[GitHub] [trafficcontrol] srijeet0406 commented on a change in pull request #5466: ACME integration and external account binding

[GitBox <gi...@apache.org>]

srijeet0406 commented on a change in pull request #5466:
URL: https://github.com/apache/trafficcontrol/pull/5466#discussion_r566486271



##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"

Review comment:
       These might need to be rearranged.

##########
File path: traffic_ops/traffic_ops_golang/config/config.go
##########
@@ -48,8 +48,9 @@ type Config struct {
 	SMTP                   *ConfigSMTP `json:"smtp"`
 	ConfigPortal           `json:"portal"`
 	ConfigLetsEncrypt      `json:"lets_encrypt"`
-	DB                     ConfigDatabase `json:"db"`
-	Secrets                []string       `json:"secrets"`
+	AcmeAccounts           []ConfigAcmeAccount `json:"acme_accounts"`

Review comment:
       The formatting seems a little bit wonky here, the `json` tags dont seem to be aligned.

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"
+	"github.com/jmoiron/sqlx"
+)
+
+func RenewAcmeCertificate(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, []string{"xmlid"}, nil)
+	if userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+	defer inf.Close()
+	if inf.Config.RiakEnabled == false {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, userErr, errors.New("deliveryservice.DeleteSSLKeys: Riak is not configured"))
+		return
+	}
+	xmlID := inf.Params["xmlid"]
+
+	if userErr, sysErr, errCode := tenant.Check(inf.User, xmlID, inf.Tx.Tx); userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+
+	ctx, _ := context.WithTimeout(r.Context(), LetsEncryptTimeout)
+
+	err := renewAcmeCerts(inf.Config, xmlID, ctx, inf.User)
+	if err != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, nil, err)
+	}
+
+	api.WriteRespAlert(w, r, tc.SuccessLevel, "Certificate for "+xmlID+" successfully renewed.")
+
+}
+
+func renewAcmeCerts(cfg *config.Config, dsName string, ctx context.Context, currentUser *auth.CurrentUser) error {
+	db, err := api.GetDB(ctx)
+	if err != nil {
+		log.Errorf(dsName+": Error getting db: %s", err.Error())
+		return err
+	}
+
+	tx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting tx: %s", err.Error())
+		return err
+	}
+
+	userTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting userTx: %s", err.Error())
+		return err
+	}
+	defer userTx.Commit()
+
+	logTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting logTx: %s", err.Error())
+		return err
+	}
+	defer logTx.Commit()
+
+	dsID, certVersion, err := getDSIdAndVersionFromName(db, dsName)
+	if err != nil {
+		return errors.New("querying DS info: " + err.Error())
+	}
+	if dsID == nil || *dsID == 0 {
+		return errors.New("DS id for " + dsName + " was nil or 0")
+	}
+	if certVersion == nil || *certVersion == 0 {
+		return errors.New("certificate for " + dsName + " could not be renewed because version was nil or 0")
+	}
+
+	keyObj, ok, err := riaksvc.GetDeliveryServiceSSLKeysObjV15(dsName, strconv.Itoa(int(*certVersion)), tx, cfg.RiakAuthOptions, cfg.RiakPort)
+	if err != nil {
+		return errors.New("getting ssl keys for xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)) + " :" + err.Error())
+	}
+	if !ok {
+		return errors.New("no object found for the specified key with xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)))
+	}
+
+	err = base64DecodeCertificate(&keyObj.Certificate)
+	if err != nil {
+		return errors.New("decoding cert for XMLID " + dsName + " : " + err.Error())
+	}
+
+	acmeAccount := getAcmeAccountConfig(cfg, keyObj.AuthType)
+	if acmeAccount == nil {
+		return errors.New("No acme account information in cdn.conf for " + keyObj.AuthType)
+	}
+
+	client, err := GetAcmeClient(acmeAccount, userTx, db)
+	if err != nil {
+		log.Errorf(dsName+": Error getting acme client: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New("getting acme client: " + err.Error())
+	}
+
+	renewRequest := certificate.Resource{
+		Certificate: []byte(keyObj.Certificate.Crt),
+	}
+
+	cert, err := client.Certificate.Renew(renewRequest, true, false)
+	if err != nil {
+		log.Errorf("Error obtaining acme certificate: %s", err.Error())
+		return err
+	}
+
+	newCertObj := tc.DeliveryServiceSSLKeys{
+		AuthType:        keyObj.AuthType,
+		CDN:             keyObj.CDN,
+		DeliveryService: keyObj.DeliveryService,
+		Key:             keyObj.DeliveryService,
+		Hostname:        keyObj.Hostname,
+		Version:         keyObj.Version + 1,
+	}
+
+	newCertObj.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(cert.Certificate)), Key: string(EncodePEMToLegacyPerlRiakFormat(cert.PrivateKey)), CSR: string(EncodePEMToLegacyPerlRiakFormat([]byte("ACME Generated")))}
+	if err := riaksvc.PutDeliveryServiceSSLKeysObj(newCertObj, tx, cfg.RiakAuthOptions, cfg.RiakPort); err != nil {
+		log.Errorf("Error posting acme certificate to riak: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New(dsName + ": putting riak keys: " + err.Error())
+	}
+
+	tx2, err := db.Begin()
+	if err != nil {
+		log.Errorf("starting sql transaction for delivery service " + dsName + ": " + err.Error())
+		return errors.New("starting sql transaction for delivery service " + dsName + ": " + err.Error())
+	}
+
+	if err := updateSSLKeyVersion(dsName, *certVersion+1, tx2); err != nil {
+		log.Errorf("updating SSL key version for delivery service '" + dsName + "': " + err.Error())
+		return errors.New("updating SSL key version for delivery service '" + dsName + "': " + err.Error())
+	}
+	tx2.Commit()
+
+	api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: Added SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+
+	return nil
+}
+
+func getAcmeAccountConfig(cfg *config.Config, acmeProvider string) *config.ConfigAcmeAccount {
+	for _, acmeCfg := range cfg.AcmeAccounts {
+		if acmeCfg.AcmeProvider == acmeProvider {
+			return &acmeCfg
+		}
+	}
+	return nil
+}
+
+func getDSIdAndVersionFromName(db *sqlx.DB, xmlId string) (*int, *int64, error) {
+	var dsID int
+	var certVersion int64
+
+	if err := db.QueryRow(`SELECT id, ssl_key_version FROM deliveryservice WHERE xml_id = $1`, xmlId).Scan(&dsID, &certVersion); err != nil {
+		return nil, nil, err
+	}
+
+	return &dsID, &certVersion, nil
+}
+
+func GetAcmeClient(acmeAccount *config.ConfigAcmeAccount, userTx *sql.Tx, db *sqlx.DB) (*lego.Client, error) {
+	if acmeAccount.UserEmail == "" {

Review comment:
       Do we need a `nil` check for `acmeAccount` here?

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"
+	"github.com/jmoiron/sqlx"
+)
+
+func RenewAcmeCertificate(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, []string{"xmlid"}, nil)
+	if userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+	defer inf.Close()
+	if inf.Config.RiakEnabled == false {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, userErr, errors.New("deliveryservice.DeleteSSLKeys: Riak is not configured"))
+		return
+	}
+	xmlID := inf.Params["xmlid"]
+
+	if userErr, sysErr, errCode := tenant.Check(inf.User, xmlID, inf.Tx.Tx); userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+
+	ctx, _ := context.WithTimeout(r.Context(), LetsEncryptTimeout)
+
+	err := renewAcmeCerts(inf.Config, xmlID, ctx, inf.User)
+	if err != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, nil, err)
+	}
+
+	api.WriteRespAlert(w, r, tc.SuccessLevel, "Certificate for "+xmlID+" successfully renewed.")
+
+}
+
+func renewAcmeCerts(cfg *config.Config, dsName string, ctx context.Context, currentUser *auth.CurrentUser) error {
+	db, err := api.GetDB(ctx)
+	if err != nil {
+		log.Errorf(dsName+": Error getting db: %s", err.Error())
+		return err
+	}
+
+	tx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting tx: %s", err.Error())
+		return err
+	}
+
+	userTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting userTx: %s", err.Error())
+		return err
+	}
+	defer userTx.Commit()
+
+	logTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting logTx: %s", err.Error())
+		return err
+	}
+	defer logTx.Commit()
+
+	dsID, certVersion, err := getDSIdAndVersionFromName(db, dsName)
+	if err != nil {
+		return errors.New("querying DS info: " + err.Error())
+	}
+	if dsID == nil || *dsID == 0 {
+		return errors.New("DS id for " + dsName + " was nil or 0")
+	}
+	if certVersion == nil || *certVersion == 0 {
+		return errors.New("certificate for " + dsName + " could not be renewed because version was nil or 0")
+	}
+
+	keyObj, ok, err := riaksvc.GetDeliveryServiceSSLKeysObjV15(dsName, strconv.Itoa(int(*certVersion)), tx, cfg.RiakAuthOptions, cfg.RiakPort)
+	if err != nil {
+		return errors.New("getting ssl keys for xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)) + " :" + err.Error())
+	}
+	if !ok {
+		return errors.New("no object found for the specified key with xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)))
+	}
+
+	err = base64DecodeCertificate(&keyObj.Certificate)
+	if err != nil {
+		return errors.New("decoding cert for XMLID " + dsName + " : " + err.Error())
+	}
+
+	acmeAccount := getAcmeAccountConfig(cfg, keyObj.AuthType)
+	if acmeAccount == nil {
+		return errors.New("No acme account information in cdn.conf for " + keyObj.AuthType)
+	}
+
+	client, err := GetAcmeClient(acmeAccount, userTx, db)
+	if err != nil {
+		log.Errorf(dsName+": Error getting acme client: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New("getting acme client: " + err.Error())
+	}
+
+	renewRequest := certificate.Resource{
+		Certificate: []byte(keyObj.Certificate.Crt),
+	}
+
+	cert, err := client.Certificate.Renew(renewRequest, true, false)
+	if err != nil {
+		log.Errorf("Error obtaining acme certificate: %s", err.Error())
+		return err
+	}
+
+	newCertObj := tc.DeliveryServiceSSLKeys{
+		AuthType:        keyObj.AuthType,
+		CDN:             keyObj.CDN,
+		DeliveryService: keyObj.DeliveryService,
+		Key:             keyObj.DeliveryService,
+		Hostname:        keyObj.Hostname,
+		Version:         keyObj.Version + 1,
+	}
+
+	newCertObj.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(cert.Certificate)), Key: string(EncodePEMToLegacyPerlRiakFormat(cert.PrivateKey)), CSR: string(EncodePEMToLegacyPerlRiakFormat([]byte("ACME Generated")))}
+	if err := riaksvc.PutDeliveryServiceSSLKeysObj(newCertObj, tx, cfg.RiakAuthOptions, cfg.RiakPort); err != nil {
+		log.Errorf("Error posting acme certificate to riak: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New(dsName + ": putting riak keys: " + err.Error())
+	}
+
+	tx2, err := db.Begin()
+	if err != nil {
+		log.Errorf("starting sql transaction for delivery service " + dsName + ": " + err.Error())
+		return errors.New("starting sql transaction for delivery service " + dsName + ": " + err.Error())
+	}
+
+	if err := updateSSLKeyVersion(dsName, *certVersion+1, tx2); err != nil {
+		log.Errorf("updating SSL key version for delivery service '" + dsName + "': " + err.Error())
+		return errors.New("updating SSL key version for delivery service '" + dsName + "': " + err.Error())
+	}
+	tx2.Commit()
+
+	api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: Added SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+
+	return nil
+}
+
+func getAcmeAccountConfig(cfg *config.Config, acmeProvider string) *config.ConfigAcmeAccount {
+	for _, acmeCfg := range cfg.AcmeAccounts {
+		if acmeCfg.AcmeProvider == acmeProvider {
+			return &acmeCfg
+		}
+	}
+	return nil
+}
+
+func getDSIdAndVersionFromName(db *sqlx.DB, xmlId string) (*int, *int64, error) {
+	var dsID int
+	var certVersion int64
+
+	if err := db.QueryRow(`SELECT id, ssl_key_version FROM deliveryservice WHERE xml_id = $1`, xmlId).Scan(&dsID, &certVersion); err != nil {
+		return nil, nil, err
+	}
+
+	return &dsID, &certVersion, nil
+}
+
+func GetAcmeClient(acmeAccount *config.ConfigAcmeAccount, userTx *sql.Tx, db *sqlx.DB) (*lego.Client, error) {
+	if acmeAccount.UserEmail == "" {
+		log.Errorf("An email address must be provided to use ACME with %v", acmeAccount.AcmeProvider)
+		return nil, errors.New("An email address must be provided to use ACME with " + acmeAccount.AcmeProvider)
+	}
+	storedAcmeInfo, err := getStoredAcmeAccountInfo(userTx, acmeAccount.UserEmail, acmeAccount.AcmeProvider)
+	if err != nil {
+		log.Errorf("Error finding stored ACME information: %s", err.Error())
+		return nil, err
+	}
+
+	myUser := MyUser{}
+	foundPreviousAccount := false
+	userPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		log.Errorf("Error generating private key: %s", err.Error())
+		return nil, err
+	}
+
+	if storedAcmeInfo == nil || acmeAccount.UserEmail == "" {
+		myUser = MyUser{
+			key:   userPrivateKey,
+			Email: acmeAccount.UserEmail,
+		}
+	} else {
+		foundPreviousAccount = true
+		myUser = MyUser{
+			key:   &storedAcmeInfo.PrivateKey,
+			Email: storedAcmeInfo.Email,
+			Registration: &registration.Resource{
+				URI: storedAcmeInfo.URI,
+			},
+		}
+	}
+
+	config := lego.NewConfig(&myUser)
+	config.CADirURL = acmeAccount.AcmeUrl
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		log.Errorf("Error creating acme client: %s", err.Error())
+		return nil, err
+	}
+
+	if acmeAccount.AcmeProvider == tc.LetsEncryptAuthType {
+		client.Challenge.Remove(challenge.HTTP01)
+		client.Challenge.Remove(challenge.TLSALPN01)
+		trafficRouterDns := NewDNSProviderTrafficRouter()
+		trafficRouterDns.db = db
+		if err != nil {
+			log.Errorf("Error creating Traffic Router DNS provider: %s", err.Error())
+			return nil, err
+		}
+		client.Challenge.SetDNS01Provider(trafficRouterDns)
+	}
+
+	if foundPreviousAccount {
+		log.Debugf("Found existing account with %s", acmeAccount.AcmeProvider)
+		reg, err := client.Registration.QueryRegistration()
+		if err != nil {
+			log.Errorf("Error querying %s for existing account: %s", acmeAccount.AcmeProvider, err.Error())
+			return nil, err
+		}
+		myUser.Registration = reg

Review comment:
       Not sure if reg can be `nil` without an error?

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"
+	"github.com/jmoiron/sqlx"
+)
+
+func RenewAcmeCertificate(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, []string{"xmlid"}, nil)
+	if userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+	defer inf.Close()
+	if inf.Config.RiakEnabled == false {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, userErr, errors.New("deliveryservice.DeleteSSLKeys: Riak is not configured"))
+		return
+	}
+	xmlID := inf.Params["xmlid"]
+
+	if userErr, sysErr, errCode := tenant.Check(inf.User, xmlID, inf.Tx.Tx); userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+
+	ctx, _ := context.WithTimeout(r.Context(), LetsEncryptTimeout)
+
+	err := renewAcmeCerts(inf.Config, xmlID, ctx, inf.User)
+	if err != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, nil, err)
+	}
+
+	api.WriteRespAlert(w, r, tc.SuccessLevel, "Certificate for "+xmlID+" successfully renewed.")
+
+}
+
+func renewAcmeCerts(cfg *config.Config, dsName string, ctx context.Context, currentUser *auth.CurrentUser) error {
+	db, err := api.GetDB(ctx)
+	if err != nil {
+		log.Errorf(dsName+": Error getting db: %s", err.Error())
+		return err
+	}
+
+	tx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting tx: %s", err.Error())
+		return err
+	}
+
+	userTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting userTx: %s", err.Error())
+		return err
+	}
+	defer userTx.Commit()
+
+	logTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting logTx: %s", err.Error())
+		return err
+	}
+	defer logTx.Commit()
+
+	dsID, certVersion, err := getDSIdAndVersionFromName(db, dsName)
+	if err != nil {
+		return errors.New("querying DS info: " + err.Error())
+	}
+	if dsID == nil || *dsID == 0 {
+		return errors.New("DS id for " + dsName + " was nil or 0")
+	}
+	if certVersion == nil || *certVersion == 0 {
+		return errors.New("certificate for " + dsName + " could not be renewed because version was nil or 0")
+	}
+
+	keyObj, ok, err := riaksvc.GetDeliveryServiceSSLKeysObjV15(dsName, strconv.Itoa(int(*certVersion)), tx, cfg.RiakAuthOptions, cfg.RiakPort)
+	if err != nil {
+		return errors.New("getting ssl keys for xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)) + " :" + err.Error())
+	}
+	if !ok {
+		return errors.New("no object found for the specified key with xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)))
+	}
+
+	err = base64DecodeCertificate(&keyObj.Certificate)
+	if err != nil {
+		return errors.New("decoding cert for XMLID " + dsName + " : " + err.Error())
+	}
+
+	acmeAccount := getAcmeAccountConfig(cfg, keyObj.AuthType)
+	if acmeAccount == nil {
+		return errors.New("No acme account information in cdn.conf for " + keyObj.AuthType)
+	}
+
+	client, err := GetAcmeClient(acmeAccount, userTx, db)
+	if err != nil {
+		log.Errorf(dsName+": Error getting acme client: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New("getting acme client: " + err.Error())
+	}
+
+	renewRequest := certificate.Resource{
+		Certificate: []byte(keyObj.Certificate.Crt),
+	}
+
+	cert, err := client.Certificate.Renew(renewRequest, true, false)
+	if err != nil {

Review comment:
       Could we add a `nil` check for `cert` here?

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/letsencryptcert.go
##########
@@ -228,88 +226,22 @@ func GetLetsEncryptCertificates(cfg *config.Config, req tc.DeliveryServiceLetsEn
 	}
 	tx.Commit()
 

Review comment:
       Could we add a nil check for `cfg` before dereferencing it?

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"
+	"github.com/jmoiron/sqlx"
+)
+
+func RenewAcmeCertificate(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, []string{"xmlid"}, nil)
+	if userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+	defer inf.Close()
+	if inf.Config.RiakEnabled == false {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, userErr, errors.New("deliveryservice.DeleteSSLKeys: Riak is not configured"))
+		return
+	}
+	xmlID := inf.Params["xmlid"]
+
+	if userErr, sysErr, errCode := tenant.Check(inf.User, xmlID, inf.Tx.Tx); userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+
+	ctx, _ := context.WithTimeout(r.Context(), LetsEncryptTimeout)
+
+	err := renewAcmeCerts(inf.Config, xmlID, ctx, inf.User)
+	if err != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, nil, err)
+	}
+
+	api.WriteRespAlert(w, r, tc.SuccessLevel, "Certificate for "+xmlID+" successfully renewed.")
+
+}
+
+func renewAcmeCerts(cfg *config.Config, dsName string, ctx context.Context, currentUser *auth.CurrentUser) error {
+	db, err := api.GetDB(ctx)
+	if err != nil {
+		log.Errorf(dsName+": Error getting db: %s", err.Error())
+		return err
+	}
+
+	tx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting tx: %s", err.Error())
+		return err
+	}
+
+	userTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting userTx: %s", err.Error())
+		return err
+	}
+	defer userTx.Commit()
+
+	logTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting logTx: %s", err.Error())
+		return err
+	}
+	defer logTx.Commit()
+
+	dsID, certVersion, err := getDSIdAndVersionFromName(db, dsName)
+	if err != nil {
+		return errors.New("querying DS info: " + err.Error())
+	}
+	if dsID == nil || *dsID == 0 {
+		return errors.New("DS id for " + dsName + " was nil or 0")
+	}
+	if certVersion == nil || *certVersion == 0 {
+		return errors.New("certificate for " + dsName + " could not be renewed because version was nil or 0")
+	}
+
+	keyObj, ok, err := riaksvc.GetDeliveryServiceSSLKeysObjV15(dsName, strconv.Itoa(int(*certVersion)), tx, cfg.RiakAuthOptions, cfg.RiakPort)
+	if err != nil {
+		return errors.New("getting ssl keys for xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)) + " :" + err.Error())
+	}
+	if !ok {
+		return errors.New("no object found for the specified key with xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)))
+	}
+
+	err = base64DecodeCertificate(&keyObj.Certificate)
+	if err != nil {
+		return errors.New("decoding cert for XMLID " + dsName + " : " + err.Error())
+	}
+
+	acmeAccount := getAcmeAccountConfig(cfg, keyObj.AuthType)
+	if acmeAccount == nil {
+		return errors.New("No acme account information in cdn.conf for " + keyObj.AuthType)
+	}
+
+	client, err := GetAcmeClient(acmeAccount, userTx, db)
+	if err != nil {
+		log.Errorf(dsName+": Error getting acme client: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New("getting acme client: " + err.Error())
+	}
+
+	renewRequest := certificate.Resource{
+		Certificate: []byte(keyObj.Certificate.Crt),
+	}
+
+	cert, err := client.Certificate.Renew(renewRequest, true, false)
+	if err != nil {
+		log.Errorf("Error obtaining acme certificate: %s", err.Error())
+		return err
+	}
+
+	newCertObj := tc.DeliveryServiceSSLKeys{
+		AuthType:        keyObj.AuthType,
+		CDN:             keyObj.CDN,
+		DeliveryService: keyObj.DeliveryService,
+		Key:             keyObj.DeliveryService,
+		Hostname:        keyObj.Hostname,
+		Version:         keyObj.Version + 1,
+	}
+
+	newCertObj.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(cert.Certificate)), Key: string(EncodePEMToLegacyPerlRiakFormat(cert.PrivateKey)), CSR: string(EncodePEMToLegacyPerlRiakFormat([]byte("ACME Generated")))}

Review comment:
       nit: For better readability, could we split this struct initialization into multiple lines?

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"
+	"github.com/jmoiron/sqlx"
+)
+
+func RenewAcmeCertificate(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, []string{"xmlid"}, nil)
+	if userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+	defer inf.Close()
+	if inf.Config.RiakEnabled == false {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, userErr, errors.New("deliveryservice.DeleteSSLKeys: Riak is not configured"))
+		return
+	}
+	xmlID := inf.Params["xmlid"]
+
+	if userErr, sysErr, errCode := tenant.Check(inf.User, xmlID, inf.Tx.Tx); userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+
+	ctx, _ := context.WithTimeout(r.Context(), LetsEncryptTimeout)
+
+	err := renewAcmeCerts(inf.Config, xmlID, ctx, inf.User)
+	if err != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, nil, err)
+	}
+
+	api.WriteRespAlert(w, r, tc.SuccessLevel, "Certificate for "+xmlID+" successfully renewed.")
+
+}
+
+func renewAcmeCerts(cfg *config.Config, dsName string, ctx context.Context, currentUser *auth.CurrentUser) error {
+	db, err := api.GetDB(ctx)
+	if err != nil {
+		log.Errorf(dsName+": Error getting db: %s", err.Error())
+		return err
+	}
+
+	tx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting tx: %s", err.Error())
+		return err
+	}
+
+	userTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting userTx: %s", err.Error())
+		return err
+	}
+	defer userTx.Commit()
+
+	logTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting logTx: %s", err.Error())
+		return err
+	}
+	defer logTx.Commit()
+
+	dsID, certVersion, err := getDSIdAndVersionFromName(db, dsName)
+	if err != nil {
+		return errors.New("querying DS info: " + err.Error())
+	}
+	if dsID == nil || *dsID == 0 {
+		return errors.New("DS id for " + dsName + " was nil or 0")
+	}
+	if certVersion == nil || *certVersion == 0 {
+		return errors.New("certificate for " + dsName + " could not be renewed because version was nil or 0")
+	}
+
+	keyObj, ok, err := riaksvc.GetDeliveryServiceSSLKeysObjV15(dsName, strconv.Itoa(int(*certVersion)), tx, cfg.RiakAuthOptions, cfg.RiakPort)
+	if err != nil {
+		return errors.New("getting ssl keys for xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)) + " :" + err.Error())
+	}
+	if !ok {
+		return errors.New("no object found for the specified key with xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)))
+	}
+
+	err = base64DecodeCertificate(&keyObj.Certificate)
+	if err != nil {
+		return errors.New("decoding cert for XMLID " + dsName + " : " + err.Error())
+	}
+
+	acmeAccount := getAcmeAccountConfig(cfg, keyObj.AuthType)
+	if acmeAccount == nil {
+		return errors.New("No acme account information in cdn.conf for " + keyObj.AuthType)
+	}
+
+	client, err := GetAcmeClient(acmeAccount, userTx, db)
+	if err != nil {
+		log.Errorf(dsName+": Error getting acme client: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New("getting acme client: " + err.Error())
+	}
+
+	renewRequest := certificate.Resource{
+		Certificate: []byte(keyObj.Certificate.Crt),
+	}
+
+	cert, err := client.Certificate.Renew(renewRequest, true, false)
+	if err != nil {
+		log.Errorf("Error obtaining acme certificate: %s", err.Error())
+		return err
+	}
+
+	newCertObj := tc.DeliveryServiceSSLKeys{
+		AuthType:        keyObj.AuthType,
+		CDN:             keyObj.CDN,
+		DeliveryService: keyObj.DeliveryService,
+		Key:             keyObj.DeliveryService,
+		Hostname:        keyObj.Hostname,
+		Version:         keyObj.Version + 1,
+	}
+
+	newCertObj.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(cert.Certificate)), Key: string(EncodePEMToLegacyPerlRiakFormat(cert.PrivateKey)), CSR: string(EncodePEMToLegacyPerlRiakFormat([]byte("ACME Generated")))}
+	if err := riaksvc.PutDeliveryServiceSSLKeysObj(newCertObj, tx, cfg.RiakAuthOptions, cfg.RiakPort); err != nil {
+		log.Errorf("Error posting acme certificate to riak: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New(dsName + ": putting riak keys: " + err.Error())
+	}
+
+	tx2, err := db.Begin()
+	if err != nil {
+		log.Errorf("starting sql transaction for delivery service " + dsName + ": " + err.Error())
+		return errors.New("starting sql transaction for delivery service " + dsName + ": " + err.Error())
+	}
+
+	if err := updateSSLKeyVersion(dsName, *certVersion+1, tx2); err != nil {
+		log.Errorf("updating SSL key version for delivery service '" + dsName + "': " + err.Error())
+		return errors.New("updating SSL key version for delivery service '" + dsName + "': " + err.Error())
+	}
+	tx2.Commit()
+
+	api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: Added SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+
+	return nil
+}
+
+func getAcmeAccountConfig(cfg *config.Config, acmeProvider string) *config.ConfigAcmeAccount {
+	for _, acmeCfg := range cfg.AcmeAccounts {
+		if acmeCfg.AcmeProvider == acmeProvider {
+			return &acmeCfg
+		}
+	}
+	return nil
+}
+
+func getDSIdAndVersionFromName(db *sqlx.DB, xmlId string) (*int, *int64, error) {
+	var dsID int
+	var certVersion int64
+
+	if err := db.QueryRow(`SELECT id, ssl_key_version FROM deliveryservice WHERE xml_id = $1`, xmlId).Scan(&dsID, &certVersion); err != nil {
+		return nil, nil, err
+	}
+
+	return &dsID, &certVersion, nil
+}
+
+func GetAcmeClient(acmeAccount *config.ConfigAcmeAccount, userTx *sql.Tx, db *sqlx.DB) (*lego.Client, error) {

Review comment:
       Could you pls add a godoc comment to this function?

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"
+	"github.com/jmoiron/sqlx"
+)
+
+func RenewAcmeCertificate(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, []string{"xmlid"}, nil)
+	if userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+	defer inf.Close()
+	if inf.Config.RiakEnabled == false {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, userErr, errors.New("deliveryservice.DeleteSSLKeys: Riak is not configured"))
+		return
+	}
+	xmlID := inf.Params["xmlid"]
+
+	if userErr, sysErr, errCode := tenant.Check(inf.User, xmlID, inf.Tx.Tx); userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+
+	ctx, _ := context.WithTimeout(r.Context(), LetsEncryptTimeout)
+
+	err := renewAcmeCerts(inf.Config, xmlID, ctx, inf.User)
+	if err != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, nil, err)
+	}
+
+	api.WriteRespAlert(w, r, tc.SuccessLevel, "Certificate for "+xmlID+" successfully renewed.")
+
+}
+
+func renewAcmeCerts(cfg *config.Config, dsName string, ctx context.Context, currentUser *auth.CurrentUser) error {
+	db, err := api.GetDB(ctx)
+	if err != nil {
+		log.Errorf(dsName+": Error getting db: %s", err.Error())
+		return err
+	}
+
+	tx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting tx: %s", err.Error())
+		return err
+	}
+
+	userTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting userTx: %s", err.Error())
+		return err
+	}
+	defer userTx.Commit()
+
+	logTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting logTx: %s", err.Error())
+		return err
+	}
+	defer logTx.Commit()
+
+	dsID, certVersion, err := getDSIdAndVersionFromName(db, dsName)
+	if err != nil {
+		return errors.New("querying DS info: " + err.Error())
+	}
+	if dsID == nil || *dsID == 0 {
+		return errors.New("DS id for " + dsName + " was nil or 0")
+	}
+	if certVersion == nil || *certVersion == 0 {
+		return errors.New("certificate for " + dsName + " could not be renewed because version was nil or 0")
+	}
+
+	keyObj, ok, err := riaksvc.GetDeliveryServiceSSLKeysObjV15(dsName, strconv.Itoa(int(*certVersion)), tx, cfg.RiakAuthOptions, cfg.RiakPort)

Review comment:
       Could you add a quick nil check for `cfg` before dereferencing it here?

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"
+	"github.com/jmoiron/sqlx"
+)
+
+func RenewAcmeCertificate(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, []string{"xmlid"}, nil)
+	if userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+	defer inf.Close()
+	if inf.Config.RiakEnabled == false {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, userErr, errors.New("deliveryservice.DeleteSSLKeys: Riak is not configured"))
+		return
+	}
+	xmlID := inf.Params["xmlid"]
+
+	if userErr, sysErr, errCode := tenant.Check(inf.User, xmlID, inf.Tx.Tx); userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+
+	ctx, _ := context.WithTimeout(r.Context(), LetsEncryptTimeout)
+
+	err := renewAcmeCerts(inf.Config, xmlID, ctx, inf.User)
+	if err != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, nil, err)

Review comment:
       Rookie ACME question: Could this error not result due to a user error/ bad request? If so, we should send back the appropriate error code.

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/letsencryptcert.go
##########
@@ -358,7 +290,7 @@ func GetLetsEncryptCertificates(cfg *config.Config, req tc.DeliveryServiceLetsEn
 	// remove extra line if LE returns it
 	trimmedCert := bytes.ReplaceAll(certificates.Certificate, []byte("\n\n"), []byte("\n"))
 
-	dsSSLKeys.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(trimmedCert)), Key: string(EncodePEMToLegacyPerlRiakFormat(keyPem)), CSR: ""}
+	dsSSLKeys.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(trimmedCert)), Key: string(EncodePEMToLegacyPerlRiakFormat(keyPem)), CSR: string(EncodePEMToLegacyPerlRiakFormat([]byte("Lets Encrypt Generated")))}

Review comment:
       same comment about splitting this into multiple lines for better readability.

##########
File path: docs/source/api/v3/deliveryservices_xmlid_xmlid_sslkeys_renew.rst
##########
@@ -0,0 +1,54 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+..     http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-deliveryservices-xmlid-xmlid-sslkeys-renew:
+
+**************************************************
+``deliveryservices/xmlId/{{XMLID}}/sslkeys/renew``
+**************************************************
+
+``POST``
+========
+Uses :abbr:`ACME (Automatic Certificate Management Environment)` protocol to renew SSL keys for a :term:`Delivery Service`.
+
+:Auth. Required: Yes

Review comment:
       Indentation seems a bit off here.

##########
File path: docs/source/admin/traffic_ops.rst
##########
@@ -306,6 +306,16 @@ cdn.conf
 """"""""
 This file deals with the configuration parameters of running Traffic Ops itself. It is a JSON-format set of options and their respective values. For the `Legacy Perl Script`_ to work with this file, it must be in its default location at :file:`/opt/traffic_ops/app/conf/cdn.conf`, but `traffic_ops_golang`_ will use whatever file is specified by its :option:`--cfg` option. The keys of the file are described below.
 
+:acme_accounts: This is an optional array of objects to define External Account Binding information to an existing :abbr:`ACME (Automatic Certificate Management Environment)` account.  The `acme_provider` and `user_email` combination must be unique.

Review comment:
       nit: Does `External Account Binding` need to be capitalized?

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"
+	"github.com/jmoiron/sqlx"
+)
+
+func RenewAcmeCertificate(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, []string{"xmlid"}, nil)
+	if userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+	defer inf.Close()
+	if inf.Config.RiakEnabled == false {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, userErr, errors.New("deliveryservice.DeleteSSLKeys: Riak is not configured"))
+		return
+	}
+	xmlID := inf.Params["xmlid"]
+
+	if userErr, sysErr, errCode := tenant.Check(inf.User, xmlID, inf.Tx.Tx); userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+
+	ctx, _ := context.WithTimeout(r.Context(), LetsEncryptTimeout)
+
+	err := renewAcmeCerts(inf.Config, xmlID, ctx, inf.User)
+	if err != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, nil, err)
+	}
+
+	api.WriteRespAlert(w, r, tc.SuccessLevel, "Certificate for "+xmlID+" successfully renewed.")
+
+}
+
+func renewAcmeCerts(cfg *config.Config, dsName string, ctx context.Context, currentUser *auth.CurrentUser) error {
+	db, err := api.GetDB(ctx)
+	if err != nil {
+		log.Errorf(dsName+": Error getting db: %s", err.Error())
+		return err
+	}
+
+	tx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting tx: %s", err.Error())
+		return err
+	}
+
+	userTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting userTx: %s", err.Error())
+		return err
+	}
+	defer userTx.Commit()
+
+	logTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting logTx: %s", err.Error())
+		return err
+	}
+	defer logTx.Commit()
+
+	dsID, certVersion, err := getDSIdAndVersionFromName(db, dsName)
+	if err != nil {
+		return errors.New("querying DS info: " + err.Error())
+	}
+	if dsID == nil || *dsID == 0 {
+		return errors.New("DS id for " + dsName + " was nil or 0")
+	}
+	if certVersion == nil || *certVersion == 0 {
+		return errors.New("certificate for " + dsName + " could not be renewed because version was nil or 0")
+	}
+
+	keyObj, ok, err := riaksvc.GetDeliveryServiceSSLKeysObjV15(dsName, strconv.Itoa(int(*certVersion)), tx, cfg.RiakAuthOptions, cfg.RiakPort)
+	if err != nil {
+		return errors.New("getting ssl keys for xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)) + " :" + err.Error())

Review comment:
       nit: could we add a space after the `:` and before the `err.Error()` part?

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"
+	"github.com/jmoiron/sqlx"
+)
+
+func RenewAcmeCertificate(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, []string{"xmlid"}, nil)
+	if userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+	defer inf.Close()
+	if inf.Config.RiakEnabled == false {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, userErr, errors.New("deliveryservice.DeleteSSLKeys: Riak is not configured"))
+		return
+	}
+	xmlID := inf.Params["xmlid"]
+
+	if userErr, sysErr, errCode := tenant.Check(inf.User, xmlID, inf.Tx.Tx); userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+
+	ctx, _ := context.WithTimeout(r.Context(), LetsEncryptTimeout)
+
+	err := renewAcmeCerts(inf.Config, xmlID, ctx, inf.User)
+	if err != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, nil, err)
+	}
+
+	api.WriteRespAlert(w, r, tc.SuccessLevel, "Certificate for "+xmlID+" successfully renewed.")
+
+}
+
+func renewAcmeCerts(cfg *config.Config, dsName string, ctx context.Context, currentUser *auth.CurrentUser) error {
+	db, err := api.GetDB(ctx)
+	if err != nil {
+		log.Errorf(dsName+": Error getting db: %s", err.Error())
+		return err
+	}
+
+	tx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting tx: %s", err.Error())
+		return err
+	}
+
+	userTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting userTx: %s", err.Error())
+		return err
+	}
+	defer userTx.Commit()
+
+	logTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting logTx: %s", err.Error())
+		return err
+	}
+	defer logTx.Commit()
+
+	dsID, certVersion, err := getDSIdAndVersionFromName(db, dsName)
+	if err != nil {
+		return errors.New("querying DS info: " + err.Error())
+	}
+	if dsID == nil || *dsID == 0 {
+		return errors.New("DS id for " + dsName + " was nil or 0")
+	}
+	if certVersion == nil || *certVersion == 0 {
+		return errors.New("certificate for " + dsName + " could not be renewed because version was nil or 0")
+	}
+
+	keyObj, ok, err := riaksvc.GetDeliveryServiceSSLKeysObjV15(dsName, strconv.Itoa(int(*certVersion)), tx, cfg.RiakAuthOptions, cfg.RiakPort)
+	if err != nil {
+		return errors.New("getting ssl keys for xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)) + " :" + err.Error())
+	}
+	if !ok {
+		return errors.New("no object found for the specified key with xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)))
+	}
+
+	err = base64DecodeCertificate(&keyObj.Certificate)
+	if err != nil {
+		return errors.New("decoding cert for XMLID " + dsName + " : " + err.Error())
+	}
+
+	acmeAccount := getAcmeAccountConfig(cfg, keyObj.AuthType)
+	if acmeAccount == nil {
+		return errors.New("No acme account information in cdn.conf for " + keyObj.AuthType)
+	}
+
+	client, err := GetAcmeClient(acmeAccount, userTx, db)
+	if err != nil {
+		log.Errorf(dsName+": Error getting acme client: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New("getting acme client: " + err.Error())
+	}
+
+	renewRequest := certificate.Resource{
+		Certificate: []byte(keyObj.Certificate.Crt),
+	}
+
+	cert, err := client.Certificate.Renew(renewRequest, true, false)
+	if err != nil {
+		log.Errorf("Error obtaining acme certificate: %s", err.Error())
+		return err
+	}
+
+	newCertObj := tc.DeliveryServiceSSLKeys{
+		AuthType:        keyObj.AuthType,
+		CDN:             keyObj.CDN,
+		DeliveryService: keyObj.DeliveryService,
+		Key:             keyObj.DeliveryService,
+		Hostname:        keyObj.Hostname,
+		Version:         keyObj.Version + 1,
+	}
+
+	newCertObj.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(cert.Certificate)), Key: string(EncodePEMToLegacyPerlRiakFormat(cert.PrivateKey)), CSR: string(EncodePEMToLegacyPerlRiakFormat([]byte("ACME Generated")))}
+	if err := riaksvc.PutDeliveryServiceSSLKeysObj(newCertObj, tx, cfg.RiakAuthOptions, cfg.RiakPort); err != nil {
+		log.Errorf("Error posting acme certificate to riak: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New(dsName + ": putting riak keys: " + err.Error())
+	}
+
+	tx2, err := db.Begin()
+	if err != nil {
+		log.Errorf("starting sql transaction for delivery service " + dsName + ": " + err.Error())
+		return errors.New("starting sql transaction for delivery service " + dsName + ": " + err.Error())
+	}
+
+	if err := updateSSLKeyVersion(dsName, *certVersion+1, tx2); err != nil {
+		log.Errorf("updating SSL key version for delivery service '" + dsName + "': " + err.Error())
+		return errors.New("updating SSL key version for delivery service '" + dsName + "': " + err.Error())
+	}
+	tx2.Commit()
+
+	api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: Added SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+
+	return nil
+}
+
+func getAcmeAccountConfig(cfg *config.Config, acmeProvider string) *config.ConfigAcmeAccount {
+	for _, acmeCfg := range cfg.AcmeAccounts {
+		if acmeCfg.AcmeProvider == acmeProvider {
+			return &acmeCfg
+		}
+	}
+	return nil
+}
+
+func getDSIdAndVersionFromName(db *sqlx.DB, xmlId string) (*int, *int64, error) {
+	var dsID int
+	var certVersion int64
+
+	if err := db.QueryRow(`SELECT id, ssl_key_version FROM deliveryservice WHERE xml_id = $1`, xmlId).Scan(&dsID, &certVersion); err != nil {
+		return nil, nil, err
+	}
+
+	return &dsID, &certVersion, nil
+}
+
+func GetAcmeClient(acmeAccount *config.ConfigAcmeAccount, userTx *sql.Tx, db *sqlx.DB) (*lego.Client, error) {
+	if acmeAccount.UserEmail == "" {
+		log.Errorf("An email address must be provided to use ACME with %v", acmeAccount.AcmeProvider)
+		return nil, errors.New("An email address must be provided to use ACME with " + acmeAccount.AcmeProvider)
+	}
+	storedAcmeInfo, err := getStoredAcmeAccountInfo(userTx, acmeAccount.UserEmail, acmeAccount.AcmeProvider)
+	if err != nil {
+		log.Errorf("Error finding stored ACME information: %s", err.Error())
+		return nil, err
+	}
+
+	myUser := MyUser{}
+	foundPreviousAccount := false
+	userPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		log.Errorf("Error generating private key: %s", err.Error())
+		return nil, err
+	}
+
+	if storedAcmeInfo == nil || acmeAccount.UserEmail == "" {
+		myUser = MyUser{
+			key:   userPrivateKey,
+			Email: acmeAccount.UserEmail,
+		}
+	} else {
+		foundPreviousAccount = true
+		myUser = MyUser{
+			key:   &storedAcmeInfo.PrivateKey,
+			Email: storedAcmeInfo.Email,
+			Registration: &registration.Resource{
+				URI: storedAcmeInfo.URI,
+			},
+		}
+	}
+
+	config := lego.NewConfig(&myUser)
+	config.CADirURL = acmeAccount.AcmeUrl
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		log.Errorf("Error creating acme client: %s", err.Error())
+		return nil, err
+	}
+
+	if acmeAccount.AcmeProvider == tc.LetsEncryptAuthType {
+		client.Challenge.Remove(challenge.HTTP01)
+		client.Challenge.Remove(challenge.TLSALPN01)
+		trafficRouterDns := NewDNSProviderTrafficRouter()
+		trafficRouterDns.db = db
+		if err != nil {
+			log.Errorf("Error creating Traffic Router DNS provider: %s", err.Error())
+			return nil, err
+		}
+		client.Challenge.SetDNS01Provider(trafficRouterDns)
+	}
+
+	if foundPreviousAccount {
+		log.Debugf("Found existing account with %s", acmeAccount.AcmeProvider)
+		reg, err := client.Registration.QueryRegistration()
+		if err != nil {
+			log.Errorf("Error querying %s for existing account: %s", acmeAccount.AcmeProvider, err.Error())
+			return nil, err
+		}
+		myUser.Registration = reg
+		if reg.Body.Status != "valid" {

Review comment:
       Could we add a constant for "valid" ?

##########
File path: docs/source/admin/traffic_ops.rst
##########
@@ -306,6 +306,16 @@ cdn.conf
 """"""""
 This file deals with the configuration parameters of running Traffic Ops itself. It is a JSON-format set of options and their respective values. For the `Legacy Perl Script`_ to work with this file, it must be in its default location at :file:`/opt/traffic_ops/app/conf/cdn.conf`, but `traffic_ops_golang`_ will use whatever file is specified by its :option:`--cfg` option. The keys of the file are described below.
 
+:acme_accounts: This is an optional array of objects to define External Account Binding information to an existing :abbr:`ACME (Automatic Certificate Management Environment)` account.  The `acme_provider` and `user_email` combination must be unique.

Review comment:
       Should we put a reference to the actual definition of external account binding here? `external_account_binding`

##########
File path: docs/source/admin/traffic_ops.rst
##########
@@ -306,6 +306,16 @@ cdn.conf
 """"""""
 This file deals with the configuration parameters of running Traffic Ops itself. It is a JSON-format set of options and their respective values. For the `Legacy Perl Script`_ to work with this file, it must be in its default location at :file:`/opt/traffic_ops/app/conf/cdn.conf`, but `traffic_ops_golang`_ will use whatever file is specified by its :option:`--cfg` option. The keys of the file are described below.
 
+:acme_accounts: This is an optional array of objects to define External Account Binding information to an existing :abbr:`ACME (Automatic Certificate Management Environment)` account.  The `acme_provider` and `user_email` combination must be unique.
+
+    .. versionadded:: 5.1
+
+	:acme_provider: The certificate provider. This field needs to correlate to the AuthType field for each certificate so the renewal functionality knows which provider to use.

Review comment:
       Looks like the indentation is off here.

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -0,0 +1,363 @@
+package deliveryservice
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"database/sql"
+	"encoding/pem"
+	"errors"
+	"github.com/go-acme/lego/certcrypto"
+	"github.com/go-acme/lego/challenge"
+	"github.com/go-acme/lego/lego"
+	"github.com/go-acme/lego/registration"
+	"net/http"
+	"strconv"
+
+	"github.com/apache/trafficcontrol/lib/go-log"
+	"github.com/apache/trafficcontrol/lib/go-tc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/auth"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/riaksvc"
+	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tenant"
+
+	"github.com/go-acme/lego/certificate"
+	"github.com/jmoiron/sqlx"
+)
+
+func RenewAcmeCertificate(w http.ResponseWriter, r *http.Request) {
+	inf, userErr, sysErr, errCode := api.NewInfo(r, []string{"xmlid"}, nil)
+	if userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+	defer inf.Close()
+	if inf.Config.RiakEnabled == false {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, userErr, errors.New("deliveryservice.DeleteSSLKeys: Riak is not configured"))
+		return
+	}
+	xmlID := inf.Params["xmlid"]
+
+	if userErr, sysErr, errCode := tenant.Check(inf.User, xmlID, inf.Tx.Tx); userErr != nil || sysErr != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, errCode, userErr, sysErr)
+		return
+	}
+
+	ctx, _ := context.WithTimeout(r.Context(), LetsEncryptTimeout)
+
+	err := renewAcmeCerts(inf.Config, xmlID, ctx, inf.User)
+	if err != nil {
+		api.HandleErr(w, r, inf.Tx.Tx, http.StatusInternalServerError, nil, err)
+	}
+
+	api.WriteRespAlert(w, r, tc.SuccessLevel, "Certificate for "+xmlID+" successfully renewed.")
+
+}
+
+func renewAcmeCerts(cfg *config.Config, dsName string, ctx context.Context, currentUser *auth.CurrentUser) error {
+	db, err := api.GetDB(ctx)
+	if err != nil {
+		log.Errorf(dsName+": Error getting db: %s", err.Error())
+		return err
+	}
+
+	tx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting tx: %s", err.Error())
+		return err
+	}
+
+	userTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting userTx: %s", err.Error())
+		return err
+	}
+	defer userTx.Commit()
+
+	logTx, err := db.Begin()
+	if err != nil {
+		log.Errorf(dsName+": Error getting logTx: %s", err.Error())
+		return err
+	}
+	defer logTx.Commit()
+
+	dsID, certVersion, err := getDSIdAndVersionFromName(db, dsName)
+	if err != nil {
+		return errors.New("querying DS info: " + err.Error())
+	}
+	if dsID == nil || *dsID == 0 {
+		return errors.New("DS id for " + dsName + " was nil or 0")
+	}
+	if certVersion == nil || *certVersion == 0 {
+		return errors.New("certificate for " + dsName + " could not be renewed because version was nil or 0")
+	}
+
+	keyObj, ok, err := riaksvc.GetDeliveryServiceSSLKeysObjV15(dsName, strconv.Itoa(int(*certVersion)), tx, cfg.RiakAuthOptions, cfg.RiakPort)
+	if err != nil {
+		return errors.New("getting ssl keys for xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)) + " :" + err.Error())
+	}
+	if !ok {
+		return errors.New("no object found for the specified key with xmlId: " + dsName + " and version: " + strconv.Itoa(int(*certVersion)))
+	}
+
+	err = base64DecodeCertificate(&keyObj.Certificate)
+	if err != nil {
+		return errors.New("decoding cert for XMLID " + dsName + " : " + err.Error())
+	}
+
+	acmeAccount := getAcmeAccountConfig(cfg, keyObj.AuthType)
+	if acmeAccount == nil {
+		return errors.New("No acme account information in cdn.conf for " + keyObj.AuthType)
+	}
+
+	client, err := GetAcmeClient(acmeAccount, userTx, db)
+	if err != nil {
+		log.Errorf(dsName+": Error getting acme client: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New("getting acme client: " + err.Error())
+	}
+
+	renewRequest := certificate.Resource{
+		Certificate: []byte(keyObj.Certificate.Crt),
+	}
+
+	cert, err := client.Certificate.Renew(renewRequest, true, false)
+	if err != nil {
+		log.Errorf("Error obtaining acme certificate: %s", err.Error())
+		return err
+	}
+
+	newCertObj := tc.DeliveryServiceSSLKeys{
+		AuthType:        keyObj.AuthType,
+		CDN:             keyObj.CDN,
+		DeliveryService: keyObj.DeliveryService,
+		Key:             keyObj.DeliveryService,
+		Hostname:        keyObj.Hostname,
+		Version:         keyObj.Version + 1,
+	}
+
+	newCertObj.Certificate = tc.DeliveryServiceSSLKeysCertificate{Crt: string(EncodePEMToLegacyPerlRiakFormat(cert.Certificate)), Key: string(EncodePEMToLegacyPerlRiakFormat(cert.PrivateKey)), CSR: string(EncodePEMToLegacyPerlRiakFormat([]byte("ACME Generated")))}
+	if err := riaksvc.PutDeliveryServiceSSLKeysObj(newCertObj, tx, cfg.RiakAuthOptions, cfg.RiakPort); err != nil {
+		log.Errorf("Error posting acme certificate to riak: %s", err.Error())
+		api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: FAILED to add SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+		return errors.New(dsName + ": putting riak keys: " + err.Error())
+	}
+
+	tx2, err := db.Begin()
+	if err != nil {
+		log.Errorf("starting sql transaction for delivery service " + dsName + ": " + err.Error())
+		return errors.New("starting sql transaction for delivery service " + dsName + ": " + err.Error())
+	}
+
+	if err := updateSSLKeyVersion(dsName, *certVersion+1, tx2); err != nil {
+		log.Errorf("updating SSL key version for delivery service '" + dsName + "': " + err.Error())
+		return errors.New("updating SSL key version for delivery service '" + dsName + "': " + err.Error())
+	}
+	tx2.Commit()
+
+	api.CreateChangeLogRawTx(api.ApiChange, "DS: "+dsName+", ID: "+strconv.Itoa(*dsID)+", ACTION: Added SSL keys with "+acmeAccount.AcmeProvider, currentUser, logTx)
+
+	return nil
+}
+
+func getAcmeAccountConfig(cfg *config.Config, acmeProvider string) *config.ConfigAcmeAccount {
+	for _, acmeCfg := range cfg.AcmeAccounts {
+		if acmeCfg.AcmeProvider == acmeProvider {
+			return &acmeCfg
+		}
+	}
+	return nil
+}
+
+func getDSIdAndVersionFromName(db *sqlx.DB, xmlId string) (*int, *int64, error) {
+	var dsID int
+	var certVersion int64
+
+	if err := db.QueryRow(`SELECT id, ssl_key_version FROM deliveryservice WHERE xml_id = $1`, xmlId).Scan(&dsID, &certVersion); err != nil {
+		return nil, nil, err
+	}
+
+	return &dsID, &certVersion, nil
+}
+
+func GetAcmeClient(acmeAccount *config.ConfigAcmeAccount, userTx *sql.Tx, db *sqlx.DB) (*lego.Client, error) {
+	if acmeAccount.UserEmail == "" {
+		log.Errorf("An email address must be provided to use ACME with %v", acmeAccount.AcmeProvider)
+		return nil, errors.New("An email address must be provided to use ACME with " + acmeAccount.AcmeProvider)
+	}
+	storedAcmeInfo, err := getStoredAcmeAccountInfo(userTx, acmeAccount.UserEmail, acmeAccount.AcmeProvider)
+	if err != nil {
+		log.Errorf("Error finding stored ACME information: %s", err.Error())
+		return nil, err
+	}
+
+	myUser := MyUser{}
+	foundPreviousAccount := false
+	userPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		log.Errorf("Error generating private key: %s", err.Error())
+		return nil, err
+	}
+
+	if storedAcmeInfo == nil || acmeAccount.UserEmail == "" {
+		myUser = MyUser{
+			key:   userPrivateKey,
+			Email: acmeAccount.UserEmail,
+		}
+	} else {
+		foundPreviousAccount = true
+		myUser = MyUser{
+			key:   &storedAcmeInfo.PrivateKey,
+			Email: storedAcmeInfo.Email,
+			Registration: &registration.Resource{
+				URI: storedAcmeInfo.URI,
+			},
+		}
+	}
+
+	config := lego.NewConfig(&myUser)
+	config.CADirURL = acmeAccount.AcmeUrl
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		log.Errorf("Error creating acme client: %s", err.Error())
+		return nil, err
+	}
+
+	if acmeAccount.AcmeProvider == tc.LetsEncryptAuthType {
+		client.Challenge.Remove(challenge.HTTP01)
+		client.Challenge.Remove(challenge.TLSALPN01)
+		trafficRouterDns := NewDNSProviderTrafficRouter()
+		trafficRouterDns.db = db
+		if err != nil {
+			log.Errorf("Error creating Traffic Router DNS provider: %s", err.Error())
+			return nil, err
+		}
+		client.Challenge.SetDNS01Provider(trafficRouterDns)
+	}
+
+	if foundPreviousAccount {
+		log.Debugf("Found existing account with %s", acmeAccount.AcmeProvider)
+		reg, err := client.Registration.QueryRegistration()
+		if err != nil {
+			log.Errorf("Error querying %s for existing account: %s", acmeAccount.AcmeProvider, err.Error())
+			return nil, err
+		}
+		myUser.Registration = reg
+		if reg.Body.Status != "valid" {
+			log.Debugf("Account found with %s is not valid.", acmeAccount.AcmeProvider)
+			foundPreviousAccount = false
+		}
+	}
+	if !foundPreviousAccount {
+		if acmeAccount.Kid != "" && acmeAccount.HmacEncoded != "" {
+			reg, err := client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+				TermsOfServiceAgreed: true,
+				Kid:                  acmeAccount.Kid,
+				HmacEncoded:          acmeAccount.HmacEncoded,
+			})
+			if err != nil {
+				log.Errorf("Error registering acme client with external account binding: %s", err.Error())
+				return nil, err
+			}
+			myUser.Registration = reg
+			log.Debugf("Creating a new account with %s", acmeAccount.AcmeProvider)
+		} else {
+			reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+			if err != nil {
+				log.Errorf("Error registering acme client: %s", err.Error())
+				return nil, err
+			}
+			myUser.Registration = reg
+			log.Debugf("Creating a new account with %s", acmeAccount.AcmeProvider)
+		}
+
+		// save account info
+		userKeyDer := x509.MarshalPKCS1PrivateKey(userPrivateKey)

Review comment:
       Do you think we should separate the key generation/ renewal part into its own function? 




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org