all repos — website @ b3ebf0776138bfb76b5304736a09c752fa0515f9

My website

fix certificate acquisition when listen sockets are passed
Alan Pearce alan@alanpearce.eu
Sat, 29 Jun 2024 11:59:12 +0200
commit

b3ebf0776138bfb76b5304736a09c752fa0515f9

parent

b0621bf7f6d2909b8573430b9a10326db586909f

1 files changed, 28 insertions(+), 18 deletions(-)

jump to
M internal/server/tls.gointernal/server/tls.go
@@ -25,12 +25,38 @@ KeyPrefix     string `conf:"default:certmagic"` }
 
 func (s *Server) serveTLS() (err error) {
+	var issuer *certmagic.ACMEIssuer
+
 	cfg := certmagic.NewDefault()
 	cfg.DefaultServerName = s.config.Domains[0]
 
+	issuer = &certmagic.DefaultACME
 	certmagic.DefaultACME.Agreed = true
 	certmagic.DefaultACME.Email = s.config.Email
 
+	ln, err := listenfd.GetListener(
+		1,
+		net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.Port)),
+	)
+	if err != nil {
+		return errors.Wrap(err, "could not bind plain socket")
+	}
+
+	go func(ln net.Listener) {
+		redirecter := http.NewServeMux()
+		redirecter.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+			if certmagic.LooksLikeHTTPChallenge(r) {
+				issuer.HandleHTTPChallenge(w, r)
+			} else {
+				s.redirectHandler(w, r)
+			}
+		})
+		err := http.Serve(ln, redirecter)
+		if err != nil && !errors.Is(err, http.ErrServerClosed) {
+			log.Error("error in http handler", "error", err)
+		}
+	}(ln)
+
 	if s.runtimeConfig.Development {
 		ca := s.runtimeConfig.ACMECA
 		if ca == "" {
@@ -55,7 +81,7 @@ if listenAddress[0] == '[' { 			listenAddress = listenAddress[1 : len(listenAddress)-1]
 		}
 
-		cfg.Issuers[0] = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
+		issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
 			CA:                      s.runtimeConfig.ACMECA,
 			TrustedRoots:            cp,
 			DisableTLSALPNChallenge: true,
@@ -63,6 +89,7 @@ ListenHost:              listenAddress, 			AltHTTPPort:             s.runtimeConfig.Port,
 			AltTLSALPNPort:          s.runtimeConfig.TLSPort,
 		})
+		cfg.Issuers[0] = issuer
 	} else {
 		rc := &redisConfig{}
 		_, err = conf.Parse("REDIS", rc)
@@ -108,23 +135,6 @@ ) 	if err != nil {
 		return errors.Wrap(err, "could not bind tls socket")
 	}
-
-	ln, err := listenfd.GetListener(
-		1,
-		net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.Port)),
-	)
-	if err != nil {
-		return errors.Wrap(err, "could not bind plain socket")
-	}
-
-	go func(ln net.Listener) {
-		redirecter := http.NewServeMux()
-		redirecter.HandleFunc("/", s.redirectHandler)
-		err := http.Serve(ln, redirecter)
-		if err != nil && !errors.Is(err, http.ErrServerClosed) {
-			log.Error("error in http handler", "error", err)
-		}
-	}(ln)
 
 	return s.Serve(sln)
 }