/// <summary>
/// Get the password. This is generated realtime as a hash of the
/// username itself using the installation salt.
/// </summary>
/// <returns></returns>
public string GetWindowsPassword()
{
// On some setups there is policy enforcement...
// https://technet.microsoft.com/en-us/library/hh994562(v=ws.11).aspx
var pwd = "#" + UtilsEncryption.GetMD5(this.windowsUsername + this.globalSettings.installationSalt).Substring(0, 10)
+ UtilsEncryption.GetMD5(this.windowsUsername + this.globalSettings.installationSalt).Substring(10, 10).ToUpper();
return(pwd);
}
/// <inheritdoc cref="IDownloaderInterface"/>
public string GetNextId(string buildId = null)
{
// We won't limit build id's for local path downloader during
// testing process.
var istest = this.GlobalSettings.options.Contains("testenvironment");
if (!string.IsNullOrWhiteSpace(buildId) && !istest)
{
throw new Exception("LocalPathDownloader does not support deploying from a specific buildId.");
}
if (this.Settings.monitorChangesTo != null && this.Settings.monitorChangesTo.Any())
{
StringBuilder signature = new StringBuilder();
var difo = new DirectoryInfo(this.Settings.path);
foreach (var p in this.Settings.monitorChangesTo)
{
var files = difo.EnumerateFiles(p);
foreach (var f in files)
{
signature.AppendLine(f.FullName + ":" + f.LastWriteTimeUtc.ToUnixTimestamp());
}
}
// Si cambia alguno de los ficheros esta firma cambiará.
return("monitorchanges:" + UtilsEncryption.GetMD5(signature.ToString()));
}
// Por defecto usa el lastwritetime del directorio... esto en Windows es una mierda
// porque no hay propagación vertical de esta información (i.e. si modificar un fichero
// dentro del directorio la fecha del directorio no cambia).
return("lastwritetime:" + (new DirectoryInfo(this.Settings.path)).LastWriteTimeUtc.ToUnixTimestamp());
}
/// <summary>
/// Cause initialization of Certes
/// </summary>
/// <param name="signerPath"></param>
/// <param name="registrationPath"></param>
/// <param name="email"></param>
public void InitRegistration(string signerPath, string registrationPath, string email)
{
// Signer path y registrationpath son específicos de la librería vieja, pero usamos el directorio que indican
// para guardar la configuración del registro de cuenta de certes. Como el registration depende del entorno, ponemos la AcmeUri en el hash del propio
// nombre del fichero.
string settingsFilePath = Path.Combine(Path.GetDirectoryName(signerPath), UtilsEncryption.GetMD5(email + "::" + this.AcmeUri), "certes.json");
UtilsSystem.EnsureDirectoryExists(settingsFilePath);
// Initialization and renewal/revocation handling
// We get the CertesWrapper object, that will do most of the job.
// RS256 Let's generate a new key (RSA is good enough IMHO)
var serviceUri = new Uri(this.AcmeUri);
this.Logger.LogInfo(true, "Using Acme URI: " + serviceUri);
CertesSettings settings;
this.HttpClient = new HttpClient();
this.AcmeHttpClient = new AcmeHttpClient(serviceUri, this.HttpClient);
if (File.Exists(settingsFilePath))
{
// Si ya teníamos unos settings, siginifica que la cuenta ya está registrada
settings =
JsonConvert.DeserializeObject <CertesSettings>(File.ReadAllText(settingsFilePath));
this.AcmeContext = new AcmeContext(serviceUri, KeyFactory.FromDer(settings.Key), this.AcmeHttpClient);
}
else
{
// Hay que crear una nueva cuenta con su clave, y registrarla en ACME
settings = new CertesSettings()
{
AccountEmail = email,
ServiceUri = serviceUri,
Key = KeyFactory.NewKey(KeyAlgorithm.RS256).ToDer()
};
// Register the account
this.AcmeContext = new AcmeContext(serviceUri, KeyFactory.FromDer(settings.Key), this.AcmeHttpClient);
IAccountContext accountCtx = this.AcmeContext.NewAccount(settings.AccountEmail, true).Result;
File.WriteAllText(settingsFilePath, JsonConvert.SerializeObject(settings));
Certes.Acme.Resource.Directory directory = this.AcmeContext.GetDirectory().Result;
this.Logger.LogInfo(true, $"Successfully registered account {settings.AccountEmail} with certificate authority {serviceUri.AbsoluteUri}");
if ((directory.Meta != null) && (directory.Meta.TermsOfService != null))
{
this.Logger.LogInfo(true, $"Please check the ACME Service ToS at: {directory.Meta.TermsOfService}");
}
}
this.CertesSettings = settings;
}
/// <summary>
/// Execute the opreation...
/// </summary>
/// <param name="destination"></param>
/// <param name="forceDownload"></param>
protected void DoExecute(
string destination,
bool forceDownload = false)
{
var uri = this.Config.uri;
var maps = this.Config.maps;
var filename = Path.GetFileName(uri);
var tmpDir = UtilsSystem.GetTempPath("iischef_cache", UtilsEncryption.GetMD5(uri));
var tmpFile = UtilsSystem.CombinePaths(UtilsSystem.GetTempPath(), UtilsEncryption.GetMD5(uri) + "_" + filename);
if (forceDownload && Directory.Exists(tmpDir))
{
Directory.Delete(tmpDir, true);
}
if (Directory.Exists(tmpDir))
{
var difo = new DirectoryInfo(tmpDir);
if (!difo.EnumerateFiles("*", SearchOption.AllDirectories).Any())
{
Directory.Delete(tmpDir, true);
}
}
if (!Directory.Exists(tmpDir))
{
var parsedUri = new Uri(uri);
if (parsedUri.Scheme.Equals("file", StringComparison.CurrentCultureIgnoreCase))
{
var path = Path.Combine(this.LocalArtifactPath, parsedUri.LocalPath.TrimStart("\\".ToCharArray()));
File.Copy(path, tmpFile);
}
else
{
using (var wc = new WebClient())
{
try
{
wc.Headers.Add(
"User-Agent",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.33 Safari/537.36");
wc.DownloadFile(uri, tmpFile);
}
catch (Exception ex)
{
throw new Exception("Could not download file: " + uri, ex);
}
}
}
UtilsSystem.EnsureDirectoryExists(tmpDir, true);
if (tmpFile.EndsWith(".zip"))
{
ZipFile.ExtractToDirectory(tmpFile, tmpDir);
}
else
{
File.Move(tmpFile, UtilsSystem.CombinePaths(tmpDir, filename));
}
File.Delete(tmpFile);
}
// Move the files according to the maps
foreach (var map in maps)
{
var files = (new DirectoryInfo(tmpDir)).GetFiles(map.Key, SearchOption.AllDirectories);
if (!files.Any())
{
throw new Exception(
string.Format(
"No matching files found for pattern: {0} in package {1} ['{2}']",
map.Key,
uri,
tmpDir));
}
if (files.Count() == 1)
{
var dest = UtilsSystem.CombinePaths(destination, map.Value);
UtilsSystem.EnsureDirectoryExists(dest);
File.Copy(files.First().FullName, dest);
}
else
{
foreach (var f in files)
{
var subpath = f.FullName.Replace((new DirectoryInfo(tmpDir)).FullName, string.Empty);
var dest = UtilsSystem.CombinePaths(destination, map.Value, subpath);
UtilsSystem.EnsureDirectoryExists(dest);
try
{
File.Copy(f.FullName, dest);
}
catch (Exception e)
{
throw new Exception($"Error copying file '{f.FullName}' to '{dest}'");
}
}
}
}
}
/// <summary>
/// Provisions a certificate in the central store
/// </summary>
/// <param name="hostName">Domain to register</param>
/// <param name="email">Registration e-mail</param>
/// <param name="bindingInfo">IIS binding info</param>
/// <param name="ownerSiteName">The site that owns the binding, used to assign identity and application pool permissions.</param>
/// <param name="forceSelfSigned">Force a self-signed certificate</param>
/// <param name="forceRenewal">Force renewal, even if renewal conditions are not met</param>
/// <returns>The certificate's friendly name, ready to be bound in IIS</returns>
public void ProvisionCertificateInIis(
string hostName,
string email,
string bindingInfo,
string ownerSiteName,
bool forceSelfSigned = false,
bool forceRenewal = false)
{
if (hostName.Contains("*"))
{
throw new Exception($"Provisioning certificates for wildcard host name '{hostName}' is not supported.");
}
var currentCertificate = UtilsIis.FindCertificateInCentralCertificateStore(hostName, this.Logger, out _);
double remainingCertificateDays = (currentCertificate?.NotAfter - DateTime.Now)?.TotalDays ?? 0;
this.Logger.LogInfo(true, "Total days remaining for certificate expiration: '{0}'", (int)Math.Floor(remainingCertificateDays));
// Trigger renovation. Do this differently on mock/prod environment.
// Next renewal attempt is calculated based on previous renewal attempt
var renewalState = this.GetCertificateRenewalState(hostName);
// Legacy apps don't have this set, or when a certificate has been manually placed
if (renewalState.NextRenewal == null && remainingCertificateDays > 1)
{
renewalState.NextRenewal = this.CalculateNextRenewalAttempt(hostName, (int)remainingCertificateDays);
this.StoreCertificateRenewalState(renewalState);
}
int remainingDaysForNextRenewal = renewalState.NextRenewal == null ? 0 : (int)(renewalState.NextRenewal - DateTime.UtcNow).Value.TotalDays;
int certificateTotalDuration = currentCertificate == null ? 0 : (int)(currentCertificate.NotAfter - currentCertificate.NotBefore).TotalDays;
this.Logger.LogInfo(true, "Next renewal attempt for this site SSL targeted in '{0}' days.", remainingDaysForNextRenewal);
// Check that the validationfailed request rate is not exceeded for this domain
if (!forceRenewal && renewalState.FailedValidations.AsIterable().Count(i => (DateTime.UtcNow - i).TotalHours < 48) >= 2)
{
// Make this message verbos so that it will not flood the logs, the failed validation message will get logged
// anyways and is sufficient.
this.Logger.LogWarning(true, "The hostname '{0}' has reached the limit of two failed validations in the last 48 hours.", hostName);
return;
}
if (!forceRenewal && !forceSelfSigned && remainingDaysForNextRenewal > 0 && remainingCertificateDays > 0)
{
this.Logger.LogWarning(true, "Next renewal attempt date not reached, skipping SSL provisioning.");
return;
}
if (!forceRenewal && remainingDaysForNextRenewal > 0 && (remainingDaysForNextRenewal > certificateTotalDuration * 0.5) && certificateTotalDuration > 0)
{
this.Logger.LogWarning(false, "Certificate has not yet been through at least 50% of it's lifetime so it will not be renewed.'");
renewalState.NextRenewal = this.CalculateNextRenewalAttempt(hostName, (int)remainingCertificateDays);
this.StoreCertificateRenewalState(renewalState);
return;
}
// Check the general too many requests rate exceeded
if (!forceRenewal && this.SimpleStoreRenewalStatus.Get <bool>("ssl-certificate-provider-too-many-requests", out var tooManyRequests))
{
this.Logger.LogWarning(false, "Certificate provisioning temporarily disabled due to a Too Many Requests ACME error. Flag stored in {0}", tooManyRequests.StorePath);
return;
}
this.Logger.LogInfo(false, "Attempting SSL certificate renewal for site '{0}' and host '{1}'", ownerSiteName, hostName);
// Clear old validation failed requests
if (renewalState.FailedValidations?.Any() == true)
{
// Only keep failed validations that happen in the last 5 days
renewalState.FailedValidations = renewalState.FailedValidations
.Where((i) => (DateTime.UtcNow - i).TotalDays < 5).ToList();
}
// This is a little bit inconvenient but... the most reliable and compatible
// way to do this is to setup a custom IIS website that uses the binding during
// provisioning.
long tempSiteId;
List <Site> haltedSites = new List <Site>();
var tempSiteName = "cert-" + this.AppId;
var tempSiteAppId = "cert-" + this.AppId;
string tempHostName = "localcert-" + hostName;
this.Logger.LogInfo(true, "Preparing temp site: " + tempSiteName);
List <Site> conflictingSites;
// Prepare the site
using (ServerManager sm = new ServerManager())
{
// Query the sites in a resilient way...
conflictingSites = UtilsSystem.QueryEnumerable(
sm.Sites,
(s) => s.State == ObjectState.Started && s.Bindings.Any((i) => i.Host.Equals(hostName)),
(s) => s,
(s) => s.Name,
this.Logger);
}
// Stop the sites that might prevent this one from starting
foreach (var s in conflictingSites)
{
this.Logger.LogInfo(true, "Stopping site {0} to avoid binding collision.", s.Name);
this.AppPoolUtils.WebsiteAction(s.Name, AppPoolActionType.Stop, skipApplicationPools: true);
haltedSites.Add(s);
}
using (ServerManager sm = new ServerManager())
{
// Make sure there is no other site (might be stuck?)
var existingSite = (from p in sm.Sites
where p.Name == tempSiteName
select p).FirstOrDefault();
var tempSite = existingSite ?? sm.Sites.Add(tempSiteName, this.GetAcmeTemporarySiteRootForApplication(), 80);
// Propagate application pool usage so that permissions are properly handled.
var ownerSite = sm.Sites.First((i) => i.Name == ownerSiteName);
tempSite.Applications.First().ApplicationPoolName = ownerSite.Applications.First().ApplicationPoolName;
// Delete all bindings
tempSite.Bindings.Clear();
tempSite.Bindings.Add(bindingInfo, "http");
tempSite.Bindings.Add($"{UtilsIis.LOCALHOST_ADDRESS}:80:" + tempHostName, "http");
tempSiteId = tempSite.Id;
this.UtilsHosts.AddHostsMapping(UtilsIis.LOCALHOST_ADDRESS, tempHostName, tempSiteAppId);
// Prepare the website contents
var sourceDir = UtilsSystem.FindResourcePhysicalPath(typeof(IISDeployer), ".well-known");
UtilsSystem.CopyFilesRecursively(new DirectoryInfo(sourceDir), new DirectoryInfo(this.GetWellKnownSharedPathForApplication()), true);
UtilsIis.CommitChanges(sm);
}
UtilsIis.WaitForSiteToBeAvailable(tempSiteName, this.Logger);
UtilsIis.ConfigureAnonymousAuthForIisApplication(tempSiteName, this.Deployment.WindowsUsernameFqdn(), this.Deployment.GetWindowsPassword());
IAcmeSharpProvider provider = null;
try
{
this.AppPoolUtils.WebsiteAction(tempSiteName, AppPoolActionType.Start);
// Check that the site does work using the local binding
var testDataUrl = $"http://{tempHostName}/.well-known/acme-challenge/test.html";
this.Logger.LogInfo(true, "Validating local challenge setup at: {0}", testDataUrl);
if (!string.Equals(UtilsSystem.DownloadUriAsText(testDataUrl), "test data"))
{
throw new Exception($"Could not locally validate acme challenge site setup at {testDataUrl}");
}
// Ssl registration configuration only depends on the e-mail and is signed as such
string sslSignerAndRegistrationStoragePath = UtilsSystem.EnsureDirectoryExists(
UtilsSystem.CombinePaths(this.StoragePath, "_ssl_config", StringFormating.Instance.ExtremeClean(email)), true);
// Initialize the provider
bool useMockProvider = this.MockEnvironment || forceSelfSigned;
provider = useMockProvider
? (IAcmeSharpProvider) new AcmeSharpProviderMock(this.Logger, tempHostName)
: this.GetAcmeProvider(this.Logger, hostName);
var signerPath = Path.Combine(this.StoragePath, "_signer.xml");
var registrationPath = Path.Combine(sslSignerAndRegistrationStoragePath, "registration.json");
provider.InitRegistration(signerPath, registrationPath, email);
string challengeUrl;
string challengeContent;
string challengeFilePath;
try
{
provider.GenerateHttpChallenge(
out challengeUrl,
out challengeContent,
out challengeFilePath);
}
catch (AcmeClient.AcmeWebException acmeException)
{
if (acmeException.Message.Contains("429"))
{
int waitHours = 1;
this.SimpleStoreRenewalStatus.Set("ssl-certificate-provider-too-many-requests", true, 60 * waitHours);
this.Logger.LogError("Let's encrypt too many requests issue. Certificate provisioning disabled for the next {0} hours.", waitHours);
this.Logger.LogException(acmeException, EventLogEntryType.Warning);
return;
}
throw;
}
// Write the challanege contents
string challengeFullPath =
Path.Combine(this.GetAcmeTemporarySiteRootForApplication(), challengeFilePath);
File.WriteAllText(
challengeFullPath,
challengeContent);
this.Logger.LogInfo(false, $"Veryfing challenge at '{challengeUrl}'");
try
{
// Validate that we can actually access the challenge ourselves!
string contents = UtilsSystem.DownloadUriAsText(challengeUrl, false);
if (!string.Equals(contents, challengeContent))
{
throw new Exception(
$"Could not validate ACME challenge, retrieved challenge '{contents}' does not match '{challengeContent}'");
}
}
catch (Exception e)
{
this.Logger.LogWarning(true, "Cannot self-verify auth challenge, this can sometimes happeen under some DNS setups. {0}", e.Message + Environment.NewLine + e.InnerException?.Message);
}
var challengeValidated = false;
try
{
challengeValidated = provider.ValidateChallenge();
}
catch (Exception e)
{
this.Logger.LogException(e, EventLogEntryType.Warning);
}
this.Logger.LogWarning(true, "Remote challenge validation success: " + (challengeValidated ? "Yes" : "No"));
// Download the certificates to this temp location
string temporaryCertificatePath = UtilsSystem.EnsureDirectoryExists(UtilsSystem.CombinePaths(this.StoragePath, this.AppId, "ssl_certificates", hostName), true);
CertificatePaths certificatepaths = null;
// This is here for testing purposes
if (Environment.GetEnvironmentVariable("TEST_FAIL_CHALLENGE_VALIDATION") == true.ToString())
{
challengeValidated = false;
}
if (!challengeValidated)
{
// There is a Failed Validation limit of 5 failures per account, per hostname, per hour.
renewalState.FailedValidations = renewalState.FailedValidations ?? new List <DateTime>();
renewalState.FailedValidations.Add(DateTime.UtcNow);
this.Logger.LogError(
"Challenge could not be validated at '{0}'. If behind a load balancer, make sure that the site is deployed in ALL nodes, remove the self-signed certificate from the store and redeploy the application.",
challengeUrl);
this.StoreCertificateRenewalState(renewalState);
}
else
{
try
{
certificatepaths = provider.DownloadCertificate(
UtilsEncryption.GetMD5(hostName),
hostName,
temporaryCertificatePath);
}
catch (AcmeClient.AcmeWebException acmeException)
{
this.Logger.LogException(acmeException, EventLogEntryType.Warning);
}
catch (WebException webException)
{
this.Logger.LogException(webException, EventLogEntryType.Warning);
}
catch (Exception e)
{
this.Logger.LogException(e, EventLogEntryType.Warning);
}
}
if (certificatepaths == null && currentCertificate == null)
{
this.Logger.LogWarning(false, "Unable to acquire certificate and site does not have a valid existing one, using self-signed fallback.");
provider = new AcmeSharpProviderMock(this.Logger, hostName);
certificatepaths = provider.DownloadCertificate(
UtilsEncryption.GetMD5(hostName),
hostName,
temporaryCertificatePath);
}
// Save this, use a fixed name certificate file
if (certificatepaths != null)
{
string certificateFilePath = Path.Combine(UtilsIis.CentralStorePath(this.Logger), hostName + ".pfx");
UtilsSystem.RetryWhile(
() => { File.Copy(certificatepaths.pfxPemFile, certificateFilePath, true); },
(e) => true,
2500,
this.Logger);
this.Logger.LogInfo(false, "Certificate file writen to '{0}'", certificateFilePath);
// TODO: Activate this refreshing when it's prooved to work
// UtilsIis.EnsureCertificateInCentralCertificateStoreIsRebound(hostName, this.Logger);
}
// Remove temporary certificates
UtilsSystem.DeleteDirectory(temporaryCertificatePath, this.Logger);
// Remove the already used challenge if it was validated. Otherwise keep it
// for debugging purposes.
if (challengeValidated && File.Exists(challengeFullPath))
{
File.Delete(challengeFullPath);
}
// In the end, we always have a certificate. Program a renewal date according to the remaining expiration.
currentCertificate = UtilsIis.FindCertificateInCentralCertificateStore(hostName, this.Logger, out _);
remainingCertificateDays = (currentCertificate?.NotAfter - DateTime.Now)?.TotalDays ?? 0;
// Add some randomness in renewal dates to avoid all certificates being renewed at once and reaching api limits
renewalState.LastRenewal = DateTime.UtcNow;
renewalState.NextRenewal = this.CalculateNextRenewalAttempt(hostName, (int)remainingCertificateDays);
this.StoreCertificateRenewalState(renewalState);
}
finally
{
this.Logger.LogInfo(true, "Disposing temporary verification setup");
provider?.Dispose();
this.UtilsHosts.RemoveHostsMapping(tempSiteAppId);
// Restore the original state of IIS!!!
using (ServerManager sm = new ServerManager())
{
var site = sm.Sites.Single(i => i.Id == tempSiteId);
UtilsIis.RemoveSite(site, sm, this.Logger);
UtilsIis.CommitChanges(sm);
}
// Give IIS some time to reconfigure itself and free resources.
Thread.Sleep(1000);
// Start the sites
foreach (var site in haltedSites)
{
// Add some retry logic here because bringing the original sites online is critical
UtilsSystem.RetryWhile(() => { this.AppPoolUtils.WebsiteAction(site.Name, AppPoolActionType.Start); }, (e) => true, 5000, this.Logger);
}
}
}
