feat: First steps towards using wildcard certificates
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
This commit is contained in:
parent
2d4ecc40cb
commit
3692168346
@ -38,7 +38,7 @@ func RenewCertificate(old *CertificateWrapper, acmeClient *lego.Client) (Certifi
|
||||
}
|
||||
wrapper := CertificateWrapper{
|
||||
TlsCertificate: &tlsCert,
|
||||
Domain: old.Domain,
|
||||
DomainKey: old.DomainKey,
|
||||
NotAfter: time.Now().Add(time.Hour * 24 * 60),
|
||||
PrivateKeyEncoded: base64.StdEncoding.EncodeToString(new.PrivateKey),
|
||||
Certificate: new.Certificate,
|
||||
@ -47,7 +47,7 @@ func RenewCertificate(old *CertificateWrapper, acmeClient *lego.Client) (Certifi
|
||||
return wrapper, nil
|
||||
}
|
||||
|
||||
func ObtainNewCertificate(domains []string, acmeClient *lego.Client) (CertificateWrapper, error) {
|
||||
func ObtainNewCertificate(domains []string, domainKey string, acmeClient *lego.Client) (CertificateWrapper, error) {
|
||||
req := certificate.ObtainRequest{
|
||||
Domains: domains,
|
||||
Bundle: true,
|
||||
@ -64,7 +64,7 @@ func ObtainNewCertificate(domains []string, acmeClient *lego.Client) (Certificat
|
||||
|
||||
wrapper := CertificateWrapper{
|
||||
TlsCertificate: &tlsCert,
|
||||
Domain: cert.Domain,
|
||||
DomainKey: domainKey,
|
||||
//NotAfter: tlsCert.Leaf.NotAfter,
|
||||
NotAfter: time.Now().Add(time.Hour * 24 * 60),
|
||||
PrivateKeyEncoded: base64.StdEncoding.EncodeToString(cert.PrivateKey),
|
||||
@ -127,7 +127,7 @@ func MakeFallbackCertificate(pagesDomain string) (*CertificateWrapper, error) {
|
||||
}
|
||||
return &CertificateWrapper{
|
||||
TlsCertificate: &tlsCertificate,
|
||||
Domain: pagesDomain,
|
||||
DomainKey: "*." + pagesDomain,
|
||||
NotAfter: notAfter,
|
||||
PrivateKeyEncoded: base64.StdEncoding.EncodeToString(certcrypto.PEMEncode(key)),
|
||||
Certificate: outBytes,
|
||||
|
@ -14,11 +14,22 @@ import (
|
||||
|
||||
// A convenience wrapper around a TLS certificate
|
||||
type CertificateWrapper struct {
|
||||
// The parsed TLS certificate we can pass to the tls listener
|
||||
TlsCertificate *tls.Certificate `json:"-"`
|
||||
Domain string `json:"domain"`
|
||||
|
||||
// Key identifying for which domain(s) this certificate is valid.
|
||||
DomainKey string `json:"domain"`
|
||||
|
||||
// Indicates at which point in time this certificate is no longer valid.
|
||||
NotAfter time.Time `json:"not_after"`
|
||||
|
||||
// The encoded private key.
|
||||
PrivateKeyEncoded string `json:"private_key"`
|
||||
|
||||
// The PEM-encoded certificate.
|
||||
Certificate []byte `json:"certificate"`
|
||||
|
||||
// The CSR provided when we requested the certificate.
|
||||
CSR []byte `json:"csr"`
|
||||
}
|
||||
|
||||
@ -27,7 +38,7 @@ type CertificatesCache struct {
|
||||
// The certificate to use as a fallback if all else fails.
|
||||
FallbackCertificate *CertificateWrapper
|
||||
|
||||
// Mapping of domain name to certificate.
|
||||
// Mapping of a domain's domain key to the certificate.
|
||||
Certificates map[string]CertificateWrapper
|
||||
}
|
||||
|
||||
@ -83,7 +94,7 @@ func (c *CertificatesCache) FlushToDisk(path string) {
|
||||
}
|
||||
|
||||
func (c *CertificatesCache) AddCert(cert CertificateWrapper, path string) {
|
||||
c.Certificates[cert.Domain] = cert
|
||||
c.Certificates[cert.DomainKey] = cert
|
||||
c.FlushToDisk(path)
|
||||
}
|
||||
|
||||
@ -105,7 +116,7 @@ func CertificateCacheFromFile(path string) (CertificatesCache, error) {
|
||||
certs := make(map[string]CertificateWrapper)
|
||||
for _, cert := range store.Certificates {
|
||||
cert.initTlsCertificate()
|
||||
certs[cert.Domain] = cert
|
||||
certs[cert.DomainKey] = cert
|
||||
}
|
||||
cache.Certificates = certs
|
||||
|
||||
|
@ -43,10 +43,30 @@ func unlockDomain(domain string) {
|
||||
delete(workingDomains, domain)
|
||||
}
|
||||
|
||||
func buildDomainList(domain, pagesDomain string) []string {
|
||||
if domain == pagesDomain || strings.HasSuffix(domain, pagesDomain) {
|
||||
return []string{
|
||||
pagesDomain,
|
||||
"*." + pagesDomain,
|
||||
}
|
||||
}
|
||||
|
||||
return []string{domain}
|
||||
}
|
||||
|
||||
func getDomainKey(domain, pagesDomain string) string {
|
||||
if domain == pagesDomain || strings.HasSuffix(domain, pagesDomain) {
|
||||
return "*." + pagesDomain
|
||||
}
|
||||
|
||||
return domain
|
||||
}
|
||||
|
||||
func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *gitea.Client) *tls.Config {
|
||||
return &tls.Config{
|
||||
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||
// Validate that we should even care about this domain
|
||||
isPagesDomain := info.ServerName == pagesDomain
|
||||
cname := ""
|
||||
if !strings.HasSuffix(info.ServerName, pagesDomain) {
|
||||
// Note: We do not check err here because err != nil
|
||||
@ -59,33 +79,27 @@ func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.Certificat
|
||||
}
|
||||
}
|
||||
|
||||
// If we want to access <user>.<pages domain>, then we can just
|
||||
// use a wildcard certificate.
|
||||
domain := info.ServerName
|
||||
/*if strings.HasSuffix(info.ServerName, pagesDomain) {
|
||||
domain = "*." + pagesDomain
|
||||
}*/
|
||||
|
||||
// Figure out a username for later username checks
|
||||
username := ""
|
||||
if cname == "" {
|
||||
// domain ends on pagesDomain
|
||||
username = strings.Split(domain, ".")[0]
|
||||
username = strings.Split(info.ServerName, ".")[0]
|
||||
} else {
|
||||
// cname ends on pagesDomain
|
||||
username = strings.Split(cname, ".")[0]
|
||||
}
|
||||
|
||||
// Find the correct certificate
|
||||
cert, found := cache.Certificates[info.ServerName]
|
||||
domainKey := getDomainKey(info.ServerName, pagesDomain)
|
||||
cert, found := cache.Certificates[domainKey]
|
||||
if found {
|
||||
if cert.IsValid() {
|
||||
return cert.TlsCertificate, nil
|
||||
} else {
|
||||
if !repo.CanRequestCertificate(username, giteaClient) {
|
||||
if !isPagesDomain && !repo.CanRequestCertificate(username, giteaClient) {
|
||||
log.Warnf(
|
||||
"Cannot renew certificate for %s because CanRequestCertificate(%s) returned false",
|
||||
domain,
|
||||
info.ServerName,
|
||||
username,
|
||||
)
|
||||
return cert.TlsCertificate, nil
|
||||
@ -93,16 +107,16 @@ func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.Certificat
|
||||
|
||||
// If we're already working on the domain,
|
||||
// return the old certificate
|
||||
if lockIfUnlockedDomain(domain) {
|
||||
if lockIfUnlockedDomain(domainKey) {
|
||||
return cert.TlsCertificate, nil
|
||||
}
|
||||
defer unlockDomain(domain)
|
||||
defer unlockDomain(domainKey)
|
||||
|
||||
// Renew the certificate
|
||||
log.Infof("Certificate for %s expired, renewing", domain)
|
||||
log.Infof("Certificate for %s expired, renewing", info.ServerName)
|
||||
newCert, err := certificates.RenewCertificate(&cert, acmeClient)
|
||||
if err != nil {
|
||||
log.Errorf("Failed to renew certificate for %s: %v", domain, err)
|
||||
log.Errorf("Failed to renew certificate for %s: %v", info.ServerName, err)
|
||||
return cert.TlsCertificate, nil
|
||||
}
|
||||
|
||||
@ -111,31 +125,33 @@ func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.Certificat
|
||||
return newCert.TlsCertificate, nil
|
||||
}
|
||||
} else {
|
||||
if !repo.CanRequestCertificate(username, giteaClient) {
|
||||
if !isPagesDomain && !repo.CanRequestCertificate(username, giteaClient) {
|
||||
log.Warnf(
|
||||
"Cannot request certificate for %s because CanRequestCertificate(%s) returned false",
|
||||
domain,
|
||||
info.ServerName,
|
||||
username,
|
||||
)
|
||||
return cache.FallbackCertificate.TlsCertificate, nil
|
||||
}
|
||||
|
||||
// Don't request if we're already requesting.
|
||||
if lockIfUnlockedDomain(domain) {
|
||||
key := getDomainKey(info.ServerName, pagesDomain)
|
||||
if lockIfUnlockedDomain(domainKey) {
|
||||
return cache.FallbackCertificate.TlsCertificate, nil
|
||||
}
|
||||
defer unlockDomain(domain)
|
||||
defer unlockDomain(key)
|
||||
|
||||
// Request new certificate
|
||||
log.Infof("Obtaining new certificate for %s...", domain)
|
||||
log.Infof("Obtaining new certificate for %s...", info.ServerName)
|
||||
cert, err := certificates.ObtainNewCertificate(
|
||||
[]string{domain},
|
||||
buildDomainList(info.ServerName, pagesDomain),
|
||||
domainKey,
|
||||
acmeClient,
|
||||
)
|
||||
if err != nil {
|
||||
log.Errorf(
|
||||
"Failed to get certificate for %s: %v",
|
||||
domain,
|
||||
info.ServerName,
|
||||
err,
|
||||
)
|
||||
return cache.FallbackCertificate.TlsCertificate, nil
|
||||
|
69
internal/server/tls_test.go
Normal file
69
internal/server/tls_test.go
Normal file
@ -0,0 +1,69 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
const (
|
||||
pagesDomain = "pages.local"
|
||||
pagesDomainWildcard = "*.pages.local"
|
||||
)
|
||||
|
||||
func equals(a, b []string) bool {
|
||||
if len(a) != len(b) {
|
||||
return false
|
||||
}
|
||||
|
||||
for i, _ := range a {
|
||||
if a[i] != b[i] {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func TestDomainListBare(t *testing.T) {
|
||||
expect := []string{pagesDomain, pagesDomainWildcard}
|
||||
res := buildDomainList(pagesDomain, pagesDomain)
|
||||
if !equals(res, expect) {
|
||||
t.Fatalf("%v != %v", res, expect)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDomainListSubdomain(t *testing.T) {
|
||||
expect := []string{pagesDomain, pagesDomainWildcard}
|
||||
res := buildDomainList("user."+pagesDomain, pagesDomain)
|
||||
if !equals(res, expect) {
|
||||
t.Fatalf("%v != %v", res, expect)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDomainListCNAME(t *testing.T) {
|
||||
expect := []string{"testdomain.example"}
|
||||
res := buildDomainList("testdomain.example", pagesDomain)
|
||||
if !equals(res, expect) {
|
||||
t.Fatalf("%v != %v", res, expect)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDomainKeyBare(t *testing.T) {
|
||||
res := getDomainKey(pagesDomain, pagesDomain)
|
||||
if res != pagesDomainWildcard {
|
||||
t.Fatalf("%s != %s", res, pagesDomainWildcard)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDomainKeySubdomain(t *testing.T) {
|
||||
res := getDomainKey("user."+pagesDomain, pagesDomain)
|
||||
if res != pagesDomainWildcard {
|
||||
t.Fatalf("%s != %s", res, pagesDomainWildcard)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDomainKeyCNAME(t *testing.T) {
|
||||
res := getDomainKey("testdomain.example", pagesDomain)
|
||||
if res != "testdomain.example" {
|
||||
t.Fatalf("%s != %s", res, "testdomain.example")
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user