Skip to content

Commit

Permalink
feat: disable default certificate creation by default (#1157)
Browse files Browse the repository at this point in the history
  • Loading branch information
buchdag authored Oct 12, 2024
1 parent 904b5e3 commit 3cb7df6
Show file tree
Hide file tree
Showing 12 changed files with 15 additions and 140 deletions.
8 changes: 0 additions & 8 deletions app/cleanup_test_artifacts
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,6 @@ while [[ $# -gt 0 ]]; do
flag="$1"

case $flag in
--default-cert)
for filename in default.crt default.key; do
filepath="/etc/nginx/certs/$filename"
[[ -f "$filepath" ]] && rm -rf "$filepath"
done
shift
;;

--location-config)
for domain in 'le1.wtf' '*.example.com' 'test.*' 'le3.pizza' 'subdomain.example.com' 'test.domain.tld'; do
[[ -f "/etc/nginx/vhost.d/$domain" ]] && rm -f "/etc/nginx/vhost.d/$domain"
Expand Down
6 changes: 4 additions & 2 deletions app/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,9 @@ function check_dh_group {
}

function check_default_cert_key {
local cn='letsencrypt-nginx-proxy-companion'
local cn='acme-companion'

echo "Warning: there is no future support planned for the self signed default certificate creation feature and it might be removed in a future release."

if [[ -e /etc/nginx/certs/default.crt && -e /etc/nginx/certs/default.key ]]; then
default_cert_cn="$(openssl x509 -noout -subject -in /etc/nginx/certs/default.crt)"
Expand Down Expand Up @@ -179,7 +181,7 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
check_writable_directory '/etc/nginx/vhost.d'
check_writable_directory '/etc/nginx/conf.d'
fi
check_default_cert_key
parse_true "${CREATE_DEFAULT_CERTIFICATE:=false}" && check_default_cert_key
check_dh_group
reload_nginx
check_default_account
Expand Down
4 changes: 4 additions & 0 deletions docs/Let's-Encrypt-and-ACME.md
Original file line number Diff line number Diff line change
Expand Up @@ -153,3 +153,7 @@ Reusing private keys can help if you intend to use [HPKP](https://developer.mozi
1. The container will use the special purpose `staging` configuration directory.
1. The directory URI is forced to The Let's Encrypt v2 staging one (`ACME_CA_URI` is ignored)
2. The account email address is forced empty (`DEFAULT_EMAIL` and `LETSENCRYPT_EMAIL` are ignored)

#### Self signed default certificate

If you want **acme-companio** to create a self signed certificate as default certificate for **nginx-proxy**, you can set the `CREATE_DEFAULT_CERTIFICATE` environment variable to `true`. This will generate a self signed cert / key pair to `/etc/nginx/certs/default.crt` and `/etc/nginx/certs/default.key`, with `acme-companion` as Common Name. Please note that no future support is planned for this feature and it might be removed in a future release.
4 changes: 0 additions & 4 deletions docs/Persistent-data.md
Original file line number Diff line number Diff line change
Expand Up @@ -65,8 +65,6 @@ By default, the **acme-companion** container will enforce the following ownershi
```
[drwxr-xr-x] /etc/nginx/certs
├── [-rw-r--r-- root root] dhparam.pem
├── [-rw-r--r-- root root] default.crt
├── [-rw------- root root] default.key
├── [drwxr-xr-x root root] domain.tld
│ ├── [-rw-r--r-- root root] cert.pem
│ ├── [-rw-r--r-- root root] chain.pem
Expand All @@ -90,8 +88,6 @@ For example, `FILES_UID=1000`, `FILES_PERMS=644` and `FOLDERS_PERMS=700` will re
```
[drwxr-xr-x] /etc/nginx/certs
├── [-rw-r--r-- 1000 1000] dhparam.pem
├── [-rw-r--r-- 1000 1000] default.crt
├── [-rw-r--r-- 1000 1000] default.key
├── [drwx------ 1000 1000] domain.tld
│ ├── [-rw-r--r-- 1000 1000] cert.pem
│ ├── [-rw-r--r-- 1000 1000] chain.pem
Expand Down
1 change: 0 additions & 1 deletion test/config.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ globalTests+=(
docker_api
docker_api_legacy
location_config
default_cert
certs_single
certs_san
certs_single_domain
Expand Down
1 change: 0 additions & 1 deletion test/tests/certs_single_domain/run.sh
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,6 @@ for hosts in "${letsencrypt_hosts[@]}"; do
done

docker stop "$container" &> /dev/null
docker exec "$le_container_name" /app/cleanup_test_artifacts --default-cert
i=$(( i + 1 ))

done
1 change: 0 additions & 1 deletion test/tests/default_cert/expected-std-out.txt

This file was deleted.

105 changes: 0 additions & 105 deletions test/tests/default_cert/run.sh

This file was deleted.

8 changes: 3 additions & 5 deletions test/tests/permissions_custom/run.sh
Original file line number Diff line number Diff line change
Expand Up @@ -66,9 +66,8 @@ done

# Array of private file paths to test
private_files=( \
[0]="/etc/nginx/certs/default.key" \
[1]="/etc/nginx/certs/${domains[0]}/key.pem" \
[2]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
[0]="/etc/nginx/certs/${domains[0]}/key.pem" \
[1]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
)

# Test private file paths
Expand All @@ -85,8 +84,7 @@ public_files=( \
[1]="/etc/nginx/certs/${domains[0]}/cert.pem" \
[2]="/etc/nginx/certs/${domains[0]}/chain.pem" \
[3]="/etc/nginx/certs/${domains[0]}/fullchain.pem" \
[4]="/etc/nginx/certs/default.crt" \
[5]="/etc/nginx/certs/dhparam.pem" \
[4]="/etc/nginx/certs/dhparam.pem" \
)

# Test public file paths
Expand Down
8 changes: 3 additions & 5 deletions test/tests/permissions_default/run.sh
Original file line number Diff line number Diff line change
Expand Up @@ -60,9 +60,8 @@ done

# Array of private file paths to test
private_files=( \
[0]="/etc/nginx/certs/default.key" \
[1]="/etc/nginx/certs/${domains[0]}/key.pem" \
[2]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
[0]="/etc/nginx/certs/${domains[0]}/key.pem" \
[1]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
)

# Test private file paths
Expand All @@ -79,8 +78,7 @@ public_files=( \
[1]="/etc/nginx/certs/${domains[0]}/cert.pem" \
[2]="/etc/nginx/certs/${domains[0]}/chain.pem" \
[3]="/etc/nginx/certs/${domains[0]}/fullchain.pem" \
[4]="/etc/nginx/certs/default.crt" \
[5]="/etc/nginx/certs/dhparam.pem" \
[4]="/etc/nginx/certs/dhparam.pem" \
)

# Test public file paths
Expand Down
3 changes: 1 addition & 2 deletions test/tests/symlinks/run.sh
Original file line number Diff line number Diff line change
Expand Up @@ -47,8 +47,7 @@ docker exec "$le_container_name" cp /etc/nginx/certs/le1.wtf/key.pem /etc/nginx/
docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le4.wtf/fullchain.pem ./le4.wtf.crt'
docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le4.wtf/key.pem ./le4.wtf.key'

# symlink default certificate to le1.wtf certificate
docker exec "$le_container_name" rm -f /etc/nginx/certs/default.crt /etc/nginx/certs/default.key
# Symlink default certificate to le1.wtf certificate
docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le1.wtf/fullchain.pem ./default.crt'
docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le1.wtf/key.pem ./default.key'

Expand Down
6 changes: 0 additions & 6 deletions test/tests/test-functions.sh
Original file line number Diff line number Diff line change
Expand Up @@ -263,7 +263,6 @@ export -f check_cert_subj

# Wait for a successful https connection to domain passed with -d/--domain then wait
# - until the served certificate isn't the default one (default behavior)
# - until the served certificate is the default one (--default-cert)
# - until the served certificate subject match a string (--subject-match)
function wait_for_conn {
local action
Expand All @@ -280,11 +279,6 @@ function wait_for_conn {
shift
;;

--default-cert)
action='--match'
shift
;;

--subject-match)
action='--match'
string="$2"
Expand Down

0 comments on commit 3cb7df6

Please sign in to comment.