use self-signed cert instead of TLS-ALPN-01 when DNS not defined

2025-04-24 13:56:57 +00:00 · 2024-02-17 20:59:09 +01:00 · 2024-02-17 20:59:09 +01:00 · 8ba71e4d59
commit 8ba71e4d59
parent 62bff5d1b7
3 changed files with 11 additions and 19 deletions
--- a/server/certificates/acme_client.go
+++ b/server/certificates/acme_client.go
@ -56,11 +56,8 @@ func NewAcmeClient(cfg config.ACMEConfig, enableHTTPServer bool, challengeCache
 		log.Error().Err(err).Msg("Can't create ACME client, continuing with mock certs only")
 	} else {
 		if cfg.DNSProvider == "" {
-			// using mock server, don't use wildcard certs
-			err := mainDomainAcmeClient.Challenge.SetTLSALPN01Provider(AcmeTLSChallengeProvider{challengeCache})
-			if err != nil {
-				log.Error().Err(err).Msg("Can't create TLS-ALPN-01 provider")
-			}
+			// using mock wildcard certs
+			mainDomainAcmeClient = nil
 		} else {
 			// use DNS-Challenge https://go-acme.github.io/lego/dns/
 			provider, err := dns.NewDNSChallengeProviderByName(cfg.DNSProvider)
--- a/server/certificates/certificates.go
+++ b/server/certificates/certificates.go
@ -236,7 +236,15 @@ func (c *AcmeClient) obtainCert(acmeClient *lego.Client, domains []string, renew
 	defer c.obtainLocks.Delete(name)

 	if acmeClient == nil {
-		return mockCert(domains[0], "ACME client uninitialized. This is a server error, please report!", mainDomainSuffix, keyDatabase)
+		if useDnsProvider {
+			mock_domain := domains[0]
+			if name == mainDomainSuffix {
+				mock_domain = "*" + mainDomainSuffix
+			}
+			return mockCert(mock_domain, "DNS ACME client is not defined", mainDomainSuffix, keyDatabase)
+		} else {
+			return mockCert(domains[0], "ACME client uninitialized. This is a server error, please report!", mainDomainSuffix, keyDatabase)
+		}
 	}

 	// request actual cert
--- a/server/database/xorm.go
+++ b/server/database/xorm.go
@ -52,7 +52,6 @@ func (x xDB) Close() error {
 func (x xDB) Put(domain string, cert *certificate.Resource) error {
 	log.Trace().Str("domain", cert.Domain).Msg("inserting cert to db")

-	domain = integrationTestReplacements(domain)
 	c, err := toCert(domain, cert)
 	if err != nil {
 		return err
@ -82,7 +81,6 @@ func (x xDB) Get(domain string) (*certificate.Resource, error) {
 	if domain[:1] == "." {
 		domain = "*" + domain
 	}
-	domain = integrationTestReplacements(domain)

 	cert := new(Cert)
 	log.Trace().Str("domain", domain).Msg("get cert from db")
@ -99,7 +97,6 @@ func (x xDB) Delete(domain string) error {
 	if domain[:1] == "." {
 		domain = "*" + domain
 	}
-	domain = integrationTestReplacements(domain)

 	log.Trace().Str("domain", domain).Msg("delete cert from db")
 	_, err := x.engine.ID(domain).Delete(new(Cert))
@ -139,13 +136,3 @@ func supportedDriver(driver string) bool {
 		return false
 	}
 }
-
-// integrationTestReplacements is needed because integration tests use a single domain cert,
-// while production use a wildcard cert
-// TODO: find a better way to handle this
-func integrationTestReplacements(domainKey string) string {
-	if domainKey == "*.localhost.mock.directory" {
-		return "localhost.mock.directory"
-	}
-	return domainKey
-}