Added ACMECAURL option to support custom ACME provider

LecrisUT · LecrisUT · commit eb2dc85016f2 · 2022-01-21T15:16:50.000+09:00
Closes #18306 Signed-off-by: Cristian Le <git@lecris.me>
diff --git a/cmd/web_letsencrypt.go b/cmd/web_letsencrypt.go
@@ -5,6 +5,9 @@
 package cmd
 
 import (
+	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
 	"net/http"
 	"strconv"
 	"strings"
@@ -34,7 +37,26 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
 
 	magic := certmagic.NewDefault()
 	magic.Storage = &certmagic.FileStorage{Path: directory}
+	// Try to use private CA root if provided, otherwise defaults to system's trust
+	var CertPool *x509.CertPool = nil
+	if setting.ACMECARoot != "" {
+		r, err := ioutil.ReadFile(setting.ACMECARoot)
+		if err != nil {
+			log.Warn("Failed to read CARoot certificate, using default CA trust: %v", err)
+		} else {
+			block, _ := pem.Decode(r)
+			CARoot, err := x509.ParseCertificate(block.Bytes)
+			if err != nil {
+				log.Warn("Failed to parse CARoot certificate, using default CA trust: %v", err)
+			} else {
+				CertPool = x509.NewCertPool()
+				CertPool.AddCert(CARoot)
+			}
+		}
+	}
 	myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
+		CA:                      setting.ACMECAURL,
+		TrustedRoots:            CertPool,
 		Email:                   email,
 		Agreed:                  setting.LetsEncryptTOS,
 		DisableHTTPChallenge:    !enableHTTPChallenge,
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
@@ -113,6 +113,8 @@ var (
 	LetsEncryptTOS       bool
 	LetsEncryptDirectory string
 	LetsEncryptEmail     string
+	ACMECAURL            string
+	ACMECARoot           string
 	SSLMinimumVersion    string
 	SSLMaximumVersion    string
 	SSLCurvePreferences  []string
@@ -654,6 +656,8 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 		}
 	}
 	EnableLetsEncrypt = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
+	ACMECAURL = sec.Key("ACME_CAURL").MustString("")
+	ACMECARoot = sec.Key("ACME_CARoot").MustString("")
 	LetsEncryptTOS = sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
 	if !LetsEncryptTOS && EnableLetsEncrypt {
 		log.Warn("Failed to enable Let's Encrypt due to Let's Encrypt TOS not being accepted")
