From ee1f7ba551c245db25b35dc354f18f948e9629ca Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Mon, 18 May 2026 16:55:41 +1000 Subject: [PATCH] Fall back to error code 500 when not set in error object --- backend/app.js | 2 +- backend/internal/certificate.js | 317 +++++++++++++++++++++++--------- 2 files changed, 233 insertions(+), 86 deletions(-) diff --git a/backend/app.js b/backend/app.js index 3039bbb8..b1f04766 100644 --- a/backend/app.js +++ b/backend/app.js @@ -62,7 +62,7 @@ app.use("/", mainRoutes); app.use((err, req, res, _) => { const payload = { error: { - code: err.status, + code: err.status || 500, message: err.public ? err.message : "Internal Error", }, }; diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js index 82a47b92..0c2e546e 100644 --- a/backend/internal/certificate.js +++ b/backend/internal/certificate.js @@ -1,9 +1,9 @@ import fs from "node:fs"; import https from "node:https"; -import path from "path"; import { ZipArchive } from "archiver"; import _ from "lodash"; import moment from "moment"; +import path from "path"; import { ProxyAgent } from "proxy-agent"; import tempWrite from "temp-write"; import dnsPlugins from "../certbot/dns-plugins.json" with { type: "json" }; @@ -29,7 +29,11 @@ const omissions = () => { }; const internalCertificate = { - allowedSslFiles: ["certificate", "certificate_key", "intermediate_certificate"], + allowedSslFiles: [ + "certificate", + "certificate_key", + "intermediate_certificate", + ], intervalTimeout: 1000 * 60 * 60, // 1 hour interval: null, intervalProcessing: false, @@ -56,7 +60,10 @@ const internalCertificate = { ); const expirationThreshold = moment() - .add(internalCertificate.renewBeforeExpirationBy[0], internalCertificate.renewBeforeExpirationBy[1]) + .add( + internalCertificate.renewBeforeExpirationBy[0], + internalCertificate.renewBeforeExpirationBy[1], + ) .format("YYYY-MM-DD HH:mm:ss"); // Fetch all the letsencrypt certs from the db that will expire within the configured threshold @@ -137,12 +144,18 @@ const internalCertificate = { // 6. Re-instate previously disabled hosts // 1. Find out any hosts that are using any of the hostnames in this cert - const inUseResult = await internalHost.getHostsWithDomains(certificate.domain_names); + const inUseResult = await internalHost.getHostsWithDomains( + certificate.domain_names, + ); // 2. Disable them in nginx temporarily await internalCertificate.disableInUseHosts(inUseResult); - const user = await userModel.query().where("is_deleted", 0).andWhere("id", data.owner_user_id).first(); + const user = await userModel + .query() + .where("is_deleted", 0) + .andWhere("id", data.owner_user_id) + .first(); if (!user?.email) { throw new error.ValidationError( "A valid email address must be set on your user account to use Let's Encrypt", @@ -154,7 +167,10 @@ const internalCertificate = { try { await internalNginx.reload(); // 4. Request cert - await internalCertificate.requestLetsEncryptSslWithDnsChallenge(certificate, user.email); + await internalCertificate.requestLetsEncryptSslWithDnsChallenge( + certificate, + user.email, + ); await internalNginx.reload(); // 6. Re-instate previously disabled hosts await internalCertificate.enableInUseHosts(inUseResult); @@ -171,7 +187,10 @@ const internalCertificate = { await internalNginx.reload(); setTimeout(() => {}, 5000); // 4. Request cert - await internalCertificate.requestLetsEncryptSsl(certificate, user.email); + await internalCertificate.requestLetsEncryptSsl( + certificate, + user.email, + ); // 5. Remove LE config await internalNginx.deleteLetsEncryptRequestConfig(certificate); await internalNginx.reload(); @@ -195,7 +214,9 @@ const internalCertificate = { const savedRow = await certificateModel .query() .patchAndFetchById(certificate.id, { - expires_on: moment(certInfo.dates.to, "X").format("YYYY-MM-DD HH:mm:ss"), + expires_on: moment(certInfo.dates.to, "X").format( + "YYYY-MM-DD HH:mm:ss", + ), }) .then(utils.omitRow(omissions())); @@ -204,7 +225,11 @@ const internalCertificate = { letsencrypt_certificate: certInfo, }); - await internalCertificate.addCreatedAuditLog(access, certificate.id, savedRow); + await internalCertificate.addCreatedAuditLog( + access, + certificate.id, + savedRow, + ); return savedRow; } catch (err) { @@ -222,7 +247,11 @@ const internalCertificate = { data.meta = _.assign({}, data.meta || {}, certificate.meta); // Add to audit log - await internalCertificate.addCreatedAuditLog(access, certificate.id, utils.omitRow(omissions())(data)); + await internalCertificate.addCreatedAuditLog( + access, + certificate.id, + utils.omitRow(omissions())(data), + ); return utils.omitRow(omissions())(certificate); }, @@ -321,7 +350,9 @@ const internalCertificate = { row.proxy_hosts = utils.omitRows(["is_deleted"])(row.proxy_hosts); } if (typeof row.redirection_hosts !== "undefined") { - row.redirection_hosts = utils.omitRows(["is_deleted"])(row.redirection_hosts); + row.redirection_hosts = utils.omitRows(["is_deleted"])( + row.redirection_hosts, + ); } if (typeof row.dead_hosts !== "undefined") { row.dead_hosts = utils.omitRows(["is_deleted"])(row.dead_hosts); @@ -344,7 +375,9 @@ const internalCertificate = { if (certificate.provider === "letsencrypt") { const zipDirectory = internalCertificate.getLiveCertPath(data.id); if (!fs.existsSync(zipDirectory)) { - throw new error.ItemNotFoundError(`Certificate ${certificate.nice_name} does not exists`); + throw new error.ItemNotFoundError( + `Certificate ${certificate.nice_name} does not exists`, + ); } const certFiles = fs @@ -361,7 +394,9 @@ const internalCertificate = { fileName: opName, }; } - throw new error.ValidationError("Only Let'sEncrypt certificates can be downloaded"); + throw new error.ValidationError( + "Only Let'sEncrypt certificates can be downloaded", + ); }, /** @@ -470,7 +505,10 @@ const internalCertificate = { * @returns {Promise} */ getCount: async (userId, visibility) => { - const query = certificateModel.query().count("id as count").where("is_deleted", 0); + const query = certificateModel + .query() + .count("id as count") + .where("is_deleted", 0); if (visibility !== "all") { query.andWhere("owner_user_id", userId); @@ -518,13 +556,17 @@ const internalCertificate = { }); }).then(() => { return new Promise((resolve, reject) => { - fs.writeFile(`${dir}/privkey.pem`, certificate.meta.certificate_key, (err) => { - if (err) { - reject(err); - } else { - resolve(); - } - }); + fs.writeFile( + `${dir}/privkey.pem`, + certificate.meta.certificate_key, + (err) => { + if (err) { + reject(err); + } else { + resolve(); + } + }, + ); }); }); }, @@ -597,7 +639,9 @@ const internalCertificate = { upload: async (access, data) => { const row = await internalCertificate.get(access, { id: data.id }); if (row.provider !== "other") { - throw new error.ValidationError("Cannot upload certificates for this type of provider"); + throw new error.ValidationError( + "Cannot upload certificates for this type of provider", + ); } const validations = await internalCertificate.validate(data); @@ -613,8 +657,12 @@ const internalCertificate = { const certificate = await internalCertificate.update(access, { id: data.id, - expires_on: moment(validations.certificate.dates.to, "X").format("YYYY-MM-DD HH:mm:ss"), - domain_names: validations.certificate.cn ? [validations.certificate.cn] : [], + expires_on: moment(validations.certificate.dates.to, "X").format( + "YYYY-MM-DD HH:mm:ss", + ), + domain_names: validations.certificate.cn + ? [validations.certificate.cn] + : [], meta: _.clone(row.meta), // Prevent the update method from changing this value that we'll use later }); @@ -638,7 +686,9 @@ const internalCertificate = { }, 10000); try { - const result = await utils.exec(`openssl pkey -in ${filepath} -check -noout 2>&1 `); + const result = await utils.exec( + `openssl pkey -in ${filepath} -check -noout 2>&1 `, + ); clearTimeout(failTimeout); if (!result.toLowerCase().includes("key is valid")) { throw new error.ValidationError(`Result Validation Error: ${result}`); @@ -648,7 +698,10 @@ const internalCertificate = { } catch (err) { clearTimeout(failTimeout); fs.unlinkSync(filepath); - throw new error.ValidationError(`Certificate Key is not valid (${err.message})`, err); + throw new error.ValidationError( + `Certificate Key is not valid (${err.message})`, + err, + ); } }, @@ -662,7 +715,10 @@ const internalCertificate = { getCertificateInfo: async (certificate, throwExpired) => { const filepath = await tempWrite(certificate); try { - const certData = await internalCertificate.getCertificateInfoFromFile(filepath, throwExpired); + const certData = await internalCertificate.getCertificateInfoFromFile( + filepath, + throwExpired, + ); fs.unlinkSync(filepath); return certData; } catch (err) { @@ -682,7 +738,13 @@ const internalCertificate = { const certData = {}; try { - const result = await utils.execFile("openssl", ["x509", "-in", certificateFile, "-subject", "-noout"]); + const result = await utils.execFile("openssl", [ + "x509", + "-in", + certificateFile, + "-subject", + "-noout", + ]); console.log("openssl result: ", result); // Examples: // subject=CN = *.jc21.com @@ -694,7 +756,13 @@ const internalCertificate = { certData.cn = match[1].trim(); } - const result2 = await utils.execFile("openssl", ["x509", "-in", certificateFile, "-issuer", "-noout"]); + const result2 = await utils.execFile("openssl", [ + "x509", + "-in", + certificateFile, + "-issuer", + "-noout", + ]); // Examples: // issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 // issuer=C = US, O = Let's Encrypt, CN = E5 @@ -705,7 +773,13 @@ const internalCertificate = { certData.issuer = match2[1]; } - const result3 = await utils.execFile("openssl", ["x509", "-in", certificateFile, "-dates", "-noout"]); + const result3 = await utils.execFile("openssl", [ + "x509", + "-in", + certificateFile, + "-dates", + "-noout", + ]); // notBefore=Jul 14 04:04:29 2018 GMT // notAfter=Oct 12 04:04:29 2018 GMT let validFrom = null; @@ -717,7 +791,10 @@ const internalCertificate = { const match = regex.exec(str.trim()); if (match && typeof match[2] !== "undefined") { - const date = Number.parseInt(moment(match[2], "MMM DD HH:mm:ss YYYY z").format("X"), 10); + const date = Number.parseInt( + moment(match[2], "MMM DD HH:mm:ss YYYY z").format("X"), + 10, + ); if (match[1].toLowerCase() === "notbefore") { validFrom = date; @@ -729,10 +806,15 @@ const internalCertificate = { }); if (!validFrom || !validTo) { - throw new error.ValidationError(`Could not determine dates from certificate: ${result}`); + throw new error.ValidationError( + `Could not determine dates from certificate: ${result}`, + ); } - if (throw_expired && validTo < Number.parseInt(moment().format("X"), 10)) { + if ( + throw_expired && + validTo < Number.parseInt(moment().format("X"), 10) + ) { throw new error.ValidationError("Certificate has expired"); } @@ -743,7 +825,10 @@ const internalCertificate = { return certData; } catch (err) { - throw new error.ValidationError(`Certificate is not valid (${err.message})`, err); + throw new error.ValidationError( + `Certificate is not valid (${err.message})`, + err, + ); } }, @@ -781,6 +866,7 @@ const internalCertificate = { const args = [ "certonly", + "-n", // non-interactive "--config", letsencryptConfig, "--work-dir", @@ -829,13 +915,18 @@ const internalCertificate = { const credentialsLocation = `/etc/letsencrypt/credentials/credentials-${certificate.id}`; fs.mkdirSync("/etc/letsencrypt/credentials", { recursive: true }); - fs.writeFileSync(credentialsLocation, certificate.meta.dns_provider_credentials, { mode: 0o600 }); + fs.writeFileSync( + credentialsLocation, + certificate.meta.dns_provider_credentials, + { mode: 0o600 }, + ); // Whether the plugin has a ---credentials argument const hasConfigArg = certificate.meta.dns_provider !== "route53"; const args = [ "certonly", + "-n", // non-interactive "--config", letsencryptConfig, "--work-dir", @@ -856,7 +947,10 @@ const internalCertificate = { ]; if (hasConfigArg) { - args.push(`--${dnsPlugin.full_plugin_name}-credentials`, credentialsLocation); + args.push( + `--${dnsPlugin.full_plugin_name}-credentials`, + credentialsLocation, + ); } if (certificate.meta.propagation_seconds !== undefined) { args.push( @@ -870,7 +964,10 @@ const internalCertificate = { args.push("--key-type", certificate.meta.key_type); } - const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider); + const adds = internalCertificate.getAdditionalCertbotArgs( + certificate.id, + certificate.meta.dns_provider, + ); args.push(...adds.args); logger.info(`Command: ${certbotCommand} ${args ? args.join(" ") : ""}`); @@ -906,9 +1003,13 @@ const internalCertificate = { `${internalCertificate.getLiveCertPath(certificate.id)}/fullchain.pem`, ); - const updatedCertificate = await certificateModel.query().patchAndFetchById(certificate.id, { - expires_on: moment(certInfo.dates.to, "X").format("YYYY-MM-DD HH:mm:ss"), - }); + const updatedCertificate = await certificateModel + .query() + .patchAndFetchById(certificate.id, { + expires_on: moment(certInfo.dates.to, "X").format( + "YYYY-MM-DD HH:mm:ss", + ), + }); // Add to audit log await internalAuditLog.add(access, { @@ -921,7 +1022,9 @@ const internalCertificate = { return updatedCertificate; } - throw new error.ValidationError("Only Let'sEncrypt certificates can be renewed"); + throw new error.ValidationError( + "Only Let'sEncrypt certificates can be renewed", + ); }, /** @@ -955,7 +1058,10 @@ const internalCertificate = { args.push("--key-type", certificate.meta.key_type); } - const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider); + const adds = internalCertificate.getAdditionalCertbotArgs( + certificate.id, + certificate.meta.dns_provider, + ); args.push(...adds.args); logger.info(`Command: ${certbotCommand} ${args ? args.join(" ") : ""}`); @@ -1001,7 +1107,10 @@ const internalCertificate = { args.push("--key-type", certificate.meta.key_type); } - const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider); + const adds = internalCertificate.getAdditionalCertbotArgs( + certificate.id, + certificate.meta.dns_provider, + ); args.push(...adds.args); logger.info(`Command: ${certbotCommand} ${args ? args.join(" ") : ""}`); @@ -1041,7 +1150,9 @@ const internalCertificate = { try { const result = await utils.execFile(certbotCommand, args, adds.opts); - await utils.exec(`rm -f '/etc/letsencrypt/credentials/credentials-${certificate.id}' || true`); + await utils.exec( + `rm -f '/etc/letsencrypt/credentials/credentials-${certificate.id}' || true`, + ); logger.info(result); return result; } catch (err) { @@ -1058,7 +1169,10 @@ const internalCertificate = { */ hasLetsEncryptSslCerts: (certificate) => { const letsencryptPath = internalCertificate.getLiveCertPath(certificate.id); - return fs.existsSync(`${letsencryptPath}/fullchain.pem`) && fs.existsSync(`${letsencryptPath}/privkey.pem`); + return ( + fs.existsSync(`${letsencryptPath}/fullchain.pem`) && + fs.existsSync(`${letsencryptPath}/privkey.pem`) + ); }, /** @@ -1072,15 +1186,24 @@ const internalCertificate = { disableInUseHosts: async (inUseResult) => { if (inUseResult?.total_count) { if (inUseResult?.proxy_hosts.length) { - await internalNginx.bulkDeleteConfigs("proxy_host", inUseResult.proxy_hosts); + await internalNginx.bulkDeleteConfigs( + "proxy_host", + inUseResult.proxy_hosts, + ); } if (inUseResult?.redirection_hosts.length) { - await internalNginx.bulkDeleteConfigs("redirection_host", inUseResult.redirection_hosts); + await internalNginx.bulkDeleteConfigs( + "redirection_host", + inUseResult.redirection_hosts, + ); } if (inUseResult?.dead_hosts.length) { - await internalNginx.bulkDeleteConfigs("dead_host", inUseResult.dead_hosts); + await internalNginx.bulkDeleteConfigs( + "dead_host", + inUseResult.dead_hosts, + ); } } }, @@ -1096,15 +1219,24 @@ const internalCertificate = { enableInUseHosts: async (inUseResult) => { if (inUseResult.total_count) { if (inUseResult.proxy_hosts.length) { - await internalNginx.bulkGenerateConfigs("proxy_host", inUseResult.proxy_hosts); + await internalNginx.bulkGenerateConfigs( + "proxy_host", + inUseResult.proxy_hosts, + ); } if (inUseResult.redirection_hosts.length) { - await internalNginx.bulkGenerateConfigs("redirection_host", inUseResult.redirection_hosts); + await internalNginx.bulkGenerateConfigs( + "redirection_host", + inUseResult.redirection_hosts, + ); } if (inUseResult.dead_hosts.length) { - await internalNginx.bulkGenerateConfigs("dead_host", inUseResult.dead_hosts); + await internalNginx.bulkGenerateConfigs( + "dead_host", + inUseResult.dead_hosts, + ); } } }, @@ -1119,7 +1251,8 @@ const internalCertificate = { await access.can("certificates:list"); // Create a test challenge file - const testChallengeDir = "/data/letsencrypt-acme-challenge/.well-known/acme-challenge"; + const testChallengeDir = + "/data/letsencrypt-acme-challenge/.well-known/acme-challenge"; const testChallengeFile = `${testChallengeDir}/test-challenge`; fs.mkdirSync(testChallengeDir, { recursive: true }); fs.writeFileSync(testChallengeFile, "Success", { encoding: "utf8" }); @@ -1151,38 +1284,42 @@ const internalCertificate = { }; const result = await new Promise((resolve) => { - const req = https.request("https://www.site24x7.com/tools/restapi-tester", options, (res) => { - let responseBody = ""; + const req = https.request( + "https://www.site24x7.com/tools/restapi-tester", + options, + (res) => { + let responseBody = ""; - res.on("data", (chunk) => { - responseBody = responseBody + chunk; - }); + res.on("data", (chunk) => { + responseBody = responseBody + chunk; + }); - res.on("end", () => { - try { - const parsedBody = JSON.parse(`${responseBody}`); - if (res.statusCode !== 200) { - logger.warn( - `Failed to test HTTP challenge for domain ${domain} because HTTP status code ${res.statusCode} was returned: ${parsedBody.message}`, - ); + res.on("end", () => { + try { + const parsedBody = JSON.parse(`${responseBody}`); + if (res.statusCode !== 200) { + logger.warn( + `Failed to test HTTP challenge for domain ${domain} because HTTP status code ${res.statusCode} was returned: ${parsedBody.message}`, + ); + resolve(undefined); + } else { + resolve(parsedBody); + } + } catch (err) { + if (res.statusCode !== 200) { + logger.warn( + `Failed to test HTTP challenge for domain ${domain} because HTTP status code ${res.statusCode} was returned`, + ); + } else { + logger.warn( + `Failed to test HTTP challenge for domain ${domain} because response failed to be parsed: ${err.message}`, + ); + } resolve(undefined); - } else { - resolve(parsedBody); } - } catch (err) { - if (res.statusCode !== 200) { - logger.warn( - `Failed to test HTTP challenge for domain ${domain} because HTTP status code ${res.statusCode} was returned`, - ); - } else { - logger.warn( - `Failed to test HTTP challenge for domain ${domain} because response failed to be parsed: ${err.message}`, - ); - } - resolve(undefined); - } - }); - }); + }); + }, + ); // Make sure to write the request body. req.write(formBody); @@ -1203,7 +1340,10 @@ const internalCertificate = { ); return `other:${result.error.msg}`; } - if (`${result.responsecode}` === "200" && result.htmlresponse === "Success") { + if ( + `${result.responsecode}` === "200" && + result.htmlresponse === "Success" + ) { // Server exists and has responded with the correct data return "ok"; } @@ -1217,19 +1357,26 @@ const internalCertificate = { } if (`${result.responsecode}` === "404") { // Server exists but responded with a 404 - logger.info(`HTTP challenge test failed for domain ${domain} because code 404 was returned`); + logger.info( + `HTTP challenge test failed for domain ${domain} because code 404 was returned`, + ); return "404"; } if ( `${result.responsecode}` === "0" || - (typeof result.reason === "string" && result.reason.toLowerCase() === "host unavailable") + (typeof result.reason === "string" && + result.reason.toLowerCase() === "host unavailable") ) { // Server does not exist at domain - logger.info(`HTTP challenge test failed for domain ${domain} the host was not found`); + logger.info( + `HTTP challenge test failed for domain ${domain} the host was not found`, + ); return "no-host"; } // Other errors - logger.info(`HTTP challenge test failed for domain ${domain} because code ${result.responsecode} was returned`); + logger.info( + `HTTP challenge test failed for domain ${domain} because code ${result.responsecode} was returned`, + ); return `other:${result.responsecode}`; },