Support custom ACME provider (#18340)

* Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation
2022-02-08 14:45:35 +09:00 · 2022-02-08 14:45:35 +09:00 · 60f203385e
commit 60f203385e
parent a60e8be8d1
6 changed files with 160 additions and 51 deletions
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -108,10 +108,12 @@ var (
 	UnixSocketPermission uint32
 	EnablePprof          bool
 	PprofDataPath        string
-	EnableLetsEncrypt    bool
-	LetsEncryptTOS       bool
-	LetsEncryptDirectory string
-	LetsEncryptEmail     string
+	EnableAcme           bool
+	AcmeTOS              bool
+	AcmeLiveDirectory    string
+	AcmeEmail            string
+	AcmeURL              string
+	AcmeCARoot           string
 	SSLMinimumVersion    string
 	SSLMaximumVersion    string
 	SSLCurvePreferences  []string
@ -622,14 +624,54 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 	switch protocolCfg {
 	case "https":
 		Protocol = HTTPS
-		CertFile = sec.Key("CERT_FILE").String()
-		KeyFile = sec.Key("KEY_FILE").String()
-		if !filepath.IsAbs(CertFile) && len(CertFile) > 0 {
-			CertFile = filepath.Join(CustomPath, CertFile)
+		// FIXME: DEPRECATED to be removed in v1.18.0
+		if sec.HasKey("ENABLE_ACME") {
+			EnableAcme = sec.Key("ENABLE_ACME").MustBool(false)
+		} else {
+			deprecatedSetting("server", "ENABLE_LETSENCRYPT", "server", "ENABLE_ACME")
+			EnableAcme = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
 		}
-		if !filepath.IsAbs(KeyFile) && len(KeyFile) > 0 {
-			KeyFile = filepath.Join(CustomPath, KeyFile)
+		if EnableAcme {
+			AcmeURL = sec.Key("ACME_URL").MustString("")
+			AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
+			// FIXME: DEPRECATED to be removed in v1.18.0
+			if sec.HasKey("ACME_ACCEPTTOS") {
+				AcmeTOS = sec.Key("ACME_ACCEPTTOS").MustBool(false)
+			} else {
+				deprecatedSetting("server", "LETSENCRYPT_ACCEPTTOS", "server", "ACME_ACCEPTTOS")
+				AcmeTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
+			}
+			if !AcmeTOS {
+				log.Fatal("ACME TOS is not accepted (ACME_ACCEPTTOS).")
+			}
+			// FIXME: DEPRECATED to be removed in v1.18.0
+			if sec.HasKey("ACME_DIRECTORY") {
+				AcmeLiveDirectory = sec.Key("ACME_DIRECTORY").MustString("https")
+			} else {
+				deprecatedSetting("server", "LETSENCRYPT_DIRECTORY", "server", "ACME_DIRECTORY")
+				AcmeLiveDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
+			}
+			// FIXME: DEPRECATED to be removed in v1.18.0
+			if sec.HasKey("ACME_EMAIL") {
+				AcmeEmail = sec.Key("ACME_EMAIL").MustString("")
+			} else {
+				deprecatedSetting("server", "LETSENCRYPT_EMAIL", "server", "ACME_EMAIL")
+				AcmeEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
+			}
+		} else {
+			CertFile = sec.Key("CERT_FILE").String()
+			KeyFile = sec.Key("KEY_FILE").String()
+			if len(CertFile) > 0 && !filepath.IsAbs(CertFile) {
+				CertFile = filepath.Join(CustomPath, CertFile)
+			}
+			if len(KeyFile) > 0 && !filepath.IsAbs(KeyFile) {
+				KeyFile = filepath.Join(CustomPath, KeyFile)
+			}
 		}
+		SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("")
+		SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("")
+		SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",")
+		SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",")
 	case "fcgi":
 		Protocol = FCGI
 	case "fcgi+unix", "unix", "http+unix":
@ -653,18 +695,6 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 			HTTPAddr = filepath.Join(AppWorkPath, HTTPAddr)
 		}
 	}
-	EnableLetsEncrypt = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
-	LetsEncryptTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
-	if !LetsEncryptTOS && EnableLetsEncrypt {
-		log.Warn("Failed to enable Let's Encrypt due to Let's Encrypt TOS not being accepted")
-		EnableLetsEncrypt = false
-	}
-	LetsEncryptDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
-	LetsEncryptEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
-	SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("")
-	SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("")
-	SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",")
-	SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",")
 	GracefulRestartable = sec.Key("ALLOW_GRACEFUL_RESTARTS").MustBool(true)
 	GracefulHammerTime = sec.Key("GRACEFUL_HAMMER_TIME").MustDuration(60 * time.Second)
 	StartupTimeout = sec.Key("STARTUP_TIMEOUT").MustDuration(0 * time.Second)