pages/pages-server
1
0
Fork 0
mirror of https://codeberg.org/Codeberg/pages-server.git synced 2025-04-24 13:56:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Allow to use certificate even if domain validation fails

Browse source 
- Currently if the canonical domain validations fails(either for
legitimate reasons or for bug reasons like the request to Gitea/Forgejo
failing) it will use main domain certificate, which in the case for
custom domains will warrant a security error as the certificate isn't
issued to the custom domain.
- This patch handles this situation more gracefully and instead only
disallow obtaining a certificate if the domain validation fails, so in
the case that a certificate still exists it can still be used even if
the canonical domain validation fails. There's a small side effect,
legitimate users that remove domains from `.domain` will still be able
to use the removed domain(as long as the DNS records exists) as long as
the certificate currently hold by pages-server isn't expired.
- Given the increased usage in custom domains that are resulting in
errors, I think it ways more than the side effect.
This commit is contained in:
Gusted 2023-01-15 23:30:03 +01:00
parent bd538abd37
commit 0ca3377e68
No known key found for this signature in database
GPG key ID: FD821B732837125F
1 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
server/certificates/certificates.go
View file

@ -70,6 +70,7 @@ func TLSConfig(mainDomainSuffix string,
}
targetOwner := ""
mayObtainCert := true
if strings.HasSuffix(sni, mainDomainSuffix) || strings.EqualFold(sni, mainDomainSuffix[1:]) {
// deliver default certificate for the main domain (*.codeberg.page)
sni = mainDomainSuffix
@ -87,7 +88,9 @@ func TLSConfig(mainDomainSuffix string,
}
_, valid := targetOpt.CheckCanonicalDomain(giteaClient, sni, mainDomainSuffix, canonicalDomainCache)
if !valid {
sni = mainDomainSuffix
// We shouldn't obtain a certificate when we cannot check if the
// repository has specified this domain in the `.domains` file.
mayObtainCert = false
}
}
}
@ -106,6 +109,10 @@ func TLSConfig(mainDomainSuffix string,
return nil, errors.New("won't request certificate for main domain, something really bad has happened")
}
if !mayObtainCert {
return nil, fmt.Errorf("won't request certificate for %q", sni)
}
tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, dnsProvider, mainDomainSuffix, acmeUseRateLimits, certDB)
if err != nil {
return nil, err