refactor: auto certificate options

1. Add OCSP Must Staple options #292
2. Add LEGO_DISABLE_CNAME_SUPPORT options #407

internal/cert/auto_cert.go

@@ -71,12 +71,14 @@ func autoCert(certModel *model.Cert) {
 
 	// support SAN certification
 	payload := &ConfigPayload{
-		CertID:          certModel.ID,
-		ServerName:      certModel.Domains,
-		ChallengeMethod: certModel.ChallengeMethod,
-		DNSCredentialID: certModel.DnsCredentialID,
-		KeyType:         certModel.GetKeyType(),
-		NotBefore:       certInfo.NotBefore,
+		CertID:                  certModel.ID,
+		ServerName:              certModel.Domains,
+		ChallengeMethod:         certModel.ChallengeMethod,
+		DNSCredentialID:         certModel.DnsCredentialID,
+		KeyType:                 certModel.GetKeyType(),
+		NotBefore:               certInfo.NotBefore,
+		MustStaple:              certModel.MustStaple,
+		LegoDisableCNAMESupport: certModel.LegoDisableCNAMESupport,
 	}
 
 	if certModel.Resource != nil {

internal/cert/cert.go

@@ -130,7 +130,6 @@ func IssueCert(payload *ConfigPayload, logChan chan string, errChan chan error)
 			errChan <- errors.Wrap(err, "environment configuration is empty")
 			return
 		}
-
 	}
 
 	if err != nil {
@@ -138,6 +137,18 @@ func IssueCert(payload *ConfigPayload, logChan chan string, errChan chan error)
 		return
 	}
 
+	// fix #407
+	if payload.LegoDisableCNAMESupport {
+		err = os.Setenv("LEGO_DISABLE_CNAME_SUPPORT", "true")
+		if err != nil {
+			errChan <- errors.Wrap(err, "set env flag to disable lego CNAME support error")
+			return
+		}
+		defer func() {
+			_ = os.Unsetenv("LEGO_DISABLE_CNAME_SUPPORT")
+		}()
+	}
+
 	if time.Now().Sub(payload.NotBefore).Hours()/24 <= 21 &&
 		payload.Resource != nil && payload.Resource.Certificate != nil {
 		renew(payload, client, l, errChan)

internal/cert/obtain.go

@@ -10,8 +10,9 @@ import (
 
 func obtain(payload *ConfigPayload, client *lego.Client, l *log.Logger, errChan chan error) {
 	request := certificate.ObtainRequest{
-		Domains: payload.ServerName,
-		Bundle:  true,
+		Domains:    payload.ServerName,
+		Bundle:     true,
+		MustStaple: payload.MustStaple,
 	}
 
 	l.Println("[INFO] [Nginx UI] Obtaining certificate")

internal/cert/payload.go

@@ -16,17 +16,19 @@ import (
 )
 
 type ConfigPayload struct {
-	CertID                int                        `json:"cert_id"`
-	ServerName            []string                   `json:"server_name"`
-	ChallengeMethod       string                     `json:"challenge_method"`
-	DNSCredentialID       int                        `json:"dns_credential_id"`
-	ACMEUserID            int                        `json:"acme_user_id"`
-	KeyType               certcrypto.KeyType         `json:"key_type"`
-	Resource              *model.CertificateResource `json:"resource,omitempty"`
-	NotBefore             time.Time                  `json:"-"`
-	CertificateDir        string                     `json:"-"`
-	SSLCertificatePath    string                     `json:"-"`
-	SSLCertificateKeyPath string                     `json:"-"`
+	CertID                  int                        `json:"cert_id"`
+	ServerName              []string                   `json:"server_name"`
+	ChallengeMethod         string                     `json:"challenge_method"`
+	DNSCredentialID         int                        `json:"dns_credential_id"`
+	ACMEUserID              int                        `json:"acme_user_id"`
+	KeyType                 certcrypto.KeyType         `json:"key_type"`
+	Resource                *model.CertificateResource `json:"resource,omitempty"`
+	MustStaple              bool                       `json:"must_staple"`
+	LegoDisableCNAMESupport bool                       `json:"lego_disable_cname_support"`
+	NotBefore               time.Time                  `json:"-"`
+	CertificateDir          string                     `json:"-"`
+	SSLCertificatePath      string                     `json:"-"`
+	SSLCertificateKeyPath   string                     `json:"-"`
 }
 
 func (c *ConfigPayload) GetACMEUser() (user *model.AcmeUser, err error) {

internal/cert/renew.go

@@ -1,38 +1,39 @@
 package cert
 
 import (
-    "github.com/0xJacky/Nginx-UI/model"
-    "github.com/go-acme/lego/v4/certificate"
-    "github.com/go-acme/lego/v4/lego"
-    "github.com/pkg/errors"
-    "log"
+	"github.com/0xJacky/Nginx-UI/model"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/pkg/errors"
+	"log"
 )
 
 func renew(payload *ConfigPayload, client *lego.Client, l *log.Logger, errChan chan error) {
-    if payload.Resource == nil {
-        errChan <- errors.New("resource is nil")
-        return
-    }
+	if payload.Resource == nil {
+		errChan <- errors.New("resource is nil")
+		return
+	}
 
-    options := &certificate.RenewOptions{
-        Bundle: true,
-    }
+	options := &certificate.RenewOptions{
+		Bundle:     true,
+		MustStaple: payload.MustStaple,
+	}
 
-    cert, err := client.Certificate.RenewWithOptions(payload.Resource.GetResource(), options)
-    if err != nil {
-        errChan <- errors.Wrap(err, "renew cert error")
-        return
-    }
+	cert, err := client.Certificate.RenewWithOptions(payload.Resource.GetResource(), options)
+	if err != nil {
+		errChan <- errors.Wrap(err, "renew cert error")
+		return
+	}
 
-    payload.Resource = &model.CertificateResource{
-        Resource:          cert,
-        PrivateKey:        cert.PrivateKey,
-        Certificate:       cert.Certificate,
-        IssuerCertificate: cert.IssuerCertificate,
-        CSR:               cert.CSR,
-    }
+	payload.Resource = &model.CertificateResource{
+		Resource:          cert,
+		PrivateKey:        cert.PrivateKey,
+		Certificate:       cert.Certificate,
+		IssuerCertificate: cert.IssuerCertificate,
+		CSR:               cert.CSR,
+	}
 
-    payload.WriteFile(l, errChan)
+	payload.WriteFile(l, errChan)
 
-    l.Println("[INFO] [Nginx UI] Certificate renewed successfully")
+	l.Println("[INFO] [Nginx UI] Certificate renewed successfully")
 }