use of org.carapaceproxy.configstore.CertificateData in project carapaceproxy by diennea.
the class CertificatesTest method testUploadTypedCertificatesWithDaysBeforeRenewal.
@Test
@Parameters({ "acme", "manual" })
public void testUploadTypedCertificatesWithDaysBeforeRenewal(String type) throws Exception {
configureAndStartServer();
int port = server.getLocalPort();
DynamicCertificatesManager dynCertsMan = server.getDynamicCertificatesManager();
KeyPair endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
Certificate[] chain = generateSampleChain(endUserKeyPair, false);
byte[] chainData = createKeystore(chain, endUserKeyPair.getPrivate());
try (RawHttpClient client = new RawHttpClient("localhost", DEFAULT_ADMIN_PORT)) {
// Create
HttpResponse resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=10", chainData, client, credentials);
if (type.equals("manual")) {
assertTrue(resp.getBodyString().contains("ERROR: param 'daysbeforerenewal' available for type 'acme' only"));
} else {
CertificateData data = dynCertsMan.getCertificateDataForDomain("localhost2");
assertNotNull(data);
assertEquals(10, data.getDaysBeforeRenewal());
}
// negative value
resp = uploadCertificate("localhost-negative", "type=" + type + "&daysbeforerenewal=-10", chainData, client, credentials);
if (type.equals("manual")) {
assertTrue(resp.getBodyString().contains("ERROR: param 'daysbeforerenewal' available for type 'acme' only"));
} else {
assertTrue(resp.getBodyString().contains("ERROR: param 'daysbeforerenewal' has to be a positive number"));
}
// default value
uploadCertificate("localhost-default", "type=" + type, chainData, client, credentials);
CertificateData data = dynCertsMan.getCertificateDataForDomain("localhost-default");
assertNotNull(data);
assertEquals(type.equals("manual") ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, data.getDaysBeforeRenewal());
// Update
uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=45", chainData, client, credentials);
if (type.equals("manual")) {
assertTrue(resp.getBodyString().contains("ERROR: param 'daysbeforerenewal' available for type 'acme' only"));
} else {
data = dynCertsMan.getCertificateDataForDomain("localhost2");
assertNotNull(data);
assertEquals(45, data.getDaysBeforeRenewal());
}
// negative value
resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=-10", chainData, client, credentials);
if (type.equals("manual")) {
assertTrue(resp.getBodyString().contains("ERROR: param 'daysbeforerenewal' available for type 'acme' only"));
} else {
assertTrue(resp.getBodyString().contains("ERROR: param 'daysbeforerenewal' has to be a positive number"));
}
// default value
uploadCertificate("localhost2", "type=" + type, chainData, client, credentials);
data = dynCertsMan.getCertificateDataForDomain("localhost2");
assertNotNull(data);
assertEquals(type.equals("manual") ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, data.getDaysBeforeRenewal());
// changing the type (acme <-> manual)
String other = type.equals("manual") ? "acme" : "manual";
uploadCertificate("localhost2", "type=" + other, chainData, client, credentials);
data = dynCertsMan.getCertificateDataForDomain("localhost2");
assertNotNull(data);
assertEquals(other.equals("manual") ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, data.getDaysBeforeRenewal());
SSLCertificateConfiguration config = server.getCurrentConfiguration().getCertificates().get("localhost2");
assertEquals(other.equals("manual") ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, config.getDaysBeforeRenewal());
// checking for "certificate.X.daysbeforerenewal" property delete
ConfigurationStore store = server.getDynamicConfigurationStore();
assertEquals(other.equals("acme"), store.anyPropertyMatches((k, v) -> {
if (k.matches("certificate\\.[0-9]+\\.hostname") && v.equals("localhost2")) {
return store.getProperty(k.replace("hostname", "daysbeforerenewal"), null) != null;
}
return false;
}));
}
}
use of org.carapaceproxy.configstore.CertificateData in project carapaceproxy by diennea.
the class DynamicCertificatesManagerTest method testWidlcardCertificateStateManagement.
@Test
// E) challenge failed -> record deleted
@Parameters({ "challenge_creation_failed", "challenge_check_limit_expired", "challenge_ready", "challenge_verified", "challenge_failed" })
public void testWidlcardCertificateStateManagement(String runCase) throws Exception {
System.setProperty("carapace.acme.dnschallengereachabilitycheck.limit", "2");
// ACME mocking
ACMEClient ac = mock(ACMEClient.class);
Order o = mock(Order.class);
when(o.getLocation()).thenReturn(new URL("https://localhost/index"));
Login login = mock(Login.class);
when(login.bindOrder(any())).thenReturn(o);
when(ac.getLogin()).thenReturn(login);
when(ac.createOrderForDomain(any())).thenReturn(o);
Session session = mock(Session.class);
Connection conn = mock(Connection.class);
when(conn.readJsonResponse()).thenReturn(JSON.parse("{\"url\": \"https://localhost/index\", \"type\": \"dns-01\"}"));
when(session.connect()).thenReturn(conn);
when(login.getSession()).thenReturn(session);
when(login.getKeyPair()).thenReturn(KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE));
Dns01Challenge c = mock(Dns01Challenge.class);
when(c.getDigest()).thenReturn("");
when(c.getJSON()).thenReturn(JSON.parse("{\"url\": \"https://localhost/index\", \"type\": \"dns-01\", \"token\": \"mytoken\"}"));
when(ac.getChallengeForOrder(any(), eq(true))).thenReturn(c);
when(ac.checkResponseForChallenge(any())).thenReturn(runCase.equals("challenge_failed") ? INVALID : VALID);
KeyPair keyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
Certificate cert = mock(Certificate.class);
X509Certificate _cert = (X509Certificate) generateSampleChain(keyPair, false)[0];
when(cert.getCertificateChain()).thenReturn(Arrays.asList(_cert));
when(ac.fetchCertificateForOrder(any())).thenReturn(cert);
HttpProxyServer parent = mock(HttpProxyServer.class);
when(parent.getListeners()).thenReturn(mock(Listeners.class));
DynamicCertificatesManager man = new DynamicCertificatesManager(parent);
man.attachGroupMembershipHandler(new NullGroupMembershipHandler());
Whitebox.setInternalState(man, ac);
// Route53Cliente mocking
man.initAWSClient("access", "secret");
Route53Client r53Client = mock(Route53Client.class);
when(r53Client.createDnsChallengeForDomain(any(), any())).thenReturn(!runCase.startsWith("challenge_creation_failed"));
when(r53Client.isDnsChallengeForDomainAvailable(any(), any())).thenReturn(!(runCase.equals("challenge_creation_failed_n_reboot") || runCase.equals("challenge_check_limit_expired")));
Whitebox.setInternalState(man, r53Client);
// Store mocking
ConfigurationStore store = mock(ConfigurationStore.class);
when(store.loadKeyPairForDomain(anyString())).thenReturn(keyPair);
// certificate to order
String domain = "*.localhost";
CertificateData cd1 = new CertificateData(domain, "", "", WAITING, "", "");
when(store.loadCertificateForDomain(eq(domain))).thenReturn(cd1);
man.setConfigurationStore(store);
// Manager setup
Properties props = new Properties();
props.setProperty("certificate.1.hostname", domain);
props.setProperty("certificate.1.mode", "acme");
props.setProperty("certificate.1.daysbeforerenewal", "0");
props.setProperty("dynamiccertificatesmanager.domainschecker.ipaddresses", "127.0.0.1, 0:0:0:0:0:0:0:1");
ConfigurationStore configStore = new PropertiesConfigurationStore(props);
RuntimeServerConfiguration conf = new RuntimeServerConfiguration();
conf.configure(configStore);
man.reloadConfiguration(conf);
CertificateData certData = man.getCertificateDataForDomain(domain);
assertThat(certData.isWildcard(), is(true));
// at every run the certificate has to be saved to the db (whether not AVAILABLE).
int saveCounter = 0;
// WAITING
assertCertificateState(domain, WAITING, man);
man.run();
verify(store, times(++saveCounter)).saveCertificate(any());
if (runCase.equals("challenge_creation_failed")) {
// WAITING
assertCertificateState(domain, WAITING, man);
} else {
// DNS_CHALLENGE_WAIT
assertCertificateState(domain, DNS_CHALLENGE_WAIT, man);
man.run();
verify(store, times(++saveCounter)).saveCertificate(any());
if (runCase.equals("challenge_check_limit_expired")) {
assertCertificateState(domain, DNS_CHALLENGE_WAIT, man);
man.run();
verify(store, times(++saveCounter)).saveCertificate(any());
assertCertificateState(domain, REQUEST_FAILED, man);
// check dns-challenge-record deleted
verify(r53Client, times(1)).deleteDnsChallengeForDomain(any(), any());
} else {
// VERIFYING
assertCertificateState(domain, VERIFYING, man);
man.run();
verify(store, times(++saveCounter)).saveCertificate(any());
if (runCase.equals("challenge_failed")) {
// REQUEST_FAILED
assertCertificateState(domain, REQUEST_FAILED, man);
// check dns-challenge-record deleted
verify(r53Client, times(1)).deleteDnsChallengeForDomain(any(), any());
} else if (runCase.equals("challenge_verified")) {
// VERIFIED
assertCertificateState(domain, VERIFIED, man);
// check dns-challenge-record deleted
verify(r53Client, times(1)).deleteDnsChallengeForDomain(any(), any());
}
}
}
}
use of org.carapaceproxy.configstore.CertificateData in project carapaceproxy by diennea.
the class StartAPIServerTest method testCertificates.
@Test
public void testCertificates() throws Exception {
final String dynDomain = "dynamic.test.tld";
Properties properties = new Properties(HTTP_ADMIN_SERVER_CONFIG);
KeyPair endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
Certificate[] originalChain = generateSampleChain(endUserKeyPair, false);
X509Certificate certificate = (X509Certificate) originalChain[0];
String serialNumber1 = certificate.getSerialNumber().toString(16).toUpperCase();
String expiringDate1 = certificate.getNotAfter().toString();
byte[] keystoreData = createKeystore(originalChain, endUserKeyPair.getPrivate());
File mock1 = tmpFolder.newFile("mock1.p12");
Files.write(mock1.toPath(), keystoreData);
properties.put("certificate.1.hostname", "localhost");
properties.put("certificate.1.file", mock1.getAbsolutePath());
properties.put("certificate.1.password", KEYSTORE_PW);
endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
originalChain = generateSampleChain(endUserKeyPair, true);
certificate = (X509Certificate) originalChain[0];
String serialNumber2 = certificate.getSerialNumber().toString(16).toUpperCase();
String expiringDate2 = certificate.getNotAfter().toString();
keystoreData = createKeystore(originalChain, endUserKeyPair.getPrivate());
File mock2 = tmpFolder.newFile("mock2.p12");
Files.write(mock2.toPath(), keystoreData);
properties.put("certificate.2.hostname", "127.0.0.1");
properties.put("certificate.2.file", mock2.getAbsolutePath());
properties.put("certificate.2.password", KEYSTORE_PW);
// Acme certificate
properties.put("certificate.3.hostname", dynDomain);
properties.put("certificate.3.mode", "acme");
startServer(properties);
DynamicCertificatesManager man = server.getDynamicCertificatesManager();
// need to explicitly add 'cause DynamicCertificatesManager never run
ConfigurationStore store = server.getDynamicConfigurationStore();
endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
originalChain = generateSampleChain(endUserKeyPair, false);
certificate = (X509Certificate) originalChain[0];
String serialNumber = certificate.getSerialNumber().toString(16).toUpperCase();
String expiringDate = certificate.getNotAfter().toString();
String dynChain = Base64.getEncoder().encodeToString(createKeystore(originalChain, endUserKeyPair.getPrivate()));
store.saveCertificate(new CertificateData(dynDomain, "", dynChain, WAITING, "", ""));
// this reloads certificates from the store
man.setStateOfCertificate(dynDomain, WAITING);
// Static certificates
try (RawHttpClient client = new RawHttpClient("localhost", 8761)) {
// full list request
RawHttpClient.HttpResponse response = client.get("/api/certificates", credentials);
String json = response.getBodyString();
assertThat(json, containsString("localhost"));
assertThat(json, containsString("\"mode\":\"static\""));
assertThat(json, containsString("\"dynamic\":false"));
assertThat(json, containsString("\"status\":\"available\""));
assertThat(json, containsString("\"sslCertificateFile\":\"" + mock1.getAbsolutePath() + "\""));
assertThat(json, containsString("\"serialNumber\":\"" + serialNumber1 + "\""));
assertThat(json, containsString("\"expiringDate\":\"" + expiringDate1 + "\""));
assertThat(json, containsString("127.0.0.1"));
assertThat(json, containsString("\"mode\":\"static\""));
assertThat(json, containsString("\"dynamic\":false"));
assertThat(json, containsString("\"status\":\"expired\""));
assertThat(json, containsString("\"sslCertificateFile\":\"" + mock2.getAbsolutePath() + "\""));
assertThat(json, containsString("\"serialNumber\":\"" + serialNumber2 + "\""));
assertThat(json, containsString("\"expiringDate\":\"" + expiringDate2 + "\""));
// single cert request to /{certId}
response = client.get("/api/certificates/127.0.0.1", credentials);
json = response.getBodyString();
assertThat(json, not(containsString("localhost")));
assertThat(json, containsString("\"mode\":\"static\""));
assertThat(json, containsString("\"dynamic\":false"));
assertThat(json, containsString("\"status\":\"expired\""));
assertThat(json, containsString("\"sslCertificateFile\":\"" + mock2.getAbsolutePath() + "\""));
assertThat(json, containsString("\"serialNumber\":\"" + serialNumber2 + "\""));
assertThat(json, containsString("\"expiringDate\":\"" + expiringDate2 + "\""));
}
// Acme certificate
try (RawHttpClient client = new RawHttpClient("localhost", 8761)) {
// full list request
RawHttpClient.HttpResponse response = client.get("/api/certificates", credentials);
String json = response.getBodyString();
assertThat(json, containsString(dynDomain));
assertThat(json, containsString("\"mode\":\"acme\""));
assertThat(json, containsString("\"dynamic\":true"));
assertThat(json, containsString("\"status\":\"waiting\""));
assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
// single cert request to /{certId}
response = client.get("/api/certificates/" + dynDomain, credentials);
json = response.getBodyString();
assertThat(json, containsString(dynDomain));
assertThat(json, containsString("\"mode\":\"acme\""));
assertThat(json, containsString("\"dynamic\":true"));
assertThat(json, containsString("\"status\":\"waiting\""));
assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
// Changing dynamic certificate state
for (DynamicCertificateState state : DynamicCertificateState.values()) {
man.setStateOfCertificate(dynDomain, state);
response = client.get("/api/certificates", credentials);
json = response.getBodyString();
assertThat(json, containsString(dynDomain));
assertThat(json, containsString("\"mode\":\"acme\""));
assertThat(json, containsString("\"dynamic\":true"));
assertThat(json, containsString("\"status\":\"" + certificateStateToString(state) + "\""));
response = client.get("/api/certificates/" + dynDomain, credentials);
json = response.getBodyString();
assertThat(json, containsString(dynDomain));
assertThat(json, containsString("\"mode\":\"acme\""));
assertThat(json, containsString("\"dynamic\":true"));
assertThat(json, containsString("\"status\":\"" + certificateStateToString(state) + "\""));
}
// Downloading
CertificateData cert = store.loadCertificateForDomain(dynDomain);
byte[] newKeystore = createKeystore(generateSampleChain(endUserKeyPair, false), KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE).getPrivate());
cert.setChain(Base64.getEncoder().encodeToString(newKeystore));
store.saveCertificate(cert);
man.setStateOfCertificate(dynDomain, DynamicCertificateState.AVAILABLE);
response = client.get("/api/certificates/" + dynDomain + "/download", credentials);
assertTrue(Arrays.equals(newKeystore, response.getBody()));
}
// Manual certificate
try (RawHttpClient client = new RawHttpClient("localhost", 8761)) {
String manualDomain = "manual.test.tld";
int certsCount = server.getCurrentConfiguration().getCertificates().size();
// Uploading trash-stuff
RawHttpClient.HttpResponse resp = uploadCertificate(manualDomain, null, "fake-chain".getBytes(), client, credentials);
String s = resp.getBodyString();
assertTrue(s.contains("ERROR"));
// Uploading real certificate
endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
originalChain = generateSampleChain(endUserKeyPair, false);
certificate = (X509Certificate) originalChain[0];
serialNumber = certificate.getSerialNumber().toString(16).toUpperCase();
expiringDate = certificate.getNotAfter().toString();
byte[] chain1 = createKeystore(originalChain, endUserKeyPair.getPrivate());
resp = uploadCertificate(manualDomain, null, chain1, client, credentials);
s = resp.getBodyString();
assertTrue(s.contains("SUCCESS"));
int certsCount2 = server.getCurrentConfiguration().getCertificates().size();
assertEquals(certsCount + 1, certsCount2);
// full list request
RawHttpClient.HttpResponse response = client.get("/api/certificates", credentials);
String json = response.getBodyString();
assertThat(json, containsString(manualDomain));
assertThat(json, containsString("\"mode\":\"manual\""));
assertThat(json, containsString("\"dynamic\":true"));
assertThat(json, containsString("\"status\":\"available\""));
assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
// single cert request to /{certId}
response = client.get("/api/certificates/" + manualDomain, credentials);
json = response.getBodyString();
assertThat(json, containsString(manualDomain));
assertThat(json, containsString("\"mode\":\"manual\""));
assertThat(json, containsString("\"dynamic\":true"));
assertThat(json, containsString("\"status\":\"available\""));
assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
// Downloading
response = client.get("/api/certificates/" + manualDomain + "/download", credentials);
assertTrue(Arrays.equals(chain1, response.getBody()));
// Certificate updating
// Uploading
endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
originalChain = generateSampleChain(endUserKeyPair, true);
certificate = (X509Certificate) originalChain[0];
serialNumber = certificate.getSerialNumber().toString(16).toUpperCase();
expiringDate = certificate.getNotAfter().toString();
byte[] chain2 = createKeystore(originalChain, endUserKeyPair.getPrivate());
assertFalse(Arrays.equals(chain1, chain2));
resp = uploadCertificate(manualDomain, null, chain2, client, credentials);
s = resp.getBodyString();
assertTrue(s.contains("SUCCESS"));
// check properties (certificate) not duplicated
int certsCount3 = server.getCurrentConfiguration().getCertificates().size();
assertEquals(certsCount2, certsCount3);
// full list request
response = client.get("/api/certificates", credentials);
json = response.getBodyString();
assertThat(json, containsString(manualDomain));
assertThat(json, containsString("\"mode\":\"manual\""));
assertThat(json, containsString("\"dynamic\":true"));
assertThat(json, containsString("\"status\":\"expired\""));
assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
// single cert request to /{certId}
response = client.get("/api/certificates/" + manualDomain, credentials);
json = response.getBodyString();
assertThat(json, containsString(manualDomain));
assertThat(json, containsString("\"mode\":\"manual\""));
assertThat(json, containsString("\"dynamic\":true"));
assertThat(json, containsString("\"status\":\"expired\""));
assertThat(json, containsString("\"serialNumber\":\"" + serialNumber + "\""));
assertThat(json, containsString("\"expiringDate\":\"" + expiringDate + "\""));
// Downloading
response = client.get("/api/certificates/" + manualDomain + "/download", credentials);
assertTrue(Arrays.equals(chain2, response.getBody()));
}
}
use of org.carapaceproxy.configstore.CertificateData in project carapaceproxy by diennea.
the class DynamicCertificatesManager method certificatesLifecycle.
private void certificatesLifecycle() {
boolean flushCache = false;
List<CertificateData> _certificates = certificates.entrySet().stream().filter(e -> !e.getValue().isManual()).sorted((e1, e2) -> e1.getKey().compareTo(e2.getKey())).map(e -> e.getValue()).collect(Collectors.toList());
for (CertificateData cert : _certificates) {
boolean updateCertificate = true;
final String domain = cert.getDomain();
try {
switch(cert.getState()) {
// certificate waiting to be issues/renew
case WAITING:
case DOMAIN_UNREACHABLE:
{
// certificate domain reported as unreachable for issuing/renewing
LOG.log(Level.INFO, "WAITING for certificate issuing process start for domain: {0}.", domain);
if (cert.isWildcard() || checkDomain(domain)) {
Order order = createOrderForCertificate(cert);
createChallengeForCertificateOrder(cert, order);
} else {
cert.setState(DOMAIN_UNREACHABLE);
}
break;
}
case DNS_CHALLENGE_WAIT:
{
// waiting for full dns propagation
LOG.log(Level.INFO, "DNS CHALLENGE WAITING for domain {0}.", domain);
Dns01Challenge pendingChallenge = (Dns01Challenge) getChallengeFromCertificate(cert);
checkDnsChallengeReachabilityForCertificate(pendingChallenge, cert);
break;
}
case VERIFYING:
{
// challenge verification by LE pending
LOG.log(Level.INFO, "VERIFYING certificate for domain {0}.", domain);
Challenge pendingChallenge = getChallengeFromCertificate(cert);
checkChallengeResponseForCertificate(pendingChallenge, cert);
break;
}
case VERIFIED:
{
// challenge succeded
LOG.log(Level.INFO, "Certificate for domain {0} VERIFIED.", domain);
Order pendingOrder = acmeClient.getLogin().bindOrder(new URL(cert.getPendingOrderLocation()));
if (pendingOrder.getStatus() != Status.VALID) {
// whether the order is already valid we have to skip finalization
try {
KeyPair keys = loadOrCreateKeyPairForDomain(domain);
acmeClient.orderCertificate(pendingOrder, keys);
} catch (AcmeException ex) {
// order finalization failed
LOG.log(Level.SEVERE, "Certificate order finalization for domain {0} FAILED.", domain);
cert.setState(REQUEST_FAILED);
break;
}
}
cert.setState(ORDERING);
break;
}
case ORDERING:
{
// certificate ordering
LOG.log(Level.INFO, "ORDERING certificate for domain {0}.", domain);
Order order = acmeClient.getLogin().bindOrder(new URL(cert.getPendingOrderLocation()));
Status status = acmeClient.checkResponseForOrder(order);
if (status == Status.VALID) {
List<X509Certificate> certificateChain = acmeClient.fetchCertificateForOrder(order).getCertificateChain();
PrivateKey key = loadOrCreateKeyPairForDomain(domain).getPrivate();
String chain = base64EncodeCertificateChain(certificateChain.toArray(new Certificate[0]), key);
cert.setChain(chain);
cert.setState(AVAILABLE);
LOG.log(Level.INFO, "Certificate issuing for domain: {0} SUCCEED. Certificate AVAILABLE.", domain);
} else if (status == Status.INVALID) {
cert.setState(REQUEST_FAILED);
}
break;
}
case REQUEST_FAILED:
{
// challenge/order failed
LOG.log(Level.INFO, "Certificate issuing for domain: {0} current status is FAILED, setting status=WAITING again.", domain);
cert.setState(WAITING);
break;
}
case AVAILABLE:
{
// certificate saved/available/not expired
if (isCertificateExpired(cert.getExpiringDate(), cert.getDaysBeforeRenewal())) {
cert.setState(EXPIRED);
} else {
updateCertificate = false;
}
break;
}
case EXPIRED:
{
// certificate expired
LOG.log(Level.INFO, "Certificate for domain: {0} EXPIRED.", domain);
cert.setState(WAITING);
break;
}
default:
throw new IllegalStateException();
}
if (updateCertificate) {
LOG.log(Level.INFO, "Save certificate request status for domain {0}", domain);
store.saveCertificate(cert);
flushCache = true;
}
} catch (AcmeException | IOException | GeneralSecurityException | IllegalStateException ex) {
LOG.log(Level.SEVERE, "Error while handling dynamic certificate for domain " + domain, ex);
}
}
if (flushCache) {
groupMembershipHandler.fireEvent(EVENT_CERTIFICATES_STATE_CHANGED);
// remember that events are not delivered to the local JVM
reloadCertificatesFromDB();
}
}
use of org.carapaceproxy.configstore.CertificateData in project carapaceproxy by diennea.
the class HttpProxyServer method updateDynamicCertificateForDomain.
public void updateDynamicCertificateForDomain(CertificateData cert) throws Exception {
// Certificate saving on db
dynamicConfigurationStore.saveCertificate(cert);
// Configuration updating
Properties props = dynamicConfigurationStore.asProperties(null);
boolean newCertificate = !dynamicConfigurationStore.anyPropertyMatches((k, v) -> {
if (k.matches("certificate\\.[0-9]+\\.hostname") && v.equals(cert.getDomain())) {
// updating existing certificate
performUpdate(props, k, cert);
return true;
}
return false;
});
if (newCertificate) {
performCreate(props, cert);
}
// Configuration reloading
applyDynamicConfigurationFromAPI(new PropertiesConfigurationStore(props));
}
Aggregations