From 60f203385e6f27fae47f3cc8c5d71309f4fd88dc Mon Sep 17 00:00:00 2001 From: Cristian Le Date: Tue, 8 Feb 2022 14:45:35 +0900 Subject: [PATCH] Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation --- cmd/web.go | 19 ++--- cmd/{web_letsencrypt.go => web_acme.go} | 43 +++++++++-- custom/conf/app.example.ini | 30 ++++++++ .../doc/advanced/config-cheat-sheet.en-us.md | 15 ++-- docs/content/doc/usage/https-support.md | 30 ++++++-- modules/setting/setting.go | 74 +++++++++++++------ 6 files changed, 160 insertions(+), 51 deletions(-) rename cmd/{web_letsencrypt.go => web_acme.go} (74%) diff --git a/cmd/web.go b/cmd/web.go index 9a8d9dfa73..710c12775f 100644 --- a/cmd/web.go +++ b/cmd/web.go @@ -222,18 +222,19 @@ func listen(m http.Handler, handleRedirector bool) error { } err = runHTTP("tcp", listenAddr, "Web", m) case setting.HTTPS: - if setting.EnableLetsEncrypt { - err = runLetsEncrypt(listenAddr, setting.Domain, setting.LetsEncryptDirectory, setting.LetsEncryptEmail, m) + if setting.EnableAcme { + err = runACME(listenAddr, m) break - } - if handleRedirector { - if setting.RedirectOtherPort { - go runHTTPRedirector() - } else { - NoHTTPRedirector() + } else { + if handleRedirector { + if setting.RedirectOtherPort { + go runHTTPRedirector() + } else { + NoHTTPRedirector() + } } + err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, m) } - err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, m) case setting.FCGI: if handleRedirector { NoHTTPRedirector() diff --git a/cmd/web_letsencrypt.go b/cmd/web_acme.go similarity index 74% rename from cmd/web_letsencrypt.go rename to cmd/web_acme.go index 517d71f017..9a04274db5 100644 --- a/cmd/web_letsencrypt.go +++ b/cmd/web_acme.go @@ -5,7 +5,11 @@ package cmd import ( + "crypto/x509" + "encoding/pem" + "fmt" "net/http" + "os" "strconv" "strings" @@ -16,7 +20,25 @@ import ( "github.com/caddyserver/certmagic" ) -func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) error { +func getCARoot(path string) (*x509.CertPool, error) { + r, err := os.ReadFile(path) + if err != nil { + return nil, err + } + block, _ := pem.Decode(r) + if block == nil { + return nil, fmt.Errorf("no PEM found in the file %s", path) + } + caRoot, err := x509.ParseCertificate(block.Bytes) + if err != nil { + return nil, err + } + certPool := x509.NewCertPool() + certPool.AddCert(caRoot) + return certPool, nil +} + +func runACME(listenAddr string, m http.Handler) error { // If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443. // Due to docker port mapping this can't be checked programmatically // TODO: these are placeholders until we add options for each in settings with appropriate warning @@ -33,10 +55,21 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) } magic := certmagic.NewDefault() - magic.Storage = &certmagic.FileStorage{Path: directory} + magic.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory} + // Try to use private CA root if provided, otherwise defaults to system's trust + var certPool *x509.CertPool + if setting.AcmeCARoot != "" { + var err error + certPool, err = getCARoot(setting.AcmeCARoot) + if err != nil { + log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err) + } + } myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{ - Email: email, - Agreed: setting.LetsEncryptTOS, + CA: setting.AcmeURL, + TrustedRoots: certPool, + Email: setting.AcmeEmail, + Agreed: setting.AcmeTOS, DisableHTTPChallenge: !enableHTTPChallenge, DisableTLSALPNChallenge: !enableTLSALPNChallenge, ListenHost: setting.HTTPAddr, @@ -47,7 +80,7 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) magic.Issuers = []certmagic.Issuer{myACME} // this obtains certificates or renews them if necessary - err := magic.ManageSync(graceful.GetManager().HammerContext(), []string{domain}) + err := magic.ManageSync(graceful.GetManager().HammerContext(), []string{setting.Domain}) if err != nil { return err } diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 8dac6ab3ab..f16b1d6a40 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -178,6 +178,36 @@ RUN_MODE = ; prod ;OFFLINE_MODE = false ;DISABLE_ROUTER_LOG = false ;; +;; TLS Settings: Either ACME or manual +;; (Other common TLS configuration are found before) +;ENABLE_ACME = false +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; ACME automatic TLS settings +;; +;; ACME directory URL (e.g. LetsEncrypt's staging/testing URL: https://acme-staging-v02.api.letsencrypt.org/directory) +;; Leave empty to default to LetsEncrypt's (production) URL +;ACME_URL = +;; +;; Explicitly accept the ACME's TOS. The specific TOS cannot be retrieved at the moment. +;ACME_ACCEPTTOS = false +;; +;; If the ACME CA is not in your system's CA trust chain, it can be manually added here +;ACME_CA_ROOT = +;; +;; Email used for the ACME registration service +;; Can be left blank to initialize at first run and use the cached value +;ACME_EMAIL = +;; +;; ACME live directory (not to be confused with ACME directory URL: ACME_URL) +;; (Refer to caddy's ACME manager https://github.com/caddyserver/certmagic) +;ACME_DIRECTORY = https +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Manual TLS settings: (Only applicable if ENABLE_ACME=false) +;; ;; Generate steps: ;; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com ;; diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index a3999595ab..bc4675da1b 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -292,8 +292,8 @@ The following configuration set `Content-Type: application/vnd.android.package-a - `MINIMUM_KEY_SIZE_CHECK`: **true**: Indicate whether to check minimum key size with corresponding type. - `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures. -- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). From 1.11 paths are relative to `CUSTOM_PATH`. -- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`. +- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). This is ignored if `ENABLE_ACME=true`. From 1.11 paths are relative to `CUSTOM_PATH`. +- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. This is ignored if `ENABLE_ACME=true`. From 1.11 paths are relative to `CUSTOM_PATH`. - `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path. - `APP_DATA_PATH`: **data** (**/data/gitea** on docker): Default path for application data. - `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars. Note that this cache is disabled when `RUN_MODE` is "dev". @@ -347,11 +347,12 @@ The following configuration set `Content-Type: application/vnd.android.package-a - Aliased names - "ecdhe_rsa_with_chacha20_poly1305" is an alias for "ecdhe_rsa_with_chacha20_poly1305_sha256" - "ecdhe_ecdsa_with_chacha20_poly1305" is alias for "ecdhe_ecdsa_with_chacha20_poly1305_sha256" -- `ENABLE_LETSENCRYPT`: **false**: If enabled you must set `DOMAIN` to valid internet facing domain (ensure DNS is set and port 80 is accessible by letsencrypt validation server). - By using Lets Encrypt **you must consent** to their [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf). -- `LETSENCRYPT_ACCEPTTOS`: **false**: This is an explicit check that you accept the terms of service for Let's Encrypt. -- `LETSENCRYPT_DIRECTORY`: **https**: Directory that Letsencrypt will use to cache information such as certs and private keys. -- `LETSENCRYPT_EMAIL`: **email@example.com**: Email used by Letsencrypt to notify about problems with issued certificates. (No default) +- `ENABLE_ACME`: **false**: Flag to enable automatic certificate management via an ACME capable Certificate Authority (CA) server (default: Lets Encrypt). If enabled, `CERT_FILE` and `KEY_FILE` are ignored, and the CA must resolve `DOMAIN` to this gitea server. Ensure that DNS records are set and either port `80` or port `443` are accessible by the CA server (the public internet by default), and redirected to the appropriate ports `PORT_TO_REDIRECT` or `HTTP_PORT` respectively. +- `ACME_URL`: **\**: The CA's ACME directory URL, e.g. for a self-hosted [smallstep CA server](https://github.com/smallstep/certificates), it can look like `https://ca.example.com/acme/acme/directory`. If left empty, it defaults to using Let's Encerypt's production CA (check `LETSENCRYPT_ACCEPTTOS` as well). +- `ACME_ACCEPTTOS`: **false**: This is an explicit check that you accept the terms of service of the ACME provider. The default is Lets Encrypt [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf). +- `ACME_DIRECTORY`: **https**: Directory that the certificate manager will use to cache information such as certs and private keys. +- `ACME_EMAIL`: **\**: Email used for the ACME registration. Usually it is to notify about problems with issued certificates. +- `ACME_CA_ROOT`: **\**: The CA's root certificate. If left empty, it defaults to using the system's trust chain. - `ALLOW_GRACEFUL_RESTARTS`: **true**: Perform a graceful restart on SIGHUP - `GRACEFUL_HAMMER_TIME`: **60s**: After a restart the parent process will stop accepting new connections and will allow requests to finish before stopping. Shutdown will be forced if it takes longer than this time. - `STARTUP_TIMEOUT`: **0**: Shutsdown the server if startup takes longer than the provided time. On Windows setting this sends a waithint to the SVC host to tell the SVC host startup may take some time. Please note startup is determined by the opening of the listeners - HTTP/HTTPS/SSH. Indexers may take longer to startup and can have their own timeouts. diff --git a/docs/content/doc/usage/https-support.md b/docs/content/doc/usage/https-support.md index d7563a0f08..756e11fd03 100644 --- a/docs/content/doc/usage/https-support.md +++ b/docs/content/doc/usage/https-support.md @@ -55,20 +55,34 @@ PORT_TO_REDIRECT = 3080 If you are using Docker, make sure that this port is configured in your `docker-compose.yml` file. -## Using Let's Encrypt +## Using ACME (Default: Let's Encrypt) -[Let's Encrypt](https://letsencrypt.org/) is a Certificate Authority that allows you to automatically request and renew SSL/TLS certificates. In addition to starting Gitea on your configured port, to request HTTPS certificates, Gitea will also need to listed on port 80, and will set up an autoredirect to HTTPS for you. Let's Encrypt will need to be able to access Gitea via the Internet to verify your ownership of the domain. - -By using Let's Encrypt **you must consent** to their [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf). +[ACME](https://tools.ietf.org/html/rfc8555) is a Certificate Authority standard protocol that allows you to automatically request and renew SSL/TLS certificates. [Let's Encrypt](https://letsencrypt.org/) is a free publicly trusted Certificate Authority server using this standard. Only `HTTP-01` and `TLS-ALPN-01` challenges are implemented. In order for ACME challenges to pass and verify your domain ownership, external traffic to the gitea domain on port `80` (`HTTP-01`) or port `443` (`TLS-ALPN-01`) has to be served by the gitea instance. Setting up [HTTP redirection](#setting-up-http-redirection) and port-forwards might be needed for external traffic to route correctly. Normal traffic to port `80` will otherwise be automatically redirected to HTTPS. **You must consent** to the ACME provider's terms of service (default Let's Encrypt's [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf)). +Minimum setup using the default Let's Encrypt: ```ini [server] PROTOCOL=https DOMAIN=git.example.com -ENABLE_LETSENCRYPT=true -LETSENCRYPT_ACCEPTTOS=true -LETSENCRYPT_DIRECTORY=https -LETSENCRYPT_EMAIL=email@example.com +ENABLE_ACME=true +ACME_ACCEPTTOS=true +ACME_DIRECTORY=https +;; Email can be omitted here and provided manually at first run, after which it is cached +ACME_EMAIL=email@example.com +``` + +Minimumg setup using a [smallstep CA](https://github.com/smallstep/certificates), refer to [their tutorial](https://smallstep.com/docs/tutorials/acme-challenge) for more information. +```ini +[server] +PROTOCOL=https +DOMAIN=git.example.com +ENABLE_ACME=true +ACME_ACCEPTTOS=true +ACME_URL=https://ca.example.com/acme/acme/directory +;; Can be omitted if using the system's trust is preferred +;ACME_CA_ROOT=/path/to/root_ca.crt +ACME_DIRECTORY=https +ACME_EMAIL=email@example.com ``` To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server-server). diff --git a/modules/setting/setting.go b/modules/setting/setting.go index ee2821df07..531d265c3a 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -108,10 +108,12 @@ var ( UnixSocketPermission uint32 EnablePprof bool PprofDataPath string - EnableLetsEncrypt bool - LetsEncryptTOS bool - LetsEncryptDirectory string - LetsEncryptEmail string + EnableAcme bool + AcmeTOS bool + AcmeLiveDirectory string + AcmeEmail string + AcmeURL string + AcmeCARoot string SSLMinimumVersion string SSLMaximumVersion string SSLCurvePreferences []string @@ -622,14 +624,54 @@ func loadFromConf(allowEmpty bool, extraConfig string) { switch protocolCfg { case "https": Protocol = HTTPS - CertFile = sec.Key("CERT_FILE").String() - KeyFile = sec.Key("KEY_FILE").String() - if !filepath.IsAbs(CertFile) && len(CertFile) > 0 { - CertFile = filepath.Join(CustomPath, CertFile) + // FIXME: DEPRECATED to be removed in v1.18.0 + if sec.HasKey("ENABLE_ACME") { + EnableAcme = sec.Key("ENABLE_ACME").MustBool(false) + } else { + deprecatedSetting("server", "ENABLE_LETSENCRYPT", "server", "ENABLE_ACME") + EnableAcme = sec.Key("ENABLE_LETSENCRYPT").MustBool(false) } - if !filepath.IsAbs(KeyFile) && len(KeyFile) > 0 { - KeyFile = filepath.Join(CustomPath, KeyFile) + if EnableAcme { + AcmeURL = sec.Key("ACME_URL").MustString("") + AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("") + // FIXME: DEPRECATED to be removed in v1.18.0 + if sec.HasKey("ACME_ACCEPTTOS") { + AcmeTOS = sec.Key("ACME_ACCEPTTOS").MustBool(false) + } else { + deprecatedSetting("server", "LETSENCRYPT_ACCEPTTOS", "server", "ACME_ACCEPTTOS") + AcmeTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false) + } + if !AcmeTOS { + log.Fatal("ACME TOS is not accepted (ACME_ACCEPTTOS).") + } + // FIXME: DEPRECATED to be removed in v1.18.0 + if sec.HasKey("ACME_DIRECTORY") { + AcmeLiveDirectory = sec.Key("ACME_DIRECTORY").MustString("https") + } else { + deprecatedSetting("server", "LETSENCRYPT_DIRECTORY", "server", "ACME_DIRECTORY") + AcmeLiveDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https") + } + // FIXME: DEPRECATED to be removed in v1.18.0 + if sec.HasKey("ACME_EMAIL") { + AcmeEmail = sec.Key("ACME_EMAIL").MustString("") + } else { + deprecatedSetting("server", "LETSENCRYPT_EMAIL", "server", "ACME_EMAIL") + AcmeEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("") + } + } else { + CertFile = sec.Key("CERT_FILE").String() + KeyFile = sec.Key("KEY_FILE").String() + if len(CertFile) > 0 && !filepath.IsAbs(CertFile) { + CertFile = filepath.Join(CustomPath, CertFile) + } + if len(KeyFile) > 0 && !filepath.IsAbs(KeyFile) { + KeyFile = filepath.Join(CustomPath, KeyFile) + } } + SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("") + SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("") + SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",") + SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",") case "fcgi": Protocol = FCGI case "fcgi+unix", "unix", "http+unix": @@ -653,18 +695,6 @@ func loadFromConf(allowEmpty bool, extraConfig string) { HTTPAddr = filepath.Join(AppWorkPath, HTTPAddr) } } - EnableLetsEncrypt = sec.Key("ENABLE_LETSENCRYPT").MustBool(false) - LetsEncryptTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false) - if !LetsEncryptTOS && EnableLetsEncrypt { - log.Warn("Failed to enable Let's Encrypt due to Let's Encrypt TOS not being accepted") - EnableLetsEncrypt = false - } - LetsEncryptDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https") - LetsEncryptEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("") - SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("") - SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("") - SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",") - SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",") GracefulRestartable = sec.Key("ALLOW_GRACEFUL_RESTARTS").MustBool(true) GracefulHammerTime = sec.Key("GRACEFUL_HAMMER_TIME").MustDuration(60 * time.Second) StartupTimeout = sec.Key("STARTUP_TIMEOUT").MustDuration(0 * time.Second)