- This specific message will [already be generated](974229681f/html/error.go (L44)) when `http.StatusMisdirectedRequest` is set as status with [an empty message](974229681f/html/error.go (L25-L28)). - Resolves #228 Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: #230 Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Gusted <gusted@noreply.codeberg.org> Co-committed-by: Gusted <gusted@noreply.codeberg.org>
A database bug in xorm.go prevents the pages-server from saving a renewed certificate for a domain that already has one in the database. Co-authored-by: crystal <crystal@noreply.codeberg.org> Co-authored-by: 6543 <6543@obermui.de> Reviewed-on: #209 Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Crystal <crystal@noreply.codeberg.org> Co-committed-by: Crystal <crystal@noreply.codeberg.org>
I forgot to update the name of this function in the CI log so it looks like it's running the same test twice even though it's not. Co-authored-by: crystal <crystal@noreply.codeberg.org> Reviewed-on: #210 Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Crystal <crystal@noreply.codeberg.org> Co-committed-by: Crystal <crystal@noreply.codeberg.org>
get rid of gobal vars and make make functions with less args :) tldr: collect funcs and create a own ACME client to manage that stuff Reviewed-on: #179
- Currently if the canonical domain validations fails(either for legitimate reasons or for bug reasons like the request to Gitea/Forgejo failing) it will use main domain certificate, which in the case for custom domains will warrant a security error as the certificate isn't issued to the custom domain. - This patch handles this situation more gracefully and instead only disallow obtaining a certificate if the domain validation fails, so in the case that a certificate still exists it can still be used even if the canonical domain validation fails. There's a small side effect, legitimate users that remove domains from `.domain` will still be able to use the removed domain(as long as the DNS records exists) as long as the certificate currently hold by pages-server isn't expired. - Given the increased usage in custom domains that are resulting in errors, I think it ways more than the side effect. - In order to future-proof against future slowdowns of instances, add a retry mechanism to the domain validation function, such that it's more likely to succeed even if the instance is not responding. - Refactor the code a bit and add some comments. Co-authored-by: Gusted <postmaster@gusted.xyz> Co-authored-by: 6543 <6543@obermui.de> Reviewed-on: #160 Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Gusted <gusted@noreply.codeberg.org> Co-committed-by: Gusted <gusted@noreply.codeberg.org>
- Currently any error generated by requesting the `.domains` file of a repository would be logged under the info log level, which isn't the correct log level when we exclude the not found error. - Use warn log level if the error isn't the not found error. Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: #162 Reviewed-by: Otto <otto@codeberg.org>
Added new TockenBucket named `acmeClientFailLimit` to avoid being banned because of the [Failed validation limit](https://letsencrypt.org/docs/failed-validation-limit/) of Let's Encrypt. The behaviour is similar to the other limiters blocking the `obtainCert` func ensuring rate under limit. Co-authored-by: fsologureng <sologuren@estudiohum.cl> Co-authored-by: 6543 <6543@obermui.de> Reviewed-on: #151 Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Felipe Leopoldo Sologuren Gutiérrez <fsologureng@noreply.codeberg.org> Co-committed-by: Felipe Leopoldo Sologuren Gutiérrez <fsologureng@noreply.codeberg.org>
- It's not guaranteed that `tls.X509KeyPair` will set `c.Leaf`. - This patch fixes this by using a wrapper that parses the leaf certificate(in bytes) if `c.Leaf` wasn't set. - Resolves#149 Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: #150 Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Gusted <gusted@noreply.codeberg.org> Co-committed-by: Gusted <gusted@noreply.codeberg.org>
If no repository is found the user expects a 404 status code instead of a dependency failed status code (as it was before). Signed-off-by: Jan Klippel <c0d3b3rg@kl1pp3l.de> Fixes: Codeberg/Community#809 Co-authored-by: Jan Klippel <c0d3b3rg@kl1pp3l.de> Co-authored-by: 6543 <6543@obermui.de> Reviewed-on: #141 Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: jklippel <jklippel@noreply.codeberg.org> Co-committed-by: jklippel <jklippel@noreply.codeberg.org>
As per [the documentation](https://pkg.go.dev/net/http#Serve), it doesn't enable HTTP2 by-default, unless we enable it via the `NextProtos` option. Co-authored-by: Gusted <williamzijl7@hotmail.com> Reviewed-on: #137 Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Gusted <gusted@noreply.codeberg.org> Co-committed-by: Gusted <gusted@noreply.codeberg.org>
we have big functions that handle all stuff ... we should split this into smaler chuncks so we could test them seperate and make clear cuts in what happens where Reviewed-on: #135
- For production(*cough* Codeberg *cough*), it's important to not use mock certs. So fail right from the start if this is the case and not try to "handle it gracefully", as it would break production. - Resolves#131 CC @6543 Co-authored-by: Gusted <williamzijl7@hotmail.com> Reviewed-on: #133 Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Gusted <gusted@noreply.codeberg.org> Co-committed-by: Gusted <gusted@noreply.codeberg.org>
