Try

package-lock.json

@@ -8,11 +8,17 @@
       "version": "1.0.0",
       "license": "ISC",
       "dependencies": {
+        "await-lock": "^2.1.0",
         "axios": "^0.21.1",
         "jose-node-cjs-runtime": "^3.12.2",
         "pem": "^1.14.4"
       }
     },
+    "node_modules/await-lock": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/await-lock/-/await-lock-2.1.0.tgz",
+      "integrity": "sha512-t7Zm5YGgEEc/3eYAicF32m/TNvL+XOeYZy9CvBUeJY/szM7frLolFylhrlZNWV/ohWhcUXygrBGjYmoQdxF4CQ=="
+    },
     "node_modules/axios": {
       "version": "0.21.1",
       "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz",
@@ -127,6 +133,11 @@
     }
   },
   "dependencies": {
+    "await-lock": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/await-lock/-/await-lock-2.1.0.tgz",
+      "integrity": "sha512-t7Zm5YGgEEc/3eYAicF32m/TNvL+XOeYZy9CvBUeJY/szM7frLolFylhrlZNWV/ohWhcUXygrBGjYmoQdxF4CQ=="
+    },
     "axios": {
       "version": "0.21.1",
       "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz",

package.json

@@ -10,6 +10,7 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
+    "await-lock": "^2.1.0",
     "axios": "^0.21.1",
     "jose-node-cjs-runtime": "^3.12.2",
     "pem": "^1.14.4"

src/certnode/lib/client.js

@@ -1,12 +1,24 @@
 const fs = require('fs')
 const http = require('http')
 const path = require('path')
-const { promisify } = require('util')
+const {
-const { fromKeyLike } = require('jose-node-cjs-runtime/jwk/from_key_like')
+  promisify
-const { generateKeyPair } = require('jose-node-cjs-runtime/util/generate_key_pair')
+} = require('util')
-const { calculateThumbprint } = require('jose-node-cjs-runtime/jwk/thumbprint')
+const {
-const { SignJWT } = require('jose-node-cjs-runtime/jwt/sign')
+  fromKeyLike
-const { CompactSign } = require('jose-node-cjs-runtime/jws/compact/sign')
+} = require('jose-node-cjs-runtime/jwk/from_key_like')
+const {
+  generateKeyPair
+} = require('jose-node-cjs-runtime/util/generate_key_pair')
+const {
+  calculateThumbprint
+} = require('jose-node-cjs-runtime/jwk/thumbprint')
+const {
+  SignJWT
+} = require('jose-node-cjs-runtime/jwt/sign')
+const {
+  CompactSign
+} = require('jose-node-cjs-runtime/jws/compact/sign')
 const pem = require('pem')
 const common = require('./common')
 const request = require('./request')
@@ -27,7 +39,7 @@ class Client {
     this.accountPublicJwk = null
     this.accountPublicKey = null
     this.directoryUrl = directoryUrl
-    this.challengeCallbacks = {}
+    this.challengeCallbacks = null
     this.hasDirectory = false
     this.myAccountUrl = ''
     this.newAccountUrl = ''
@@ -61,7 +73,10 @@ class Client {
    * @return {Promise}
    */
   async generateAccountKeyPair() {
-    const { privateKey, publicKey } = await generateKeyPair(common.ACCOUNT_KEY_ALGORITHM)
+    const {
+      privateKey,
+      publicKey
+    } = await generateKeyPair(common.ACCOUNT_KEY_ALGORITHM)
 
     this.accountPrivateKey = privateKey
     this.accountPublicKey = publicKey
@@ -82,14 +97,29 @@ class Client {
     await this.newNonce()
     await this.newAccount(email)
 
-    const { authzUrls, finalizeUrl } = await this.newOrder(domain)
+    const {
-    const { challenge } = await this.authz(authzUrls[0])
+      authzUrls,
+      finalizeUrl
+    } = await this.newOrder(domain)
+    const {
+      challenge
+    } = await this.authz(authzUrls[0])
 
+    console.log('step 1');
     await this.completeChallenge(challenge)
+    console.log('step 2');
     await this.pollAuthz(authzUrls[0])
-    const { certificate, privateKeyData } = await this.finalizeOrder(finalizeUrl, domain, email)
+    console.log('step 3');
+    const {
+      certificate,
+      privateKeyData
+    } = await this.finalizeOrder(finalizeUrl, domain, email)
+    console.log('step 4');
 
-    return { certificate, privateKeyData }
+    return {
+      certificate,
+      privateKeyData
+    }
   }
 
   /**
@@ -113,13 +143,11 @@ class Client {
   }
 
   async authz(authzUrl) {
-    const data = await this.sign(
+    const data = await this.sign({
-      {
       kid: this.myAccountUrl,
       nonce: this.replayNonce,
       url: authzUrl
-      }
+    })
-    )
 
     const res = await request(authzUrl, {
       method: 'POST',
@@ -137,8 +165,14 @@ class Client {
       throw new Error(`authz() Status Code: ${res.statusCode} Data: ${res.data}`)
     }
 
-    const { challenges, identifier, ...rest } = res.data
+    const {
-    const challenge = challenges.find(({ type }) => type === 'http-01')
+      challenges,
+      identifier,
+      ...rest
+    } = res.data
+    const challenge = challenges.find(({
+      type
+    }) => type === 'http-01')
 
     return {
       challenge,
@@ -147,9 +181,9 @@ class Client {
     }
   }
 
-  async completeChallenge (challenge, cb) {
+  async completeChallenge(challenge) {
     await this.readyChallenge(challenge)
-    await this.receiveServerRequest(challenge, cb)
+    await this.receiveServerRequest(challenge)
   }
 
   async directory() {
@@ -197,9 +231,17 @@ class Client {
   }
 
   async finalizeOrder(finalizeUrl, domain, email) {
-    const { privateKey } = await generateKeyPair(common.CERTIFICATE_KEY_ALGORITHM)
+    const {
+      privateKey
+    } = await generateKeyPair(common.CERTIFICATE_KEY_ALGORITHM)
     const clientKey = common.exportPrivateKey(privateKey)
-    let { csr } = await createCsr({ clientKey, commonName: domain, email })
+    let {
+      csr
+    } = await createCsr({
+      clientKey,
+      commonName: domain,
+      email
+    })
 
     // "The CSR is sent in the base64url-encoded version of the DER format.
     // (Note: Because this field uses base64url, and does not include headers,
@@ -213,16 +255,13 @@ class Client {
       .replace(/\//g, '_')
       .replace(/=/g, '')
 
-    const data = await this.sign(
+    const data = await this.sign({
-      {
       kid: this.myAccountUrl,
       nonce: this.replayNonce,
       url: finalizeUrl
-      },
+    }, {
-      {
       csr
-      }
+    })
-    )
 
     const res = await request(finalizeUrl, {
       method: 'POST',
@@ -242,7 +281,10 @@ class Client {
 
     const certificate = await this.fetchCertificate(res.data.certificate)
 
-    return { certificate, privateKeyData: clientKey }
+    return {
+      certificate,
+      privateKeyData: clientKey
+    }
   }
 
   async initAccountJwks() {
@@ -257,17 +299,14 @@ class Client {
   }
 
   async newAccount(...emails) {
-    const data = await this.sign(
+    const data = await this.sign({
-      {
       jwk: this.accountPublicJwk,
       nonce: this.replayNonce,
       url: this.newAccountUrl
-      },
+    }, {
-      {
       contact: emails.map(email => 'mailto:' + email),
       termsOfServiceAgreed: true
-      }
+    })
-    )
 
     const res = await request(this.newAccountUrl, {
       method: 'POST',
@@ -293,7 +332,9 @@ class Client {
   async newNonce() {
     if (this.replayNonce) return false
 
-    const res = await request(this.newNonceUrl, { method: 'HEAD' })
+    const res = await request(this.newNonceUrl, {
+      method: 'HEAD'
+    })
 
     if (res.statusCode !== 200) {
       throw new Error(`newNonce() Status Code: ${res.statusCode} Data: ${res.data}`)
@@ -305,18 +346,18 @@ class Client {
   }
 
   async newOrder(...domains) {
-    const identifiers = domains.map(domain => ({ type: 'dns', value: domain }))
+    const identifiers = domains.map(domain => ({
+      type: 'dns',
+      value: domain
+    }))
 
-    const data = await this.sign(
+    const data = await this.sign({
-      {
       kid: this.myAccountUrl,
       nonce: this.replayNonce,
       url: this.newOrderUrl
-      },
+    }, {
-      {
       identifiers
-      }
+    })
-    )
 
     const res = await request(this.newOrderUrl, {
       method: 'POST',
@@ -335,7 +376,10 @@ class Client {
     }
 
     const orderUrl = res.headers.location
-    const { authorizations: authzUrls, finalize: finalizeUrl } = res.data
+    const {
+      authorizations: authzUrls,
+      finalize: finalizeUrl
+    } = res.data
 
     return {
       authzUrls,
@@ -365,14 +409,11 @@ class Client {
   }
 
   async readyChallenge(challenge) {
-    const data = await this.sign(
+    const data = await this.sign({
-      {
       kid: this.myAccountUrl,
       nonce: this.replayNonce,
       url: challenge.url
-      },
+    }, {})
-      {}
-    )
 
     const res = await request(challenge.url, {
       method: 'POST',
@@ -391,15 +432,19 @@ class Client {
     }
   }
 
-  receiveServerRequest (challenge, cb) {
+  receiveServerRequest(challenge) {
     return new Promise((resolve, reject) => {
       const time = setTimeout(() => {
         reject(new Error('Timed out waiting for server request'))
       }, 10e3);
-      this.challengeCallbacks[challenge.token] = function () {
+      let hasResolved = false;
-        setTimeout(cb, 100);
+      this.challengeCallbacks = function () {
+        if (!hasResolved)
+          setTimeout(resolve, 100);
+        else
+          return challenge.token + '.' + this.thumbprint;
+        hasResolved = true;
         clearTimeout(time);
-        resolve();
         return challenge.token + '.' + this.thumbprint;
       }
     });
@@ -420,13 +465,19 @@ class Client {
 
     if (payload) {
       data = await new SignJWT(payload)
-        .setProtectedHeader({ alg: common.ACCOUNT_KEY_ALGORITHM, ...header })
+        .setProtectedHeader({
+          alg: common.ACCOUNT_KEY_ALGORITHM,
+          ...header
+        })
         .sign(this.accountPrivateKey)
     } else {
       // SignJWT constructor only accepts object but RFC8555 requires empty payload
       // Workaround: manually pass empty Uint8Array to CompactSign constructor
       const sig = new CompactSign(new Uint8Array())
-      sig.setProtectedHeader({ alg: common.ACCOUNT_KEY_ALGORITHM, ...header })
+      sig.setProtectedHeader({
+        alg: common.ACCOUNT_KEY_ALGORITHM,
+        ...header
+      })
       data = await sig.sign(this.accountPrivateKey)
     }
 

src/client.js

@@ -34,9 +34,11 @@ const acme_prefix = '/.well-known/acme-challenge/';
 const listener = async function (/** @type {import('http').IncomingMessage} */ req, /** @type {import('http').ServerResponse} */ res) {
     try {
         if (req.url.startsWith(acme_prefix)) {
-            const token = req.url.slice(acme_prefix.length);
+            if (client.challengeCallbacks) {
-            if (client.challengeCallbacks[token]) {
+                res.writeHead(200, {
-                res.write(client.challengeCallbacks[token]());
+                    'content-type': 'application/octet-stream'
+                });
+                res.write(client.challengeCallbacks());
             } else {
                 res.writeHead(404)
             }

src/sni.js

@@ -7,6 +7,7 @@ const {
     ensureDir,
     findTxtRecord
 } = require('./util');
+const { default: AwaitLock } = require('await-lock');
 const record_email_prefix = 'forward-domain-cert-maintainer=';
 const client = new certnode.Client();
 const certsDir = path.join(__dirname, '.certs');
@@ -37,7 +38,7 @@ async function buildCache(host) {
         await fs.promises.access(extP, fs.constants.R_OK | fs.constants.W_OK);
         const expire = parseInt((await fs.promises.readFile(extP)).toString('utf8'));
         if (Date.now() > expire)
-            throw null; // expired
+            throw new Error('expired'); // expired
         const cert = await fs.promises.readFile(certP, 'utf8');
         const key = await fs.promises.readFile(keyP, 'utf8')
         return {
@@ -76,13 +77,18 @@ async function getKeyCert(servername) {
     }
 }
 
+let lock = new AwaitLock();
 
 const SniListener = async (servername, ctx) => {
     // Generate fresh account keys for Let's Encrypt
+    await lock.acquireAsync();
     try {
         ctx(null, tls.createSecureContext(await getKeyCert(servername)));
     } catch (error) {
+        console.log(JSON.stringify(error));
         ctx(error, null);
+    } finally {
+        lock.release();
     }
 }