Search in sources :

Example 1 with REQUEST_FAILED

use of org.carapaceproxy.server.certificates.DynamicCertificateState.REQUEST_FAILED in project carapaceproxy by diennea.

the class DynamicCertificatesManager method certificatesLifecycle.

private void certificatesLifecycle() {
    boolean flushCache = false;
    List<CertificateData> _certificates = certificates.entrySet().stream().filter(e -> !e.getValue().isManual()).sorted((e1, e2) -> e1.getKey().compareTo(e2.getKey())).map(e -> e.getValue()).collect(Collectors.toList());
    for (CertificateData cert : _certificates) {
        boolean updateCertificate = true;
        final String domain = cert.getDomain();
        try {
            switch(cert.getState()) {
                // certificate waiting to be issues/renew
                case WAITING:
                case DOMAIN_UNREACHABLE:
                    {
                        // certificate domain reported as unreachable for issuing/renewing
                        LOG.log(Level.INFO, "WAITING for certificate issuing process start for domain: {0}.", domain);
                        if (cert.isWildcard() || checkDomain(domain)) {
                            Order order = createOrderForCertificate(cert);
                            createChallengeForCertificateOrder(cert, order);
                        } else {
                            cert.setState(DOMAIN_UNREACHABLE);
                        }
                        break;
                    }
                case DNS_CHALLENGE_WAIT:
                    {
                        // waiting for full dns propagation
                        LOG.log(Level.INFO, "DNS CHALLENGE WAITING for domain {0}.", domain);
                        Dns01Challenge pendingChallenge = (Dns01Challenge) getChallengeFromCertificate(cert);
                        checkDnsChallengeReachabilityForCertificate(pendingChallenge, cert);
                        break;
                    }
                case VERIFYING:
                    {
                        // challenge verification by LE pending
                        LOG.log(Level.INFO, "VERIFYING certificate for domain {0}.", domain);
                        Challenge pendingChallenge = getChallengeFromCertificate(cert);
                        checkChallengeResponseForCertificate(pendingChallenge, cert);
                        break;
                    }
                case VERIFIED:
                    {
                        // challenge succeded
                        LOG.log(Level.INFO, "Certificate for domain {0} VERIFIED.", domain);
                        Order pendingOrder = acmeClient.getLogin().bindOrder(new URL(cert.getPendingOrderLocation()));
                        if (pendingOrder.getStatus() != Status.VALID) {
                            // whether the order is already valid we have to skip finalization
                            try {
                                KeyPair keys = loadOrCreateKeyPairForDomain(domain);
                                acmeClient.orderCertificate(pendingOrder, keys);
                            } catch (AcmeException ex) {
                                // order finalization failed
                                LOG.log(Level.SEVERE, "Certificate order finalization for domain {0} FAILED.", domain);
                                cert.setState(REQUEST_FAILED);
                                break;
                            }
                        }
                        cert.setState(ORDERING);
                        break;
                    }
                case ORDERING:
                    {
                        // certificate ordering
                        LOG.log(Level.INFO, "ORDERING certificate for domain {0}.", domain);
                        Order order = acmeClient.getLogin().bindOrder(new URL(cert.getPendingOrderLocation()));
                        Status status = acmeClient.checkResponseForOrder(order);
                        if (status == Status.VALID) {
                            List<X509Certificate> certificateChain = acmeClient.fetchCertificateForOrder(order).getCertificateChain();
                            PrivateKey key = loadOrCreateKeyPairForDomain(domain).getPrivate();
                            String chain = base64EncodeCertificateChain(certificateChain.toArray(new Certificate[0]), key);
                            cert.setChain(chain);
                            cert.setState(AVAILABLE);
                            LOG.log(Level.INFO, "Certificate issuing for domain: {0} SUCCEED. Certificate AVAILABLE.", domain);
                        } else if (status == Status.INVALID) {
                            cert.setState(REQUEST_FAILED);
                        }
                        break;
                    }
                case REQUEST_FAILED:
                    {
                        // challenge/order failed
                        LOG.log(Level.INFO, "Certificate issuing for domain: {0} current status is FAILED, setting status=WAITING again.", domain);
                        cert.setState(WAITING);
                        break;
                    }
                case AVAILABLE:
                    {
                        // certificate saved/available/not expired
                        if (isCertificateExpired(cert.getExpiringDate(), cert.getDaysBeforeRenewal())) {
                            cert.setState(EXPIRED);
                        } else {
                            updateCertificate = false;
                        }
                        break;
                    }
                case EXPIRED:
                    {
                        // certificate expired
                        LOG.log(Level.INFO, "Certificate for domain: {0} EXPIRED.", domain);
                        cert.setState(WAITING);
                        break;
                    }
                default:
                    throw new IllegalStateException();
            }
            if (updateCertificate) {
                LOG.log(Level.INFO, "Save certificate request status for domain {0}", domain);
                store.saveCertificate(cert);
                flushCache = true;
            }
        } catch (AcmeException | IOException | GeneralSecurityException | IllegalStateException ex) {
            LOG.log(Level.SEVERE, "Error while handling dynamic certificate for domain " + domain, ex);
        }
    }
    if (flushCache) {
        groupMembershipHandler.fireEvent(EVENT_CERTIFICATES_STATE_CHANGED);
        // remember that events  are not delivered to the local JVM
        reloadCertificatesFromDB();
    }
}
Also used : X509Certificate(java.security.cert.X509Certificate) KeyPair(java.security.KeyPair) DOMAIN_UNREACHABLE(org.carapaceproxy.server.certificates.DynamicCertificateState.DOMAIN_UNREACHABLE) ScheduledFuture(java.util.concurrent.ScheduledFuture) CertificatesUtils.readChainFromKeystore(org.carapaceproxy.utils.CertificatesUtils.readChainFromKeystore) Http01Challenge(org.shredzone.acme4j.challenge.Http01Challenge) URL(java.net.URL) VERIFIED(org.carapaceproxy.server.certificates.DynamicCertificateState.VERIFIED) ConfigurationStore(org.carapaceproxy.configstore.ConfigurationStore) ConfigurationNotValidException(org.carapaceproxy.server.config.ConfigurationNotValidException) Order(org.shredzone.acme4j.Order) InetAddress(java.net.InetAddress) GeneralSecurityException(java.security.GeneralSecurityException) Challenge(org.shredzone.acme4j.challenge.Challenge) Map(java.util.Map) RuntimeServerConfiguration(org.carapaceproxy.core.RuntimeServerConfiguration) MANUAL(org.carapaceproxy.server.config.SSLCertificateConfiguration.CertificateMode.MANUAL) VERIFYING(org.carapaceproxy.server.certificates.DynamicCertificateState.VERIFYING) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Set(java.util.Set) Logger(java.util.logging.Logger) Collectors(java.util.stream.Collectors) Executors(java.util.concurrent.Executors) List(java.util.List) Base64(java.util.Base64) Certificate(java.security.cert.Certificate) PrivateKey(java.security.PrivateKey) HttpProxyServer(org.carapaceproxy.core.HttpProxyServer) Entry(java.util.Map.Entry) KeyPairUtils(org.shredzone.acme4j.util.KeyPairUtils) ThreadFactoryBuilder(org.glassfish.jersey.internal.guava.ThreadFactoryBuilder) EXPIRED(org.carapaceproxy.server.certificates.DynamicCertificateState.EXPIRED) Level(java.util.logging.Level) CertificatesUtils.isCertificateExpired(org.carapaceproxy.utils.CertificatesUtils.isCertificateExpired) Status(org.shredzone.acme4j.Status) JSON(org.shredzone.acme4j.toolbox.JSON) CertificateData(org.carapaceproxy.configstore.CertificateData) ScheduledExecutorService(java.util.concurrent.ScheduledExecutorService) REQUEST_FAILED(org.carapaceproxy.server.certificates.DynamicCertificateState.REQUEST_FAILED) SSLCertificateConfiguration(org.carapaceproxy.server.config.SSLCertificateConfiguration) DNS_CHALLENGE_WAIT(org.carapaceproxy.server.certificates.DynamicCertificateState.DNS_CHALLENGE_WAIT) MalformedURLException(java.net.MalformedURLException) IOException(java.io.IOException) ORDERING(org.carapaceproxy.server.certificates.DynamicCertificateState.ORDERING) WAITING(org.carapaceproxy.server.certificates.DynamicCertificateState.WAITING) TimeUnit(java.util.concurrent.TimeUnit) ConfigurationStoreUtils.base64EncodeCertificateChain(org.carapaceproxy.configstore.ConfigurationStoreUtils.base64EncodeCertificateChain) GroupMembershipHandler(org.carapaceproxy.cluster.GroupMembershipHandler) Dns01Challenge(org.shredzone.acme4j.challenge.Dns01Challenge) AVAILABLE(org.carapaceproxy.server.certificates.DynamicCertificateState.AVAILABLE) AcmeException(org.shredzone.acme4j.exception.AcmeException) VisibleForTesting(com.google.common.annotations.VisibleForTesting) Order(org.shredzone.acme4j.Order) Status(org.shredzone.acme4j.Status) KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) AcmeException(org.shredzone.acme4j.exception.AcmeException) GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) URL(java.net.URL) Http01Challenge(org.shredzone.acme4j.challenge.Http01Challenge) Challenge(org.shredzone.acme4j.challenge.Challenge) Dns01Challenge(org.shredzone.acme4j.challenge.Dns01Challenge) CertificateData(org.carapaceproxy.configstore.CertificateData) Dns01Challenge(org.shredzone.acme4j.challenge.Dns01Challenge) List(java.util.List)

Aggregations

VisibleForTesting (com.google.common.annotations.VisibleForTesting)1 IOException (java.io.IOException)1 InetAddress (java.net.InetAddress)1 MalformedURLException (java.net.MalformedURLException)1 URL (java.net.URL)1 GeneralSecurityException (java.security.GeneralSecurityException)1 KeyPair (java.security.KeyPair)1 PrivateKey (java.security.PrivateKey)1 Certificate (java.security.cert.Certificate)1 X509Certificate (java.security.cert.X509Certificate)1 Base64 (java.util.Base64)1 List (java.util.List)1 Map (java.util.Map)1 Entry (java.util.Map.Entry)1 Set (java.util.Set)1 ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)1 Executors (java.util.concurrent.Executors)1 ScheduledExecutorService (java.util.concurrent.ScheduledExecutorService)1 ScheduledFuture (java.util.concurrent.ScheduledFuture)1 TimeUnit (java.util.concurrent.TimeUnit)1