-"`
+}
+
 // certificateNeedsUpdate returns true if the domain doesn't match the certificate's DNS names
 // or it's valid for less than 30 days.
 func certificateNeedsUpdate(domain string, cert *x509.Certificate) bool {
 	return !slices.Contains(cert.DNSNames, domain) || time.Now().After(cert.NotAfter.Add(-30*24*time.Hour))
 }
 
 // UpdateCertificate updates the certificate.
-func UpdateCertificate(s *state.State, challengeType string, provider ChallengeProvider, clustered bool, domain string, email string, caURL string, force bool) (*certificate.Resource, error) {
+func UpdateCertificate(s *state.State, challengeType string, clustered bool, domain string, email string, caURL string, force bool) (*CertKeyPair, error) {
 	clusterCertFilename := internalUtil.VarPath(ClusterCertFilename)
 
 	l := logger.AddContext(logger.Ctx{"domain": domain, "caURL": caURL, "challenge": challengeType})
@@ -75,7 +72,7 @@ func UpdateCertificate(s *state.State, challengeType string, provider ChallengeP
 		}
 
 		if !certificateNeedsUpdate(domain, cert) {
-			return &certificate.Resource{
+			return &CertKeyPair{
 				Certificate: clusterCert,
 				PrivateKey:  key,
 			}, nil
@@ -102,148 +99,66 @@ func UpdateCertificate(s *state.State, challengeType string, provider ChallengeP
 		return nil, nil
 	}
 
+	tmpDir, err := os.MkdirTemp("", "lego")
+	if err != nil {
+		return nil, fmt.Errorf("Failed to create temporary directory: %w", err)
+	}
+
+	defer func() {
+		err := os.RemoveAll(tmpDir)
+		if err != nil {
+			logger.Warn("Failed to remove temporary directory", logger.Ctx{"err": err})
+		}
+	}()
+
+	env := os.Environ()
+
+	args := []string{
+		"--accept-tos",
+		"--domains", domain,
+		"--email", email,
+		"--path", tmpDir,
+		"--server", caURL,
+	}
+
 	if challengeType == "DNS-01" {
 		provider, environment, resolvers := s.GlobalConfig.ACMEDNS()
 
+		env = append(env, environment...)
+
 		if provider == "" {
 			return nil, fmt.Errorf("DNS-01 challenge type requires acme.dns.provider configuration key to be set")
 		}
 
-		tmpDir, err := os.MkdirTemp("", "lego")
-		if err != nil {
-			return nil, fmt.Errorf("Failed to create temporary directory: %w", err)
-		}
-
-		defer func() {
-			err := os.RemoveAll(tmpDir)
-			if err != nil {
-				logger.Warn("Failed to remove temporary directory", logger.Ctx{"err": err})
-			}
-		}()
-
-		args := []string{
-			"--accept-tos",
-			"--dns", provider,
-			"--domains", domain,
-			"--email", email,
-			"--path", tmpDir,
-			"--server", caURL,
-		}
-
+		args = append(args, "--dns", provider)
 		if len(resolvers) > 0 {
 			for _, resolver := range resolvers {
 				args = append(args, "--dns.resolvers", resolver)
 			}
 		}
+	} else if challengeType == "HTTP-01" {
+		args = append(args, "--http")
 
-		args = append(args, "run")
-
-		_, _, err = subprocess.RunCommandSplit(context.TODO(), append(os.Environ(), environment...), nil, "lego", args...)
-		if err != nil {
-			return nil, fmt.Errorf("Failed to run lego command: %w", err)
+		port := s.GlobalConfig.ACMEHTTP()
+		if port != "" {
+			args = append(args, "--http.port", port)
 		}
-
-		certInfo, err = localtls.KeyPairAndCA(tmpDir+"/certificates", domain, localtls.CertServer, true)
-		if err != nil {
-			return nil, fmt.Errorf("Failed to load certificate and key file: %w", err)
-		}
-
-		return &certificate.Resource{
-			Certificate: certInfo.PublicKey(),
-			PrivateKey:  certInfo.PrivateKey(),
-		}, nil
-	}
-
-	// Generate new private key for user. This key needs to be different from the server's private key.
-	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, fmt.Errorf("Failed generating private key for user account: %w", err)
-	}
-
-	user := user{
-		Email: email,
-		Key:   privateKey,
 	}
 
-	config := lego.NewConfig(&user)
+	args = append(args, "run")
 
-	if caURL != "" {
-		config.CADirURL = caURL
-	} else {
-		// Default URL for Let's Encrypt
-		config.CADirURL = "https://acme-v02.api.letsencrypt.org/directory"
-	}
-
-	config.Certificate.KeyType = certcrypto.RSA2048
-
-	client, err := lego.NewClient(config)
+	_, _, err = subprocess.RunCommandSplit(context.TODO(), env, nil, "lego", args...)
 	if err != nil {
-		return nil, fmt.Errorf("Failed to create new client: %w", err)
+		return nil, fmt.Errorf("Failed to run lego command: %w", err)
 	}
 
-	err = provider.RegisterWithSolver(client.Challenge)
+	certInfo, err = localtls.KeyPairAndCA(tmpDir+"/certificates", domain, localtls.CertServer, true)
 	if err != nil {
-		return nil, fmt.Errorf("Failed setting challenge provider: %w", err)
-	}
-
-	var reg *registration.Resource
-
-	// Registration might fail randomly (as seen in manual tests), so retry in that case.
-	for i := 0; i < retries; i++ {
-		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
-		if err == nil {
-			break
-		}
-
-		// In case we were rate limited, don't try again.
-		details, ok := err.(*acme.ProblemDetails)
-		if ok && details.Type == "urn:ietf:params:acme:error:rateLimited" {
-			break
-		}
-
-		l.Warn("Failed to register user, retrying in 10 seconds", logger.Ctx{"err": err})
-		time.Sleep(10 * time.Second)
-	}
-
-	if err != nil {
-		return nil, fmt.Errorf("Failed to register user: %w", err)
-	}
-
-	user.Registration = reg
-
-	request := certificate.ObtainRequest{
-		Domains:    []string{domain},
-		Bundle:     true,
-		PrivateKey: certInfo.KeyPair().PrivateKey,
-	}
-
-	var certificates *certificate.Resource
-
-	l.Info("Issuing certificate")
-
-	// Get new certificate.
-	// This might fail randomly (as seen in manual tests), so retry in that case.
-	for i := 0; i < retries; i++ {
-		certificates, err = client.Certificate.Obtain(request)
-		if err == nil {
-			break
-		}
-
-		// In case we were rate limited, don't try again.
-		details, ok := err.(*acme.ProblemDetails)
-		if ok && details.Type == "urn:ietf:params:acme:error:rateLimited" {
-			break
-		}
-
-		l.Warn("Failed to obtain certificate, retrying in 10 seconds", logger.Ctx{"err": err})
-		time.Sleep(10 * time.Second)
-	}
-
-	if err != nil {
-		return nil, fmt.Errorf("Failed to obtain certificate: %w", err)
+		return nil, fmt.Errorf("Failed to load certificate and key file: %w", err)
 	}
 
-	l.Info("Finished issuing certificate")
-
-	return certificates, nil
+	return &CertKeyPair{
+		Certificate: certInfo.PublicKey(),
+		PrivateKey:  certInfo.PrivateKey(),
+	}, nil
 }