Changed setting to ACME_ACCEPTTOS and improved CA root reading
Signed-off-by: Cristian Le <git@lecris.me>
LecrisUT committed Jan 31, 2022
1 parent 572c88a commit f96f206
Showing 2 changed files with 33 additions and 17 deletions.
35 changes: 23 additions & 12 deletions cmd/web_acme.go
Expand Up @@ -7,6 +7,7 @@ package cmd
import (
"crypto/x509"
"encoding/pem"
"fmt"
"net/http"
"os"
"strconv"
Expand All @@ -19,6 +20,24 @@ import (
"github.com/caddyserver/certmagic"
)

func getCARoot(path string) (*x509.CertPool, error) {
r, err := os.ReadFile(path)
if err != nil {
return nil, err
}
block, _ := pem.Decode(r)
if block == nil {
return nil, fmt.Errorf("no PEM found in the file %s", path)
}
caRoot, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, err
}
certPool := x509.NewCertPool()
certPool.AddCert(caRoot)
return certPool, nil
}

func runACME(listenAddr string, m http.Handler) error {
// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
// Due to docker port mapping this can't be checked programmatically
Expand All @@ -40,25 +59,17 @@ func runACME(listenAddr string, m http.Handler) error {
// Try to use private CA root if provided, otherwise defaults to system's trust
var certPool *x509.CertPool
if setting.AcmeCARoot != "" {
r, err := os.ReadFile(setting.AcmeCARoot)
var err error
certPool, err = getCARoot(setting.AcmeCARoot)
if err != nil {
log.Warn("Failed to read CA Root certificate, using default CA trust: %v", err)
} else {
block, _ := pem.Decode(r)
caRoot, err := x509.ParseCertificate(block.Bytes)
if err != nil {
log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
} else {
certPool = x509.NewCertPool()
certPool.AddCert(caRoot)
}
log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
}
}
myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
CA: setting.AcmeURL,
TrustedRoots: certPool,
Email: setting.AcmeEmail,
Agreed: setting.LetsEncryptTOS,
Agreed: setting.AcmeTOS,
DisableHTTPChallenge: !enableHTTPChallenge,
DisableTLSALPNChallenge: !enableTLSALPNChallenge,
ListenHost: setting.HTTPAddr,
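Review bot: getCARoot decodes only the first PEM block of ACME_CA_ROOT, so a file holding a chain, several trust anchors, or a leading non-certificate block (a comment or a key) yields a pool that trusts at most one certificate, or fails on a block that is not a CERTIFICATE. x509.CertPool.AppendCertsFromPEM walks every block, skips the non-certificate ones, and reports whether anything was added, which also replaces the manual pem.Decode/ParseCertificate/AddCert sequence. The os.ReadFile error is returned bare, and the single remaining log.Warn in runACME now labels a read failure as a parse failure; wrapping the error with the path keeps that warning diagnosable, which matters because a bad file silently falls back to system trust. runACME continues past the hunk; if nothing else in the file uses encoding/pem after this rewrite, that import becomes unused.
```go
func getCARoot(path string) (*x509.CertPool, error) {
	r, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading CA root %q: %w", path, err)
	}
	// AppendCertsFromPEM accepts every CERTIFICATE block in the file and
	// ignores other block types, so chains and multiple roots are trusted.
	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(r) {
		return nil, fmt.Errorf("no PEM certificate found in the file %s", path)
	}
	return certPool, nil
}
```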
15 changes: 10 additions & 5 deletions modules/setting/setting.go
Expand Up @@ -110,7 +110,7 @@ var (
EnablePprof bool
PprofDataPath string
EnableAcme bool
LetsEncryptTOS bool
AcmeTOS bool
AcmeLiveDirectory string
AcmeEmail string
AcmeURL string
Expand Down Expand Up @@ -634,10 +634,15 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
if EnableAcme {
AcmeURL = sec.Key("ACME_URL").MustString("")
AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
LetsEncryptTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
// The TOS is only required when using LetsEncrypt
if AcmeURL == "" && !LetsEncryptTOS {
log.Fatal("Let's Encrypt TOS (LETSENCRYPT_ACCEPTTOS) is not accepted. Either accept it or configure a different ACME provider (ACME_URL)")
// FIXME: DEPRECATED to be removed in v1.18.0
if sec.HasKey("ACME_ACCEPTTOS") {
AcmeTOS = sec.Key("ACME_ACCEPTTOS").MustBool(false)
} else {
deprecatedSetting("server", "LETSENCRYPT_ACCEPTTOS", "server", "ACME_ACCEPTTOS")
AcmeTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
}
if !AcmeTOS {
log.Fatal("ACME TOS is not accepted (ACME_ACCEPTTOS).")
}
// FIXME: DEPRECATED to be removed in v1.18.0
if sec.HasKey("ACME_DIRECTORY") {
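Review bot: The new log.Fatal under `if !AcmeTOS` reports only that the TOS is not accepted and drops the hint the old message carried on how to resolve it; since the check now applies to every ACME provider rather than only Let's Encrypt, the message should say so and name the fix, e.g. `log.Fatal("ACME TOS is not accepted; set ACME_ACCEPTTOS=true in the [server] section to use the configured ACME provider (ACME_URL)")`. The two `MustBool(false)` branches differ only in the key name and could be folded into a single read after choosing the key, the same shape the following ACME_DIRECTORY block appears to use. loadFromConf starts and ends outside the hunk.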
