diff --git a/cmd/flags.go b/cmd/flags.go
index 47866ee..1e6fea0 100644
--- a/cmd/flags.go
+++ b/cmd/flags.go
@@ -148,5 +148,11 @@ var (
 Usage: "Use DNS-Challenge for main domain\n\nRead more at: https://go-acme.github.io/lego/dns/",
 EnvVars: []string{"DNS_PROVIDER"},
 },
+ &cli.StringFlag{
+ Name: "acme-account-config",
+ Usage: "json file of acme account",
+ Value: "acme-account.json",
+ EnvVars: []string{"ACME_ACCOUNT_CONFIG"},
+ },
 }...)
 )
diff --git a/cmd/setup.go b/cmd/setup.go
index a25b2d5..1079cb2 100644
--- a/cmd/setup.go
+++ b/cmd/setup.go
@@ -57,6 +57,7 @@ func createAcmeClient(ctx *cli.Context, enableHTTPServer bool, challengeCache ca
 acmeAcceptTerms := ctx.Bool("acme-accept-terms")
 dnsProvider := ctx.String("dns-provider")
 acmeUseRateLimits := ctx.Bool("acme-use-rate-limits")
+ acmeAccountConf := ctx.String("acme-account-config")
 
 // check config
 if (!acmeAcceptTerms || dnsProvider == "") && acmeAPI != "https://acme.mock.directory" {
@@ -64,6 +65,7 @@ func createAcmeClient(ctx *cli.Context, enableHTTPServer bool, challengeCache ca
 }
 
 return certificates.NewAcmeClient(
+ acmeAccountConf,
 acmeAPI,
 acmeMail,
 acmeEabHmac,
diff --git a/server/certificates/acme_client.go b/server/certificates/acme_client.go
index 8e63c84..b380420 100644
--- a/server/certificates/acme_client.go
+++ b/server/certificates/acme_client.go
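Review bot: The Usage text on the new `acme-account-config` flag does not say what the file contains or that it is created when missing, and the `Value` default is a relative path, so it resolves against the process working directory. The file presumably holds the account key generated in setupAcmeConfig (the later hunk writes it with mode 0o600), which is the kind of detail an operator needs in order to keep it out of shared or world-readable locations. Suggested: `Usage: "Path to the JSON file holding the ACME account and its private key; created on first run if it does not exist (relative paths resolve against the working directory)",`.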
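Review bot: `acmeAccountConf` is passed through createAcmeClient without any check, so an explicitly empty `--acme-account-config` or `ACME_ACCOUNT_CONFIG` value reaches `os.ReadFile("")` and later `os.WriteFile("")`, and the write only fails after a new account has been registered with the CA. The `// check config` block two lines below is the natural place for a guard such as `if acmeAccountConf == "" { ... }` returning an error the same way the existing acme-accept-terms check does; that check's body and the rest of createAcmeClient are outside the hunk, so match its form. Whether urfave/cli lets an empty environment value override the flag default is not visible here, so the guard is cheap insurance either way.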
@@ -27,8 +27,8 @@ type AcmeClient struct {
 acmeClientCertificateLimitPerUser map[string]*equalizer.TokenBucket
 }
 
-func NewAcmeClient(acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeAcceptTerms, enableHTTPServer, acmeUseRateLimits bool, challengeCache cache.SetGetKey) (*AcmeClient, error) {
- acmeConfig, err := SetupAcmeConfig(acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, acmeAcceptTerms)
+func NewAcmeClient(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeAcceptTerms, enableHTTPServer, acmeUseRateLimits bool, challengeCache cache.SetGetKey) (*AcmeClient, error) {
+ acmeConfig, err := setupAcmeConfig(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, acmeAcceptTerms)
 if err != nil {
 return nil, err
 }
diff --git a/server/certificates/certificates.go b/server/certificates/certificates.go
index a84d083..21787bd 100644
--- a/server/certificates/certificates.go
+++ b/server/certificates/certificates.go
@@ -331,13 +331,12 @@ func (c *AcmeClient) obtainCert(acmeClient *lego.Client, domains []string, renew
 return &tlsCertificate, nil
 }
 
-func SetupAcmeConfig(acmeAPI, acmeMail, acmeEabHmac, acmeEabKID string, acmeAcceptTerms bool) (*lego.Config, error) {
- // TODO: make it a config flag
- const configFile = "acme-account.json"
+func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID string, acmeAcceptTerms bool) (*lego.Config, error) {
 var myAcmeAccount AcmeAccount
 var myAcmeConfig *lego.Config
 if account, err := os.ReadFile(configFile); err == nil {
+ log.Info().Msgf("found existing acme account config file '%s'", configFile)
 if err := json.Unmarshal(account, &myAcmeAccount); err != nil {
 return nil, err
 }
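Review bot: `NewAcmeClient` is exported and now takes six positional string arguments, with the new `acmeAccountConf` placed first, but it still has no doc comment saying which argument is the account-file path or that the file is created when absent. A comment starting with the name, e.g. `// NewAcmeClient builds an ACME client; acmeAccountConf is the path of the JSON file that stores the ACME account and is created if it does not exist.`, lets a reader check the argument order at the call site in cmd/setup.go. Longer term a config struct would remove the ordering risk entirely. NewAcmeClient's body continues past the hunk.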
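Review bot: `setupAcmeConfig` still branches on `err == nil` from `os.ReadFile(configFile)`, so any read failure other than a missing file — permission denied on an existing account file, a directory at that path — falls through to the new-account path, where the -360 hunk logs "no existing acme account config found" and a fresh account is registered with the CA; with a user-supplied path this is now more likely, and it can consume registration rate limits or orphan the previous account. Only `fs.ErrNotExist` should lead to registration; any other read error should be returned. The code between this hunk and the -360 hunk is outside the diff, so the exact restructuring depends on it, and `errors` and `io/fs` need importing if the file does not already have them.
```go
account, readErr := os.ReadFile(configFile)
if readErr != nil && !errors.Is(readErr, fs.ErrNotExist) {
	return nil, readErr
}
if readErr == nil {
	log.Info().Msgf("found existing acme account config file '%s'", configFile)
	// … unchanged: unmarshal into myAcmeAccount and reuse the stored account …
```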
@@ -360,6 +359,8 @@ func SetupAcmeConfig(acmeAPI, acmeMail, acmeEabHmac, acmeEabKID string, acmeAcce
 return nil, err
 }
 
+ log.Info().Msgf("no existing acme account config found, try to create a new one")
+
 privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 if err != nil {
 return nil, err
@@ -403,6 +404,7 @@ func SetupAcmeConfig(acmeAPI, acmeMail, acmeEabHmac, acmeEabKID string, acmeAcce
 log.Error().Err(err).Msg("json.Marshalfailed, waiting for manual restart to avoid rate limits")
 select {}
 }
+ log.Info().Msgf("new acme account created. write to config file '%s'", configFile)
 err = os.WriteFile(configFile, acmeAccountJSON, 0o600)
 if err != nil {
 log.Error().Err(err).Msg("os.WriteFile failed, waiting for manual restart to avoid rate limits")
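Review bot: A new account key is generated here (`ecdsa.GenerateKey`) and, judging by the -403 hunk, registered and serialised before anything checks that `configFile` can be written; now that the path is user-supplied, a missing parent directory or read-only location is only discovered at `os.WriteFile`, after the CA has issued an account, and the log text there says the process then waits for a manual restart. Checking the destination before generating the key keeps a typo in `--acme-account-config` from consuming account-registration rate limits: `if _, err := os.Stat(filepath.Dir(configFile)); err != nil { return nil, err }` (add `path/filepath` if the file does not import it). The added `Msgf` call has no format verbs, so `Msg` is the plain form. The registration code between the two hunks is outside the diff.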
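Review bot: The new `log.Info` line in the -403 hunk announces "new acme account created. write to config file" before `os.WriteFile` runs, so on a failed write the log shows a creation message immediately followed by the error with no statement that nothing was persisted. Either move it after the `if err != nil` block or reword it as `log.Info().Msgf("writing new acme account to config file '%s'", configFile)` so the sequence reads correctly; the code after the WriteFile error branch is outside the hunk.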