Public/Submit-ChallengeValidation.ps1
|
function Submit-ChallengeValidation { [CmdletBinding()] param( [Parameter(ValueFromPipeline)] [PSTypeName('PoshACME.PAOrder')]$Order ) # Here's the overview of this function's purpose: # - publish challenges for any pending authorizations in the Order # - notify ACME server to validate those challenges # - wait until the validations are complete (good or bad) # - unpublish the challenges that were published # - return the updated order if successful, otherwise throw Begin { try { # make sure an account exists if (-not ($acct = Get-PAAccount)) { throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first." } # make sure it's valid if ($acct.status -ne 'valid') { throw "Account status is $($acct.status)." } } catch { $PSCmdlet.ThrowTerminatingError($_) } } Process { # make sure any order passed in is actually associated with the account # or if no order was specified, that there's a current order. if (-not $Order) { if (-not ($Order = Get-PAOrder)) { try { throw "No Order parameter specified and no current order selected. Try running Set-PAOrder first." } catch { $PSCmdlet.ThrowTerminatingError($_) } } } elseif ($Order.MainDomain -notin (Get-PAOrder -List).MainDomain) { Write-Error "Order for $($Order.MainDomain) was not found in the current account's order list." return } # make sure the order has a valid state for this function if ($Order.status -eq 'invalid') { Write-Error "Order status is invalid for $($Order.MainDomain). Unable to continue." return } elseif ($Order.status -in 'valid','processing') { Write-Warning "The server has already issued or is processing a certificate for order $($Order.MainDomain)." return } elseif ($Order.status -eq 'ready') { Write-Warning "The order $($Order.MainDomain) has already completed challenge validation and is awaiting finalization." return } # The only order status left is 'pending'. This means that at least one # authorization hasn't been validated yet according to # https://tools.ietf.org/html/rfc8555#section-7.1.6 # So we're going to check all of the authorization statuses and publish # records for any that are still pending. $allAuths = @($Order | Get-PAAuthorization) $published = @() # fill out the order's Plugin attribute so there's a value for each authorization if (-not $Order.Plugin) { Write-Warning "No plugin found associated with order. Defaulting to Manual." $Order.Plugin = @('Manual') * $allAuths.Count } elseif ($Order.Plugin.Count -lt $allAuths.Count) { $lastPlugin = $Order.Plugin[-1] Write-Warning "Fewer Plugin values than names in the order. Using $lastPlugin for the rest." $Order.Plugin += @($lastPlugin) * ($allAuths.Count-$Order.Plugin.Count) } Write-Debug "Plugin: $($Order.Plugin -join ',')" # fill out the order's DnsAlias attribute so there's a value for each authorization if (-not $Order.DnsAlias) { # no alias means they should all just be empty $Order.DnsAlias = @('') * $allAuths.Count } elseif ($Order.DnsAlias.Count -lt $allAuths.Count) { $lastAlias = $Order.DnsAlias[-1] Write-Warning "Fewer DnsAlias values than names in the order. Using $lastAlias for the rest." $Order.DnsAlias += @($lastAlias) * ($allAuths.Count-$Order.DnsAlias.Count) } Write-Debug "DnsAlias: $($Order.DnsAlias -join ',')" # import existing args $PluginArgs = Get-PAPluginArgs $Order.MainDomain # loop through the authorizations looking for challenges to validate for ($i=0; $i -lt $allAuths.Count; $i++) { $auth = $allAuths[$i] if ($auth.status -eq 'pending') { # Determine which challenge to publish based on the plugin type $chalType = $script:Plugins.($Order.Plugin[$i]).ChallengeType $challenge = $auth.challenges | Where-Object { $_.type -eq $chalType } if (-not $challenge) { throw "$($auth.fqdn) authorization contains no challenges that match $($Order.Plugin[$i]) plugin type, $chalType" } if ($Order.UseSerialValidation) { # Publish and validate each challenge separately try { Publish-Challenge $auth.DNSId $acct $challenge.token $Order.Plugin[$i] $PluginArgs -DnsAlias $Order.DnsAlias[$i] Save-Challenge $Order.Plugin[$i] $PluginArgs # sleep while DNS changes propagate if it was a DNS challenge that was published if ($Order.DnsSleep -gt 0 -and 'dns-01' -eq $chalType) { Write-Verbose "Sleeping for $($Order.DnsSleep) seconds while DNS change(s) propagate" Start-SleepProgress $Order.DnsSleep -Activity "Waiting for DNS to propagate" } # ask the server to validate the challenge Write-Verbose "Requesting challenge validation" $challenge.url | Send-ChallengeAck -Account $acct # and wait for it to succeed or fail Wait-AuthValidation $auth.location $Order.ValidationTimeout } catch { $PSCmdlet.ThrowTerminatingError($_) } finally { Unpublish-Challenge $auth.DNSId $acct $challenge.token $Order.Plugin[$i] $PluginArgs -DnsAlias $Order.DnsAlias[$i] Save-Challenge $Order.Plugin[$i] $PluginArgs } } else { try { # Publish each challenge Publish-Challenge $auth.DNSId $acct $challenge.token $Order.Plugin[$i] $PluginArgs -DnsAlias $Order.DnsAlias[$i] # save the details of what we published for validation and cleanup later $published += @{ identifier = $auth.DNSId fqdn = $auth.fqdn authUrl = $auth.location plugin = $Order.Plugin[$i] chalType = $chalType chalToken = $challenge.token chalUrl = $challenge.url DNSAlias = $Order.DnsAlias[$i] } } catch { $PSCmdlet.ThrowTerminatingError($_) } } } elseif ($auth.status -eq 'valid') { # skip ones that are already valid Write-Verbose "$($auth.fqdn) authorization is already valid" continue } else { #status invalid, revoked, deactivated, or expired throw "$($auth.fqdn) authorization status is '$($auth.status)'. Create a new order and try again." } } if (-not $Order.UseSerialValidation) { try { # if we published any records, now we need to save them, wait for DNS # to propagate, and notify the server it can perform the validation if ($published.Count -gt 0) { # grab the set of unique plugins that were used to publish challenges $uniquePluginsUsed = $published.plugin | Sort-Object -Unique # call the Save function for each plugin used $uniquePluginsUsed | ForEach-Object { Save-Challenge $_ $PluginArgs } # sleep while DNS changes propagate if there were DNS challenges published $uniqueChalTypes = $script:Plugins[$uniquePluginsUsed].ChallengeType if ($Order.DnsSleep -gt 0 -and 'dns-01' -in $uniqueChalTypes) { Write-Verbose "Sleeping for $($Order.DnsSleep) seconds while DNS change(s) propagate" Start-SleepProgress $Order.DnsSleep -Activity "Waiting for DNS to propagate" } # ask the server to validate the challenges Write-Verbose "Requesting challenge validations" $published.chalUrl | Send-ChallengeAck -Account $acct # and wait for them to succeed or fail Wait-AuthValidation @($published.authUrl) $Order.ValidationTimeout } } catch { $PSCmdlet.ThrowTerminatingError($_) } finally { # always cleanup the challenges that were published $published | ForEach-Object { Unpublish-Challenge $_.identifier $acct $_.chalToken $_.plugin $PluginArgs -DnsAlias $_.DNSAlias } # save the cleanup changes $published.plugin | Sort-Object -Unique | ForEach-Object { Save-Challenge $_ $PluginArgs } } } } <# .SYNOPSIS Respond to authorization challenges for an ACME order and wait for the ACME server to validate them. .DESCRIPTION An ACME order contains an authorization object for each domain in the order. The client must complete at least one of a set of challenges for each authorization in order to prove they own the domain. Once complete, the client asks the server to validate each challenge and waits for the server to do so and update the authorization status. .PARAMETER Order The ACME order to perform the validations against. The order object must be associated with the currently active ACME account. .EXAMPLE Submit-ChallengeValidation Begin challenge validation on the current order. .EXAMPLE Get-PAOrder 111 | Submit-ChallengeValidation Begin challenge validation on the specified order. .LINK Project: https://github.com/rmbolger/Posh-ACME .LINK Get-PAOrder .LINK New-PAOrder #> } |