updated EAB

2025-06-06 07:37:21 +02:00 · 2023-08-20 22:29:15 -07:00 · 2023-08-20 22:29:15 -07:00 · 9369237229
commit 9369237229
parent d42ac8a146
4 changed files with 40 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -32,3 +32,5 @@ src/README.md
 docker/ContainerTester.sh
 docker/ImagePublisher.sh
 src/mod/acme/test/stackoverflow.pem
+src/sys.uuid
+src/sys.db.lock
--- a/src/acme.go
+++ b/src/acme.go
@ -38,7 +38,7 @@ func initACME() *acme.ACMEHandler {
 		port = getRandomPort(30000)
 	}

-	return acme.NewACME("https://acme-staging-v02.api.letsencrypt.org/directory", strconv.Itoa(port))
+	return acme.NewACME("https://acme-staging-v02.api.letsencrypt.org/directory", strconv.Itoa(port), "", "")
 }

 // create the special routing rule for ACME
--- a/src/mod/acme/acme.go
+++ b/src/mod/acme/acme.go
@ -54,18 +54,22 @@ func (u *ACMEUser) GetPrivateKey() crypto.PrivateKey {
 type ACMEHandler struct {
 	DefaultAcmeServer string
 	Port              string
+	Kid               string
+	HmacEncoded       string
 }

 // NewACME creates a new ACMEHandler instance.
-func NewACME(acmeServer string, port string) *ACMEHandler {
+func NewACME(acmeServer string, port string, kid string, hmacEncoded string) *ACMEHandler {
 	return &ACMEHandler{
 		DefaultAcmeServer: acmeServer,
 		Port:              port,
+		Kid:               kid,
+		HmacEncoded:       hmacEncoded,
 	}
 }

 // ObtainCert obtains a certificate for the specified domains.
-func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email string, ca string) (bool, error) {
+func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email string, ca string, kid string, hmacEncoded string) (bool, error) {
 	log.Println("[ACME] Obtaining certificate...")

 	// generate private key
@ -113,12 +117,37 @@ func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email
 		return false, err
 	}

+	var reg *registration.Resource
 	// New users will need to register
-	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
-	if err != nil {
-		log.Println(err)
-		return false, err
+	if client.GetExternalAccountRequired() {
+		log.Println("External Account Required for this ACME Provider.")
+		// IF KID and HmacEncoded is overidden
+		if kid != "" && hmacEncoded != "" {
+			reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+				TermsOfServiceAgreed: true,
+				Kid:                  kid,
+				HmacEncoded:          hmacEncoded,
+			})
+		} else {
+			reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+				TermsOfServiceAgreed: true,
+				Kid:                  a.Kid,
+				HmacEncoded:          a.HmacEncoded,
+			})
+		}
+		if err != nil {
+			log.Println(err)
+			return false, err
+		}
+		//return false, errors.New("External Account Required for this ACME Provider.")
+	} else {
+		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			log.Println(err)
+			return false, err
+		}
 	}
+
 	adminUser.Registration = reg

 	// obtain the certificate
--- a/src/mod/acme/autorenew.go
+++ b/src/mod/acme/autorenew.go
@ -355,7 +355,7 @@ func (a *AutoRenewer) renewExpiredDomains(certs []*ExpiredCerts) ([]string, erro
 		log.Println("Renewing " + expiredCert.Filepath + " (Might take a few minutes)")
 		fileName := filepath.Base(expiredCert.Filepath)
 		certName := fileName[:len(fileName)-len(filepath.Ext(fileName))]
-		_, err := a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, expiredCert.CA)
+		_, err := a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, expiredCert.CA, "", "")
 		if err != nil {
 			log.Println("Renew " + fileName + "(" + strings.Join(expiredCert.Domains, ",") + ") failed: " + err.Error())
 		} else {