decouple certs from ssl

api/controllers/certificates.go

@@ -0,0 +1,61 @@
+package controllers
+
+import (
+	"net/http"
+	"sort"
+	"strings"
+
+	"github.com/convox/rack/api/httperr"
+	"github.com/convox/rack/api/provider"
+	"github.com/gorilla/mux"
+)
+
+func CertificateCreate(rw http.ResponseWriter, r *http.Request) *httperr.Error {
+	pub := r.FormValue("public")
+	key := r.FormValue("private")
+	chain := r.FormValue("chain")
+
+	cert, err := provider.CertificateCreate(pub, key, chain)
+
+	if err != nil {
+		return httperr.Server(err)
+	}
+
+	return RenderJson(rw, cert)
+}
+
+func CertificateDelete(rw http.ResponseWriter, r *http.Request) *httperr.Error {
+	id := mux.Vars(r)["id"]
+
+	err := provider.CertificateDelete(id)
+
+	if err != nil {
+		return httperr.Server(err)
+	}
+
+	return RenderSuccess(rw)
+}
+
+func CertificateGenerate(rw http.ResponseWriter, r *http.Request) *httperr.Error {
+	domains := strings.Split(r.FormValue("domains"), ",")
+
+	cert, err := provider.CertificateGenerate(domains)
+
+	if err != nil {
+		return httperr.Server(err)
+	}
+
+	return RenderJson(rw, cert)
+}
+
+func CertificateList(rw http.ResponseWriter, r *http.Request) *httperr.Error {
+	certs, err := provider.CertificateList()
+
+	if err != nil {
+		return httperr.Server(err)
+	}
+
+	sort.Sort(certs)
+
+	return RenderJson(rw, certs)
+}

api/controllers/routes.go

@@ -41,6 +41,10 @@ func NewRouter() (router *mux.Router) {
 	router.HandleFunc("/apps/{app}/ssl", api("ssl.list", SSLList)).Methods("GET")
 	router.HandleFunc("/apps/{app}/ssl/{process}/{port}", api("ssl.update", SSLUpdate)).Methods("PUT")
 	router.HandleFunc("/auth", api("auth", Auth)).Methods("GET")
+	router.HandleFunc("/certificates", api("certificate.list", CertificateList)).Methods("GET")
+	router.HandleFunc("/certificates", api("certificate.create", CertificateCreate)).Methods("POST")
+	router.HandleFunc("/certificates/generate", api("certificate.generate", CertificateGenerate)).Methods("POST")
+	router.HandleFunc("/certificates/{id}", api("certificate.delete", CertificateDelete)).Methods("DELETE")
 	router.HandleFunc("/index/diff", api("index.diff", IndexDiff)).Methods("POST")
 	router.HandleFunc("/index/file/{hash}", api("index.upload", IndexUpload)).Methods("POST")
 	router.HandleFunc("/instances", api("instances.get", InstancesList)).Methods("GET")

api/controllers/ssl.go

@@ -3,7 +3,6 @@ package controllers
 import (
 	"net/http"
 	"strconv"
-	"strings"
 
 	"github.com/convox/rack/api/httperr"
 	"github.com/convox/rack/api/models"
@@ -31,10 +30,7 @@ func SSLUpdate(rw http.ResponseWriter, r *http.Request) *httperr.Error {
 	a := vars["app"]
 	process := vars["process"]
 	port := vars["port"]
-	arn := GetForm(r, "arn")
-	chain := GetForm(r, "chain")
-	body := GetForm(r, "body")
-	key := GetForm(r, "key")
+	id := GetForm(r, "id")
 
 	if process == "" {
 		return httperr.Errorf(403, "must specify a process")
@@ -46,11 +42,7 @@ func SSLUpdate(rw http.ResponseWriter, r *http.Request) *httperr.Error {
 		return httperr.Errorf(403, "port must be numeric")
 	}
 
-	if (arn != "") && !validateARNFormat(arn) {
-		return httperr.Errorf(403, "arn must follow the AWS ARN format")
-	}
-
-	ssl, err := models.UpdateSSL(a, process, portn, arn, body, key, chain)
+	ssl, err := models.UpdateSSL(a, process, portn, id)
 
 	if awsError(err) == "ValidationError" {
 		return httperr.Errorf(404, "%s", err)
@@ -62,7 +54,3 @@ func SSLUpdate(rw http.ResponseWriter, r *http.Request) *httperr.Error {
 
 	return RenderJson(rw, ssl)
 }
-
-func validateARNFormat(arn string) bool {
-	return strings.HasPrefix(strings.ToLower(arn), "arn:")
-}

api/dist/kernel.json

@@ -28,6 +28,10 @@
       "Condition": "Development",
       "Value": { "Fn::If": [ "Autoscale", "true", "false" ] }
     },
+    "AwsAccount": {
+      "Condition": "Development",
+      "Value": { "Ref": "AWS::AccountId" }
+    },
     "AwsRegion": {
       "Condition": "Development",
       "Value": { "Ref": "AWS::Region" }
@@ -1397,6 +1401,7 @@
             "Command": "api/bin/web",
             "CPU": "128",
             "Environment": {
+              "AWS_ACCOUNT": { "Ref": "AWS::AccountId" },
               "AWS_REGION": { "Ref": "AWS::Region" },
               "AWS_ACCESS": { "Ref": "KernelAccess" },
               "AWS_SECRET": { "Fn::GetAtt": [ "KernelAccess", "SecretAccessKey" ] },

api/manifest.yml

@@ -612,6 +612,79 @@ paths:
           description: invalid password
           schema:
             type: string
+  /certificates:
+    get:
+      description: List certificates
+      responses:
+        200:
+          description: certificate list
+          schema:
+            type: array
+            items:
+              $ref: '#/definitions/certificate'
+    post:
+      description: Upload a certificate
+      parameters:
+      - name: public
+        description: public key
+        type: string
+        in: formData
+        required: true
+      - name: private
+        description: private key
+        type: string
+        in: formData
+        required: true
+      - name: chain
+        description: intermediate chain
+        type: string
+        in: formData
+        required: false
+      responses:
+        200:
+          description: certificate
+          schema:
+            $ref: '#/definitions/certificate'
+        403:
+          description: invalid certificate
+          schema:
+            $ref: '#/definitions/error'
+  /certificates/generate:
+    post:
+      description: Request a certificate
+      parameters:
+      - name: domains
+        description: public key
+        type: array
+        items:
+          type: string
+      responses:
+        200:
+          description: certificate
+          schema:
+            $ref: '#/definitions/certificate'
+        403:
+          description: invalid domains
+          schema:
+            $ref: '#/definitions/error'
+  /certificates/{id}:
+    delete:
+      description: Remove a certificate
+      parameters:
+      - name: id
+        description: certificate id
+        type: string
+        in: path
+        required: true
+      responses:
+        200:
+          description: success
+          schema:
+            $ref: '#/definitions/success'
+        404:
+          description: not found
+          schema:
+            $ref: '#/definitions/error'
   /instances:
     get:
       description: List instances.
@@ -825,6 +898,13 @@ definitions:
         type: integer
       process-width:
         type: integer
+  certificate:
+      domain:
+        type: string
+      expiration:
+        type: date
+      id:
+        type: string
   error:
     properties:
       error:
@@ -915,6 +995,8 @@ definitions:
         type: string
   ssl:
     properties:
+      certificate:
+        type: string
       domain:
         type: string
       expiration:

api/models/models.go

@@ -11,6 +11,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/acm"
 	"github.com/aws/aws-sdk-go/service/autoscaling"
 	"github.com/aws/aws-sdk-go/service/cloudformation"
 	"github.com/aws/aws-sdk-go/service/cloudwatch"
@@ -58,6 +59,10 @@ func awsConfig() *aws.Config {
 	return config
 }
 
+func ACM() *acm.ACM {
+	return acm.New(session.New(), awsConfig())
+}
+
 func AutoScaling() *autoscaling.AutoScaling {
 	return autoscaling.New(session.New(), awsConfig())
 }

api/models/release.go

@@ -213,8 +213,7 @@ func (r *Release) Promote() error {
 			switch app.Parameters[protoParam] {
 			case "https", "tls":
 				if app.Parameters[certParam] == "" {
-					timestamp := time.Now().Format("20060102150405")
-					name := fmt.Sprintf("%s%s%s-%s", UpperName(app.StackName()), UpperName(entry.Name), mapping.Balancer, timestamp)
+					name := fmt.Sprintf("cert-%d", time.Now().Unix())
 
 					body, key, err := GenerateSelfSignedCertificate("*.*.elb.amazonaws.com")