fixed dns

pkg/services/ApplyCert.go

@@ -1,134 +1,139 @@
 package services
 
 import (
-	"SafelineAPI/internal/app/logger"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"github.com/go-acme/lego/v4/certcrypto"
-	"github.com/go-acme/lego/v4/certificate"
-	"github.com/go-acme/lego/v4/challenge"
-	"github.com/go-acme/lego/v4/lego"
-	"github.com/go-acme/lego/v4/registration"
-	"os"
-	"path/filepath"
+    "SafelineAPI/internal/app/logger"
+    "crypto"
+    "crypto/ecdsa"
+    "crypto/elliptic"
+    "crypto/rand"
+    "errors"
+    "os"
+    "path/filepath"
+    "strings"
+    "time"
+
+    "github.com/go-acme/lego/v4/certcrypto"
+    "github.com/go-acme/lego/v4/certificate"
+    "github.com/go-acme/lego/v4/challenge"
+    "github.com/go-acme/lego/v4/challenge/dns01"
+    "github.com/go-acme/lego/v4/lego"
+    "github.com/go-acme/lego/v4/registration"
 )
 
 type MyUser struct {
-	Email        string
-	Registration *registration.Resource
-	key          crypto.PrivateKey
+    Email        string
+    Registration *registration.Resource
+    key          crypto.PrivateKey
 }
 
-func (u *MyUser) GetEmail() string {
-	return u.Email
+func (u MyUser) GetEmail() string {
+    return u.Email
 }
 
-func (u *MyUser) GetRegistration() *registration.Resource {
-	return u.Registration
+func (u MyUser) GetRegistration() *registration.Resource {
+    return u.Registration
 }
 
-func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
-	return u.key
+func (u MyUser) GetPrivateKey() crypto.PrivateKey {
+    return u.key
 }
 
+// ApplyCert requests a certificate using DNS-01.
+// Your lego version doesn't have SetChallengePreference, so we enforce "DNS-01 only" by:
+//   1) configuring ONLY the DNS-01 provider (no HTTP-01/TLS-ALPN-01 providers anywhere)
+//   2) failing fast if the resulting error indicates an HTTP-01 attempt (so you notice another code path/version running).
 func ApplyCert(domains []string, email, dir string, provider challenge.Provider) bool {
-	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		logger.Error.Printf(
-			"Error requesting certificate for %s%s%s: %s%s%s",
-			logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
-		)
-		return true
-	}
+    privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+    if err != nil {
+        logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
 
-	myUser := MyUser{
-		Email: email,
-		key:   privateKey,
-	}
+    myUser := MyUser{
+        Email: email,
+        key:   privateKey,
+    }
 
-	config := lego.NewConfig(&myUser)
-	config.Certificate.KeyType = certcrypto.RSA2048
+    config := lego.NewConfig(&myUser)
+    config.Certificate.KeyType = certcrypto.RSA2048
 
-	client, err := lego.NewClient(config)
-	if err != nil {
-		logger.Error.Printf(
-			"Error requesting certificate for %s%s%s: %s%s%s",
-			logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
-		)
-		return true
-	}
+    client, err := lego.NewClient(config)
+    if err != nil {
+        logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
 
-	// =====================================================
-	// 🔒 FORCE DNS-01 ONLY — DISABLE ALL OTHER CHALLENGES
-	// =====================================================
-	client.Challenge.RemoveHTTP01Provider()
-	client.Challenge.RemoveTLSALPN01Provider()
+    // DNS-01 provider + force public resolvers (avoids internal/split-horizon DNS issues).
+    err = client.Challenge.SetDNS01Provider(
+        provider,
+        dns01.AddRecursiveNameservers([]string{
+            "1.1.1.1:53",
+            "8.8.8.8:53",
+        }),
+        dns01.AddDNSTimeout(180*time.Second),
+    )
+    if err != nil {
+        logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
 
-	err = client.Challenge.SetDNS01Provider(provider)
-	if err != nil {
-		logger.Error.Printf(
-			"Error requesting certificate for %s%s%s: %s%s%s",
-			logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
-		)
-		return true
-	}
+    reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+    if err != nil {
+        logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
+    myUser.Registration = reg
 
-	// =====================================================
+    request := certificate.ObtainRequest{
+        Domains: domains,
+        Bundle:  true,
+    }
 
-	reg, err := client.Registration.Register(
-		registration.RegisterOptions{TermsOfServiceAgreed: true},
-	)
-	if err != nil {
-		logger.Error.Printf(
-			"Error requesting certificate for %s%s%s: %s%s%s",
-			logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
-		)
-		return true
-	}
+    certs, err := client.Certificate.Obtain(request)
+    if err != nil {
+        // If you see HTTP-01 URLs here, it means *somewhere* HTTP-01 is still being selected,
+        // or a different binary/container/version is doing the request.
+        if looksLikeHTTP01(err) {
+            logger.Error.Printf("Certificate update failed for domain %v: %v", domains, err)
+            logger.Error.Printf("Detected HTTP-01 attempt. This should not happen when only DNS-01 is configured.")
+            logger.Error.Printf("Check for another process/binary calling lego with HTTP-01, or upgrade lego to a version that supports explicit challenge preference.")
+            return true
+        }
 
-	myUser.Registration = reg
+        logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
 
-	request := certificate.ObtainRequest{
-		Domains: domains,
-		Bundle:  true,
-	}
+    if err := os.WriteFile(filepath.Join(dir, domains[0]+".crt"), certs.Certificate, 0600); err != nil {
+        logger.Error.Printf("Error saving certificate for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
 
-	certificates, err := client.Certificate.Obtain(request)
-	if err != nil {
-		logger.Error.Printf(
-			"Error requesting certificate for %s%s%s: %s%s%s",
-			logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
-		)
-		return true
-	}
+    if err := os.WriteFile(filepath.Join(dir, domains[0]+".key"), certs.PrivateKey, 0600); err != nil {
+        logger.Error.Printf("Error saving certificate key for %s%v%s: %s%v%s",
+            logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
+        return true
+    }
 
-	err = os.WriteFile(
-		filepath.Join(dir, domains[0]+".crt"),
-		certificates.Certificate,
-		os.ModePerm,
-	)
-	if err != nil {
-		logger.Error.Printf(
-			"Error saving certificate for %s%s%s: %s%s%s",
-			logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
-		)
-		return true
-	}
-
-	err = os.WriteFile(
-		filepath.Join(dir, domains[0]+".key"),
-		certificates.PrivateKey,
-		os.ModePerm,
-	)
-	if err != nil {
-		logger.Error.Printf(
-			"Error saving certificate key for %s%s%s: %s%s%s",
-			logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
-		)
-		return true
-	}
-
-	return false
+    return false
 }
+
+func looksLikeHTTP01(err error) bool {
+    if err == nil {
+        return false
+    }
+    s := err.Error()
+    return strings.Contains(s, "/.well-known/acme-challenge/") ||
+        strings.Contains(s, "http-01") ||
+        strings.Contains(s, "Invalid response from http://")
+}
+
+// If you *can* upgrade lego, do it. Then you can explicitly prefer DNS-01 (cleanest fix).
+// In older versions, there is no SetChallengePreference on the solver manager.
+var _ = errors.New