Changed setting to ACME_ACCEPTTOS and improved CA root reading

LecrisUT · LecrisUT · commit f96f2061ae31 · 2022-01-31T12:06:09.000+09:00
Signed-off-by: Cristian Le &lt;git@lecris.me&gt;
diff --git a/cmd/web_acme.go b/cmd/web_acme.go
@@ -7,6 +7,7 @@ package cmd
 import (
 	"crypto/x509"
 	"encoding/pem"
+	"fmt"
 	"net/http"
 	"os"
 	"strconv"
@@ -19,6 +20,24 @@ import (
 	"github.com/caddyserver/certmagic"
 )
 
+func getCARoot(path string) (*x509.CertPool, error) {
+	r, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	block, _ := pem.Decode(r)
+	if block == nil {
+		return nil, fmt.Errorf("no PEM found in the file %s", path)
+	}
+	caRoot, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	certPool := x509.NewCertPool()
+	certPool.AddCert(caRoot)
+	return certPool, nil
+}
+
 func runACME(listenAddr string, m http.Handler) error {
 	// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
 	// Due to docker port mapping this can't be checked programmatically
@@ -40,25 +59,17 @@ func runACME(listenAddr string, m http.Handler) error {
 	// Try to use private CA root if provided, otherwise defaults to system's trust
 	var certPool *x509.CertPool
 	if setting.AcmeCARoot != "" {
-		r, err := os.ReadFile(setting.AcmeCARoot)
+		var err error
+		certPool, err = getCARoot(setting.AcmeCARoot)
 		if err != nil {
-			log.Warn("Failed to read CA Root certificate, using default CA trust: %v", err)
-		} else {
-			block, _ := pem.Decode(r)
-			caRoot, err := x509.ParseCertificate(block.Bytes)
-			if err != nil {
-				log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
-			} else {
-				certPool = x509.NewCertPool()
-				certPool.AddCert(caRoot)
-			}
+			log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
 		}
 	}
 	myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
 		CA:                      setting.AcmeURL,
 		TrustedRoots:            certPool,
 		Email:                   setting.AcmeEmail,
-		Agreed:                  setting.LetsEncryptTOS,
+		Agreed:                  setting.AcmeTOS,
 		DisableHTTPChallenge:    !enableHTTPChallenge,
 		DisableTLSALPNChallenge: !enableTLSALPNChallenge,
 		ListenHost:              setting.HTTPAddr,
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
@@ -110,7 +110,7 @@ var (
 	EnablePprof          bool
 	PprofDataPath        string
 	EnableAcme           bool
-	LetsEncryptTOS       bool
+	AcmeTOS              bool
 	AcmeLiveDirectory    string
 	AcmeEmail            string
 	AcmeURL              string
@@ -634,10 +634,15 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 		if EnableAcme {
 			AcmeURL = sec.Key("ACME_URL").MustString("")
 			AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
-			LetsEncryptTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
-			// The TOS is only required when using LetsEncrypt
-			if AcmeURL == "" && !LetsEncryptTOS {
-				log.Fatal("Let's Encrypt TOS (LETSENCRYPT_ACCEPTTOS) is not accepted. Either accept it or configure a different ACME provider (ACME_URL)")
+			// FIXME: DEPRECATED to be removed in v1.18.0
+			if sec.HasKey("ACME_ACCEPTTOS") {
+				AcmeTOS = sec.Key("ACME_ACCEPTTOS").MustBool(false)
+			} else {
+				deprecatedSetting("server", "LETSENCRYPT_ACCEPTTOS", "server", "ACME_ACCEPTTOS")
+				AcmeTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
+			}
+			if !AcmeTOS {
+				log.Fatal("ACME TOS is not accepted (ACME_ACCEPTTOS).")
 			}
 			// FIXME: DEPRECATED to be removed in v1.18.0
 			if sec.HasKey("ACME_DIRECTORY") {
