Merge pull request 'jonne-test-no-http01' (#3) from jonne-test-no-http01 into master

Reviewed-on: #3

pkg/services/ApplyCert.go

@@ -1,83 +1,139 @@
 package services
 
 import (
-	"SafelineAPI/internal/app/logger"
+    "SafelineAPI/internal/app/logger"
-	"crypto"
+    "crypto"
-	"crypto/ecdsa"
+    "crypto/ecdsa"
-	"crypto/elliptic"
+    "crypto/elliptic"
-	"crypto/rand"
+    "crypto/rand"
-	"github.com/go-acme/lego/v4/certcrypto"
+    "errors"
-	"github.com/go-acme/lego/v4/certificate"
+    "os"
-	"github.com/go-acme/lego/v4/challenge"
+    "path/filepath"
-	"github.com/go-acme/lego/v4/lego"
+    "strings"
-	"github.com/go-acme/lego/v4/registration"
+    "time"
-	"os"
+
-	"path/filepath"
+    "github.com/go-acme/lego/v4/certcrypto"
+    "github.com/go-acme/lego/v4/certificate"
+    "github.com/go-acme/lego/v4/challenge"
+    "github.com/go-acme/lego/v4/challenge/dns01"
+    "github.com/go-acme/lego/v4/lego"
+    "github.com/go-acme/lego/v4/registration"
 )
 
 type MyUser struct {
-	Email        string
+    Email        string
-	Registration *registration.Resource
+    Registration *registration.Resource
-	key          crypto.PrivateKey
+    key          crypto.PrivateKey
 }
 
-func (u *MyUser) GetEmail() string {
+func (u MyUser) GetEmail() string {
-	return u.Email
+    return u.Email
-}
-func (u *MyUser) GetRegistration() *registration.Resource {
-	return u.Registration
-}
-func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
-	return u.key
 }
 
+func (u MyUser) GetRegistration() *registration.Resource {
+    return u.Registration
+}
+
+func (u MyUser) GetPrivateKey() crypto.PrivateKey {
+    return u.key
+}
+
+// ApplyCert requests a certificate using DNS-01.
+// Your lego version doesn't have SetChallengePreference, so we enforce "DNS-01 only" by:
+//   1) configuring ONLY the DNS-01 provider (no HTTP-01/TLS-ALPN-01 providers anywhere)
+//   2) failing fast if the resulting error indicates an HTTP-01 attempt (so you notice another code path/version running).
 func ApplyCert(domains []string, email, dir string, provider challenge.Provider) bool {
-	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+    privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
+    if err != nil {
-		logger.Error.Printf("Error requesting certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
-		return true
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
-	}
+        return true
-	myUser := MyUser{
+    }
-		Email: email,
-		key:   privateKey,
-	}
-	config := lego.NewConfig(&myUser)
-	config.Certificate.KeyType = certcrypto.RSA2048
-	client, err := lego.NewClient(config)
-	if err != nil {
-		logger.Error.Printf("Error requesting certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
-		return true
-	}
-	err = client.Challenge.SetDNS01Provider(provider)
-	if err != nil {
-		logger.Error.Printf("Error requesting certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
-		return true
-	}
 
-	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+    myUser := MyUser{
-	if err != nil {
+        Email: email,
-		logger.Error.Printf("Error requesting certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        key:   privateKey,
-		return true
+    }
-	}
+
-	myUser.Registration = reg
+    config := lego.NewConfig(&myUser)
-	request := certificate.ObtainRequest{
+    config.Certificate.KeyType = certcrypto.RSA2048
-		Domains: domains,
+
-		Bundle:  true,
+    client, err := lego.NewClient(config)
-	}
+    if err != nil {
-	certificates, err := client.Certificate.Obtain(request)
+        logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
-	if err != nil {
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
-		logger.Error.Printf("Error requesting certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
-		return true
+    }
-	}
+
-	err = os.WriteFile(filepath.Join(dir, domains[0]+".crt"), certificates.Certificate, os.ModePerm)
+    // DNS-01 provider + force public resolvers (avoids internal/split-horizon DNS issues).
-	if err != nil {
+    err = client.Challenge.SetDNS01Provider(
-		logger.Error.Printf("Error saving certificate for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        provider,
-		return true
+        dns01.AddRecursiveNameservers([]string{
-	}
+            "1.1.1.1:53",
-	err = os.WriteFile(filepath.Join(dir, domains[0]+".key"), certificates.PrivateKey, os.ModePerm)
+            "8.8.8.8:53",
-	if err != nil {
+        }),
-		logger.Error.Printf("Error saving certificate key for %s%s%s: %s%s%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        dns01.AddDNSTimeout(180*time.Second),
-		return true
+    )
-	}
+    if err != nil {
-	return false
+        logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
+
+    reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+    if err != nil {
+        logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
+    myUser.Registration = reg
+
+    request := certificate.ObtainRequest{
+        Domains: domains,
+        Bundle:  true,
+    }
+
+    certs, err := client.Certificate.Obtain(request)
+    if err != nil {
+        // If you see HTTP-01 URLs here, it means *somewhere* HTTP-01 is still being selected,
+        // or a different binary/container/version is doing the request.
+        if looksLikeHTTP01(err) {
+            logger.Error.Printf("Certificate update failed for domain %v: %v", domains, err)
+            logger.Error.Printf("Detected HTTP-01 attempt. This should not happen when only DNS-01 is configured.")
+            logger.Error.Printf("Check for another process/binary calling lego with HTTP-01, or upgrade lego to a version that supports explicit challenge preference.")
+            return true
+        }
+
+        logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
+
+    if err := os.WriteFile(filepath.Join(dir, domains[0]+".crt"), certs.Certificate, 0600); err != nil {
+        logger.Error.Printf("Error saving certificate for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
+
+    if err := os.WriteFile(filepath.Join(dir, domains[0]+".key"), certs.PrivateKey, 0600); err != nil {
+        logger.Error.Printf("Error saving certificate key for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
+
+    return false
 }
+
+func looksLikeHTTP01(err error) bool {
+    if err == nil {
+        return false
+    }
+    s := err.Error()
+    return strings.Contains(s, "/.well-known/acme-challenge/") ||
+        strings.Contains(s, "http-01") ||
+        strings.Contains(s, "Invalid response from http://")
+}
+
+// If you *can* upgrade lego, do it. Then you can explicitly prefer DNS-01 (cleanest fix).
+// In older versions, there is no SetChallengePreference on the solver manager.
+var _ = errors.New