mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-14 23:28:52 +00:00
feat(m28+m29+m30): ACME ARI, email digest, and Helm chart
M28: ACME Renewal Information (RFC 9702) — CA-directed renewal timing with cert ID computation, directory endpoint discovery, graceful degradation for non-ARI CAs. 19 tests. M29: Email notifier wiring + scheduled certificate digest — SMTP connector bridged to service layer via NotifierAdapter, DigestService with HTML email template, 7th scheduler loop (24h), digest preview/send API endpoints and GUI card. 21 tests. M30: Production-ready Helm chart — server Deployment, PostgreSQL StatefulSet, agent DaemonSet, ConfigMaps, Secrets, Ingress, security contexts, health probes, example values for dev/prod/ACME scenarios. Also: OpenAPI spec updates, MCP tool additions, CI helm-lint job, documentation updates across 5 doc files and README. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
shankar0123
@@ -0,0 +1,167 @@
|
||||
package acme
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/shankar0123/certctl/internal/connector/issuer"
|
||||
)
|
||||
|
||||
// GetRenewalInfo retrieves ACME Renewal Information (ARI) per RFC 9702 for a certificate.
|
||||
// certPEM is the PEM-encoded certificate. Returns nil, nil if the CA does not support ARI.
|
||||
func (c *Connector) GetRenewalInfo(ctx context.Context, certPEM string) (*issuer.RenewalInfoResult, error) {
|
||||
if !c.config.ARIEnabled {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
if err := c.ensureClient(ctx); err != nil {
|
||||
return nil, fmt.Errorf("ACME client init: %w", err)
|
||||
}
|
||||
|
||||
// Parse the certificate to compute the ARI certificate ID
|
||||
certID, err := computeARICertID(certPEM)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to compute ARI cert ID: %w", err)
|
||||
}
|
||||
|
||||
c.logger.Debug("retrieving ARI for certificate",
|
||||
"cert_id", certID)
|
||||
|
||||
// Fetch the ACME directory to find the renewalInfo endpoint
|
||||
renewalInfoURL, err := c.getARIEndpoint(ctx, certID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to construct ARI endpoint: %w", err)
|
||||
}
|
||||
|
||||
c.logger.Debug("querying ARI endpoint", "url", renewalInfoURL)
|
||||
|
||||
// Make GET request to the ARI endpoint
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, renewalInfoURL, nil)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("create ARI request: %w", err)
|
||||
}
|
||||
|
||||
httpClient := &http.Client{Timeout: 15 * time.Second}
|
||||
resp, err := httpClient.Do(req)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("ARI request failed: %w", err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
body, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("read ARI response: %w", err)
|
||||
}
|
||||
|
||||
// 404 means the CA doesn't support ARI or the cert doesn't exist
|
||||
if resp.StatusCode == http.StatusNotFound {
|
||||
c.logger.Debug("ARI not supported by CA or cert not found")
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// Other non-2xx errors
|
||||
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
|
||||
return nil, fmt.Errorf("ARI endpoint returned status %d: %s", resp.StatusCode, string(body))
|
||||
}
|
||||
|
||||
// Parse the ARI response
|
||||
var ariResp struct {
|
||||
SuggestedWindow struct {
|
||||
Start time.Time `json:"start"`
|
||||
End time.Time `json:"end"`
|
||||
} `json:"suggestedWindow"`
|
||||
RetryAfter time.Time `json:"retryAfter,omitempty"`
|
||||
ExplanationURL string `json:"explanationURL,omitempty"`
|
||||
}
|
||||
|
||||
if err := json.Unmarshal(body, &ariResp); err != nil {
|
||||
return nil, fmt.Errorf("parse ARI response: %w", err)
|
||||
}
|
||||
|
||||
if ariResp.SuggestedWindow.Start.IsZero() || ariResp.SuggestedWindow.End.IsZero() {
|
||||
return nil, fmt.Errorf("invalid ARI response: missing or empty suggestedWindow")
|
||||
}
|
||||
|
||||
c.logger.Info("retrieved ARI",
|
||||
"window_start", ariResp.SuggestedWindow.Start,
|
||||
"window_end", ariResp.SuggestedWindow.End)
|
||||
|
||||
return &issuer.RenewalInfoResult{
|
||||
SuggestedWindowStart: ariResp.SuggestedWindow.Start,
|
||||
SuggestedWindowEnd: ariResp.SuggestedWindow.End,
|
||||
RetryAfter: ariResp.RetryAfter,
|
||||
ExplanationURL: ariResp.ExplanationURL,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// computeARICertID computes the ARI certificate ID as defined in RFC 9702.
|
||||
// The cert ID is base64url(SHA256(DER encoding of the certificate)).
|
||||
func computeARICertID(certPEM string) (string, error) {
|
||||
block, _ := pem.Decode([]byte(certPEM))
|
||||
if block == nil {
|
||||
return "", fmt.Errorf("invalid PEM: no certificate block found")
|
||||
}
|
||||
|
||||
hash := sha256.Sum256(block.Bytes)
|
||||
certID := base64.RawURLEncoding.EncodeToString(hash[:])
|
||||
return certID, nil
|
||||
}
|
||||
|
||||
// getARIEndpoint constructs the ARI endpoint URL from the ACME directory.
|
||||
// It fetches the directory JSON and extracts the "renewalInfo" field if available.
|
||||
// Falls back to a standard URL pattern if the directory doesn't advertise renewalInfo.
|
||||
func (c *Connector) getARIEndpoint(ctx context.Context, certID string) (string, error) {
|
||||
// Try to fetch and parse the directory
|
||||
httpClient := &http.Client{Timeout: 15 * time.Second}
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.config.DirectoryURL, nil)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("create directory request: %w", err)
|
||||
}
|
||||
|
||||
resp, err := httpClient.Do(req)
|
||||
if err != nil {
|
||||
// If we can't fetch the directory, try the standard Let's Encrypt pattern
|
||||
return constructARIURLFallback(c.config.DirectoryURL, certID), nil
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
body, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return constructARIURLFallback(c.config.DirectoryURL, certID), nil
|
||||
}
|
||||
|
||||
var dir struct {
|
||||
RenewalInfo string `json:"renewalInfo,omitempty"`
|
||||
}
|
||||
|
||||
if err := json.Unmarshal(body, &dir); err != nil {
|
||||
// Malformed directory; use fallback
|
||||
return constructARIURLFallback(c.config.DirectoryURL, certID), nil
|
||||
}
|
||||
|
||||
if dir.RenewalInfo != "" {
|
||||
// Directory advertises renewalInfo endpoint
|
||||
return dir.RenewalInfo + "/" + certID, nil
|
||||
}
|
||||
|
||||
// No renewalInfo in directory; use standard fallback
|
||||
return constructARIURLFallback(c.config.DirectoryURL, certID), nil
|
||||
}
|
||||
|
||||
// constructARIURLFallback builds an ARI endpoint URL using a standard pattern.
|
||||
// It replaces "/directory" with "/renewalInfo" in the URL.
|
||||
func constructARIURLFallback(directoryURL, certID string) string {
|
||||
// Replace "/directory" with "/renewalInfo/{certID}"
|
||||
// For Let's Encrypt: https://acme-v02.api.letsencrypt.org/directory
|
||||
// becomes: https://acme-v02.api.letsencrypt.org/renewalInfo/{certID}
|
||||
baseURL := strings.TrimSuffix(directoryURL, "/directory")
|
||||
return baseURL + "/renewalInfo/" + certID
|
||||
}
|
||||
Reference in New Issue
Block a user