Module: HerokuSsl

Defined in:: lib/heroku_ssl.rb,
lib/heroku_ssl/ssl.rb,
lib/heroku_ssl/engine.rb,
lib/heroku_ssl/version.rb,
app/jobs/heroku_ssl/application_job.rb,
app/helpers/heroku_ssl/heroku_ssl_helper.rb,
app/models/heroku_ssl/application_record.rb,
app/helpers/heroku_ssl/application_helper.rb,
app/mailers/heroku_ssl/application_mailer.rb,
app/controllers/heroku_ssl/heroku_ssl_controller.rb,
app/controllers/heroku_ssl/application_controller.rb

Defined Under Namespace

Modules: ApplicationHelper, HerokuSslHelper Classes: ApplicationController, ApplicationJob, ApplicationMailer, ApplicationRecord, Engine, HerokuSslController

Constant Summary collapse

VERSION =

'0.8.1'

Class Method Summary collapse

.authorize(domain) ⇒ Object
.cert_directory ⇒ Object

Where the certificates are stored.
.client ⇒ Object
.create_dh_params ⇒ Object
.endpoint ⇒ Object
.gen_unless_exists(filename) ⇒ Object
.private_key ⇒ Object

returns any existing account private key; only generates a new one if none exist.
.read(filename) ⇒ Object
.redis_instance ⇒ Object
.regenerate_private_key ⇒ Object

forcibly regenerates the account private key.
.register(email) ⇒ Object

adds a contact for a domain.
.request_certificate(domain) ⇒ Object
.try_authorize(domain, retries = 1) ⇒ Object
.write(filename, content) ⇒ Object

Class Method Details

.authorize(domain) ⇒ `Object`

# File 'lib/heroku_ssl/ssl.rb', line 102

def authorize(domain)
  if domain.is_a? Array
    domain.each do |dom|
      authorize dom
    end

    return
  end

  authorization = client.authorize(domain: domain)

  return if authorization.status == 'valid'

  # This example is using the http-01 challenge type. Other challenges are dns-01 or tls-sni-01.
  challenge = authorization.http01

  redis_instance.set("ssl-challenge-#{challenge.filename.split('/').last}", challenge.file_content)
  redis_instance.expire("ssl-challenge-#{challenge.filename.split('/').last}", 5.minutes)

  challenge.request_verification

  # Wait a bit for the server to make the request, or just blink. It should be fast.
  sleep(1)

  status = nil
  begin
    # May sometimes give an error, for mysterious reasons
    status = challenge.authorization.verify_status
  rescue
  end

  #alternate method to read authorization status
  status = client.authorize(domain: domain).status if status == 'pending' || status.blank?

  unless status == 'valid'
    puts challenge.error
    raise "Did not verify client. Status is still #{status}"
  end
end

.cert_directory ⇒ `Object`

Where the certificates are stored



25
26
27

# File 'lib/heroku_ssl/ssl.rb', line 25

def cert_directory
  Rails.root.join('certs')
end

.client ⇒ `Object`

# File 'lib/heroku_ssl/ssl.rb', line 74

def client
  @client ||= Acme::Client.new(
      private_key: private_key,
      endpoint: endpoint,
      connection_options: {
          request: {
              open_timeout: 5,
              timeout: 5
          }
      }
  )
end

.create_dh_params ⇒ `Object`

# File 'lib/heroku_ssl/ssl.rb', line 180

def create_dh_params
  gen_unless_exists 'dhparam.pem' do |filename|
    `openssl dhparam -out #{filename} 4096`
  end
end

.endpoint ⇒ `Object`

# File 'lib/heroku_ssl/ssl.rb', line 8

def endpoint
  # Use 'https://acme-staging.api.letsencrypt.org/' for development

  'https://acme-v01.api.letsencrypt.org/'
end

.gen_unless_exists(filename) ⇒ `Object`

# File 'lib/heroku_ssl/ssl.rb', line 43

def gen_unless_exists(filename)
  existing = read filename
  return existing if existing.present?

  created = yield filename
  write filename, created

  created
end

.private_key ⇒ `Object`

returns any existing account private key; only generates a new one if none exist

# File 'lib/heroku_ssl/ssl.rb', line 62

def private_key
  return @private_key if @private_key.present?

  pem = read "#{Rails.env}/account.pem"
  if pem.present?
    @private_key = OpenSSL::PKey::RSA.new(pem)
  else
    regenerate_private_key
  end
end

.read(filename) ⇒ `Object`

# File 'lib/heroku_ssl/ssl.rb', line 35

def read(filename)
  FileUtils.mkdir_p cert_directory

  return nil unless File.exists? cert_directory.join(filename)

  File.read cert_directory.join(filename)
end

.redis_instance ⇒ `Object`

# File 'lib/heroku_ssl/ssl.rb', line 14

def redis_instance

  return $redis if $redis.present?
  return $heroku_ssl_redis if $heroku_ssl_redis.present?

  redis_url = ENV['REDIS_URL'] || ENV['HEROKU_REDIS_URL'] || 'redis://127.0.0.1:6379/0'
  $heroku_ssl_redis = Redis.new(:url => redis_url)

end

.regenerate_private_key ⇒ `Object`

forcibly regenerates the account private key

# File 'lib/heroku_ssl/ssl.rb', line 54

def regenerate_private_key
  @private_key = OpenSSL::PKey::RSA.new(4096)
  write('account.pem', @private_key.export)

  @private_key
end

.register(email) ⇒ `Object`

adds a contact for a domain

# File 'lib/heroku_ssl/ssl.rb', line 88

def register(email)
  # If the private key is not known to the server, we need to register it for the first time.
  registration = client.register(contact: "mailto:#{email}")

  # You may need to agree to the terms of service (that's up the to the server to require it or not but boulder does by default)
  registration.agree_terms
rescue Acme::Client::Error::Malformed => e
  if e.message == 'Registration key is already in use'
    puts 'Already registered'
  else
    raise e
  end
end

.request_certificate(domain) ⇒ `Object`

# File 'lib/heroku_ssl/ssl.rb', line 158

def request_certificate(domain)
  unless try_authorize domain
    puts 'Domain authorization failed. Aborting operation'
    return
  end

  csr = Acme::Client::CertificateRequest.new(names: [*domain])

  # We can now request a certificate. You can pass anything that returns
  # a valid DER encoded CSR when calling to_der on it. For example an
  # OpenSSL::X509::Request should work too.
  certificate = client.new_certificate(csr)

  {
      privkey: certificate.request.private_key.to_pem,
      cert: certificate.to_pem,
      chain: certificate.chain_to_pem,
      fullchain: certificate.fullchain_to_pem
  }

end

.try_authorize(domain, retries = 1) ⇒ `Object`

# File 'lib/heroku_ssl/ssl.rb', line 142

def try_authorize(domain, retries=1)
  begin
    authorize domain
    return true
  rescue RuntimeError => e
    puts e.message

    if retries > 0
      puts 'Retrying domain authorization...'
      return try_authorize domain, retries-1
    else
      return false
    end
  end
end

.write(filename, content) ⇒ `Object`

# File 'lib/heroku_ssl/ssl.rb', line 29

def write(filename, content)
  FileUtils.mkdir_p cert_directory

  File.write(cert_directory.join(filename), content)
end

Module: HerokuSsl

Defined Under Namespace

Constant Summary collapse

Class Method Summary collapse

Class Method Details

.authorize(domain) ⇒ Object

.cert_directory ⇒ Object

.client ⇒ Object

.create_dh_params ⇒ Object

.endpoint ⇒ Object

.gen_unless_exists(filename) ⇒ Object

.private_key ⇒ Object

.read(filename) ⇒ Object

.redis_instance ⇒ Object

.regenerate_private_key ⇒ Object

.register(email) ⇒ Object

.request_certificate(domain) ⇒ Object

.try_authorize(domain, retries = 1) ⇒ Object

.write(filename, content) ⇒ Object

.authorize(domain) ⇒ `Object`

.cert_directory ⇒ `Object`

.client ⇒ `Object`

.create_dh_params ⇒ `Object`

.endpoint ⇒ `Object`

.gen_unless_exists(filename) ⇒ `Object`

.private_key ⇒ `Object`

.read(filename) ⇒ `Object`

.redis_instance ⇒ `Object`

.regenerate_private_key ⇒ `Object`

.register(email) ⇒ `Object`

.request_certificate(domain) ⇒ `Object`

.try_authorize(domain, retries = 1) ⇒ `Object`

.write(filename, content) ⇒ `Object`