Adds custom ACME providers joohoi#310

tjmullicani · tjmullicani · commit 64147e39be17 · 2023-03-22T09:57:32.000-05:00
diff --git a/README.md b/README.md
@@ -228,7 +228,7 @@ $ dig -t txt @auth.example.org d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example
 
 ## Configuration
 
-```bash
+```toml
 [general]
 # DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
 # In this case acme-dns will error out and you will need to define the listening interface
@@ -240,7 +240,7 @@ protocol = "both"
 domain = "auth.example.org"
 # zone name server
 nsname = "auth.example.org"
-# admin email address, where @ is substituted with .
+# admin email address, where @ is substituted with .
 nsadmin = "admin.example.org"
 # predefined records served in addition to the TXT
 records = [
@@ -267,13 +267,15 @@ ip = "0.0.0.0"
 disable_registration = false
 # listen port, eg. 443 for default HTTPS
 port = "443"
-# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
+# possible values: "letsencrypt", "letsencryptstaging", "custom", "cert", "none"
 tls = "letsencryptstaging"
 # only used if tls = "cert"
 tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
 tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
-# only used if tls = "letsencrypt"
+# only used if tls = "letsencrypt", "letsencryptstaging", or "custom"
 acme_cache_dir = "api-certs"
+# only used if tls = "custom"
+acme_dir = "https://acme-v02.example.com/directory"
 # optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
 notification_email = ""
 # CORS AllowOrigins, wildcards can be used
@@ -397,4 +399,4 @@ If you have an idea for improvement, please open an new issue or feel free to wr
 
 ## License
 
-acme-dns is released under the [MIT License](http://www.opensource.org/licenses/MIT).
+acme-dns is released under the [MIT License](http://www.opensource.org/licenses/MIT).
diff --git a/config.cfg b/config.cfg
@@ -36,15 +36,17 @@ ip = "0.0.0.0"
 disable_registration = false
 # listen port, eg. 443 for default HTTPS
 port = "443"
-# possible values: "letsencrypt", "letsencryptstaging", "cert", "custom", "none"
+# possible values: "letsencrypt", "letsencryptstaging", "custom", "cert", "none"
 tls = "letsencryptstaging"
 # only used if tls = "cert"
 tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
 tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
 # only used if tls = "custom"
 acme_server = "https://my.acme.server"
-# only used if tls = "letsencrypt" or "custom"
+# only used if tls = "letsencrypt", "letsencryptstaging" or "custom"
 acme_cache_dir = "api-certs"
+# only used if tls = "custom"
+acme_dir = "https://acme-v02.example.com/directory"
 # optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
 notification_email = ""
 # CORS AllowOrigins, wildcards can be used
diff --git a/main.go b/main.go
@@ -153,15 +153,16 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer)
 	// Set up certmagic for getting certificate for acme-dns api
 	certmagic.DefaultACME.DNS01Solver = &provider
 	certmagic.DefaultACME.Agreed = true
-	if Config.API.TLS == "letsencrypt" {
+	switch config.API.TLS {
+	case TlsTypeLetsEncrypt:
 		certmagic.DefaultACME.CA = certmagic.LetsEncryptProductionCA
-	} else {
+	case TlsTypeAcmeCustom:
+		certmagic.DefaultACME.CA = config.API.ACMEDir
+	case TlsTypeLetsEncryptStaging:
+	default:
 		certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA
 	}
-	if Config.API.TLS == "custom" {
-		certmagic.DefaultACME.CA = Config.API.ACMEDomain
-	}
-	certmagic.DefaultACME.Email = Config.API.NotificationEmail
+	certmagic.DefaultACME.Email = Config.API.ACMENotificationEmail
 	magicConf := certmagic.NewDefault()
 	magicConf.Storage = &storage
 	magicConf.DefaultServerName = Config.General.Domain
@@ -174,24 +175,10 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer)
 
 	magic := certmagic.New(magicCache, *magicConf)
 	var err error
-	switch Config.API.TLS {
-	case "letsencryptstaging":
-		err = magic.ManageAsync(context.Background(), []string{Config.General.Domain})
-		if err != nil {
-			errChan <- err
-			return
-		}
-		cfg.GetCertificate = magic.GetCertificate
-
-		srv := &http.Server{
-			Addr:      host,
-			Handler:   c.Handler(api),
-			TLSConfig: cfg,
-			ErrorLog:  stdlog.New(logwriter, "", 0),
-		}
-		log.WithFields(log.Fields{"host": host, "domain": Config.General.Domain}).Info("Listening HTTPS")
-		err = srv.ListenAndServeTLS("", "")
-	case "letsencrypt", "custom":
+	switch config.API.TLS {
+	case TlsTypeLetsEncrypt:
+	case TlsTypeLetsEncryptStaging:
+	case TlsTypeAcmeCustom:
 		err = magic.ManageAsync(context.Background(), []string{Config.General.Domain})
 		if err != nil {
 			errChan <- err
@@ -206,15 +193,15 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer)
 		}
 		log.WithFields(log.Fields{"host": host, "domain": Config.General.Domain}).Info("Listening HTTPS")
 		err = srv.ListenAndServeTLS("", "")
-	case "cert":
+	case TlsTypeCert:
 		srv := &http.Server{
 			Addr:      host,
 			Handler:   c.Handler(api),
 			TLSConfig: cfg,
 			ErrorLog:  stdlog.New(logwriter, "", 0),
 		}
 		log.WithFields(log.Fields{"host": host}).Info("Listening HTTPS")
-		err = srv.ListenAndServeTLS(Config.API.TLSCertFullchain, Config.API.TLSCertPrivkey)
+		err = srv.ListenAndServeTLS(config.API.TLSCertFullchain, config.API.TLSCertPrivkey)
 	default:
 		log.WithFields(log.Fields{"host": host}).Info("Listening HTTP")
 		err = http.ListenAndServe(host, c.Handler(api))
diff --git a/types.go b/types.go
@@ -37,22 +37,30 @@ type dbsettings struct {
 	Connection string
 }
 
+const (
+	TlsTypeLetsEncrypt        = "letsencrypt"
+	TlsTypeLetsEncryptStaging = "letsencryptstaging"
+	TlsTypeAcmeCustom         = "custom"
+	TlsTypeCert               = "cert"
+	TlsTypeNone               = "none"
+)
+
 // API config
 type httpapi struct {
-	Domain              string `toml:"api_domain"`
-	IP                  string
-	DisableRegistration bool   `toml:"disable_registration"`
-	AutocertPort        string `toml:"autocert_port"`
-	Port                string `toml:"port"`
-	TLS                 string
-	TLSCertPrivkey      string `toml:"tls_cert_privkey"`
-	TLSCertFullchain    string `toml:"tls_cert_fullchain"`
-	ACMEDomain          string `toml:"acme_domain"`
-	ACMECacheDir        string `toml:"acme_cache_dir"`
-	NotificationEmail   string `toml:"notification_email"`
-	CorsOrigins         []string
-	UseHeader           bool   `toml:"use_header"`
-	HeaderName          string `toml:"header_name"`
+	Domain                string `toml:"api_domain"`
+	IP                    string
+	DisableRegistration   bool   `toml:"disable_registration"`
+	AutocertPort          string `toml:"autocert_port"`
+	Port                  string `toml:"port"`
+	TLS                   string
+	TLSCertPrivkey        string `toml:"tls_cert_privkey"`
+	TLSCertFullchain      string `toml:"tls_cert_fullchain"`
+	ACMECacheDir          string `toml:"acme_cache_dir"`
+	ACMEDir               string `toml:"acme_dir"`
+	ACMENotificationEmail string `toml:"notification_email"`
+	CorsOrigins           []string
+	UseHeader             bool   `toml:"use_header"`
+	HeaderName            string `toml:"header_name"`
 }
 
 // Logging config
@@ -64,7 +72,7 @@ type logconfig struct {
 }
 
 type acmedb struct {
-	Mutex sync.Mutex
+	sync.Mutex
 	DB *sql.DB
 }
 
@@ -77,4 +85,6 @@ type database interface {
 	GetBackend() *sql.DB
 	SetBackend(*sql.DB)
 	Close()
-}
+	Lock()
+	Unlock()
+}
