package services import ( "SafelineAPI/internal/app/logger" "crypto" "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "errors" "os" "path/filepath" "strings" "time" "github.com/go-acme/lego/v4/certcrypto" "github.com/go-acme/lego/v4/certificate" "github.com/go-acme/lego/v4/challenge" "github.com/go-acme/lego/v4/challenge/dns01" "github.com/go-acme/lego/v4/lego" "github.com/go-acme/lego/v4/registration" ) type MyUser struct { Email string Registration *registration.Resource key crypto.PrivateKey } func (u MyUser) GetEmail() string { return u.Email } func (u MyUser) GetRegistration() *registration.Resource { return u.Registration } func (u MyUser) GetPrivateKey() crypto.PrivateKey { return u.key } // ApplyCert requests a certificate using DNS-01. // Your lego version doesn't have SetChallengePreference, so we enforce "DNS-01 only" by: // 1) configuring ONLY the DNS-01 provider (no HTTP-01/TLS-ALPN-01 providers anywhere) // 2) failing fast if the resulting error indicates an HTTP-01 attempt (so you notice another code path/version running). func ApplyCert(domains []string, email, dir string, provider challenge.Provider) bool { privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) return true } myUser := MyUser{ Email: email, key: privateKey, } config := lego.NewConfig(&myUser) config.Certificate.KeyType = certcrypto.RSA2048 client, err := lego.NewClient(config) if err != nil { logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) return true } // DNS-01 provider + force public resolvers (avoids internal/split-horizon DNS issues). err = client.Challenge.SetDNS01Provider( provider, dns01.AddRecursiveNameservers([]string{ "1.1.1.1:53", "8.8.8.8:53", }), dns01.AddDNSTimeout(180*time.Second), ) if err != nil { logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) return true } reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true}) if err != nil { logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) return true } myUser.Registration = reg request := certificate.ObtainRequest{ Domains: domains, Bundle: true, } certs, err := client.Certificate.Obtain(request) if err != nil { // If you see HTTP-01 URLs here, it means *somewhere* HTTP-01 is still being selected, // or a different binary/container/version is doing the request. if looksLikeHTTP01(err) { logger.Error.Printf("Certificate update failed for domain %v: %v", domains, err) logger.Error.Printf("Detected HTTP-01 attempt. This should not happen when only DNS-01 is configured.") logger.Error.Printf("Check for another process/binary calling lego with HTTP-01, or upgrade lego to a version that supports explicit challenge preference.") return true } logger.Error.Printf("Error requesting certificate for %s%v%s: %s%v%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) return true } if err := os.WriteFile(filepath.Join(dir, domains[0]+".crt"), certs.Certificate, 0600); err != nil { logger.Error.Printf("Error saving certificate for %s%v%s: %s%v%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) return true } if err := os.WriteFile(filepath.Join(dir, domains[0]+".key"), certs.PrivateKey, 0600); err != nil { logger.Error.Printf("Error saving certificate key for %s%v%s: %s%v%s", logger.Cyan, domains, logger.Reset, logger.Red, err, logger.Reset) return true } return false } func looksLikeHTTP01(err error) bool { if err == nil { return false } s := err.Error() return strings.Contains(s, "/.well-known/acme-challenge/") || strings.Contains(s, "http-01") || strings.Contains(s, "Invalid response from http://") } // If you *can* upgrade lego, do it. Then you can explicitly prefer DNS-01 (cleanest fix). // In older versions, there is no SetChallengePreference on the solver manager. var _ = errors.New