2021-12-05 14:25:12 +00:00
|
|
|
package certificates
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"crypto/rand"
|
|
|
|
|
"crypto/rsa"
|
|
|
|
|
"crypto/tls"
|
|
|
|
|
"crypto/x509"
|
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
|
"encoding/pem"
|
|
|
|
|
"math/big"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/go-acme/lego/v4/certcrypto"
|
|
|
|
|
"github.com/go-acme/lego/v4/certificate"
|
2023-02-10 03:00:14 +00:00
|
|
|
"github.com/rs/zerolog/log"
|
2021-12-05 14:25:12 +00:00
|
|
|
|
|
|
|
|
"codeberg.org/codeberg/pages/server/database"
|
|
|
|
|
)
|
|
|
|
|
|
2023-02-10 03:00:14 +00:00
|
|
|
func mockCert(domain, msg, mainDomainSuffix string, keyDatabase database.CertDB) (*tls.Certificate, error) {
|
2021-12-05 14:25:12 +00:00
|
|
|
key, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048)
|
|
|
|
|
if err != nil {
|
2023-02-10 03:00:14 +00:00
|
|
|
return nil, err
|
2021-12-05 14:25:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
template := x509.Certificate{
|
|
|
|
|
SerialNumber: big.NewInt(1),
|
|
|
|
|
Subject: pkix.Name{
|
|
|
|
|
CommonName: domain,
|
|
|
|
|
Organization: []string{"Codeberg Pages Error Certificate (couldn't obtain ACME certificate)"},
|
|
|
|
|
OrganizationalUnit: []string{
|
|
|
|
|
"Will not try again for 6 hours to avoid hitting rate limits for your domain.",
|
|
|
|
|
"Check https://docs.codeberg.org/codeberg-pages/troubleshooting/ for troubleshooting tips, and feel " +
|
|
|
|
|
"free to create an issue at https://codeberg.org/Codeberg/pages-server if you can't solve it.\n",
|
|
|
|
|
"Error message: " + msg,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// certificates younger than 7 days are renewed, so this enforces the cert to not be renewed for a 6 hours
|
|
|
|
|
NotAfter: time.Now().Add(time.Hour*24*7 + time.Hour*6),
|
|
|
|
|
NotBefore: time.Now(),
|
|
|
|
|
|
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
|
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
|
}
|
|
|
|
|
certBytes, err := x509.CreateCertificate(
|
|
|
|
|
rand.Reader,
|
|
|
|
|
&template,
|
|
|
|
|
&template,
|
|
|
|
|
&key.(*rsa.PrivateKey).PublicKey,
|
|
|
|
|
key,
|
|
|
|
|
)
|
|
|
|
|
if err != nil {
|
2023-02-10 03:00:14 +00:00
|
|
|
return nil, err
|
2021-12-05 14:25:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
out := &bytes.Buffer{}
|
|
|
|
|
err = pem.Encode(out, &pem.Block{
|
|
|
|
|
Bytes: certBytes,
|
|
|
|
|
Type: "CERTIFICATE",
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
2023-02-10 03:00:14 +00:00
|
|
|
return nil, err
|
2021-12-05 14:25:12 +00:00
|
|
|
}
|
|
|
|
|
outBytes := out.Bytes()
|
|
|
|
|
res := &certificate.Resource{
|
|
|
|
|
PrivateKey: certcrypto.PEMEncode(key),
|
|
|
|
|
Certificate: outBytes,
|
|
|
|
|
IssuerCertificate: outBytes,
|
|
|
|
|
Domain: domain,
|
|
|
|
|
}
|
|
|
|
|
databaseName := domain
|
|
|
|
|
if domain == "*"+mainDomainSuffix || domain == mainDomainSuffix[1:] {
|
|
|
|
|
databaseName = mainDomainSuffix
|
|
|
|
|
}
|
2021-12-05 18:00:57 +00:00
|
|
|
if err := keyDatabase.Put(databaseName, res); err != nil {
|
2023-02-10 03:00:14 +00:00
|
|
|
log.Error().Err(err)
|
2021-12-05 18:00:57 +00:00
|
|
|
}
|
2021-12-05 14:25:12 +00:00
|
|
|
|
|
|
|
|
tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey)
|
|
|
|
|
if err != nil {
|
2023-02-10 03:00:14 +00:00
|
|
|
return nil, err
|
2021-12-05 14:25:12 +00:00
|
|
|
}
|
2023-02-10 03:00:14 +00:00
|
|
|
return &tlsCertificate, nil
|
2021-12-05 14:25:12 +00:00
|
|
|
}
|
