fixed dns
This commit is contained in:
jonne
@@ -6,13 +6,18 @@ import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"errors"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/go-acme/lego/v4/certcrypto"
|
||||
"github.com/go-acme/lego/v4/certificate"
|
||||
"github.com/go-acme/lego/v4/challenge"
|
||||
"github.com/go-acme/lego/v4/challenge/dns01"
|
||||
"github.com/go-acme/lego/v4/lego"
|
||||
"github.com/go-acme/lego/v4/registration"
|
||||
"os"
|
||||
"path/filepath"
|
||||
)
|
||||
|
||||
type MyUser struct {
|
||||
@@ -21,25 +26,27 @@ type MyUser struct {
|
||||
key crypto.PrivateKey
|
||||
}
|
||||
|
||||
func (u *MyUser) GetEmail() string {
|
||||
func (u MyUser) GetEmail() string {
|
||||
return u.Email
|
||||
}
|
||||
|
||||
func (u *MyUser) GetRegistration() *registration.Resource {
|
||||
func (u MyUser) GetRegistration() *registration.Resource {
|
||||
return u.Registration
|
||||
}
|
||||
|
||||
func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
|
||||
func (u MyUser) GetPrivateKey() crypto.PrivateKey {
|
||||
return u.key
|
||||
}
|
||||
|
||||
// ApplyCert requests a certificate using DNS-01.
|
||||
// Your lego version doesn't have SetChallengePreference, so we enforce "DNS-01 only" by:
|
||||
// 1) configuring ONLY the DNS-01 provider (no HTTP-01/TLS-ALPN-01 providers anywhere)
|
||||
// 2) failing fast if the resulting error indicates an HTTP-01 attempt (so you notice another code path/version running).
|
||||
func ApplyCert(domains []string, email, dir string, provider challenge.Provider) bool {
|
||||
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
logger.Error.Printf(
|
||||
"Error requesting certificate for %s%s%s: %s%s%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
|
||||
)
|
||||
logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
|
||||
return true
|
||||
}
|
||||
|
||||
@@ -53,41 +60,32 @@ func ApplyCert(domains []string, email, dir string, provider challenge.Provider)
|
||||
|
||||
client, err := lego.NewClient(config)
|
||||
if err != nil {
|
||||
logger.Error.Printf(
|
||||
"Error requesting certificate for %s%s%s: %s%s%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
|
||||
)
|
||||
logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
|
||||
return true
|
||||
}
|
||||
|
||||
// =====================================================
|
||||
// 🔒 FORCE DNS-01 ONLY — DISABLE ALL OTHER CHALLENGES
|
||||
// =====================================================
|
||||
client.Challenge.RemoveHTTP01Provider()
|
||||
client.Challenge.RemoveTLSALPN01Provider()
|
||||
|
||||
err = client.Challenge.SetDNS01Provider(provider)
|
||||
if err != nil {
|
||||
logger.Error.Printf(
|
||||
"Error requesting certificate for %s%s%s: %s%s%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
|
||||
)
|
||||
return true
|
||||
}
|
||||
|
||||
// =====================================================
|
||||
|
||||
reg, err := client.Registration.Register(
|
||||
registration.RegisterOptions{TermsOfServiceAgreed: true},
|
||||
// DNS-01 provider + force public resolvers (avoids internal/split-horizon DNS issues).
|
||||
err = client.Challenge.SetDNS01Provider(
|
||||
provider,
|
||||
dns01.AddRecursiveNameservers([]string{
|
||||
"1.1.1.1:53",
|
||||
"8.8.8.8:53",
|
||||
}),
|
||||
dns01.AddDNSTimeout(180*time.Second),
|
||||
)
|
||||
if err != nil {
|
||||
logger.Error.Printf(
|
||||
"Error requesting certificate for %s%s%s: %s%s%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
|
||||
)
|
||||
logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
|
||||
return true
|
||||
}
|
||||
|
||||
reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
|
||||
if err != nil {
|
||||
logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
|
||||
return true
|
||||
}
|
||||
myUser.Registration = reg
|
||||
|
||||
request := certificate.ObtainRequest{
|
||||
@@ -95,40 +93,47 @@ func ApplyCert(domains []string, email, dir string, provider challenge.Provider)
|
||||
Bundle: true,
|
||||
}
|
||||
|
||||
certificates, err := client.Certificate.Obtain(request)
|
||||
certs, err := client.Certificate.Obtain(request)
|
||||
if err != nil {
|
||||
logger.Error.Printf(
|
||||
"Error requesting certificate for %s%s%s: %s%s%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
|
||||
)
|
||||
// If you see HTTP-01 URLs here, it means *somewhere* HTTP-01 is still being selected,
|
||||
// or a different binary/container/version is doing the request.
|
||||
if looksLikeHTTP01(err) {
|
||||
logger.Error.Printf("Certificate update failed for domain %v: %v", domains, err)
|
||||
logger.Error.Printf("Detected HTTP-01 attempt. This should not happen when only DNS-01 is configured.")
|
||||
logger.Error.Printf("Check for another process/binary calling lego with HTTP-01, or upgrade lego to a version that supports explicit challenge preference.")
|
||||
return true
|
||||
}
|
||||
|
||||
err = os.WriteFile(
|
||||
filepath.Join(dir, domains[0]+".crt"),
|
||||
certificates.Certificate,
|
||||
os.ModePerm,
|
||||
)
|
||||
if err != nil {
|
||||
logger.Error.Printf(
|
||||
"Error saving certificate for %s%s%s: %s%s%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
|
||||
)
|
||||
logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
|
||||
return true
|
||||
}
|
||||
|
||||
err = os.WriteFile(
|
||||
filepath.Join(dir, domains[0]+".key"),
|
||||
certificates.PrivateKey,
|
||||
os.ModePerm,
|
||||
)
|
||||
if err != nil {
|
||||
logger.Error.Printf(
|
||||
"Error saving certificate key for %s%s%s: %s%s%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset,
|
||||
)
|
||||
if err := os.WriteFile(filepath.Join(dir, domains[0]+".crt"), certs.Certificate, 0600); err != nil {
|
||||
logger.Error.Printf("Error saving certificate for %s%v%s: %s%v%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
|
||||
return true
|
||||
}
|
||||
|
||||
if err := os.WriteFile(filepath.Join(dir, domains[0]+".key"), certs.PrivateKey, 0600); err != nil {
|
||||
logger.Error.Printf("Error saving certificate key for %s%v%s: %s%v%s",
|
||||
logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset)
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func looksLikeHTTP01(err error) bool {
|
||||
if err == nil {
|
||||
return false
|
||||
}
|
||||
s := err.Error()
|
||||
return strings.Contains(s, "/.well-known/acme-challenge/") ||
|
||||
strings.Contains(s, "http-01") ||
|
||||
strings.Contains(s, "Invalid response from http://")
|
||||
}
|
||||
|
||||
// If you *can* upgrade lego, do it. Then you can explicitly prefer DNS-01 (cleanest fix).
|
||||
// In older versions, there is no SetChallengePreference on the solver manager.
|
||||
var _ = errors.New
|
||||
|
||||
Reference in New Issue
Block a user