1// Package autotls automatically configures TLS (for SMTP, IMAP, HTTP) by
2// requesting certificates with ACME, typically from Let's Encrypt.
3package autotls
4
5// We do tls-alpn-01, and also http-01. For DNS we would need a third party tool
6// with an API that can make the DNS changes, as we don't want to link in dozens of
7// bespoke API's for DNS record manipulation into mox.
8
9import (
10 "bytes"
11 "context"
12 "crypto"
13 "crypto/ecdsa"
14 "crypto/elliptic"
15 cryptorand "crypto/rand"
16 "crypto/rsa"
17 "crypto/tls"
18 "crypto/x509"
19 "encoding/pem"
20 "errors"
21 "fmt"
22 "io"
23 "log/slog"
24 "net"
25 "os"
26 "path/filepath"
27 "sort"
28 "strings"
29 "sync"
30 "time"
31
32 "golang.org/x/crypto/acme"
33
34 "github.com/prometheus/client_golang/prometheus"
35 "github.com/prometheus/client_golang/prometheus/promauto"
36
37 "github.com/mjl-/autocert"
38
39 "github.com/mjl-/mox/dns"
40 "github.com/mjl-/mox/mlog"
41 "github.com/mjl-/mox/moxvar"
42)
43
44var (
45 metricCertput = promauto.NewCounter(
46 prometheus.CounterOpts{
47 Name: "mox_autotls_certput_total",
48 Help: "Number of certificate store puts.",
49 },
50 )
51)
52
53// Manager is in charge of a single ACME identity, and automatically requests
54// certificates for allowlisted hosts.
55type Manager struct {
56 ACMETLSConfig *tls.Config // For serving HTTPS on port 443, which is required for certificate requests to succeed.
57 Manager *autocert.Manager
58
59 shutdown <-chan struct{}
60
61 sync.Mutex
62 hosts map[dns.Domain]struct{}
63}
64
65// Load returns an initialized autotls manager for "name" (used for the ACME key
66// file and requested certs and their keys). All files are stored within acmeDir.
67//
68// contactEmail must be a valid email address to which notifications about ACME can
69// be sent. directoryURL is the ACME starting point.
70//
71// eabKeyID and eabKey are for external account binding when making a new account,
72// which some ACME providers require.
73//
74// getPrivateKey is called to get the private key for the host and key type. It
75// can be used to deliver a specific (e.g. always the same) private key for a
76// host, or a newly generated key.
77//
78// When shutdown is closed, no new TLS connections can be created.
79func Load(name, acmeDir, contactEmail, directoryURL string, eabKeyID string, eabKey []byte, getPrivateKey func(host string, keyType autocert.KeyType) (crypto.Signer, error), shutdown <-chan struct{}) (*Manager, error) {
80 if directoryURL == "" {
81 return nil, fmt.Errorf("empty ACME directory URL")
82 }
83 if contactEmail == "" {
84 return nil, fmt.Errorf("empty contact email")
85 }
86
87 // Load identity key if it exists. Otherwise, create a new key.
88 p := filepath.Join(acmeDir, name+".key")
89 var key crypto.Signer
90 f, err := os.Open(p)
91 if f != nil {
92 defer f.Close()
93 }
94 if err != nil && os.IsNotExist(err) {
95 key, err = ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
96 if err != nil {
97 return nil, fmt.Errorf("generating ecdsa identity key: %s", err)
98 }
99 der, err := x509.MarshalPKCS8PrivateKey(key)
100 if err != nil {
101 return nil, fmt.Errorf("marshal identity key: %s", err)
102 }
103 block := &pem.Block{
104 Type: "PRIVATE KEY",
105 Headers: map[string]string{
106 "Note": fmt.Sprintf("PEM PKCS8 ECDSA private key generated for ACME provider %s by mox", name),
107 },
108 Bytes: der,
109 }
110 b := &bytes.Buffer{}
111 if err := pem.Encode(b, block); err != nil {
112 return nil, fmt.Errorf("pem encode: %s", err)
113 } else if err := os.WriteFile(p, b.Bytes(), 0660); err != nil {
114 return nil, fmt.Errorf("writing identity key: %s", err)
115 }
116 } else if err != nil {
117 return nil, fmt.Errorf("open identity key file: %s", err)
118 } else {
119 var privKey any
120 if buf, err := io.ReadAll(f); err != nil {
121 return nil, fmt.Errorf("reading identity key: %s", err)
122 } else if p, _ := pem.Decode(buf); p == nil {
123 return nil, fmt.Errorf("no pem data")
124 } else if p.Type != "PRIVATE KEY" {
125 return nil, fmt.Errorf("got PEM block %q, expected \"PRIVATE KEY\"", p.Type)
126 } else if privKey, err = x509.ParsePKCS8PrivateKey(p.Bytes); err != nil {
127 return nil, fmt.Errorf("parsing PKCS8 private key: %s", err)
128 }
129 switch k := privKey.(type) {
130 case *ecdsa.PrivateKey:
131 key = k
132 case *rsa.PrivateKey:
133 key = k
134 default:
135 return nil, fmt.Errorf("unsupported private key type %T", key)
136 }
137 }
138
139 m := &autocert.Manager{
140 Cache: dirCache(filepath.Join(acmeDir, "keycerts", name)),
141 Prompt: autocert.AcceptTOS,
142 Email: contactEmail,
143 Client: &acme.Client{
144 DirectoryURL: directoryURL,
145 Key: key,
146 UserAgent: "mox/" + moxvar.Version,
147 },
148 GetPrivateKey: getPrivateKey,
149 // HostPolicy set below.
150 }
151 // If external account binding key is provided, use it for registering a new account.
152 // todo: ideally the key and its id are provided temporarily by the admin when registering a new account. but we don't do that interactive setup yet. in the future, an interactive setup/quickstart would ask for the key once to register a new acme account.
153 if eabKeyID != "" {
154 m.ExternalAccountBinding = &acme.ExternalAccountBinding{
155 KID: eabKeyID,
156 Key: eabKey,
157 }
158 }
159
160 a := &Manager{
161 Manager: m,
162 shutdown: shutdown,
163 hosts: map[dns.Domain]struct{}{},
164 }
165 m.HostPolicy = a.HostPolicy
166 acmeTLSConfig := *m.TLSConfig()
167 acmeTLSConfig.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
168 return a.loggingGetCertificate(hello, dns.Domain{}, false, false)
169 }
170 a.ACMETLSConfig = &acmeTLSConfig
171 return a, nil
172}
173
174// logigngGetCertificate is a helper to implement crypto/tls.Config.GetCertificate,
175// optionally falling back to a certificate for fallbackHostname in case SNI is
176// absent or for an unknown hostname.
177func (m *Manager) loggingGetCertificate(hello *tls.ClientHelloInfo, fallbackHostname dns.Domain, fallbackNoSNI, fallbackUnknownSNI bool) (*tls.Certificate, error) {
178 log := mlog.New("autotls", nil).WithContext(hello.Context())
179
180 // If we can't find a certificate (depending on fallback parameters), we return a
181 // nil certificate and nil error, which crypto/tls turns into a TLS alert
182 // "unrecognized name", which can be interpreted by clients as a hint that they are
183 // using the wrong hostname, or a certificate is missing.
184
185 if hello.ServerName == "" && fallbackNoSNI {
186 hello.ServerName = fallbackHostname.ASCII
187 }
188
189 // Handle missing SNI to prevent logging an error below.
190 if hello.ServerName == "" {
191 log.Debug("tls request without sni servername, rejecting", slog.Any("localaddr", hello.Conn.LocalAddr()), slog.Any("supportedprotos", hello.SupportedProtos))
192 return nil, nil
193 }
194
195 cert, err := m.Manager.GetCertificate(hello)
196 if err != nil && errors.Is(err, errHostNotAllowed) {
197 if !fallbackUnknownSNI {
198 log.Debugx("requesting certificate", err, slog.String("host", hello.ServerName))
199 return nil, nil
200 }
201
202 log.Debug("certificate for unknown hostname, using fallback hostname", slog.String("host", hello.ServerName))
203 hello.ServerName = fallbackHostname.ASCII
204 cert, err = m.Manager.GetCertificate(hello)
205 if err != nil {
206 log.Errorx("requesting certificate for fallback hostname", err, slog.String("host", hello.ServerName))
207 } else {
208 log.Debugx("requesting certificate for fallback hostname", err, slog.String("host", hello.ServerName))
209 }
210 return cert, err
211 } else if err != nil {
212 log.Errorx("requesting certificate", err, slog.String("host", hello.ServerName))
213 }
214 return cert, err
215}
216
217// TLSConfig returns a TLS server config that optionally returns a certificate for
218// fallbackHostname if no SNI was done, or for an unknown hostname.
219//
220// If fallbackNoSNI is set, TLS connections without SNI will use a certificate for
221// fallbackHostname. Otherwise, connections without SNI will fail with a message
222// that no TLS certificate is available.
223//
224// If fallbackUnknownSNI is set, TLS connections with an SNI hostname that is not
225// allowlisted will instead use a certificate for fallbackHostname. Otherwise, such
226// TLS connections will fail.
227func (m *Manager) TLSConfig(fallbackHostname dns.Domain, fallbackNoSNI, fallbackUnknownSNI bool) *tls.Config {
228 return &tls.Config{
229 GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
230 return m.loggingGetCertificate(hello, fallbackHostname, fallbackNoSNI, fallbackUnknownSNI)
231 },
232 }
233}
234
235// CertAvailable checks whether a non-expired ECDSA certificate is available in the
236// cache for host. No other checks than expiration are done.
237func (m *Manager) CertAvailable(ctx context.Context, log mlog.Log, host dns.Domain) (bool, error) {
238 ck := host.ASCII // Would be "+rsa" for rsa keys.
239 data, err := m.Manager.Cache.Get(ctx, ck)
240 if err != nil && errors.Is(err, autocert.ErrCacheMiss) {
241 return false, nil
242 } else if err != nil {
243 return false, fmt.Errorf("attempt to get certificate from cache: %v", err)
244 }
245
246 // The cached keycert is of the form: private key, leaf certificate, intermediate certificates...
247 privb, rem := pem.Decode(data)
248 if privb == nil {
249 return false, fmt.Errorf("missing private key in cached keycert file")
250 }
251 pubb, _ := pem.Decode(rem)
252 if pubb == nil {
253 return false, fmt.Errorf("missing certificate in cached keycert file")
254 } else if pubb.Type != "CERTIFICATE" {
255 return false, fmt.Errorf("second pem block is %q, expected CERTIFICATE", pubb.Type)
256 }
257 cert, err := x509.ParseCertificate(pubb.Bytes)
258 if err != nil {
259 return false, fmt.Errorf("parsing certificate from cached keycert file: %v", err)
260 }
261 // We assume the certificate has a matching hostname, and is properly CA-signed. We
262 // only check the expiration time.
263 if time.Until(cert.NotBefore) > 0 || time.Since(cert.NotAfter) > 0 {
264 return false, nil
265 }
266 return true, nil
267}
268
269// SetAllowedHostnames sets a new list of allowed hostnames for automatic TLS.
270// After setting the host names, a goroutine is start to check that new host names
271// are fully served by publicIPs (only if non-empty and there is no unspecified
272// address in the list). If no, log an error with a warning that ACME validation
273// may fail.
274func (m *Manager) SetAllowedHostnames(log mlog.Log, resolver dns.Resolver, hostnames map[dns.Domain]struct{}, publicIPs []string, checkHosts bool) {
275 m.Lock()
276 defer m.Unlock()
277
278 // Log as slice, sorted.
279 l := make([]dns.Domain, 0, len(hostnames))
280 for d := range hostnames {
281 l = append(l, d)
282 }
283 sort.Slice(l, func(i, j int) bool {
284 return l[i].Name() < l[j].Name()
285 })
286
287 log.Debug("autotls setting allowed hostnames", slog.Any("hostnames", l), slog.Any("publicips", publicIPs))
288 var added []dns.Domain
289 for h := range hostnames {
290 if _, ok := m.hosts[h]; !ok {
291 added = append(added, h)
292 }
293 }
294 m.hosts = hostnames
295
296 if checkHosts && len(added) > 0 && len(publicIPs) > 0 {
297 for _, ip := range publicIPs {
298 if net.ParseIP(ip).IsUnspecified() {
299 return
300 }
301 }
302 go func() {
303 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
304 defer cancel()
305
306 publicIPstrs := map[string]struct{}{}
307 for _, ip := range publicIPs {
308 publicIPstrs[ip] = struct{}{}
309 }
310
311 log.Debug("checking ips of hosts configured for acme tls cert validation")
312 for _, h := range added {
313 ips, _, err := resolver.LookupIP(ctx, "ip", h.ASCII+".")
314 if err != nil {
315 log.Errorx("warning: acme tls cert validation for host may fail due to dns lookup error", err, slog.Any("host", h))
316 continue
317 }
318 for _, ip := range ips {
319 if _, ok := publicIPstrs[ip.String()]; !ok {
320 log.Error("warning: acme tls cert validation for host is likely to fail because not all its ips are being listened on",
321 slog.Any("hostname", h),
322 slog.Any("listenedips", publicIPs),
323 slog.Any("hostips", ips),
324 slog.Any("missingip", ip))
325 }
326 }
327 }
328 }()
329 }
330}
331
332// Hostnames returns the allowed host names for use with ACME.
333func (m *Manager) Hostnames() []dns.Domain {
334 m.Lock()
335 defer m.Unlock()
336 var l []dns.Domain
337 for h := range m.hosts {
338 l = append(l, h)
339 }
340 return l
341}
342
343var errHostNotAllowed = errors.New("autotls: host not in allowlist")
344
345// HostPolicy decides if a host is allowed for use with ACME, i.e. whether a
346// certificate will be returned if present and/or will be requested if not yet
347// present. Only hosts added with SetAllowedHostnames are allowed. During shutdown,
348// no new connections are allowed.
349func (m *Manager) HostPolicy(ctx context.Context, host string) (rerr error) {
350 log := mlog.New("autotls", nil).WithContext(ctx)
351 defer func() {
352 log.Debugx("autotls hostpolicy result", rerr, slog.String("host", host))
353 }()
354
355 // Don't request new TLS certs when we are shutting down.
356 select {
357 case <-m.shutdown:
358 return fmt.Errorf("shutting down")
359 default:
360 }
361
362 xhost, _, err := net.SplitHostPort(host)
363 if err == nil {
364 // For http-01, host may include a port number.
365 host = xhost
366 }
367
368 d, err := dns.ParseDomain(host)
369 if err != nil {
370 return fmt.Errorf("invalid host: %v", err)
371 }
372
373 m.Lock()
374 defer m.Unlock()
375 if _, ok := m.hosts[d]; !ok {
376 return fmt.Errorf("%w: %q", errHostNotAllowed, d)
377 }
378 return nil
379}
380
381type dirCache autocert.DirCache
382
383func (d dirCache) Delete(ctx context.Context, name string) (rerr error) {
384 log := mlog.New("autotls", nil).WithContext(ctx)
385 defer func() {
386 log.Debugx("dircache delete result", rerr, slog.String("name", name))
387 }()
388 err := autocert.DirCache(d).Delete(ctx, name)
389 if err != nil {
390 log.Errorx("deleting cert from dir cache", err, slog.String("name", name))
391 } else if !strings.HasSuffix(name, "+token") {
392 log.Info("autotls cert delete", slog.String("name", name))
393 }
394 return err
395}
396
397func (d dirCache) Get(ctx context.Context, name string) (rbuf []byte, rerr error) {
398 log := mlog.New("autotls", nil).WithContext(ctx)
399 defer func() {
400 log.Debugx("dircache get result", rerr, slog.String("name", name))
401 }()
402 buf, err := autocert.DirCache(d).Get(ctx, name)
403 if err != nil && errors.Is(err, autocert.ErrCacheMiss) {
404 log.Infox("getting cert from dir cache", err, slog.String("name", name))
405 } else if err != nil {
406 log.Errorx("getting cert from dir cache", err, slog.String("name", name))
407 } else if !strings.HasSuffix(name, "+token") {
408 log.Debug("autotls cert get", slog.String("name", name))
409 }
410 return buf, err
411}
412
413func (d dirCache) Put(ctx context.Context, name string, data []byte) (rerr error) {
414 log := mlog.New("autotls", nil).WithContext(ctx)
415 defer func() {
416 log.Debugx("dircache put result", rerr, slog.String("name", name))
417 }()
418 metricCertput.Inc()
419 err := autocert.DirCache(d).Put(ctx, name, data)
420 if err != nil {
421 log.Errorx("storing cert in dir cache", err, slog.String("name", name))
422 } else if !strings.HasSuffix(name, "+token") {
423 log.Info("autotls cert store", slog.String("name", name))
424 }
425 return err
426}
427