Merge pull request #1102 from mritd/master

feat(acme): add acme dns-01 challenge support

app/cmd/server.go

@@ -16,6 +16,12 @@ import (
 	"time"
 
 	"github.com/caddyserver/certmagic"
+	"github.com/libdns/cloudflare"
+	"github.com/libdns/duckdns"
+	"github.com/libdns/gandi"
+	"github.com/libdns/godaddy"
+	"github.com/libdns/namedotcom"
+	"github.com/libdns/vultr"
 	"github.com/mholt/acmez/acme"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -79,15 +85,38 @@ type serverConfigTLS struct {
 }
 
 type serverConfigACME struct {
-	Domains        []string `mapstructure:"domains"`
-	Email          string   `mapstructure:"email"`
-	CA             string   `mapstructure:"ca"`
-	DisableHTTP    bool     `mapstructure:"disableHTTP"`
-	DisableTLSALPN bool     `mapstructure:"disableTLSALPN"`
-	ListenHost     string   `mapstructure:"listenHost"`
-	AltHTTPPort    int      `mapstructure:"altHTTPPort"`
-	AltTLSALPNPort int      `mapstructure:"altTLSALPNPort"`
-	Dir            string   `mapstructure:"dir"`
+	// Common fields
+	Domains    []string `mapstructure:"domains"`
+	Email      string   `mapstructure:"email"`
+	CA         string   `mapstructure:"ca"`
+	ListenHost string   `mapstructure:"listenHost"`
+	Dir        string   `mapstructure:"dir"`
+
+	// Type selection
+	Type string               `mapstructure:"type"`
+	HTTP serverConfigACMEHTTP `mapstructure:"http"`
+	TLS  serverConfigACMETLS  `mapstructure:"tls"`
+	DNS  serverConfigACMEDNS  `mapstructure:"dns"`
+
+	// Legacy fields for backwards compatibility
+	// Only applicable when Type is empty
+	DisableHTTP    bool `mapstructure:"disableHTTP"`
+	DisableTLSALPN bool `mapstructure:"disableTLSALPN"`
+	AltHTTPPort    int  `mapstructure:"altHTTPPort"`
+	AltTLSALPNPort int  `mapstructure:"altTLSALPNPort"`
+}
+
+type serverConfigACMEHTTP struct {
+	AltPort int `mapstructure:"altPort"`
+}
+
+type serverConfigACMETLS struct {
+	AltPort int `mapstructure:"altPort"`
+}
+
+type serverConfigACMEDNS struct {
+	Name   string            `mapstructure:"name"`
+	Config map[string]string `mapstructure:"config"`
 }
 
 type serverConfigQUIC struct {
@@ -292,14 +321,10 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 			Logger:             logger,
 		}
 		cmIssuer := certmagic.NewACMEIssuer(cmCfg, certmagic.ACMEIssuer{
-			Email:                   c.ACME.Email,
-			Agreed:                  true,
-			DisableHTTPChallenge:    c.ACME.DisableHTTP,
-			DisableTLSALPNChallenge: c.ACME.DisableTLSALPN,
-			ListenHost:              c.ACME.ListenHost,
-			AltHTTPPort:             c.ACME.AltHTTPPort,
-			AltTLSALPNPort:          c.ACME.AltTLSALPNPort,
-			Logger:                  logger,
+			Email:      c.ACME.Email,
+			Agreed:     true,
+			ListenHost: c.ACME.ListenHost,
+			Logger:     logger,
 		})
 		switch strings.ToLower(c.ACME.CA) {
 		case "letsencrypt", "le", "":
@@ -313,8 +338,82 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 			}
 			cmIssuer.ExternalAccount = eab
 		default:
-			return configError{Field: "acme.ca", Err: errors.New("unknown CA")}
+			return configError{Field: "acme.ca", Err: errors.New("unsupported CA")}
+		}
+
+		switch strings.ToLower(c.ACME.Type) {
+		case "http":
+			cmIssuer.DisableHTTPChallenge = false
+			cmIssuer.DisableTLSALPNChallenge = true
+			cmIssuer.DNS01Solver = nil
+			cmIssuer.AltHTTPPort = c.ACME.HTTP.AltPort
+		case "tls":
+			cmIssuer.DisableHTTPChallenge = true
+			cmIssuer.DisableTLSALPNChallenge = false
+			cmIssuer.DNS01Solver = nil
+			cmIssuer.AltTLSALPNPort = c.ACME.TLS.AltPort
+		case "dns":
+			cmIssuer.DisableHTTPChallenge = true
+			cmIssuer.DisableTLSALPNChallenge = true
+			if c.ACME.DNS.Name == "" {
+				return configError{Field: "acme.dns.name", Err: errors.New("empty DNS provider name")}
+			}
+			if c.ACME.DNS.Config == nil {
+				return configError{Field: "acme.dns.config", Err: errors.New("empty DNS provider config")}
+			}
+			switch strings.ToLower(c.ACME.DNS.Name) {
+			case "cloudflare":
+				cmIssuer.DNS01Solver = &certmagic.DNS01Solver{
+					DNSProvider: &cloudflare.Provider{
+						APIToken: c.ACME.DNS.Config["cloudflare_api_token"],
+					},
+				}
+			case "duckdns":
+				cmIssuer.DNS01Solver = &certmagic.DNS01Solver{
+					DNSProvider: &duckdns.Provider{
+						APIToken:       c.ACME.DNS.Config["duckdns_api_token"],
+						OverrideDomain: c.ACME.DNS.Config["duckdns_override_domain"],
+					},
+				}
+			case "gandi":
+				cmIssuer.DNS01Solver = &certmagic.DNS01Solver{
+					DNSProvider: &gandi.Provider{
+						BearerToken: c.ACME.DNS.Config["gandi_api_token"],
+					},
+				}
+			case "godaddy":
+				cmIssuer.DNS01Solver = &certmagic.DNS01Solver{
+					DNSProvider: &godaddy.Provider{
+						APIToken: c.ACME.DNS.Config["godaddy_api_token"],
+					},
+				}
+			case "namedotcom":
+				cmIssuer.DNS01Solver = &certmagic.DNS01Solver{
+					DNSProvider: &namedotcom.Provider{
+						Token:  c.ACME.DNS.Config["namedotcom_token"],
+						User:   c.ACME.DNS.Config["namedotcom_user"],
+						Server: c.ACME.DNS.Config["namedotcom_server"],
+					},
+				}
+			case "vultr":
+				cmIssuer.DNS01Solver = &certmagic.DNS01Solver{
+					DNSProvider: &vultr.Provider{
+						APIToken: c.ACME.DNS.Config["vultr_api_token"],
+					},
+				}
+			default:
+				return configError{Field: "acme.dns.name", Err: errors.New("unsupported DNS provider")}
+			}
+		case "":
+			// Legacy compatibility mode
+			cmIssuer.DisableHTTPChallenge = c.ACME.DisableHTTP
+			cmIssuer.DisableTLSALPNChallenge = c.ACME.DisableTLSALPN
+			cmIssuer.AltHTTPPort = c.ACME.AltHTTPPort
+			cmIssuer.AltTLSALPNPort = c.ACME.AltTLSALPNPort
+		default:
+			return configError{Field: "acme.type", Err: errors.New("unsupported ACME type")}
 		}
+
 		cmCfg.Issuers = []certmagic.Issuer{cmIssuer}
 		cmCache := certmagic.NewCache(certmagic.CacheOptions{
 			GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {

app/cmd/server_test.go

@@ -34,13 +34,28 @@ func TestServerConfig(t *testing.T) {
 				"sub1.example.com",
 				"sub2.example.com",
 			},
-			Email:          "[email protected]",
-			CA:             "zero",
+			Email:      "[email protected]",
+			CA:         "zero",
+			ListenHost: "127.0.0.9",
+			Dir:        "random_dir",
+			Type:       "dns",
+			HTTP: serverConfigACMEHTTP{
+				AltPort: 8888,
+			},
+			TLS: serverConfigACMETLS{
+				AltPort: 44333,
+			},
+			DNS: serverConfigACMEDNS{
+				Name: "gomommy",
+				Config: map[string]string{
+					"key1": "value1",
+					"key2": "value2",
+				},
+			},
 			DisableHTTP:    true,
 			DisableTLSALPN: true,
-			AltHTTPPort:    9980,
-			AltTLSALPNPort: 9443,
-			Dir:            "random_dir",
+			AltHTTPPort:    8080,
+			AltTLSALPNPort: 4433,
 		},
 		QUIC: serverConfigQUIC{
 			InitStreamReceiveWindow:     77881,

app/cmd/server_test.yaml

@@ -15,11 +15,22 @@ acme:
     - sub2.example.com
   email: [email protected]
   ca: zero
+  listenHost: 127.0.0.9
+  dir: random_dir
+  type: dns
+  http:
+    altPort: 8888
+  tls:
+    altPort: 44333
+  dns:
+    name: gomommy
+    config:
+      key1: value1
+      key2: value2
   disableHTTP: true
   disableTLSALPN: true
-  altHTTPPort: 9980
-  altTLSALPNPort: 9443
-  dir: random_dir
+  altHTTPPort: 8080
+  altTLSALPNPort: 4433
 
 quic:
   initStreamReceiveWindow: 77881

app/go.mod

@@ -8,12 +8,18 @@ require (
 	github.com/apernet/hysteria/extras/v2 v2.0.0-00010101000000-000000000000
 	github.com/apernet/sing-tun v0.2.6-0.20240323130332-b9f6511036ad
 	github.com/caddyserver/certmagic v0.17.2
+	github.com/libdns/cloudflare v0.1.1
+	github.com/libdns/duckdns v0.2.0
+	github.com/libdns/gandi v1.0.3
+	github.com/libdns/godaddy v1.0.3
+	github.com/libdns/namedotcom v0.3.3
+	github.com/libdns/vultr v1.0.0
 	github.com/mdp/qrterminal/v3 v3.1.1
 	github.com/mholt/acmez v1.0.4
 	github.com/sagernet/sing v0.3.2
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/viper v1.15.0
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/txthinking/socks5 v0.0.0-20230325130024-4230056ae301
 	go.uber.org/zap v1.24.0
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
@@ -27,41 +33,51 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.6 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.5 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
-	github.com/libdns/libdns v0.2.1 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/miekg/dns v1.1.55 // indirect
+	github.com/miekg/dns v1.1.59 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
 	github.com/spf13/afero v1.9.3 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/txthinking/runnergroup v0.0.0-20210608031112-152c7c4432bf // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
+	github.com/vultr/govultr/v3 v3.6.4 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/crypto v0.23.0 // indirect
 	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/oauth2 v0.20.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/tools v0.21.0 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	rsc.io/qr v0.2.0 // indirect