Made CSR not required for LE certs, fixed cert encoding

lib/go-tc/deliveryservice_ssl_keys.go

@@ -132,7 +132,7 @@ func (r *DeliveryServiceAddSSLKeysReq) Validate(tx *sql.Tx) error {
 		if r.Certificate.Crt == "" {
 			errs = append(errs, "certificate.crt required")
 		}
-		if r.Certificate.CSR == "" {
+		if r.Certificate.CSR == "" && *r.AuthType != LetsEncryptAuthType {
 			errs = append(errs, "certificate.csr required")
 		}
 	}

traffic_ops/etc/cron.d/autorenew_certs

@@ -1 +1 @@
-*/5 * * * * root export PERL5LIB=/opt/traffic_ops/app/local/lib/perl5:/opt/traffic_ops/app/lib; /opt/traffic_ops/app/bin/checks/ToAutorenewCerts.pl -c '{ "base_url": "https://127.0.0.1" }' -l 1 >> /var/log/traffic_ops/autorenew.log 2>&1
+*/5 * * * * trafops export PERL5LIB=/opt/traffic_ops/app/local/lib/perl5:/opt/traffic_ops/app/lib; /opt/traffic_ops/app/bin/checks/ToAutorenewCerts.pl -c '{ "base_url": "https://127.0.0.1" }' -l 1 >> /var/log/traffic_ops/autorenew.log 2>&1

traffic_ops/traffic_ops_golang/deliveryservice/letsencryptcert.go

@@ -203,9 +203,15 @@ func GetLetsEncryptCertificates(cfg *config.Config, req tc.DeliveryServiceLetsEn
 	}
 	myUser.Registration = reg
 
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		log.Errorf(deliveryService + ": Error generating private key")
+		return err
+	}
 	request := certificate.ObtainRequest{
-		Domains: []string{domainName},
-		Bundle:  true,
+		Domains:    []string{domainName},
+		Bundle:     true,
+		PrivateKey: priv,
 	}
 	certificates, err := client.Certificate.Obtain(request)
 	if err != nil {
@@ -238,21 +244,17 @@ func GetLetsEncryptCertificates(cfg *config.Config, req tc.DeliveryServiceLetsEn
 		Expiration:      expiration,
 	}
 
-	crtBuf := bytes.Buffer{}
-	if err := pem.Encode(&crtBuf, &pem.Block{Type: "CERTIFICATE", Bytes: certificates.Certificate}); err != nil {
-		log.Errorf(deliveryService + ": pem-encoding certificate: " + err.Error())
-		return errors.New(deliveryService + ": pem-encoding certificate: " + err.Error())
+	keyDer := x509.MarshalPKCS1PrivateKey(priv)
+	if keyDer == nil {
+		return errors.New("marshalling private key: nil der")
 	}
-	crtPem := crtBuf.Bytes()
-
 	keyBuf := bytes.Buffer{}
-	if err := pem.Encode(&keyBuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: certificates.PrivateKey}); err != nil {
-		log.Errorf(deliveryService + ": pem-encoding key: " + err.Error())
-		return errors.New(deliveryService + ": pem-encoding key: " + err.Error())
+	if err := pem.Encode(&keyBuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: keyDer}); err != nil {
+		return errors.New("pem-encoding private key: " + err.Error())
 	}
 	keyPem := keyBuf.Bytes()
 
-	dsSSLKeys.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(crtPem)), Key: string(EncodePEMToLegacyPerlRiakFormat(keyPem)), CSR: "Not Applicable"}
+	dsSSLKeys.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(certificates.Certificate)), Key: string(EncodePEMToLegacyPerlRiakFormat(keyPem)), CSR: ""}
 	if err := riaksvc.PutDeliveryServiceSSLKeysObj(dsSSLKeys, tx.Tx, cfg.RiakAuthOptions, cfg.RiakPort); err != nil {
 		log.Errorf("Error posting lets encrypt certificate to riak: %s", err.Error())
 		return errors.New(deliveryService + ": putting riak keys: " + err.Error())

traffic_portal/app/src/common/modules/form/deliveryServiceSslKeys/FormDeliveryServiceSslKeysController.js

@@ -39,6 +39,19 @@ var FormDeliveryServiceSslKeysController = function(deliveryService, sslKeys, $s
         $scope.sslKeys.authType = 'Self Signed';
     }
 
+	$scope.requiresCrs = function() {
+	  return $scope.sslKeys.authType !== 'Lets Encrypt';
+    };
+    $scope.toggleCsrRequirement = function() {
+	    if ($scope.requiresCrs() && document.getElementById('certificateSigningRequest') !== null) {
+            document.getElementById('certificateSigningRequest').setAttribute('required', '');
+        } else if (document.getElementById('certificateSigningRequest') !== null) {
+            document.getElementById('certificateSigningRequest').removeAttribute('required');
+        }
+    };
+
+	$scope.toggleCsrRequirement();
+
 	$scope.hasError = formUtils.hasError;
 	$scope.hasPropertyError = formUtils.hasPropertyError;
 	$scope.navigateToPath = locationUtils.navigateToPath;

traffic_portal/app/src/common/modules/form/deliveryServiceSslKeys/form.deliveryServiceSslKeys.tpl.html

@@ -60,12 +60,12 @@
 					<input name="version" type="text" class="form-control" ng-model="sslKeys.expiration" readonly>
 				</div>
 			</div>
-			<div class="form-group" ng-class="{'has-error': hasError(dsSslKeyForm.hostname), 'has-feedback': hasError(dsSslKeyForm.hostname)}">
+			<div class="form-group" ng-class="{'has-error': hasError(dsSslKeyForm.authType), 'has-feedback': hasError(dsSslKeyForm.authType)}">
 				<label class="control-label col-md-2 col-sm-2 col-xs-12">Certificate Source (Self Signed, CA, etc) *</label>
 				<div class="col-md-10 col-sm-10 col-xs-12">
-					<input name="hostname" type="text" class="form-control" ng-model="sslKeys.authType" required autofocus>
-					<small class="input-error" ng-show="hasPropertyError(dsSslKeyForm.hostname, 'required')">Required</small>
-					<span ng-show="hasError(dsSslKeyForm.hostname)" class="form-control-feedback"><i class="fa fa-times"></i></span>
+					<input name="authType" type="text" class="form-control" ng-model="sslKeys.authType" ng-change="toggleCsrRequirement()" required autofocus>
+					<small class="input-error" ng-show="hasPropertyError(dsSslKeyForm.authType, 'required')">Required</small>
+					<span ng-show="hasError(dsSslKeyForm.authType)" class="form-control-feedback"><i class="fa fa-times"></i></span>
 				</div>
 			</div>
             <div class="form-group" ng-class="{'has-error': hasError(dsSslKeyForm.privateKey), 'has-feedback': hasError(dsSslKeyForm.privateKey)}">
@@ -76,12 +76,12 @@
                     <span ng-show="hasError(dsSslKeyForm.privateKey)" class="form-control-feedback"><i class="fa fa-times"></i></span>
                 </div>
             </div>
-            <div class="form-group" ng-class="{'has-error': hasError(dsSslKeyForm.certificateSigningRequest), 'has-feedback': hasError(dsSslKeyForm.certificateSigningRequest)}">
+            <div class="form-group" ng-class="{'has-error': hasError(dsSslKeyForm.certificateSigningRequest) && requiresCrs(), 'has-feedback': hasError(dsSslKeyForm.certificateSigningRequest) && requiresCrs()}" ng-if="requiresCrs()">
                 <label class="control-label col-md-2 col-sm-2 col-xs-12">Certificate Signing Request *</label>
                 <div class="col-md-10 col-sm-10 col-xs-12">
-                    <textarea name="certificateSigningRequest" type="text" class="form-control" ng-model="sslKeys.certificate.csr" rows="25" required autofocus></textarea>
-                    <small class="input-error" ng-show="hasPropertyError(dsSslKeyForm.certificateSigningRequest, 'required')">Required</small>
-                    <span ng-show="hasError(dsSslKeyForm.certificateSigningRequest)" class="form-control-feedback"><i class="fa fa-times"></i></span>
+                    <textarea id="certificateSigningRequest" name="certificateSigningRequest" type="text" class="form-control" ng-model="sslKeys.certificate.csr" rows="25" autofocus required></textarea>
+                    <small class="input-error" ng-show="hasPropertyError(dsSslKeyForm.certificateSigningRequest, 'required') && requiresCrs()">Required</small>
+                    <span ng-show="hasError(dsSslKeyForm.certificateSigningRequest) && requiresCrs()" class="form-control-feedback"><i class="fa fa-times"></i></span>
                 </div>
             </div>
             <div class="form-group" ng-class="{'has-error': hasError(dsSslKeyForm.certificate), 'has-feedback': hasError(dsSslKeyForm.certificate)}">