Example 1 with REQUEST_FAILED
use of org.carapaceproxy.server.certificates.DynamicCertificateState.REQUEST_FAILED in project carapaceproxy by diennea.
the class DynamicCertificatesManager method certificatesLifecycle.
private void certificatesLifecycle() {
boolean flushCache = false;
List<CertificateData> _certificates = certificates.entrySet().stream().filter(e -> !e.getValue().isManual()).sorted((e1, e2) -> e1.getKey().compareTo(e2.getKey())).map(e -> e.getValue()).collect(Collectors.toList());
for (CertificateData cert : _certificates) {
boolean updateCertificate = true;
final String domain = cert.getDomain();
try {
switch(cert.getState()) {
// certificate waiting to be issues/renew
case WAITING:
case DOMAIN_UNREACHABLE:
{
// certificate domain reported as unreachable for issuing/renewing
LOG.log(Level.INFO, "WAITING for certificate issuing process start for domain: {0}.", domain);
if (cert.isWildcard() || checkDomain(domain)) {
Order order = createOrderForCertificate(cert);
createChallengeForCertificateOrder(cert, order);
} else {
cert.setState(DOMAIN_UNREACHABLE);
}
break;
}
case DNS_CHALLENGE_WAIT:
{
// waiting for full dns propagation
LOG.log(Level.INFO, "DNS CHALLENGE WAITING for domain {0}.", domain);
Dns01Challenge pendingChallenge = (Dns01Challenge) getChallengeFromCertificate(cert);
checkDnsChallengeReachabilityForCertificate(pendingChallenge, cert);
break;
}
case VERIFYING:
{
// challenge verification by LE pending
LOG.log(Level.INFO, "VERIFYING certificate for domain {0}.", domain);
Challenge pendingChallenge = getChallengeFromCertificate(cert);
checkChallengeResponseForCertificate(pendingChallenge, cert);
break;
}
case VERIFIED:
{
// challenge succeded
LOG.log(Level.INFO, "Certificate for domain {0} VERIFIED.", domain);
Order pendingOrder = acmeClient.getLogin().bindOrder(new URL(cert.getPendingOrderLocation()));
if (pendingOrder.getStatus() != Status.VALID) {
// whether the order is already valid we have to skip finalization
try {
KeyPair keys = loadOrCreateKeyPairForDomain(domain);
acmeClient.orderCertificate(pendingOrder, keys);
} catch (AcmeException ex) {
// order finalization failed
LOG.log(Level.SEVERE, "Certificate order finalization for domain {0} FAILED.", domain);
cert.setState(REQUEST_FAILED);
break;
}
}
cert.setState(ORDERING);
break;
}
case ORDERING:
{
// certificate ordering
LOG.log(Level.INFO, "ORDERING certificate for domain {0}.", domain);
Order order = acmeClient.getLogin().bindOrder(new URL(cert.getPendingOrderLocation()));
Status status = acmeClient.checkResponseForOrder(order);
if (status == Status.VALID) {
List<X509Certificate> certificateChain = acmeClient.fetchCertificateForOrder(order).getCertificateChain();
PrivateKey key = loadOrCreateKeyPairForDomain(domain).getPrivate();
String chain = base64EncodeCertificateChain(certificateChain.toArray(new Certificate[0]), key);
cert.setChain(chain);
cert.setState(AVAILABLE);
LOG.log(Level.INFO, "Certificate issuing for domain: {0} SUCCEED. Certificate AVAILABLE.", domain);
} else if (status == Status.INVALID) {
cert.setState(REQUEST_FAILED);
}
break;
}
case REQUEST_FAILED:
{
// challenge/order failed
LOG.log(Level.INFO, "Certificate issuing for domain: {0} current status is FAILED, setting status=WAITING again.", domain);
cert.setState(WAITING);
break;
}
case AVAILABLE:
{
// certificate saved/available/not expired
if (isCertificateExpired(cert.getExpiringDate(), cert.getDaysBeforeRenewal())) {
cert.setState(EXPIRED);
} else {
updateCertificate = false;
}
break;
}
case EXPIRED:
{
// certificate expired
LOG.log(Level.INFO, "Certificate for domain: {0} EXPIRED.", domain);
cert.setState(WAITING);
break;
}
default:
throw new IllegalStateException();
}
if (updateCertificate) {
LOG.log(Level.INFO, "Save certificate request status for domain {0}", domain);
store.saveCertificate(cert);
flushCache = true;
}
} catch (AcmeException | IOException | GeneralSecurityException | IllegalStateException ex) {
LOG.log(Level.SEVERE, "Error while handling dynamic certificate for domain " + domain, ex);
}
}
if (flushCache) {
groupMembershipHandler.fireEvent(EVENT_CERTIFICATES_STATE_CHANGED);
// remember that events are not delivered to the local JVM
reloadCertificatesFromDB();
}
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
KeyPair(java.security.KeyPair)
DOMAIN_UNREACHABLE(org.carapaceproxy.server.certificates.DynamicCertificateState.DOMAIN_UNREACHABLE)
ScheduledFuture(java.util.concurrent.ScheduledFuture)
CertificatesUtils.readChainFromKeystore(org.carapaceproxy.utils.CertificatesUtils.readChainFromKeystore)
Http01Challenge(org.shredzone.acme4j.challenge.Http01Challenge)
URL(java.net.URL)
VERIFIED(org.carapaceproxy.server.certificates.DynamicCertificateState.VERIFIED)
ConfigurationStore(org.carapaceproxy.configstore.ConfigurationStore)
ConfigurationNotValidException(org.carapaceproxy.server.config.ConfigurationNotValidException)
Order(org.shredzone.acme4j.Order)
InetAddress(java.net.InetAddress)
GeneralSecurityException(java.security.GeneralSecurityException)
Challenge(org.shredzone.acme4j.challenge.Challenge)
Map(java.util.Map)
RuntimeServerConfiguration(org.carapaceproxy.core.RuntimeServerConfiguration)
MANUAL(org.carapaceproxy.server.config.SSLCertificateConfiguration.CertificateMode.MANUAL)
VERIFYING(org.carapaceproxy.server.certificates.DynamicCertificateState.VERIFYING)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
Set(java.util.Set)
Logger(java.util.logging.Logger)
Collectors(java.util.stream.Collectors)
Executors(java.util.concurrent.Executors)
List(java.util.List)
Base64(java.util.Base64)
Certificate(java.security.cert.Certificate)
PrivateKey(java.security.PrivateKey)
HttpProxyServer(org.carapaceproxy.core.HttpProxyServer)
Entry(java.util.Map.Entry)
KeyPairUtils(org.shredzone.acme4j.util.KeyPairUtils)
ThreadFactoryBuilder(org.glassfish.jersey.internal.guava.ThreadFactoryBuilder)
EXPIRED(org.carapaceproxy.server.certificates.DynamicCertificateState.EXPIRED)
Level(java.util.logging.Level)
CertificatesUtils.isCertificateExpired(org.carapaceproxy.utils.CertificatesUtils.isCertificateExpired)
Status(org.shredzone.acme4j.Status)
JSON(org.shredzone.acme4j.toolbox.JSON)
CertificateData(org.carapaceproxy.configstore.CertificateData)
ScheduledExecutorService(java.util.concurrent.ScheduledExecutorService)
REQUEST_FAILED(org.carapaceproxy.server.certificates.DynamicCertificateState.REQUEST_FAILED)
SSLCertificateConfiguration(org.carapaceproxy.server.config.SSLCertificateConfiguration)
DNS_CHALLENGE_WAIT(org.carapaceproxy.server.certificates.DynamicCertificateState.DNS_CHALLENGE_WAIT)
MalformedURLException(java.net.MalformedURLException)
IOException(java.io.IOException)
ORDERING(org.carapaceproxy.server.certificates.DynamicCertificateState.ORDERING)
WAITING(org.carapaceproxy.server.certificates.DynamicCertificateState.WAITING)
TimeUnit(java.util.concurrent.TimeUnit)
ConfigurationStoreUtils.base64EncodeCertificateChain(org.carapaceproxy.configstore.ConfigurationStoreUtils.base64EncodeCertificateChain)
GroupMembershipHandler(org.carapaceproxy.cluster.GroupMembershipHandler)
Dns01Challenge(org.shredzone.acme4j.challenge.Dns01Challenge)
AVAILABLE(org.carapaceproxy.server.certificates.DynamicCertificateState.AVAILABLE)
AcmeException(org.shredzone.acme4j.exception.AcmeException)
VisibleForTesting(com.google.common.annotations.VisibleForTesting)
Order(org.shredzone.acme4j.Order)
Status(org.shredzone.acme4j.Status)
KeyPair(java.security.KeyPair)
PrivateKey(java.security.PrivateKey)
AcmeException(org.shredzone.acme4j.exception.AcmeException)
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
URL(java.net.URL)
Http01Challenge(org.shredzone.acme4j.challenge.Http01Challenge)
Challenge(org.shredzone.acme4j.challenge.Challenge)
Dns01Challenge(org.shredzone.acme4j.challenge.Dns01Challenge)
CertificateData(org.carapaceproxy.configstore.CertificateData)
Dns01Challenge(org.shredzone.acme4j.challenge.Dns01Challenge)
List(java.util.List)
Aggregations
VisibleForTesting (com.google.common.annotations.VisibleForTesting)1
IOException (java.io.IOException)1
InetAddress (java.net.InetAddress)1
MalformedURLException (java.net.MalformedURLException)1
URL (java.net.URL)1
GeneralSecurityException (java.security.GeneralSecurityException)1
KeyPair (java.security.KeyPair)1
PrivateKey (java.security.PrivateKey)1
Certificate (java.security.cert.Certificate)1
X509Certificate (java.security.cert.X509Certificate)1
Base64 (java.util.Base64)1
List (java.util.List)1
Map (java.util.Map)1
Entry (java.util.Map.Entry)1
Set (java.util.Set)1
ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)1
Executors (java.util.concurrent.Executors)1
ScheduledExecutorService (java.util.concurrent.ScheduledExecutorService)1
ScheduledFuture (java.util.concurrent.ScheduledFuture)1
TimeUnit (java.util.concurrent.TimeUnit)1
