From ec8c608c1c854534ef4b0ad3737a0fe2563d4d79 Mon Sep 17 00:00:00 2001
From: Samuel Nitsche
Date: Sun, 12 May 2024 12:47:52 +0200
Subject: [PATCH 1/3] wip: Use cloudflare as resolver
---
 src/utils/certificates.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/utils/certificates.go b/src/utils/certificates.go
index ca75304e..8f74301d 100644
--- a/src/utils/certificates.go
+++ b/src/utils/certificates.go
@@ -18,6 +18,7 @@ import (
 "github.com/go-acme/lego/v4/certcrypto"
 "github.com/go-acme/lego/v4/certificate"
 "github.com/go-acme/lego/v4/challenge/http01"
+ "github.com/go-acme/lego/v4/challenge/dns01"
 "github.com/go-acme/lego/v4/lego"
 "github.com/go-acme/lego/v4/registration"
 "github.com/go-acme/lego/v4/challenge/tlsalpn01"
@@ -180,7 +181,7 @@ func DoLetsEncrypt() (string, string) {
 return "", ""
 }
- err = client.Challenge.SetDNS01Provider(provider)
+ err = client.Challenge.SetDNS01Provider(provider, dns01.addRecursiveNameservers([]string{"1.1.1.1"}))
 } else {
 err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", config.HTTPConfig.HTTPPort))
 if err != nil {
From 7f9c1ce9a72e69a3182d2e93a6c4e07c7f3ae66d Mon Sep 17 00:00:00 2001
From: Samuel Nitsche
Date: Sun, 12 May 2024 13:32:47 +0200
Subject: [PATCH 2/3] Add dns challenge resolver fields
---
 client/src/api/demo.config.json | 1 +
 client/src/pages/config/users/configman.jsx | 16 ++++++++++++++++
 client/src/pages/newInstall/newInstall.jsx | 8 ++++++++
 src/newInstall.go | 2 ++
 src/utils/certificates.go | 9 ++++++++-
 src/utils/types.go | 1 +
 6 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/client/src/api/demo.config.json b/client/src/api/demo.config.json
index 96878546..b7814042 100644
--- a/client/src/api/demo.config.json
+++ b/client/src/api/demo.config.json
@@ -13,6 +13,7 @@
 "GenerateMissingAuthCert": true,
 "HTTPSCertificateMode": "LETSENCRYPT",
 "DNSChallengeProvider": "",
+ "DNSChallengeResolver": "",
 "HTTPPort": "80",
 "HTTPSPort": "443",
 "ProxyConfig": {
diff --git a/client/src/pages/config/users/configman.jsx b/client/src/pages/config/users/configman.jsx index 36b78d82..0ab3fad4 100644 --- a/client/src/pages/config/users/configman.jsx +++ b/client/src/pages/config/users/configman.jsx @@ -102,6 +102,7 @@ const ConfigManagement = () => { UseWildcardCertificate: config.HTTPConfig.UseWildcardCertificate, HTTPSCertificateMode: config.HTTPConfig.HTTPSCertificateMode, DNSChallengeProvider: config.HTTPConfig.DNSChallengeProvider, + DNSChallengeResolver: config.HTTPConfig.DNSChallengeResolver, DNSChallengeConfig: config.HTTPConfig.DNSChallengeConfig, ForceHTTPSCertificateRenewal: config.HTTPConfig.ForceHTTPSCertificateRenewal, OverrideWildcardDomains: config.HTTPConfig.OverrideWildcardDomains, @@ -185,6 +186,7 @@ const ConfigManagement = () => { UseWildcardCertificate: values.UseWildcardCertificate, HTTPSCertificateMode: values.HTTPSCertificateMode, DNSChallengeProvider: values.DNSChallengeProvider, + DNSChallengeResolver: values.DNSChallengeResolver, DNSChallengeConfig: values.DNSChallengeConfig, ForceHTTPSCertificateRenewal: values.ForceHTTPSCertificateRenewal, OverrideWildcardDomains: values.OverrideWildcardDomains.replace(/\s/g, ''), @@ -811,6 +813,20 @@ const ConfigManagement = () => { /> ) } + + + {formik.values.HTTPSCertificateMode === "LETSENCRYPT" && ( + { + formik.setFieldValue("ForceHTTPSCertificateRenewal", true); + }} + label="DNS Server to use when resolving the letsencrypt challenge" + name="DNSChallengeResolver" + configName="DNSChallengeResolver" + formik={formik} + /> + ) + } { formik.values.HTTPSCertificateMode === "LETSENCRYPT" && ( diff --git a/client/src/pages/newInstall/newInstall.jsx b/client/src/pages/newInstall/newInstall.jsx index e1e7de65..5c8893d9 100644 --- a/client/src/pages/newInstall/newInstall.jsx +++ b/client/src/pages/newInstall/newInstall.jsx 
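Review bot: The submitted value is passed through untrimmed at `DNSChallengeResolver: values.DNSChallengeResolver,` in the @@ -185 hunk, while `OverrideWildcardDomains` two lines below strips whitespace with `.replace(/\s/g, '')`. The Go side of this series splits the string on commas only, so typing `1.1.1.1, 8.8.8.8` into the new field produces a second nameserver entry that begins with a space. Applying the same normalisation here, `DNSChallengeResolver: values.DNSChallengeResolver.replace(/\s/g, ''),`, keeps the two comma-separated settings consistent. The field's `label` in the @@ -811 hunk is singular ("DNS Server to use…"); saying that a comma-separated list is accepted would tell the user what the backend actually parses.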
@@ -296,6 +296,7 @@ const NewInstall = () => { HTTPSCertificateMode: "", UseWildcardCertificate: false, DNSChallengeProvider: '', + DNSChallengeResolver: '', DNSChallengeConfig: {}, allowHTTPLocalIPAccess: false, __success: false, @@ -332,6 +333,7 @@ const NewInstall = () => { TLSCert: values.HTTPSCertificateMode === "PROVIDED" ? values.TLSCert : '', Hostname: values.Hostname, DNSChallengeProvider: values.DNSChallengeProvider, + DNSChallengeResolver: values.DNSChallengeResolver, DNSChallengeConfig: values.DNSChallengeConfig, allowHTTPLocalIPAccess: values.allowHTTPLocalIPAccess, }); @@ -389,6 +391,12 @@ const NewInstall = () => { placeholder={"email@domain.com"} formik={formik} /> + {formik.values.DNSChallengeProvider && formik.values.DNSChallengeProvider != '' && ( You have enabled the DNS challenge. Make sure you have set the environment variables for your DNS provider. diff --git a/src/newInstall.go b/src/newInstall.go index 0503699d..d8e206f5 100644 --- a/src/newInstall.go +++ b/src/newInstall.go @@ -34,6 +34,7 @@ type NewInstallJSON struct { SSLEmail string `json:"sslEmail",validate:"omitempty,email"` UseWildcardCertificate bool `json:"useWildcardCertificate",validate:"omitempty"` DNSChallengeProvider string `json:"dnsChallengeProvider",validate:"omitempty"` + DNSChallengeResolver string `json:"dnsChallengeResolver",validate:"omitempty"` DNSChallengeConfig map[string]string AllowHTTPLocalIPAccess bool `json:"allowHTTPLocalIPAccess",validate:"omitempty"` } 
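Review bot: In the @@ -332 hunk `DNSChallengeResolver: values.DNSChallengeResolver,` forwards the install-form text verbatim, with no trimming of spaces around the commas that the backend later splits on; `DNSChallengeResolver: values.DNSChallengeResolver.replace(/\s/g, ''),` would match what the config page does for its other list-valued field. The @@ -389 hunk that presumably adds the input itself has lost its added lines in this rendering, so the new field's label and placeholder could not be reviewed.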
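Review bot: The new tag `json:"dnsChallengeResolver",validate:"omitempty"` joins the two keys with a comma, which `reflect.StructTag` does not treat as a separator: the `json` key is still found, but the validator key is parsed as `,validate` and whatever reads the `validate` tag never sees it (`go vet`'s structtag check flags exactly this). The neighbouring fields in the hunk carry the same pattern, so it is inherited rather than introduced, but the new line is the place to stop propagating it: `DNSChallengeResolver string \`json:"dnsChallengeResolver" validate:"omitempty"\``. Nothing in this hunk constrains the value to a list of resolver addresses, and the @@ -128 hunk below copies it into the config unchanged, so a malformed entry only surfaces later when certificate issuance runs; a `validate` rule on this field (and the other fields once the comma is fixed) would reject it at the request boundary instead. The NewInstallJSON struct starts above this hunk.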
@@ -128,6 +129,7 @@ func NewInstallRoute(w http.ResponseWriter, req *http.Request) {
 newConfig.HTTPConfig.SSLEmail = request.SSLEmail
 newConfig.HTTPConfig.UseWildcardCertificate = request.UseWildcardCertificate
 newConfig.HTTPConfig.DNSChallengeProvider = request.DNSChallengeProvider
+ newConfig.HTTPConfig.DNSChallengeResolver = request.DNSChallengeResolver
 newConfig.HTTPConfig.DNSChallengeConfig = request.DNSChallengeConfig
 newConfig.HTTPConfig.TLSCert = request.TLSCert
 newConfig.HTTPConfig.TLSKey = request.TLSKey
diff --git a/src/utils/certificates.go b/src/utils/certificates.go
index 8f74301d..ef56a876 100644
--- a/src/utils/certificates.go
+++ b/src/utils/certificates.go
@@ -14,6 +14,7 @@ import (
 "crypto/ecdsa"
 "crypto/elliptic"
 "os"
+ "strings"
 "github.com/go-acme/lego/v4/certcrypto"
 "github.com/go-acme/lego/v4/certificate"
@@ -181,7 +182,13 @@ func DoLetsEncrypt() (string, string) {
 return "", ""
 }
- err = client.Challenge.SetDNS01Provider(provider, dns01.addRecursiveNameservers([]string{"1.1.1.1"}))
+ if config.HTTPConfig.DNSChallengeResolver != "" {
+ // Split DNSChallengeResolver by commas to support multiple DNS servers
+ resolvers := strings.Split(config.HTTPConfig.DNSChallengeResolver, ",")
+ err = client.Challenge.SetDNS01Provider(provider, dns01.AddRecursiveNameservers(resolvers))
+ } else {
+ err = client.Challenge.SetDNS01Provider(provider)
+ }
 } else {
 err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", config.HTTPConfig.HTTPPort))
 if err != nil {
diff --git a/src/utils/types.go b/src/utils/types.go
index 4198b143..79893367 100644
--- a/src/utils/types.go
+++ b/src/utils/types.go
@@ -156,6 +156,7 @@ type HTTPConfig struct {
 GenerateMissingAuthCert bool
 HTTPSCertificateMode string
 DNSChallengeProvider string
+ DNSChallengeResolver string
 ForceHTTPSCertificateRenewal bool
 HTTPPort string `validate:"required,containsany=0123456789,min=1,max=6"`
 HTTPSPort string `validate:"required,containsany=0123456789,min=1,max=6"`
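Review bot: `strings.Split(config.HTTPConfig.DNSChallengeResolver, ",")` keeps whatever surrounds each comma, so `1.1.1.1, 8.8.8.8` yields a second entry with a leading space and a trailing comma yields an empty string, and both go to `dns01.AddRecursiveNameservers` unchanged; `resolvers := strings.Fields(strings.ReplaceAll(config.HTTPConfig.DNSChallengeResolver, ",", " "))` drops the whitespace and the empty entries using only the `strings` import this commit already adds. Separately, `err` from both `SetDNS01Provider` calls is assigned but never checked inside the DNS branch, whereas the HTTP branch on the following lines checks it immediately; unless a check follows the outer `if`/`else` (not visible here), a provider setup failure is silently carried forward. The comment above the split is also worth extending: as I read lego's dns01 options, these resolvers only steer lego's own propagation pre-check, while the ACME CA still resolves the `_acme-challenge` TXT record with its own resolvers, so the setting cannot weaken validation — `// Resolvers used only for lego's local propagation check; the CA validates with its own resolvers`. DoLetsEncrypt starts and ends outside this hunk.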
From 35756d132b6c6e34b8ecab3b26c9b0f88b4c1631 Mon Sep 17 00:00:00 2001
From: Samuel Nitsche
Date: Sun, 12 May 2024 13:53:17 +0200
Subject: [PATCH 3/3] Updated .clabot
---
 .clabot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.clabot b/.clabot
index 7526e4d1..f2c5e0f9 100644
--- a/.clabot
+++ b/.clabot
@@ -1,4 +1,4 @@
 {
- "contributors": ["azukaar", "jwr1", "Jogai", "InterN0te", "catmandx", "revam", "Kawanaao", "davis4acca", "george-radu-cs"],
+ "contributors": ["azukaar", "jwr1", "Jogai", "InterN0te", "catmandx", "revam", "Kawanaao", "davis4acca", "george-radu-cs", "SamuelNitsche"],
 "message": "We require contributors to sign our [Contributor License Agreement](https://github.com/azukaar/Cosmos-Server/blob/master/cla.md). In order for us to review and merge your code, add yourself to the .clabot file as contributor, as a way of signing the CLA."
 }