From f96f2061ae31396e68646c9cef14616ec7d841cc Mon Sep 17 00:00:00 2001
From: Cristian Le
Date: Mon, 31 Jan 2022 12:00:30 +0900
Subject: [PATCH] Changed setting to `ACME_ACCEPTTOS` and improved CA root reading

Signed-off-by: Cristian Le
---
 cmd/web_acme.go | 35 +++++++++++++++++++++++------------
 modules/setting/setting.go | 15 ++++++++++-----
 2 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/cmd/web_acme.go b/cmd/web_acme.go
index f6f2de1660d6..9a04274db580 100644
--- a/cmd/web_acme.go
+++ b/cmd/web_acme.go
@@ -7,6 +7,7 @@ package cmd
 import (
 "crypto/x509"
 "encoding/pem"
+ "fmt"
 "net/http"
 "os"
 "strconv"
@@ -19,6 +20,24 @@ import (
 "github.com/caddyserver/certmagic"
 )
 
+func getCARoot(path string) (*x509.CertPool, error) {
+ r, err := os.ReadFile(path)
+ if err != nil {
+ return nil, err
+ }
+ block, _ := pem.Decode(r)
+ if block == nil {
+ return nil, fmt.Errorf("no PEM found in the file %s", path)
+ }
+ caRoot, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil, err
+ }
+ certPool := x509.NewCertPool()
+ certPool.AddCert(caRoot)
+ return certPool, nil
+}
+
 func runACME(listenAddr string, m http.Handler) error {
 // If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
 // Due to docker port mapping this can't be checked programmatically
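Review bot: getCARoot keeps only the first PEM block of the configured file, because `pem.Decode(r)` returns a single block and the remainder is discarded, so an ACME_CA_ROOT bundle holding a private root plus intermediates (or several roots) silently ends up as a one-certificate pool. `x509.CertPool.AppendCertsFromPEM` walks every block and adds each parsable certificate, which also removes the manual decode/parse steps; it returns false only when nothing usable was added, so a malformed block among valid ones is skipped rather than reported, which is worth stating in a doc comment. The function has no doc comment at all, and the os.ReadFile error is returned without the path, so wrapping it as `fmt.Errorf("reading ACME CA root %s: %w", path, err)` would make the warning logged by its caller self-explanatory.
```go
// getCARoot loads every PEM-encoded certificate in path into a fresh pool
// for use as the ACME client's trusted roots. Blocks that do not parse are
// skipped; an error is returned only when no certificate could be added.
func getCARoot(path string) (*x509.CertPool, error) {
	r, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading ACME CA root %s: %w", path, err)
	}
	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(r) {
		return nil, fmt.Errorf("no PEM certificate found in the file %s", path)
	}
	return certPool, nil
}
```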
@@ -40,25 +59,17 @@ func runACME(listenAddr string, m http.Handler) error {
 // Try to use private CA root if provided, otherwise defaults to system's trust
 var certPool *x509.CertPool
 if setting.AcmeCARoot != "" {
- r, err := os.ReadFile(setting.AcmeCARoot)
+ var err error
+ certPool, err = getCARoot(setting.AcmeCARoot)
 if err != nil {
- log.Warn("Failed to read CA Root certificate, using default CA trust: %v", err)
- } else {
- block, _ := pem.Decode(r)
- caRoot, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
- } else {
- certPool = x509.NewCertPool()
- certPool.AddCert(caRoot)
- }
+ log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
 }
 }
 myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
 CA: setting.AcmeURL,
 TrustedRoots: certPool,
 Email: setting.AcmeEmail,
- Agreed: setting.LetsEncryptTOS,
+ Agreed: setting.AcmeTOS,
 DisableHTTPChallenge: !enableHTTPChallenge,
 DisableTLSALPNChallenge: !enableTLSALPNChallenge,
 ListenHost: setting.HTTPAddr,
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index df0c92f7163d..d2ae789bab02 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -110,7 +110,7 @@ var (
 EnablePprof bool
 PprofDataPath string
 EnableAcme bool
- LetsEncryptTOS bool
+ AcmeTOS bool
 AcmeLiveDirectory string
 AcmeEmail string
 AcmeURL string
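Review bot: A failure to load an explicitly configured ACME_CA_ROOT is still only logged at Warn and the client proceeds with TrustedRoots nil, i.e. the system trust store, so an unreadable or malformed file silently changes which CAs the ACME account will be willing to talk to; since runACME already returns an error, `return fmt.Errorf("loading ACME CA root %s: %w", setting.AcmeCARoot, err)` in place of the log.Warn would fail fast on a misconfiguration instead of widening the trust anchors. If the best-effort fallback is deliberate, the message should not say "parse" for every failure, because getCARoot also returns read errors: `log.Warn("Failed to load CA Root certificate %s, using default CA trust: %v", setting.AcmeCARoot, err)`. The two-line `var err error` / assignment could also be written as `if p, err := getCARoot(setting.AcmeCARoot); err != nil { … } else { certPool = p }`, which keeps err scoped to the lookup. runACME begins and ends outside this hunk.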
@@ -634,10 +634,15 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 if EnableAcme {
 AcmeURL = sec.Key("ACME_URL").MustString("")
 AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
- LetsEncryptTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
- // The TOS is only required when using LetsEncrypt
- if AcmeURL == "" && !LetsEncryptTOS {
- log.Fatal("Let's Encrypt TOS (LETSENCRYPT_ACCEPTTOS) is not accepted. Either accept it or configure a different ACME provider (ACME_URL)")
+ // FIXME: DEPRECATED to be removed in v1.18.0
+ if sec.HasKey("ACME_ACCEPTTOS") {
+ AcmeTOS = sec.Key("ACME_ACCEPTTOS").MustBool(false)
+ } else {
+ deprecatedSetting("server", "LETSENCRYPT_ACCEPTTOS", "server", "ACME_ACCEPTTOS")
+ AcmeTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
+ }
+ if !AcmeTOS {
+ log.Fatal("ACME TOS is not accepted (ACME_ACCEPTTOS).")
 }
 // FIXME: DEPRECATED to be removed in v1.18.0
 if sec.HasKey("ACME_DIRECTORY") {
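Review bot: The new `if !AcmeTOS` check aborts startup for every ACME provider, whereas the removed condition only required acceptance when ACME_URL was empty (the Let's Encrypt default); that is a behaviour change beyond the rename in the subject and deserves a why-comment such as `// Every ACME CA requires agreeing to its terms of service, so this is not specific to Let's Encrypt` — and if the broadening is not intended, the `AcmeURL == ""` guard should be kept. The `// FIXME: DEPRECATED to be removed in v1.18.0` comment sits above the ACME_ACCEPTTOS branch, while the deprecated lookup is the `else` branch; placing it next to the `deprecatedSetting` call makes the removal target unambiguous. The fatal message could also tell the operator what to do: `log.Fatal("ACME TOS is not accepted (ACME_ACCEPTTOS). Set ACME_ACCEPTTOS=true in the [server] section to accept it.")`. loadFromConf begins and ends outside this hunk.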