diff options
author | Andrew Cady <d@jerkface.net> | 2016-04-10 19:52:53 -0400 |
---|---|---|
committer | Andrew Cady <d@jerkface.net> | 2016-04-10 19:52:53 -0400 |
commit | ed569c0a0adcddb95658a4ef88aa6db4d4145f98 (patch) | |
tree | 9eba9ee7dcea48967aeda9a09f3555ba716c4f78 | |
parent | c2dbb32adf34a9bcef54e913f9bc025d846f056e (diff) |
canProvision will not check TLS cert validity
-rw-r--r-- | acme-certify.cabal | 2 | ||||
-rw-r--r-- | src/Network/ACME.hs | 18 |
2 files changed, 18 insertions, 2 deletions
diff --git a/acme-certify.cabal b/acme-certify.cabal index 364e269..ac6427a 100644 --- a/acme-certify.cabal +++ b/acme-certify.cabal | |||
@@ -18,7 +18,7 @@ library | |||
18 | cryptonite, aeson, bytestring, base64-bytestring, SHA, | 18 | cryptonite, aeson, bytestring, base64-bytestring, SHA, |
19 | mtl, text, HsOpenSSL, wreq, lens, lens-aeson, time, | 19 | mtl, text, HsOpenSSL, wreq, lens, lens-aeson, time, |
20 | email-validate, pipes, directory, network-uri, errors, | 20 | email-validate, pipes, directory, network-uri, errors, |
21 | resourcet, file-embed | 21 | resourcet, file-embed, http-conduit, connection |
22 | default-language: Haskell2010 | 22 | default-language: Haskell2010 |
23 | 23 | ||
24 | executable acme | 24 | executable acme |
diff --git a/src/Network/ACME.hs b/src/Network/ACME.hs index 97e6e10..4b96afc 100644 --- a/src/Network/ACME.hs +++ b/src/Network/ACME.hs | |||
@@ -31,6 +31,9 @@ import qualified Data.Text as T | |||
31 | import Data.Text.Encoding (decodeUtf8, encodeUtf8) | 31 | import Data.Text.Encoding (decodeUtf8, encodeUtf8) |
32 | import Data.Time.Clock.POSIX (getPOSIXTime) | 32 | import Data.Time.Clock.POSIX (getPOSIXTime) |
33 | import Network.ACME.Encoding | 33 | import Network.ACME.Encoding |
34 | import Network.Connection | ||
35 | import Network.HTTP.Conduit (Manager, mkManagerSettings, | ||
36 | newManager) | ||
34 | import Network.URI | 37 | import Network.URI |
35 | import Network.Wreq (Response, checkStatus, defaults, | 38 | import Network.Wreq (Response, checkStatus, defaults, |
36 | responseBody, responseHeader, | 39 | responseBody, responseHeader, |
@@ -120,11 +123,24 @@ ensureWritableDir file name = do | |||
120 | canProvision :: DomainName -> HttpProvisioner -> IO Bool | 123 | canProvision :: DomainName -> HttpProvisioner -> IO Bool |
121 | canProvision domain provision = do | 124 | canProvision domain provision = do |
122 | token <- (".test." ++) . show <$> getPOSIXTime | 125 | token <- (".test." ++) . show <$> getPOSIXTime |
126 | clientManager <- noSSLVerifyManager | ||
127 | let opts = defaults & W.manager .~ Right clientManager | ||
123 | r <- runResourceT $ do | 128 | r <- runResourceT $ do |
124 | provision (fromString token) (fromString token) | 129 | provision (fromString token) (fromString token) |
125 | liftIO $ W.get $ show $ acmeChallengeURI domain (fromString token) | 130 | liftIO $ W.getWith opts $ show $ acmeChallengeURI domain (fromString token) |
126 | return $ r ^. responseBody == fromString token | 131 | return $ r ^. responseBody == fromString token |
127 | 132 | ||
133 | -- From http://stackoverflow.com/questions/21310690/ | ||
134 | -- disable-ssl-tls-certificate-validation-in-network-http-conduit/21310691#21310691 | ||
135 | noSSLVerifyManager :: IO Manager | ||
136 | noSSLVerifyManager = newManager $ mkManagerSettings tlsSettings Nothing | ||
137 | where | ||
138 | tlsSettings = TLSSettingsSimple | ||
139 | { settingDisableCertificateValidation = True | ||
140 | , settingDisableSession = False | ||
141 | , settingUseServerName = True | ||
142 | } | ||
143 | |||
128 | canProvisionDir :: WritableDir -> DomainName -> IO Bool | 144 | canProvisionDir :: WritableDir -> DomainName -> IO Bool |
129 | canProvisionDir challengeDir domain = canProvision domain (provisionViaFile challengeDir) | 145 | canProvisionDir challengeDir domain = canProvision domain (provisionViaFile challengeDir) |
130 | 146 | ||