add skipTLS for custom acme server

2025-06-23 07:53:05 +02:00 · 2023-08-28 03:31:33 +00:00 · 2023-08-28 03:31:33 +00:00 · 6a0c7cf499
commit 6a0c7cf499
parent 415838ad39
3 changed files with 45 additions and 3 deletions
--- a/src/mod/acme/acme.go
+++ b/src/mod/acme/acme.go
@ -5,6 +5,7 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
@ -30,6 +31,7 @@ import (
 type CertificateInfoJSON struct {
 	AcmeName string `json:"acme_name"`
 	AcmeUrl  string `json:"acme_url"`
+	SkipTLS  bool   `json:"skip_tls"`
 }

 // ACMEUser represents a user in the ACME system.
@ -69,7 +71,7 @@ func NewACME(acmeServer string, port string) *ACMEHandler {
 }

 // ObtainCert obtains a certificate for the specified domains.
-func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email string, caName string, caUrl string) (bool, error) {
+func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email string, caName string, caUrl string, skipTLS bool) (bool, error) {
 	log.Println("[ACME] Obtaining certificate...")

 	// generate private key
@ -88,6 +90,24 @@ func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email
 	// create config
 	config := lego.NewConfig(&adminUser)

+	// skip TLS verify if need
+	// Ref: https://github.com/go-acme/lego/blob/6af2c756ac73a9cb401621afca722d0f4112b1b8/lego/client_config.go#L74
+	if skipTLS {
+		log.Println("[INFO] Ignore TLS/SSL Verification Error for ACME Server")
+		config.HTTPClient.Transport = &http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			DialContext: (&net.Dialer{
+				Timeout:   30 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			TLSHandshakeTimeout:   30 * time.Second,
+			ResponseHeaderTimeout: 30 * time.Second,
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		}
+	}
+
 	// setup the custom ACME url endpoint.
 	if caUrl != "" {
 		config.CADirURL = caUrl
@ -159,6 +179,7 @@ func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email
 	certInfo := &CertificateInfoJSON{
 		AcmeName: caName,
 		AcmeUrl:  caUrl,
+		SkipTLS:  skipTLS,
 	}

 	certInfoBytes, err := json.Marshal(certInfo)
@ -294,8 +315,18 @@ func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Requ
 		}
 	}

+	var skipTLS bool
+
+	if skipTLSString, err := utils.PostPara(r, "skipTLS"); err != nil {
+		skipTLS = false
+	} else if skipTLSString != "true" {
+		skipTLS = false
+	} else {
+		skipTLS = true
+	}
+
 	domains := strings.Split(domainPara, ",")
-	result, err := a.ObtainCert(domains, filename, email, ca, caUrl)
+	result, err := a.ObtainCert(domains, filename, email, ca, caUrl, skipTLS)
 	if err != nil {
 		utils.SendErrorResponse(w, jsonEscape(err.Error()))
 		return
--- a/src/mod/acme/autorenew.go
+++ b/src/mod/acme/autorenew.go
@ -365,7 +365,7 @@ func (a *AutoRenewer) renewExpiredDomains(certs []*ExpiredCerts) ([]string, erro
 			certInfo = &CertificateInfoJSON{}
 		}

-		_, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl)
+		_, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl, certInfo.SkipTLS)
 		if err != nil {
 			log.Println("Renew " + fileName + "(" + strings.Join(expiredCert.Domains, ",") + ") failed: " + err.Error())
 		} else {
--- a/src/web/snippet/acme.html
+++ b/src/web/snippet/acme.html
@ -118,6 +118,12 @@
      <label>ACME Server URL</label>
      <input id="caurl" type="text" placeholder="https://example.com/acme/dictionary">
    </div>
+    <div class="field" id="skipTLS" style="display:none;">
+      <div class="ui checkbox">
+        <input type="checkbox" id="skipTLSCheckbox">
+        <label>Ignore TLS/SSL Verification Error<br><small>E.g. self-signed, expired certificate (Not Recommended)</small></label>
+      </div>
+    </div>
    <button id="obtainButton" class="ui basic button" type="submit"><i class="yellow refresh icon"></i> Renew Certificate</button>
  </div>
  <div class="ui divider"></div>
@ -303,8 +309,10 @@
    $("input[name=ca]").on('change', function() {
      if(this.value == "Custom ACME Server") {
        $("#customca").show();
+        $("#skipTLS").show();
      } else {
        $("#customca").hide();
+        $("#skipTLS").hide();
      }
    })

@ -337,6 +345,8 @@
        ca_url = $("#caurl").val();
      }

+      var skipTLSValue = $("#skipTLSCheckbox")[0].checked;
+
      $.ajax({
        url: "/api/acme/obtainCert",
        method: "GET",
@ -346,6 +356,7 @@
          email: email,
          ca: ca,
          ca_url: ca_url,
+          skipTLS: skipTLSValue,
        },
        success: function(response) {
          $("#obtainButton").removeClass("loading").removeClass("disabled");