1// Package autotls automatically configures TLS (for SMTP, IMAP, HTTP) by

2// requesting certificates with ACME, typically from Let's Encrypt.

3package autotls

4

5// We do tls-alpn-01, and also http-01. For DNS we would need a third party tool

6// with an API that can make the DNS changes, as we don't want to link in dozens of

7// bespoke API's for DNS record manipulation into mox.

8

9import (

10 "bytes"

11 "context"

12 "crypto"

13 "crypto/ecdsa"

14 "crypto/elliptic"

15 cryptorand "crypto/rand"

16 "crypto/rsa"

17 "crypto/tls"

18 "crypto/x509"

19 "encoding/pem"

20 "errors"

21 "fmt"

22 "io"

23 "log/slog"

24 "net"

25 "os"

26 "path/filepath"

27 "sort"

28 "strings"

29 "sync"

30 "time"

31

32 "golang.org/x/crypto/acme"

33

34 "github.com/prometheus/client_golang/prometheus"

35 "github.com/prometheus/client_golang/prometheus/promauto"

36

37 "github.com/mjl-/autocert"

38

39 "github.com/mjl-/mox/dns"

40 "github.com/mjl-/mox/mlog"

41 "github.com/mjl-/mox/moxvar"

42)

43

44var (

45 metricCertput = promauto.NewCounter(

46 prometheus.CounterOpts{

47 Name: "mox_autotls_certput_total",

48 Help: "Number of certificate store puts.",

49 },

50 )

51)

52

53// Manager is in charge of a single ACME identity, and automatically requests

54// certificates for allowlisted hosts.

55type Manager struct {

56 ACMETLSConfig *tls.Config // For serving HTTPS on port 443, which is required for certificate requests to succeed.

57 Manager *autocert.Manager

58

59 shutdown <-chan struct{}

60

61 sync.Mutex

62 hosts map[dns.Domain]struct{}

63}

64

65// Load returns an initialized autotls manager for "name" (used for the ACME key

66// file and requested certs and their keys). All files are stored within acmeDir.

67//

68// contactEmail must be a valid email address to which notifications about ACME can

69// be sent. directoryURL is the ACME starting point.

70//

71// eabKeyID and eabKey are for external account binding when making a new account,

72// which some ACME providers require.

73//

74// getPrivateKey is called to get the private key for the host and key type. It

75// can be used to deliver a specific (e.g. always the same) private key for a

76// host, or a newly generated key.

77//

78// When shutdown is closed, no new TLS connections can be created.

79func Load(name, acmeDir, contactEmail, directoryURL string, eabKeyID string, eabKey []byte, getPrivateKey func(host string, keyType autocert.KeyType) (crypto.Signer, error), shutdown <-chan struct{}) (*Manager, error) {

80 if directoryURL == "" {

81 return nil, fmt.Errorf("empty ACME directory URL")

82 }

83 if contactEmail == "" {

84 return nil, fmt.Errorf("empty contact email")

85 }

86

87 // Load identity key if it exists. Otherwise, create a new key.

88 p := filepath.Join(acmeDir, name+".key")

89 var key crypto.Signer

90 f, err := os.Open(p)

91 if f != nil {

92 defer f.Close()

93 }

94 if err != nil && os.IsNotExist(err) {

95 key, err = ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)

96 if err != nil {

97 return nil, fmt.Errorf("generating ecdsa identity key: %s", err)

98 }

99 der, err := x509.MarshalPKCS8PrivateKey(key)

100 if err != nil {

101 return nil, fmt.Errorf("marshal identity key: %s", err)

102 }

103 block := &pem.Block{

104 Type: "PRIVATE KEY",

105 Headers: map[string]string{

106 "Note": fmt.Sprintf("PEM PKCS8 ECDSA private key generated for ACME provider %s by mox", name),

107 },

108 Bytes: der,

109 }

110 b := &bytes.Buffer{}

111 if err := pem.Encode(b, block); err != nil {

112 return nil, fmt.Errorf("pem encode: %s", err)

113 } else if err := os.WriteFile(p, b.Bytes(), 0660); err != nil {

114 return nil, fmt.Errorf("writing identity key: %s", err)

115 }

116 } else if err != nil {

117 return nil, fmt.Errorf("open identity key file: %s", err)

118 } else {

119 var privKey any

120 if buf, err := io.ReadAll(f); err != nil {

121 return nil, fmt.Errorf("reading identity key: %s", err)

122 } else if p, _ := pem.Decode(buf); p == nil {

123 return nil, fmt.Errorf("no pem data")

124 } else if p.Type != "PRIVATE KEY" {

125 return nil, fmt.Errorf("got PEM block %q, expected \"PRIVATE KEY\"", p.Type)

126 } else if privKey, err = x509.ParsePKCS8PrivateKey(p.Bytes); err != nil {

127 return nil, fmt.Errorf("parsing PKCS8 private key: %s", err)

128 }

129 switch k := privKey.(type) {

130 case *ecdsa.PrivateKey:

131 key = k

132 case *rsa.PrivateKey:

133 key = k

134 default:

135 return nil, fmt.Errorf("unsupported private key type %T", key)

136 }

137 }

138

139 m := &autocert.Manager{

140 Cache: dirCache(filepath.Join(acmeDir, "keycerts", name)),

141 Prompt: autocert.AcceptTOS,

142 Email: contactEmail,

143 Client: &acme.Client{

144 DirectoryURL: directoryURL,

145 Key: key,

146 UserAgent: "mox/" + moxvar.Version,

147 },

148 GetPrivateKey: getPrivateKey,

149 // HostPolicy set below.

150 }

151 // If external account binding key is provided, use it for registering a new account.

152 // todo: ideally the key and its id are provided temporarily by the admin when registering a new account. but we don't do that interactive setup yet. in the future, an interactive setup/quickstart would ask for the key once to register a new acme account.

153 if eabKeyID != "" {

154 m.ExternalAccountBinding = &acme.ExternalAccountBinding{

155 KID: eabKeyID,

156 Key: eabKey,

157 }

158 }

159

160 a := &Manager{

161 Manager: m,

162 shutdown: shutdown,

163 hosts: map[dns.Domain]struct{}{},

164 }

165 m.HostPolicy = a.HostPolicy

166 acmeTLSConfig := *m.TLSConfig()

167 acmeTLSConfig.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {

168 return a.loggingGetCertificate(hello, dns.Domain{}, false, false)

169 }

170 a.ACMETLSConfig = &acmeTLSConfig

171 return a, nil

172}

173

174// logigngGetCertificate is a helper to implement crypto/tls.Config.GetCertificate,

175// optionally falling back to a certificate for fallbackHostname in case SNI is

176// absent or for an unknown hostname.

177func (m *Manager) loggingGetCertificate(hello *tls.ClientHelloInfo, fallbackHostname dns.Domain, fallbackNoSNI, fallbackUnknownSNI bool) (*tls.Certificate, error) {

178 log := mlog.New("autotls", nil).WithContext(hello.Context())

179

180 // If we can't find a certificate (depending on fallback parameters), we return a

181 // nil certificate and nil error, which crypto/tls turns into a TLS alert

182 // "unrecognized name", which can be interpreted by clients as a hint that they are

183 // using the wrong hostname, or a certificate is missing.

184

185 if hello.ServerName == "" && fallbackNoSNI {

186 hello.ServerName = fallbackHostname.ASCII

187 }

188

189 // Handle missing SNI to prevent logging an error below.

190 if hello.ServerName == "" {

191 log.Debug("tls request without sni servername, rejecting", slog.Any("localaddr", hello.Conn.LocalAddr()), slog.Any("supportedprotos", hello.SupportedProtos))

192 return nil, nil

193 }

194

195 cert, err := m.Manager.GetCertificate(hello)

196 if err != nil && errors.Is(err, errHostNotAllowed) {

197 if !fallbackUnknownSNI {

198 log.Debugx("requesting certificate", err, slog.String("host", hello.ServerName))

199 return nil, nil

200 }

201

202 log.Debug("certificate for unknown hostname, using fallback hostname", slog.String("host", hello.ServerName))

203 hello.ServerName = fallbackHostname.ASCII

204 cert, err = m.Manager.GetCertificate(hello)

205 if err != nil {

206 log.Errorx("requesting certificate for fallback hostname", err, slog.String("host", hello.ServerName))

207 } else {

208 log.Debugx("requesting certificate for fallback hostname", err, slog.String("host", hello.ServerName))

209 }

210 return cert, err

211 } else if err != nil {

212 log.Errorx("requesting certificate", err, slog.String("host", hello.ServerName))

213 }

214 return cert, err

215}

216

217// TLSConfig returns a TLS server config that optionally returns a certificate for

218// fallbackHostname if no SNI was done, or for an unknown hostname.

219//

220// If fallbackNoSNI is set, TLS connections without SNI will use a certificate for

221// fallbackHostname. Otherwise, connections without SNI will fail with a message

222// that no TLS certificate is available.

223//

224// If fallbackUnknownSNI is set, TLS connections with an SNI hostname that is not

225// allowlisted will instead use a certificate for fallbackHostname. Otherwise, such

226// TLS connections will fail.

227func (m *Manager) TLSConfig(fallbackHostname dns.Domain, fallbackNoSNI, fallbackUnknownSNI bool) *tls.Config {

228 return &tls.Config{

229 GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {

230 return m.loggingGetCertificate(hello, fallbackHostname, fallbackNoSNI, fallbackUnknownSNI)

231 },

232 }

233}

234

235// CertAvailable checks whether a non-expired ECDSA certificate is available in the

236// cache for host. No other checks than expiration are done.

237func (m *Manager) CertAvailable(ctx context.Context, log mlog.Log, host dns.Domain) (bool, error) {

238 ck := host.ASCII // Would be "+rsa" for rsa keys.

239 data, err := m.Manager.Cache.Get(ctx, ck)

240 if err != nil && errors.Is(err, autocert.ErrCacheMiss) {

241 return false, nil

242 } else if err != nil {

243 return false, fmt.Errorf("attempt to get certificate from cache: %v", err)

244 }

245

246 // The cached keycert is of the form: private key, leaf certificate, intermediate certificates...

247 privb, rem := pem.Decode(data)

248 if privb == nil {

249 return false, fmt.Errorf("missing private key in cached keycert file")

250 }

251 pubb, _ := pem.Decode(rem)

252 if pubb == nil {

253 return false, fmt.Errorf("missing certificate in cached keycert file")

254 } else if pubb.Type != "CERTIFICATE" {

255 return false, fmt.Errorf("second pem block is %q, expected CERTIFICATE", pubb.Type)

256 }

257 cert, err := x509.ParseCertificate(pubb.Bytes)

258 if err != nil {

259 return false, fmt.Errorf("parsing certificate from cached keycert file: %v", err)

260 }

261 // We assume the certificate has a matching hostname, and is properly CA-signed. We

262 // only check the expiration time.

263 if time.Until(cert.NotBefore) > 0 || time.Since(cert.NotAfter) > 0 {

264 return false, nil

265 }

266 return true, nil

267}

268

269// SetAllowedHostnames sets a new list of allowed hostnames for automatic TLS.

270// After setting the host names, a goroutine is start to check that new host names

271// are fully served by publicIPs (only if non-empty and there is no unspecified

272// address in the list). If no, log an error with a warning that ACME validation

273// may fail.

274func (m *Manager) SetAllowedHostnames(log mlog.Log, resolver dns.Resolver, hostnames map[dns.Domain]struct{}, publicIPs []string, checkHosts bool) {

275 m.Lock()

276 defer m.Unlock()

277

278 // Log as slice, sorted.

279 l := make([]dns.Domain, 0, len(hostnames))

280 for d := range hostnames {

281 l = append(l, d)

282 }

283 sort.Slice(l, func(i, j int) bool {

284 return l[i].Name() < l[j].Name()

285 })

286

287 log.Debug("autotls setting allowed hostnames", slog.Any("hostnames", l), slog.Any("publicips", publicIPs))

288 var added []dns.Domain

289 for h := range hostnames {

290 if _, ok := m.hosts[h]; !ok {

291 added = append(added, h)

292 }

293 }

294 m.hosts = hostnames

295

296 if checkHosts && len(added) > 0 && len(publicIPs) > 0 {

297 for _, ip := range publicIPs {

298 if net.ParseIP(ip).IsUnspecified() {

299 return

300 }

301 }

302 go func() {

303 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)

304 defer cancel()

305

306 publicIPstrs := map[string]struct{}{}

307 for _, ip := range publicIPs {

308 publicIPstrs[ip] = struct{}{}

309 }

310

311 log.Debug("checking ips of hosts configured for acme tls cert validation")

312 for _, h := range added {

313 ips, _, err := resolver.LookupIP(ctx, "ip", h.ASCII+".")

314 if err != nil {

315 log.Errorx("warning: acme tls cert validation for host may fail due to dns lookup error", err, slog.Any("host", h))

316 continue

317 }

318 for _, ip := range ips {

319 if _, ok := publicIPstrs[ip.String()]; !ok {

320 log.Error("warning: acme tls cert validation for host is likely to fail because not all its ips are being listened on",

321 slog.Any("hostname", h),

322 slog.Any("listenedips", publicIPs),

323 slog.Any("hostips", ips),

324 slog.Any("missingip", ip))

325 }

326 }

327 }

328 }()

329 }

330}

331

332// Hostnames returns the allowed host names for use with ACME.

333func (m *Manager) Hostnames() []dns.Domain {

334 m.Lock()

335 defer m.Unlock()

336 var l []dns.Domain

337 for h := range m.hosts {

338 l = append(l, h)

339 }

340 return l

341}

342

343var errHostNotAllowed = errors.New("autotls: host not in allowlist")

344

345// HostPolicy decides if a host is allowed for use with ACME, i.e. whether a

346// certificate will be returned if present and/or will be requested if not yet

347// present. Only hosts added with SetAllowedHostnames are allowed. During shutdown,

348// no new connections are allowed.

349func (m *Manager) HostPolicy(ctx context.Context, host string) (rerr error) {

350 log := mlog.New("autotls", nil).WithContext(ctx)

351 defer func() {

352 log.Debugx("autotls hostpolicy result", rerr, slog.String("host", host))

353 }()

354

355 // Don't request new TLS certs when we are shutting down.

356 select {

357 case <-m.shutdown:

358 return fmt.Errorf("shutting down")

359 default:

360 }

361

362 xhost, _, err := net.SplitHostPort(host)

363 if err == nil {

364 // For http-01, host may include a port number.

365 host = xhost

366 }

367

368 d, err := dns.ParseDomain(host)

369 if err != nil {

370 return fmt.Errorf("invalid host: %v", err)

371 }

372

373 m.Lock()

374 defer m.Unlock()

375 if _, ok := m.hosts[d]; !ok {

376 return fmt.Errorf("%w: %q", errHostNotAllowed, d)

377 }

378 return nil

379}

380

381type dirCache autocert.DirCache

382

383func (d dirCache) Delete(ctx context.Context, name string) (rerr error) {

384 log := mlog.New("autotls", nil).WithContext(ctx)

385 defer func() {

386 log.Debugx("dircache delete result", rerr, slog.String("name", name))

387 }()

388 err := autocert.DirCache(d).Delete(ctx, name)

389 if err != nil {

390 log.Errorx("deleting cert from dir cache", err, slog.String("name", name))

391 } else if !strings.HasSuffix(name, "+token") {

392 log.Info("autotls cert delete", slog.String("name", name))

393 }

394 return err

395}

396

397func (d dirCache) Get(ctx context.Context, name string) (rbuf []byte, rerr error) {

398 log := mlog.New("autotls", nil).WithContext(ctx)

399 defer func() {

400 log.Debugx("dircache get result", rerr, slog.String("name", name))

401 }()

402 buf, err := autocert.DirCache(d).Get(ctx, name)

403 if err != nil && errors.Is(err, autocert.ErrCacheMiss) {

404 log.Infox("getting cert from dir cache", err, slog.String("name", name))

405 } else if err != nil {

406 log.Errorx("getting cert from dir cache", err, slog.String("name", name))

407 } else if !strings.HasSuffix(name, "+token") {

408 log.Debug("autotls cert get", slog.String("name", name))

409 }

410 return buf, err

411}

412

413func (d dirCache) Put(ctx context.Context, name string, data []byte) (rerr error) {

414 log := mlog.New("autotls", nil).WithContext(ctx)

415 defer func() {

416 log.Debugx("dircache put result", rerr, slog.String("name", name))

417 }()

418 metricCertput.Inc()

419 err := autocert.DirCache(d).Put(ctx, name, data)

420 if err != nil {

421 log.Errorx("storing cert in dir cache", err, slog.String("name", name))

422 } else if !strings.HasSuffix(name, "+token") {

423 log.Info("autotls cert store", slog.String("name", name))

424 }

425 return err

426}

427