mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 18:21:32 +00:00
shankar0123
e146b00f0e
First slice of the RFC 8555 ACME server endpoint (master plan at cowork/acme-server-endpoint-prompt.md, per-phase prompts at cowork/acme-server-prompts/). This commit lands the smallest viable end-to-end deployable slice: an ACME client running curl -sk https://certctl/acme/profile/<id>/directory curl -sk -I https://certctl/acme/profile/<id>/new-nonce successfully fetches the directory document and a Replay-Nonce. Account creation, JWS verification, orders, challenges, and revocation are all out of scope for this phase and arrive in Phases 1b–4. Closes the Rank 1 LHF from the 2026-05-03 Infisical deep-research (cowork/infisical-deep-research-results.md). Pre-fix, certctl was an ACME consumer only — no /acme/directory endpoint, no JWS verifier, no challenge validators. K8s customers running cert-manager could not point at certctl as an ACME issuer; they had to deploy a certctl agent on every node. What ships: - internal/api/acme/{directory,nonce,errors}.go (+ tests). - internal/api/handler/acme.go + acme_handler_test.go. - internal/repository/postgres/acme.go (nonce ops only — Phase 1b extends with account CRUD; Phases 2-4 extend with order / authz / challenge CRUD). - internal/service/acme.go (BuildDirectory + IssueNonce stubs; Phase 1b adds VerifyJWS / NewAccount / etc.). - migrations/000025_acme_server.{up,down}.sql ships the full 5-table ACME schema (acme_accounts / acme_orders / acme_authorizations / acme_challenges / acme_nonces) PLUS the per-profile certificate_profiles.acme_auth_mode column. Phase 1a actively uses only acme_nonces; remaining tables are empty until Phases 1b-4 plug in. - internal/config/config.go: ACMEServerConfig struct + ACMEServer field on Config. Env vars use CERTCTL_ACME_SERVER_* prefix to avoid colliding with the existing consumer-side ACMEConfig at config.go:1746 (CERTCTL_ACME_DIRECTORY_URL / PROFILE / CHALLENGE_TYPE etc.). Phase 1a wires Enabled + DefaultAuthMode + DefaultProfileID + NonceTTL + DirectoryMeta; Order/Authz TTLs + per-challenge-type concurrency caps + DNS01 resolver are reserved fields parsed in 1a so operators can set them ahead of Phases 2/3. - cmd/server/main.go: wire ACMEHandler into the HandlerRegistry literal alongside the existing certificate / EST / SCEP / etc. handlers. - internal/api/router/router.go: HandlerRegistry.ACME field + 6 Register calls (3 per-profile + 3 shorthand). - internal/api/router/openapi_parity_test.go: 6 new entries in SpecParityExceptions. ACME is a wire-protocol surface (JWS-signed JSON over HTTPS per RFC 7515) whose semantics are dictated by RFC 8555 + RFC 9773 rather than by an OpenAPI document, same precedent as SCEP/EST. The canonical reference is docs/acme-server.md. - docs/acme-server.md: Phase-1a-shaped reference. Configuration table for every CERTCTL_ACME_SERVER_* env var. Per-profile auth-mode decision tree skeleton. TLS trust bootstrap section flagging cert-manager's ClusterIssuer.spec.acme.caBundle requirement (the single biggest first-time-deploy footgun; the full cert-manager walkthrough lands in Phase 6 but the requirement is documented up front). Architecture decisions baked in: - URL family is /acme/profile/<id>/* (per-profile, canonical) with /acme/* shorthand active when CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID is set. Path matches existing per-profile precedent in EST + SCEP. - Auth mode is per-profile (acme_auth_mode column on certificate_profiles), NOT server-wide. One certctl-server can serve trust_authenticated for an internal-PKI profile and challenge for a public-trust-style profile simultaneously. The column is read at request time, not cached at server start — operators flipping a profile's mode via SQL take effect on the next order without restart. - Nonces are DB-backed (acme_nonces table). Survive server restart. The RFC 8555 §6.5 replay defense requires the store to outlast the client's nonce caching window; an in-memory-only nonce store would lose every in-flight order on restart. - Per-op atomic counters on service.ACMEService.Metrics() — certctl_acme_directory_total, certctl_acme_directory_failures_total, certctl_acme_new_nonce_total, certctl_acme_new_nonce_failures_total. Naming follows certctl frozen decision 0.10 cardinality discipline. Phase 1b will extend with new_account counters; Phase 2 with order / finalize / cert; Phase 3 with per-challenge-type counters. Audit fixes #11 + #12 (cowork/acme-server-prompts/audit-additions.md) applied: - #11: CERTCTL_ACME_SERVER_* prefix avoids the consumer-side CERTCTL_ACME_* namespace collision. - #12: prior-attempt WIP from two failed Phase-1 dispatches was discarded at phase start; this commit starts from a clean tree. Tests: - 14 unit tests in internal/api/acme/ (directory, nonce, errors). - 7 handler-level tests via httptest.NewServer + mockACMEService (mirrors the mockSCEPService pattern at scep_handler_test.go). - 7 service-layer tests with mocked repo + injected profileLookup. - All pass under -race -count=1 -short. Deferred to Phase 1b: - JWS verification (go-jose v4 — see master-prompt §8a for the API surface and audit doc for the speculation pitfalls). - new-account / account/<id> endpoints + AccountService. - Nonce *consumption* path (issue path is in this commit; consume is only invoked by JWS-verified POSTs which Phase 1b adds). Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-1a". Per-phase implementation plan: cowork/acme-server-prompts/. Master plan + audit fixes: cowork/acme-server-endpoint-prompt.md + cowork/acme-server-prompt-audit.md + cowork/acme-server-prompts/audit-additions.md.
171 lines
6.4 KiB
Go
171 lines
6.4 KiB
Go
// Copyright (c) certctl
|
|
// SPDX-License-Identifier: BSL-1.1
|
|
|
|
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"net/http"
|
|
|
|
"github.com/shankar0123/certctl/internal/api/acme"
|
|
"github.com/shankar0123/certctl/internal/service"
|
|
)
|
|
|
|
// ACMEService is the handler-facing surface for the ACME server. The
|
|
// service-layer concrete type is *service.ACMEService; the interface
|
|
// definition lives here to keep the handler import-direction
|
|
// canonical (handler imports service, not the reverse). Phase 1a
|
|
// pins two methods; Phase 1b extends with VerifyJWS, NewAccount,
|
|
// LookupAccount, UpdateAccount, DeactivateAccount.
|
|
type ACMEService interface {
|
|
BuildDirectory(ctx context.Context, profileID, baseURL string) (*acme.Directory, error)
|
|
IssueNonce(ctx context.Context) (string, error)
|
|
}
|
|
|
|
// ACMEHandler exposes the ACME server's RFC 8555 endpoints under the
|
|
// per-profile path /acme/profile/<id>/* and (optionally) the
|
|
// /acme/* shorthand when CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID is
|
|
// set. Phase 1a wires:
|
|
//
|
|
// - GET /acme/profile/{id}/directory
|
|
// - HEAD /acme/profile/{id}/new-nonce
|
|
// - GET /acme/profile/{id}/new-nonce
|
|
// - GET /acme/directory (shorthand)
|
|
// - HEAD /acme/new-nonce (shorthand)
|
|
// - GET /acme/new-nonce (shorthand)
|
|
//
|
|
// Phase 1b adds new-account + account/<id>; Phase 2 adds new-order +
|
|
// order/<id>(/finalize) + authz/<id> + cert/<id>; Phase 3 adds
|
|
// challenge/<id>; Phase 4 adds key-change + revoke-cert + renewal-info.
|
|
//
|
|
// Handler shape mirrors internal/api/handler/scep.go:73-91 (struct
|
|
// holding the service interface, factory function returning the
|
|
// struct value).
|
|
type ACMEHandler struct {
|
|
svc ACMEService
|
|
}
|
|
|
|
// NewACMEHandler constructs an ACMEHandler. Returns the value (not a
|
|
// pointer) — same convention as NewSCEPHandler at scep.go:89.
|
|
func NewACMEHandler(svc ACMEService) ACMEHandler {
|
|
return ACMEHandler{svc: svc}
|
|
}
|
|
|
|
// Directory handles GET requests to the directory URL. The Go 1.22+
|
|
// stdlib router parses the {id} path parameter via r.PathValue("id").
|
|
// When the path is /acme/directory (no profile in URL), PathValue
|
|
// returns ""; the service layer applies the
|
|
// CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID fallback (or returns
|
|
// userActionRequired if unset).
|
|
func (h ACMEHandler) Directory(w http.ResponseWriter, r *http.Request) {
|
|
profileID := r.PathValue("id")
|
|
baseURL := h.directoryBaseURL(r, profileID)
|
|
|
|
dir, err := h.svc.BuildDirectory(r.Context(), profileID, baseURL)
|
|
if err != nil {
|
|
writeServiceError(w, err)
|
|
return
|
|
}
|
|
|
|
// RFC 8555 §6.5: every successful response carries Replay-Nonce.
|
|
// The directory endpoint is not JWS-authenticated but ACME clients
|
|
// expect the header so they can use it on the very next POST.
|
|
if nonce, err := h.svc.IssueNonce(r.Context()); err == nil {
|
|
w.Header().Set("Replay-Nonce", nonce)
|
|
}
|
|
w.Header().Set("Cache-Control", "public, max-age=0, no-cache")
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(dir)
|
|
}
|
|
|
|
// NewNonce handles HEAD and GET on the new-nonce URL.
|
|
//
|
|
// RFC 8555 §7.2:
|
|
// - HEAD MUST return 200 with Replay-Nonce + zero-length body.
|
|
// - GET MUST return 204 No Content with Replay-Nonce + zero-length body.
|
|
//
|
|
// Both verbs MUST set Cache-Control: no-store so middleboxes don't
|
|
// inadvertently re-serve a stale nonce.
|
|
//
|
|
// We resolve the profile here (rather than passing it through the
|
|
// service) only to validate it exists — the nonce itself is global
|
|
// to the server (one acme_nonces table), but if the operator hits
|
|
// /acme/profile/<bogus>/new-nonce we return 404 so the path-shape
|
|
// failure is operator-visible.
|
|
func (h ACMEHandler) NewNonce(w http.ResponseWriter, r *http.Request) {
|
|
profileID := r.PathValue("id")
|
|
// Same profile-resolution path as Directory — go through
|
|
// BuildDirectory only to leverage its profile-not-found / user-
|
|
// action-required mapping. The directory document is not used.
|
|
baseURL := h.directoryBaseURL(r, profileID)
|
|
if _, err := h.svc.BuildDirectory(r.Context(), profileID, baseURL); err != nil {
|
|
writeServiceError(w, err)
|
|
return
|
|
}
|
|
|
|
nonce, err := h.svc.IssueNonce(r.Context())
|
|
if err != nil {
|
|
acme.WriteProblem(w, acme.ServerInternal("nonce issuance failed"))
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Replay-Nonce", nonce)
|
|
w.Header().Set("Cache-Control", "no-store")
|
|
if r.Method == http.MethodHead {
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
// directoryBaseURL composes the per-profile base URL the directory's
|
|
// inner URLs are built against. The composition lives in the handler
|
|
// (NOT the service) because it depends on the inbound request's
|
|
// scheme + host + observed path; the service layer would need to
|
|
// import net/http to do this.
|
|
//
|
|
// For requests on /acme/profile/<id>/* we strip the trailing path
|
|
// element to produce the base. For shorthand /acme/* requests we
|
|
// strip the trailing element from /acme — the result is just the
|
|
// scheme://host/acme prefix, which the service then uses to build
|
|
// /acme/new-nonce, /acme/new-account, etc.
|
|
func (h ACMEHandler) directoryBaseURL(r *http.Request, profileID string) string {
|
|
scheme := "https"
|
|
if r.TLS == nil {
|
|
// HTTPS-only architecture decision (CLAUDE.md): the listener
|
|
// is TLS 1.3 pinned. r.TLS == nil only happens in tests with
|
|
// httptest.NewServer (non-TLS); honor http: for those.
|
|
scheme = "http"
|
|
}
|
|
if profileID != "" {
|
|
return scheme + "://" + r.Host + "/acme/profile/" + profileID
|
|
}
|
|
return scheme + "://" + r.Host + "/acme"
|
|
}
|
|
|
|
// writeServiceError maps service-layer sentinels to RFC 7807 + RFC
|
|
// 8555 §6.7 problem responses. Centralized so every handler method
|
|
// gets identical mapping; future Phase 1b/2/3/4 sentinels extend
|
|
// the switch.
|
|
func writeServiceError(w http.ResponseWriter, err error) {
|
|
switch {
|
|
case errors.Is(err, service.ErrACMEUserActionRequired):
|
|
acme.WriteProblem(w, acme.UserActionRequired(
|
|
"this server requires the per-profile path /acme/profile/<id>/* — "+
|
|
"set CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID for /acme/* shorthand"))
|
|
case errors.Is(err, service.ErrACMEProfileNotFound):
|
|
acme.WriteProblem(w, acme.Problem{
|
|
Type: "urn:ietf:params:acme:error:userActionRequired",
|
|
Detail: "profile not found",
|
|
Status: http.StatusNotFound,
|
|
})
|
|
default:
|
|
// Avoid leaking internal error text per master-prompt
|
|
// criterion #10 (operator-actionable errors with no info
|
|
// leak). The detail is operator-facing but generic.
|
|
acme.WriteProblem(w, acme.ServerInternal("ACME server error"))
|
|
}
|
|
}
|