envoy: support autocert (#695)

* envoy: support autocert

* envoy: fallback to http host routing if sni fails to match

* update comment

* envoy: renew certs when necessary

* fix tests
This commit is contained in:
Caleb Doxsey 2020-05-13 13:07:04 -06:00 committed by Travis Groth
parent 0c1ac5a575
commit dccec1e646
18 changed files with 689 additions and 391 deletions

View file

@ -1,103 +1,51 @@
package cryptutil
import (
"context"
"crypto/tls"
"fmt"
"net/http"
"crypto/x509"
"github.com/caddyserver/certmagic"
"github.com/go-acme/lego/v3/challenge/tlsalpn01"
)
// NewAutocert automatically retrieves public certificates from the free
// certificate authority Let's Encrypt using HTTP-01 and TLS-ALPN-01 challenges.
// To complete the challenges, the server must be accessible from the internet
// by port 80 or 443 .
//
// https://letsencrypt.org/docs/challenge-types/#http-01-challenge
// https://letsencrypt.org/docs/challenge-types/#tls-alpn-01
func NewAutocert(tlsConfig *tls.Config, hostnames []string, useStaging bool, path string) (*tls.Config, func(h http.Handler) http.Handler, error) {
certmagic.DefaultACME.Agreed = true
if useStaging {
certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA
}
cm := certmagic.NewDefault()
tlsConfig = newTLSConfigIfEmpty(tlsConfig)
// add existing certs to the cache, and staple OCSP
for _, cert := range tlsConfig.Certificates {
if err := cm.CacheUnmanagedTLSCertificate(cert, nil); err != nil {
return nil, nil, fmt.Errorf("cryptutil: failed caching cert: %w", err)
// GetCertificateForDomain returns the tls Certificate which matches the given domain name.
// It should handle both exact matches and wildcard matches. If none of those match, the first certificate will be used.
// Finally if there are no matching certificates one will be generated.
func GetCertificateForDomain(certificates []tls.Certificate, domain string) (*tls.Certificate, error) {
// first try a direct name match
for _, cert := range certificates {
if matchesDomain(&cert, domain) {
return &cert, nil
}
}
cm.Storage = &certmagic.FileStorage{Path: path}
acmeConfig := certmagic.NewACMEManager(cm, certmagic.DefaultACME)
cm.Issuer = acmeConfig
// todo(bdd) : add cancellation context?
if err := cm.ManageAsync(context.TODO(), hostnames); err != nil {
return nil, nil, fmt.Errorf("cryptutil: sync failed: %w", err)
// next use the first cert
if len(certificates) > 0 {
return &certificates[0], nil
}
tlsConfig.GetCertificate = cm.GetCertificate
tlsConfig.NextProtos = append(tlsConfig.NextProtos, tlsalpn01.ACMETLS1Protocol)
tlsConfig.BuildNameToCertificate()
return tlsConfig, acmeConfig.HTTPChallengeHandler, nil
// finally fall back to a generated, self-signed certificate
return GenerateSelfSignedCertificate(domain)
}
// TLSConfigFromBase64 returns an tls configuration from a base64 encoded blob.
func TLSConfigFromBase64(tlsConfig *tls.Config, cert, key string) (*tls.Config, error) {
tlsConfig = newTLSConfigIfEmpty(tlsConfig)
c, err := CertifcateFromBase64(cert, key)
func matchesDomain(cert *tls.Certificate, domain string) bool {
if cert == nil || len(cert.Certificate) == 0 {
return false
}
xcert, err := x509.ParseCertificate(cert.Certificate[0])
if err != nil {
return nil, err
return false
}
tlsConfig.Certificates = append(tlsConfig.Certificates, *c)
tlsConfig.BuildNameToCertificate()
return tlsConfig, nil
}
// TLSConfigFromFile returns an tls configuration from a certificate and
// key file .
func TLSConfigFromFile(tlsConfig *tls.Config, cert, key string) (*tls.Config, error) {
tlsConfig = newTLSConfigIfEmpty(tlsConfig)
c, err := CertificateFromFile(cert, key)
if err != nil {
return nil, err
if certmagic.MatchWildcard(domain, xcert.Subject.CommonName) {
return true
}
tlsConfig.Certificates = append(tlsConfig.Certificates, *c)
tlsConfig.BuildNameToCertificate()
return tlsConfig, nil
}
// newTLSConfigIfEmpty returns an opinionated TLS configuration if config is nil.
// See :
// https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
// https://blog.cloudflare.com/exposing-go-on-the-internet/
// https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
// https://github.com/golang/go/blob/df91b8044dbe790c69c16058330f545be069cc1f/src/crypto/tls/common.go#L919
func newTLSConfigIfEmpty(tlsConfig *tls.Config) *tls.Config {
if tlsConfig != nil {
return tlsConfig
}
return &tls.Config{
MinVersion: tls.VersionTLS12,
// Prioritize cipher suites sped up by AES-NI (AES-GCM)
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
},
PreferServerCipherSuites: true,
// Use curves which have assembly implementations
CurvePreferences: []tls.CurveID{
tls.X25519,
tls.CurveP256,
},
// HTTP/2 must be enabled manually when using http.Serve
NextProtos: []string{"h2", "http/1.1"},
for _, san := range xcert.DNSNames {
if certmagic.MatchWildcard(domain, san) {
return true
}
}
return false
}