feat: First steps towards using wildcard certificates

internal/certificates/certificate.go

@@ -38,7 +38,7 @@ func RenewCertificate(old *CertificateWrapper, acmeClient *lego.Client) (Certifi
 	}
 	wrapper := CertificateWrapper{
 		TlsCertificate:    &tlsCert,
-		Domain:            old.Domain,
+		DomainKey:         old.DomainKey,
 		NotAfter:          time.Now().Add(time.Hour * 24 * 60),
 		PrivateKeyEncoded: base64.StdEncoding.EncodeToString(new.PrivateKey),
 		Certificate:       new.Certificate,
@@ -47,7 +47,7 @@ func RenewCertificate(old *CertificateWrapper, acmeClient *lego.Client) (Certifi
 	return wrapper, nil
 }
 
-func ObtainNewCertificate(domains []string, acmeClient *lego.Client) (CertificateWrapper, error) {
+func ObtainNewCertificate(domains []string, domainKey string, acmeClient *lego.Client) (CertificateWrapper, error) {
 	req := certificate.ObtainRequest{
 		Domains: domains,
 		Bundle:  true,
@@ -64,7 +64,7 @@ func ObtainNewCertificate(domains []string, acmeClient *lego.Client) (Certificat
 
 	wrapper := CertificateWrapper{
 		TlsCertificate: &tlsCert,
-		Domain:         cert.Domain,
+		DomainKey:      domainKey,
 		//NotAfter:        tlsCert.Leaf.NotAfter,
 		NotAfter:          time.Now().Add(time.Hour * 24 * 60),
 		PrivateKeyEncoded: base64.StdEncoding.EncodeToString(cert.PrivateKey),
@@ -127,7 +127,7 @@ func MakeFallbackCertificate(pagesDomain string) (*CertificateWrapper, error) {
 	}
 	return &CertificateWrapper{
 		TlsCertificate:    &tlsCertificate,
-		Domain:            pagesDomain,
+		DomainKey:         "*." + pagesDomain,
 		NotAfter:          notAfter,
 		PrivateKeyEncoded: base64.StdEncoding.EncodeToString(certcrypto.PEMEncode(key)),
 		Certificate:       outBytes,

internal/certificates/store.go

@@ -14,12 +14,23 @@ import (
 
 // A convenience wrapper around a TLS certificate
 type CertificateWrapper struct {
-	TlsCertificate    *tls.Certificate `json:"-"`
-	Domain            string           `json:"domain"`
-	NotAfter          time.Time        `json:"not_after"`
-	PrivateKeyEncoded string           `json:"private_key"`
-	Certificate       []byte           `json:"certificate"`
-	CSR               []byte           `json:"csr"`
+	// The parsed TLS certificate we can pass to the tls listener
+	TlsCertificate *tls.Certificate `json:"-"`
+
+	// Key identifying for which domain(s) this certificate is valid.
+	DomainKey string `json:"domain"`
+
+	// Indicates at which point in time this certificate is no longer valid.
+	NotAfter time.Time `json:"not_after"`
+
+	// The encoded private key.
+	PrivateKeyEncoded string `json:"private_key"`
+
+	// The PEM-encoded certificate.
+	Certificate []byte `json:"certificate"`
+
+	// The CSR provided when we requested the certificate.
+	CSR []byte `json:"csr"`
 }
 
 // A structure to store all the certificates we know of in.
@@ -27,7 +38,7 @@ type CertificatesCache struct {
 	// The certificate to use as a fallback if all else fails.
 	FallbackCertificate *CertificateWrapper
 
-	// Mapping of domain name to certificate.
+	// Mapping of a domain's domain key to the certificate.
 	Certificates map[string]CertificateWrapper
 }
 
@@ -83,7 +94,7 @@ func (c *CertificatesCache) FlushToDisk(path string) {
 }
 
 func (c *CertificatesCache) AddCert(cert CertificateWrapper, path string) {
-	c.Certificates[cert.Domain] = cert
+	c.Certificates[cert.DomainKey] = cert
 	c.FlushToDisk(path)
 }
 
@@ -105,7 +116,7 @@ func CertificateCacheFromFile(path string) (CertificatesCache, error) {
 	certs := make(map[string]CertificateWrapper)
 	for _, cert := range store.Certificates {
 		cert.initTlsCertificate()
-		certs[cert.Domain] = cert
+		certs[cert.DomainKey] = cert
 	}
 	cache.Certificates = certs