Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use caddy's certmagic library for extensible/robust ACME handling #14177

Merged
merged 17 commits into from
Jan 24, 2021

Conversation

techknowlogick
Copy link
Member

Also bumps minimum required version of go.

By using certmagic we can use the same ACME library that Caddy uses. This also allows us to increase the number of ACME challenges that we can run. This PR adds TLSAPLN challenge, but in a later PR could be extended to use DNS challenges.

Additional things that could be added in a later PR are storing certs using different storage managers (such as minio, or redis).

@techknowlogick techknowlogick added the type/feature Completely new functionality. Can only be merged if feature freeze is not active. label Dec 29, 2020
@techknowlogick techknowlogick added this to the 1.14.0 milestone Dec 29, 2020
@codecov-io
Copy link

codecov-io commented Dec 29, 2020

Codecov Report

Merging #14177 (02e8c2e) into master (1722299) will increase coverage by 0.01%.
The diff coverage is 0.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master   #14177      +/-   ##
==========================================
+ Coverage   41.85%   41.87%   +0.01%     
==========================================
  Files         745      746       +1     
  Lines       79816    79827      +11     
==========================================
+ Hits        33410    33429      +19     
+ Misses      40885    40879       -6     
+ Partials     5521     5519       -2     
Impacted Files Coverage Δ
cmd/web.go 0.00% <ø> (ø)
cmd/web_letsencrypt.go 0.00% <0.00%> (ø)
modules/avatar/avatar.go 50.00% <0.00%> (-4.77%) ⬇️
services/pull/pull.go 42.15% <0.00%> (ø)
modules/queue/workerpool.go 59.59% <0.00%> (+0.81%) ⬆️
modules/log/file.go 75.20% <0.00%> (+1.60%) ⬆️
services/gitdiff/gitdiff.go 70.93% <0.00%> (+1.93%) ⬆️
modules/charset/charset.go 70.78% <0.00%> (+2.24%) ⬆️
models/unit.go 49.31% <0.00%> (+2.73%) ⬆️
... and 1 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1722299...02e8c2e. Read the comment docs.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 29, 2020
@lafriks lafriks added the pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! label Jan 11, 2021
@lafriks
Copy link
Member

lafriks commented Jan 11, 2021

How would you use it on docker/k8s?

@techknowlogick
Copy link
Member Author

How would you use it on docker/k8s?

In k8s you would use cert-manager to request LE certs, but for standard docker installs you'd set it up as before with -p 443:3000 -p 80:3080 assuming you have the redirect_port setup to be 3080

@lafriks lafriks removed the pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! label Jan 11, 2021
@lafriks
Copy link
Member

lafriks commented Jan 11, 2021

How would you use it on docker/k8s?

In k8s you would use cert-manager to request LE certs, but for standard docker installs you'd set it up as before with -p 443:3000 -p 80:3080 assuming you have the redirect_port setup to be 3080

Nevermind, I somehow thought you moved out letsencrypt to other command 😅

@zeripath
Copy link
Contributor

OK, so this seems great except:

  • it adds a whole DNS implementation
  • and another logging framework (zap)

likely other things too in the >400 files changed.

Now I think we could reasonably drop modules/log and switch to Zap and consider using the DNS implementation elsewhere for things like libravatar but we should be careful we're not adding way too much code here.

@techknowlogick
Copy link
Member Author

libdns is a library for working with APIs of various DNS providers (for updating DNS records for the DNS-01 ACME challenge), so not for resolving anything. In terms of adding too much code, I agree. I'd prefer if zap weren't included at all, but most of the other code added is either golang.org/x/net/... and golang.org/x/crypto/... It sucks because technically zap isn't being used at all, as certmagic doesn't log unless it is passed the logger.

Copy link
Contributor

@zeripath zeripath left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we have to approve - it might be reasonable in future to provide a build tag that removes this functionality to reduce and remove these dependencies.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jan 24, 2021
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jan 24, 2021
@lafriks lafriks merged commit d2ea21d into go-gitea:master Jan 24, 2021
@lafriks lafriks added type/enhancement An improvement of existing functionality and removed type/feature Completely new functionality. Can only be merged if feature freeze is not active. labels Jan 24, 2021
@techknowlogick techknowlogick deleted the certmagic branch January 25, 2021 00:20
a1012112796 added a commit to a1012112796/gitea that referenced this pull request Jan 25, 2021
* master: (358 commits)
  [skip ci] Updated translations via Crowdin
  Use caddy's certmagic library for extensible/robust ACME handling (go-gitea#14177)
  Redirect on changed user and org name (go-gitea#11649)
  chore: bump minio to RELEASE.2021-01-16T02-19-44Z (go-gitea#14445)
  [skip ci] Updated translations via Crowdin
  CI: skip build steps for cron update works (go-gitea#14443)
  [skip ci] Updated licenses and gitignores
  [skip ci] Updated translations via Crowdin
  just overload to not get it by mistake again ... (go-gitea#14440)
  [skip ci] Updated translations via Crowdin
  Add link to packages in openSUSE build service (go-gitea#14439)
  Improve Description in new/ edit Project template (go-gitea#14429)
  Don't show "Reference in new issue" when issues unit is globally disabled (go-gitea#14437)
  CI: Update license & gitignore by cron (go-gitea#14419)
  Fix close/reopen with comment (go-gitea#14436)
  Add german translation guidelines (go-gitea#14283)
  [skip ci] Updated translations via Crowdin
  Fix lfs preview bug (go-gitea#14428)
  [skip ci] Updated translations via Crowdin
  Bump gsap from 3.5.1 to 3.6.0 (go-gitea#14410)
  ...
a1012112796 added a commit to a1012112796/gitea that referenced this pull request Jan 25, 2021
* master: (542 commits)
  [skip ci] Updated translations via Crowdin
  Use caddy's certmagic library for extensible/robust ACME handling (go-gitea#14177)
  Redirect on changed user and org name (go-gitea#11649)
  chore: bump minio to RELEASE.2021-01-16T02-19-44Z (go-gitea#14445)
  [skip ci] Updated translations via Crowdin
  CI: skip build steps for cron update works (go-gitea#14443)
  [skip ci] Updated licenses and gitignores
  [skip ci] Updated translations via Crowdin
  just overload to not get it by mistake again ... (go-gitea#14440)
  [skip ci] Updated translations via Crowdin
  Add link to packages in openSUSE build service (go-gitea#14439)
  Improve Description in new/ edit Project template (go-gitea#14429)
  Don't show "Reference in new issue" when issues unit is globally disabled (go-gitea#14437)
  CI: Update license & gitignore by cron (go-gitea#14419)
  Fix close/reopen with comment (go-gitea#14436)
  Add german translation guidelines (go-gitea#14283)
  [skip ci] Updated translations via Crowdin
  Fix lfs preview bug (go-gitea#14428)
  [skip ci] Updated translations via Crowdin
  Bump gsap from 3.5.1 to 3.6.0 (go-gitea#14410)
  ...
@go-gitea go-gitea locked and limited conversation to collaborators Mar 11, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/enhancement An improvement of existing functionality
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants