93
// changeCertListener wraps a TLS net.Listener.
94
// It allows connection handshakes to be
95
// blocked while the TLS certificate is updated.
96
type changeCertListener struct {
100
// A mutex used to block accept operations.
103
// A channel used to pass in new certificate information.
104
certChanged <-chan params.StateServingInfo
106
// The config to update with any new certificate.
110
func newChangeCertListener(lis net.Listener, certChanged <-chan params.StateServingInfo, config *tls.Config) *changeCertListener {
111
cl := &changeCertListener{
113
certChanged: certChanged,
118
cl.tomb.Kill(cl.processCertChanges())
123
// Accept waits for and returns the next connection to the listener.
124
func (cl *changeCertListener) Accept() (net.Conn, error) {
125
conn, err := cl.Listener.Accept()
132
// make a copy of cl.config so that update certificate does not mutate
133
// the config passed to the tls.Server for this conn.
135
return tls.Server(conn, &config), nil
138
// Close closes the listener.
139
func (cl *changeCertListener) Close() error {
141
return cl.Listener.Close()
144
// processCertChanges receives new certificate information and
145
// calls a method to update the listener's certificate.
146
func (cl *changeCertListener) processCertChanges() error {
149
case info := <-cl.certChanged:
151
cl.updateCertificate([]byte(info.Cert), []byte(info.PrivateKey))
153
case <-cl.tomb.Dying():
159
// updateCertificate generates a new TLS certificate and assigns it
160
// to the TLS listener.
161
func (cl *changeCertListener) updateCertificate(cert, key []byte) {
164
if tlsCert, err := tls.X509KeyPair(cert, key); err != nil {
165
logger.Errorf("cannot create new TLS certificate: %v", err)
167
logger.Infof("updating api server certificate")
168
x509Cert, err := x509.ParseCertificate(tlsCert.Certificate[0])
171
for _, ip := range x509Cert.IPAddresses {
172
addr = append(addr, ip.String())
174
logger.Infof("new certificate addresses: %v", strings.Join(addr, ", "))
176
cl.config.Certificates = []tls.Certificate{tlsCert}
180
110
// NewServer serves the given state by accepting requests on the given
181
111
// listener, using the given certificate and key (in PEM format) for
182
112
// authentication.
192
122
// server needs to run before mongo upgrades have happened and
193
123
// any state manipulation may be be relying on features of the
194
124
// database added by upgrades. Here be dragons.
195
l, ok := lis.(*net.TCPListener)
197
return nil, errors.Errorf("listener is not of type *net.TCPListener: %T", lis)
199
srv, err := newServer(s, l, cfg)
125
srv, err := newServer(s, lis, cfg)
201
127
// There is no running server around to close the listener.
208
func newServer(s *state.State, lis *net.TCPListener, cfg ServerConfig) (_ *Server, err error) {
209
tlsCert, err := tls.X509KeyPair(cfg.Cert, cfg.Key)
213
// TODO(rog) check that *srvRoot is a valid type for using
215
tlsConfig := utils.SecureTLSConfig()
216
tlsConfig.Certificates = []tls.Certificate{tlsCert}
134
func newServer(s *state.State, lis net.Listener, cfg ServerConfig) (_ *Server, err error) {
218
135
stPool := cfg.StatePool
219
136
if stPool == nil {
220
137
stPool = state.NewStatePool(s)
224
143
newObserver: cfg.NewObserver,
226
145
statePool: stPool,
227
lis: newChangeCertListener(lis, cfg.CertChanged, tlsConfig),
229
147
dataDir: cfg.DataDir,
230
148
logDir: cfg.LogDir,
233
151
adminAPIFactories: map[int]adminAPIFactory{
234
152
3: newAdminAPIV3,
154
certChanged: cfg.CertChanged,
157
srv.tlsConfig = srv.newTLSConfig()
158
srv.lis = tls.NewListener(lis, srv.tlsConfig)
237
160
srv.authCtxt, err = newAuthContext(s)
239
162
return nil, errors.Trace(err)
164
if err := srv.updateCertificate(cfg.Cert, cfg.Key); err != nil {
165
return nil, errors.Annotatef(err, "cannot set initial certificate")
171
func (srv *Server) newTLSConfig() *tls.Config {
172
m := autocert.Manager{
173
Prompt: autocert.AcceptTOS,
174
Cache: srv.state.AutocertCache(),
175
// TODO(rogpeppe): use whitelist policy for HostPolicy.
176
// TODO(rogpeppe): allow a different URL to be specified (for example
177
// to use the letencrypt staging endpoint).
179
tlsConfig := utils.SecureTLSConfig()
180
tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
181
// Get the locally created certificate and whether it's appropriate
182
// for the SNI name. If not, we'll try to get an acme cert and
183
// fall back to the local certificate if that fails.
184
cert, shouldUse := srv.localCertificate(clientHello.ServerName)
188
acmeCert, err := m.GetCertificate(clientHello)
192
logger.Errorf("cannot get autocert certificate for %q: %v", clientHello.ServerName, err)
245
198
func (srv *Server) ConnectionCount() int64 {
246
199
return atomic.LoadInt64(&srv.connCount)
307
addr := srv.lis.Addr() // not valid after addr closed
308
logger.Debugf("Starting API http server on address %q", addr)
309
err := http.Serve(srv.lis, mux)
310
// normally logging an error at debug level would be grounds for a beating,
266
logger.Debugf("Starting API http server on address %q", srv.lis.Addr())
267
httpSrv := &http.Server{
269
TLSConfig: srv.tlsConfig,
271
err := httpSrv.Serve(srv.lis)
272
// Normally logging an error at debug level would be grounds for a beating,
311
273
// however in this case the error is *expected* to be non nil, and does not
312
274
// affect the operation of the apiserver, but for completeness log it anyway.
313
275
logger.Debugf("API http server exited, final error was: %v", err)
589
551
func (srv *Server) mongoPinger() error {
590
// TODO(fwereade): 2016-03-17 lp:1558657
591
timer := time.NewTimer(0)
592
552
session := srv.state.MongoSession().Copy()
593
553
defer session.Close()
597
case <-srv.tomb.Dying():
600
555
if err := session.Ping(); err != nil {
601
556
logger.Infof("got error pinging mongo: %v", err)
602
557
return errors.Annotate(err, "error pinging mongo")
604
timer.Reset(mongoPingInterval)
560
case <-srv.clock.After(mongoPingInterval):
561
case <-srv.tomb.Dying():
567
// localCertificate returns the local server certificate and reports
568
// whether it should be used to serve a connection addressed to the
569
// given server name.
570
func (srv *Server) localCertificate(serverName string) (*tls.Certificate, bool) {
572
defer srv.mu.Unlock()
573
if net.ParseIP(serverName) != nil {
574
// IP address connections always use the local certificate.
575
return srv.cert, true
577
if !strings.Contains(serverName, ".") {
578
// If the server name doesn't contain a period there's no
579
// way we can obtain a certificate for it.
580
// This applies to the common case where "juju-apiserver" is
581
// used as the server name.
582
return srv.cert, true
584
// Perhaps the server name is explicitly mentioned by the server certificate.
585
for _, name := range srv.certDNSNames {
586
if name == serverName {
587
return srv.cert, true
590
return srv.cert, false
593
// processCertChanges receives new certificate information and
594
// calls a method to update the listener's certificate.
595
func (srv *Server) processCertChanges() error {
598
case info := <-srv.certChanged:
602
logger.Infof("received API server certificate")
603
if err := srv.updateCertificate(info.Cert, info.PrivateKey); err != nil {
604
logger.Errorf("cannot update certificate: %v", err)
606
case <-srv.tomb.Dying():
612
// updateCertificate updates the current CA certificate and key
613
// from the given cert and key.
614
func (srv *Server) updateCertificate(cert, key string) error {
616
defer srv.mu.Unlock()
617
tlsCert, err := tls.X509KeyPair([]byte(cert), []byte(key))
619
return errors.Annotatef(err, "cannot create new TLS certificate")
621
x509Cert, err := x509.ParseCertificate(tlsCert.Certificate[0])
623
return errors.Annotatef(err, "parsing x509 cert")
626
for _, ip := range x509Cert.IPAddresses {
627
addr = append(addr, ip.String())
629
logger.Infof("new certificate addresses: %v", strings.Join(addr, ", "))
631
srv.certDNSNames = x509Cert.DNSNames
608
635
func serverError(err error) error {