Don't handle ACME root certs
They change over time, and certificates issued nowadays already come bundled with their chain.
This commit is contained in:
parent
e40e65bd62
commit
4392e65f3f
5 changed files with 14 additions and 82 deletions
|
|
@ -1,12 +1,11 @@
|
|||
use crate::command_runner::{SetuidCommandRunner, StdCommandRunner};
|
||||
use crate::resources::{
|
||||
AcmeAccountKey, AcmeChallengesDir, AcmeChallengesNginxSnippet, AcmeRootCert, AcmeUser, Cert,
|
||||
AcmeAccountKey, AcmeChallengesDir, AcmeChallengesNginxSnippet, AcmeUser, Cert,
|
||||
CertChain, Cron, Csr, DefaultServer, Dir, File, GitCheckout, Key, KeyAndCertBundle,
|
||||
LoadedDirectory, MariaDbDatabase, MariaDbUser, NpmInstall, Owner, PhpFpmPool, PostgresqlDatabase,
|
||||
Resource, ServeCustom, ServePhp, ServeRedir, ServeService, ServeStatic, StoredDirectory,
|
||||
SystemdSocketService, User, UserForDomain, WordpressPlugin, WordpressTranslation,
|
||||
};
|
||||
use crate::static_files::LETS_ENCRYPT_R3;
|
||||
use crate::storage::SimpleStorage;
|
||||
use crate::storage::Storage;
|
||||
use crate::symbols::acme::Cert as CertSymbol;
|
||||
|
|
@ -99,7 +98,6 @@ impl<D: Clone> ImplementationBuilder<Csr<D>> for DefaultBuilder {
|
|||
impl<D: Clone> ImplementationBuilder<Cert<D>> for DefaultBuilder {
|
||||
type Prerequisites = (
|
||||
Csr<D>,
|
||||
AcmeRootCert,
|
||||
AcmeAccountKey,
|
||||
AcmeChallengesDir,
|
||||
AcmeUser,
|
||||
|
|
@ -108,7 +106,6 @@ impl<D: Clone> ImplementationBuilder<Cert<D>> for DefaultBuilder {
|
|||
fn prerequisites(resource: &Cert<D>) -> Self::Prerequisites {
|
||||
(
|
||||
Csr(resource.0.clone()),
|
||||
AcmeRootCert,
|
||||
AcmeAccountKey,
|
||||
AcmeChallengesDir,
|
||||
AcmeUser,
|
||||
|
|
@ -121,12 +118,11 @@ impl<D: Clone> ImplementationBuilder<Cert<D>> for DefaultBuilder {
|
|||
fn create(
|
||||
resource: &Cert<D>,
|
||||
target: &<Cert<D> as Resource>::Artifact,
|
||||
(csr, root_cert, account_key, challenges_dir, (user_name, _), _): <Self::Prerequisites as ToArtifact>::Artifact,
|
||||
(csr, account_key, challenges_dir, (user_name, _), _): <Self::Prerequisites as ToArtifact>::Artifact,
|
||||
) -> Self::Implementation {
|
||||
CertSymbol::new(
|
||||
resource.0.clone(),
|
||||
SetuidCommandRunner::new(user_name.0),
|
||||
root_cert.clone_rc(),
|
||||
account_key.clone_rc(),
|
||||
challenges_dir.clone_rc(),
|
||||
csr.clone_rc(),
|
||||
|
|
@ -136,18 +132,18 @@ impl<D: Clone> ImplementationBuilder<Cert<D>> for DefaultBuilder {
|
|||
}
|
||||
|
||||
impl<D: Clone> ImplementationBuilder<CertChain<D>> for DefaultBuilder {
|
||||
type Prerequisites = (Cert<D>, AcmeRootCert);
|
||||
type Prerequisites = Cert<D>;
|
||||
fn prerequisites(resource: &CertChain<D>) -> Self::Prerequisites {
|
||||
(Cert(resource.0.clone()), AcmeRootCert)
|
||||
Cert(resource.0.clone())
|
||||
}
|
||||
|
||||
type Implementation = ConcatSymbol<[Rc<Path>; 2], Rc<Path>, Rc<Path>>;
|
||||
type Implementation = ConcatSymbol<[Rc<Path>; 1], Rc<Path>, Rc<Path>>;
|
||||
fn create(
|
||||
_resource: &CertChain<D>,
|
||||
target: &<CertChain<D> as Resource>::Artifact,
|
||||
(cert, root_cert): <Self::Prerequisites as ToArtifact>::Artifact,
|
||||
cert: <Self::Prerequisites as ToArtifact>::Artifact,
|
||||
) -> Self::Implementation {
|
||||
ConcatSymbol::new([cert.clone_rc(), root_cert.clone_rc()], target.clone_rc())
|
||||
ConcatSymbol::new([cert.clone_rc()], target.clone_rc())
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -667,20 +663,6 @@ impl ImplementationBuilder<AcmeAccountKey> for DefaultBuilder {
|
|||
}
|
||||
}
|
||||
|
||||
impl ImplementationBuilder<AcmeRootCert> for DefaultBuilder {
|
||||
type Prerequisites = ();
|
||||
fn prerequisites(_resource: &AcmeRootCert) -> Self::Prerequisites {}
|
||||
|
||||
type Implementation = FileSymbol<Rc<Path>, &'static str>;
|
||||
fn create(
|
||||
_resource: &AcmeRootCert,
|
||||
target: &<AcmeRootCert as Resource>::Artifact,
|
||||
(): <Self::Prerequisites as ToArtifact>::Artifact,
|
||||
) -> Self::Implementation {
|
||||
FileSymbol::new(target.clone_rc(), LETS_ENCRYPT_R3)
|
||||
}
|
||||
}
|
||||
|
||||
impl<D> ImplementationBuilder<MariaDbUser<D>> for DefaultBuilder {
|
||||
type Prerequisites = ();
|
||||
fn prerequisites(_resource: &MariaDbUser<D>) -> Self::Prerequisites {}
|
||||
|
|
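Review bot: The `CertChain` builder's new `type Implementation = ConcatSymbol<[Rc<Path>; 1], Rc<Path>, Rc<Path>>;` is a one-element concatenation, i.e. a plain copy of the `Cert` artifact into the chain target, so `CertChain` no longer adds any link over `Cert` and a reader of `ConcatSymbol::new([cert.clone_rc()], target.clone_rc())` will wonder why the resource survives. That deserves a comment on the `type Implementation` line, e.g. `// Issued certs already carry their intermediate, so the chain is the cert itself; CertChain is kept as a separate artifact so existing consumers of the chain path keep working — confirm against callers`, hedged because those consumers are outside this view. The same reasoning applies to the `Cert<D>` builder above it: with `root_cert` gone from the `CertSymbol::new` call, no trust anchor is passed down from this file any more, and whatever verification the symbol performs now depends on the host rather than on a managed file.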
|
|||
|
|
@ -3,7 +3,7 @@ use crate::artifacts::{
|
|||
UserName as UserNameArtifact,
|
||||
};
|
||||
use crate::resources::{
|
||||
AcmeAccountKey, AcmeChallengesDir, AcmeChallengesNginxSnippet, AcmeRootCert, AcmeUser, Cert,
|
||||
AcmeAccountKey, AcmeChallengesDir, AcmeChallengesNginxSnippet, AcmeUser, Cert,
|
||||
CertChain, Cron, Csr, DefaultServer, Dir, File, GitCheckout, Key, KeyAndCertBundle,
|
||||
LoadedDirectory, MariaDbDatabase, MariaDbUser, NpmInstall, Owner, PhpFpmPool, PostgresqlDatabase,
|
||||
Resource, ServeCustom, ServePhp, ServeRedir, ServeService, ServeStatic, StoredDirectory,
|
||||
|
|
@ -237,20 +237,6 @@ impl<P: Policy> ResourceLocator<AcmeChallengesNginxSnippet> for DefaultLocator<P
|
|||
}
|
||||
}
|
||||
|
||||
impl<P: Policy> ResourceLocator<AcmeRootCert> for DefaultLocator<P> {
|
||||
type Prerequisites = Dir<Rc<Path>>;
|
||||
fn locate(
|
||||
_resource: &AcmeRootCert,
|
||||
) -> (<AcmeRootCert as Resource>::Artifact, Self::Prerequisites) {
|
||||
let acme_user = P::acme_user();
|
||||
let home = P::user_home(acme_user);
|
||||
(
|
||||
PathArtifact::from(home.join("lets_encrypt_r3.pem")),
|
||||
Dir(home),
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
impl<P: Policy, D: AsRef<str>> ResourceLocator<UserForDomain<D>> for DefaultLocator<P> {
|
||||
type Prerequisites = ();
|
||||
fn locate(
|
||||
|
|
|
|||
|
|
@ -94,12 +94,6 @@ impl Resource for AcmeUser {
|
|||
type Artifact = (UserNameArtifact, PathArtifact);
|
||||
}
|
||||
|
||||
#[derive(Debug, Hash, PartialEq, Eq)]
|
||||
pub struct AcmeRootCert;
|
||||
impl Resource for AcmeRootCert {
|
||||
type Artifact = PathArtifact;
|
||||
}
|
||||
|
||||
#[derive(Debug, Hash, PartialEq, Eq)]
|
||||
pub struct AcmeChallengesDir;
|
||||
impl Resource for AcmeChallengesDir {
|
||||
|
|
@ -348,7 +342,6 @@ default_resources!(
|
|||
AcmeAccountKey: AcmeAccountKey,
|
||||
AcmeChallengesDir: AcmeChallengesDir,
|
||||
AcmeChallengesNginxSnippet: AcmeChallengesNginxSnippet,
|
||||
AcmeRootCert: AcmeRootCert,
|
||||
AcmeUser: AcmeUser,
|
||||
Cert: Cert<D>,
|
||||
CertChain: CertChain<D>,
|
||||
|
|
|
|||
|
|
@ -12,7 +12,6 @@ use std::path::Path;
|
|||
pub struct Cert<_C, C, D, P> {
|
||||
domain: D,
|
||||
command_runner: C,
|
||||
root_cert_path: P,
|
||||
account_key_path: P,
|
||||
challenges_path: P,
|
||||
csr_path: P,
|
||||
|
|
@ -24,7 +23,6 @@ impl<_C, C, D, P> Cert<_C, C, D, P> {
|
|||
pub fn new(
|
||||
domain: D,
|
||||
command_runner: C,
|
||||
root_cert_path: P,
|
||||
account_key_path: P,
|
||||
challenges_path: P,
|
||||
csr_path: P,
|
||||
|
|
@ -33,7 +31,6 @@ impl<_C, C, D, P> Cert<_C, C, D, P> {
|
|||
Self {
|
||||
domain,
|
||||
command_runner,
|
||||
root_cert_path,
|
||||
account_key_path,
|
||||
challenges_path,
|
||||
csr_path,
|
||||
|
|
@ -84,8 +81,12 @@ impl<_C: CommandRunner, C: Borrow<_C>, D: AsRef<str>, P: AsRef<Path>> Symbol for
|
|||
"openssl",
|
||||
args![
|
||||
"verify",
|
||||
"--untrusted",
|
||||
self.root_cert_path.as_ref(),
|
||||
// Since the cert file includes the intermediate,
|
||||
// this pulls the intermediate into the verification chain
|
||||
// without trusting it
|
||||
"-untrusted",
|
||||
self.cert_path.as_ref(),
|
||||
// Only the first cert in the cert file is verified
|
||||
self.cert_path.as_ref(),
|
||||
],
|
||||
)
|
||||
|
|
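Review bot: After dropping `"--untrusted", self.root_cert_path.as_ref()`, the `openssl verify` invocation in this hunk passes no `-CAfile`/`-CApath`, so the issued certificate is now anchored at whatever the host's default OpenSSL trust store contains instead of a pinned root; unless a CA argument is supplied outside the hunk, a host whose ca-certificates package is stale (missing the Let's Encrypt root) makes this step reject a valid certificate, and the check is only as strong as that store. That dependency is worth stating next to `"verify",`, e.g. `// Chain is anchored at the system trust store (no -CAfile); the host's ca-certificates must be current`. The `-untrusted <cert_path>` usage itself is right: the bundled intermediate is offered as an untrusted link only, as the added comment says. The enclosing `Symbol` impl method starts and ends outside the hunk.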
|
|||