.gitlab-ci.yml

-include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-buster-backports.yml"
+include:
+  - "https://git.autistici.org/pipelines/debian/raw/master/common.yml"
+  - "https://git.autistici.org/pipelines/images/test/golang/raw/master/ci.yml"

acme.go

@@ -137,6 +137,12 @@ func (a *ACME) acmeClient(ctx context.Context) (*acme.Client, error) {
 		a.client = client
 		err = nil
 	}
+
+	// Fetch account info and display it.
+	if acct, err := client.GetReg(ctx, ""); err == nil {
+		log.Printf("ACME account %s", acct.URI)
+	}
+
 	return a.client, err
 }
 
@@ -207,6 +213,7 @@ func (a *ACME) verifyAll(ctx context.Context, client *acme.Client, c *certConfig
 			return nil, fmt.Errorf("challenge type '%s' is not available", chal.Type)
 		}
 
+		log.Printf("attempting fulfillment for %q (identifier: %+v)", c.Names, z.Identifier)
 		for _, domain := range c.Names {
 			cleanup, err := v.Fulfill(ctx, client, domain, chal)
 			if err != nil {

cmd/acmeserver/acmeserver.go

@@ -3,16 +3,15 @@ package main
 import (
 	"context"
 	"flag"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
 	"os/signal"
 	"syscall"
 
-	"git.autistici.org/ai3/tools/acmeserver"
 	"git.autistici.org/ai3/go-common/serverutil"
-	"gopkg.in/yaml.v2"
+	"git.autistici.org/ai3/tools/acmeserver"
+	"gopkg.in/yaml.v3"
 )
 
 var (
@@ -29,12 +28,13 @@ type Config struct {
 
 func loadConfig(path string) (*Config, error) {
 	// Read YAML config.
-	data, err := ioutil.ReadFile(path) // nolint: gosec
+	f, err := os.Open(path)
 	if err != nil {
 		return nil, err
 	}
+	defer f.Close()
 	var config Config
-	if err := yaml.Unmarshal(data, &config); err != nil {
+	if err := yaml.NewDecoder(f).Decode(&config); err != nil {
 		return nil, err
 	}
 	return &config, nil

config.go

@@ -3,11 +3,11 @@ package acmeserver
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"log"
+	"os"
 	"path/filepath"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 
 	"git.autistici.org/ai3/go-common/clientutil"
 )
@@ -77,12 +77,13 @@ func (c *certConfig) check() error {
 }
 
 func readCertConfigs(path string) ([]*certConfig, error) {
-	data, err := ioutil.ReadFile(path) // nolint: gosec
+	f, err := os.Open(path)
 	if err != nil {
 		return nil, err
 	}
+	defer f.Close()
 	var cc []*certConfig
-	if err := yaml.Unmarshal(data, &cc); err != nil {
+	if err := yaml.NewDecoder(f).Decode(&cc); err != nil {
 		return nil, err
 	}
 	return cc, nil

debian/changelog

@@ -2,4 +2,4 @@ acmeserver (2.0) unstable; urgency=medium
 
   * Initial Release.
 
- -- Autistici/Inventati <debian@autistici.org>  Sat, 15 Jun 2018 09:23:40 +0000
+ -- Autistici/Inventati <debian@autistici.org>  Fri, 15 Jun 2018 09:23:40 +0000

debian/compat

-10

debian/control

@@ -2,12 +2,12 @@ Source: acmeserver
 Section: admin
 Priority: optional
 Maintainer: Autistici/Inventati <debian@autistici.org>
-Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-golang
+Build-Depends: debhelper-compat (= 13), golang-any (>= 1.11), dh-golang
 Standards-Version: 3.9.6
 
 Package: acmeserver
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
+Built-Using: ${misc:Built-Using}
 Description: ACME server
  Automatically manages and renews public SSL certificates.
-

debian/rules

@@ -2,17 +2,17 @@
 
 export DH_GOPKG = git.autistici.org/ai3/tools/acmeserver
 export DH_GOLANG_EXCLUDES = vendor
+export DH_GOLANG_INSTALL_ALL := 1
 
 
 %:
-	dh $@ --with systemd --with golang --buildsystem golang
+	dh $@ --with golang --buildsystem golang
 
 override_dh_auto_install:
 	dh_auto_install -- --no-source
 
-override_dh_systemd_enable:
-	dh_systemd_enable --no-enable
-
-override_dh_systemd_start:
-	dh_systemd_start --no-start
+override_dh_installsystemd:
+	dh_installsystemd --no-enable
 
+override_dh_installsystemd:
+	dh_installsystemd --no-start

dns_challenge.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/miekg/dns"
 	"golang.org/x/crypto/acme"
+	"golang.org/x/net/publicsuffix"
 )
 
 const (
@@ -87,8 +88,16 @@ func (d *dnsValidator) client() *dns.Client {
 }
 
 func (d *dnsValidator) Fulfill(ctx context.Context, client *acme.Client, domain string, chal *acme.Challenge) (func(), error) {
-	zone := domain[strings.Index(domain, ".")+1:]
-	fqdn := dns.Fqdn(domain)
+	domain = strings.TrimPrefix(domain, "*.")
+
+	zone, err := publicsuffix.EffectiveTLDPlusOne(domain)
+	if err != nil {
+		return nil, fmt.Errorf("could not determine effective tld: %w", err)
+	}
+
+	zone = dns.Fqdn(zone)
+	fqdn := dns.Fqdn("_acme-challenge." + domain)
+
 	value, err := client.DNS01ChallengeRecord(chal.Token)
 	if err != nil {
 		return nil, err
@@ -109,6 +118,7 @@ func (d *dnsValidator) Fulfill(ctx context.Context, client *acme.Client, domain
 }
 
 func (d *dnsValidator) updateNS(ctx context.Context, ns, zone, fqdn, value string, remove bool) error {
+	log.Printf("updateNS(%s, %s, %s, %s, %v)", ns, zone, fqdn, value, remove)
 	rrs := d.makeRR(fqdn, value, rfc2136Timeout)
 	m := d.makeMsg(zone, rrs, remove)
 	c := d.client()

go.mod

 module git.autistici.org/ai3/tools/acmeserver
 
-go 1.14
+go 1.19
 
 require (
-	git.autistici.org/ai3/go-common v0.0.0-20210110180225-a05c683cfe23
-	git.autistici.org/ai3/tools/replds v0.0.0-20210117164327-f8f2820a3407
-	github.com/miekg/dns v1.0.14
-	github.com/prometheus/client_golang v1.9.0
-	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
-	gopkg.in/yaml.v2 v2.3.0
+	git.autistici.org/ai3/go-common v0.0.0-20230816213645-b3aa3fb514d6
+	git.autistici.org/ai3/tools/replds v0.0.0-20230923170339-b6e6e3cc032b
+	github.com/miekg/dns v1.1.50
+	github.com/prometheus/client_golang v1.12.2
+	golang.org/x/crypto v0.24.0
+	golang.org/x/net v0.26.0
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/openzipkin/zipkin-go v0.4.0 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.34.0 // indirect
+	go.opentelemetry.io/contrib/propagators/b3 v1.9.0 // indirect
+	go.opentelemetry.io/otel v1.10.0 // indirect
+	go.opentelemetry.io/otel/exporters/zipkin v1.9.0 // indirect
+	go.opentelemetry.io/otel/metric v0.31.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.10.0 // indirect
+	go.opentelemetry.io/otel/trace v1.10.0 // indirect
+	golang.org/x/mod v0.4.2 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
 )

manager.go

@@ -20,6 +20,11 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 )
 
+var (
+	defaultRenewalDays = 21
+	updateInterval     = 1 * time.Minute
+)
+
 // certInfo represents what we know about the state of the certificate
 // at runtime.
 type certInfo struct {
@@ -71,18 +76,19 @@ type CertGenerator interface {
 	GetCertificate(context.Context, crypto.Signer, *certConfig) ([][]byte, *x509.Certificate, error)
 }
 
-// Manager periodically renews certificates before they expire, and
-// responds to http-01 validation requests.
+// Manager periodically renews certificates before they expire.
 type Manager struct {
 	configDirs  []string
 	useRSA      bool
 	storage     certStorage
-	certs       []*certInfo
 	certGen     CertGenerator
 	renewalDays int
 
 	configCh chan []*certConfig
 	doneCh   chan bool
+
+	mx    sync.Mutex
+	certs []*certInfo
 }
 
 // NewManager creates a new Manager with the given configuration.
@@ -94,6 +100,9 @@ func NewManager(config *Config, certGen CertGenerator) (*Manager, error) {
 	if config.Output.Path == "" {
 		return nil, errors.New("'output.path' is unset")
 	}
+	if config.RenewalDays <= 0 {
+		config.RenewalDays = defaultRenewalDays
+	}
 
 	m := &Manager{
 		useRSA:      config.UseRSA,
@@ -103,9 +112,6 @@ func NewManager(config *Config, certGen CertGenerator) (*Manager, error) {
 		certGen:     certGen,
 		renewalDays: config.RenewalDays,
 	}
-	if m.renewalDays <= 0 {
-		m.renewalDays = 15
-	}
 
 	ds := &dirStorage{root: config.Output.Path}
 	if config.Output.ReplDS == nil {
@@ -158,7 +164,7 @@ func (m *Manager) Reload() {
 
 var (
 	renewalTimeout    = 10 * time.Minute
-	errorRetryTimeout = 10 * time.Minute
+	errorRetryTimeout = 6 * time.Hour
 )
 
 func (m *Manager) updateAllCerts(ctx context.Context, certs []*certInfo) {
@@ -241,55 +247,41 @@ func (m *Manager) loadConfig(certs []*certConfig) []*certInfo {
 	return out
 }
 
+func (m *Manager) getCerts() []*certInfo {
+	m.mx.Lock()
+	defer m.mx.Unlock()
+	return m.certs
+}
+
+func (m *Manager) setCerts(certs []*certInfo) {
+	m.mx.Lock()
+	m.certs = certs
+	m.mx.Unlock()
+}
+
 // This channel is used by the testing code to trigger an update,
 // without having to wait for the timer to tick.
 var testUpdateCh = make(chan bool)
 
 func (m *Manager) loop(ctx context.Context) {
-	// Updates are long-term jobs, so they should be
-	// interruptible. We run updates in a separate goroutine, and
-	// cancel them when the configuration is reloaded or on exit.
-	var upCancel context.CancelFunc
-	var wg sync.WaitGroup
-
-	startUpdate := func(certs []*certInfo) context.CancelFunc {
-		// Ensure the previous update has finished.
-		wg.Wait()
-
-		upCtx, cancel := context.WithCancel(ctx)
-		wg.Add(1)
-		go func() {
-			m.updateAllCerts(upCtx, certs)
-			wg.Done()
-		}()
-		return cancel
-	}
-
-	// Cancel the running update, if any. Called on config
-	// updates, when exiting.
-	cancelUpdate := func() {
-		if upCancel != nil {
-			upCancel()
+	reloadCh := make(chan interface{}, 1)
+	go func() {
+		for config := range m.configCh {
+			certs := m.loadConfig(config)
+			m.setCerts(certs)
+			reloadCh <- certs
 		}
-		wg.Wait()
-	}
-	defer cancelUpdate()
+	}()
 
-	tick := time.NewTicker(5 * time.Minute)
-	defer tick.Stop()
-	for {
-		select {
-		case <-tick.C:
-			upCancel = startUpdate(m.certs)
-		case <-testUpdateCh:
-			upCancel = startUpdate(m.certs)
-		case certDomains := <-m.configCh:
-			cancelUpdate()
-			m.certs = m.loadConfig(certDomains)
-		case <-ctx.Done():
-			return
-		}
-	}
+	runWithUpdates(
+		ctx,
+		func(ctx context.Context, value interface{}) {
+			certs := value.([]*certInfo)
+			m.updateAllCerts(ctx, certs)
+		},
+		reloadCh,
+		updateInterval,
+	)
 }
 
 func concatDER(der [][]byte) []byte {
@@ -308,10 +300,8 @@ func concatDER(der [][]byte) []byte {
 
 func certRequest(key crypto.Signer, domains []string) ([]byte, error) {
 	req := &x509.CertificateRequest{
-		Subject: pkix.Name{CommonName: domains[0]},
-	}
-	if len(domains) > 1 {
-		req.DNSNames = domains[1:]
+		Subject:  pkix.Name{CommonName: domains[0]},
+		DNSNames: domains,
 	}
 	return x509.CreateCertificateRequest(rand.Reader, req, key)
 }

manager_test.go

@@ -77,36 +77,44 @@ func TestManager_Reload(t *testing.T) {
 	defer cleanup()
 
 	// Data race: we read data owned by another goroutine!
-	if len(m.certs) < 1 {
+	certs := m.getCerts()
+	if len(certs) < 1 {
 		t.Fatal("configuration not loaded?")
 	}
-	if m.certs[0].cn() != "example.com" {
-		t.Fatalf("certs[0].cn() is %s, expected example.com", m.certs[0].cn())
+	if certs[0].cn() != "example.com" {
+		t.Fatalf("certs[0].cn() is %s, expected example.com", certs[0].cn())
 	}
 
 	// Try a reload, catch obvious errors.
 	m.Reload()
 	time.Sleep(50 * time.Millisecond)
+	certs = m.getCerts()
 
-	if len(m.certs) != 1 {
+	if len(certs) != 1 {
 		t.Fatalf("certs count is %d, expected 1", len(m.certs))
 	}
-	if m.certs[0].cn() != "example.com" {
-		t.Fatalf("certs[0].cn() is %s, expected example.com", m.certs[0].cn())
+	if certs[0].cn() != "example.com" {
+		t.Fatalf("certs[0].cn() is %s, expected example.com", certs[0].cn())
 	}
 }
 
 func TestManager_NewCert(t *testing.T) {
+	var oldUpdateInterval time.Duration
+	oldUpdateInterval, updateInterval = updateInterval, 50*time.Millisecond
+	defer func() {
+		updateInterval = oldUpdateInterval
+	}()
+
 	cleanup, _, m := newTestManager(t, NewSelfSignedCertGenerator())
 	defer cleanup()
 
 	now := time.Now()
-	ci := m.certs[0]
+	certs := m.getCerts()
+	ci := certs[0]
 	if ci.retryDeadline.After(now) {
 		t.Fatalf("retry deadline is in the future: %v", ci.retryDeadline)
 	}
 
-	testUpdateCh <- true
 	time.Sleep(100 * time.Millisecond)
 
 	// Verify that the retry/renewal timestamp is in the future.
@@ -135,7 +143,7 @@ func TestManager_NewCert(t *testing.T) {
 	m.Reload()
 	time.Sleep(50 * time.Millisecond)
 
-	ci = m.certs[0]
+	ci = m.getCerts()[0]
 	if !ci.valid {
 		t.Fatal("certificate is invalid after a reload")
 	}

renovate.json

+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}

storage.go

@@ -112,7 +112,7 @@ func (d *replStorage) PutCert(cn string, der [][]byte, key crypto.Signer) error
 	now := time.Now()
 	var req replds.SetNodesRequest
 	for path, data := range filemap {
-		req.Nodes = append(req.Nodes, replds.Node{
+		req.Nodes = append(req.Nodes, &replds.Node{
 			Path:      path,
 			Value:     data,
 			Timestamp: now,

util.go

+package acmeserver
+
+import (
+	"context"
+	"sync"
+	"time"
+)
+
+// Updates are long-term jobs, so they should be interruptible. We run
+// updates in a separate goroutine, and cancel them when the
+// configuration is reloaded or on exit. A semaphore ensures that only
+// one update goroutine will be running at any given time (without
+// other ones piling up).
+func runWithUpdates(ctx context.Context, fn func(context.Context, interface{}), reloadCh <-chan interface{}, updateInterval time.Duration) {
+	// Function to cancel the current update, and the associated
+	// WaitGroup to wait for its termination.
+	var upCancel context.CancelFunc
+	var wg sync.WaitGroup
+	sem := make(chan struct{}, 1)
+
+	startUpdate := func(value interface{}) context.CancelFunc {
+		// Acquire the semaphore, return if we fail to.
+		// Equivalent to a 'try-lock' construct.
+		select {
+		case sem <- struct{}{}:
+		default:
+			return nil
+		}
+		defer func() {
+			<-sem
+		}()
+
+		ctx, cancel := context.WithCancel(ctx)
+		wg.Add(1)
+		go func() {
+			fn(ctx, value)
+			wg.Done()
+		}()
+		return cancel
+	}
+
+	// Cancel the running update, if any. Called on config
+	// updates, when exiting.
+	cancelUpdate := func() {
+		if upCancel != nil {
+			upCancel()
+			upCancel = nil
+		}
+		wg.Wait()
+	}
+	defer cancelUpdate()
+
+	var cur interface{}
+	tick := time.NewTicker(updateInterval)
+	defer tick.Stop()
+	for {
+		select {
+		case <-tick.C:
+			// Do not cancel running update when running the ticker.
+			if cancel := startUpdate(cur); cancel != nil {
+				upCancel = cancel
+			}
+		case value := <-reloadCh:
+			// Cancel the running update when configuration is reloaded.
+			cancelUpdate()
+			cur = value
+		case <-ctx.Done():
+			return
+		}
+	}
+}

vendor/contrib.go.opencensus.io/exporter/zipkin/.travis.yml

-language: go
-
-go_import_path: contrib.go.opencensus.io
-
-go:
-  - 1.11.x
-
-env:
-  global:
-    GO111MODULE=on
-
-before_script:
-  - make install-tools
-
-script:
-  - make travis-ci
-

vendor/contrib.go.opencensus.io/exporter/zipkin/Makefile

-# TODO: Fix this on windows.
-ALL_SRC := $(shell find . -name '*.go' \
-								-not -path './vendor/*' \
-								-not -path '*/gen-go/*' \
-								-type f | sort)
-ALL_PKGS := $(shell go list $(sort $(dir $(ALL_SRC))))
-
-GOTEST_OPT?=-v -race -timeout 30s
-GOTEST_OPT_WITH_COVERAGE = $(GOTEST_OPT) -coverprofile=coverage.txt -covermode=atomic
-GOTEST=go test
-GOFMT=gofmt
-GOLINT=golint
-GOVET=go vet
-EMBEDMD=embedmd
-# TODO decide if we need to change these names.
-README_FILES := $(shell find . -name '*README.md' | sort | tr '\n' ' ')
-
-
-.DEFAULT_GOAL := fmt-lint-vet-embedmd-test
-
-.PHONY: fmt-lint-vet-embedmd-test
-fmt-lint-vet-embedmd-test: fmt lint vet embedmd test
-
-# TODO enable test-with-coverage in tavis
-.PHONY: travis-ci
-travis-ci: fmt lint vet embedmd test test-386
-
-all-pkgs:
-	@echo $(ALL_PKGS) | tr ' ' '\n' | sort
-
-all-srcs:
-	@echo $(ALL_SRC) | tr ' ' '\n' | sort
-
-.PHONY: test
-test:
-	$(GOTEST) $(GOTEST_OPT) $(ALL_PKGS)
-
-.PHONY: test-386
-test-386:
-	GOARCH=386 $(GOTEST) -v -timeout 30s $(ALL_PKGS)
-
-.PHONY: test-with-coverage
-test-with-coverage:
-	$(GOTEST) $(GOTEST_OPT_WITH_COVERAGE) $(ALL_PKGS)
-
-.PHONY: fmt
-fmt:
-	@FMTOUT=`$(GOFMT) -s -l $(ALL_SRC) 2>&1`; \
-	if [ "$$FMTOUT" ]; then \
-		echo "$(GOFMT) FAILED => gofmt the following files:\n"; \
-		echo "$$FMTOUT\n"; \
-		exit 1; \
-	else \
-	    echo "Fmt finished successfully"; \
-	fi
-
-.PHONY: lint
-lint:
-	@LINTOUT=`$(GOLINT) $(ALL_PKGS) 2>&1`; \
-	if [ "$$LINTOUT" ]; then \
-		echo "$(GOLINT) FAILED => clean the following lint errors:\n"; \
-		echo "$$LINTOUT\n"; \
-		exit 1; \
-	else \
-	    echo "Lint finished successfully"; \
-	fi
-
-.PHONY: vet
-vet:
-    # TODO: Understand why go vet downloads "github.com/google/go-cmp v0.2.0"
-	@VETOUT=`$(GOVET) ./... | grep -v "go: downloading" 2>&1`; \
-	if [ "$$VETOUT" ]; then \
-		echo "$(GOVET) FAILED => go vet the following files:\n"; \
-		echo "$$VETOUT\n"; \
-		exit 1; \
-	else \
-	    echo "Vet finished successfully"; \
-	fi
-	
-.PHONY: embedmd
-embedmd:
-	@EMBEDMDOUT=`$(EMBEDMD) -d $(README_FILES) 2>&1`; \
-	if [ "$$EMBEDMDOUT" ]; then \
-		echo "$(EMBEDMD) FAILED => embedmd the following files:\n"; \
-		echo "$$EMBEDMDOUT\n"; \
-		exit 1; \
-	else \
-	    echo "Embedmd finished successfully"; \
-	fi
-
-.PHONY: install-tools
-install-tools:
-	go get -u golang.org/x/tools/cmd/cover
-	go get -u golang.org/x/lint/golint
-	go get -u github.com/rakyll/embedmd

vendor/contrib.go.opencensus.io/exporter/zipkin/README.md

-# OpenCensus Go Zipkin Exporter
-
-[![Build Status](https://travis-ci.org/census-ecosystem/opencensus-go-exporter-zipkin.svg?branch=master)](https://travis-ci.org/census-ecosystem/opencensus-go-exporter-zipkin) [![GoDoc][godoc-image]][godoc-url]
-
-Provides OpenCensus exporter support for Zipkin.
-
-## Installation
-
-```
-$ go get -u contrib.go.opencensus.io/exporter/zipkin
-```
-
-[godoc-image]: https://godoc.org/contrib.go.opencensus.io/exporter/zipkin?status.svg
-[godoc-url]: https://godoc.org/contrib.go.opencensus.io/exporter/zipkin

vendor/contrib.go.opencensus.io/exporter/zipkin/go.mod

-module contrib.go.opencensus.io/exporter/zipkin
-
-require (
-	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
-	github.com/openzipkin/zipkin-go v0.2.2
-	go.opencensus.io v0.22.4
-)