POC DNS Challenge with Dynu

2025-06-06 23:57:21 +02:00 · 2024-05-02 21:39:34 +02:00 · 2024-05-02 21:39:34 +02:00 · 73c0ea0896
commit 73c0ea0896
parent 7dad7c7305
4 changed files with 57 additions and 25 deletions
--- a/src/acme.go
+++ b/src/acme.go
@ -85,6 +85,8 @@ func acmeRegisterSpecialRoutingRule() {
 // This function check if the renew setup is satisfied. If not, toggle them automatically
 func AcmeCheckAndHandleRenewCertificate(w http.ResponseWriter, r *http.Request) {
 	isForceHttpsRedirectEnabledOriginally := false
+	dnsPara, _ := utils.PostPara(r, "dns")
+	if dnsPara == "false" {
 		if dynamicProxyRouter.Option.Port == 443 {
 			//Enable port 80 to 443 redirect
 			if !dynamicProxyRouter.Option.ForceHttpsRedirect {
@ -103,6 +105,7 @@ func AcmeCheckAndHandleRenewCertificate(w http.ResponseWriter, r *http.Request)
 			utils.SendErrorResponse(w, "ACME renew only support web server listening on port 80 (http) or 443 (https)")
 			return
 		}
+	}

 	//Add a 3 second delay to make sure everything is settle down
 	time.Sleep(3 * time.Second)
@ -114,7 +117,7 @@ func AcmeCheckAndHandleRenewCertificate(w http.ResponseWriter, r *http.Request)
 	tlsCertManager.UpdateLoadedCertList()

 	//Restore original settings
-	if dynamicProxyRouter.Option.Port == 443 {
+	if dynamicProxyRouter.Option.Port == 443 && dnsPara == "false"  {
 		if !isForceHttpsRedirectEnabledOriginally {
 			//Default is off. Turn the redirection off
 			SystemWideLogger.PrintAndLog("ACME", "Restoring HTTP to HTTPS redirect settings", nil)
--- a/src/mod/acme/acme.go
+++ b/src/mod/acme/acme.go
@ -24,6 +24,7 @@ import (
 	"github.com/go-acme/lego/v4/certificate"
 	"github.com/go-acme/lego/v4/challenge/http01"
 	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/providers/dns/dynu"
 	"github.com/go-acme/lego/v4/registration"
 	"imuslab.com/zoraxy/mod/database"
 	"imuslab.com/zoraxy/mod/utils"
@ -33,6 +34,7 @@ type CertificateInfoJSON struct {
 	AcmeName string `json:"acme_name"`
 	AcmeUrl  string `json:"acme_url"`
 	SkipTLS  bool   `json:"skip_tls"`
+	DNS      bool   `json:"dns"`
 }

 // ACMEUser represents a user in the ACME system.
@ -79,7 +81,7 @@ func NewACME(acmeServer string, port string, database *database.Database) *ACMEH
 }

 // ObtainCert obtains a certificate for the specified domains.
-func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email string, caName string, caUrl string, skipTLS bool) (bool, error) {
+func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email string, caName string, caUrl string, skipTLS bool, dns bool) (bool, error) {
 	log.Println("[ACME] Obtaining certificate...")

 	// generate private key
@ -145,11 +147,27 @@ func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email
 	}

 	// setup how to receive challenge
+	if dns {
+		dynuConfig := dynu.NewDefaultConfig()
+		dynuConfig.APIKey = "yourApiKey"
+
+		provider, err := dynu.NewDNSProviderConfig(dynuConfig)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		err = client.Challenge.SetDNS01Provider(provider)
+		if err != nil {
+			log.Println(err)
+			return false, err
+		}
+	} else {
 		err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", a.Port))
 		if err != nil {
 			log.Println(err)
 			return false, err
 		}
+	}

 	// New users will need to register
 	/*
@ -241,6 +259,7 @@ func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email
 		AcmeName: caName,
 		AcmeUrl:  caUrl,
 		SkipTLS:  skipTLS,
+		DNS:      dns,
 	}

 	certInfoBytes, err := json.Marshal(certInfo)
@ -391,8 +410,18 @@ func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Requ
 		skipTLS = true
 	}

+	var dns bool
+
+	if dnsString, err := utils.PostPara(r, "dns"); err != nil {
+		dns = false
+	} else if dnsString != "true" {
+		dns = false
+	} else {
+		dns = true
+	}
+
 	domains := strings.Split(domainPara, ",")
-	result, err := a.ObtainCert(domains, filename, email, ca, caUrl, skipTLS)
+	result, err := a.ObtainCert(domains, filename, email, ca, caUrl, skipTLS, dns)
 	if err != nil {
 		utils.SendErrorResponse(w, jsonEscape(err.Error()))
 		return
--- a/src/mod/acme/autorenew.go
+++ b/src/mod/acme/autorenew.go
@ -356,7 +356,7 @@ func (a *AutoRenewer) renewExpiredDomains(certs []*ExpiredCerts) ([]string, erro
 			}
 		}

-		_, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl, certInfo.SkipTLS)
+		_, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl, certInfo.SkipTLS, certInfo.DNS)
 		if err != nil {
 			log.Println("Renew " + fileName + "(" + strings.Join(expiredCert.Domains, ",") + ") failed: " + err.Error())
 		} else {
--- a/src/web/snippet/acme.html
+++ b/src/web/snippet/acme.html
@ -463,6 +463,8 @@
      var dnsProvider = "";
      var dnsCredentials = "";
      if (dns) {
+        //Filename cannot contain wildcards, and wildcards are possible with DNS challenges
+        filename = filename.replace("*", "_");
        dnsProvider = $("#dnsProvider").dropdown("get value");
        dnsCredentials = $("#dnsCredentials").val();
      }
@ -480,8 +482,6 @@
          caURL: caURL,
          skipTLS: skipTLSValue,
          dns: dns,
-          dnsProvider: dnsProvider,
-          dnsCredentials: dnsCredentials,
        },
        success: function(response) {
          $("#obtainButton").removeClass("loading").removeClass("disabled");