Merge pull request #3942 from lavalleeale-forks/main

Added support for specifying ACME-server by using REGISTRY_HTTP_TLS_LETSENCRYPT_DIRECTORYURL
Milos Gajdos 2023-07-14 16:28:34 +01:00 committed by GitHub
commit 003dd5aaa1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 29 additions and 11 deletions


@ -131,6 +131,10 @@ type Configuration struct {
// Hosts specifies the hosts which are allowed to obtain Let's // Hosts specifies the hosts which are allowed to obtain Let's
// Encrypt certificates. // Encrypt certificates.
Hosts []string `yaml:"hosts,omitempty"` Hosts []string `yaml:"hosts,omitempty"`
// DirectoryURL points to the CA directory endpoint.
// If empty, LetsEncrypt is used.
DirectoryURL string `yaml:"directoryurl,omitempty"`
} `yaml:"letsencrypt,omitempty"` } `yaml:"letsencrypt,omitempty"`
} `yaml:"tls,omitempty"` } `yaml:"tls,omitempty"`
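Review bot: The new field comment on DirectoryURL is the only place an operator will learn what this value is, and it should state the contract rather than just the fallback: the value is the ACME directory endpoint that every account and order request is sent to, so it should be an https URL, and the empty-value behaviour is autocert's default (Let's Encrypt production), which the next hunks rely on by passing a nil client. I would write it as `// DirectoryURL is the ACME directory endpoint (an https URL) used to`, `// obtain certificates. If empty, autocert's default Let's Encrypt`, `// production directory is used.` — also spelling "Let's Encrypt" as the surrounding comments do. The enclosing Configuration struct starts and ends outside the hunk.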


@ -89,9 +89,10 @@ var configStruct = Configuration{
MinimumTLS string `yaml:"minimumtls,omitempty"` MinimumTLS string `yaml:"minimumtls,omitempty"`
CipherSuites []string `yaml:"ciphersuites,omitempty"` CipherSuites []string `yaml:"ciphersuites,omitempty"`
LetsEncrypt struct { LetsEncrypt struct {
CacheFile string `yaml:"cachefile,omitempty"` CacheFile string `yaml:"cachefile,omitempty"`
Email string `yaml:"email,omitempty"` Email string `yaml:"email,omitempty"`
Hosts []string `yaml:"hosts,omitempty"` Hosts []string `yaml:"hosts,omitempty"`
DirectoryURL string `yaml:"directoryurl,omitempty"`
} `yaml:"letsencrypt,omitempty"` } `yaml:"letsencrypt,omitempty"`
} `yaml:"tls,omitempty"` } `yaml:"tls,omitempty"`
Headers http.Header `yaml:"headers,omitempty"` Headers http.Header `yaml:"headers,omitempty"`
@ -113,9 +114,10 @@ var configStruct = Configuration{
MinimumTLS string `yaml:"minimumtls,omitempty"` MinimumTLS string `yaml:"minimumtls,omitempty"`
CipherSuites []string `yaml:"ciphersuites,omitempty"` CipherSuites []string `yaml:"ciphersuites,omitempty"`
LetsEncrypt struct { LetsEncrypt struct {
CacheFile string `yaml:"cachefile,omitempty"` CacheFile string `yaml:"cachefile,omitempty"`
Email string `yaml:"email,omitempty"` Email string `yaml:"email,omitempty"`
Hosts []string `yaml:"hosts,omitempty"` Hosts []string `yaml:"hosts,omitempty"`
DirectoryURL string `yaml:"directoryurl,omitempty"`
} `yaml:"letsencrypt,omitempty"` } `yaml:"letsencrypt,omitempty"`
}{ }{
ClientCAs: []string{"/path/to/ca.pem"}, ClientCAs: []string{"/path/to/ca.pem"},
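Review bot: Both hunks extend the anonymous LetsEncrypt struct type in the test fixture with `DirectoryURL`, but neither shows a value being assigned, so nothing in this test file appears to assert that a `directoryurl:` YAML key or the REGISTRY_HTTP_TLS_LETSENCRYPT_DIRECTORYURL override named in the commit title actually lands in the field; the struct literal values are outside the hunks, so this is inferred. Since the whole point of the change is the env-var/YAML path, a fixture value such as `DirectoryURL: "https://acme.example.test/directory"` (constructed) plus the matching YAML line and an override case would make the new config path covered. The enclosing configStruct declaration continues outside the hunks.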


@ -242,6 +242,7 @@ http:
cachefile: /path/to/cache-file cachefile: /path/to/cache-file
email: emailused@letsencrypt.com email: emailused@letsencrypt.com
hosts: [myregistryaddress.org] hosts: [myregistryaddress.org]
directoryurl: https://acme-v02.api.letsencrypt.org/directory
debug: debug:
addr: localhost:5001 addr: localhost:5001
prometheus: prometheus:
@ -826,6 +827,7 @@ http:
cachefile: /path/to/cache-file cachefile: /path/to/cache-file
email: emailused@letsencrypt.com email: emailused@letsencrypt.com
hosts: [myregistryaddress.org] hosts: [myregistryaddress.org]
directoryurl: https://acme-v02.api.letsencrypt.org/directory
debug: debug:
addr: localhost:5001 addr: localhost:5001
headers: headers:
@ -917,11 +919,12 @@ TLS certificates provided by
> ensure that you have the `ca-certificates` package installed in order to verify > ensure that you have the `ca-certificates` package installed in order to verify
> letsencrypt certificates. > letsencrypt certificates.
| Parameter | Required | Description | | Parameter | Required | Description |
|-----------|----------|-------------------------------------------------------| |----------------|----------|-----------------------------------------------------------------------|
| `cachefile` | yes | Absolute path to a file where the Let's Encrypt agent can cache data. | | `cachefile` | yes | Absolute path to a file where the Let's Encrypt agent can cache data. |
| `email` | yes | The email address used to register with Let's Encrypt. | | `email` | yes | The email address used to register with Let's Encrypt. |
| `hosts` | no | The hostnames allowed for Let's Encrypt certificates. | | `hosts` | no | The hostnames allowed for Let's Encrypt certificates. |
| `directoryurl` | no | The url to use for the ACME server. |
### `debug` ### `debug`


@ -202,6 +202,14 @@ func getCipherSuiteNames(ids []uint16) []string {
return names return names
} }
// set ACME-server/DirectoryURL, if provided
func setDirectoryURL(directoryurl string) *acme.Client {
if len(directoryurl) > 0 {
return &acme.Client{DirectoryURL: directoryurl}
}
return nil
}
// ListenAndServe runs the registry's HTTP server. // ListenAndServe runs the registry's HTTP server.
func (registry *Registry) ListenAndServe() error { func (registry *Registry) ListenAndServe() error {
config := registry.config config := registry.config
@ -250,6 +258,7 @@ func (registry *Registry) ListenAndServe() error {
Cache: autocert.DirCache(config.HTTP.TLS.LetsEncrypt.CacheFile), Cache: autocert.DirCache(config.HTTP.TLS.LetsEncrypt.CacheFile),
Email: config.HTTP.TLS.LetsEncrypt.Email, Email: config.HTTP.TLS.LetsEncrypt.Email,
Prompt: autocert.AcceptTOS, Prompt: autocert.AcceptTOS,
Client: setDirectoryURL(config.HTTP.TLS.LetsEncrypt.DirectoryURL),
} }
tlsConf.GetCertificate = m.GetCertificate tlsConf.GetCertificate = m.GetCertificate
tlsConf.NextProtos = append(tlsConf.NextProtos, acme.ALPNProto) tlsConf.NextProtos = append(tlsConf.NextProtos, acme.ALPNProto)