2021-06-08 14:50:24 -07:00
// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package cli
import (
2021-08-18 08:18:53 -07:00
"bytes"
2021-06-08 14:50:24 -07:00
"context"
2021-08-17 15:03:28 -07:00
"crypto/tls"
"flag"
2021-06-08 14:50:24 -07:00
"fmt"
"log"
2021-08-17 15:03:28 -07:00
"net/http"
2021-08-18 08:18:53 -07:00
"os"
2021-08-18 10:05:05 -07:00
"strings"
2021-06-08 14:50:24 -07:00
2021-08-19 11:10:27 -07:00
"github.com/peterbourgon/ff/v3/ffcli"
2021-08-18 08:18:53 -07:00
"tailscale.com/atomicfile"
2021-06-08 14:50:24 -07:00
"tailscale.com/client/tailscale"
2021-09-29 14:35:00 -07:00
"tailscale.com/ipn"
2021-10-04 12:11:18 -07:00
"tailscale.com/version"
2021-06-08 14:50:24 -07:00
)
2021-08-17 15:03:28 -07:00
var certCmd = & ffcli . Command {
Name : "cert" ,
Exec : runCert ,
ShortHelp : "get TLS certs" ,
ShortUsage : "cert [flags] <domain>" ,
FlagSet : ( func ( ) * flag . FlagSet {
2021-10-27 13:57:05 -07:00
fs := newFlagSet ( "cert" )
2021-10-04 12:11:18 -07:00
fs . StringVar ( & certArgs . certFile , "cert-file" , "" , "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset" )
fs . StringVar ( & certArgs . keyFile , "key-file" , "" , "output cert file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset" )
2021-08-17 15:03:28 -07:00
fs . BoolVar ( & certArgs . serve , "serve-demo" , false , "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk" )
return fs
} ) ( ) ,
2021-06-08 14:50:24 -07:00
}
2021-08-17 15:03:28 -07:00
var certArgs struct {
certFile string
keyFile string
serve bool
2021-08-16 10:45:05 -07:00
}
2021-08-17 15:03:28 -07:00
func runCert ( ctx context . Context , args [ ] string ) error {
if certArgs . serve {
s := & http . Server {
TLSConfig : & tls . Config {
GetCertificate : tailscale . GetCertificate ,
} ,
Handler : http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
2021-08-18 10:05:05 -07:00
if r . TLS != nil && ! strings . Contains ( r . Host , "." ) && r . Method == "GET" {
if v , ok := tailscale . ExpandSNIName ( r . Context ( ) , r . Host ) ; ok {
http . Redirect ( w , r , "https://" + v + r . URL . Path , http . StatusTemporaryRedirect )
return
}
}
2021-08-17 15:03:28 -07:00
fmt . Fprintf ( w , "<h1>Hello from Tailscale</h1>It works." )
} ) ,
2021-06-08 14:50:24 -07:00
}
2021-08-17 15:03:28 -07:00
log . Printf ( "running TLS server on :443 ..." )
return s . ListenAndServeTLS ( "" , "" )
2021-06-08 14:50:24 -07:00
}
2021-08-17 15:03:28 -07:00
if len ( args ) != 1 {
2021-09-29 14:35:00 -07:00
var hint bytes . Buffer
if st , err := tailscale . Status ( ctx ) ; err == nil {
if st . BackendState != ipn . Running . String ( ) {
fmt . Fprintf ( & hint , "\nTailscale is not running.\n" )
} else if len ( st . CertDomains ) == 0 {
2021-09-30 21:23:18 -07:00
fmt . Fprintf ( & hint , "\nHTTPS cert support is not enabled/configured for your tailnet.\n" )
2021-09-29 14:35:00 -07:00
} else if len ( st . CertDomains ) == 1 {
fmt . Fprintf ( & hint , "\nFor domain, use %q.\n" , st . CertDomains [ 0 ] )
} else {
fmt . Fprintf ( & hint , "\nValid domain options: %q.\n" , st . CertDomains )
}
}
return fmt . Errorf ( "Usage: tailscale cert [flags] <domain>%s" , hint . Bytes ( ) )
2021-06-08 14:50:24 -07:00
}
2021-08-17 15:03:28 -07:00
domain := args [ 0 ]
2021-06-08 14:50:24 -07:00
2021-10-04 12:11:18 -07:00
printf := func ( format string , a ... interface { } ) {
2021-10-27 14:53:46 -07:00
printf ( format , a ... )
2021-10-04 12:11:18 -07:00
}
if certArgs . certFile == "-" || certArgs . keyFile == "-" {
printf = log . Printf
log . SetFlags ( 0 )
2021-06-08 14:50:24 -07:00
}
2021-10-04 12:11:18 -07:00
if certArgs . certFile == "" && certArgs . keyFile == "" {
certArgs . certFile = domain + ".crt"
2021-08-17 15:03:28 -07:00
certArgs . keyFile = domain + ".key"
2021-06-08 14:50:24 -07:00
}
2021-08-17 15:03:28 -07:00
certPEM , keyPEM , err := tailscale . CertPair ( ctx , domain )
2021-06-08 14:50:24 -07:00
if err != nil {
return err
}
2021-10-04 12:11:18 -07:00
needMacWarning := version . IsSandboxedMacOS ( )
macWarn := func ( ) {
if ! needMacWarning {
return
}
needMacWarning = false
dir := "io.tailscale.ipn.macos"
if version . IsMacSysExt ( ) {
dir = "io.tailscale.ipn.macsys"
}
2022-01-06 07:43:24 -08:00
printf ( "Warning: the macOS CLI runs in a sandbox; this binary's filesystem writes go to $HOME/Library/Containers/%s/Data\n" , dir )
2021-08-18 08:18:53 -07:00
}
2021-10-04 12:11:18 -07:00
if certArgs . certFile != "" {
certChanged , err := writeIfChanged ( certArgs . certFile , certPEM , 0644 )
if err != nil {
return err
}
if certArgs . certFile != "-" {
macWarn ( )
if certChanged {
printf ( "Wrote public cert to %v\n" , certArgs . certFile )
} else {
printf ( "Public cert unchanged at %v\n" , certArgs . certFile )
}
}
2021-06-08 14:50:24 -07:00
}
2021-10-04 12:11:18 -07:00
if certArgs . keyFile != "" {
keyChanged , err := writeIfChanged ( certArgs . keyFile , keyPEM , 0600 )
if err != nil {
return err
}
if certArgs . keyFile != "-" {
macWarn ( )
if keyChanged {
printf ( "Wrote private key to %v\n" , certArgs . keyFile )
} else {
printf ( "Private key unchanged at %v\n" , certArgs . keyFile )
}
}
2021-08-18 08:18:53 -07:00
}
2021-06-08 14:50:24 -07:00
return nil
}
2021-08-18 08:18:53 -07:00
func writeIfChanged ( filename string , contents [ ] byte , mode os . FileMode ) ( changed bool , err error ) {
2021-10-04 12:11:18 -07:00
if filename == "-" {
2021-10-27 14:53:46 -07:00
Stdout . Write ( contents )
2021-10-04 12:11:18 -07:00
return false , nil
}
2021-08-18 08:18:53 -07:00
if old , err := os . ReadFile ( filename ) ; err == nil && bytes . Equal ( contents , old ) {
return false , nil
}
if err := atomicfile . WriteFile ( filename , contents , mode ) ; err != nil {
return false , err
}
return true , nil
}
