// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package cli
import (
	"bytes"
	"context"
	"crypto/tls"
	"flag"
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
	"time"

	"github.com/peterbourgon/ff/v3/ffcli"
	"tailscale.com/atomicfile"
	"tailscale.com/client/tailscale"
	"tailscale.com/ipn"
)
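// certCmd is the "tailscale cert" subcommand. It fetches a TLS
// certificate and private key for a tailnet domain from the local
// tailscaled and writes them to disk, or (with -serve-demo) serves a
// demo HTTPS site on :443 using that certificate. All flags are bound
// to the package-level certArgs and consumed by runCert.
var certCmd = &ffcli.Command{
	Name:       "cert",
	Exec:       runCert,
	ShortHelp:  "get TLS certs",
	ShortUsage: "cert [flags] <domain>",
	FlagSet: (func() *flag.FlagSet {
		fs := flag.NewFlagSet("cert", flag.ExitOnError)
		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file; defaults to DOMAIN.crt")
		// This flag names the private key output, not a second cert file.
		fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file; defaults to DOMAIN.key")
		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
		return fs
	})(),
}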
// certArgs holds the parsed flag values for certCmd; see its FlagSet
// for the flag names and defaults.
var certArgs struct {
	certFile string // -cert-file: output cert path; runCert fills in DOMAIN.crt when empty
	keyFile  string // -key-file: output key path; runCert fills in DOMAIN.key when empty
	serve    bool   // -serve-demo: serve a demo HTTPS site on :443 instead of writing files
}
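// runCert implements "tailscale cert". With -serve-demo it runs a demo
// HTTPS server on :443 whose certificate comes from the local
// tailscaled (see serveCertDemo). Otherwise it fetches the cert/key
// pair for the single domain argument via tailscale.CertPair and writes
// them to certArgs.certFile and certArgs.keyFile, defaulting those to
// DOMAIN.crt and DOMAIN.key.
//
// It returns a usage error (decorated with a hint from the backend
// status) when exactly one domain is not supplied, or any error from
// the local API or from writing the files.
func runCert(ctx context.Context, args []string) error {
	if certArgs.serve {
		return serveCertDemo()
	}

	if len(args) != 1 {
		return fmt.Errorf("Usage: tailscale cert [flags] <domain>%s", certUsageHint(ctx))
	}
	domain := args[0]

	if certArgs.certFile == "" {
		certArgs.certFile = domain + ".crt"
	}
	if certArgs.keyFile == "" {
		certArgs.keyFile = domain + ".key"
	}
	certPEM, keyPEM, err := tailscale.CertPair(ctx, domain)
	if err != nil {
		return err
	}
	// The certificate is public and may be world-readable (0644); the
	// private key is written owner-only (0600).
	certChanged, err := writeIfChanged(certArgs.certFile, certPEM, 0644)
	if err != nil {
		return err
	}
	if certChanged {
		fmt.Printf("Wrote public cert to %v\n", certArgs.certFile)
	} else {
		fmt.Printf("Public cert unchanged at %v\n", certArgs.certFile)
	}
	keyChanged, err := writeIfChanged(certArgs.keyFile, keyPEM, 0600)
	if err != nil {
		return err
	}
	if keyChanged {
		fmt.Printf("Wrote private key to %v\n", certArgs.keyFile)
	} else {
		fmt.Printf("Private key unchanged at %v\n", certArgs.keyFile)
	}
	return nil
}

// serveCertDemo runs the -serve-demo HTTPS server on :443. The
// certificate is obtained on demand through tailscale.GetCertificate,
// so nothing is written to disk. A GET for a bare (dot-less) host name
// is redirected to the expanded name returned by tailscale.ExpandSNIName
// so that the browser-visible URL matches the certificate. It blocks
// until the server fails, returning ListenAndServeTLS's error.
func serveCertDemo() error {
	s := &http.Server{
		TLSConfig: &tls.Config{
			GetCertificate: tailscale.GetCertificate,
			// Go's server-side default allows older protocol versions;
			// nothing in this demo needs anything below TLS 1.2.
			MinVersion: tls.VersionTLS12,
		},
		// Bound how long a client may take to send its request headers so
		// a slow or idle connection cannot pin a handler goroutine forever.
		ReadHeaderTimeout: 10 * time.Second,
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if r.TLS != nil && !strings.Contains(r.Host, ".") && r.Method == "GET" {
				if v, ok := tailscale.ExpandSNIName(r.Context(), r.Host); ok {
					http.Redirect(w, r, "https://"+v+r.URL.Path, http.StatusTemporaryRedirect)
					return
				}
			}
			fmt.Fprintf(w, "<h1>Hello from Tailscale</h1>It works.")
		}),
	}
	log.Printf("running TLS server on :443 ...")
	// Empty cert/key paths: the certificate is supplied by
	// TLSConfig.GetCertificate instead of files.
	return s.ListenAndServeTLS("", "")
}

// certUsageHint asks tailscaled for its status and returns an optional
// hint (newline-prefixed) to append to the usage error: why a cert
// cannot be issued, or which domains are valid. It returns nil when the
// status call fails; the hint is best-effort and never blocks the usage
// error from being returned.
func certUsageHint(ctx context.Context) []byte {
	st, err := tailscale.Status(ctx)
	if err != nil {
		return nil
	}
	var hint bytes.Buffer
	switch {
	case st.BackendState != ipn.Running.String():
		fmt.Fprintf(&hint, "\nTailscale is not running.\n")
	case len(st.CertDomains) == 0:
		fmt.Fprintf(&hint, "\nHTTPS cert support is not enabled/configured for your tailnet.\n")
	case len(st.CertDomains) == 1:
		fmt.Fprintf(&hint, "\nFor domain, use %q.\n", st.CertDomains[0])
	default:
		fmt.Fprintf(&hint, "\nValid domain options: %q.\n", st.CertDomains)
	}
	return hint.Bytes()
}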
// writeIfChanged writes contents to filename (atomically, via
// atomicfile.WriteFile with the given mode) unless the file already
// exists with exactly those bytes, in which case nothing is touched.
// It reports whether a write happened.
//
// Any error reading the existing file, including "does not exist", is
// treated as "different" and the file is written. When the contents are
// unchanged the existing file's permission bits are left exactly as they
// are; mode is only applied on a write.
func writeIfChanged(filename string, contents []byte, mode os.FileMode) (changed bool, err error) {
	existing, readErr := os.ReadFile(filename)
	unchanged := readErr == nil && bytes.Equal(existing, contents)
	if unchanged {
		return false, nil
	}
	if werr := atomicfile.WriteFile(filename, contents, mode); werr != nil {
		return false, werr
	}
	return true, nil
}