From 60f203385e6f27fae47f3cc8c5d71309f4fd88dc Mon Sep 17 00:00:00 2001
From: Cristian Le
Date: Tue, 8 Feb 2022 14:45:35 +0900
Subject: Support custom ACME provider (#18340)

* Added ACMECAURL option to support custom ACME provider. Closes #18306
* Refactor setting.go https settings, renamed options and variables, and documented app.example.ini
* Refactored runLetsEncrypt to runACME
* Improved documentation
---
 modules/setting/setting.go | 74 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 52 insertions(+), 22 deletions(-)

(limited to 'modules/setting/setting.go')

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index ee2821df07..531d265c3a 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -108,10 +108,12 @@ var (
 UnixSocketPermission uint32
 EnablePprof bool
 PprofDataPath string
- EnableLetsEncrypt bool
- LetsEncryptTOS bool
- LetsEncryptDirectory string
- LetsEncryptEmail string
+ EnableAcme bool
+ AcmeTOS bool
+ AcmeLiveDirectory string
+ AcmeEmail string
+ AcmeURL string
+ AcmeCARoot string
 SSLMinimumVersion string
 SSLMaximumVersion string
 SSLCurvePreferences []string
@@ -622,14 +624,54 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 switch protocolCfg {
 case "https":
 Protocol = HTTPS
- CertFile = sec.Key("CERT_FILE").String()
- KeyFile = sec.Key("KEY_FILE").String()
- if !filepath.IsAbs(CertFile) && len(CertFile) > 0 {
- CertFile = filepath.Join(CustomPath, CertFile)
+ // FIXME: DEPRECATED to be removed in v1.18.0
+ if sec.HasKey("ENABLE_ACME") {
+ EnableAcme = sec.Key("ENABLE_ACME").MustBool(false)
+ } else {
+ deprecatedSetting("server", "ENABLE_LETSENCRYPT", "server", "ENABLE_ACME")
+ EnableAcme = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
 }
- if !filepath.IsAbs(KeyFile) && len(KeyFile) > 0 {
- KeyFile = filepath.Join(CustomPath, KeyFile)
+ if EnableAcme {
+ AcmeURL = sec.Key("ACME_URL").MustString("")
+ AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
+ // FIXME: DEPRECATED to be removed in v1.18.0
+ if sec.HasKey("ACME_ACCEPTTOS") {
+ AcmeTOS = sec.Key("ACME_ACCEPTTOS").MustBool(false)
+ } else {
+ deprecatedSetting("server", "LETSENCRYPT_ACCEPTTOS", "server", "ACME_ACCEPTTOS")
+ AcmeTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
+ }
+ if !AcmeTOS {
+ log.Fatal("ACME TOS is not accepted (ACME_ACCEPTTOS).")
+ }
+ // FIXME: DEPRECATED to be removed in v1.18.0
+ if sec.HasKey("ACME_DIRECTORY") {
+ AcmeLiveDirectory = sec.Key("ACME_DIRECTORY").MustString("https")
+ } else {
+ deprecatedSetting("server", "LETSENCRYPT_DIRECTORY", "server", "ACME_DIRECTORY")
+ AcmeLiveDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
+ }
+ // FIXME: DEPRECATED to be removed in v1.18.0
+ if sec.HasKey("ACME_EMAIL") {
+ AcmeEmail = sec.Key("ACME_EMAIL").MustString("")
+ } else {
+ deprecatedSetting("server", "LETSENCRYPT_EMAIL", "server", "ACME_EMAIL")
+ AcmeEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
+ }
+ } else {
+ CertFile = sec.Key("CERT_FILE").String()
+ KeyFile = sec.Key("KEY_FILE").String()
+ if len(CertFile) > 0 && !filepath.IsAbs(CertFile) {
+ CertFile = filepath.Join(CustomPath, CertFile)
+ }
+ if len(KeyFile) > 0 && !filepath.IsAbs(KeyFile) {
+ KeyFile = filepath.Join(CustomPath, KeyFile)
+ }
 }
+ SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("")
+ SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("")
+ SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",")
+ SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",")
 case "fcgi":
 Protocol = FCGI
 case "fcgi+unix", "unix", "http+unix":
@@ -653,18 +695,6 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 HTTPAddr = filepath.Join(AppWorkPath, HTTPAddr)
 }
 }
- EnableLetsEncrypt = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
- LetsEncryptTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
- if !LetsEncryptTOS && EnableLetsEncrypt {
- log.Warn("Failed to enable Let's Encrypt due to Let's Encrypt TOS not being accepted")
- EnableLetsEncrypt = false
- }
- LetsEncryptDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
- LetsEncryptEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
- SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("")
- SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("")
- SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",")
- SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",")
 GracefulRestartable = sec.Key("ALLOW_GRACEFUL_RESTARTS").MustBool(true)
 GracefulHammerTime = sec.Key("GRACEFUL_HAMMER_TIME").MustDuration(60 * time.Second)
 StartupTimeout = sec.Key("STARTUP_TIMEOUT").MustDuration(0 * time.Second)
-- 
cgit v1.2.3
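Review bot: ACME_URL is stored without any validation in the `if EnableAcme` branch (`AcmeURL = sec.Key("ACME_URL").MustString("")`), so a malformed or plain-http directory URL is only discovered when the ACME client first contacts it; since the account key registration and every certificate order go to that endpoint, rejecting anything but a well-formed https:// URL at load time, next to the existing `log.Fatal` for an unaccepted TOS, keeps a misconfiguration from silently downgrading the channel. ACME_CA_ROOT, if it names a file, also lacks the `filepath.Join(CustomPath, …)` resolution that the `else` branch applies to CERT_FILE and KEY_FILE — confirm how the ACME code consumes it before adding the same treatment. Separately, the ENABLE_ACME fallback calls `deprecatedSetting("server", "ENABLE_LETSENCRYPT", …)` whenever ENABLE_ACME is absent, even when ENABLE_LETSENCRYPT is absent too, so every https deployment that never used Let's Encrypt gets a deprecation notice if that helper logs unconditionally; `} else if sec.HasKey("ENABLE_LETSENCRYPT") {` would limit it to installs that actually set the old key (the nested ACME_ACCEPTTOS/ACME_DIRECTORY/ACME_EMAIL fallbacks have the same shape but only run with ACME enabled). loadFromConf starts and ends outside the hunk; the sketch below assumes net/url is imported in setting.go.
```go
if EnableAcme {
	AcmeURL = sec.Key("ACME_URL").MustString("")
	// The ACME directory receives the account key registration and all
	// orders; accept only a well-formed https:// URL, or the empty default.
	if AcmeURL != "" {
		if u, err := url.Parse(AcmeURL); err != nil || u.Scheme != "https" || u.Host == "" {
			log.Fatal("ACME_URL must be a valid https:// directory URL")
		}
	}
	AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
	// … unchanged: ACME_ACCEPTTOS / ACME_DIRECTORY / ACME_EMAIL handling …
```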