From da92e026f5b36ba728754655b6b9e02071fab56a Mon Sep 17 00:00:00 2001 From: jonne Date: Fri, 27 Feb 2026 21:32:03 +0100 Subject: [PATCH] fixed dns --- pkg/services/ApplyCert.go | 219 +++++++++++++++++++------------------- 1 file changed, 112 insertions(+), 107 deletions(-) diff --git a/pkg/services/ApplyCert.go b/pkg/services/ApplyCert.go index a4588a0..47cafad 100644 --- a/pkg/services/ApplyCert.go +++ b/pkg/services/ApplyCert.go @@ -1,134 +1,139 @@ package services import ( - "SafelineAPI/internal/app/logger" - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rand" - "github.com/go-acme/lego/v4/certcrypto" - "github.com/go-acme/lego/v4/certificate" - "github.com/go-acme/lego/v4/challenge" - "github.com/go-acme/lego/v4/lego" - "github.com/go-acme/lego/v4/registration" - "os" - "path/filepath" + "SafelineAPI/internal/app/logger" + "crypto" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "errors" + "os" + "path/filepath" + "strings" + "time" + + "github.com/go-acme/lego/v4/certcrypto" + "github.com/go-acme/lego/v4/certificate" + "github.com/go-acme/lego/v4/challenge" + "github.com/go-acme/lego/v4/challenge/dns01" + "github.com/go-acme/lego/v4/lego" + "github.com/go-acme/lego/v4/registration" ) type MyUser struct { - Email string - Registration *registration.Resource - key crypto.PrivateKey + Email string + Registration *registration.Resource + key crypto.PrivateKey } -func (u *MyUser) GetEmail() string { - return u.Email +func (u MyUser) GetEmail() string { + return u.Email } -func (u *MyUser) GetRegistration() *registration.Resource { - return u.Registration +func (u MyUser) GetRegistration() *registration.Resource { + return u.Registration } -func (u *MyUser) GetPrivateKey() crypto.PrivateKey { - return u.key +func (u MyUser) GetPrivateKey() crypto.PrivateKey { + return u.key } +// ApplyCert requests a certificate using DNS-01. +// Your lego version doesn't have SetChallengePreference, so we enforce "DNS-01 only" by: +// 1) configuring ONLY the DNS-01 provider (no HTTP-01/TLS-ALPN-01 providers anywhere) +// 2) failing fast if the resulting error indicates an HTTP-01 attempt (so you notice another code path/version running). func ApplyCert(domains []string, email, dir string, provider challenge.Provider) bool { - privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) - if err != nil { - logger.Error.Printf( - "Error requesting certificate for %s%s%s: %s%s%s", - logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset, - ) - return true - } + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s", + logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) + return true + } - myUser := MyUser{ - Email: email, - key: privateKey, - } + myUser := MyUser{ + Email: email, + key: privateKey, + } - config := lego.NewConfig(&myUser) - config.Certificate.KeyType = certcrypto.RSA2048 + config := lego.NewConfig(&myUser) + config.Certificate.KeyType = certcrypto.RSA2048 - client, err := lego.NewClient(config) - if err != nil { - logger.Error.Printf( - "Error requesting certificate for %s%s%s: %s%s%s", - logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset, - ) - return true - } + client, err := lego.NewClient(config) + if err != nil { + logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s", + logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) + return true + } - // ===================================================== - // 🔒 FORCE DNS-01 ONLY — DISABLE ALL OTHER CHALLENGES - // ===================================================== - client.Challenge.RemoveHTTP01Provider() - client.Challenge.RemoveTLSALPN01Provider() + // DNS-01 provider + force public resolvers (avoids internal/split-horizon DNS issues). + err = client.Challenge.SetDNS01Provider( + provider, + dns01.AddRecursiveNameservers([]string{ + "1.1.1.1:53", + "8.8.8.8:53", + }), + dns01.AddDNSTimeout(180*time.Second), + ) + if err != nil { + logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s", + logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) + return true + } - err = client.Challenge.SetDNS01Provider(provider) - if err != nil { - logger.Error.Printf( - "Error requesting certificate for %s%s%s: %s%s%s", - logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset, - ) - return true - } + reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true}) + if err != nil { + logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s", + logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) + return true + } + myUser.Registration = reg - // ===================================================== + request := certificate.ObtainRequest{ + Domains: domains, + Bundle: true, + } - reg, err := client.Registration.Register( - registration.RegisterOptions{TermsOfServiceAgreed: true}, - ) - if err != nil { - logger.Error.Printf( - "Error requesting certificate for %s%s%s: %s%s%s", - logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset, - ) - return true - } + certs, err := client.Certificate.Obtain(request) + if err != nil { + // If you see HTTP-01 URLs here, it means *somewhere* HTTP-01 is still being selected, + // or a different binary/container/version is doing the request. + if looksLikeHTTP01(err) { + logger.Error.Printf("Certificate update failed for domain %v: %v", domains, err) + logger.Error.Printf("Detected HTTP-01 attempt. This should not happen when only DNS-01 is configured.") + logger.Error.Printf("Check for another process/binary calling lego with HTTP-01, or upgrade lego to a version that supports explicit challenge preference.") + return true + } - myUser.Registration = reg + logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s", + logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) + return true + } - request := certificate.ObtainRequest{ - Domains: domains, - Bundle: true, - } + if err := os.WriteFile(filepath.Join(dir, domains[0]+".crt"), certs.Certificate, 0600); err != nil { + logger.Error.Printf("Error saving certificate for %s%v%s: %s%v%s", + logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) + return true + } - certificates, err := client.Certificate.Obtain(request) - if err != nil { - logger.Error.Printf( - "Error requesting certificate for %s%s%s: %s%s%s", - logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset, - ) - return true - } + if err := os.WriteFile(filepath.Join(dir, domains[0]+".key"), certs.PrivateKey, 0600); err != nil { + logger.Error.Printf("Error saving certificate key for %s%v%s: %s%v%s", + logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) + return true + } - err = os.WriteFile( - filepath.Join(dir, domains[0]+".crt"), - certificates.Certificate, - os.ModePerm, - ) - if err != nil { - logger.Error.Printf( - "Error saving certificate for %s%s%s: %s%s%s", - logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset, - ) - return true - } - - err = os.WriteFile( - filepath.Join(dir, domains[0]+".key"), - certificates.PrivateKey, - os.ModePerm, - ) - if err != nil { - logger.Error.Printf( - "Error saving certificate key for %s%s%s: %s%s%s", - logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset, - ) - return true - } - - return false + return false } + +func looksLikeHTTP01(err error) bool { + if err == nil { + return false + } + s := err.Error() + return strings.Contains(s, "/.well-known/acme-challenge/") || + strings.Contains(s, "http-01") || + strings.Contains(s, "Invalid response from http://") +} + +// If you *can* upgrade lego, do it. Then you can explicitly prefer DNS-01 (cleanest fix). +// In older versions, there is no SetChallengePreference on the solver manager. +var _ = errors.New