improve
This commit is contained in:
parent
1c5561231b
commit
aa21b81586
5 changed files with 26 additions and 24 deletions
|
@ -85,11 +85,11 @@ func migrateCerts(ctx *cli.Context) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func listCerts(ctx *cli.Context) error {
|
func listCerts(ctx *cli.Context) error {
|
||||||
certDB, close, err := openCertDB(ctx)
|
certDB, closeFn, err := openCertDB(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer close()
|
defer closeFn()
|
||||||
|
|
||||||
items, err := certDB.Items(0, 0)
|
items, err := certDB.Items(0, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -115,11 +115,11 @@ func removeCert(ctx *cli.Context) error {
|
||||||
|
|
||||||
domains := ctx.Args().Slice()
|
domains := ctx.Args().Slice()
|
||||||
|
|
||||||
certDB, close, err := openCertDB(ctx)
|
certDB, closeFn, err := openCertDB(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer close()
|
defer closeFn()
|
||||||
|
|
||||||
for _, domain := range domains {
|
for _, domain := range domains {
|
||||||
fmt.Printf("Removing domain %s from the database...\n", domain)
|
fmt.Printf("Removing domain %s from the database...\n", domain)
|
||||||
|
|
|
@ -74,11 +74,11 @@ func Serve(ctx *cli.Context) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Init ssl cert database
|
// Init ssl cert database
|
||||||
certDB, close, err := openCertDB(ctx)
|
certDB, closeFn, err := openCertDB(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer close()
|
defer closeFn()
|
||||||
|
|
||||||
keyCache := cache.NewKeyValueCache()
|
keyCache := cache.NewKeyValueCache()
|
||||||
challengeCache := cache.NewKeyValueCache()
|
challengeCache := cache.NewKeyValueCache()
|
||||||
|
|
|
@ -9,7 +9,7 @@ import (
|
||||||
"codeberg.org/codeberg/pages/server/database"
|
"codeberg.org/codeberg/pages/server/database"
|
||||||
)
|
)
|
||||||
|
|
||||||
func openCertDB(ctx *cli.Context) (certDB database.CertDB, close func(), err error) {
|
func openCertDB(ctx *cli.Context) (certDB database.CertDB, closeFn func(), err error) {
|
||||||
if ctx.String("db-type") != "" {
|
if ctx.String("db-type") != "" {
|
||||||
log.Trace().Msg("use xorm mode")
|
log.Trace().Msg("use xorm mode")
|
||||||
certDB, err = database.NewXormDB(ctx.String("db-type"), ctx.String("db-conn"))
|
certDB, err = database.NewXormDB(ctx.String("db-type"), ctx.String("db-conn"))
|
||||||
|
@ -35,11 +35,11 @@ The simplest way is, to use './pages certs migrate' and set environment var DB_T
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
close = func() {
|
closeFn = func() {
|
||||||
if err := certDB.Close(); err != nil {
|
if err := certDB.Close(); err != nil {
|
||||||
log.Error().Err(err)
|
log.Error().Err(err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return certDB, close, nil
|
return certDB, closeFn, nil
|
||||||
}
|
}
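Review bot: The close callback's `log.Error().Err(err)` on the new side of the second hunk never emits anything: with zerolog, which the `log.Trace().Msg(...)` call earlier in this function suggests is in use, an event is only written once a terminal `.Msg()`/`.Send()` is called, so a failure to close the certificate database is dropped silently. Change it to `log.Error().Err(err).Msg("could not close cert database")`. This defect predates the rename, but the commit touches the line. openCertDB begins in the first hunk; the xorm branch between the two hunks is not shown.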
|
||||||
|
|
|
@ -208,7 +208,7 @@ func retrieveCertFromDB(sni, mainDomainSuffix, dnsProvider string, acmeUseRateLi
|
||||||
|
|
||||||
tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey)
|
tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
log.Error().Err(err).Msgf("could not create tlsCert from key pair: %v", res)
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: document & put into own function
|
// TODO: document & put into own function
|
||||||
|
@ -423,7 +423,7 @@ func SetupCertificates(mainDomainSuffix, dnsProvider string, acmeConfig *lego.Co
|
||||||
// getting main cert before ACME account so that we can fail here without hitting rate limits
|
// getting main cert before ACME account so that we can fail here without hitting rate limits
|
||||||
mainCertBytes, err := certDB.Get(mainDomainSuffix)
|
mainCertBytes, err := certDB.Get(mainDomainSuffix)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("cert database is not working")
|
return fmt.Errorf("cert database is not working: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
acmeClient, err = lego.NewClient(acmeConfig)
|
acmeClient, err = lego.NewClient(acmeConfig)
|
||||||
|
@ -477,7 +477,7 @@ func SetupCertificates(mainDomainSuffix, dnsProvider string, acmeConfig *lego.Co
|
||||||
func MaintainCertDB(ctx context.Context, interval time.Duration, mainDomainSuffix, dnsProvider string, acmeUseRateLimits bool, certDB database.CertDB) {
|
func MaintainCertDB(ctx context.Context, interval time.Duration, mainDomainSuffix, dnsProvider string, acmeUseRateLimits bool, certDB database.CertDB) {
|
||||||
for {
|
for {
|
||||||
// delete expired certs that will be invalid until next clean up
|
// delete expired certs that will be invalid until next clean up
|
||||||
threshold := time.Now().Add(-interval)
|
threshold := time.Now().Add(interval)
|
||||||
expiredCertCount := 0
|
expiredCertCount := 0
|
||||||
|
|
||||||
certs, err := certDB.Items(0, 0)
|
certs, err := certDB.Items(0, 0)
|
||||||
|
@ -515,15 +515,18 @@ func MaintainCertDB(ctx context.Context, interval time.Duration, mainDomainSuffi
|
||||||
log.Error().Msgf("Couldn't renew certificate for main domain %q expected main domain cert to exist, but it's missing - seems like the database is corrupted", mainDomainSuffix)
|
log.Error().Msgf("Couldn't renew certificate for main domain %q expected main domain cert to exist, but it's missing - seems like the database is corrupted", mainDomainSuffix)
|
||||||
} else {
|
} else {
|
||||||
tlsCertificates, err := certcrypto.ParsePEMBundle(res.Certificate)
|
tlsCertificates, err := certcrypto.ParsePEMBundle(res.Certificate)
|
||||||
|
if err != nil {
|
||||||
// renew main certificate 30 days before it expires
|
log.Error().Err(fmt.Errorf("could not parse cert for mainDomainSuffix: %w", err))
|
||||||
if tlsCertificates[0].NotAfter.Before(time.Now().Add(30 * 24 * time.Hour)) {
|
} else {
|
||||||
go (func() {
|
// renew main certificate 30 days before it expires
|
||||||
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + mainDomainSuffix, mainDomainSuffix[1:]}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits, certDB)
|
if tlsCertificates[0].NotAfter.Before(time.Now().Add(30 * 24 * time.Hour)) {
|
||||||
if err != nil {
|
go (func() {
|
||||||
log.Error().Err(err).Msg("Couldn't renew certificate for main domain")
|
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + mainDomainSuffix, mainDomainSuffix[1:]}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits, certDB)
|
||||||
}
|
if err != nil {
|
||||||
})()
|
log.Error().Err(err).Msg("Couldn't renew certificate for main domain")
|
||||||
|
}
|
||||||
|
})()
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
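Review bot: In the retrieveCertFromDB hunk the replacement for `panic(err)` formats `res` with `%v`; `res` is the record whose `res.PrivateKey` was passed to `tls.X509KeyPair` two lines above, so the new log line writes private-key material (and the certificate) into the log every time a malformed record is hit. Log an identifier instead, e.g. `log.Error().Err(err).Str("sni", sni).Msg("could not create tlsCert from key pair")`. After logging, the function continues with a zero-value `tlsCertificate`; what the code below does with it is outside the hunk, but unless that code treats it as missing, a corrupted DB entry now yields an unusable certificate for that SNI instead of a crash — returning an error here or falling through to re-issuance would be the safer replacement for the panic. retrieveCertFromDB starts and ends outside this hunk.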
|
||||||
|
|
||||||
|
|
|
@ -67,10 +67,9 @@ func (x xDB) Get(domain string) (*certificate.Resource, error) {
|
||||||
|
|
||||||
cert := new(Cert)
|
cert := new(Cert)
|
||||||
log.Trace().Str("domain", domain).Msg("get cert from db")
|
log.Trace().Str("domain", domain).Msg("get cert from db")
|
||||||
if _, err := x.engine.ID(domain).Get(&cert); err != nil {
|
if found, err := x.engine.ID(domain).Get(cert); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
} else if !found {
|
||||||
if cert == nil {
|
|
||||||
return nil, fmt.Errorf("%w: name='%s'", ErrNotFound, domain)
|
return nil, fmt.Errorf("%w: name='%s'", ErrNotFound, domain)
|
||||||
}
|
}
|
||||||
return cert.Raw(), nil
|
return cert.Raw(), nil
|
||||||
|
|