Adds custom ACME providers

Ports joohoi#283

Author: t0xicCode

config.cfg

@@ -36,13 +36,15 @@ ip = "0.0.0.0"
 disable_registration = false
 # listen port, eg. 443 for default HTTPS
 port = "443"
-# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
+# possible values: "letsencrypt", "letsencryptstaging", "custom", "cert", "none"
 tls = "letsencryptstaging"
 # only used if tls = "cert"
 tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
 tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
-# only used if tls = "letsencrypt"
+# only used if tls = "letsencrypt", "letsencryptstaging", or "custom"
 acme_cache_dir = "api-certs"
+# only used if tls = "custom"
+acme_dir = "https://acme-v02.example.com/directory"
 # optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
 notification_email = ""
 # CORS AllowOrigins, wildcards can be used

main.go

@@ -114,42 +114,47 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer)
 
 	api := httprouter.New()
 	c := cors.New(cors.Options{
-		AllowedOrigins:     Config.API.CorsOrigins,
+		AllowedOrigins:     config.API.CorsOrigins,
 		AllowedMethods:     []string{"GET", "POST"},
 		OptionsPassthrough: false,
-		Debug:              Config.General.Debug,
+		Debug:              config.General.Debug,
 	})
-	if Config.General.Debug {
+	if config.General.Debug {
 		// Logwriter for saner log output
 		c.Log = stdlog.New(logwriter, "", 0)
 	}
-	if !Config.API.DisableRegistration {
+	if !config.API.DisableRegistration {
 		api.POST("/register", webRegisterPost)
 	}
 	api.POST("/update", Auth(webUpdatePost))
 	api.GET("/health", healthCheck)
 
-	host := Config.API.IP + ":" + Config.API.Port
+	host := config.API.IP + ":" + config.API.Port
 
 	// TLS specific general settings
 	cfg := &tls.Config{
 		MinVersion: tls.VersionTLS12,
 	}
 	provider := NewChallengeProvider(dnsservers)
-	storage := certmagic.FileStorage{Path: Config.API.ACMECacheDir}
+	storage := certmagic.FileStorage{Path: config.API.ACMECacheDir}
 
 	// Set up certmagic for getting certificate for acme-dns api
 	certmagic.DefaultACME.DNS01Solver = &provider
 	certmagic.DefaultACME.Agreed = true
-	if Config.API.TLS == "letsencrypt" {
+	switch config.API.TLS {
+	case TlsTypeLetsEncrypt:
 		certmagic.DefaultACME.CA = certmagic.LetsEncryptProductionCA
-	} else {
+	case TlsTypeAcmeCustom:
+		certmagic.DefaultACME.CA = config.API.ACMEDir
+	case TlsTypeLetsEncryptStaging:
+	default:
 		certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA
+
 	}
-	certmagic.DefaultACME.Email = Config.API.NotificationEmail
+	certmagic.DefaultACME.Email = config.API.ACMENotificationEmail
 	magicConf := certmagic.NewDefault()
 	magicConf.Storage = &storage
-	magicConf.DefaultServerName = Config.General.Domain
+	magicConf.DefaultServerName = config.General.Domain
 
 	magicCache := certmagic.NewCache(certmagic.CacheOptions{
 		GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
@@ -159,25 +164,11 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer)
 
 	magic := certmagic.New(magicCache, *magicConf)
 	var err error
-	switch Config.API.TLS {
-	case "letsencryptstaging":
-		err = magic.ManageAsync(context.Background(), []string{Config.General.Domain})
-		if err != nil {
-			errChan <- err
-			return
-		}
-		cfg.GetCertificate = magic.GetCertificate
-
-		srv := &http.Server{
-			Addr:      host,
-			Handler:   c.Handler(api),
-			TLSConfig: cfg,
-			ErrorLog:  stdlog.New(logwriter, "", 0),
-		}
-		log.WithFields(log.Fields{"host": host, "domain": Config.General.Domain}).Info("Listening HTTPS")
-		err = srv.ListenAndServeTLS("", "")
-	case "letsencrypt":
-		err = magic.ManageAsync(context.Background(), []string{Config.General.Domain})
+	switch config.API.TLS {
+	case TlsTypeLetsEncrypt:
+	case TlsTypeLetsEncryptStaging:
+	case TlsTypeAcmeCustom:
+		err = magic.ManageAsync(context.Background(), []string{config.General.Domain})
 		if err != nil {
 			errChan <- err
 			return
@@ -189,17 +180,17 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer)
 			TLSConfig: cfg,
 			ErrorLog:  stdlog.New(logwriter, "", 0),
 		}
-		log.WithFields(log.Fields{"host": host, "domain": Config.General.Domain}).Info("Listening HTTPS")
+		log.WithFields(log.Fields{"host": host, "domain": config.General.Domain}).Info("Listening HTTPS")
 		err = srv.ListenAndServeTLS("", "")
-	case "cert":
+	case TlsTypeCert:
 		srv := &http.Server{
 			Addr:      host,
 			Handler:   c.Handler(api),
 			TLSConfig: cfg,
 			ErrorLog:  stdlog.New(logwriter, "", 0),
 		}
 		log.WithFields(log.Fields{"host": host}).Info("Listening HTTPS")
-		err = srv.ListenAndServeTLS(Config.API.TLSCertFullchain, Config.API.TLSCertPrivkey)
+		err = srv.ListenAndServeTLS(config.API.TLSCertFullchain, config.API.TLSCertPrivkey)
 	default:
 		log.WithFields(log.Fields{"host": host}).Info("Listening HTTP")
 		err = http.ListenAndServe(host, c.Handler(api))

types.go

@@ -37,21 +37,30 @@ type dbsettings struct {
 	Connection string
 }
 
+const (
+	TlsTypeLetsEncrypt        = "letsencrypt"
+	TlsTypeLetsEncryptStaging = "letsencryptstaging"
+	TlsTypeAcmeCustom         = "custom"
+	TlsTypeCert               = "cert"
+	TlsTypeNone               = "none"
+)
+
 // API config
 type httpapi struct {
-	Domain              string `toml:"api_domain"`
-	IP                  string
-	DisableRegistration bool   `toml:"disable_registration"`
-	AutocertPort        string `toml:"autocert_port"`
-	Port                string `toml:"port"`
-	TLS                 string
-	TLSCertPrivkey      string `toml:"tls_cert_privkey"`
-	TLSCertFullchain    string `toml:"tls_cert_fullchain"`
-	ACMECacheDir        string `toml:"acme_cache_dir"`
-	NotificationEmail   string `toml:"notification_email"`
-	CorsOrigins         []string
-	UseHeader           bool   `toml:"use_header"`
-	HeaderName          string `toml:"header_name"`
+	Domain                string `toml:"api_domain"`
+	IP                    string
+	DisableRegistration   bool   `toml:"disable_registration"`
+	AutocertPort          string `toml:"autocert_port"`
+	Port                  string `toml:"port"`
+	TLS                   string
+	TLSCertPrivkey        string `toml:"tls_cert_privkey"`
+	TLSCertFullchain      string `toml:"tls_cert_fullchain"`
+	ACMECacheDir          string `toml:"acme_cache_dir"`
+	ACMEDir               string `toml:"acme_dir"`
+	ACMENotificationEmail string `toml:"notification_email"`
+	CorsOrigins           []string
+	UseHeader             bool   `toml:"use_header"`
+	HeaderName            string `toml:"header_name"`
 }
 
 // Logging config