Mercurial Hosting > luan
annotate src/luan/host/https.luan @ 2039:aa0910b07953 acme-tiny
use real servers instead of staging
| author | Violet7 |
|---|---|
| date | Sun, 09 Nov 2025 00:53:36 -0800 |
| parents | b4b3017ac28d |
| children | 389f30ed66ea |
| rev | line source |
|---|---|
| 1630 | 1 local Luan = require "luan:Luan.luan" |
| 2 local error = Luan.error | |
|
2005
fe45d2c967f1
set_https only in init.luan
Franklin Schmidt <fschmidt@gmail.com>
parents:
1798
diff
changeset
|
3 local new_error = Luan.new_error or error() |
| 1630 | 4 local load_file = Luan.load_file or error() |
| 5 local ipairs = Luan.ipairs or error() | |
| 6 local Boot = require "luan:Boot.luan" | |
| 7 local Io = require "luan:Io.luan" | |
| 8 local ip = Io.ip or error() | |
| 9 local uri = Io.uri or error() | |
| 10 local String = require "luan:String.luan" | |
| 1716 | 11 local starts_with = String.starts_with or error() |
| 1630 | 12 local Http = require "luan:http/Http.luan" |
| 13 local Hosted = require "luan:host/Hosted.luan" | |
| 14 local Logging = require "luan:logging/Logging.luan" | |
| 15 local logger = Logging.logger "https" | |
| 16 | |
|
2015
61b0cc7db09c
Manually specify letsencrypt server due to acme default server change (to zerossl)
Violet7
parents:
2009
diff
changeset
|
17 logger.info("Hello test") |
| 1630 | 18 |
| 19 function Hosted.set_https(is_https) | |
|
2005
fe45d2c967f1
set_https only in init.luan
Franklin Schmidt <fschmidt@gmail.com>
parents:
1798
diff
changeset
|
20 if Http.did_init() then |
|
fe45d2c967f1
set_https only in init.luan
Franklin Schmidt <fschmidt@gmail.com>
parents:
1798
diff
changeset
|
21 logger.error(new_error("set_https called outside of init.luan")) |
|
fe45d2c967f1
set_https only in init.luan
Franklin Schmidt <fschmidt@gmail.com>
parents:
1798
diff
changeset
|
22 return |
|
fe45d2c967f1
set_https only in init.luan
Franklin Schmidt <fschmidt@gmail.com>
parents:
1798
diff
changeset
|
23 end |
| 1630 | 24 local domain = Http.domain |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
25 local site_dir = uri("site:").parent() |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
26 local nginx_file = site_dir.child("nginx.ssl.conf") |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
27 local key_file = site_dir.child(domain..".key") |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
28 local key_file_str = key_file.canonical().to_string() |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
29 local csr_file = site_dir.child(domain..".csr") |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
30 local csr_file_str = csr_file.canonical().to_string() |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
31 local local_cer_file = site_dir.child("fullchain.cer") |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
32 local local_cer_file_str = local_cer_file.canonical().to_string() |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
33 local local_ca_file = site_dir.child("ca.cer") |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
34 -- luan/host |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
35 local luanhost_dir = uri("file:.").canonical().to_string() |
| 1630 | 36 local changed = false |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
37 -- use for testing, so as to not hit rate limits |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
38 -- on the real letsencrypt servers |
| 2039 | 39 local dry_run = false |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
40 local dry_run_dir_url = "https://acme-staging-v02.api.letsencrypt.org/directory" |
| 2034 | 41 |
| 1630 | 42 if is_https then -- https |
| 43 if not key_file.exists() then | |
| 44 local is_local = ip(domain) == "127.0.0.1" | |
| 45 logger.info("is_local "..is_local) | |
| 2034 | 46 |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
47 -- Use openssl directly to make a self-signed cert, |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
48 -- no external cert authority involved |
| 1630 | 49 if is_local then |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
50 local cmd = [[ |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
51 ./local_https.sh "]]..domain..[[" |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
52 ]] |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
53 local s = uri("bash:"..cmd).read_text() |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
54 logger.info("issue local certificate") |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
55 else |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
56 -- set up a temporary barebones nginx conf |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
57 -- to serve acme challenges on the domain |
| 2034 | 58 |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
59 local temp_dir_string = "/tmp/acme_setup/"..domain |
| 2034 | 60 |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
61 -- recursion guard, must have this to prevent |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
62 -- the http request from invoking this code |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
63 -- and causing an infinite recursion. |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
64 local cmd = "mkdir -p /tmp/acme_setup_locks/" |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
65 local s = uri("bash:"..cmd).read_text() |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
66 local guard_file = "/tmp/acme_setup_locks/"..domain..".lock" |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
67 local guard_uri = uri("file:"..guard_file) |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
68 if guard_uri.exists() then |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
69 logger.info("set_https already running for "..domain..", skipping") |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
70 return |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
71 end |
| 2034 | 72 |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
73 -- Clean out old temp files |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
74 local cmd = "rm -rf "..temp_dir_string |
| 2034 | 75 local s = uri("bash:"..cmd).read_text() |
| 76 | |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
77 -- create all needed dirs at once by using |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
78 -- mkdir -p on the deepest nested dir (acme-challenge) |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
79 local webroot = temp_dir_string.."/webroot" |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
80 local acme_challenges = webroot.."/.well-known/acme-challenge" |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
81 local cmd = "mkdir -p "..acme_challenges |
| 2034 | 82 local s = uri("bash:"..cmd).read_text() |
| 83 | |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
84 guard_uri.write("this is a recursion guard, see https.luan") |
| 2034 | 85 |
| 86 | |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
87 -- Create the nginx config from the template |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
88 local temp_dir = uri("file:"..temp_dir_string) |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
89 -- The *output* file, where the generated config is stored |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
90 local acme_nginx_file = temp_dir.child("nginx.acme_setup.conf") |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
91 local conf = load_file "file:startup/nginx/nginx.acme_setup.conf.luan" |
| 2034 | 92 local acme_nginx = ` conf(webroot,domain) ` |
| 93 acme_nginx_file.write(acme_nginx) | |
| 94 | |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
95 -- Create an index.html to search for in the logs |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
96 -- to verify everything is working |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
97 local index_file = webroot.."/index.html" |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
98 local cmd = "echo 'hi, testing' > "..index_file |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
99 local s = uri("bash:"..cmd).read_text() |
| 2034 | 100 |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
101 -- The config in ./local/nginx.conf has a directive to |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
102 -- glob include confs in /tmp/acme_setup/*/nginx.acme_setup.conf |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
103 -- so we just need to reload it so it can find the one we just made |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
104 local cmd = [[ |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
105 sudo $(which nginx) -t -c "]]..luanhost_dir..[[/local/nginx.conf" && sudo $(which nginx) -s reload; |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
106 ]] |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
107 local s = uri("bash:"..cmd).read_text() |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
108 logger.info("reload_nginx "..s) |
| 2034 | 109 |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
110 -- We've set up nginx to serve from our temp root, now we need to |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
111 -- create a *domain key*, which we then use to sign our cert. |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
112 local cmd = "openssl genrsa 4096 > "..key_file_str |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
113 local s = uri("bash:"..cmd).read_text() |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
114 logger.info("create domain key\n"..s) |
| 2034 | 115 |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
116 -- create the cert, signed with the key we just made |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
117 local cmd = 'openssl req -new -sha256 -key '..key_file_str..' -subj "/CN='..domain..'" > '..csr_file_str |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
118 local s = uri("bash:"..cmd).read_text() |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
119 logger.info("create cert\n"..s) |
| 2034 | 120 |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
121 -- Finally, get our cert signed by letsencrypt. |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
122 local cmd = [[ |
| 2037 | 123 python3 acme_tiny.py --account-key ./local/tiny_account.key \ |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
124 --csr ]]..csr_file_str..[[ \ |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
125 --acme-dir ]]..acme_challenges..[[ \ |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
126 ]] |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
127 if dry_run then |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
128 cmd = cmd.." --directory-url "..dry_run_dir_url |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
129 end |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
130 cmd = cmd.."> "..local_cer_file_str |
| 2034 | 131 |
| 132 local s = uri("bash:"..cmd).read_text() | |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
133 logger.info("get cert signed by letsencrypt\n"..s) |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
134 |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
135 -- The above http requests made by acme_tiny are the only thing |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
136 -- that could cause a recursion so it is safe to delete the guard here. |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
137 guard_uri.delete() |
| 2034 | 138 |
| 2038 | 139 -- Don't forget to delete the files so the nginx config |
| 140 -- doesn't have 2 server blocks for the same site. | |
| 141 | |
| 142 local cmd = "rm -rf /tmp/acme_setup/"..domain | |
| 143 local s = uri("bash:"..cmd).read_text() | |
| 144 logger.info("get cert signed by letsencrypt\n"..s) | |
| 145 | |
| 146 | |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
147 -- We now have our certificate! |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
148 -- Now we just need to generate the nginx config |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
149 -- that uses it, place it in luan/host/sites/*/nginx.ssl.conf |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
150 -- and tell luan-host to reload nginx. |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
151 |
| 1630 | 152 logger.info("issue certificate "..s) |
| 153 end | |
| 154 if key_file.exists() and local_cer_file.exists() then | |
| 155 changed = true | |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
156 -- the nginx config only requires 2 files: |
|
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
157 -- fullchain.cer and DOMAIN.key |
| 1632 | 158 local conf = load_file "file:startup/nginx/nginx.ssl.conf.luan" |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
159 local nginx = ` conf(luanhost_dir,domain) ` |
| 1630 | 160 nginx_file.write(nginx) |
| 161 end | |
| 162 end | |
| 163 else -- http | |
| 164 if key_file.exists() or nginx_file.exists() then | |
| 165 changed = true | |
| 166 nginx_file.delete() | |
| 167 local_cer_file.delete() | |
| 168 local_ca_file.delete() | |
| 1716 | 169 local ptn = domain.."." |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
170 for _, file in ipairs(site_dir.children()) do |
| 1716 | 171 if starts_with(file.name(),ptn) then |
| 1630 | 172 file.delete() |
| 173 end | |
| 174 end | |
| 175 end | |
| 176 end | |
| 177 if changed then | |
| 178 local cmd = [[ | |
|
2036
2740f8a9ba3a
First test prototype (also convert spaces to tabs and remove *.orig files)
Violet7
parents:
2034
diff
changeset
|
179 sudo $(which nginx) -t -c "]]..luanhost_dir..[[/local/nginx.conf" && sudo $(which nginx) -s reload; |
| 1630 | 180 ]] |
| 181 local s = uri("bash:"..cmd).read_text() | |
| 182 logger.info("reload_nginx "..s) | |
| 183 end | |
| 184 --logger.info "done" | |
| 185 end | |
| 186 Hosted.set_https = Boot.no_security(Hosted.set_https) |