feat: let's encrypt

server/core/letsencrypt.js

@@ -0,0 +1,125 @@
+const ACME = require('acme')
+const Keypairs = require('@root/keypairs')
+const _ = require('lodash')
+const moment = require('moment')
+const CSR = require('@root/csr')
+const PEM = require('@root/pem')
+// eslint-disable-next-line node/no-deprecated-api
+const punycode = require('punycode')
+
+/* global WIKI */
+
+module.exports = {
+  apiDirectory: WIKI.dev ? 'https://acme-staging-v02.api.letsencrypt.org/directory' : 'https://acme-v02.api.letsencrypt.org/directory',
+  acme: null,
+  async init () {
+    if (!_.get(WIKI.config, 'letsencrypt.payload', false)) {
+      await this.requestCertificate()
+    } else if (WIKI.config.letsencrypt.domain !== WIKI.config.ssl.domain) {
+      WIKI.logger.info(`(LETSENCRYPT) Domain has changed. Requesting new certificates...`)
+      await this.requestCertificate()
+    } else if (moment(WIKI.config.letsencrypt.payload.expires).isSameOrBefore(moment().add(5, 'days'))) {
+      WIKI.logger.info(`(LETSENCRYPT) Certificate is about to or has expired, requesting a new one...`)
+      await this.requestCertificate()
+    } else {
+      WIKI.logger.info(`(LETSENCRYPT) Using existing certificate for ${WIKI.config.ssl.domain}, expires on ${WIKI.config.letsencrypt.payload.expires}: [ OK ]`)
+    }
+    WIKI.config.ssl.format = 'pem'
+    WIKI.config.ssl.inline = true
+    WIKI.config.ssl.key = WIKI.config.letsencrypt.serverKey
+    WIKI.config.ssl.cert = WIKI.config.letsencrypt.payload.cert + '\n' + WIKI.config.letsencrypt.payload.chain
+    WIKI.config.ssl.passphrase = null
+    WIKI.config.ssl.dhparam = null
+  },
+  async requestCertificate () {
+    try {
+      WIKI.logger.info(`(LETSENCRYPT) Initializing Let's Encrypt client...`)
+      this.acme = ACME.create({
+        maintainerEmail: WIKI.config.ssl.maintainerEmail,
+        packageAgent: `wikijs/${WIKI.version}`,
+        notify: (ev, msg) => {
+          if (_.includes(['warning', 'error'], ev)) {
+            WIKI.logger.warn(`${ev}: ${msg}`)
+          } else {
+            WIKI.logger.debug(`${ev}: ${JSON.stringify(msg)}`)
+          }
+        }
+      })
+
+      await this.acme.init(this.apiDirectory)
+
+      // -> Create ACME Subscriber account
+
+      if (!_.get(WIKI.config, 'letsencrypt.account', false)) {
+        WIKI.logger.info(`(LETSENCRYPT) Setting up account for the first time...`)
+        const accountKeypair = await Keypairs.generate({ kty: 'EC', format: 'jwk' })
+        const account = await this.acme.accounts.create({
+          subscriberEmail: WIKI.config.ssl.maintainerEmail,
+          agreeToTerms: true,
+          accountKey: accountKeypair.private
+        })
+        WIKI.config.letsencrypt = {
+          accountKeypair: accountKeypair,
+          account: account,
+          domain: WIKI.config.ssl.domain
+        }
+        await WIKI.configSvc.saveToDb(['letsencrypt'])
+        WIKI.logger.info(`(LETSENCRYPT) Account was setup successfully [ OK ]`)
+      }
+
+      // -> Create Server Keypair
+
+      if (!WIKI.config.letsencrypt.serverKey) {
+        WIKI.logger.info(`(LETSENCRYPT) Generating server keypairs...`)
+        const serverKeypair = await Keypairs.generate({ kty: 'RSA', format: 'jwk' })
+        WIKI.config.letsencrypt.serverKey = await Keypairs.export({ jwk: serverKeypair.private })
+        WIKI.logger.info(`(LETSENCRYPT) Server keypairs generated successfully [ OK ]`)
+      }
+
+      // -> Create CSR
+
+      WIKI.logger.info(`(LETSENCRYPT) Generating certificate signing request (CSR)...`)
+      const domains = [ punycode.toASCII(WIKI.config.ssl.domain) ]
+      const serverKey = await Keypairs.import({ pem: WIKI.config.letsencrypt.serverKey })
+      const csrDer = await CSR.csr({ jwk: serverKey, domains, encoding: 'der' })
+      const csr = PEM.packBlock({ type: 'CERTIFICATE REQUEST', bytes: csrDer })
+      WIKI.logger.info(`(LETSENCRYPT) CSR generated successfully [ OK ]`)
+
+      // -> Verify Domain + Get Certificate
+
+      WIKI.logger.info(`(LETSENCRYPT) Requesting certificate from Let's Encrypt...`)
+      const certResp = await this.acme.certificates.create({
+        account: WIKI.config.letsencrypt.account,
+        accountKey: WIKI.config.letsencrypt.accountKeypair.private,
+        csr,
+        domains,
+        challenges: {
+          'http-01': {
+            init () {},
+            set (data) {
+              WIKI.logger.info(`(LETSENCRYPT) Setting HTTP challenge for ${data.challenge.hostname}: [ READY ]`)
+              WIKI.config.letsencrypt.challenge = data.challenge
+              WIKI.logger.info(`(LETSENCRYPT) Waiting for challenge to complete...`)
+              return null // <- this is needed, cannot be undefined
+            },
+            get (data) {
+              return WIKI.config.letsencrypt.challenge
+            },
+            async remove (data) {
+              WIKI.logger.info(`(LETSENCRYPT) Removing HTTP challenge: [ OK ]`)
+              WIKI.config.letsencrypt.challenge = null
+              return null // <- this is needed, cannot be undefined
+            }
+          }
+        }
+      })
+      WIKI.logger.info(`(LETSENCRYPT) New certifiate received successfully: [ COMPLETED ]`)
+      WIKI.config.letsencrypt.payload = certResp
+      WIKI.config.letsencrypt.domain = WIKI.config.ssl.domain
+      await WIKI.configSvc.saveToDb(['letsencrypt'])
+    } catch (err) {
+      WIKI.logger.warn(`(LETSENCRYPT) ${err}`)
+      throw err
+    }
+  }
+}