From 562d7cbad406e374599ebec70e040faa8fc659d3 Mon Sep 17 00:00:00 2001
From: Joona Hoikkala <joohoi@users.noreply.github.com>
Date: Thu, 1 Feb 2018 10:53:34 +0200
Subject: [PATCH] Make autocert use HTTP-01 challenge instead of TLS-SNI (#36)

---
 README.md  | 3 +++
 config.cfg | 2 ++
 main.go    | 5 ++++-
 types.go   | 1 +
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index af4deaf..ef6aa36 100644
--- a/README.md
+++ b/README.md
@@ -186,6 +186,8 @@ connection = "acme-dns.db"
 [api]
 # domain name to listen requests for, mandatory if using tls = "letsencrypt"
 api_domain = ""
+# autocert HTTP port, eg. 80 for answering Let's Encrypt HTTP-01 challenges. Mandatory if using tls = "letsencrypt".
+autocert_port = "80"
 # listen port, eg. 443 for default HTTPS
 port = "8080"
 # possible values: "letsencrypt", "cert", "none"
@@ -214,6 +216,7 @@ header_name = "X-Forwarded-For"
 ```
 
 ## Changelog
+- v0.3 Changed autocert to use HTTP-01 challenges, as TLS-SNI is disabled by Let's Encrypt
 - v0.2 Now powered by httprouter, support wildcard certificates, Docker images
 - v0.1 Initial release
 
diff --git a/config.cfg b/config.cfg
index 3996c61..f8e9146 100644
--- a/config.cfg
+++ b/config.cfg
@@ -36,6 +36,8 @@ connection = "/var/lib/acme-dns/acme-dns.db"
 api_domain = ""
 # listen ip eg. 127.0.0.1
 ip = "0.0.0.0"
+# autocert HTTP port, eg. 80 for answering Let's Encrypt HTTP-01 challenges. Mandatory if using tls = "letsencrypt".
+autocert_port = "80"
 # listen port, eg. 443 for default HTTPS
 port = "80"
 # possible values: "letsencrypt", "cert", "none"
diff --git a/main.go b/main.go
index 036818b..d1cbbd1 100644
--- a/main.go
+++ b/main.go
@@ -83,6 +83,9 @@ func startHTTPAPI() {
 			Prompt:     autocert.AcceptTOS,
 			HostPolicy: autocert.HostWhitelist(Config.API.Domain),
 		}
+		autocerthost := Config.API.IP + ":" + Config.API.AutocertPort
+		log.WithFields(log.Fields{"autocerthost": autocerthost, "domain": Config.API.Domain}).Debug("Opening HTTP port for autocert")
+		go http.ListenAndServe(autocerthost, m.HTTPHandler(nil))
 		cfg.GetCertificate = m.GetCertificate
 		srv := &http.Server{
 			Addr:      host,
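Review bot: The error returned by the added `go http.ListenAndServe(autocerthost, m.HTTPHandler(nil))` is discarded, so if the autocert port cannot be bound (already in use, or port 80 without the needed privilege) the goroutine exits silently and every HTTP-01 challenge fails while the HTTPS server below keeps running as if nothing were wrong. This listener is also internet-facing with no read or write timeouts, so it is worth giving it the same `http.Server` shape as the TLS server that follows, with `ErrorLog: stdlog.New(logwriter, "", 0)` so its errors land in the same log, and running it under `log.Fatal` like the TLS server on the line after the hunk. The enclosing `startHTTPAPI` starts and ends outside the hunk; the `time` import is needed if main.go does not already have it.
```go
		autocerthost := Config.API.IP + ":" + Config.API.AutocertPort
		// … unchanged: debug log line …
		challengeSrv := &http.Server{
			Addr:         autocerthost,
			Handler:      m.HTTPHandler(nil),
			ReadTimeout:  10 * time.Second,
			WriteTimeout: 10 * time.Second,
			ErrorLog:     stdlog.New(logwriter, "", 0),
		}
		go func() {
			log.Fatal(challengeSrv.ListenAndServe())
		}()
```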
@@ -90,7 +93,7 @@ func startHTTPAPI() {
 			TLSConfig: cfg,
 			ErrorLog:  stdlog.New(logwriter, "", 0),
 		}
-		log.WithFields(log.Fields{"host": host, "domain": Config.API.Domain}).Info("Listening HTTPS autocert")
+		log.WithFields(log.Fields{"host": host, "domain": Config.API.Domain}).Info("Listening HTTPS, using certificate from autocert")
 		log.Fatal(srv.ListenAndServeTLS("", ""))
 	case "cert":
 		srv := &http.Server{
diff --git a/types.go b/types.go
index 961de47..1f5c420 100644
--- a/types.go
+++ b/types.go
@@ -52,6 +52,7 @@ type dbsettings struct {
 type httpapi struct {
 	Domain           string `toml:"api_domain"`
 	IP               string
+	AutocertPort     string `toml:"autocert_port"`
 	Port             string `toml:"port"`
 	TLS              string
 	TLSCertPrivkey   string `toml:"tls_cert_privkey"`
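Review bot: The new `AutocertPort` field has no default and this patch adds no validation for it, so an existing config file without `autocert_port` produces an address of the form `IP + ":"` in main.go, which Go's listener appears to accept and bind to an arbitrary free port; HTTP-01 validation would then fail with nothing in the log pointing at the cause. Since the README calls the option mandatory for `tls = "letsencrypt"`, consider enforcing that wherever the config is loaded, e.g. `if Config.API.TLS == "letsencrypt" && Config.API.AutocertPort == "" { log.Fatal("autocert_port is mandatory when tls = \"letsencrypt\"") }`. The `httpapi` struct continues past the end of the hunk.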
-- 
GitLab