mirror of
https://codeberg.org/Codeberg/pages-server.git
synced 2024-11-26 05:55:27 +00:00
Fix timeout for HTTP-01, bug in HTTP challenge response & only count domains towards user limit after acquiring locks
This commit is contained in:
parent
f22cd6c4e0
commit
eae4513b96
@ -95,12 +95,7 @@ var tlsConfig = &tls.Config{
|
|||||||
return nil, errors.New("won't request certificate for main domain, something really bad has happened")
|
return nil, errors.New("won't request certificate for main domain, something really bad has happened")
|
||||||
}
|
}
|
||||||
|
|
||||||
err = CheckUserLimit(targetOwner)
|
tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner)
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -241,7 +236,7 @@ func retrieveCertFromDB(sni []byte) (tls.Certificate, bool) {
|
|||||||
// renew certificates 7 days before they expire
|
// renew certificates 7 days before they expire
|
||||||
if !tlsCertificate.Leaf.NotAfter.After(time.Now().Add(-7 * 24 * time.Hour)) {
|
if !tlsCertificate.Leaf.NotAfter.After(time.Now().Add(-7 * 24 * time.Hour)) {
|
||||||
go (func() {
|
go (func() {
|
||||||
tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res)
|
tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("Couldn't renew certificate for %s: %s", sni, err)
|
log.Printf("Couldn't renew certificate for %s: %s", sni, err)
|
||||||
}
|
}
|
||||||
@ -253,7 +248,7 @@ func retrieveCertFromDB(sni []byte) (tls.Certificate, bool) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
var obtainLocks = sync.Map{}
|
var obtainLocks = sync.Map{}
|
||||||
func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource) (tls.Certificate, error) {
|
func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource, user string) (tls.Certificate, error) {
|
||||||
name := strings.TrimPrefix(domains[0], "*")
|
name := strings.TrimPrefix(domains[0], "*")
|
||||||
if os.Getenv("DNS_PROVIDER") == "" && len(domains[0]) > 0 && domains[0][0] == '*' {
|
if os.Getenv("DNS_PROVIDER") == "" && len(domains[0]) > 0 && domains[0][0] == '*' {
|
||||||
domains = domains[1:]
|
domains = domains[1:]
|
||||||
@ -284,6 +279,12 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
|
|||||||
log.Printf("Renewing certificate for %v", domains)
|
log.Printf("Renewing certificate for %v", domains)
|
||||||
res, err = acmeClient.Certificate.Renew(*renew, true, false, "")
|
res, err = acmeClient.Certificate.Renew(*renew, true, false, "")
|
||||||
} else {
|
} else {
|
||||||
|
if user != "" {
|
||||||
|
if err := CheckUserLimit(user); err != nil {
|
||||||
|
return tls.Certificate{}, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if os.Getenv("ACME_USE_RATE_LIMITS") != "false" {
|
if os.Getenv("ACME_USE_RATE_LIMITS") != "false" {
|
||||||
acmeClientOrderLimit.Take()
|
acmeClientOrderLimit.Take()
|
||||||
acmeClientRequestLimit.Take()
|
acmeClientRequestLimit.Take()
|
||||||
@ -422,7 +423,7 @@ func setupCertificates() {
|
|||||||
// key database is not working
|
// key database is not working
|
||||||
panic(err)
|
panic(err)
|
||||||
} else if resBytes == nil {
|
} else if resBytes == nil {
|
||||||
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(MainDomainSuffix), string(MainDomainSuffix[1:])}, nil)
|
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(MainDomainSuffix), string(MainDomainSuffix[1:])}, nil, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalf("Couldn't renew certificate for *%s: %s", MainDomainSuffix, err)
|
log.Fatalf("Couldn't renew certificate for *%s: %s", MainDomainSuffix, err)
|
||||||
}
|
}
|
||||||
@ -495,7 +496,7 @@ func setupCertificates() {
|
|||||||
// renew main certificate 30 days before it expires
|
// renew main certificate 30 days before it expires
|
||||||
if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) {
|
if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) {
|
||||||
go (func() {
|
go (func() {
|
||||||
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(MainDomainSuffix), string(MainDomainSuffix[1:])}, res)
|
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(MainDomainSuffix), string(MainDomainSuffix[1:])}, res, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("Couldn't renew certificate for *%s: %s", MainDomainSuffix, err)
|
log.Printf("Couldn't renew certificate for *%s: %s", MainDomainSuffix, err)
|
||||||
}
|
}
|
||||||
|
4
main.go
4
main.go
@ -91,7 +91,7 @@ func main() {
|
|||||||
MaxRequestBodySize: 0,
|
MaxRequestBodySize: 0,
|
||||||
NoDefaultServerHeader: true,
|
NoDefaultServerHeader: true,
|
||||||
NoDefaultDate: true,
|
NoDefaultDate: true,
|
||||||
ReadTimeout: 10 * time.Second,
|
ReadTimeout: 30 * time.Second, // needs to be this high for ACME certificates with ZeroSSL & HTTP-01 challenge
|
||||||
Concurrency: 1024 * 32, // TODO: adjust bottlenecks for best performance with Gitea!
|
Concurrency: 1024 * 32, // TODO: adjust bottlenecks for best performance with Gitea!
|
||||||
MaxConnsPerIP: 100,
|
MaxConnsPerIP: 100,
|
||||||
}
|
}
|
||||||
@ -110,7 +110,7 @@ func main() {
|
|||||||
err := fasthttp.ListenAndServe("[::]:80", func(ctx *fasthttp.RequestCtx) {
|
err := fasthttp.ListenAndServe("[::]:80", func(ctx *fasthttp.RequestCtx) {
|
||||||
if bytes.HasPrefix(ctx.Path(), challengePath) {
|
if bytes.HasPrefix(ctx.Path(), challengePath) {
|
||||||
challenge, ok := challengeCache.Get(string(TrimHostPort(ctx.Host())) + "/" + string(bytes.TrimPrefix(ctx.Path(), challengePath)))
|
challenge, ok := challengeCache.Get(string(TrimHostPort(ctx.Host())) + "/" + string(bytes.TrimPrefix(ctx.Path(), challengePath)))
|
||||||
if !ok {
|
if !ok || challenge == nil {
|
||||||
ctx.SetStatusCode(http.StatusNotFound)
|
ctx.SetStatusCode(http.StatusNotFound)
|
||||||
ctx.SetBodyString("no challenge for this token")
|
ctx.SetBodyString("no challenge for this token")
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user