diff options
| author | Andrew Cady <d@jerkface.net> | 2016-04-10 19:52:53 -0400 |
|---|---|---|
| committer | Andrew Cady <d@jerkface.net> | 2016-04-10 19:52:53 -0400 |
| commit | ed569c0a0adcddb95658a4ef88aa6db4d4145f98 (patch) | |
| tree | 9eba9ee7dcea48967aeda9a09f3555ba716c4f78 | |
| parent | c2dbb32adf34a9bcef54e913f9bc025d846f056e (diff) | |
canProvision will not check TLS cert validity
| -rw-r--r-- | acme-certify.cabal | 2 | ||||
| -rw-r--r-- | src/Network/ACME.hs | 18 |
2 files changed, 18 insertions, 2 deletions
diff --git a/acme-certify.cabal b/acme-certify.cabal index 364e269..ac6427a 100644 --- a/acme-certify.cabal +++ b/acme-certify.cabal | |||
| @@ -18,7 +18,7 @@ library | |||
| 18 | cryptonite, aeson, bytestring, base64-bytestring, SHA, | 18 | cryptonite, aeson, bytestring, base64-bytestring, SHA, |
| 19 | mtl, text, HsOpenSSL, wreq, lens, lens-aeson, time, | 19 | mtl, text, HsOpenSSL, wreq, lens, lens-aeson, time, |
| 20 | email-validate, pipes, directory, network-uri, errors, | 20 | email-validate, pipes, directory, network-uri, errors, |
| 21 | resourcet, file-embed | 21 | resourcet, file-embed, http-conduit, connection |
| 22 | default-language: Haskell2010 | 22 | default-language: Haskell2010 |
| 23 | 23 | ||
| 24 | executable acme | 24 | executable acme |
diff --git a/src/Network/ACME.hs b/src/Network/ACME.hs index 97e6e10..4b96afc 100644 --- a/src/Network/ACME.hs +++ b/src/Network/ACME.hs | |||
| @@ -31,6 +31,9 @@ import qualified Data.Text as T | |||
| 31 | import Data.Text.Encoding (decodeUtf8, encodeUtf8) | 31 | import Data.Text.Encoding (decodeUtf8, encodeUtf8) |
| 32 | import Data.Time.Clock.POSIX (getPOSIXTime) | 32 | import Data.Time.Clock.POSIX (getPOSIXTime) |
| 33 | import Network.ACME.Encoding | 33 | import Network.ACME.Encoding |
| 34 | import Network.Connection | ||
| 35 | import Network.HTTP.Conduit (Manager, mkManagerSettings, | ||
| 36 | newManager) | ||
| 34 | import Network.URI | 37 | import Network.URI |
| 35 | import Network.Wreq (Response, checkStatus, defaults, | 38 | import Network.Wreq (Response, checkStatus, defaults, |
| 36 | responseBody, responseHeader, | 39 | responseBody, responseHeader, |
| @@ -120,11 +123,24 @@ ensureWritableDir file name = do | |||
| 120 | canProvision :: DomainName -> HttpProvisioner -> IO Bool | 123 | canProvision :: DomainName -> HttpProvisioner -> IO Bool |
| 121 | canProvision domain provision = do | 124 | canProvision domain provision = do |
| 122 | token <- (".test." ++) . show <$> getPOSIXTime | 125 | token <- (".test." ++) . show <$> getPOSIXTime |
| 126 | clientManager <- noSSLVerifyManager | ||
| 127 | let opts = defaults & W.manager .~ Right clientManager | ||
| 123 | r <- runResourceT $ do | 128 | r <- runResourceT $ do |
| 124 | provision (fromString token) (fromString token) | 129 | provision (fromString token) (fromString token) |
| 125 | liftIO $ W.get $ show $ acmeChallengeURI domain (fromString token) | 130 | liftIO $ W.getWith opts $ show $ acmeChallengeURI domain (fromString token) |
| 126 | return $ r ^. responseBody == fromString token | 131 | return $ r ^. responseBody == fromString token |
| 127 | 132 | ||
| 133 | -- From http://stackoverflow.com/questions/21310690/ | ||
| 134 | -- disable-ssl-tls-certificate-validation-in-network-http-conduit/21310691#21310691 | ||
| 135 | noSSLVerifyManager :: IO Manager | ||
| 136 | noSSLVerifyManager = newManager $ mkManagerSettings tlsSettings Nothing | ||
| 137 | where | ||
| 138 | tlsSettings = TLSSettingsSimple | ||
| 139 | { settingDisableCertificateValidation = True | ||
| 140 | , settingDisableSession = False | ||
| 141 | , settingUseServerName = True | ||
| 142 | } | ||
| 143 | |||
| 128 | canProvisionDir :: WritableDir -> DomainName -> IO Bool | 144 | canProvisionDir :: WritableDir -> DomainName -> IO Bool |
| 129 | canProvisionDir challengeDir domain = canProvision domain (provisionViaFile challengeDir) | 145 | canProvisionDir challengeDir domain = canProvision domain (provisionViaFile challengeDir) |
| 130 | 146 | ||