2023-01-29 15:27:11 +08:00
|
|
|
|
/**
|
|
|
|
|
|
* ACME challenge verification
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
2024-11-12 12:15:06 +08:00
|
|
|
|
import dnsSdk from "dns"
|
|
|
|
|
|
import https from 'https'
|
|
|
|
|
|
import {log} from './logger.js'
|
|
|
|
|
|
import axios from './axios.js'
|
|
|
|
|
|
import * as util from './util.js'
|
|
|
|
|
|
import {isAlpnCertificateAuthorizationValid} from './crypto/index.js'
|
2023-01-29 15:27:11 +08:00
|
|
|
|
|
2024-11-12 12:15:06 +08:00
|
|
|
|
|
|
|
|
|
|
const dns = dnsSdk.promises
|
2023-01-29 15:27:11 +08:00
|
|
|
|
/**
|
|
|
|
|
|
* Verify ACME HTTP challenge
|
|
|
|
|
|
*
|
2024-02-03 19:24:11 +00:00
|
|
|
|
* https://datatracker.ietf.org/doc/html/rfc8555#section-8.3
|
2023-01-29 15:27:11 +08:00
|
|
|
|
*
|
|
|
|
|
|
* @param {object} authz Identifier authorization
|
|
|
|
|
|
* @param {object} challenge Authorization challenge
|
|
|
|
|
|
* @param {string} keyAuthorization Challenge key authorization
|
|
|
|
|
|
* @param {string} [suffix] URL suffix
|
|
|
|
|
|
* @returns {Promise<boolean>}
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
async function verifyHttpChallenge(authz, challenge, keyAuthorization, suffix = `/.well-known/acme-challenge/${challenge.token}`) {
|
|
|
|
|
|
const httpPort = axios.defaults.acmeSettings.httpChallengePort || 80;
|
|
|
|
|
|
const challengeUrl = `http://${authz.identifier.value}:${httpPort}${suffix}`;
|
|
|
|
|
|
|
2024-01-22 19:24:37 +00:00
|
|
|
|
/* May redirect to HTTPS with invalid/self-signed cert - https://letsencrypt.org/docs/challenge-types/#http-01-challenge */
|
|
|
|
|
|
const httpsAgent = new https.Agent({ rejectUnauthorized: false });
|
|
|
|
|
|
|
2023-01-29 15:27:11 +08:00
|
|
|
|
log(`Sending HTTP query to ${authz.identifier.value}, suffix: ${suffix}, port: ${httpPort}`);
|
2024-01-22 19:24:37 +00:00
|
|
|
|
const resp = await axios.get(challengeUrl, { httpsAgent });
|
2023-01-29 15:27:11 +08:00
|
|
|
|
const data = (resp.data || '').replace(/\s+$/, '');
|
|
|
|
|
|
|
|
|
|
|
|
log(`Query successful, HTTP status code: ${resp.status}`);
|
|
|
|
|
|
|
|
|
|
|
|
if (!data || (data !== keyAuthorization)) {
|
|
|
|
|
|
throw new Error(`Authorization not found in HTTP response from ${authz.identifier.value}`);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
log(`Key authorization match for ${challenge.type}/${authz.identifier.value}, ACME challenge verified`);
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* Walk DNS until TXT records are found
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
async function walkDnsChallengeRecord(recordName, resolver = dns) {
|
|
|
|
|
|
/* Resolve CNAME record first */
|
2024-07-03 23:36:06 +08:00
|
|
|
|
// try {
|
|
|
|
|
|
// log(`Checking name for CNAME records: ${recordName}`);
|
|
|
|
|
|
// const cnameRecords = await resolver.resolveCname(recordName);
|
|
|
|
|
|
//
|
|
|
|
|
|
// if (cnameRecords.length) {
|
|
|
|
|
|
// log(`CNAME record found at ${recordName}, new challenge record name: ${cnameRecords[0]}`);
|
|
|
|
|
|
// return walkDnsChallengeRecord(cnameRecords[0]);
|
|
|
|
|
|
// }
|
|
|
|
|
|
// }
|
|
|
|
|
|
// catch (e) {
|
|
|
|
|
|
// log(`No CNAME records found for name: ${recordName}`);
|
|
|
|
|
|
// }
|
2023-01-29 15:27:11 +08:00
|
|
|
|
|
|
|
|
|
|
/* Resolve TXT records */
|
|
|
|
|
|
try {
|
|
|
|
|
|
log(`Checking name for TXT records: ${recordName}`);
|
|
|
|
|
|
const txtRecords = await resolver.resolveTxt(recordName);
|
|
|
|
|
|
|
2024-10-10 02:15:05 +08:00
|
|
|
|
if (txtRecords && txtRecords.length) {
|
2023-01-29 15:27:11 +08:00
|
|
|
|
log(`Found ${txtRecords.length} TXT records at ${recordName}`);
|
2024-10-07 03:21:16 +08:00
|
|
|
|
log(`TXT records: ${JSON.stringify(txtRecords)}`);
|
2023-01-29 15:27:11 +08:00
|
|
|
|
return [].concat(...txtRecords);
|
|
|
|
|
|
}
|
2024-10-10 02:15:05 +08:00
|
|
|
|
return [];
|
2023-01-29 15:27:11 +08:00
|
|
|
|
}
|
|
|
|
|
|
catch (e) {
|
2024-10-10 02:15:05 +08:00
|
|
|
|
log(`Resolve TXT records error, ${recordName} :${e.message}`);
|
|
|
|
|
|
throw e;
|
2023-01-29 15:27:11 +08:00
|
|
|
|
}
|
2024-10-10 02:15:05 +08:00
|
|
|
|
}
|
2023-01-29 15:27:11 +08:00
|
|
|
|
|
2024-11-12 12:15:06 +08:00
|
|
|
|
export async function walkTxtRecord(recordName) {
|
2024-10-10 02:15:05 +08:00
|
|
|
|
try {
|
|
|
|
|
|
/* Default DNS resolver first */
|
|
|
|
|
|
log('Attempting to resolve TXT with default DNS resolver first');
|
|
|
|
|
|
const res = await walkDnsChallengeRecord(recordName);
|
|
|
|
|
|
if (res && res.length > 0) {
|
|
|
|
|
|
return res;
|
|
|
|
|
|
}
|
|
|
|
|
|
throw new Error('No TXT records found');
|
|
|
|
|
|
}
|
|
|
|
|
|
catch (e) {
|
|
|
|
|
|
/* Authoritative DNS resolver */
|
|
|
|
|
|
log(`Error using default resolver, attempting to resolve TXT with authoritative NS: ${e.message}`);
|
|
|
|
|
|
const authoritativeResolver = await util.getAuthoritativeDnsResolver(recordName);
|
|
|
|
|
|
return await walkDnsChallengeRecord(recordName, authoritativeResolver);
|
|
|
|
|
|
}
|
2023-01-29 15:27:11 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* Verify ACME DNS challenge
|
|
|
|
|
|
*
|
2024-02-03 19:24:11 +00:00
|
|
|
|
* https://datatracker.ietf.org/doc/html/rfc8555#section-8.4
|
2023-01-29 15:27:11 +08:00
|
|
|
|
*
|
|
|
|
|
|
* @param {object} authz Identifier authorization
|
|
|
|
|
|
* @param {object} challenge Authorization challenge
|
|
|
|
|
|
* @param {string} keyAuthorization Challenge key authorization
|
|
|
|
|
|
* @param {string} [prefix] DNS prefix
|
|
|
|
|
|
* @returns {Promise<boolean>}
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
async function verifyDnsChallenge(authz, challenge, keyAuthorization, prefix = '_acme-challenge.') {
|
|
|
|
|
|
const recordName = `${prefix}${authz.identifier.value}`;
|
2025-03-24 00:05:19 +08:00
|
|
|
|
log(`Resolving DNS TXT from record(解析DNS TXT记录): ${recordName}`);
|
2024-10-10 02:15:05 +08:00
|
|
|
|
const recordValues = await walkTxtRecord(recordName);
|
2025-03-24 00:05:19 +08:00
|
|
|
|
log(`DNS query finished successfully(DNS查询成功), found ${recordValues.length} TXT records`);
|
2023-01-29 15:27:11 +08:00
|
|
|
|
if (!recordValues.length || !recordValues.includes(keyAuthorization)) {
|
2025-03-24 00:05:19 +08:00
|
|
|
|
throw new Error(`Authorization not found in DNS TXT record(没有找到需要的DNS TXT记录): ${recordName},need:${keyAuthorization},found:${recordValues}`);
|
2023-01-29 15:27:11 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-03-24 00:05:19 +08:00
|
|
|
|
log(`Key authorization match for ${challenge.type}/${recordName}, ACME challenge verified(域名所有权校验成功)`);
|
2023-01-29 15:27:11 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-01-30 19:24:20 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* Verify ACME TLS ALPN challenge
|
|
|
|
|
|
*
|
2024-02-03 19:24:11 +00:00
|
|
|
|
* https://datatracker.ietf.org/doc/html/rfc8737
|
2024-01-30 19:24:20 +00:00
|
|
|
|
*
|
|
|
|
|
|
* @param {object} authz Identifier authorization
|
|
|
|
|
|
* @param {object} challenge Authorization challenge
|
|
|
|
|
|
* @param {string} keyAuthorization Challenge key authorization
|
|
|
|
|
|
* @returns {Promise<boolean>}
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
async function verifyTlsAlpnChallenge(authz, challenge, keyAuthorization) {
|
|
|
|
|
|
const tlsAlpnPort = axios.defaults.acmeSettings.tlsAlpnChallengePort || 443;
|
|
|
|
|
|
const host = authz.identifier.value;
|
|
|
|
|
|
log(`Establishing TLS connection with host: ${host}:${tlsAlpnPort}`);
|
|
|
|
|
|
|
|
|
|
|
|
const certificate = await util.retrieveTlsAlpnCertificate(host, tlsAlpnPort);
|
|
|
|
|
|
log('Certificate received from server successfully, matching key authorization in ALPN');
|
|
|
|
|
|
|
|
|
|
|
|
if (!isAlpnCertificateAuthorizationValid(certificate, keyAuthorization)) {
|
|
|
|
|
|
throw new Error(`Authorization not found in certificate from ${authz.identifier.value}`);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
log(`Key authorization match for ${challenge.type}/${authz.identifier.value}, ACME challenge verified`);
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-01-29 15:27:11 +08:00
|
|
|
|
/**
|
|
|
|
|
|
* Export API
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
2024-11-12 12:15:06 +08:00
|
|
|
|
export default {
|
2023-01-29 15:27:11 +08:00
|
|
|
|
'http-01': verifyHttpChallenge,
|
2024-01-30 19:24:20 +00:00
|
|
|
|
'dns-01': verifyDnsChallenge,
|
2024-05-22 19:24:07 +00:00
|
|
|
|
'tls-alpn-01': verifyTlsAlpnChallenge,
|
2023-01-29 15:27:11 +08:00
|
|
|
|
};
|
