mirror of
https://github.com/0xJacky/nginx-ui.git
synced 2026-06-19 07:36:59 +00:00
Jacky
69cfa82b1d
* feat(cert): add self-signed certificate type and config to model Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): generate self-signed leaf certificates Add GenerateSelfSigned / SelfSignedOptions plus five new error codes (50032-50036) and a full TDD test suite covering valid cert output, multiple key types, empty-SAN rejection, and invalid-IP rejection. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): regenerate self-signed certificates with key reuse Add RegenerateSelfSigned, SelfSignedOptionsFromModel, deriveSelfSignedCommonName, loadSelfSignedKey, and parsePrivateKeyPEM to support re-issuing self-signed certificates for the auto-renewal job, reusing the on-disk private key when possible. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): add self-signed certificate renewal worker Add auto-renewal worker for self-signed certificates that mirrors the ACME renewal logic, using a dedicated shouldRenewSelfSignedCert threshold function verified with TDD. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cron): schedule self-signed certificate renewal Register setupSelfSignedCertRenewalJob as a periodic cron job (every 30 minutes) in InitCronJobs, mirroring the existing setupAutoCertJob pattern. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(api): add self-signed certificate generation endpoints Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): add self-signed certificate frontend API Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): add shared self-signed certificate fields component Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): add self-signed certificate generation modal and list entry Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): support self-signed certificates in the editor Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(site): generate self-signed certificates from the site editor Extract hasTLSListen/ensureDirective/ensureTLSDirectives into a shared useTLSDirectives composable, refactor ObtainCert.vue to use it, and add SelfSignedCert.vue to the site cert tab so users can generate and apply a self-signed certificate directly from the site editor. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(cert): validate self-signed key type and name IP-only renewals Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor(cert): apply code-review cleanup - reuse certcrypto.ParsePEMPrivateKey instead of a hand-rolled PEM private-key parser - stop exporting the unused ensureDirective from useTLSDirectives - use the AutoCertState enum instead of integer literals in certColumns - allocate the renewal Logger only when renewal is attempted, avoiding a per-tick goroutine and empty-log database write for non-due certificates Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(cert): address PR #1688 review feedback - clean up the partial certificate directory when the initial write fails, not just the database row - log a warning when the existing self-signed private key cannot be reused so operators notice the public-key fingerprint has changed - defensively copy the model's Domains and IPAddresses slices in SelfSignedOptionsFromModel - require an explicit "Save now" confirmation after generating from the site editor, and write the directives into the editor first so the user can review the diff before saving Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(cert): harden self-signed certificate lifecycle Reuse private keys on manual self-signed edits, make certificate writes safer, clean managed self-signed files on delete, and guard renewal against missing config. * fix(cert): harden self-signed frontend handling Avoid undefined certificate redirects, rely on payload defaults for self-signed fields, and parse TLS listen directives precisely. * fix(site): satisfy strict listen regex lint Escape the IPv6 listen closing bracket explicitly so the strict regexp lint rule accepts TLS listen parsing. * fix(cert): harden self-signed key handling Co-authored-by: Jacky <me@jackyu.cn> * docs(cert): design merging self-signed entry into issue dialog Spec for collapsing the Certificate list header from three actions to two by adding a Self-signed option inside the existing Issue Certificate dialog. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(cert): plan merging self-signed into issue dialog Step-by-step plan that turns the spec into two scoped commits: extend DNSIssueCertificate with a self-signed type, then drop the standalone header button from the certificate list view. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): add self-signed option in issue certificate dialog Extend the Issue Certificate dialog's Certificate Type select with a "Self-signed" option that swaps the form body to SelfSignedCertFields and routes submission through cert.generate_self_signed(). ACME paths (Wildcard / Custom Domains) are unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor(cert): drop standalone self-signed button from list header Certificate creation is now consolidated under the Issue Certificate dialog (which exposes Self-signed as a Certificate Type option), so the duplicate header entry, its ref, handler, and modal mount are removed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(cert): design self-signed UX enhancements Adds a reusable StringListInput, renewal-policy hint in the self-signed form, and a required Name field (frontend + backend). Builds on the prior merge spec. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(cert): plan self-signed UX enhancements Six-task plan: extract StringListInput, require Name backend + test, refactor SelfSignedCertFields with renewal hint, hide duplicate alert in editor, seed/filter payloads with Name validation, and adopt StringListInput in the ACME Custom Domains branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(ui): add StringListInput component Reusable multi-row text input with Add/Remove buttons. Used in the upcoming refactor of Custom Domains and self-signed Domains / IP Addresses editors so all three share a single editor pattern. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(ui): simplify StringListInput model write and add a11y label Replace the captured-index update closure with v-model:value on items[index] so input events are guaranteed to write to the array slot currently bound to the DOM input. Add an aria-label suffix on the Remove button so screen readers can distinguish rows. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): require Name when generating self-signed certificates Adds binding:"required" to SelfSignedCertRequest.Name so an empty name is rejected at the request boundary, and covers the contract with a new API-level test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): unify self-signed editor and surface renewal hint Switch Domains and IP Addresses to the shared StringListInput so all self-signed field editors match the Custom Domains pattern. Add an auto-renewal hint (suppressible via hideRenewalNote) and mark Name as required to match the new backend contract. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(cert): suppress duplicate renewal alert in cert editor SelfSignedCertManagement already has its own renewal-status alert; pass hide-renewal-note to SelfSignedCertFields to avoid showing two adjacent alerts saying the same thing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(cert): seed and filter self-signed payloads, validate Name StringListInput preserves empty placeholder rows for editing; seed arrays with [''] in toSelfSignedPayload / emptySelfSignedPayload / emptyForm so the editor always renders an empty row to type into. Each submit/save path trims and filters the arrays before sending and now rejects an empty Name client-side to match the new server contract. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor(cert): make SelfSignedCertPayload.name required Every factory already seeds name as ''; the optional marker forced defensive (name ?? '').trim() at three call sites. Align the type with reality. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor(cert): use StringListInput for Custom Domains Drop the inline multi-row template + add/remove helpers in favour of the shared StringListInput component, matching the editor used by the self-signed branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(ui): regenerate components.d.ts for StringListInput Auto-generated by unplugin-vue-components after the new component was added under app/src/components/StringListInput/. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(cert): render key_type for both legacy and canonical forms The backend's helper.GetKeyType normalizes key_type to its canonical form (EC256, RSA2048…) on every write — self-signed generation as well as the ModifyCert BeforeExecuteHook. The frontend PrivateKeyTypeMask was keyed only by the legacy form (P256, 2048…), so maskRender returned "/" for every cert that took a write path through normalization. Two reported symptoms with the same root cause: - New self-signed cert always shows "/" in the Key Type column - Editing any ACME cert (issue #1697) flips its column to "/" after save Add formatPrivateKeyType / normalizePrivateKeyType helpers that map both forms to the frontend's legacy key. Use them in the list column renderer and when loading certs into the self-signed and ACME editor forms so the ASelect highlights the correct option. Fixes #1697. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * style(cert): cap self-signed fields width at 600px The fields stretched full-width inside the certificate editor page; cap the form at 600px to match AutoCertManagement and keep the editing area readable. Modal consumers were already bounded by their own width, so the change is invisible there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: update translations --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Hintay <hintay@me.com>
181 lines
5.7 KiB
Go
181 lines
5.7 KiB
Go
package model
|
|
|
|
import (
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/0xJacky/Nginx-UI/internal/helper"
|
|
"github.com/0xJacky/Nginx-UI/internal/nginx"
|
|
"github.com/go-acme/lego/v5/certcrypto"
|
|
"github.com/go-acme/lego/v5/certificate"
|
|
"gorm.io/gorm/clause"
|
|
)
|
|
|
|
const (
|
|
AutoCertSync = 2
|
|
AutoCertEnabled = 1
|
|
AutoCertDisabled = -1
|
|
AutoCertSelfSigned = 3
|
|
CertChallengeMethodHTTP01 = "http01"
|
|
CertChallengeMethodDNS01 = "dns01"
|
|
|
|
// CertStatus values track the most recent issuance attempt outcome.
|
|
// Empty string represents pre-migration / imported certificates.
|
|
CertStatusPending = "pending"
|
|
CertStatusSuccess = "success"
|
|
CertStatusFailure = "failure"
|
|
)
|
|
|
|
type CertDomains []string
|
|
|
|
type CertificateResource struct {
|
|
*certificate.Resource
|
|
Domain string `json:"domain,omitempty"`
|
|
PrivateKey []byte `json:"private_key"`
|
|
Certificate []byte `json:"certificate"`
|
|
IssuerCertificate []byte `json:"issuerCertificate"`
|
|
CSR []byte `json:"csr"`
|
|
}
|
|
|
|
// SelfSignedCertConfig stores self-signed-specific generation parameters so the
|
|
// auto-renewal job can regenerate a certificate with the same settings.
|
|
type SelfSignedCertConfig struct {
|
|
IPAddresses []string `json:"ip_addresses"`
|
|
ValidityDays int `json:"validity_days"`
|
|
}
|
|
|
|
type Cert struct {
|
|
Model
|
|
Name string `json:"name"`
|
|
Domains []string `json:"domains" gorm:"serializer:json"`
|
|
Filename string `json:"filename"`
|
|
SSLCertificatePath string `json:"ssl_certificate_path"`
|
|
SSLCertificateKeyPath string `json:"ssl_certificate_key_path"`
|
|
AutoCert int `json:"auto_cert"`
|
|
ChallengeMethod string `json:"challenge_method"`
|
|
DnsCredentialID uint64 `json:"dns_credential_id"`
|
|
DnsCredential *DnsCredential `json:"dns_credential,omitempty"`
|
|
ACMEUserID uint64 `json:"acme_user_id"`
|
|
ACMEUser *AcmeUser `json:"acme_user,omitempty"`
|
|
KeyType certcrypto.KeyType `json:"key_type"`
|
|
Log string `json:"log"`
|
|
Resource *CertificateResource `json:"-" gorm:"serializer:json[aes]"`
|
|
SyncNodeIds []uint64 `json:"sync_node_ids" gorm:"serializer:json"`
|
|
MustStaple bool `json:"must_staple"`
|
|
LegoDisableCNAMESupport bool `json:"lego_disable_cname_support"`
|
|
RevokeOld bool `json:"revoke_old"`
|
|
SelfSignedConfig *SelfSignedCertConfig `json:"self_signed_config,omitempty" gorm:"serializer:json"`
|
|
LastAutoRenewAt *time.Time `json:"-"`
|
|
LastAutoRenewError string `json:"-"`
|
|
Status string `json:"status"`
|
|
LastError string `json:"last_error"`
|
|
LastAttemptAt *time.Time `json:"last_attempt_at"`
|
|
}
|
|
|
|
func FirstCert(confName string) (c Cert, err error) {
|
|
err = db.Limit(1).Where(&Cert{
|
|
Filename: confName,
|
|
}).Find(&c).Error
|
|
|
|
return
|
|
}
|
|
|
|
func FirstOrCreateCert(confName string, keyType certcrypto.KeyType) (c Cert, err error) {
|
|
normalizedKeyType := helper.GetKeyType(keyType)
|
|
|
|
// Filename is used to check whether this site is enabled
|
|
err = db.Where("name = ? AND filename = ? AND key_type IN ?", confName, confName,
|
|
helper.GetKeyTypeAliasStrings(normalizedKeyType)).
|
|
Assign(&Cert{KeyType: normalizedKeyType}).
|
|
FirstOrCreate(&c, &Cert{Name: confName, Filename: confName, KeyType: normalizedKeyType}).Error
|
|
return
|
|
}
|
|
|
|
func FirstOrInit(confName string, keyType certcrypto.KeyType) (c Cert, err error) {
|
|
normalizedKeyType := helper.GetKeyType(keyType)
|
|
err = db.Where("name = ? AND filename = ? AND key_type IN ?", confName, confName,
|
|
helper.GetKeyTypeAliasStrings(normalizedKeyType)).
|
|
FirstOrInit(&c, &Cert{Name: confName, Filename: confName, KeyType: normalizedKeyType}).Error
|
|
c.KeyType = normalizedKeyType
|
|
return
|
|
}
|
|
|
|
func (c *Cert) Insert() error {
|
|
return db.Create(c).Error
|
|
}
|
|
|
|
func GetAutoCertList() (c []*Cert) {
|
|
var t []*Cert
|
|
if db == nil {
|
|
return
|
|
}
|
|
db.Where("auto_cert", AutoCertEnabled).Find(&t)
|
|
|
|
// check if this domain is enabled
|
|
enabledConfig, err := os.ReadDir(nginx.GetConfPath("sites-enabled"))
|
|
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
enabledConfigMap := make(map[string]bool)
|
|
for i := range enabledConfig {
|
|
enabledConfigMap[enabledConfig[i].Name()] = true
|
|
}
|
|
|
|
for _, v := range t {
|
|
if v.ChallengeMethod == CertChallengeMethodDNS01 || enabledConfigMap[v.Filename] == true {
|
|
c = append(c, v)
|
|
}
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
func (c *Cert) Updates(n *Cert) error {
|
|
return db.Model(c).Clauses(clause.Returning{}).
|
|
Where("id", c.ID).Updates(n).Error
|
|
}
|
|
|
|
func (c *Cert) Remove() error {
|
|
if c.Filename == "" {
|
|
return db.Delete(c).Error
|
|
}
|
|
|
|
return db.Where("filename", c.Filename).Delete(c).Error
|
|
}
|
|
|
|
func (c *Cert) GetKeyType() certcrypto.KeyType {
|
|
return helper.GetKeyType(c.KeyType)
|
|
}
|
|
|
|
func (c *CertificateResource) GetResource() certificate.Resource {
|
|
domains := c.Resource.Domains
|
|
if len(domains) == 0 && c.Domain != "" {
|
|
domains = []string{c.Domain}
|
|
}
|
|
|
|
return certificate.Resource{
|
|
ID: c.Resource.ID,
|
|
Domains: domains,
|
|
KeyType: c.Resource.KeyType,
|
|
PreferredChain: c.Resource.PreferredChain,
|
|
Profile: c.Resource.Profile,
|
|
CertURL: c.Resource.CertURL,
|
|
CertStableURL: c.Resource.CertStableURL,
|
|
PrivateKey: c.PrivateKey,
|
|
Certificate: c.Certificate,
|
|
IssuerCertificate: c.IssuerCertificate,
|
|
CSR: c.CSR,
|
|
}
|
|
}
|
|
|
|
// GetCertList returns all certificates
|
|
func GetCertList() (c []*Cert) {
|
|
if db == nil {
|
|
return
|
|
}
|
|
db.Find(&c)
|
|
return
|
|
}
|