pass down acme config
This commit is contained in:
parent
6e797b8115
commit
7401846261
3 changed files with 21 additions and 30 deletions
|
@ -22,16 +22,5 @@ func CreateAcmeClient(cfg config.ACMEConfig, enableHTTPServer bool, challengeCac
|
||||||
return nil, fmt.Errorf("%w: ACME_EAB_KID also needs ACME_EAB_HMAC to be set", ErrAcmeMissConfig)
|
return nil, fmt.Errorf("%w: ACME_EAB_KID also needs ACME_EAB_HMAC to be set", ErrAcmeMissConfig)
|
||||||
}
|
}
|
||||||
|
|
||||||
return certificates.NewAcmeClient(
|
return certificates.NewAcmeClient(cfg, enableHTTPServer, challengeCache)
|
||||||
cfg.AccountConfigFile,
|
|
||||||
cfg.APIEndpoint,
|
|
||||||
cfg.Email,
|
|
||||||
cfg.EAB_HMAC,
|
|
||||||
cfg.EAB_KID,
|
|
||||||
cfg.DNSProvider,
|
|
||||||
cfg.AcceptTerms,
|
|
||||||
enableHTTPServer,
|
|
||||||
cfg.UseRateLimits,
|
|
||||||
challengeCache,
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
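Review bot: The `ErrAcmeMissConfig` return ("ACME_EAB_KID also needs ACME_EAB_HMAC to be set") is now the only visible place that rejects a half-configured EAB pair, because `setupAcmeConfig` in the same commit silently falls back to plain registration whenever either `cfg.EAB_KID` or `cfg.EAB_HMAC` is empty. Since `CreateAcmeClient` now hands the whole struct to `certificates.NewAcmeClient(cfg, enableHTTPServer, challengeCache)`, it is worth stating that this function is the validation boundary, e.g. above the return: `// cfg has been validated above; NewAcmeClient trusts it as-is.` The function's opening, and any check for the reverse case (HMAC set without KID), are outside the hunk, so I cannot confirm both directions are covered.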
|
@ -10,6 +10,7 @@ import (
|
||||||
"github.com/reugn/equalizer"
|
"github.com/reugn/equalizer"
|
||||||
"github.com/rs/zerolog/log"
|
"github.com/rs/zerolog/log"
|
||||||
|
|
||||||
|
"codeberg.org/codeberg/pages/config"
|
||||||
"codeberg.org/codeberg/pages/server/cache"
|
"codeberg.org/codeberg/pages/server/cache"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -28,8 +29,8 @@ type AcmeClient struct {
|
||||||
acmeClientCertificateLimitPerUser map[string]*equalizer.TokenBucket
|
acmeClientCertificateLimitPerUser map[string]*equalizer.TokenBucket
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewAcmeClient(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeAcceptTerms, enableHTTPServer, acmeUseRateLimits bool, challengeCache cache.ICache) (*AcmeClient, error) {
|
func NewAcmeClient(cfg config.ACMEConfig, enableHTTPServer bool, challengeCache cache.ICache) (*AcmeClient, error) {
|
||||||
acmeConfig, err := setupAcmeConfig(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, acmeAcceptTerms)
|
acmeConfig, err := setupAcmeConfig(cfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -54,7 +55,7 @@ func NewAcmeClient(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID,
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error().Err(err).Msg("Can't create ACME client, continuing with mock certs only")
|
log.Error().Err(err).Msg("Can't create ACME client, continuing with mock certs only")
|
||||||
} else {
|
} else {
|
||||||
if dnsProvider == "" {
|
if cfg.DNSProvider == "" {
|
||||||
// using mock server, don't use wildcard certs
|
// using mock server, don't use wildcard certs
|
||||||
err := mainDomainAcmeClient.Challenge.SetTLSALPN01Provider(AcmeTLSChallengeProvider{challengeCache})
|
err := mainDomainAcmeClient.Challenge.SetTLSALPN01Provider(AcmeTLSChallengeProvider{challengeCache})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -62,7 +63,7 @@ func NewAcmeClient(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID,
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// use DNS-Challenge https://go-acme.github.io/lego/dns/
|
// use DNS-Challenge https://go-acme.github.io/lego/dns/
|
||||||
provider, err := dns.NewDNSChallengeProviderByName(dnsProvider)
|
provider, err := dns.NewDNSChallengeProviderByName(cfg.DNSProvider)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("can not create DNS Challenge provider: %w", err)
|
return nil, fmt.Errorf("can not create DNS Challenge provider: %w", err)
|
||||||
}
|
}
|
||||||
|
@ -76,7 +77,7 @@ func NewAcmeClient(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID,
|
||||||
legoClient: acmeClient,
|
legoClient: acmeClient,
|
||||||
dnsChallengerLegoClient: mainDomainAcmeClient,
|
dnsChallengerLegoClient: mainDomainAcmeClient,
|
||||||
|
|
||||||
acmeUseRateLimits: acmeUseRateLimits,
|
acmeUseRateLimits: cfg.UseRateLimits,
|
||||||
|
|
||||||
obtainLocks: sync.Map{},
|
obtainLocks: sync.Map{},
|
||||||
|
|
||||||
|
|
|
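Review bot: `NewAcmeClient` is exported but has no doc comment, and the new `cfg config.ACMEConfig` signature is less self-describing than the old explicit parameter list — notably that an empty `cfg.DNSProvider` switches the main-domain client to TLS-ALPN-01 (the `// using mock server` branch) instead of a DNS-01 provider. Suggest adding above the signature: `// NewAcmeClient builds the lego clients from cfg. An empty cfg.DNSProvider selects TLS-ALPN-01 for the main domain instead of a DNS challenge provider; challengeCache backs the TLS-ALPN provider.` How `enableHTTPServer` is used is not visible in these hunks, so add a clause for it that matches the code outside them. The function body continues outside the hunk.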
@ -8,6 +8,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
|
|
||||||
|
"codeberg.org/codeberg/pages/config"
|
||||||
"github.com/go-acme/lego/v4/certcrypto"
|
"github.com/go-acme/lego/v4/certcrypto"
|
||||||
"github.com/go-acme/lego/v4/lego"
|
"github.com/go-acme/lego/v4/lego"
|
||||||
"github.com/go-acme/lego/v4/registration"
|
"github.com/go-acme/lego/v4/registration"
|
||||||
|
@ -16,12 +17,12 @@ import (
|
||||||
|
|
||||||
const challengePath = "/.well-known/acme-challenge/"
|
const challengePath = "/.well-known/acme-challenge/"
|
||||||
|
|
||||||
func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID string, acmeAcceptTerms bool) (*lego.Config, error) {
|
func setupAcmeConfig(cfg config.ACMEConfig) (*lego.Config, error) {
|
||||||
var myAcmeAccount AcmeAccount
|
var myAcmeAccount AcmeAccount
|
||||||
var myAcmeConfig *lego.Config
|
var myAcmeConfig *lego.Config
|
||||||
|
|
||||||
if account, err := os.ReadFile(configFile); err == nil {
|
if account, err := os.ReadFile(cfg.AccountConfigFile); err == nil {
|
||||||
log.Info().Msgf("found existing acme account config file '%s'", configFile)
|
log.Info().Msgf("found existing acme account config file '%s'", cfg.AccountConfigFile)
|
||||||
if err := json.Unmarshal(account, &myAcmeAccount); err != nil {
|
if err := json.Unmarshal(account, &myAcmeAccount); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -30,7 +31,7 @@ func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID stri
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
myAcmeConfig = lego.NewConfig(&myAcmeAccount)
|
myAcmeConfig = lego.NewConfig(&myAcmeAccount)
|
||||||
myAcmeConfig.CADirURL = acmeAPI
|
myAcmeConfig.CADirURL = cfg.APIEndpoint
|
||||||
myAcmeConfig.Certificate.KeyType = certcrypto.RSA2048
|
myAcmeConfig.Certificate.KeyType = certcrypto.RSA2048
|
||||||
|
|
||||||
// Validate Config
|
// Validate Config
|
||||||
|
@ -51,20 +52,20 @@ func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID stri
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
myAcmeAccount = AcmeAccount{
|
myAcmeAccount = AcmeAccount{
|
||||||
Email: acmeMail,
|
Email: cfg.Email,
|
||||||
Key: privateKey,
|
Key: privateKey,
|
||||||
KeyPEM: string(certcrypto.PEMEncode(privateKey)),
|
KeyPEM: string(certcrypto.PEMEncode(privateKey)),
|
||||||
}
|
}
|
||||||
myAcmeConfig = lego.NewConfig(&myAcmeAccount)
|
myAcmeConfig = lego.NewConfig(&myAcmeAccount)
|
||||||
myAcmeConfig.CADirURL = acmeAPI
|
myAcmeConfig.CADirURL = cfg.APIEndpoint
|
||||||
myAcmeConfig.Certificate.KeyType = certcrypto.RSA2048
|
myAcmeConfig.Certificate.KeyType = certcrypto.RSA2048
|
||||||
tempClient, err := lego.NewClient(myAcmeConfig)
|
tempClient, err := lego.NewClient(myAcmeConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error().Err(err).Msg("Can't create ACME client, continuing with mock certs only")
|
log.Error().Err(err).Msg("Can't create ACME client, continuing with mock certs only")
|
||||||
} else {
|
} else {
|
||||||
// accept terms & log in to EAB
|
// accept terms & log in to EAB
|
||||||
if acmeEabKID == "" || acmeEabHmac == "" {
|
if cfg.EAB_KID == "" || cfg.EAB_HMAC == "" {
|
||||||
reg, err := tempClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: acmeAcceptTerms})
|
reg, err := tempClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: cfg.AcceptTerms})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error().Err(err).Msg("Can't register ACME account, continuing with mock certs only")
|
log.Error().Err(err).Msg("Can't register ACME account, continuing with mock certs only")
|
||||||
} else {
|
} else {
|
||||||
|
@ -72,9 +73,9 @@ func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID stri
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
reg, err := tempClient.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
|
reg, err := tempClient.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
|
||||||
TermsOfServiceAgreed: acmeAcceptTerms,
|
TermsOfServiceAgreed: cfg.AcceptTerms,
|
||||||
Kid: acmeEabKID,
|
Kid: cfg.EAB_KID,
|
||||||
HmacEncoded: acmeEabHmac,
|
HmacEncoded: cfg.EAB_HMAC,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error().Err(err).Msg("Can't register ACME account, continuing with mock certs only")
|
log.Error().Err(err).Msg("Can't register ACME account, continuing with mock certs only")
|
||||||
|
@ -89,8 +90,8 @@ func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID stri
|
||||||
log.Error().Err(err).Msg("json.Marshalfailed, waiting for manual restart to avoid rate limits")
|
log.Error().Err(err).Msg("json.Marshalfailed, waiting for manual restart to avoid rate limits")
|
||||||
select {}
|
select {}
|
||||||
}
|
}
|
||||||
log.Info().Msgf("new acme account created. write to config file '%s'", configFile)
|
log.Info().Msgf("new acme account created. write to config file '%s'", cfg.AccountConfigFile)
|
||||||
err = os.WriteFile(configFile, acmeAccountJSON, 0o600)
|
err = os.WriteFile(cfg.AccountConfigFile, acmeAccountJSON, 0o600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error().Err(err).Msg("os.WriteFile failed, waiting for manual restart to avoid rate limits")
|
log.Error().Err(err).Msg("os.WriteFile failed, waiting for manual restart to avoid rate limits")
|
||||||
select {}
|
select {}
|
||||||
|
|
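Review bot: `setupAcmeConfig` now receives the whole `config.ACMEConfig`, which bundles the EAB secret (read at `HmacEncoded: cfg.EAB_HMAC`) with non-sensitive fields, and the function carries no doc comment saying so. Suggest: `// setupAcmeConfig loads or creates the ACME account for cfg. cfg carries the EAB HMAC secret and the generated account key is persisted to cfg.AccountConfigFile (mode 0o600), so do not log cfg as a whole.` The two `select {}` statements after the marshal/write failures deliberately park the goroutine ("waiting for manual restart to avoid rate limits"); that predates this commit, but a one-line comment on the rationale at each `select {}` would help readers, since a blocking statement in a constructor is unexpected. The function's end is outside the hunk.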