Disable ACME when using custom ports

LetsEncrypt currently only supports ports 80/443 for ACME, so if custom ports are used we need to disable automatically getting certs. Also changed it to only emit a warning when ports aren't reachable from the internet, rather than failing.
2025-02-25 18:55:29 -06:00 · 2022-01-01 16:32:51 -07:00 · 2022-01-01 16:32:51 -07:00 · 46bb670b8f
commit 46bb670b8f
parent ec6739ea63
2 changed files with 42 additions and 24 deletions
--- a/boringproxy.go
+++ b/boringproxy.go
@ -25,6 +25,7 @@ type Config struct {
 	SshServerPort  int    `json:"ssh_server_port"`
 	PublicIp       string `json:"public_ip"`
 	namedropClient *namedrop.Client
+	autoCerts      bool
 }

 type SmtpConfig struct {
@ -71,12 +72,18 @@ func Listen() {

 	err = namedrop.CheckPublicAddress(ip, *httpPort)
 	if err != nil {
-		log.Fatal(err)
+		fmt.Printf("WARNING: Failed to access port %d from the internet\n", *httpPort)
 	}

 	err = namedrop.CheckPublicAddress(ip, *httpsPort)
 	if err != nil {
-		log.Fatal(err)
+		fmt.Printf("WARNING: Failed to access port %d from the internet\n", *httpsPort)
+	}
+
+	autoCerts := true
+	if *httpPort != 80 || *httpsPort != 443 {
+		fmt.Printf("WARNING: LetsEncrypt only supports HTTP/HTTPS ports 80/443. You are using %d/%d. Disabling automatic certificate management\n", *httpPort, *httpsPort)
+		autoCerts = false
 	}

 	if *certDir != "" {
@ -95,16 +102,18 @@ func Listen() {

 	if adminDomain == "" {

-		err = setAdminDomain(certConfig, db, namedropClient)
+		err = setAdminDomain(certConfig, db, namedropClient, autoCerts)
 		if err != nil {
 			log.Fatal(err)
 		}
 	} else {
-		err = certConfig.ManageSync(context.Background(), []string{adminDomain})
-		if err != nil {
-			log.Fatal(err)
+		if autoCerts {
+			err = certConfig.ManageSync(context.Background(), []string{adminDomain})
+			if err != nil {
+				log.Fatal(err)
+			}
+			log.Print(fmt.Sprintf("Successfully acquired certificate for admin domain (%s)", adminDomain))
 		}
-		log.Print(fmt.Sprintf("Successfully acquired certificate for admin domain (%s)", adminDomain))
 	}

 	// Add admin user if it doesn't already exist
@ -133,6 +142,7 @@ func Listen() {
 		SshServerPort:  *sshServerPort,
 		PublicIp:       ip,
 		namedropClient: namedropClient,
+		autoCerts:      autoCerts,
 	}

 	tunMan := NewTunnelManager(config, db, certConfig)
@ -206,10 +216,12 @@ func Listen() {
 				db.SetAdminDomain(fqdn)
 				namedropClient.SetDomain(fqdn)

-				// TODO: Might want to get all certs here, not just the admin domain
-				err := certConfig.ManageSync(r.Context(), []string{fqdn})
-				if err != nil {
-					log.Fatal(err)
+				if autoCerts {
+					// TODO: Might want to get all certs here, not just the admin domain
+					err := certConfig.ManageSync(r.Context(), []string{fqdn})
+					if err != nil {
+						log.Fatal(err)
+					}
 				}

 				http.Redirect(w, r, fmt.Sprintf("https://%s", fqdn), 303)
@ -342,15 +354,17 @@ func (p *Server) passthroughRequest(conn net.Conn, tunnel Tunnel) {
 	wg.Wait()
 }

-func setAdminDomain(certConfig *certmagic.Config, db *Database, namedropClient *namedrop.Client) error {
+func setAdminDomain(certConfig *certmagic.Config, db *Database, namedropClient *namedrop.Client, autoCerts bool) error {
 	action := prompt("\nNo admin domain set. Enter '1' to input manually, or '2' to configure through TakingNames.io\n")
 	switch action {
 	case "1":
 		adminDomain := prompt("\nEnter admin domain:\n")

-		err := certConfig.ManageSync(context.Background(), []string{adminDomain})
-		if err != nil {
-			log.Fatal(err)
+		if autoCerts {
+			err := certConfig.ManageSync(context.Background(), []string{adminDomain})
+			if err != nil {
+				log.Fatal(err)
+			}
 		}

 		db.SetAdminDomain(adminDomain)
--- a/tunnel_manager.go
+++ b/tunnel_manager.go
@ -33,12 +33,14 @@ func NewTunnelManager(config *Config, db *Database, certConfig *certmagic.Config
 		log.Fatalf("Unable to get current user: %v", err)
 	}

-	for domainName, tun := range db.GetTunnels() {
-		if tun.TlsTermination == "server" {
-			err = certConfig.ManageSync(context.Background(), []string{domainName})
-			if err != nil {
-				log.Println("CertMagic error at startup")
-				log.Println(err)
+	if config.autoCerts {
+		for domainName, tun := range db.GetTunnels() {
+			if tun.TlsTermination == "server" {
+				err = certConfig.ManageSync(context.Background(), []string{domainName})
+				if err != nil {
+					log.Println("CertMagic error at startup")
+					log.Println(err)
+				}
 			}
 		}
 	}
@ -62,9 +64,11 @@ func (m *TunnelManager) RequestCreateTunnel(tunReq Tunnel) (Tunnel, error) {
 	}

 	if tunReq.TlsTermination == "server" {
-		err := m.certConfig.ManageSync(context.Background(), []string{tunReq.Domain})
-		if err != nil {
-			return Tunnel{}, errors.New("Failed to get cert")
+		if m.config.autoCerts {
+			err := m.certConfig.ManageSync(context.Background(), []string{tunReq.Domain})
+			if err != nil {
+				return Tunnel{}, errors.New("Failed to get cert")
+			}
 		}
 	}