From fcccd6435a503f30039a2217fe156ec24690e254 Mon Sep 17 00:00:00 2001
From: Moritz Marquardt
Date: Sat, 20 Nov 2021 15:37:36 +0100
Subject: [PATCH] Add EAB for ACME

---
 README.md | 1 +
 certificates.go | 20 ++++++++++++++++----
 handler.go | 2 +-
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 70d4ebe..3849f8f 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@
 - `REDIRECT_RAW_INFO` (default: https://docs.codeberg.org/pages/raw-content/): info page for raw resources, shown if no resource is provided.
 - `ACME_API` (default: https://acme.zerossl.com/v2/DV90): set this to https://acme.mock.director to use invalid certificates without any verification (great for debugging). ZeroSSL is used as it doesn't have rate limits and doesn't clash with the official Codeberg certificates (which are using Let's Encrypt).
 - `ACME_EMAIL` (default: `noreply@example.email`): Set this to "true" to accept the Terms of Service of your ACME provider.
+- `ACME_EAB_KID` & `ACME_EAB_HMAC` (default: don't use EAB): EAB credentials, for example for ZeroSSL.
 - `ACME_ACCEPT_TERMS` (default: use self-signed certificate): Set this to "true" to accept the Terms of Service of your ACME provider.
 - `DNS_PROVIDER` (default: use self-signed certificate): Code of the ACME DNS provider for the main domain wildcard. See https://go-acme.github.io/lego/dns/ for available values & additional environment variables.
 
diff --git a/certificates.go b/certificates.go
index 3ba6f9e..80edc34 100644
--- a/certificates.go
+++ b/certificates.go
@@ -204,11 +204,23 @@ func newAcmeClient(configureChallenge func(*resolver.SolverManager) error) *lego
 }
 
 // accept terms
- reg, err := acmeClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: os.Getenv("ACME_ACCEPT_TERMS") == "true"})
- if err != nil {
- panic(err)
+ if os.Getenv("ACME_EAB_KID") == "" || os.Getenv("ACME_EAB_HMAC") == "" {
+ reg, err := acmeClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: os.Getenv("ACME_ACCEPT_TERMS") == "true"})
+ if err != nil {
+ panic(err)
+ }
+ myUser.Registration = reg
+ } else {
+ reg, err := acmeClient.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+ TermsOfServiceAgreed: os.Getenv("ACME_ACCEPT_TERMS") == "true",
+ Kid: os.Getenv("ACME_EAB_KID"),
+ HmacEncoded: os.Getenv("ACME_EAB_HMAC"),
+ })
+ if err != nil {
+ panic(err)
+ }
+ myUser.Registration = reg
 }
- myUser.Registration = reg
 
 return acmeClient
 }
diff --git a/handler.go b/handler.go
index 53bdba6..662809a 100644
--- a/handler.go
+++ b/handler.go
@@ -148,7 +148,7 @@ func handler(ctx *fasthttp.RequestCtx) {
 targetOwner = pathElements[0]
 targetRepo = pathElements[1]
- // raw.codeberg.page/example/myrepo/@main/index.html
+ // raw.codeberg.org/example/myrepo/@main/index.html
 if len(pathElements) > 2 && strings.HasPrefix(pathElements[2], "@") {
 s.Step("raw domain preparations, now trying with specified branch")
 if tryBranch(targetRepo, pathElements[2][1:], pathElements[3:],
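Review bot: Setting only one of ACME_EAB_KID / ACME_EAB_HMAC silently takes the plain Register path, because the condition on the first added line of the certificates.go hunk treats a half-configured pair the same as no EAB configuration; a typo in one variable name would then register without EAB, and if the configured endpoint requires EAB (the README names ZeroSSL as the use case) the failure only surfaces later as a generic registration panic. I would reject a half-set pair up front with an explicit message, hoist the repeated os.Getenv calls into locals, and let both branches share one error check and one `myUser.Registration = reg` assignment instead of duplicating them. ACME_EAB_HMAC is a credential, so the proposed panic message names the variables but never echoes their values. newAcmeClient starts before this hunk, and `err` may already be in scope there, which is why the sketch below keeps a single `reg, err :=` declaration.
```go
	// accept terms
	eabKID, eabHMAC := os.Getenv("ACME_EAB_KID"), os.Getenv("ACME_EAB_HMAC")
	if (eabKID == "") != (eabHMAC == "") {
		// a half-set pair is a misconfiguration, not a request for plain registration
		panic("ACME_EAB_KID and ACME_EAB_HMAC must be set together")
	}
	termsAgreed := os.Getenv("ACME_ACCEPT_TERMS") == "true"
	register := func() (*registration.Resource, error) {
		if eabKID == "" {
			return acmeClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: termsAgreed})
		}
		return acmeClient.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
			TermsOfServiceAgreed: termsAgreed,
			Kid:                  eabKID,
			HmacEncoded:          eabHMAC,
		})
	}
	reg, err := register()
	if err != nil {
		panic(err)
	}
	myUser.Registration = reg
	// … unchanged: return acmeClient …
```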