sam/SafelineAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

Merge pull request 'jonne-test-no-http01' (#3) from jonne-test-no-http01 into master
All checks were successful
Build and Release / build-and-release (386, linux, linux-386) (push) Successful in 1m47s
Details
Build and Release / build-and-release (386, windows, windows-386) (push) Successful in 43s
Details
Build and Release / build-and-release (amd64, linux, linux-amd64) (push) Successful in 45s
Details
Build and Release / build-and-release (amd64, windows, windows-amd64) (push) Successful in 47s
Details
Build and Release / build-and-release (arm, 7, linux, linux-armv7) (push) Successful in 50s
Details
Build and Release / build-and-release (arm64, linux, linux-arm64) (push) Successful in 50s
Details
Build and Release / build-and-release (ppc64le, linux, linux-ppc64le) (push) Successful in 57s
Details

Browse Source 
Reviewed-on: #3
This commit was merged in pull request #3.
This commit is contained in:
Sam Geyskens
2026-02-27 20:41:35 +00:00
parent 8f450aa809 da92e026f5
commit 99ada65742
1 changed files with 126 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

196
pkg/services/ApplyCert.go
View File

@@ -1,83 +1,139 @@
package services
import (
"SafelineAPI/internal/app/logger"
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"github.com/go-acme/lego/v4/certcrypto"
"github.com/go-acme/lego/v4/certificate"
"github.com/go-acme/lego/v4/challenge"
"github.com/go-acme/lego/v4/lego"
"github.com/go-acme/lego/v4/registration"
"os"
"path/filepath"
"SafelineAPI/internal/app/logger"
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"errors"
"os"
"path/filepath"
"strings"
"time"
"github.com/go-acme/lego/v4/certcrypto"
"github.com/go-acme/lego/v4/certificate"
"github.com/go-acme/lego/v4/challenge"
"github.com/go-acme/lego/v4/challenge/dns01"
"github.com/go-acme/lego/v4/lego"
"github.com/go-acme/lego/v4/registration"
)
type MyUser struct {
Email string
Registration *registration.Resource
key crypto.PrivateKey
Email string
Registration *registration.Resource
key crypto.PrivateKey
}
func (u *MyUser) GetEmail() string {
return u.Email
}
func (u *MyUser) GetRegistration() *registration.Resource {
return u.Registration
}
func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
return u.key
func (u MyUser) GetEmail() string {
return u.Email
}
func (u MyUser) GetRegistration() *registration.Resource {
return u.Registration
}
func (u MyUser) GetPrivateKey() crypto.PrivateKey {
return u.key
}
// ApplyCert requests a certificate using DNS-01.
// Your lego version doesn't have SetChallengePreference, so we enforce "DNS-01 only" by:
// 1) configuring ONLY the DNS-01 provider (no HTTP-01/TLS-ALPN-01 providers anywhere)
// 2) failing fast if the resulting error indicates an HTTP-01 attempt (so you notice another code path/version running).
func ApplyCert(domains []string, email, dir string, provider challenge.Provider) bool {
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
logger.Error.Printf("Error requesting certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
myUser := MyUser{
Email: email,
key: privateKey,
}
config := lego.NewConfig(&myUser)
config.Certificate.KeyType = certcrypto.RSA2048
client, err := lego.NewClient(config)
if err != nil {
logger.Error.Printf("Error requesting certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
err = client.Challenge.SetDNS01Provider(provider)
if err != nil {
logger.Error.Printf("Error requesting certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
if err != nil {
logger.Error.Printf("Error requesting certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
myUser.Registration = reg
request := certificate.ObtainRequest{
Domains: domains,
Bundle: true,
}
certificates, err := client.Certificate.Obtain(request)
if err != nil {
logger.Error.Printf("Error requesting certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
err = os.WriteFile(filepath.Join(dir, domains[0]+".crt"), certificates.Certificate, os.ModePerm)
if err != nil {
logger.Error.Printf("Error saving certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
err = os.WriteFile(filepath.Join(dir, domains[0]+".key"), certificates.PrivateKey, os.ModePerm)
if err != nil {
logger.Error.Printf("Error saving certificate key for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
return false
myUser := MyUser{
Email: email,
key: privateKey,
}
config := lego.NewConfig(&myUser)
config.Certificate.KeyType = certcrypto.RSA2048
client, err := lego.NewClient(config)
if err != nil {
logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
// DNS-01 provider + force public resolvers (avoids internal/split-horizon DNS issues).
err = client.Challenge.SetDNS01Provider(
provider,
dns01.AddRecursiveNameservers([]string{
"1.1.1.1:53",
"8.8.8.8:53",
}),
dns01.AddDNSTimeout(180*time.Second),
)
if err != nil {
logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
if err != nil {
logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
myUser.Registration = reg
request := certificate.ObtainRequest{
Domains: domains,
Bundle: true,
}
certs, err := client.Certificate.Obtain(request)
if err != nil {
// If you see HTTP-01 URLs here, it means *somewhere* HTTP-01 is still being selected,
// or a different binary/container/version is doing the request.
if looksLikeHTTP01(err) {
logger.Error.Printf("Certificate update failed for domain %v: %v", domains, err)
logger.Error.Printf("Detected HTTP-01 attempt. This should not happen when only DNS-01 is configured.")
logger.Error.Printf("Check for another process/binary calling lego with HTTP-01, or upgrade lego to a version that supports explicit challenge preference.")
return true
}
logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
if err := os.WriteFile(filepath.Join(dir, domains[0]+".crt"), certs.Certificate, 0600); err != nil {
logger.Error.Printf("Error saving certificate for %s%v%s: %s%v%s",
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
if err := os.WriteFile(filepath.Join(dir, domains[0]+".key"), certs.PrivateKey, 0600); err != nil {
logger.Error.Printf("Error saving certificate key for %s%v%s: %s%v%s",
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
return true
}
return false
}
func looksLikeHTTP01(err error) bool {
if err == nil {
return false
}
s := err.Error()
return strings.Contains(s, "/.well-known/acme-challenge/") ||
strings.Contains(s, "http-01") ||
strings.Contains(s, "Invalid response from http://")
}
// If you *can* upgrade lego, do it. Then you can explicitly prefer DNS-01 (cleanest fix).
// In older versions, there is no SetChallengePreference on the solver manager.
var _ = errors.New