feat: disable default certificate creation by default (#1157)

2024-11-22 16:32:48 +01:00 · 2024-10-12 19:07:26 +02:00 · 2024-10-12 19:07:26 +02:00 · 3cb7df6fdd
commit 3cb7df6fdd
parent 904b5e38b1
12 changed files with 15 additions and 140 deletions
--- a/app/cleanup_test_artifacts
+++ b/app/cleanup_test_artifacts
@ -7,14 +7,6 @@ while [[ $# -gt 0 ]]; do
    flag="$1"

    case $flag in
-        --default-cert)
-        for filename in default.crt default.key; do
-            filepath="/etc/nginx/certs/$filename"
-            [[ -f "$filepath" ]] && rm -rf "$filepath"
-        done
-        shift
-        ;;
-
        --location-config)
        for domain in 'le1.wtf' '*.example.com' 'test.*' 'le3.pizza' 'subdomain.example.com' 'test.domain.tld'; do
            [[ -f "/etc/nginx/vhost.d/$domain" ]] && rm -f "/etc/nginx/vhost.d/$domain"
--- a/app/entrypoint.sh
+++ b/app/entrypoint.sh
@ -110,7 +110,9 @@ function check_dh_group {
 }

 function check_default_cert_key {
-    local cn='letsencrypt-nginx-proxy-companion'
+    local cn='acme-companion'
+
+    echo "Warning: there is no future support planned for the self signed default certificate creation feature and it might be removed in a future release."

    if [[ -e /etc/nginx/certs/default.crt && -e /etc/nginx/certs/default.key ]]; then
        default_cert_cn="$(openssl x509 -noout -subject -in /etc/nginx/certs/default.crt)"
@ -179,7 +181,7 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
        check_writable_directory '/etc/nginx/vhost.d'
        check_writable_directory '/etc/nginx/conf.d'
    fi
-    check_default_cert_key
+    parse_true "${CREATE_DEFAULT_CERTIFICATE:=false}" && check_default_cert_key
    check_dh_group
    reload_nginx
    check_default_account
--- a/docs/Let's-Encrypt-and-ACME.md
+++ b/docs/Let's-Encrypt-and-ACME.md
@ -153,3 +153,7 @@ Reusing private keys can help if you intend to use [HPKP](https://developer.mozi
    1. The container will use the special purpose `staging` configuration directory.
    1. The directory URI is forced to The Let's Encrypt v2 staging one (`ACME_CA_URI` is ignored)
    2. The account email address is forced empty (`DEFAULT_EMAIL` and `LETSENCRYPT_EMAIL` are ignored)
+
+#### Self signed default certificate
+
+If you want **acme-companio** to create a self signed certificate as default certificate for **nginx-proxy**, you can set the `CREATE_DEFAULT_CERTIFICATE` environment variable to `true`. This will generate a self signed cert / key pair to `/etc/nginx/certs/default.crt` and `/etc/nginx/certs/default.key`, with `acme-companion` as Common Name. Please note that no future support is planned for this feature and it might be removed in a future release.
--- a/docs/Persistent-data.md
+++ b/docs/Persistent-data.md
@ -65,8 +65,6 @@ By default, the **acme-companion** container will enforce the following ownershi
 ```
 [drwxr-xr-x]  /etc/nginx/certs
 ├── [-rw-r--r-- root root]  dhparam.pem
-├── [-rw-r--r-- root root]  default.crt
-├── [-rw------- root root]  default.key
 ├── [drwxr-xr-x root root]  domain.tld
 │   ├── [-rw-r--r-- root root]  cert.pem
 │   ├── [-rw-r--r-- root root]  chain.pem
@ -90,8 +88,6 @@ For example, `FILES_UID=1000`, `FILES_PERMS=644` and `FOLDERS_PERMS=700` will re
 ```
 [drwxr-xr-x]  /etc/nginx/certs
 ├── [-rw-r--r-- 1000 1000]  dhparam.pem
-├── [-rw-r--r-- 1000 1000]  default.crt
-├── [-rw-r--r-- 1000 1000]  default.key
 ├── [drwx------ 1000 1000]  domain.tld
 │   ├── [-rw-r--r-- 1000 1000]  cert.pem
 │   ├── [-rw-r--r-- 1000 1000]  chain.pem
--- a/test/config.sh
+++ b/test/config.sh
@ -5,7 +5,6 @@ globalTests+=(
 	docker_api
 	docker_api_legacy
 	location_config
-	default_cert
 	certs_single
 	certs_san
 	certs_single_domain
--- a/test/tests/certs_single_domain/run.sh
+++ b/test/tests/certs_single_domain/run.sh
@ -96,7 +96,6 @@ for hosts in "${letsencrypt_hosts[@]}"; do
  done

  docker stop "$container" &> /dev/null
-  docker exec "$le_container_name" /app/cleanup_test_artifacts --default-cert
  i=$(( i + 1 ))

 done
--- a/test/tests/default_cert/expected-std-out.txt
+++ b/test/tests/default_cert/expected-std-out.txt
@ -1 +0,0 @@
-
--- a/test/tests/default_cert/run.sh
+++ b/test/tests/default_cert/run.sh
@ -1,105 +0,0 @@
-#!/bin/bash
-
-## Test for default certificate creation.
-
-if [[ -z $GITHUB_ACTIONS ]]; then
-  le_container_name="$(basename "${0%/*}")_$(date "+%Y-%m-%d_%H.%M.%S")"
-else
-  le_container_name="$(basename "${0%/*}")"
-fi
-run_le_container "${1:?}" "$le_container_name"
-
-# Create the $domains array from comma separated domains in TEST_DOMAINS.
-IFS=',' read -r -a domains <<< "$TEST_DOMAINS"
-
-# Cleanup function with EXIT trap
-function cleanup {
-  # Cleanup the files created by this run of the test to avoid foiling following test(s).
-  docker exec "$le_container_name" /app/cleanup_test_artifacts --default-cert
-  docker stop "$le_container_name" > /dev/null
-}
-trap cleanup EXIT
-
-function check_default_cert_existence {
-  docker exec "$le_container_name" [[ -f "/etc/nginx/certs/default.crt" ]]
-}
-
-function default_cert_fingerprint {
-  if check_default_cert_existence; then
-    docker exec "$le_container_name" openssl x509 -in "/etc/nginx/certs/default.crt" -fingerprint -noout
-  fi
-}
-
-function default_cert_subject {
-  if check_default_cert_existence; then
-    docker exec "$le_container_name" openssl x509 -in "/etc/nginx/certs/default.crt" -subject -noout
-  fi
-}
-
-user_cn="user-provided"
-
-timeout="$(date +%s)"
-timeout="$((timeout + 120))"
-until docker exec "$le_container_name" [[ -f /etc/nginx/certs/default.crt ]]; do
-  if [[ "$(date +%s)" -gt "$timeout" ]]; then
-    echo "Default cert wasn't created under one minute at container first launch."
-    break
-  fi
-  sleep 0.1
-done
-
-# Connection test to unconfigured domains
-for domain in "${domains[@]}"; do
-  wait_for_conn --domain "$domain" --default-cert
-done
-
-# Test if the default certificate get re-created when
-# the certificate or private key file are deleted
-for file in 'default.key' 'default.crt'; do
-  old_default_cert_fingerprint="$(default_cert_fingerprint)"
-  docker exec "$le_container_name" /app/cleanup_test_artifacts --default-cert
-  docker restart "$le_container_name" > /dev/null
-  timeout="$(date +%s)"
-  timeout="$((timeout + 120))"
-  while [[ "$(default_cert_fingerprint)" == "$old_default_cert_fingerprint" ]]; do
-    if [[ "$(date +%s)" -gt "$timeout" ]]; then
-      echo "Default cert wasn't re-created under one minute after $file deletion."
-      break
-    fi
-    sleep 0.1
-  done
-done
-
-# Test if the default certificate get re-created when
-# the certificate expire in less than three months
-docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/default.*'
-docker exec "$le_container_name" openssl req -x509 \
-  -newkey rsa:4096 -sha256 -nodes -days 60 \
-  -subj "/CN=letsencrypt-nginx-proxy-companion" \
-  -keyout /etc/nginx/certs/default.key \
-  -out /etc/nginx/certs/default.crt &> /dev/null
-old_default_cert_fingerprint="$(default_cert_fingerprint)"
-docker restart "$le_container_name" > /dev/null && sleep 10
-timeout="$(date +%s)"
-timeout="$((timeout + 110))"
-while [[ "$(default_cert_fingerprint)" == "$old_default_cert_fingerprint" ]]; do
-  if [[ "$(date +%s)" -gt "$timeout" ]]; then
-    echo "Default cert wasn't re-created under one minute when the certificate expire in less than three months."
-    break
-  fi
-  sleep 0.1
-done
-
-# Test that a user provided default certificate isn't overwrited
-docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/default.*'
-docker exec "$le_container_name" openssl req -x509 \
-  -newkey rsa:4096 -sha256 -nodes -days 60 \
-  -subj "/CN=$user_cn" \
-  -keyout /etc/nginx/certs/default.key \
-  -out /etc/nginx/certs/default.crt &> /dev/null
-docker restart "$le_container_name" > /dev/null
-
-# Connection test to unconfigured domains
-for domain in "${domains[@]}"; do
-  wait_for_conn --domain "$domain" --subject-match "$user_cn"
-done
--- a/test/tests/permissions_custom/run.sh
+++ b/test/tests/permissions_custom/run.sh
@ -66,9 +66,8 @@ done

 # Array of private file paths to test
 private_files=( \
-  [0]="/etc/nginx/certs/default.key" \
-  [1]="/etc/nginx/certs/${domains[0]}/key.pem" \
-  [2]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
+  [0]="/etc/nginx/certs/${domains[0]}/key.pem" \
+  [1]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
  )

 # Test private file paths
@ -85,8 +84,7 @@ public_files=( \
  [1]="/etc/nginx/certs/${domains[0]}/cert.pem" \
  [2]="/etc/nginx/certs/${domains[0]}/chain.pem" \
  [3]="/etc/nginx/certs/${domains[0]}/fullchain.pem" \
-  [4]="/etc/nginx/certs/default.crt" \
-  [5]="/etc/nginx/certs/dhparam.pem" \
+  [4]="/etc/nginx/certs/dhparam.pem" \
  )

 # Test public file paths
--- a/test/tests/permissions_default/run.sh
+++ b/test/tests/permissions_default/run.sh
@ -60,9 +60,8 @@ done

 # Array of private file paths to test
 private_files=( \
-  [0]="/etc/nginx/certs/default.key" \
-  [1]="/etc/nginx/certs/${domains[0]}/key.pem" \
-  [2]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
+  [0]="/etc/nginx/certs/${domains[0]}/key.pem" \
+  [1]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
  )

 # Test private file paths
@ -79,8 +78,7 @@ public_files=( \
  [1]="/etc/nginx/certs/${domains[0]}/cert.pem" \
  [2]="/etc/nginx/certs/${domains[0]}/chain.pem" \
  [3]="/etc/nginx/certs/${domains[0]}/fullchain.pem" \
-  [4]="/etc/nginx/certs/default.crt" \
-  [5]="/etc/nginx/certs/dhparam.pem" \
+  [4]="/etc/nginx/certs/dhparam.pem" \
  )

 # Test public file paths
--- a/test/tests/symlinks/run.sh
+++ b/test/tests/symlinks/run.sh
@ -47,8 +47,7 @@ docker exec "$le_container_name" cp /etc/nginx/certs/le1.wtf/key.pem /etc/nginx/
 docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le4.wtf/fullchain.pem ./le4.wtf.crt'
 docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le4.wtf/key.pem ./le4.wtf.key'

-# symlink default certificate to le1.wtf certificate
-docker exec "$le_container_name" rm -f /etc/nginx/certs/default.crt /etc/nginx/certs/default.key
+# Symlink default certificate to le1.wtf certificate
 docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le1.wtf/fullchain.pem ./default.crt'
 docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le1.wtf/key.pem ./default.key'

--- a/test/tests/test-functions.sh
+++ b/test/tests/test-functions.sh
@ -263,7 +263,6 @@ export -f check_cert_subj

 # Wait for a successful https connection to domain passed with -d/--domain then wait
 #   - until the served certificate isn't the default one (default behavior)
-#   - until the served certificate is the default one (--default-cert)
 #   - until the served certificate subject match a string (--subject-match)
 function wait_for_conn {
  local action
@ -280,11 +279,6 @@ function wait_for_conn {
      shift
      ;;

-      --default-cert)
-      action='--match'
-      shift
-      ;;
-
      --subject-match)
      action='--match'
      string="$2"