Adds custom ACME providers joohoi#310
tjmullicani committed Mar 22, 2023
1 parent bb086da commit 64147e3
Showing 4 changed files with 50 additions and 49 deletions.
12 changes: 7 additions & 5 deletions README.md
Expand Up @@ -228,7 +228,7 @@ $ dig -t txt @auth.example.org d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example

## Configuration

```bash
```toml
[general]
# DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
# In this case acme-dns will error out and you will need to define the listening interface
Expand All @@ -240,7 +240,7 @@ protocol = "both"
domain = "auth.example.org"
# zone name server
nsname = "auth.example.org"
# admin email address, where @ is substituted with .
# admin email address, where @ is substituted with .
nsadmin = "admin.example.org"
# predefined records served in addition to the TXT
records = [
Expand All @@ -267,13 +267,15 @@ ip = "0.0.0.0"
disable_registration = false
# listen port, eg. 443 for default HTTPS
port = "443"
# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
# possible values: "letsencrypt", "letsencryptstaging", "custom", "cert", "none"
tls = "letsencryptstaging"
# only used if tls = "cert"
tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
# only used if tls = "letsencrypt"
# only used if tls = "letsencrypt", "letsencryptstaging", or "custom"
acme_cache_dir = "api-certs"
# only used if tls = "custom"
acme_dir = "https://acme-v02.example.com/directory"
# optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
notification_email = ""
# CORS AllowOrigins, wildcards can be used
Expand Down Expand Up @@ -397,4 +399,4 @@ If you have an idea for improvement, please open an new issue or feel free to wr

## License

acme-dns is released under the [MIT License](http://www.opensource.org/licenses/MIT).
acme-dns is released under the [MIT License](http://www.opensource.org/licenses/MIT).
6 changes: 4 additions & 2 deletions config.cfg
Expand Up @@ -36,15 +36,17 @@ ip = "0.0.0.0"
disable_registration = false
# listen port, eg. 443 for default HTTPS
port = "443"
# possible values: "letsencrypt", "letsencryptstaging", "cert", "custom", "none"
# possible values: "letsencrypt", "letsencryptstaging", "custom", "cert", "none"
tls = "letsencryptstaging"
# only used if tls = "cert"
tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
# only used if tls = "custom"
acme_server = "https://my.acme.server"
# only used if tls = "letsencrypt" or "custom"
# only used if tls = "letsencrypt", "letsencryptstaging" or "custom"
acme_cache_dir = "api-certs"
# only used if tls = "custom"
acme_dir = "https://acme-v02.example.com/directory"
# optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
notification_email = ""
# CORS AllowOrigins, wildcards can be used
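Review bot: The context lines `# only used if tls = "custom"` / `acme_server = "https://my.acme.server"` are kept while the new `acme_dir` key is added right below with the same comment, so the sample config now carries two keys that claim to be the custom-ACME directory. As far as this commit shows, the `httpapi` struct in types.go maps only `acme_dir`; `acme_server` is not bound to any field and would be silently ignored by the TOML loader. Dropping the `acme_server` pair, or replacing its comment with a note that it is obsolete, keeps the sample in step with what the code reads.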
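--- a/main.go
+++ b/main.go
@@ -153,15 +153,16 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer)
 // Set up certmagic for getting certificate for acme-dns api
 certmagic.DefaultACME.DNS01Solver = &provider
 certmagic.DefaultACME.Agreed = true
-if Config.API.TLS == "letsencrypt" {
+switch config.API.TLS {
+case TlsTypeLetsEncrypt:
 certmagic.DefaultACME.CA = certmagic.LetsEncryptProductionCA
-} else {
+case TlsTypeAcmeCustom:
+certmagic.DefaultACME.CA = config.API.ACMEDir
+case TlsTypeLetsEncryptStaging:
+default:
 certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA
 }
-if Config.API.TLS == "custom" {
-certmagic.DefaultACME.CA = Config.API.ACMEDomain
-}
-certmagic.DefaultACME.Email = Config.API.NotificationEmail
+certmagic.DefaultACME.Email = Config.API.ACMENotificationEmail
 magicConf := certmagic.NewDefault()
 magicConf.Storage = &storage
 magicConf.DefaultServerName = Config.General.Domain
@@ -174,24 +175,10 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer)
 
 magic := certmagic.New(magicCache, *magicConf)
 var err error
-switch Config.API.TLS {
-case "letsencryptstaging":
-err = magic.ManageAsync(context.Background(), []string{Config.General.Domain})
-if err != nil {
-errChan <- err
-return
-}
-cfg.GetCertificate = magic.GetCertificate
-
-srv := &http.Server{
-Addr: host,
-Handler: c.Handler(api),
-TLSConfig: cfg,
-ErrorLog: stdlog.New(logwriter, "", 0),
-}
-log.WithFields(log.Fields{"host": host, "domain": Config.General.Domain}).Info("Listening HTTPS")
-err = srv.ListenAndServeTLS("", "")
-case "letsencrypt", "custom":
+switch config.API.TLS {
+case TlsTypeLetsEncrypt:
+case TlsTypeLetsEncryptStaging:
+case TlsTypeAcmeCustom:
 err = magic.ManageAsync(context.Background(), []string{Config.General.Domain})
 if err != nil {
 errChan <- err
@@ -206,15 +193,15 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer)
 }
 log.WithFields(log.Fields{"host": host, "domain": Config.General.Domain}).Info("Listening HTTPS")
 err = srv.ListenAndServeTLS("", "")
-case "cert":
+case TlsTypeCert:
 srv := &http.Server{
 Addr: host,
 Handler: c.Handler(api),
 TLSConfig: cfg,
 ErrorLog: stdlog.New(logwriter, "", 0),
 }
 log.WithFields(log.Fields{"host": host}).Info("Listening HTTPS")
-err = srv.ListenAndServeTLS(Config.API.TLSCertFullchain, Config.API.TLSCertPrivkey)
+err = srv.ListenAndServeTLS(config.API.TLSCertFullchain, config.API.TLSCertPrivkey)
 default:
 log.WithFields(log.Fields{"host": host}).Info("Listening HTTP")
 err = http.ListenAndServe(host, c.Handler(api))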
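Review bot: Both new switch statements rely on fall-through that Go does not have, so their empty case labels silently match and do nothing: in the first hunk `case TlsTypeLetsEncryptStaging:` leaves `certmagic.DefaultACME.CA` at whatever certmagic's default is instead of the staging CA, and in the second hunk `case TlsTypeLetsEncrypt:` and `case TlsTypeLetsEncryptStaging:` skip `ManageAsync` and the HTTPS listener entirely, so in those two modes the API never starts and `err` stays nil. Merge the labels instead — `case TlsTypeLetsEncrypt, TlsTypeLetsEncryptStaging, TlsTypeAcmeCustom:` in the second switch — and in the first give staging its own `certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA` body rather than an empty label stacked above `default:`. The custom branch also hands `config.API.ACMEDir` to certmagic unchecked; an empty or non-HTTPS `acme_dir` would become the CA directory URL, so rejecting such values at startup (sending the error on `errChan`) seems worth adding. The first hunk still reads `Config.API.ACMENotificationEmail` from the global while its switch uses the `config` parameter; one of the two should be used throughout. startHTTPAPI begins before the first hunk and continues past the last.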
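--- a/types.go
+++ b/types.go
@@ -37,22 +37,30 @@ type dbsettings struct {
 Connection string
 }
 
+const (
+TlsTypeLetsEncrypt = "letsencrypt"
+TlsTypeLetsEncryptStaging = "letsencryptstaging"
+TlsTypeAcmeCustom = "custom"
+TlsTypeCert = "cert"
+TlsTypeNone = "none"
+)
+
 // API config
 type httpapi struct {
-Domain string `toml:"api_domain"`
-IP string
-DisableRegistration bool `toml:"disable_registration"`
-AutocertPort string `toml:"autocert_port"`
-Port string `toml:"port"`
-TLS string
-TLSCertPrivkey string `toml:"tls_cert_privkey"`
-TLSCertFullchain string `toml:"tls_cert_fullchain"`
-ACMEDomain string `toml:"acme_domain"`
-ACMECacheDir string `toml:"acme_cache_dir"`
-NotificationEmail string `toml:"notification_email"`
-CorsOrigins []string
-UseHeader bool `toml:"use_header"`
-HeaderName string `toml:"header_name"`
+Domain string `toml:"api_domain"`
+IP string
+DisableRegistration bool `toml:"disable_registration"`
+AutocertPort string `toml:"autocert_port"`
+Port string `toml:"port"`
+TLS string
+TLSCertPrivkey string `toml:"tls_cert_privkey"`
+TLSCertFullchain string `toml:"tls_cert_fullchain"`
+ACMECacheDir string `toml:"acme_cache_dir"`
+ACMEDir string `toml:"acme_dir"`
+ACMENotificationEmail string `toml:"notification_email"`
+CorsOrigins []string
+UseHeader bool `toml:"use_header"`
+HeaderName string `toml:"header_name"`
 }
 
 // Logging config
@@ -64,7 +72,7 @@ type logconfig struct {
 }
 
 type acmedb struct {
-Mutex sync.Mutex
+sync.Mutex
 DB *sql.DB
 }
 
@@ -77,4 +85,6 @@ type database interface {
 GetBackend() *sql.DB
 SetBackend(*sql.DB)
 Close()
-}
+Lock()
+Unlock()
+}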
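Review bot: The exported constants added in the first hunk have no doc comment and spell the initialism as `Tls`, where Go convention is `TLS` (`TLSTypeLetsEncrypt`, `TLSTypeCert`, …), which the usual lint checks flag; a one-line comment above the block such as `// Accepted values of the api.tls configuration key.` would also tell readers where the strings are compared. Nothing in this commit validates `httpapi.TLS` against these constants, so a typo in the config still silently lands in whatever `default:` branch main.go has, and a check at config-load time is where the new constants would earn their keep. The third hunk puts `Lock()` and `Unlock()` on the `database` interface, which makes the embedded `sync.Mutex` part of the public contract; if only `acmedb` itself is meant to lock, the two methods can stay off the interface.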
