public DockerHostService(string name, bool isNative, bool stopWhenDisposed = false, string dockerUri = null, string certificatePath = null, bool isWindowsHost = false) : base(name) { _isWindowsHost = isWindowsHost; _stopWhenDisposed = stopWhenDisposed; IsNative = isNative; if (IsNative) { var uri = dockerUri ?? DockerUri.GetDockerHostEnvronmentPathOrDefault(); var certPath = certificatePath ?? Environment.GetEnvironmentVariable(DockerCertPath); if (!string.IsNullOrEmpty(certPath)) { Certificates = new CertificatePaths { CaCertificate = Path.Combine(certPath, DefaultCaCertName), ClientCertificate = Path.Combine(certPath, DefaultClientCertName), ClientKey = Path.Combine(certPath, DefaultClientKeyName) } } ; Host = string.IsNullOrEmpty(uri) ? null : new DockerUri(uri); RequireTls = Environment.GetEnvironmentVariable(DockerTlsVerify) == "1"; State = ServiceRunningState.Running; return; } // Machine - do inspect & get url MachineSetup(name); }
public static void Initialize(TestContext ctx) { if (CommandExtensions.IsNative() || CommandExtensions.IsEmulatedNative()) { _docker.LinuxMode(); return; } var machineName = "test-machine"; var machines = Machine.Ls(); if (machines.Success && machines.Data.Any(x => x.Name == "default")) { machineName = "default"; } else { machineName.Create(1024, 20000, 1); _createdTestMachine = true; } machineName.Start(); var inspect = machineName.Inspect().Data; _docker = machineName.Uri(); _certificates = new CertificatePaths { CaCertificate = inspect.AuthConfig.CaCertPath, ClientCertificate = inspect.AuthConfig.ClientCertPath, ClientKey = inspect.AuthConfig.ClientKeyPath }; _docker.LinuxMode(_certificates); }
/// <inheritdoc cref="IAcmeSharpProvider"/> public CertificatePaths DownloadCertificate( string certificatename, string mainhost, string certificatePath, List <string> alternatehosts = null) { var result = new CertificatePaths(); // Creating the self-signed certificate already enrolls it in the local certificate store this.Logger.LogInfo(true, "Generating self signed certificate."); var tmpPfx = Path.GetTempFileName(); UtilsCertificate.CreateSelfSignedCertificateAsPfx(this.Domain, tmpPfx, string.Empty, null, this.Logger, 90); result.pfxPemFile = tmpPfx; return(result); }
/// <summary> /// Provisions a certificate in the central store /// </summary> /// <param name="hostName">Domain to register</param> /// <param name="email">Registration e-mail</param> /// <param name="bindingInfo">IIS binding info</param> /// <param name="ownerSiteName">The site that owns the binding, used to assign identity and application pool permissions.</param> /// <param name="forceSelfSigned">Force a self-signed certificate</param> /// <param name="forceRenewal">Force renewal, even if renewal conditions are not met</param> /// <returns>The certificate's friendly name, ready to be bound in IIS</returns> public void ProvisionCertificateInIis( string hostName, string email, string bindingInfo, string ownerSiteName, bool forceSelfSigned = false, bool forceRenewal = false) { if (hostName.Contains("*")) { throw new Exception($"Provisioning certificates for wildcard host name '{hostName}' is not supported."); } var currentCertificate = UtilsIis.FindCertificateInCentralCertificateStore(hostName, this.Logger, out _); double remainingCertificateDays = (currentCertificate?.NotAfter - DateTime.Now)?.TotalDays ?? 0; this.Logger.LogInfo(true, "Total days remaining for certificate expiration: '{0}'", (int)Math.Floor(remainingCertificateDays)); // Trigger renovation. Do this differently on mock/prod environment. // Next renewal attempt is calculated based on previous renewal attempt var renewalState = this.GetCertificateRenewalState(hostName); // Legacy apps don't have this set, or when a certificate has been manually placed if (renewalState.NextRenewal == null && remainingCertificateDays > 1) { renewalState.NextRenewal = this.CalculateNextRenewalAttempt(hostName, (int)remainingCertificateDays); this.StoreCertificateRenewalState(renewalState); } int remainingDaysForNextRenewal = renewalState.NextRenewal == null ? 0 : (int)(renewalState.NextRenewal - DateTime.UtcNow).Value.TotalDays; int certificateTotalDuration = currentCertificate == null ? 0 : (int)(currentCertificate.NotAfter - currentCertificate.NotBefore).TotalDays; this.Logger.LogInfo(true, "Next renewal attempt for this site SSL targeted in '{0}' days.", remainingDaysForNextRenewal); // Check that the validationfailed request rate is not exceeded for this domain if (!forceRenewal && renewalState.FailedValidations.AsIterable().Count(i => (DateTime.UtcNow - i).TotalHours < 48) >= 2) { // Make this message verbos so that it will not flood the logs, the failed validation message will get logged // anyways and is sufficient. this.Logger.LogWarning(true, "The hostname '{0}' has reached the limit of two failed validations in the last 48 hours.", hostName); return; } if (!forceRenewal && !forceSelfSigned && remainingDaysForNextRenewal > 0 && remainingCertificateDays > 0) { this.Logger.LogWarning(true, "Next renewal attempt date not reached, skipping SSL provisioning."); return; } if (!forceRenewal && remainingDaysForNextRenewal > 0 && (remainingDaysForNextRenewal > certificateTotalDuration * 0.5) && certificateTotalDuration > 0) { this.Logger.LogWarning(false, "Certificate has not yet been through at least 50% of it's lifetime so it will not be renewed.'"); renewalState.NextRenewal = this.CalculateNextRenewalAttempt(hostName, (int)remainingCertificateDays); this.StoreCertificateRenewalState(renewalState); return; } // Check the general too many requests rate exceeded if (!forceRenewal && this.SimpleStoreRenewalStatus.Get <bool>("ssl-certificate-provider-too-many-requests", out var tooManyRequests)) { this.Logger.LogWarning(false, "Certificate provisioning temporarily disabled due to a Too Many Requests ACME error. Flag stored in {0}", tooManyRequests.StorePath); return; } this.Logger.LogInfo(false, "Attempting SSL certificate renewal for site '{0}' and host '{1}'", ownerSiteName, hostName); // Clear old validation failed requests if (renewalState.FailedValidations?.Any() == true) { // Only keep failed validations that happen in the last 5 days renewalState.FailedValidations = renewalState.FailedValidations .Where((i) => (DateTime.UtcNow - i).TotalDays < 5).ToList(); } // This is a little bit inconvenient but... the most reliable and compatible // way to do this is to setup a custom IIS website that uses the binding during // provisioning. long tempSiteId; List <Site> haltedSites = new List <Site>(); var tempSiteName = "cert-" + this.AppId; var tempSiteAppId = "cert-" + this.AppId; string tempHostName = "localcert-" + hostName; this.Logger.LogInfo(true, "Preparing temp site: " + tempSiteName); List <Site> conflictingSites; // Prepare the site using (ServerManager sm = new ServerManager()) { // Query the sites in a resilient way... conflictingSites = UtilsSystem.QueryEnumerable( sm.Sites, (s) => s.State == ObjectState.Started && s.Bindings.Any((i) => i.Host.Equals(hostName)), (s) => s, (s) => s.Name, this.Logger); } // Stop the sites that might prevent this one from starting foreach (var s in conflictingSites) { this.Logger.LogInfo(true, "Stopping site {0} to avoid binding collision.", s.Name); this.AppPoolUtils.WebsiteAction(s.Name, AppPoolActionType.Stop, skipApplicationPools: true); haltedSites.Add(s); } using (ServerManager sm = new ServerManager()) { // Make sure there is no other site (might be stuck?) var existingSite = (from p in sm.Sites where p.Name == tempSiteName select p).FirstOrDefault(); var tempSite = existingSite ?? sm.Sites.Add(tempSiteName, this.GetAcmeTemporarySiteRootForApplication(), 80); // Propagate application pool usage so that permissions are properly handled. var ownerSite = sm.Sites.First((i) => i.Name == ownerSiteName); tempSite.Applications.First().ApplicationPoolName = ownerSite.Applications.First().ApplicationPoolName; // Delete all bindings tempSite.Bindings.Clear(); tempSite.Bindings.Add(bindingInfo, "http"); tempSite.Bindings.Add($"{UtilsIis.LOCALHOST_ADDRESS}:80:" + tempHostName, "http"); tempSiteId = tempSite.Id; this.UtilsHosts.AddHostsMapping(UtilsIis.LOCALHOST_ADDRESS, tempHostName, tempSiteAppId); // Prepare the website contents var sourceDir = UtilsSystem.FindResourcePhysicalPath(typeof(IISDeployer), ".well-known"); UtilsSystem.CopyFilesRecursively(new DirectoryInfo(sourceDir), new DirectoryInfo(this.GetWellKnownSharedPathForApplication()), true); UtilsIis.CommitChanges(sm); } UtilsIis.WaitForSiteToBeAvailable(tempSiteName, this.Logger); UtilsIis.ConfigureAnonymousAuthForIisApplication(tempSiteName, this.Deployment.WindowsUsernameFqdn(), this.Deployment.GetWindowsPassword()); IAcmeSharpProvider provider = null; try { this.AppPoolUtils.WebsiteAction(tempSiteName, AppPoolActionType.Start); // Check that the site does work using the local binding var testDataUrl = $"http://{tempHostName}/.well-known/acme-challenge/test.html"; this.Logger.LogInfo(true, "Validating local challenge setup at: {0}", testDataUrl); if (!string.Equals(UtilsSystem.DownloadUriAsText(testDataUrl), "test data")) { throw new Exception($"Could not locally validate acme challenge site setup at {testDataUrl}"); } // Ssl registration configuration only depends on the e-mail and is signed as such string sslSignerAndRegistrationStoragePath = UtilsSystem.EnsureDirectoryExists( UtilsSystem.CombinePaths(this.StoragePath, "_ssl_config", StringFormating.Instance.ExtremeClean(email)), true); // Initialize the provider bool useMockProvider = this.MockEnvironment || forceSelfSigned; provider = useMockProvider ? (IAcmeSharpProvider) new AcmeSharpProviderMock(this.Logger, tempHostName) : this.GetAcmeProvider(this.Logger, hostName); var signerPath = Path.Combine(this.StoragePath, "_signer.xml"); var registrationPath = Path.Combine(sslSignerAndRegistrationStoragePath, "registration.json"); provider.InitRegistration(signerPath, registrationPath, email); string challengeUrl; string challengeContent; string challengeFilePath; try { provider.GenerateHttpChallenge( out challengeUrl, out challengeContent, out challengeFilePath); } catch (AcmeClient.AcmeWebException acmeException) { if (acmeException.Message.Contains("429")) { int waitHours = 1; this.SimpleStoreRenewalStatus.Set("ssl-certificate-provider-too-many-requests", true, 60 * waitHours); this.Logger.LogError("Let's encrypt too many requests issue. Certificate provisioning disabled for the next {0} hours.", waitHours); this.Logger.LogException(acmeException, EventLogEntryType.Warning); return; } throw; } // Write the challanege contents string challengeFullPath = Path.Combine(this.GetAcmeTemporarySiteRootForApplication(), challengeFilePath); File.WriteAllText( challengeFullPath, challengeContent); this.Logger.LogInfo(false, $"Veryfing challenge at '{challengeUrl}'"); try { // Validate that we can actually access the challenge ourselves! string contents = UtilsSystem.DownloadUriAsText(challengeUrl, false); if (!string.Equals(contents, challengeContent)) { throw new Exception( $"Could not validate ACME challenge, retrieved challenge '{contents}' does not match '{challengeContent}'"); } } catch (Exception e) { this.Logger.LogWarning(true, "Cannot self-verify auth challenge, this can sometimes happeen under some DNS setups. {0}", e.Message + Environment.NewLine + e.InnerException?.Message); } var challengeValidated = false; try { challengeValidated = provider.ValidateChallenge(); } catch (Exception e) { this.Logger.LogException(e, EventLogEntryType.Warning); } this.Logger.LogWarning(true, "Remote challenge validation success: " + (challengeValidated ? "Yes" : "No")); // Download the certificates to this temp location string temporaryCertificatePath = UtilsSystem.EnsureDirectoryExists(UtilsSystem.CombinePaths(this.StoragePath, this.AppId, "ssl_certificates", hostName), true); CertificatePaths certificatepaths = null; // This is here for testing purposes if (Environment.GetEnvironmentVariable("TEST_FAIL_CHALLENGE_VALIDATION") == true.ToString()) { challengeValidated = false; } if (!challengeValidated) { // There is a Failed Validation limit of 5 failures per account, per hostname, per hour. renewalState.FailedValidations = renewalState.FailedValidations ?? new List <DateTime>(); renewalState.FailedValidations.Add(DateTime.UtcNow); this.Logger.LogError( "Challenge could not be validated at '{0}'. If behind a load balancer, make sure that the site is deployed in ALL nodes, remove the self-signed certificate from the store and redeploy the application.", challengeUrl); this.StoreCertificateRenewalState(renewalState); } else { try { certificatepaths = provider.DownloadCertificate( UtilsEncryption.GetMD5(hostName), hostName, temporaryCertificatePath); } catch (AcmeClient.AcmeWebException acmeException) { this.Logger.LogException(acmeException, EventLogEntryType.Warning); } catch (WebException webException) { this.Logger.LogException(webException, EventLogEntryType.Warning); } catch (Exception e) { this.Logger.LogException(e, EventLogEntryType.Warning); } } if (certificatepaths == null && currentCertificate == null) { this.Logger.LogWarning(false, "Unable to acquire certificate and site does not have a valid existing one, using self-signed fallback."); provider = new AcmeSharpProviderMock(this.Logger, hostName); certificatepaths = provider.DownloadCertificate( UtilsEncryption.GetMD5(hostName), hostName, temporaryCertificatePath); } // Save this, use a fixed name certificate file if (certificatepaths != null) { string certificateFilePath = Path.Combine(UtilsIis.CentralStorePath(this.Logger), hostName + ".pfx"); UtilsSystem.RetryWhile( () => { File.Copy(certificatepaths.pfxPemFile, certificateFilePath, true); }, (e) => true, 2500, this.Logger); this.Logger.LogInfo(false, "Certificate file writen to '{0}'", certificateFilePath); // TODO: Activate this refreshing when it's prooved to work // UtilsIis.EnsureCertificateInCentralCertificateStoreIsRebound(hostName, this.Logger); } // Remove temporary certificates UtilsSystem.DeleteDirectory(temporaryCertificatePath, this.Logger); // Remove the already used challenge if it was validated. Otherwise keep it // for debugging purposes. if (challengeValidated && File.Exists(challengeFullPath)) { File.Delete(challengeFullPath); } // In the end, we always have a certificate. Program a renewal date according to the remaining expiration. currentCertificate = UtilsIis.FindCertificateInCentralCertificateStore(hostName, this.Logger, out _); remainingCertificateDays = (currentCertificate?.NotAfter - DateTime.Now)?.TotalDays ?? 0; // Add some randomness in renewal dates to avoid all certificates being renewed at once and reaching api limits renewalState.LastRenewal = DateTime.UtcNow; renewalState.NextRenewal = this.CalculateNextRenewalAttempt(hostName, (int)remainingCertificateDays); this.StoreCertificateRenewalState(renewalState); } finally { this.Logger.LogInfo(true, "Disposing temporary verification setup"); provider?.Dispose(); this.UtilsHosts.RemoveHostsMapping(tempSiteAppId); // Restore the original state of IIS!!! using (ServerManager sm = new ServerManager()) { var site = sm.Sites.Single(i => i.Id == tempSiteId); UtilsIis.RemoveSite(site, sm, this.Logger); UtilsIis.CommitChanges(sm); } // Give IIS some time to reconfigure itself and free resources. Thread.Sleep(1000); // Start the sites foreach (var site in haltedSites) { // Add some retry logic here because bringing the original sites online is critical UtilsSystem.RetryWhile(() => { this.AppPoolUtils.WebsiteAction(site.Name, AppPoolActionType.Start); }, (e) => true, 5000, this.Logger); } } }
/// <summary> /// Generate a certificate request /// </summary> /// <param name="certificatename"></param> /// <param name="mainhost">Main host: www.google.com</param> /// <param name="certificatePath">Path to store the generated certificates</param> /// <param name="alternatehosts">Alterante hosts: list of alterante hosts for this certificate</param> /// <returns></returns> public CertificatePaths DownloadCertificate( string certificatename, string mainhost, string certificatePath, List <string> alternatehosts = null) { if (alternatehosts != null && alternatehosts.Any()) { throw new NotSupportedException("Alternate host provisioning not supported yet."); } List <string> allDnsIdentifiers = new List <string>() { mainhost }; if (alternatehosts != null) { allDnsIdentifiers.AddRange(alternatehosts); } // Tomado de app.config var rsaKeyBits = 2048; // 1024;// if (Environment.Is64BitProcess) { CertificateProvider.RegisterProvider(typeof(ACMESharp.PKI.Providers.OpenSslLib64Provider)); } else { CertificateProvider.RegisterProvider(typeof(ACMESharp.PKI.Providers.OpenSslLib32Provider)); } var cp = CertificateProvider.GetProvider(); var rsaPkp = new RsaPrivateKeyParams(); try { if (rsaKeyBits >= 1024) { rsaPkp.NumBits = rsaKeyBits; // Log.Debug("RSAKeyBits: {RSAKeyBits}", Properties.Settings.Default.RSAKeyBits); } else { // Log.Warning( // "RSA Key Bits less than 1024 is not secure. Letting ACMESharp default key bits. http://openssl.org/docs/manmaster/crypto/RSA_generate_key_ex.html"); } } catch (Exception ex) { this.Logger.LogInfo(true, $"Unable to set RSA Key Bits, Letting ACMESharp default key bits, Error: {ex.Message.ToString()}"); } var rsaKeys = cp.GeneratePrivateKey(rsaPkp); var csrDetails = new CsrDetails { CommonName = allDnsIdentifiers[0] }; if (alternatehosts != null) { if (alternatehosts.Count > 0) { csrDetails.AlternativeNames = alternatehosts; } } var csrParams = new CsrParams { Details = csrDetails, }; var csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256); byte[] derRaw; using (var bs = new MemoryStream()) { cp.ExportCsr(csr, EncodingFormat.DER, bs); derRaw = bs.ToArray(); } var derB64U = JwsHelper.Base64UrlEncode(derRaw); this.Logger.LogInfo(true, $"Requesting Certificate"); // Log.Information("Requesting Certificate"); var certRequ = this.AcmeClient.RequestCertificate(derB64U); // Log.Debug("certRequ {@certRequ}", certRequ); this.Logger.LogInfo(true, $"Request Status: {certRequ.StatusCode}"); if (certRequ.StatusCode != System.Net.HttpStatusCode.Created) { throw new Exception($"Could not create certificate request, response code: = {certRequ.StatusCode}"); } var keyGenFile = Path.Combine(certificatePath, $"{certificatename}-gen-key.json"); var keyPemFile = Path.Combine(certificatePath, $"{certificatename}-key.pem"); var csrGenFile = Path.Combine(certificatePath, $"{certificatename}-gen-csr.json"); var csrPemFile = Path.Combine(certificatePath, $"{certificatename}-csr.pem"); var crtDerFile = Path.Combine(certificatePath, $"{certificatename}-crt.der"); var crtPemFile = Path.Combine(certificatePath, $"{certificatename}-crt.pem"); var chainPemFile = Path.Combine(certificatePath, $"{certificatename}-chain.pem"); var pfxPemFile = Path.Combine(certificatePath, $"{certificatename}.pfx"); using (var fs = new FileStream(keyGenFile, FileMode.Create)) { cp.SavePrivateKey(rsaKeys, fs); } using (var fs = new FileStream(keyPemFile, FileMode.Create)) { cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs); } using (var fs = new FileStream(csrGenFile, FileMode.Create)) { cp.SaveCsr(csr, fs); } using (var fs = new FileStream(csrPemFile, FileMode.Create)) { cp.ExportCsr(csr, EncodingFormat.PEM, fs); } this.Logger.LogInfo(true, $"Saving Certificate to {crtDerFile}"); // Log.Information("Saving Certificate to {crtDerFile}", crtDerFile); using (var file = File.Create(crtDerFile)) { certRequ.SaveCertificate(file); } Crt crt; using (FileStream source = new FileStream(crtDerFile, FileMode.Open), target = new FileStream(crtPemFile, FileMode.Create)) { crt = cp.ImportCertificate(EncodingFormat.DER, source); cp.ExportCertificate(crt, EncodingFormat.PEM, target); } cp.Dispose(); var ret = new CertificatePaths() { chainPemFile = chainPemFile, crtDerFile = crtDerFile, crtPemFile = crtPemFile, csrGenFile = csrGenFile, csrPemFile = csrPemFile, keyGenFile = keyGenFile, keyPemFile = keyPemFile, name = certificatename, pfxPemFile = pfxPemFile }; // Generate the PFX version manually UtilsCertificate.CreatePfXfromPem(ret.crtPemFile, ret.keyPemFile, ret.pfxPemFile, null); return(ret); }