Sami
f61e85d9a7
Full codebase including API server (32 modules + routes), dashboard frontend, DashCA certificate distribution, installer script, and deployment skills.
289 lines
12 KiB
JavaScript
289 lines
12 KiB
JavaScript
const express = require('express');
|
|
const fs = require('fs');
|
|
const fsp = require('fs').promises;
|
|
const path = require('path');
|
|
const { execSync } = require('child_process');
|
|
const { exists } = require('../fs-helpers');
|
|
const platformPaths = require('../platform-paths');
|
|
|
|
module.exports = function(ctx) {
|
|
const router = express.Router();
|
|
|
|
// Get CA certificate information
|
|
router.get('/info', ctx.asyncHandler(async (req, res) => {
|
|
const certInfoPath = '/app/ca/cert-info.json';
|
|
const fallbackCertInfoPath = path.join(platformPaths.caCertDir, 'cert-info.json');
|
|
|
|
let certInfoFile;
|
|
if (await exists(certInfoPath)) {
|
|
certInfoFile = certInfoPath;
|
|
} else if (await exists(fallbackCertInfoPath)) {
|
|
certInfoFile = fallbackCertInfoPath;
|
|
} else {
|
|
const { NotFoundError } = require('../errors');
|
|
throw new NotFoundError('CA certificate information');
|
|
}
|
|
|
|
const certInfo = JSON.parse(await fsp.readFile(certInfoFile, 'utf8'));
|
|
const expirationDate = new Date(certInfo.validUntil);
|
|
const daysUntilExpiration = Math.floor((expirationDate - new Date()) / (1000 * 60 * 60 * 24));
|
|
|
|
res.json({
|
|
success: true,
|
|
certificate: {
|
|
name: certInfo.name,
|
|
fingerprint: certInfo.fingerprint,
|
|
validFrom: certInfo.validFrom,
|
|
validUntil: certInfo.validUntil,
|
|
daysUntilExpiration,
|
|
algorithm: certInfo.algorithm || 'ECDSA P-256 with SHA-256',
|
|
serialNumber: certInfo.serialNumber,
|
|
downloadUrl: `https://ca${ctx.siteConfig.tld}/root.crt`
|
|
}
|
|
});
|
|
}, 'ca-info'));
|
|
|
|
// Serve root CA certificate directly (works even without DashCA deployed)
|
|
router.get('/root.crt', ctx.asyncHandler(async (req, res) => {
|
|
const pkiCertPath = '/app/pki/root.crt';
|
|
const hostCertPath = platformPaths.pkiRootCert;
|
|
const dashcaCertPath = path.join(platformPaths.caCertDir, 'root.crt');
|
|
|
|
let certPath;
|
|
if (await exists(pkiCertPath)) certPath = pkiCertPath;
|
|
else if (await exists(dashcaCertPath)) certPath = dashcaCertPath;
|
|
else if (await exists(hostCertPath)) certPath = hostCertPath;
|
|
else {
|
|
const { NotFoundError } = require('../errors');
|
|
throw new NotFoundError('Root CA certificate');
|
|
}
|
|
|
|
res.setHeader('Content-Type', 'application/x-x509-ca-cert');
|
|
res.setHeader('Content-Disposition', 'attachment; filename="dashcaddy-root-ca.crt"');
|
|
res.sendFile(path.resolve(certPath));
|
|
}, 'ca-root-crt'));
|
|
|
|
// Generate a platform-specific install script with real cert info injected
|
|
router.get('/install-script', ctx.asyncHandler(async (req, res) => {
|
|
const platform = (req.query.platform || 'windows').toLowerCase();
|
|
if (!['windows', 'linux', 'macos'].includes(platform)) {
|
|
return ctx.errorResponse(res, 400, 'Invalid platform. Use: windows, linux, or macos');
|
|
}
|
|
|
|
// Load cert info to get the fingerprint
|
|
const certInfoPath = '/app/ca/cert-info.json';
|
|
const fallbackCertInfoPath2 = path.join(platformPaths.caCertDir, 'cert-info.json');
|
|
|
|
let certInfoFile;
|
|
if (await exists(certInfoPath)) certInfoFile = certInfoPath;
|
|
else if (await exists(fallbackCertInfoPath2)) certInfoFile = fallbackCertInfoPath2;
|
|
else {
|
|
const { NotFoundError } = require('../errors');
|
|
throw new NotFoundError('CA certificate information. Deploy DashCA first or ensure cert-info.json exists.');
|
|
}
|
|
|
|
const certInfo = JSON.parse(await fsp.readFile(certInfoFile, 'utf8'));
|
|
const fingerprint = certInfo.fingerprint; // e.g. "08:98:A5:63:..."
|
|
|
|
// Build the cert download URL — use DashCA if available, fall back to API endpoint
|
|
const tld = ctx.siteConfig.tld || '.home';
|
|
const dashcaUrl = `https://ca${tld}/root.crt`;
|
|
const apiUrl = `https://dashcaddy${tld}/api/ca/root.crt`;
|
|
|
|
// Prefer DashCA URL, but the script's TLS bypass means either will work
|
|
const certUrl = dashcaUrl;
|
|
|
|
// Load and populate the template
|
|
const templateName = platform === 'windows' ? 'install-ca.ps1.template' : 'install-ca.sh.template';
|
|
|
|
// Look for template in multiple locations (packaged app vs dev)
|
|
const templatePaths = [
|
|
path.join(__dirname, '..', 'scripts', templateName),
|
|
path.join('/app', 'scripts', templateName)
|
|
];
|
|
|
|
let templateContent;
|
|
for (const tp of templatePaths) {
|
|
if (await exists(tp)) {
|
|
templateContent = await fsp.readFile(tp, 'utf8');
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!templateContent) {
|
|
const { NotFoundError } = require('../errors');
|
|
throw new NotFoundError(`Install script template (${templateName})`);
|
|
}
|
|
|
|
// Inject real values
|
|
const script = templateContent
|
|
.replace('{{CERT_URL}}', certUrl)
|
|
.replace('{{CERT_FINGERPRINT}}', fingerprint);
|
|
|
|
const filename = platform === 'windows' ? 'install-dashcaddy-ca.ps1' : 'install-dashcaddy-ca.sh';
|
|
const contentType = platform === 'windows' ? 'text/plain; charset=utf-8' : 'text/x-shellscript; charset=utf-8';
|
|
|
|
res.setHeader('Content-Type', contentType);
|
|
res.setHeader('Content-Disposition', `attachment; filename="${filename}"`);
|
|
res.send(script);
|
|
}, 'ca-install-script'));
|
|
|
|
// Generate and download SSL certificate for a service
|
|
router.get('/cert/:domain', ctx.asyncHandler(async (req, res) => {
|
|
const { domain } = req.params;
|
|
const { password = 'dashcaddy', format = 'pfx' } = req.query;
|
|
|
|
if (!/^[a-zA-Z0-9!@#%^_+=,.:-]{1,64}$/.test(password)) {
|
|
return ctx.errorResponse(res, 400, 'Invalid password. Use only letters, numbers, and basic symbols (max 64 chars).');
|
|
}
|
|
|
|
if (!domain || !/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/i.test(domain)) {
|
|
return ctx.errorResponse(res, 400, `Invalid domain name. Must be a valid hostname (e.g., dns1${ctx.siteConfig.tld})`);
|
|
}
|
|
|
|
const pkiPath = '/app/pki';
|
|
const certsDir = '/app/generated-certs';
|
|
const domainDir = path.join(certsDir, domain);
|
|
|
|
const intermediateCert = path.join(pkiPath, 'intermediate.crt');
|
|
const intermediateKey = path.join(pkiPath, 'intermediate.key');
|
|
const rootCert = path.join(pkiPath, 'root.crt');
|
|
|
|
if (!await exists(intermediateCert) || !await exists(intermediateKey)) {
|
|
return ctx.errorResponse(res, 500, 'CA certificates not found. Ensure Caddy PKI is initialized.');
|
|
}
|
|
|
|
if (!await exists(certsDir)) await fsp.mkdir(certsDir, { recursive: true });
|
|
if (!await exists(domainDir)) await fsp.mkdir(domainDir, { recursive: true });
|
|
|
|
const keyFile = path.join(domainDir, 'server.key');
|
|
const csrFile = path.join(domainDir, 'server.csr');
|
|
const certFile = path.join(domainDir, 'server.crt');
|
|
const pfxFile = path.join(domainDir, 'server.pfx');
|
|
const pemFile = path.join(domainDir, 'server.pem');
|
|
const fullChainFile = path.join(domainDir, 'fullchain.pem');
|
|
|
|
let needsRegeneration = true;
|
|
if (await exists(certFile)) {
|
|
try {
|
|
const certDates = execSync(`openssl x509 -in "${certFile}" -noout -dates`).toString();
|
|
const notAfter = certDates.match(/notAfter=(.*)/)[1].trim();
|
|
const expirationDate = new Date(notAfter);
|
|
const daysUntilExpiration = Math.floor((expirationDate - new Date()) / (1000 * 60 * 60 * 24));
|
|
if (daysUntilExpiration > 30) needsRegeneration = false;
|
|
} catch {
|
|
needsRegeneration = true;
|
|
}
|
|
}
|
|
|
|
if (needsRegeneration) {
|
|
execSync(`openssl genrsa -out "${keyFile}" 2048`, { stdio: 'pipe' });
|
|
|
|
const subject = `/CN=${domain}`;
|
|
execSync(`openssl req -new -key "${keyFile}" -out "${csrFile}" -subj "${subject}"`, { stdio: 'pipe' });
|
|
|
|
const configContent = `[req]
|
|
distinguished_name = req_distinguished_name
|
|
req_extensions = v3_req
|
|
prompt = no
|
|
|
|
[req_distinguished_name]
|
|
CN = ${domain}
|
|
|
|
[v3_req]
|
|
keyUsage = keyEncipherment, dataEncipherment, digitalSignature
|
|
extendedKeyUsage = serverAuth
|
|
subjectAltName = @alt_names
|
|
|
|
[alt_names]
|
|
DNS.1 = ${domain}
|
|
${domain.includes('.') ? `DNS.2 = *.${domain}` : ''}`;
|
|
|
|
const configFile = path.join(domainDir, 'openssl.cnf');
|
|
await fsp.writeFile(configFile, configContent);
|
|
|
|
const serialFile = path.join(domainDir, 'ca.srl');
|
|
execSync(`openssl x509 -req -in "${csrFile}" -CA "${intermediateCert}" -CAkey "${intermediateKey}" -CAserial "${serialFile}" -CAcreateserial -out "${certFile}" -days 365 -sha256 -extfile "${configFile}" -extensions v3_req`, { stdio: 'pipe' });
|
|
|
|
const serverCertContent = await fsp.readFile(certFile, 'utf8');
|
|
const intermediateCertContent = await fsp.readFile(intermediateCert, 'utf8');
|
|
const rootCertContent = await fsp.readFile(rootCert, 'utf8');
|
|
await fsp.writeFile(fullChainFile, serverCertContent + '\n' + intermediateCertContent + '\n' + rootCertContent);
|
|
|
|
execSync(`openssl pkcs12 -export -out "${pfxFile}" -inkey "${keyFile}" -in "${certFile}" -certfile "${intermediateCert}" -password "pass:${password}"`, { stdio: 'pipe' });
|
|
|
|
const keyContent = await fsp.readFile(keyFile, 'utf8');
|
|
await fsp.writeFile(pemFile, keyContent + '\n' + serverCertContent + '\n' + intermediateCertContent);
|
|
}
|
|
|
|
if (format === 'pfx') {
|
|
res.setHeader('Content-Type', 'application/x-pkcs12');
|
|
res.setHeader('Content-Disposition', `attachment; filename="${domain}.pfx"`);
|
|
res.sendFile(pfxFile);
|
|
} else if (format === 'pem') {
|
|
res.setHeader('Content-Type', 'application/x-pem-file');
|
|
res.setHeader('Content-Disposition', `attachment; filename="${domain}.pem"`);
|
|
res.sendFile(pemFile);
|
|
} else if (format === 'crt') {
|
|
res.setHeader('Content-Type', 'application/x-x509-ca-cert');
|
|
res.setHeader('Content-Disposition', `attachment; filename="${domain}.crt"`);
|
|
res.sendFile(certFile);
|
|
} else if (format === 'key') {
|
|
res.setHeader('Content-Type', 'application/x-pem-file');
|
|
res.setHeader('Content-Disposition', `attachment; filename="${domain}.key"`);
|
|
res.sendFile(keyFile);
|
|
} else if (format === 'fullchain') {
|
|
res.setHeader('Content-Type', 'application/x-pem-file');
|
|
res.setHeader('Content-Disposition', `attachment; filename="${domain}-fullchain.pem"`);
|
|
res.sendFile(fullChainFile);
|
|
} else {
|
|
ctx.errorResponse(res, 400, 'Invalid format. Use: pfx, pem, crt, key, or fullchain');
|
|
}
|
|
}, 'ca-cert'));
|
|
|
|
// List generated certificates
|
|
router.get('/certs', ctx.asyncHandler(async (req, res) => {
|
|
const certsDir = '/app/generated-certs';
|
|
|
|
if (!await exists(certsDir)) {
|
|
return res.json({ success: true, certificates: [] });
|
|
}
|
|
|
|
const dirEntries = await fsp.readdir(certsDir);
|
|
const domains = [];
|
|
for (const f of dirEntries) {
|
|
const stat = await fsp.stat(path.join(certsDir, f));
|
|
if (stat.isDirectory()) domains.push(f);
|
|
}
|
|
|
|
const certificates = (await Promise.all(domains.map(async (domain) => {
|
|
const certFile = path.join(certsDir, domain, 'server.crt');
|
|
if (!await exists(certFile)) return null;
|
|
|
|
try {
|
|
const certInfo = execSync(`openssl x509 -in "${certFile}" -noout -subject -dates -fingerprint -sha256`).toString();
|
|
const subject = certInfo.match(/subject=(.*)/) ? certInfo.match(/subject=(.*)/)[1].trim() : domain;
|
|
const notBefore = certInfo.match(/notBefore=(.*)/) ? certInfo.match(/notBefore=(.*)/)[1].trim() : '';
|
|
const notAfter = certInfo.match(/notAfter=(.*)/) ? certInfo.match(/notAfter=(.*)/)[1].trim() : '';
|
|
const fingerprint = certInfo.match(/Fingerprint=(.*)/) ? certInfo.match(/Fingerprint=(.*)/)[1].trim() : '';
|
|
|
|
const expirationDate = new Date(notAfter);
|
|
const daysUntilExpiration = Math.floor((expirationDate - new Date()) / (1000 * 60 * 60 * 24));
|
|
|
|
return {
|
|
domain, subject,
|
|
validFrom: notBefore, validUntil: notAfter,
|
|
daysUntilExpiration, fingerprint,
|
|
status: daysUntilExpiration < 0 ? 'expired' : daysUntilExpiration < 30 ? 'expiring-soon' : 'valid'
|
|
};
|
|
} catch {
|
|
return null;
|
|
}
|
|
}))).filter(Boolean);
|
|
|
|
res.json({ success: true, certificates });
|
|
}, 'ca-certs'));
|
|
|
|
return router;
|
|
};
|