Migrate over to certmagic from using autocert (#190)

* Use certmagic for challenge validation * WIP * Get the correct key * Override preflight check logic * Fix logging for imported packages and tidy config.cfg * Fix test and add docstrings * Update README
joohoi · Oct 20, 2019 · aa3e7e1 · aa3e7e1
1 parent af542b4
commit aa3e7e1
Show file tree

Hide file tree

Showing 8 changed files with 465 additions and 44 deletions.
diff --git a/README.md b/README.md
@@ -238,7 +238,7 @@ $ dig -t txt @auth.example.org d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example
 # DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
 # In this case acme-dns will error out and you will need to define the listening interface
 # for example: listen = "127.0.0.1:53"
-listen = ":53"
+listen = "127.0.0.1:53"
 # protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
 protocol = "both"
 # domain name to serve the requests off of
@@ -249,7 +249,7 @@ nsname = "auth.example.org"
 nsadmin = "admin.example.org"
 # predefined records served in addition to the TXT
 records = [
- # domain pointing to the public IP of your acme-dns server
+ # domain pointing to the public IP of your acme-dns server 
  "auth.example.org. A 198.51.100.1",
  # specify that auth.example.org will resolve any *.auth.example.org records
  "auth.example.org. NS auth.example.org.",
@@ -261,22 +261,19 @@ debug = false
 # Database engine to use, sqlite3 or postgres
 engine = "sqlite3"
 # Connection string, filename for sqlite3 and postgres:https://$username:$password@$host/$db_name for postgres
+# Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
 connection = "/var/lib/acme-dns/acme-dns.db"
 # connection = "postgres:https://user:password@localhost/acmedns_db"
 
 [api]
-# domain name to listen requests for, mandatory if using tls = "letsencrypt"
-api_domain = ""
+# listen ip eg. 127.0.0.1
+ip = "0.0.0.0"
 # disable registration endpoint
 disable_registration = false
-# autocert HTTP port, eg. 80 for answering Let's Encrypt HTTP-01 challenges. Mandatory if using tls = "letsencrypt".
-autocert_port = "80"
-# listen ip, default "" listens on all interfaces/addresses
-ip = "127.0.0.1"
 # listen port, eg. 443 for default HTTPS
-port = "8080"
-# possible values: "letsencrypt", "cert", "none"
-tls = "none"
+port = "443"
+# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
+tls = "letsencryptstaging"
 # only used if tls = "cert"
 tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
 tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
@@ -346,8 +343,13 @@ use for the renewal.
 ## Changelog
 
 - v0.8
+ - NOTE: configuration option: "api_domain" deprecated!
+ - New
+ - Automatic HTTP API certificate provisioning using DNS challenges making acme-dns able to acquire certificates even with HTTP api not being accessible from public internet.
+ - Configuration value for "tls": "letsencryptstaging". Setting it will help you to debug possible issues with HTTP API certificate acquiring process. This is the new default value.
  - Changed
  - Fixed: EDNS0 support
+ - Migrated from autocert to [certmagic](https://github.com/mholt/certmagic) for HTTP API certificate handling
 - v0.7.2
  - Changed
  - Fixed: Regression error of not being able to answer to incoming random-case requests.

diff --git a/challengeprovider.go b/challengeprovider.go
@@ -0,0 +1,30 @@
+package main
+
+import "github.com/go-acme/lego/challenge/dns01"
+
+// ChallengeProvider implements go-acme/lego Provider interface which is used for ACME DNS challenge handling
+type ChallengeProvider struct {
+ servers []*DNSServer
+}
+
+// NewChallengeProvider creates a new instance of ChallengeProvider
+func NewChallengeProvider(servers []*DNSServer) ChallengeProvider {
+ return ChallengeProvider{servers: servers}
+}
+
+// Present is used for making the ACME DNS challenge token available for DNS
+func (c *ChallengeProvider) Present(_, _, keyAuth string) error {
+ _, token := dns01.GetRecord("whatever", keyAuth)
+ for _, s := range c.servers {
+ s.PersonalKeyAuth = token
+ }
+ return nil
+}
+
+// CleanUp is called after the run to remove the ACME DNS challenge tokens from DNS records
+func (c *ChallengeProvider) CleanUp(_, _, _ string) error {
+ for _, s := range c.servers {
+ s.PersonalKeyAuth = ""
+ }
+ return nil
+}
diff --git a/config.cfg b/config.cfg
@@ -30,18 +30,14 @@ connection = "/var/lib/acme-dns/acme-dns.db"
 # connection = "postgres:https://user:password@localhost/acmedns_db"
 
 [api]
-# domain name to listen requests for, mandatory if using tls = "letsencrypt"
-api_domain = ""
 # listen ip eg. 127.0.0.1
 ip = "0.0.0.0"
 # disable registration endpoint
 disable_registration = false
-# autocert HTTP port, eg. 80 for answering Let's Encrypt HTTP-01 challenges. Mandatory if using tls = "letsencrypt".
-autocert_port = "80"
 # listen port, eg. 443 for default HTTPS
-port = "80"
-# possible values: "letsencrypt", "cert", "none"
-tls = "none"
+port = "443"
+# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
+tls = "letsencryptstaging"
 # only used if tls = "cert"
 tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
 tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"

diff --git a/dns.go b/dns.go
@@ -15,17 +15,24 @@ type Records struct {
 
 // DNSServer is the main struct for acme-dns DNS server
 type DNSServer struct {
- DB database
- Server *dns.Server
- SOA dns.RR
- Domains map[string]Records
+ DB database
+ Domain string
+ Server *dns.Server
+ SOA dns.RR
+ PersonalKeyAuth string
+ Domains map[string]Records
 }
 
 // NewDNSServer parses the DNS records from config and returns a new DNSServer struct
-func NewDNSServer(db database, addr string, proto string) *DNSServer {
+func NewDNSServer(db database, addr string, proto string, domain string) *DNSServer {
  var server DNSServer
  server.Server = &dns.Server{Addr: addr, Net: proto}
+ if !strings.HasSuffix(domain, ".") {
+ domain = domain + "."
+ }
+ server.Domain = strings.ToLower(domain)
  server.DB = db
+ server.PersonalKeyAuth = ""
  server.Domains = make(map[string]Records)
  return &server
 }
@@ -148,6 +155,9 @@ func (d *DNSServer) getRecord(q dns.Question) ([]dns.RR, error) {
 
 // answeringForDomain checks if we have any records for a domain
 func (d *DNSServer) answeringForDomain(name string) bool {
+ if d.Domain == strings.ToLower(name) {
+ return true
+ }
  _, ok := d.Domains[strings.ToLower(name)]
  return ok
 }
@@ -165,15 +175,38 @@ func (d *DNSServer) isAuthoritative(q dns.Question) bool {
  return false
 }
 
+// isOwnChallenge checks if the query is for the domain of this acme-dns instance. Used for answering its own ACME challenges
+func (d *DNSServer) isOwnChallenge(name string) bool {
+ domainParts := strings.SplitN(name, ".", 2)
+ if len(domainParts) == 2 {
+ if strings.ToLower(domainParts[0]) == "_acme-challenge" {
+ domain := strings.ToLower(domainParts[1])
+ if !strings.HasSuffix(domain, ".") {
+ domain = domain + "."
+ }
+ if domain == d.Domain {
+ return true
+ }
+ }
+ }
+ return false
+}
+
 func (d *DNSServer) answer(q dns.Question) ([]dns.RR, int, bool, error) {
  var rcode int
+ var err error
+ var txtRRs []dns.RR
  var authoritative = d.isAuthoritative(q)
- if !d.answeringForDomain(q.Name) {
+ if !d.isOwnChallenge(q.Name) && !d.answeringForDomain(q.Name) {
  rcode = dns.RcodeNameError
  }
  r, _ := d.getRecord(q)
  if q.Qtype == dns.TypeTXT {
- txtRRs, err := d.answerTXT(q)
+ if d.isOwnChallenge(q.Name) {
+ txtRRs, err = d.answerOwnChallenge(q)
+ } else {
+ txtRRs, err = d.answerTXT(q)
+ }
  if err == nil {
  for _, txtRR := range txtRRs {
  r = append(r, txtRR)
@@ -206,3 +239,11 @@ func (d *DNSServer) answerTXT(q dns.Question) ([]dns.RR, error) {
  }
  return ra, nil
 }
+
+// answerOwnChallenge answers to ACME challenge for acme-dns own certificate
+func (d *DNSServer) answerOwnChallenge(q dns.Question) ([]dns.RR, error) {
+ r := new(dns.TXT)
+ r.Hdr = dns.RR_Header{Name: q.Name, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: 1}
+ r.Txt = append(r.Txt, d.PersonalKeyAuth)
+ return []dns.RR{r}, nil
+}
diff --git a/go.mod b/go.mod
@@ -6,17 +6,21 @@ require (
  github.com/BurntSushi/toml v0.3.1
  github.com/DATA-DOG/go-sqlmock v1.3.3
  github.com/ajg/form v1.5.1 // indirect
+ github.com/cenkalti/backoff v2.2.1+incompatible // indirect
  github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5
- github.com/fatih/structs v1.1.0 // indirect
+ github.com/fasthttp-contrib/websocket v0.0.0-20160511215533-1f3b11f56072 // indirect
  github.com/gavv/httpexpect v2.0.0+incompatible
- github.com/google/go-querystring v1.0.0 // indirect
+ github.com/go-acme/lego v2.7.2+incompatible
+ github.com/go-acme/lego/v3 v3.1.0
  github.com/google/uuid v1.1.1
  github.com/gorilla/websocket v1.4.1 // indirect
  github.com/imkira/go-interpol v1.1.0 // indirect
  github.com/julienschmidt/httprouter v1.3.0
- github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
+ github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88 // indirect
  github.com/lib/pq v1.2.0
+ github.com/mattn/go-colorable v0.1.4 // indirect
  github.com/mattn/go-sqlite3 v1.11.0
+ github.com/mholt/certmagic v0.8.1-0.20191019173955-6f9f0e6dd0e8
  github.com/miekg/dns v1.1.22
  github.com/moul/http2curl v1.0.0 // indirect
  github.com/rs/cors v1.7.0
@@ -27,6 +31,7 @@ require (
  github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0 // indirect
  github.com/yudai/gojsondiff v1.0.0 // indirect
  github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
+ github.com/yudai/pp v2.0.1+incompatible // indirect
  golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
  golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 // indirect
  golang.org/x/sys v0.0.0-20191010194322-b09406accb47 // indirect