public void Install(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain,
IPkiTool cp)
{
AssertNotDisposed();
string pkPem;
using (var ms = new MemoryStream())
{
cp.ExportPrivateKey(pk, EncodingFormat.PEM, ms);
pkPem = Encoding.UTF8.GetString(ms.ToArray());
}
string crtPem;
using (var ms = new MemoryStream())
{
cp.ExportCertificate(crt, EncodingFormat.PEM, ms);
crtPem = Encoding.UTF8.GetString(ms.ToArray());
}
string chainPem = null;
if (chain != null)
{
using (var ms = new MemoryStream())
{
foreach (var c in chain)
{
cp.ExportCertificate(c, EncodingFormat.PEM, ms);
}
chainPem = Encoding.UTF8.GetString(ms.ToArray());
}
}
using (var client = new AmazonIdentityManagementServiceClient(
CommonParams.ResolveCredentials(),
CommonParams.RegionEndpoint))
{
var iamRequ = new UploadServerCertificateRequest
{
PrivateKey = pkPem,
CertificateBody = crtPem,
CertificateChain = chainPem,
ServerCertificateName = this.ServerCertificateName,
Path = this.Path
};
var iamResp = client.UploadServerCertificate(iamRequ);
// TODO: any checks we should do?
}
}
private void EditFile(HttpChallenge httpChallenge, bool delete, TextWriter msg)
{
var filePath = httpChallenge.FilePath;
// We need to strip off any leading '/' in the path or
// else it creates a path with an empty leading segment
if (filePath.StartsWith("/"))
{
filePath = filePath.Substring(1);
}
using (var s3 = new Amazon.S3.AmazonS3Client(
CommonParams.ResolveCredentials(),
CommonParams.RegionEndpoint))
{
if (delete)
{
LOG.Debug("Deleting S3 object at Bucket [{0}] and Key [{1}]", BucketName, filePath);
var s3Requ = new Amazon.S3.Model.DeleteObjectRequest
{
BucketName = BucketName,
Key = filePath,
};
var s3Resp = s3.DeleteObject(s3Requ);
if (LOG.IsDebugEnabled)
{
LOG.Debug("Delete response: [{0}]",
NLog.Targets.DefaultJsonSerializer.Instance.SerializeObject(s3Resp));
}
msg.WriteLine("* Challenge Response has been deleted from S3");
msg.WriteLine(" at Bucket/Key: [{0}/{1}]", BucketName, filePath);
}
else
{
var s3Requ = new Amazon.S3.Model.PutObjectRequest
{
BucketName = BucketName,
Key = filePath,
ContentBody = httpChallenge.FileContent,
ContentType = ContentType,
CannedACL = S3CannedAcl,
};
var s3Resp = s3.PutObject(s3Requ);
msg.WriteLine("* Challenge Response has been written to S3");
msg.WriteLine(" at Bucket/Key: [{0}/{1}]", BucketName, filePath);
msg.WriteLine("* Challenge Response should be accessible with a MIME type of [text/json]");
msg.WriteLine(" at: [{0}]", httpChallenge.FileUrl);
}
}
}
public void Uninstall(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain,
IPkiTool cp)
{
AssertNotDisposed();
using (var client = new AmazonIdentityManagementServiceClient(
CommonParams.ResolveCredentials(),
CommonParams.RegionEndpoint))
{
var iamRequ = new DeleteServerCertificateRequest
{
ServerCertificateName = this.ServerCertificateName,
};
var iamResp = client.DeleteServerCertificate(iamRequ);
// TODO: any checks we should do?
}
}
private void EditFile(HttpChallenge httpChallenge, bool delete)
{
var filePath = httpChallenge.FilePath;
// We need to strip off any leading '/' in the path or
// else it creates a path with an empty leading segment
if (filePath.StartsWith("/"))
{
filePath = filePath.Substring(1);
}
using (var s3 = new Amazon.S3.AmazonS3Client(
CommonParams.ResolveCredentials(),
CommonParams.RegionEndpoint))
{
if (delete)
{
var s3Requ = new Amazon.S3.Model.DeleteObjectRequest
{
BucketName = BucketName,
Key = filePath,
};
var s3Resp = s3.DeleteObject(s3Requ);
}
else
{
var s3Requ = new Amazon.S3.Model.PutObjectRequest
{
BucketName = BucketName,
Key = filePath,
ContentBody = httpChallenge.FileContent,
ContentType = ContentType,
CannedACL = S3CannedAcl,
};
var s3Resp = s3.PutObject(s3Requ);
}
}
}
public void Install(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain,
IPkiTool cp)
{
AssertNotDisposed();
if (CertInstaller != null)
{
CertInstaller.Install(pk, crt, chain, cp);
ExistingServerCertificateName = CertInstaller.ServerCertificateName;
// Now that the cert has been installed in IAM, we need to
// poll to see when it becomes effective because there could
// be a slight delay till it's available for reference
using (var client = new AmazonIdentityManagementServiceClient(
CommonParams.ResolveCredentials(),
CommonParams.RegionEndpoint))
{
var iamRequ = new GetServerCertificateRequest
{
ServerCertificateName = ExistingServerCertificateName,
};
var triesLeft = 10;
string arn = null;
while (triesLeft-- > 0)
{
try
{
var iamResp = client.GetServerCertificate(iamRequ);
arn = iamResp?.ServerCertificate?.ServerCertificateMetadata?.Arn;
if (!string.IsNullOrEmpty(arn))
{
break;
}
}
catch (Exception)
{
// TODO: integrate with logging to log some warnings
}
System.Threading.Thread.Sleep(10 * 1000);
}
if (string.IsNullOrEmpty(arn))
{
throw new InvalidOperationException("unable to resolve uploaded certificate");
}
}
}
string certArn;
using (var client = new AmazonIdentityManagementServiceClient(
CommonParams.ResolveCredentials(),
CommonParams.RegionEndpoint))
{
var iamRequ = new GetServerCertificateRequest
{
ServerCertificateName = ExistingServerCertificateName,
};
var iamResp = client.GetServerCertificate(iamRequ);
certArn = iamResp?.ServerCertificate?.ServerCertificateMetadata?.Arn;
}
if (string.IsNullOrEmpty(certArn))
{
throw new InvalidOperationException("unable to resolve server certificate against IAM store");
}
using (var client = new AmazonElasticLoadBalancingClient(
CommonParams.ResolveCredentials(),
CommonParams.RegionEndpoint))
{
// We've found through experience/experimentation that even if the
// cert is successfully installed and retrievable up above, it can
// still fail here temporarily till the ELB reference can resolve it
int triesLeft = 10;
Exception lastEx = null;
while (triesLeft-- > 0)
{
if (!string.IsNullOrEmpty(LoadBalancerProtocol))
{
var iamRequ = new CreateLoadBalancerListenersRequest
{
LoadBalancerName = this.LoadBalancerName,
Listeners = new List <Listener>
{
new Listener
{
LoadBalancerPort = this.LoadBalancerPort,
Protocol = this.LoadBalancerProtocol,
InstancePort = this.InstancePort,
InstanceProtocol = this.InstanceProtocol,
SSLCertificateId = certArn,
}
}
};
try
{
var iamResp = client.CreateLoadBalancerListeners(iamRequ);
// TODO: any checks we should do?
// Break out of the outer retry loop
lastEx = null;
break;
}
catch (Exception ex)
{
// TODO: integrate with logging to log some warnings
lastEx = ex;
}
}
else
{
var iamRequ = new SetLoadBalancerListenerSSLCertificateRequest
{
LoadBalancerName = this.LoadBalancerName,
LoadBalancerPort = this.LoadBalancerPort,
SSLCertificateId = certArn,
};
try
{
var iamResp = client.SetLoadBalancerListenerSSLCertificate(iamRequ);
// TODO: any checks we should do?
// Break out of the outer retry loop
lastEx = null;
break;
}
catch (Exception ex)
{
// TODO: integrate with logging to log some warnings
lastEx = ex;
}
}
System.Threading.Thread.Sleep(10 * 1000);
}
if (lastEx != null)
{
throw new InvalidOperationException(
"valid to create/update ELB listener with certificate reference", lastEx);
}
}
}