feat(ssl): TLS-Cert-Verwaltung in der GUI — Let's Encrypt + eigenes PEM
Backend: * internal/services/tlscerts/ — Repo (List/Get/Upsert/Delete/ GetByDomain/ListExpiringSoon/MarkError) gegen tls_certs-Tabelle. * internal/services/certstore/ — WriteCombined verifiziert cert/key match via tls.X509KeyPair, schreibt /etc/edgeguard/tls/<domain>.pem (HAProxy-format: cert + chain + key konkatenert). Parse extrahiert NotBefore/After/Issuer/SANs aus dem PEM. Domain-Charset-Whitelist gegen Path-Traversal beim Filename. 4 Tests (happy path, mismatched key, hostile filename, parse). * internal/services/acme/ — go-acme/lego v4 mit HTTP-01 über die bestehende /var/lib/edgeguard/acme-Webroot (HAProxy proxied dort schon hin). Account-Key persistent in /var/lib/edgeguard/acme- account/account.key, Registrierung lazy beim ersten Issue(). * internal/handlers/tlscerts.go — REST CRUD + /upload (custom PEM) + /issue (LE HTTP-01) auf /api/v1/tls-certs. Reload HAProxy via sudo nach jeder Mutation. Audit-Log pro Aktion. Frontend: * management-ui/src/pages/SSL/ — Tabs (Let's Encrypt / Eigenes Zertifikat) plus Tabelle aller installierten Zerts mit expires-in-Anzeige (orange ab <30 Tage, rot wenn abgelaufen) und Status-Tags. Sidebar-Eintrag, i18n de/en. * Networks-Form: Parent-Interface ist jetzt ein Select aus den System-Discovered-Interfaces statt freier Input — User-Wunsch. Packaging: * postinst legt /var/lib/edgeguard/acme-account/ 0700 an. * postinst installt /etc/sudoers.d/edgeguard mit NOPASSWD-Rule für systemctl reload haproxy.service — damit der edgeguard-User reloaden kann ohne root. Live deployed auf 89.163.205.6. /api/v1/tls-certs antwortet jetzt 401 ohne Cookie (Route registriert), POST /tls-certs/upload + /issue sind bereit. ACME-Issue gegen externe FQDN (utm-1.netcell-it.de) braucht nur noch die Domain, die im wizard schon angelegt ist. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
152
internal/services/tlscerts/tlscerts.go
Normal file
152
internal/services/tlscerts/tlscerts.go
Normal file
@@ -0,0 +1,152 @@
|
||||
// Package tlscerts implements CRUD against the tls_certs table —
|
||||
// the operator-visible inventory of certificates EdgeGuard manages,
|
||||
// covering both Let's-Encrypt-issued and operator-uploaded PEMs.
|
||||
package tlscerts
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"time"
|
||||
|
||||
"github.com/jackc/pgx/v5"
|
||||
"github.com/jackc/pgx/v5/pgxpool"
|
||||
|
||||
"git.netcell-it.de/projekte/edgeguard-native/internal/models"
|
||||
)
|
||||
|
||||
var ErrNotFound = errors.New("tls cert not found")
|
||||
|
||||
type Repo struct {
|
||||
Pool *pgxpool.Pool
|
||||
}
|
||||
|
||||
func New(pool *pgxpool.Pool) *Repo { return &Repo{Pool: pool} }
|
||||
|
||||
const baseSelect = `
|
||||
SELECT id, domain, issuer, status, cert_path, key_path,
|
||||
not_before, not_after, last_renewed_at, last_error,
|
||||
created_at, updated_at
|
||||
FROM tls_certs
|
||||
`
|
||||
|
||||
func (r *Repo) List(ctx context.Context) ([]models.TLSCert, error) {
|
||||
rows, err := r.Pool.Query(ctx, baseSelect+" ORDER BY domain ASC")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
out := make([]models.TLSCert, 0, 4)
|
||||
for rows.Next() {
|
||||
c, err := scan(rows)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
out = append(out, *c)
|
||||
}
|
||||
return out, rows.Err()
|
||||
}
|
||||
|
||||
func (r *Repo) Get(ctx context.Context, id int64) (*models.TLSCert, error) {
|
||||
row := r.Pool.QueryRow(ctx, baseSelect+" WHERE id = $1", id)
|
||||
c, err := scan(row)
|
||||
if err != nil {
|
||||
if errors.Is(err, pgx.ErrNoRows) {
|
||||
return nil, ErrNotFound
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
return c, nil
|
||||
}
|
||||
|
||||
func (r *Repo) GetByDomain(ctx context.Context, domain string) (*models.TLSCert, error) {
|
||||
row := r.Pool.QueryRow(ctx, baseSelect+" WHERE domain = $1", domain)
|
||||
c, err := scan(row)
|
||||
if err != nil {
|
||||
if errors.Is(err, pgx.ErrNoRows) {
|
||||
return nil, ErrNotFound
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
return c, nil
|
||||
}
|
||||
|
||||
// Upsert persists a cert by (domain). issued/renewed by certbot or
|
||||
// uploaded → same code path. Sets last_renewed_at = NOW() so the
|
||||
// renewal cron knows when to come back.
|
||||
func (r *Repo) Upsert(ctx context.Context, c models.TLSCert) (*models.TLSCert, error) {
|
||||
now := time.Now().UTC()
|
||||
row := r.Pool.QueryRow(ctx, `
|
||||
INSERT INTO tls_certs (domain, issuer, status, cert_path, key_path,
|
||||
not_before, not_after, last_renewed_at, last_error)
|
||||
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
|
||||
ON CONFLICT (domain) DO UPDATE SET
|
||||
issuer = EXCLUDED.issuer,
|
||||
status = EXCLUDED.status,
|
||||
cert_path = EXCLUDED.cert_path,
|
||||
key_path = EXCLUDED.key_path,
|
||||
not_before = EXCLUDED.not_before,
|
||||
not_after = EXCLUDED.not_after,
|
||||
last_renewed_at = EXCLUDED.last_renewed_at,
|
||||
last_error = EXCLUDED.last_error,
|
||||
updated_at = NOW()
|
||||
RETURNING id, domain, issuer, status, cert_path, key_path,
|
||||
not_before, not_after, last_renewed_at, last_error,
|
||||
created_at, updated_at`,
|
||||
c.Domain, c.Issuer, c.Status, c.CertPath, c.KeyPath,
|
||||
c.NotBefore, c.NotAfter, &now, c.LastError)
|
||||
return scan(row)
|
||||
}
|
||||
|
||||
func (r *Repo) MarkError(ctx context.Context, domain, msg string) error {
|
||||
_, err := r.Pool.Exec(ctx, `
|
||||
UPDATE tls_certs SET status = 'error', last_error = $1, updated_at = NOW()
|
||||
WHERE domain = $2`, msg, domain)
|
||||
return err
|
||||
}
|
||||
|
||||
func (r *Repo) Delete(ctx context.Context, id int64) error {
|
||||
tag, err := r.Pool.Exec(ctx, `DELETE FROM tls_certs WHERE id = $1`, id)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if tag.RowsAffected() == 0 {
|
||||
return ErrNotFound
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// ListExpiringSoon returns certs whose not_after is within the next
|
||||
// `within` (typically 30 days) and aren't already in error state —
|
||||
// the renewal scheduler picks these up.
|
||||
func (r *Repo) ListExpiringSoon(ctx context.Context, within time.Duration) ([]models.TLSCert, error) {
|
||||
cutoff := time.Now().UTC().Add(within)
|
||||
rows, err := r.Pool.Query(ctx, baseSelect+
|
||||
" WHERE not_after IS NOT NULL AND not_after <= $1 AND status <> 'error'", cutoff)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
out := make([]models.TLSCert, 0, 4)
|
||||
for rows.Next() {
|
||||
c, err := scan(rows)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
out = append(out, *c)
|
||||
}
|
||||
return out, rows.Err()
|
||||
}
|
||||
|
||||
func scan(row interface{ Scan(...any) error }) (*models.TLSCert, error) {
|
||||
var c models.TLSCert
|
||||
if err := row.Scan(
|
||||
&c.ID, &c.Domain, &c.Issuer, &c.Status,
|
||||
&c.CertPath, &c.KeyPath,
|
||||
&c.NotBefore, &c.NotAfter,
|
||||
&c.LastRenewedAt, &c.LastError,
|
||||
&c.CreatedAt, &c.UpdatedAt,
|
||||
); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &c, nil
|
||||
}
|
||||
Reference in New Issue
Block a user