changeset 2104:9ba91823980e ssltesting
minor
| author | Violet7 |
|---|---|
| date | Tue, 16 Dec 2025 17:18:37 -0800 |
| parents | 8c30779427ae |
| children | 3dc3fc1aa563 |
| files | src/luan/host/Https.luan |
| diffstat | 1 files changed, 81 insertions(+), 79 deletions(-) [+] |
diff -r 8c30779427ae -r 9ba91823980e src/luan/host/Https.luan
--- a/src/luan/host/Https.luan Tue Dec 16 17:14:55 2025 -0800
+++ b/src/luan/host/Https.luan Tue Dec 16 17:18:37 2025 -0800
@@ -79,6 +79,87 @@
 files.nginx_file.write(nginx)
 end
 end
+function Https.set_https(is_https)
+ if Http.did_init() then
+ logger.error(new_error("set_https called outside of init.luan"))
+ return
+ end
+ local domain = Http.domain
+ local site_dir = uri("site:").parent()
+ local luanhost_dir = uri("file:.")
+
+ -- use for testing, so as to not hit rate limits
+ -- on the real letsencrypt servers
+ local dry_run = false
+
+ if not try_synchronized( function()
+ do_set_https(is_https,domain,site_dir,luanhost_dir,dry_run)
+ end, domain..".lock", 0 )() then
+ logger.info("set_https already running for "..domain..", skipping")
+ end
+end
+
+function Issue_cert(domain, site_dir, luanhost_dir, dry_run, files)
+ local luanhost_dir_str = luanhost_dir.canonical().to_string()
+ local csr_file_str = files.csr_file_str.canonical().to_string()
+
+ -- Finally, get our cert from letsencrypt.
+ local cmd = luanhost_dir_str..[[/acme_tiny \
+ --account-key ]]..luanhost_dir_str..[[/local/tiny_account.key \
+ --csr ]]..csr_file_str..[[ \
+ --acme-dir ]]..files.acme_challenges.canonical().to_string()..[[ \
+ ]]
+
+ -- Problems here are probably from letsencrypt
+ -- leaving this comment here in case its not
+ if dry_run then
+ local dry_run_dir_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
+ cmd = cmd.." --directory-url "..dry_run_dir_url
+ end
+
+ local tmp_out_str = files.tmp_cert_out.canonical().to_string()
+ cmd = cmd.." > "..tmp_out_str
+ logger.info("acme-tiny commandline:\n"..cmd)
+
+ local s = uri("bash:"..cmd).read_text()
+ logger.info("get cert signed by letsencrypt\n"..s)
+
+ -- Empty stdout from acme-tiny is a failure.
+ if files.tmp_cert_out.length() == 0 then
+ -- TODO: this should fail non-gracefully,
+ -- all failures here are almost certainly bugs.
+ logger.error("FAILED getting cert from letsencrypt.\nSee previous output.\nNot writing to fullchain.cer")
+ else
+ -- Success! Move the temp output to the real fullchain.
+ local local_cer_file_str = files.local_cer_file.canonical().to_string()
+ if files.local_cer_file_str.exists() then
+ local cmd = "mv "..local_cer_file_str.." "..local_cer_file_str..".old"
+ local s = uri("bash:"..cmd).read_text()
+ logger.info("moving old fullchain to fullchain.cer.old\n"..s)
+ end
+
+ local cmd = "mv "..tmp_out_str.." "..local_cer_file_str
+ local s = uri("bash:"..cmd).read_text()
+ logger.info("move temp output to fullchain.cer\n"..s)
+ end
+
+ local cmd = `%>
+sudo $(which nginx) -t -c "<%=luanhost_dir_str%>/local/nginx.conf" && \
+sudo $(which nginx) -s reload -c "<%=luanhost_dir_str%>/local/nginx.conf";
+<%`
+ local s = uri("bash:"..cmd).read_text()
+ logger.info("reload_nginx "..s)
+end
+
+
+function Https.renew_ssl(renewal_period,domain,site_dir,luanhost_dir,dry_run)
+ files.csr_file.exists() or error "no CSR file, assuming local https cert"
+ if time_now() - files.csr_file.last_modified() < renewal_period then
+ Issue_cert(domain, site_dir, luanhost_dir, dry_run, files)
+ return
+ end
+end
+
+
 local function do_set_https(is_https,domain,site_dir,luanhost_dir,dry_run)
 local files = get_files(domain,site_dir)
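Review bot: `Https.renew_ssl` reads `files.csr_file` and passes `files` to `Issue_cert`, but `files` is neither a parameter nor a local of that function — the only `files` visible on the page is the local that `do_set_https` builds with `get_files(domain,site_dir)` — so the call fails on an unbound name before any renewal happens; adding `local files = get_files(domain,site_dir)` as its first line would match `do_set_https`. The renewal test also reads inverted: it issues a new cert while the CSR is *younger* than `renewal_period`, the opposite of the usual "older than threshold" check, so the intended comparison is worth confirming. In `Issue_cert`, `files.csr_file_str.canonical()` and `files.local_cer_file_str.exists()` sit beside `files.csr_file` and `files.local_cer_file`; if `get_files` (out of view here) only exposes the non-`_str` file objects, both lines raise on nil, and `Issue_cert` is declared without `local` unlike `do_set_https`, so `local function Issue_cert` would keep it module-private now that it precedes its only caller. Finally, every path spliced into the `bash:` commands (`luanhost_dir_str`, `csr_file_str`, `tmp_out_str`, `local_cer_file_str`, and the `acme_challenges` dir) is unquoted even though they derive from the domain via `site_dir`; wrapping each in double quotes, e.g. `--csr "]]..csr_file_str..[[" \` and `"mv \""..tmp_out_str.."\" \""..local_cer_file_str.."\""`, keeps a path with whitespace or shell metacharacters from being parsed as extra arguments, the same way the nginx template already quotes `<%=luanhost_dir_str%>`.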
@@ -178,84 +259,5 @@
 end
 Https.do_set_https = do_set_https -- for testing
-function Https.set_https(is_https)
- if Http.did_init() then
- logger.error(new_error("set_https called outside of init.luan"))
- return
- end
- local domain = Http.domain
- local site_dir = uri("site:").parent()
- local luanhost_dir = uri("file:.")
-
- -- use for testing, so as to not hit rate limits
- -- on the real letsencrypt servers
- local dry_run = false
-
- if not try_synchronized( function()
- do_set_https(is_https,domain,site_dir,luanhost_dir,dry_run)
- end, domain..".lock", 0 )() then
- logger.info("set_https already running for "..domain..", skipping")
- end
-end
-
-function Https.renew_ssl(renewal_period,domain,site_dir,luanhost_dir,dry_run)
- files.csr_file.exists() or error "no CSR file, assuming local https cert"
- if time_now() - files.csr_file.last_modified() < renewal_period then
- Issue_cert(domain, site_dir, luanhost_dir, dry_run, files)
- return
- end
-end
-
-function Issue_cert(domain, site_dir, luanhost_dir, dry_run, files)
- local luanhost_dir_str = luanhost_dir.canonical().to_string()
- local csr_file_str = files.csr_file_str.canonical().to_string()
-
- -- Finally, get our cert from letsencrypt.
- local cmd = luanhost_dir_str..[[/acme_tiny \
- --account-key ]]..luanhost_dir_str..[[/local/tiny_account.key \
- --csr ]]..csr_file_str..[[ \
- --acme-dir ]]..files.acme_challenges.canonical().to_string()..[[ \
- ]]
-
- -- Problems here are probably from letsencrypt
- -- leaving this comment here in case its not
- if dry_run then
- local dry_run_dir_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
- cmd = cmd.." --directory-url "..dry_run_dir_url
- end
-
- local tmp_out_str = files.tmp_cert_out.canonical().to_string()
- cmd = cmd.." > "..tmp_out_str
- logger.info("acme-tiny commandline:\n"..cmd)
-
- local s = uri("bash:"..cmd).read_text()
- logger.info("get cert signed by letsencrypt\n"..s)
-
- -- Empty stdout from acme-tiny is a failure.
- if files.tmp_cert_out.length() == 0 then
- -- TODO: this should fail non-gracefully,
- -- all failures here are almost certainly bugs.
- logger.error("FAILED getting cert from letsencrypt.\nSee previous output.\nNot writing to fullchain.cer")
- else
- -- Success! Move the temp output to the real fullchain.
- local local_cer_file_str = files.local_cer_file.canonical().to_string()
- if files.local_cer_file_str.exists() then
- local cmd = "mv "..local_cer_file_str.." "..local_cer_file_str..".old"
- local s = uri("bash:"..cmd).read_text()
- logger.info("moving old fullchain to fullchain.cer.old\n"..s)
- end
-
- local cmd = "mv "..tmp_out_str.." "..local_cer_file_str
- local s = uri("bash:"..cmd).read_text()
- logger.info("move temp output to fullchain.cer\n"..s)
- end
-
- local cmd = `%>
-sudo $(which nginx) -t -c "<%=luanhost_dir_str%>/local/nginx.conf" && \
-sudo $(which nginx) -s reload -c "<%=luanhost_dir_str%>/local/nginx.conf";
-<%`
- local s = uri("bash:"..cmd).read_text()
- logger.info("reload_nginx "..s)
-end
 return Https
