use of org.carapaceproxy.server.certificates.DynamicCertificateState.REQUEST_FAILED in project carapaceproxy by diennea.
The class DynamicCertificatesManager, method certificatesLifecycle.
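/**
 * Advances every non-manual certificate one step through its issuing/renewal
 * state machine and persists each state change.
 *
 * <p>Certificates are processed in map-key order. Each invocation performs at
 * most one transition per certificate, so a certificate progresses across
 * several scheduled runs of this method.
 *
 * <p>A failure on one certificate ({@link AcmeException}, {@link IOException},
 * {@link GeneralSecurityException} or {@link IllegalStateException}) is logged
 * and does not stop processing of the remaining certificates. When at least one
 * certificate was saved, a state-changed event is fired for the other members
 * and the local cache is reloaded from the store.
 */
private void certificatesLifecycle() {
    boolean flushCache = false;
    // Manually provisioned certificates are never driven by the ACME lifecycle.
    List<CertificateData> managedCertificates = certificates.entrySet().stream()
            .filter(e -> !e.getValue().isManual())
            .sorted((e1, e2) -> e1.getKey().compareTo(e2.getKey()))
            .map(e -> e.getValue())
            .collect(Collectors.toList());
    for (CertificateData cert : managedCertificates) {
        boolean updateCertificate = true;
        final String domain = cert.getDomain();
        try {
            switch (cert.getState()) {
                case WAITING:
                case DOMAIN_UNREACHABLE: {
                    // Start (or retry) the issuing/renewal flow. Wildcard certificates skip
                    // the checkDomain() reachability pre-check entirely.
                    LOG.log(Level.INFO, "WAITING for certificate issuing process start for domain: {0}.", domain);
                    if (cert.isWildcard() || checkDomain(domain)) {
                        Order order = createOrderForCertificate(cert);
                        createChallengeForCertificateOrder(cert, order);
                    } else {
                        // Domain not reachable: stay in this state and retry on the next run.
                        cert.setState(DOMAIN_UNREACHABLE);
                    }
                    break;
                }
                case DNS_CHALLENGE_WAIT: {
                    // Waiting for the DNS record to be fully propagated before answering.
                    LOG.log(Level.INFO, "DNS CHALLENGE WAITING for domain {0}.", domain);
                    // NOTE(review): a challenge that is not a Dns01Challenge would surface here
                    // as a ClassCastException, which the catch clause below does not handle.
                    Dns01Challenge pendingChallenge = (Dns01Challenge) getChallengeFromCertificate(cert);
                    checkDnsChallengeReachabilityForCertificate(pendingChallenge, cert);
                    break;
                }
                case VERIFYING: {
                    // Challenge submitted; verification by the CA is still pending.
                    LOG.log(Level.INFO, "VERIFYING certificate for domain {0}.", domain);
                    Challenge pendingChallenge = getChallengeFromCertificate(cert);
                    checkChallengeResponseForCertificate(pendingChallenge, cert);
                    break;
                }
                case VERIFIED: {
                    // Challenge succeeded: finalize the order with the domain's key pair.
                    LOG.log(Level.INFO, "Certificate for domain {0} VERIFIED.", domain);
                    Order pendingOrder = acmeClient.getLogin().bindOrder(new URL(cert.getPendingOrderLocation()));
                    // An order that is already VALID must not be finalized again.
                    if (pendingOrder.getStatus() != Status.VALID) {
                        try {
                            KeyPair keys = loadOrCreateKeyPairForDomain(domain);
                            acmeClient.orderCertificate(pendingOrder, keys);
                        } catch (AcmeException ex) {
                            // Finalization failed: record the failure (retried from WAITING on a
                            // later run) and keep the cause in the log instead of dropping it.
                            LOG.log(Level.SEVERE, "Certificate order finalization for domain " + domain + " FAILED.", ex);
                            cert.setState(REQUEST_FAILED);
                            break;
                        }
                    }
                    cert.setState(ORDERING);
                    break;
                }
                case ORDERING: {
                    // Poll the order; on VALID download the chain and store it with the key.
                    LOG.log(Level.INFO, "ORDERING certificate for domain {0}.", domain);
                    Order order = acmeClient.getLogin().bindOrder(new URL(cert.getPendingOrderLocation()));
                    Status status = acmeClient.checkResponseForOrder(order);
                    if (status == Status.VALID) {
                        List<X509Certificate> certificateChain = acmeClient.fetchCertificateForOrder(order).getCertificateChain();
                        PrivateKey key = loadOrCreateKeyPairForDomain(domain).getPrivate();
                        String chain = base64EncodeCertificateChain(certificateChain.toArray(new Certificate[0]), key);
                        cert.setChain(chain);
                        cert.setState(AVAILABLE);
                        LOG.log(Level.INFO, "Certificate issuing for domain: {0} SUCCEED. Certificate AVAILABLE.", domain);
                    } else if (status == Status.INVALID) {
                        cert.setState(REQUEST_FAILED);
                    }
                    // Any other status: keep ORDERING and poll again on the next run.
                    break;
                }
                case REQUEST_FAILED: {
                    // Challenge or order failed: restart the whole flow from WAITING.
                    LOG.log(Level.INFO, "Certificate issuing for domain: {0} current status is FAILED, setting status=WAITING again.", domain);
                    cert.setState(WAITING);
                    break;
                }
                case AVAILABLE: {
                    // Certificate in use: only transition when the renewal window is reached;
                    // otherwise nothing changed and there is nothing to persist.
                    if (isCertificateExpired(cert.getExpiringDate(), cert.getDaysBeforeRenewal())) {
                        cert.setState(EXPIRED);
                    } else {
                        updateCertificate = false;
                    }
                    break;
                }
                case EXPIRED: {
                    // Renewal due: go back to WAITING to issue a new certificate.
                    LOG.log(Level.INFO, "Certificate for domain: {0} EXPIRED.", domain);
                    cert.setState(WAITING);
                    break;
                }
                default:
                    // Handled by the catch clause below like any other per-certificate failure.
                    throw new IllegalStateException("Unexpected certificate state " + cert.getState() + " for domain " + domain);
            }
            if (updateCertificate) {
                LOG.log(Level.INFO, "Save certificate request status for domain {0}", domain);
                store.saveCertificate(cert);
                flushCache = true;
            }
        } catch (AcmeException | IOException | GeneralSecurityException | IllegalStateException ex) {
            // One broken certificate must not block the lifecycle of the others.
            LOG.log(Level.SEVERE, "Error while handling dynamic certificate for domain " + domain, ex);
        }
    }
    if (flushCache) {
        groupMembershipHandler.fireEvent(EVENT_CERTIFICATES_STATE_CHANGED);
        // Events are not delivered to the local JVM, so refresh the local view explicitly.
        reloadCertificatesFromDB();
    }
}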