add option to avoid using dns wildcard cert
This commit is contained in:
parent
7e80ade24b
commit
83b1c4f9e4
7 changed files with 28 additions and 4 deletions
|
@ -178,6 +178,11 @@ var (
|
||||||
Usage: "Use DNS-Challenge for main domain. Read more at: https://go-acme.github.io/lego/dns/",
|
Usage: "Use DNS-Challenge for main domain. Read more at: https://go-acme.github.io/lego/dns/",
|
||||||
EnvVars: []string{"DNS_PROVIDER"},
|
EnvVars: []string{"DNS_PROVIDER"},
|
||||||
},
|
},
|
||||||
|
&cli.BoolFlag{
|
||||||
|
Name: "no-dns-01",
|
||||||
|
Usage: "Always use individual certificats instead of a DNS-01 wild card certificate",
|
||||||
|
EnvVars: []string{"NO_DNS_01"},
|
||||||
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: "acme-account-config",
|
Name: "acme-account-config",
|
||||||
Usage: "json file of acme account",
|
Usage: "json file of acme account",
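Review bot: The Usage string of the new `no-dns-01` flag has a typo ("certificats") and does not tell the operator what the option costs: with it set, the main-domain branch in TLSConfig no longer substitutes the wildcard name, so each host under the main domain suffix appears to get its own ACME order on first request, which is what matters for CA rate limits. Suggest `Usage: "Always use individual certificates instead of a DNS-01 wildcard certificate for the main domain (each subdomain is issued separately)",`. The surrounding flag list continues outside the hunk.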
|
||||||
|
|
|
@ -42,5 +42,6 @@ type ACMEConfig struct {
|
||||||
EAB_HMAC string
|
EAB_HMAC string
|
||||||
EAB_KID string
|
EAB_KID string
|
||||||
DNSProvider string
|
DNSProvider string
|
||||||
|
NoDNS01 bool `default:"false"`
|
||||||
AccountConfigFile string `default:"acme-account.json"`
|
AccountConfigFile string `default:"acme-account.json"`
|
||||||
}
|
}
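Review bot: The new `NoDNS01` field has no doc comment although it switches the issuance model for the entire main domain; consider adding `// NoDNS01 disables the DNS-01 wildcard certificate for the main domain suffix; each subdomain is then issued its own certificate.` above it. The `default:"false"` tag is redundant with Go's zero value but follows the neighbouring fields' style, so keeping it is fine.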
|
||||||
|
|
|
@ -141,6 +141,9 @@ func mergeACMEConfig(ctx *cli.Context, config *ACMEConfig) {
|
||||||
if ctx.IsSet("dns-provider") {
|
if ctx.IsSet("dns-provider") {
|
||||||
config.DNSProvider = ctx.String("dns-provider")
|
config.DNSProvider = ctx.String("dns-provider")
|
||||||
}
|
}
|
||||||
|
if ctx.IsSet("no-dns-01") {
|
||||||
|
config.NoDNS01 = ctx.Bool("no-dns-01")
|
||||||
|
}
|
||||||
if ctx.IsSet("acme-account-config") {
|
if ctx.IsSet("acme-account-config") {
|
||||||
config.AccountConfigFile = ctx.String("acme-account-config")
|
config.AccountConfigFile = ctx.String("acme-account-config")
|
||||||
}
|
}
|
||||||
|
|
|
@ -166,6 +166,7 @@ func TestMergeConfigShouldReplaceAllExistingValuesGivenAllArgsExist(t *testing.T
|
||||||
EAB_HMAC: "original",
|
EAB_HMAC: "original",
|
||||||
EAB_KID: "original",
|
EAB_KID: "original",
|
||||||
DNSProvider: "original",
|
DNSProvider: "original",
|
||||||
|
NoDNS01: false,
|
||||||
AccountConfigFile: "original",
|
AccountConfigFile: "original",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -205,6 +206,7 @@ func TestMergeConfigShouldReplaceAllExistingValuesGivenAllArgsExist(t *testing.T
|
||||||
EAB_HMAC: "changed",
|
EAB_HMAC: "changed",
|
||||||
EAB_KID: "changed",
|
EAB_KID: "changed",
|
||||||
DNSProvider: "changed",
|
DNSProvider: "changed",
|
||||||
|
NoDNS01: true,
|
||||||
AccountConfigFile: "changed",
|
AccountConfigFile: "changed",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -243,6 +245,7 @@ func TestMergeConfigShouldReplaceAllExistingValuesGivenAllArgsExist(t *testing.T
|
||||||
"--acme-eab-hmac", "changed",
|
"--acme-eab-hmac", "changed",
|
||||||
"--acme-eab-kid", "changed",
|
"--acme-eab-kid", "changed",
|
||||||
"--dns-provider", "changed",
|
"--dns-provider", "changed",
|
||||||
|
"--no-dns-01",
|
||||||
"--acme-account-config", "changed",
|
"--acme-account-config", "changed",
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
@ -517,6 +520,7 @@ func TestMergeACMEConfigShouldReplaceAllExistingValuesGivenAllArgsExist(t *testi
|
||||||
EAB_HMAC: "original",
|
EAB_HMAC: "original",
|
||||||
EAB_KID: "original",
|
EAB_KID: "original",
|
||||||
DNSProvider: "original",
|
DNSProvider: "original",
|
||||||
|
NoDNS01: false,
|
||||||
AccountConfigFile: "original",
|
AccountConfigFile: "original",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -530,6 +534,7 @@ func TestMergeACMEConfigShouldReplaceAllExistingValuesGivenAllArgsExist(t *testi
|
||||||
EAB_HMAC: "changed",
|
EAB_HMAC: "changed",
|
||||||
EAB_KID: "changed",
|
EAB_KID: "changed",
|
||||||
DNSProvider: "changed",
|
DNSProvider: "changed",
|
||||||
|
NoDNS01: true,
|
||||||
AccountConfigFile: "changed",
|
AccountConfigFile: "changed",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -545,6 +550,7 @@ func TestMergeACMEConfigShouldReplaceAllExistingValuesGivenAllArgsExist(t *testi
|
||||||
"--acme-eab-hmac", "changed",
|
"--acme-eab-hmac", "changed",
|
||||||
"--acme-eab-kid", "changed",
|
"--acme-eab-kid", "changed",
|
||||||
"--dns-provider", "changed",
|
"--dns-provider", "changed",
|
||||||
|
"--no-dns-01",
|
||||||
"--acme-account-config", "changed",
|
"--acme-account-config", "changed",
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
@ -563,6 +569,7 @@ func TestMergeACMEConfigShouldReplaceOnlyOneValueExistingValueGivenOnlyOneArgExi
|
||||||
{args: []string{"--acme-eab-hmac", "changed"}, callback: func(gc *ACMEConfig) { gc.EAB_HMAC = "changed" }},
|
{args: []string{"--acme-eab-hmac", "changed"}, callback: func(gc *ACMEConfig) { gc.EAB_HMAC = "changed" }},
|
||||||
{args: []string{"--acme-eab-kid", "changed"}, callback: func(gc *ACMEConfig) { gc.EAB_KID = "changed" }},
|
{args: []string{"--acme-eab-kid", "changed"}, callback: func(gc *ACMEConfig) { gc.EAB_KID = "changed" }},
|
||||||
{args: []string{"--dns-provider", "changed"}, callback: func(gc *ACMEConfig) { gc.DNSProvider = "changed" }},
|
{args: []string{"--dns-provider", "changed"}, callback: func(gc *ACMEConfig) { gc.DNSProvider = "changed" }},
|
||||||
|
{args: []string{"--no-dns-01"}, callback: func(gc *ACMEConfig) { gc.NoDNS01 = true }},
|
||||||
{args: []string{"--acme-account-config", "changed"}, callback: func(gc *ACMEConfig) { gc.AccountConfigFile = "changed" }},
|
{args: []string{"--acme-account-config", "changed"}, callback: func(gc *ACMEConfig) { gc.AccountConfigFile = "changed" }},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -13,8 +13,8 @@ var ErrAcmeMissConfig = errors.New("ACME client has wrong config")
|
||||||
|
|
||||||
func CreateAcmeClient(cfg config.ACMEConfig, enableHTTPServer bool, challengeCache cache.ICache) (*certificates.AcmeClient, error) {
|
func CreateAcmeClient(cfg config.ACMEConfig, enableHTTPServer bool, challengeCache cache.ICache) (*certificates.AcmeClient, error) {
|
||||||
// check config
|
// check config
|
||||||
if (!cfg.AcceptTerms || cfg.DNSProvider == "") && cfg.APIEndpoint != "https://acme.mock.directory" {
|
if (!cfg.AcceptTerms || (cfg.DNSProvider == "" && !cfg.NoDNS01)) && cfg.APIEndpoint != "https://acme.mock.directory" {
|
||||||
return nil, fmt.Errorf("%w: you must set $ACME_ACCEPT_TERMS and $DNS_PROVIDER, unless $ACME_API is set to https://acme.mock.directory", ErrAcmeMissConfig)
|
return nil, fmt.Errorf("%w: you must set $ACME_ACCEPT_TERMS and $DNS_PROVIDER or $NO_DNS_01, unless $ACME_API is set to https://acme.mock.directory", ErrAcmeMissConfig)
|
||||||
}
|
}
|
||||||
if cfg.EAB_HMAC != "" && cfg.EAB_KID == "" {
|
if cfg.EAB_HMAC != "" && cfg.EAB_KID == "" {
|
||||||
return nil, fmt.Errorf("%w: ACME_EAB_HMAC also needs ACME_EAB_KID to be set", ErrAcmeMissConfig)
|
return nil, fmt.Errorf("%w: ACME_EAB_HMAC also needs ACME_EAB_KID to be set", ErrAcmeMissConfig)
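Review bot: The relaxed check now accepts `NoDNS01` with an empty `DNSProvider`, but nothing in this hunk confirms that an alternative challenge is usable in that configuration — `enableHTTPServer` is a parameter of this function, and the part of the body where the DNS-01 provider is presumably wired is outside the hunk. If that provider setup still runs unconditionally, or if the NoDNS01 path relies on HTTP-01, a server started with `NO_DNS_01=true` and no provider passes validation here and only fails at the first issuance; consider rejecting the unusable combination in this block with a message in the same `%w`-wrapped style, or at least documenting which challenge type the NoDNS01 path uses. Setting both `DNSProvider` and `NoDNS01` is also accepted silently; a log line stating which mode is active would help operators notice a mismatch.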
|
||||||
|
|
|
@ -33,6 +33,7 @@ func TLSConfig(mainDomainSuffix string,
|
||||||
firstDefaultBranch string,
|
firstDefaultBranch string,
|
||||||
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache cache.ICache,
|
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache cache.ICache,
|
||||||
certDB database.CertDB,
|
certDB database.CertDB,
|
||||||
|
noDNS01 bool,
|
||||||
) *tls.Config {
|
) *tls.Config {
|
||||||
return &tls.Config{
|
return &tls.Config{
|
||||||
// check DNS name & get certificate from Let's Encrypt
|
// check DNS name & get certificate from Let's Encrypt
|
||||||
|
@ -64,9 +65,15 @@ func TLSConfig(mainDomainSuffix string,
|
||||||
|
|
||||||
targetOwner := ""
|
targetOwner := ""
|
||||||
mayObtainCert := true
|
mayObtainCert := true
|
||||||
|
|
||||||
if strings.HasSuffix(domain, mainDomainSuffix) || strings.EqualFold(domain, mainDomainSuffix[1:]) {
|
if strings.HasSuffix(domain, mainDomainSuffix) || strings.EqualFold(domain, mainDomainSuffix[1:]) {
|
||||||
|
if noDNS01 {
|
||||||
|
//TODO check if the domain is served to avoid DOSing ourseflve
|
||||||
|
mayObtainCert = true
|
||||||
|
} else {
|
||||||
// deliver default certificate for the main domain (*.codeberg.page)
|
// deliver default certificate for the main domain (*.codeberg.page)
|
||||||
domain = mainDomainSuffix
|
domain = mainDomainSuffix
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
var targetRepo, targetBranch string
|
var targetRepo, targetBranch string
|
||||||
targetOwner, targetRepo, targetBranch = dnsutils.GetTargetFromDNS(domain, mainDomainSuffix, firstDefaultBranch, dnsLookupCache)
|
targetOwner, targetRepo, targetBranch = dnsutils.GetTargetFromDNS(domain, mainDomainSuffix, firstDefaultBranch, dnsLookupCache)
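Review bot: The `noDNS01` branch lets any TLS client that sends a server name under `mainDomainSuffix` trigger a certificate request: `mayObtainCert` is already `true` from the line above the `if`, so the assignment inside the branch is a no-op and the TODO is the only thing between an unsolicited SNI and an ACME order. That is remote-controlled, unbounded issuance — at minimum CA rate-limit exhaustion for the whole main domain — and the custom-domain branch below appears to gate on a lookup via `dnsutils.GetTargetFromDNS`, so the main-domain branch should do the equivalent (resolve the subdomain to a served owner/repo and set `mayObtainCert = false` when nothing is served) before this lands, rather than leaving a TODO. The comment also has a typo (`ourseflve`). The function continues outside the hunk.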
|
||||||
|
|
|
@ -110,6 +110,7 @@ func Serve(ctx *cli.Context) error {
|
||||||
cfg.Server.PagesBranches[0],
|
cfg.Server.PagesBranches[0],
|
||||||
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache,
|
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache,
|
||||||
certDB,
|
certDB,
|
||||||
|
cfg.ACME.NoDNS01,
|
||||||
))
|
))
|
||||||
|
|
||||||
interval := 12 * time.Hour
|
interval := 12 * time.Hour
|
||||||
|
|