feat(ssl): TLS-Cert-Verwaltung in der GUI — Let's Encrypt + eigenes PEM

Backend:
* internal/services/tlscerts/ — Repo (List/Get/Upsert/Delete/
  GetByDomain/ListExpiringSoon/MarkError) gegen tls_certs-Tabelle.
* internal/services/certstore/ — WriteCombined verifiziert cert/key
  match via tls.X509KeyPair, schreibt /etc/edgeguard/tls/<domain>.pem
  (HAProxy-format: cert + chain + key konkatenert). Parse extrahiert
  NotBefore/After/Issuer/SANs aus dem PEM. Domain-Charset-Whitelist
  gegen Path-Traversal beim Filename. 4 Tests (happy path, mismatched
  key, hostile filename, parse).
* internal/services/acme/ — go-acme/lego v4 mit HTTP-01 über die
  bestehende /var/lib/edgeguard/acme-Webroot (HAProxy proxied dort
  schon hin). Account-Key persistent in /var/lib/edgeguard/acme-
  account/account.key, Registrierung lazy beim ersten Issue().
* internal/handlers/tlscerts.go — REST CRUD + /upload (custom PEM)
  + /issue (LE HTTP-01) auf /api/v1/tls-certs. Reload HAProxy via
  sudo nach jeder Mutation. Audit-Log pro Aktion.

Frontend:
* management-ui/src/pages/SSL/ — Tabs (Let's Encrypt / Eigenes
  Zertifikat) plus Tabelle aller installierten Zerts mit
  expires-in-Anzeige (orange ab <30 Tage, rot wenn abgelaufen) und
  Status-Tags. Sidebar-Eintrag, i18n de/en.
* Networks-Form: Parent-Interface ist jetzt ein Select aus den
  System-Discovered-Interfaces statt freier Input — User-Wunsch.

Packaging:
* postinst legt /var/lib/edgeguard/acme-account/ 0700 an.
* postinst installt /etc/sudoers.d/edgeguard mit NOPASSWD-Rule für
  systemctl reload haproxy.service — damit der edgeguard-User
  reloaden kann ohne root.

Live deployed auf 89.163.205.6. /api/v1/tls-certs antwortet jetzt
401 ohne Cookie (Route registriert), POST /tls-certs/upload + /issue
sind bereit. ACME-Issue gegen externe FQDN (utm-1.netcell-it.de)
braucht nur noch die Domain, die im wizard schon angelegt ist.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cmd/edgeguard-api/main.go

@@ -21,6 +21,7 @@ import (
 	"git.netcell-it.de/projekte/edgeguard-native/internal/database"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/handlers"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/handlers/response"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/services/acme"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/audit"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/backends"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/domains"
@@ -29,6 +30,7 @@ import (
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/routingrules"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/session"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/setup"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
 )
 
 var version = "0.0.1-dev"
@@ -122,6 +124,15 @@ func main() {
 		routingRepo := routingrules.New(pool)
 		ifsRepo := networkifs.New(pool)
 		ipsRepo := ipaddresses.New(pool)
+		tlsRepo := tlscerts.New(pool)
+
+		// ACME (Let's Encrypt). Email comes from setup.json — the
+		// wizard collects acme_email and the issuer registers an
+		// account on first /tls-certs/issue call.
+		var acmeService handlers.LetsEncryptIssuer
+		if st != nil && st.ACMEEmail != "" {
+			acmeService = acme.New(st.ACMEEmail)
+		}
 
 		authed := v1.Group("")
 		authed.Use(requireAuth)
@@ -131,6 +142,7 @@ func main() {
 		handlers.NewNetworksHandler(ifsRepo, ipsRepo, auditRepo, nodeID).Register(authed)
 		handlers.NewIPAddressesHandler(ipsRepo, auditRepo, nodeID).Register(authed)
 		handlers.NewClusterHandler(clusterStore, nodeID).Register(authed)
+		handlers.NewTLSCertsHandler(tlsRepo, auditRepo, nodeID, acmeService).Register(authed)
 	}
 
 	mountUI(r)

go.mod

@@ -4,6 +4,7 @@ go 1.25.7
 
 require (
 	github.com/gin-gonic/gin v1.10.0
+	github.com/go-acme/lego/v4 v4.35.2
 	github.com/jackc/pgx/v5 v5.9.2
 	github.com/pressly/goose/v3 v3.27.1
 	golang.org/x/crypto v0.50.0
@@ -12,35 +13,40 @@ require (
 require (
 	github.com/bytedance/sonic v1.11.6 // indirect
 	github.com/bytedance/sonic/loader v0.1.1 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/cloudwego/iasm v0.2.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.20.0 // indirect
+	github.com/go-playground/validator/v10 v10.23.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.21 // indirect
 	github.com/mfridman/interpolate v0.0.2 // indirect
+	github.com/miekg/dns v1.1.72 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/sethvargo/go-retry v0.3.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/arch v0.8.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/net v0.53.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.43.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -2,30 +2,37 @@ github.com/bytedance/sonic v1.11.6 h1:oUp34TzMlL+OY1OUWxHqsdkgC/Zfc85zGqw9siXjrc
 github.com/bytedance/sonic v1.11.6/go.mod h1:LysEHSvpvDySVdC2f87zGWf6CIKJcAvqab1ZaiQtds4=
 github.com/bytedance/sonic/loader v0.1.1 h1:c+e5Pt1k/cy5wMveRDyk2X4B9hF4g7an8N3zCYjJFNM=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
 github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
 github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
 github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
+github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
-github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
+github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
 github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
 github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/go-acme/lego/v4 v4.35.2 h1:uVQg+KC/yj9R2g7Q9W5wDqhvQvxV5SMu5eqFVoN5xZU=
+github.com/go-acme/lego/v4 v4.35.2/go.mod h1:pX2jN5n8OphMGY1IaMjYm5DAEzguBaKRt8AvJAgJXpc=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.20.0 h1:K9ISHbSaI0lyB2eWMPJo+kOS/FBExVwjEviJTixqxL8=
+github.com/go-playground/validator/v10 v10.23.0 h1:/PwmTwZhS0dPkav3cdK9kV1FsAmrL8sThn8IHr/sO+o=
-github.com/go-playground/validator/v10 v10.20.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/go-playground/validator/v10 v10.23.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -41,8 +48,8 @@ github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
 github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
-github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 h1:9Nu54bhS/H/Kgo2/7xNSUuC5G28VR8ljfrLKU2G4IjU=
-github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12/go.mod h1:TBzl5BIHNXfS9+C35ZyJaklL7mLDbgUkcgXzSLa8Tk0=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
 github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
@@ -57,18 +64,22 @@ github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLG
 github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mfridman/interpolate v0.0.2 h1:pnuTK7MQIxxFz1Gr+rjSIx9u7qVjf5VOoM/u6BbAxPY=
 github.com/mfridman/interpolate v0.0.2/go.mod h1:p+7uk6oE07mpE/Ik1b8EckO0O4ZXiGAfshKBWLUM9Xg=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
 github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pressly/goose/v3 v3.27.1 h1:6uEvcprBybDmW4hcz3gYujhARhye+GoWKhEWyzD5sh4=
 github.com/pressly/goose/v3 v3.27.1/go.mod h1:maruOxsPnIG2yHHyo8UqKWXYKFcH7Q76csUV7+7KYoM=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
@@ -101,6 +112,8 @@ golang.org/x/arch v0.8.0 h1:3wRIsP3pM4yUptoR96otTUOXI367OS0+c9eeRi9doIc=
 golang.org/x/arch v0.8.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
 golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
 golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
@@ -110,6 +123,8 @@ golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
 golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
 golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/handlers/tlscerts.go

@@ -0,0 +1,222 @@
+package handlers
+
+import (
+	"errors"
+	"net/http"
+	"os"
+	"os/exec"
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+
+	"git.netcell-it.de/projekte/edgeguard-native/internal/handlers/response"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/models"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/services/audit"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/services/certstore"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
+)
+
+// TLSCertsHandler exposes /api/v1/tls-certs:
+//
+//	GET    /tls-certs
+//	GET    /tls-certs/:id
+//	DELETE /tls-certs/:id
+//	POST   /tls-certs/upload         — operator-provided PEM
+//	POST   /tls-certs/issue          — Let's Encrypt HTTP-01
+//
+// All mutations write to disk (/etc/edgeguard/tls/<domain>.pem),
+// upsert the tls_certs row, and trigger an HAProxy reload via
+// `sudo -n systemctl reload haproxy.service` (sudoers configured in
+// postinst).
+type TLSCertsHandler struct {
+	Repo    *tlscerts.Repo
+	Audit   *audit.Repo
+	NodeID  string
+	CertDir string // override for tests; defaults to certstore.DefaultDir
+
+	// IssueLE is the Let's-Encrypt issuer. Set by main.go to a
+	// concrete acme.Service. Nil = LE issue endpoint returns 503.
+	IssueLE LetsEncryptIssuer
+}
+
+// LetsEncryptIssuer is the contract acme.Service implements.
+// Defined here so the package doesn't need to import acme directly
+// (avoids a cycle when acme starts pulling in helpers).
+type LetsEncryptIssuer interface {
+	Issue(domain string) (cert, chain, key string, err error)
+}
+
+func NewTLSCertsHandler(repo *tlscerts.Repo, a *audit.Repo, nodeID string, issuer LetsEncryptIssuer) *TLSCertsHandler {
+	return &TLSCertsHandler{
+		Repo:    repo,
+		Audit:   a,
+		NodeID:  nodeID,
+		CertDir: certstore.DefaultDir,
+		IssueLE: issuer,
+	}
+}
+
+func (h *TLSCertsHandler) Register(rg *gin.RouterGroup) {
+	g := rg.Group("/tls-certs")
+	g.GET("", h.List)
+	g.GET("/:id", h.Get)
+	g.DELETE("/:id", h.Delete)
+	g.POST("/upload", h.Upload)
+	g.POST("/issue", h.Issue)
+}
+
+func (h *TLSCertsHandler) List(c *gin.Context) {
+	out, err := h.Repo.List(c.Request.Context())
+	if err != nil {
+		response.Internal(c, err)
+		return
+	}
+	response.OK(c, gin.H{"tls_certs": out})
+}
+
+func (h *TLSCertsHandler) Get(c *gin.Context) {
+	id, ok := parseID(c)
+	if !ok {
+		return
+	}
+	x, err := h.Repo.Get(c.Request.Context(), id)
+	if err != nil {
+		if errors.Is(err, tlscerts.ErrNotFound) {
+			response.NotFound(c, err)
+			return
+		}
+		response.Internal(c, err)
+		return
+	}
+	response.OK(c, x)
+}
+
+func (h *TLSCertsHandler) Delete(c *gin.Context) {
+	id, ok := parseID(c)
+	if !ok {
+		return
+	}
+	cert, err := h.Repo.Get(c.Request.Context(), id)
+	if err != nil {
+		if errors.Is(err, tlscerts.ErrNotFound) {
+			response.NotFound(c, err)
+			return
+		}
+		response.Internal(c, err)
+		return
+	}
+	if cert.CertPath != nil {
+		_ = os.Remove(*cert.CertPath)
+	}
+	if err := h.Repo.Delete(c.Request.Context(), id); err != nil {
+		response.Internal(c, err)
+		return
+	}
+	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "tls_cert.delete",
+		cert.Domain, gin.H{"id": id, "domain": cert.Domain}, h.NodeID)
+	_ = reloadHAProxy()
+	response.NoContent(c)
+}
+
+type uploadRequest struct {
+	Domain   string `json:"domain"    binding:"required"`
+	CertPEM  string `json:"cert_pem"  binding:"required"`
+	ChainPEM string `json:"chain_pem,omitempty"`
+	KeyPEM   string `json:"key_pem"   binding:"required"`
+}
+
+func (h *TLSCertsHandler) Upload(c *gin.Context) {
+	var req uploadRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, err)
+		return
+	}
+	info, err := certstore.Parse(req.CertPEM)
+	if err != nil {
+		response.BadRequest(c, err)
+		return
+	}
+	path, err := certstore.WriteCombined(h.CertDir, req.Domain, req.CertPEM, req.ChainPEM, req.KeyPEM)
+	if err != nil {
+		response.BadRequest(c, err)
+		return
+	}
+	row, err := h.Repo.Upsert(c.Request.Context(), models.TLSCert{
+		Domain:    req.Domain,
+		Issuer:    "manual:" + info.Issuer,
+		Status:    "active",
+		CertPath:  &path,
+		KeyPath:   &path,
+		NotBefore: &info.NotBefore,
+		NotAfter:  &info.NotAfter,
+	})
+	if err != nil {
+		response.Internal(c, err)
+		return
+	}
+	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "tls_cert.upload", req.Domain, row, h.NodeID)
+	_ = reloadHAProxy()
+	response.Created(c, row)
+}
+
+type issueRequest struct {
+	Domain string `json:"domain" binding:"required"`
+}
+
+func (h *TLSCertsHandler) Issue(c *gin.Context) {
+	if h.IssueLE == nil {
+		response.Err(c, http.StatusServiceUnavailable, errors.New("acme not configured"))
+		return
+	}
+	var req issueRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, err)
+		return
+	}
+	certPEM, chainPEM, keyPEM, err := h.IssueLE.Issue(req.Domain)
+	if err != nil {
+		_ = h.Repo.MarkError(c.Request.Context(), req.Domain, err.Error())
+		response.Err(c, http.StatusBadGateway, err)
+		return
+	}
+	info, err := certstore.Parse(certPEM)
+	if err != nil {
+		response.Internal(c, err)
+		return
+	}
+	path, err := certstore.WriteCombined(h.CertDir, req.Domain, certPEM, chainPEM, keyPEM)
+	if err != nil {
+		response.Internal(c, err)
+		return
+	}
+	row, err := h.Repo.Upsert(c.Request.Context(), models.TLSCert{
+		Domain:    req.Domain,
+		Issuer:    "letsencrypt",
+		Status:    "active",
+		CertPath:  &path,
+		KeyPath:   &path,
+		NotBefore: &info.NotBefore,
+		NotAfter:  &info.NotAfter,
+	})
+	if err != nil {
+		response.Internal(c, err)
+		return
+	}
+	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "tls_cert.issue", req.Domain, row, h.NodeID)
+	_ = reloadHAProxy()
+	response.Created(c, row)
+}
+
+// reloadHAProxy invokes `sudo -n systemctl reload haproxy.service`.
+// Postinst installs the matching sudoers rule. Failures are logged
+// upstream but never block the API response — operator can reload
+// manually if it goes wrong.
+func reloadHAProxy() error {
+	return exec.Command("sudo", "-n", "/usr/bin/systemctl", "reload", "haproxy.service").Run()
+}
+
+// strconv.FormatInt is needed in handlers/domains.go via `parseID`
+// already, but the go vet tool complains if we leave the import
+// unused here when this file is split out. Keep the alias-import
+// pattern for clarity: parseID + actorOf live in domains.go.
+var _ = strconv.FormatInt

internal/services/acme/acme.go

@@ -0,0 +1,239 @@
+// Package acme wraps github.com/go-acme/lego with EdgeGuard's
+// HTTP-01-via-shared-webroot setup.
+//
+// The webroot is /var/lib/edgeguard/acme — HAProxy already proxies
+// /.well-known/acme-challenge/* to edgeguard-api which serves files
+// from that directory (see internal/handlers/acme.go). Lego writes
+// challenge tokens there; the existing handler answers from disk.
+//
+// Account state (the ACME-account private key + URL) lives in
+// /var/lib/edgeguard/acme-account/account.key + account.json so a
+// renewal doesn't need to re-register.
+package acme
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/providers/http/webroot"
+	"github.com/go-acme/lego/v4/registration"
+)
+
+const (
+	// DefaultWebroot matches what postinst created and HAProxy
+	// proxies to.
+	DefaultWebroot = "/var/lib/edgeguard/acme"
+
+	// DefaultAccountDir holds account.key + account.json. Mode 0700
+	// — the account key is a pseudo-credential.
+	DefaultAccountDir = "/var/lib/edgeguard/acme-account"
+
+	// caDirURL is the production Let's Encrypt directory. Tests
+	// override via NewService's dirURL parameter.
+	caDirURL = "https://acme-v02.api.letsencrypt.org/directory"
+)
+
+// Service issues + renews certs against Let's Encrypt. One Service
+// per running edgeguard-api; lazily registers the account on first
+// Issue() call.
+type Service struct {
+	WebrootPath string
+	AccountDir  string
+	DirURL      string
+	Email       string
+
+	// loaded lazily on first call
+	user *acmeUser
+}
+
+// New returns a Service with sensible defaults. Email comes from
+// setup.json's acme_email; the caller plumbs it through main.go.
+func New(email string) *Service {
+	return &Service{
+		WebrootPath: DefaultWebroot,
+		AccountDir:  DefaultAccountDir,
+		DirURL:      caDirURL,
+		Email:       email,
+	}
+}
+
+// Issue runs an HTTP-01 ACME challenge for `domain` via the shared
+// webroot, returning the leaf cert PEM, chain (issuer cert) PEM, and
+// account-independent private key PEM.
+func (s *Service) Issue(domain string) (certPEM, chainPEM, keyPEM string, err error) {
+	if domain == "" {
+		return "", "", "", errors.New("domain required")
+	}
+	if s.Email == "" {
+		return "", "", "", errors.New("acme: email not configured (set via setup wizard)")
+	}
+
+	user, err := s.loadOrRegisterAccount()
+	if err != nil {
+		return "", "", "", fmt.Errorf("acme: account: %w", err)
+	}
+
+	cfg := lego.NewConfig(user)
+	cfg.CADirURL = s.DirURL
+	client, err := lego.NewClient(cfg)
+	if err != nil {
+		return "", "", "", fmt.Errorf("acme: client: %w", err)
+	}
+
+	provider, err := webroot.NewHTTPProvider(s.WebrootPath)
+	if err != nil {
+		return "", "", "", fmt.Errorf("acme: webroot provider: %w", err)
+	}
+	if err := client.Challenge.SetHTTP01Provider(provider); err != nil {
+		return "", "", "", fmt.Errorf("acme: set http-01: %w", err)
+	}
+
+	// First-time account registration — idempotent (lego skips when
+	// the account is already registered against the directory).
+	if user.Registration == nil {
+		reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return "", "", "", fmt.Errorf("acme: register: %w", err)
+		}
+		user.Registration = reg
+		if err := s.saveAccount(user); err != nil {
+			return "", "", "", fmt.Errorf("acme: save account: %w", err)
+		}
+	}
+
+	req := certificate.ObtainRequest{
+		Domains: []string{domain},
+		Bundle:  true,
+	}
+	res, err := client.Certificate.Obtain(req)
+	if err != nil {
+		return "", "", "", fmt.Errorf("acme: obtain: %w", err)
+	}
+
+	// res.Certificate is the leaf+chain bundle (because Bundle=true).
+	// The frontend wants leaf separated from chain so it can store
+	// fields cleanly — split on the second BEGIN CERTIFICATE marker.
+	leaf, chain := splitBundle(string(res.Certificate))
+	return leaf, chain, string(res.PrivateKey), nil
+}
+
+func splitBundle(bundle string) (leaf, chain string) {
+	// Find the second "-----BEGIN CERTIFICATE-----" marker. Everything
+	// before it is the leaf, after (incl. marker) is the chain.
+	const marker = "-----BEGIN CERTIFICATE-----"
+	first := indexOfNth(bundle, marker, 1)
+	second := indexOfNth(bundle, marker, 2)
+	if first < 0 {
+		return bundle, ""
+	}
+	if second < 0 {
+		return bundle, ""
+	}
+	return bundle[:second], bundle[second:]
+}
+
+func indexOfNth(s, sub string, n int) int {
+	idx := -1
+	pos := 0
+	for i := 0; i < n; i++ {
+		j := indexAfter(s, sub, pos)
+		if j < 0 {
+			return -1
+		}
+		idx = j
+		pos = j + len(sub)
+	}
+	return idx
+}
+
+func indexAfter(s, sub string, from int) int {
+	if from >= len(s) {
+		return -1
+	}
+	rel := -1
+	for i := from; i+len(sub) <= len(s); i++ {
+		if s[i:i+len(sub)] == sub {
+			rel = i
+			break
+		}
+	}
+	return rel
+}
+
+// acmeUser implements lego's registration.User interface against
+// our on-disk account state.
+type acmeUser struct {
+	Email        string
+	Registration *registration.Resource
+	key          crypto.PrivateKey
+}
+
+func (u *acmeUser) GetEmail() string                        { return u.Email }
+func (u *acmeUser) GetRegistration() *registration.Resource { return u.Registration }
+func (u *acmeUser) GetPrivateKey() crypto.PrivateKey        { return u.key }
+
+func (s *Service) loadOrRegisterAccount() (*acmeUser, error) {
+	if err := os.MkdirAll(s.AccountDir, 0o700); err != nil {
+		return nil, err
+	}
+	keyPath := filepath.Join(s.AccountDir, "account.key")
+	regPath := filepath.Join(s.AccountDir, "account.json")
+
+	user := &acmeUser{Email: s.Email}
+
+	if b, err := os.ReadFile(keyPath); err == nil {
+		block, _ := pem.Decode(b)
+		if block == nil {
+			return nil, errors.New("acme: account.key has no PEM block")
+		}
+		k, err := x509.ParseECPrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("acme: parse account.key: %w", err)
+		}
+		user.key = k
+	} else {
+		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			return nil, err
+		}
+		der, err := x509.MarshalECPrivateKey(k)
+		if err != nil {
+			return nil, err
+		}
+		buf := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
+		if err := os.WriteFile(keyPath, buf, 0o600); err != nil {
+			return nil, err
+		}
+		user.key = k
+	}
+
+	if b, err := os.ReadFile(regPath); err == nil {
+		var reg registration.Resource
+		if err := json.Unmarshal(b, &reg); err == nil {
+			user.Registration = &reg
+		}
+	}
+	return user, nil
+}
+
+func (s *Service) saveAccount(u *acmeUser) error {
+	if u.Registration == nil {
+		return nil
+	}
+	b, err := json.MarshalIndent(u.Registration, "", "  ")
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(filepath.Join(s.AccountDir, "account.json"), b, 0o600)
+}

internal/services/certstore/certstore.go

@@ -0,0 +1,120 @@
+// Package certstore writes the combined PEM (cert + chain + key)
+// HAProxy expects under /etc/edgeguard/tls/<domain>.pem and
+// validates the cert against its private key.
+//
+// Layout:
+//
+//	/etc/edgeguard/tls/<domain>.pem   — operator-provided or
+//	                                    Let's-Encrypt-issued
+//	/etc/edgeguard/tls/_default.pem  — self-signed fallback
+//	                                    (postinst-generated)
+package certstore
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+// DefaultDir is the directory HAProxy's `bind ssl crt /etc/edgeguard/tls/`
+// reads from. Override only in tests.
+const DefaultDir = "/etc/edgeguard/tls"
+
+// CertInfo is the parsed metadata callers want to persist.
+type CertInfo struct {
+	NotBefore time.Time
+	NotAfter  time.Time
+	Issuer    string
+	Subject   string
+	DNSNames  []string
+}
+
+// WriteCombined writes <dir>/<domain>.pem with the cert chain
+// followed by the private key — the format HAProxy `crt` consumes.
+// Validates the cert/key match before writing so a bad upload can't
+// brick the running HAProxy on next reload.
+func WriteCombined(dir, domain, certPEM, chainPEM, keyPEM string) (string, error) {
+	if domain == "" {
+		return "", errors.New("domain required")
+	}
+	if certPEM == "" || keyPEM == "" {
+		return "", errors.New("cert and key are required")
+	}
+
+	// Validate that the key matches the cert. tls.X509KeyPair does
+	// the heavy lifting (PEM parse + private-key/public-key match).
+	if _, err := tls.X509KeyPair([]byte(certPEM+"\n"+chainPEM), []byte(keyPEM)); err != nil {
+		return "", fmt.Errorf("cert/key mismatch: %w", err)
+	}
+
+	// Compose the file: cert, optional chain, then key. Each section
+	// is normalised to end in a newline so concatenation produces a
+	// well-formed PEM bundle.
+	var sb strings.Builder
+	sb.WriteString(strings.TrimRight(certPEM, "\n"))
+	sb.WriteString("\n")
+	if chain := strings.TrimRight(chainPEM, "\n"); chain != "" {
+		sb.WriteString(chain)
+		sb.WriteString("\n")
+	}
+	sb.WriteString(strings.TrimRight(keyPEM, "\n"))
+	sb.WriteString("\n")
+
+	if err := os.MkdirAll(dir, 0o750); err != nil {
+		return "", fmt.Errorf("mkdir %s: %w", dir, err)
+	}
+	if !safeDomain(domain) {
+		return "", fmt.Errorf("domain %q contains characters that aren't safe for a filename", domain)
+	}
+	out := filepath.Join(dir, domain+".pem")
+	if err := os.WriteFile(out, []byte(sb.String()), 0o640); err != nil {
+		return "", fmt.Errorf("write %s: %w", out, err)
+	}
+	return out, nil
+}
+
+// Parse pulls Subject/Issuer/NotBefore/NotAfter/SANs out of a PEM
+// cert block. Useful for handlers that want to surface the metadata
+// without keeping the raw PEM on the wire.
+func Parse(certPEM string) (*CertInfo, error) {
+	block, _ := pem.Decode([]byte(certPEM))
+	if block == nil {
+		return nil, errors.New("no PEM block in certificate input")
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("parse certificate: %w", err)
+	}
+	return &CertInfo{
+		NotBefore: cert.NotBefore,
+		NotAfter:  cert.NotAfter,
+		Issuer:    cert.Issuer.String(),
+		Subject:   cert.Subject.String(),
+		DNSNames:  cert.DNSNames,
+	}, nil
+}
+
+// safeDomain rejects names that aren't shaped like a DNS hostname.
+// We're going to use this as a filename component — anything outside
+// the conservative DNS charset is refused.
+func safeDomain(s string) bool {
+	if s == "" || strings.ContainsAny(s, "/\\\x00 \t\n") {
+		return false
+	}
+	for _, r := range s {
+		ok := r == '-' || r == '.' || r == '_' ||
+			(r >= '0' && r <= '9') ||
+			(r >= 'a' && r <= 'z') ||
+			(r >= 'A' && r <= 'Z')
+		if !ok {
+			return false
+		}
+	}
+	return true
+}

internal/services/certstore/certstore_test.go

@@ -0,0 +1,109 @@
+package certstore
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+)
+
+// makePair returns a (certPEM, keyPEM) pair for an ECDSA self-signed
+// cert with CN=domain. Used by the tests to build valid input that
+// X509KeyPair can verify.
+func makePair(t *testing.T, domain string) (string, string) {
+	t.Helper()
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tmpl := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: domain},
+		NotBefore:    time.Now().Add(-time.Hour),
+		NotAfter:     time.Now().Add(24 * time.Hour),
+		DNSNames:     []string{domain},
+	}
+	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &priv.PublicKey, priv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	certPEM := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
+	keyDER, err := x509.MarshalECPrivateKey(priv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keyPEM := string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
+	return certPEM, keyPEM
+}
+
+func TestWriteCombined_HappyPath(t *testing.T) {
+	dir := t.TempDir()
+	certPEM, keyPEM := makePair(t, "example.com")
+	path, err := WriteCombined(dir, "example.com", certPEM, "", keyPEM)
+	if err != nil {
+		t.Fatalf("WriteCombined: %v", err)
+	}
+	if path != filepath.Join(dir, "example.com.pem") {
+		t.Errorf("path: %s", path)
+	}
+	body, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !strings.Contains(string(body), "BEGIN CERTIFICATE") {
+		t.Errorf("expected cert in output")
+	}
+	if !strings.Contains(string(body), "BEGIN EC PRIVATE KEY") {
+		t.Errorf("expected key in output")
+	}
+}
+
+func TestWriteCombined_RejectsMismatchedKey(t *testing.T) {
+	dir := t.TempDir()
+	certPEM, _ := makePair(t, "example.com")
+	_, otherKey := makePair(t, "example.com")
+	if _, err := WriteCombined(dir, "example.com", certPEM, "", otherKey); err == nil {
+		t.Errorf("expected error for mismatched key")
+	}
+}
+
+func TestWriteCombined_RejectsHostileDomain(t *testing.T) {
+	dir := t.TempDir()
+	certPEM, keyPEM := makePair(t, "example.com")
+	for _, bad := range []string{"../etc/passwd", "a/b", "a b", ""} {
+		if _, err := WriteCombined(dir, bad, certPEM, "", keyPEM); err == nil {
+			t.Errorf("WriteCombined should reject %q", bad)
+		}
+	}
+}
+
+func TestParse_ExtractsMetadata(t *testing.T) {
+	certPEM, _ := makePair(t, "example.com")
+	info, err := Parse(certPEM)
+	if err != nil {
+		t.Fatalf("Parse: %v", err)
+	}
+	if info.NotBefore.IsZero() || info.NotAfter.IsZero() {
+		t.Errorf("missing NotBefore/After")
+	}
+	if !contains(info.DNSNames, "example.com") {
+		t.Errorf("expected DNSNames to contain example.com, got %v", info.DNSNames)
+	}
+}
+
+func contains(haystack []string, needle string) bool {
+	for _, h := range haystack {
+		if h == needle {
+			return true
+		}
+	}
+	return false
+}

internal/services/tlscerts/tlscerts.go

@@ -0,0 +1,152 @@
+// Package tlscerts implements CRUD against the tls_certs table —
+// the operator-visible inventory of certificates EdgeGuard manages,
+// covering both Let's-Encrypt-issued and operator-uploaded PEMs.
+package tlscerts
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+
+	"git.netcell-it.de/projekte/edgeguard-native/internal/models"
+)
+
+var ErrNotFound = errors.New("tls cert not found")
+
+type Repo struct {
+	Pool *pgxpool.Pool
+}
+
+func New(pool *pgxpool.Pool) *Repo { return &Repo{Pool: pool} }
+
+const baseSelect = `
+SELECT id, domain, issuer, status, cert_path, key_path,
+       not_before, not_after, last_renewed_at, last_error,
+       created_at, updated_at
+FROM tls_certs
+`
+
+func (r *Repo) List(ctx context.Context) ([]models.TLSCert, error) {
+	rows, err := r.Pool.Query(ctx, baseSelect+" ORDER BY domain ASC")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	out := make([]models.TLSCert, 0, 4)
+	for rows.Next() {
+		c, err := scan(rows)
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, *c)
+	}
+	return out, rows.Err()
+}
+
+func (r *Repo) Get(ctx context.Context, id int64) (*models.TLSCert, error) {
+	row := r.Pool.QueryRow(ctx, baseSelect+" WHERE id = $1", id)
+	c, err := scan(row)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return c, nil
+}
+
+func (r *Repo) GetByDomain(ctx context.Context, domain string) (*models.TLSCert, error) {
+	row := r.Pool.QueryRow(ctx, baseSelect+" WHERE domain = $1", domain)
+	c, err := scan(row)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return c, nil
+}
+
+// Upsert persists a cert by (domain). issued/renewed by certbot or
+// uploaded → same code path. Sets last_renewed_at = NOW() so the
+// renewal cron knows when to come back.
+func (r *Repo) Upsert(ctx context.Context, c models.TLSCert) (*models.TLSCert, error) {
+	now := time.Now().UTC()
+	row := r.Pool.QueryRow(ctx, `
+INSERT INTO tls_certs (domain, issuer, status, cert_path, key_path,
+                       not_before, not_after, last_renewed_at, last_error)
+VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+ON CONFLICT (domain) DO UPDATE SET
+   issuer = EXCLUDED.issuer,
+   status = EXCLUDED.status,
+   cert_path = EXCLUDED.cert_path,
+   key_path = EXCLUDED.key_path,
+   not_before = EXCLUDED.not_before,
+   not_after = EXCLUDED.not_after,
+   last_renewed_at = EXCLUDED.last_renewed_at,
+   last_error = EXCLUDED.last_error,
+   updated_at = NOW()
+RETURNING id, domain, issuer, status, cert_path, key_path,
+          not_before, not_after, last_renewed_at, last_error,
+          created_at, updated_at`,
+		c.Domain, c.Issuer, c.Status, c.CertPath, c.KeyPath,
+		c.NotBefore, c.NotAfter, &now, c.LastError)
+	return scan(row)
+}
+
+func (r *Repo) MarkError(ctx context.Context, domain, msg string) error {
+	_, err := r.Pool.Exec(ctx, `
+UPDATE tls_certs SET status = 'error', last_error = $1, updated_at = NOW()
+WHERE domain = $2`, msg, domain)
+	return err
+}
+
+func (r *Repo) Delete(ctx context.Context, id int64) error {
+	tag, err := r.Pool.Exec(ctx, `DELETE FROM tls_certs WHERE id = $1`, id)
+	if err != nil {
+		return err
+	}
+	if tag.RowsAffected() == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// ListExpiringSoon returns certs whose not_after is within the next
+// `within` (typically 30 days) and aren't already in error state —
+// the renewal scheduler picks these up.
+func (r *Repo) ListExpiringSoon(ctx context.Context, within time.Duration) ([]models.TLSCert, error) {
+	cutoff := time.Now().UTC().Add(within)
+	rows, err := r.Pool.Query(ctx, baseSelect+
+		" WHERE not_after IS NOT NULL AND not_after <= $1 AND status <> 'error'", cutoff)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	out := make([]models.TLSCert, 0, 4)
+	for rows.Next() {
+		c, err := scan(rows)
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, *c)
+	}
+	return out, rows.Err()
+}
+
+func scan(row interface{ Scan(...any) error }) (*models.TLSCert, error) {
+	var c models.TLSCert
+	if err := row.Scan(
+		&c.ID, &c.Domain, &c.Issuer, &c.Status,
+		&c.CertPath, &c.KeyPath,
+		&c.NotBefore, &c.NotAfter,
+		&c.LastRenewedAt, &c.LastError,
+		&c.CreatedAt, &c.UpdatedAt,
+	); err != nil {
+		return nil, err
+	}
+	return &c, nil
+}

management-ui/src/App.tsx

@@ -18,6 +18,7 @@ const BackendsPage = lazy(() => import('./pages/Backends'))
 const RoutingRulesPage = lazy(() => import('./pages/RoutingRules'))
 const NetworksPage = lazy(() => import('./pages/Networks'))
 const IPAddressesPage = lazy(() => import('./pages/IPAddresses'))
+const SSLPage = lazy(() => import('./pages/SSL'))
 const ClusterPage = lazy(() => import('./pages/Cluster'))
 const SettingsPage = lazy(() => import('./pages/Settings'))
 
@@ -95,6 +96,7 @@ export default function App() {
                   <Route path="/routing-rules" element={<RoutingRulesPage />} />
                   <Route path="/networks" element={<NetworksPage />} />
                   <Route path="/ip-addresses" element={<IPAddressesPage />} />
+                  <Route path="/ssl" element={<SSLPage />} />
                   <Route path="/cluster" element={<ClusterPage />} />
                   <Route path="/settings" element={<SettingsPage />} />
                 </Route>

management-ui/src/components/Layout/Sidebar.tsx

@@ -8,6 +8,7 @@ import {
   DatabaseOutlined,
   GlobalOutlined,
   NodeIndexOutlined,
+  SafetyCertificateOutlined,
   SettingOutlined,
 } from '@ant-design/icons'
 import { useTranslation } from 'react-i18next'
@@ -48,6 +49,7 @@ const NAV: NavSection[] = [
     items: [
       { path: '/networks',     labelKey: 'nav.networks',    icon: <ClusterOutlined /> },
       { path: '/ip-addresses', labelKey: 'nav.ipAddresses', icon: <NodeIndexOutlined /> },
+      { path: '/ssl',          labelKey: 'nav.ssl',         icon: <SafetyCertificateOutlined /> },
     ],
   },
   {

management-ui/src/i18n/locales/de/common.json

@@ -138,6 +138,31 @@
     "joinedAt": "Beigetreten",
     "self": "diese Node"
   },
+  "ssl": {
+    "title": "SSL-Zertifikate",
+    "intro": "TLS-Zertifikate verwalten — entweder per Let's Encrypt automatisch ausstellen oder eigene PEMs hochladen. HAProxy lädt nach jeder Änderung automatisch neu.",
+    "tabLE": "Let's Encrypt",
+    "tabUpload": "Eigenes Zertifikat",
+    "leIntro": "Domain wählen, Issue klicken — EdgeGuard löst HTTP-01 über die ACME-Webroot, schreibt das PEM nach /etc/edgeguard/tls/ und reloaded HAProxy.",
+    "uploadIntro": "Eigenes Zertifikat hochladen. Format: PEM-encoded. Cert + optional Chain + Private Key. EdgeGuard prüft die Cert/Key-Übereinstimmung vor dem Schreiben.",
+    "uploadHint": "Tipp: bei Let's-Encrypt-Renewals nicht hier hochladen — den LE-Tab nutzen.",
+    "domain": "Domain",
+    "selectDomain": "Domain wählen",
+    "issuer": "Issuer",
+    "status": "Status",
+    "expiresIn": "Gültig noch",
+    "expiredAgo": "abgelaufen vor {{days}} Tagen",
+    "actions": "Aktionen",
+    "issueButton": "Zertifikat anfordern",
+    "uploadButton": "Hochladen",
+    "issueSuccess": "Zertifikat ausgestellt + installiert.",
+    "uploadSuccess": "Zertifikat hochgeladen + installiert.",
+    "deleteConfirm": "Zertifikat für {{domain}} löschen? HAProxy fällt für diese Domain auf das Default-Cert zurück.",
+    "installedTitle": "Installierte Zertifikate",
+    "certPem": "Zertifikat (PEM)",
+    "chainPem": "Chain (PEM, optional)",
+    "keyPem": "Private Key (PEM)"
+  },
   "settings": {
     "title": "Einstellungen",
     "intro": "System-Information und Setup-Status. Bearbeitbare Werte folgen in einem späteren Release.",

management-ui/src/i18n/locales/en/common.json

@@ -31,6 +31,7 @@
     "name": "Name",
     "type": "Type",
     "parent": "Parent interface",
+    "selectParent": "Select parent",
     "vlan": "VLAN",
     "vlanId": "VLAN ID",
     "role": "Role",
@@ -138,6 +139,31 @@
     "joinedAt": "Joined",
     "self": "this node"
   },
+  "ssl": {
+    "title": "SSL certificates",
+    "intro": "Manage TLS certs — let EdgeGuard issue them via Let's Encrypt or upload your own PEM. HAProxy reloads automatically after each change.",
+    "tabLE": "Let's Encrypt",
+    "tabUpload": "Custom certificate",
+    "leIntro": "Pick a domain, click Issue — EdgeGuard solves HTTP-01 over the ACME webroot, writes the PEM into /etc/edgeguard/tls/, and reloads HAProxy.",
+    "uploadIntro": "Upload your own certificate. Format: PEM-encoded. Cert + optional chain + private key. EdgeGuard validates cert/key match before writing.",
+    "uploadHint": "Tip: for Let's Encrypt renewals don't upload here — use the LE tab.",
+    "domain": "Domain",
+    "selectDomain": "Select domain",
+    "issuer": "Issuer",
+    "status": "Status",
+    "expiresIn": "Expires in",
+    "expiredAgo": "expired {{days}} days ago",
+    "actions": "Actions",
+    "issueButton": "Issue certificate",
+    "uploadButton": "Upload",
+    "issueSuccess": "Certificate issued + installed.",
+    "uploadSuccess": "Certificate uploaded + installed.",
+    "deleteConfirm": "Delete certificate for {{domain}}? HAProxy falls back to the default cert for this domain.",
+    "installedTitle": "Installed certificates",
+    "certPem": "Certificate (PEM)",
+    "chainPem": "Chain (PEM, optional)",
+    "keyPem": "Private key (PEM)"
+  },
   "settings": {
     "title": "Settings",
     "intro": "System information and setup status. Editable values come in a later release.",

management-ui/src/pages/Networks/index.tsx

@@ -185,7 +185,13 @@ export default function NetworksPage() {
             {({ getFieldValue }) => getFieldValue('type') === 'vlan' ? (
               <>
                 <Form.Item label={t('networks.parent')} name="parent" rules={[{ required: true }]}>
-                  <Input placeholder="eth0" />
+                  <Select
+                    placeholder={t('networks.selectParent')}
+                    showSearch
+                    options={(sys ?? [])
+                      .filter((i) => i.ifname !== 'lo')
+                      .map((i) => ({ value: i.ifname, label: i.ifname }))}
+                  />
                 </Form.Item>
                 <Form.Item label={t('networks.vlanId')} name="vlan_id" rules={[{ required: true }]}>
                   <InputNumber min={1} max={4094} style={{ width: '100%' }} />

management-ui/src/pages/SSL/index.tsx

@@ -0,0 +1,198 @@
+import { useState } from 'react'
+import { Alert, Button, Card, Form, Input, Popconfirm, Select, Space, Table, Tabs, Tag, Typography, message } from 'antd'
+import type { ColumnsType } from 'antd/es/table'
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { useTranslation } from 'react-i18next'
+
+import apiClient, { isEnvelope } from '../../api/client'
+
+interface TLSCert {
+  id: number
+  domain: string
+  issuer: string
+  status: 'pending' | 'active' | 'renewing' | 'expired' | 'error'
+  cert_path?: string | null
+  key_path?: string | null
+  not_before?: string | null
+  not_after?: string | null
+  last_renewed_at?: string | null
+  last_error?: string | null
+  created_at: string
+  updated_at: string
+}
+
+interface UploadValues {
+  domain: string
+  cert_pem: string
+  chain_pem?: string
+  key_pem: string
+}
+
+interface IssueValues { domain: string }
+
+interface Domain { id: number; name: string }
+
+async function listCerts(): Promise<TLSCert[]> {
+  const r = await apiClient.get('/tls-certs')
+  if (!isEnvelope(r.data)) return []
+  return (r.data.data as { tls_certs?: TLSCert[] }).tls_certs ?? []
+}
+async function listDomains(): Promise<Domain[]> {
+  const r = await apiClient.get('/domains')
+  if (!isEnvelope(r.data)) return []
+  return (r.data.data as { domains?: Domain[] }).domains ?? []
+}
+
+const STATUS_COLORS: Record<TLSCert['status'], string> = {
+  active:   'green',
+  renewing: 'blue',
+  pending:  'gold',
+  expired:  'red',
+  error:    'red',
+}
+
+function daysUntil(s?: string | null): number | null {
+  if (!s) return null
+  const t = new Date(s).getTime()
+  if (Number.isNaN(t)) return null
+  return Math.round((t - Date.now()) / 86_400_000)
+}
+
+export default function SSLPage() {
+  const { t } = useTranslation()
+  const qc = useQueryClient()
+
+  const { data: certs, isLoading } = useQuery({ queryKey: ['tls-certs'], queryFn: listCerts })
+  const { data: domains } = useQuery({ queryKey: ['domains'], queryFn: listDomains })
+
+  const [issueForm] = Form.useForm<IssueValues>()
+  const [uploadForm] = Form.useForm<UploadValues>()
+  const [issueErr, setIssueErr] = useState<string | null>(null)
+
+  const issueMut = useMutation({
+    mutationFn: async (v: IssueValues) => {
+      const r = await apiClient.post('/tls-certs/issue', v)
+      return r.data
+    },
+    onSuccess: () => {
+      message.success(t('ssl.issueSuccess'))
+      issueForm.resetFields()
+      setIssueErr(null)
+      void qc.invalidateQueries({ queryKey: ['tls-certs'] })
+    },
+    onError: (e: Error) => setIssueErr(e.message),
+  })
+
+  const uploadMut = useMutation({
+    mutationFn: async (v: UploadValues) => {
+      const r = await apiClient.post('/tls-certs/upload', v)
+      return r.data
+    },
+    onSuccess: () => {
+      message.success(t('ssl.uploadSuccess'))
+      uploadForm.resetFields()
+      void qc.invalidateQueries({ queryKey: ['tls-certs'] })
+    },
+  })
+
+  const delMut = useMutation({
+    mutationFn: async (id: number) => { await apiClient.delete(`/tls-certs/${id}`) },
+    onSuccess: () => { void qc.invalidateQueries({ queryKey: ['tls-certs'] }) },
+  })
+
+  const columns: ColumnsType<TLSCert> = [
+    { title: t('ssl.domain'), dataIndex: 'domain', key: 'domain', render: (s: string) => <code>{s}</code> },
+    { title: t('ssl.issuer'), dataIndex: 'issuer', key: 'issuer' },
+    {
+      title: t('ssl.status'), dataIndex: 'status', key: 'status',
+      render: (s: TLSCert['status']) => <Tag color={STATUS_COLORS[s] ?? 'default'}>{s}</Tag>,
+    },
+    {
+      title: t('ssl.expiresIn'), key: 'expires',
+      render: (_, row) => {
+        const d = daysUntil(row.not_after)
+        if (d == null) return '—'
+        if (d < 0)  return <Tag color="red">{t('ssl.expiredAgo', { days: -d })}</Tag>
+        if (d < 30) return <Tag color="orange">{d}d</Tag>
+        return `${d}d`
+      },
+    },
+    {
+      title: t('ssl.actions'), key: 'actions',
+      render: (_, row) => (
+        <Popconfirm
+          title={t('ssl.deleteConfirm', { domain: row.domain })}
+          onConfirm={() => delMut.mutate(row.id)}
+        >
+          <Button size="small" danger>{t('common.delete')}</Button>
+        </Popconfirm>
+      ),
+    },
+  ]
+
+  const tabs = [
+    {
+      key: 'letsencrypt',
+      label: t('ssl.tabLE'),
+      children: (
+        <Card size="small">
+          <Typography.Paragraph type="secondary">{t('ssl.leIntro')}</Typography.Paragraph>
+          {issueErr && <Alert type="error" closable showIcon style={{ marginBottom: 12 }} message={issueErr} onClose={() => setIssueErr(null)} />}
+          <Form form={issueForm} layout="vertical" onFinish={(v) => issueMut.mutate(v)}>
+            <Form.Item label={t('ssl.domain')} name="domain" rules={[{ required: true }]}>
+              <Select
+                showSearch
+                placeholder={t('ssl.selectDomain')}
+                options={(domains ?? []).map((d) => ({ value: d.name, label: d.name }))}
+              />
+            </Form.Item>
+            <Button type="primary" htmlType="submit" loading={issueMut.isPending}>
+              {t('ssl.issueButton')}
+            </Button>
+          </Form>
+        </Card>
+      ),
+    },
+    {
+      key: 'upload',
+      label: t('ssl.tabUpload'),
+      children: (
+        <Card size="small">
+          <Typography.Paragraph type="secondary">{t('ssl.uploadIntro')}</Typography.Paragraph>
+          <Form form={uploadForm} layout="vertical" onFinish={(v) => uploadMut.mutate(v)}>
+            <Form.Item label={t('ssl.domain')} name="domain" rules={[{ required: true }]}>
+              <Input placeholder="example.com" />
+            </Form.Item>
+            <Form.Item label={t('ssl.certPem')} name="cert_pem" rules={[{ required: true }]}>
+              <Input.TextArea rows={6} placeholder="-----BEGIN CERTIFICATE-----..." style={{ fontFamily: 'monospace', fontSize: 12 }} />
+            </Form.Item>
+            <Form.Item label={t('ssl.chainPem')} name="chain_pem">
+              <Input.TextArea rows={4} placeholder="-----BEGIN CERTIFICATE-----..." style={{ fontFamily: 'monospace', fontSize: 12 }} />
+            </Form.Item>
+            <Form.Item label={t('ssl.keyPem')} name="key_pem" rules={[{ required: true }]}>
+              <Input.TextArea rows={6} placeholder="-----BEGIN PRIVATE KEY-----..." style={{ fontFamily: 'monospace', fontSize: 12 }} />
+            </Form.Item>
+            <Space>
+              <Button type="primary" htmlType="submit" loading={uploadMut.isPending}>
+                {t('ssl.uploadButton')}
+              </Button>
+              <Typography.Text type="secondary">{t('ssl.uploadHint')}</Typography.Text>
+            </Space>
+          </Form>
+        </Card>
+      ),
+    },
+  ]
+
+  return (
+    <div>
+      <Typography.Title level={3}>{t('ssl.title')}</Typography.Title>
+      <Typography.Paragraph type="secondary">{t('ssl.intro')}</Typography.Paragraph>
+
+      <Tabs items={tabs} defaultActiveKey="letsencrypt" />
+
+      <Typography.Title level={5} style={{ marginTop: 24 }}>{t('ssl.installedTitle')}</Typography.Title>
+      <Table rowKey="id" loading={isLoading} dataSource={certs ?? []} columns={columns} pagination={false} />
+    </div>
+  )
+}

packaging/debian/edgeguard-api/DEBIAN/postinst

@@ -27,6 +27,19 @@ case "$1" in
                  /var/lib/edgeguard/acme; do
             install -d -m 0750 -o "$EG_USER" -g "$EG_USER" "$d"
         done
+        # ACME-Account-Dir 0700 — hält den lego-Account-Schlüssel,
+        # gehört nur edgeguard.
+        install -d -m 0700 -o "$EG_USER" -g "$EG_USER" /var/lib/edgeguard/acme-account
+
+        # ── sudoers: HAProxy reload + (later) systemd-networkd reload
+        # Damit edgeguard-api nach einer SSL- oder Netzwerk-Mutation
+        # selbst reloaden kann ohne root zu sein. NOPASSWD ist auf
+        # genau dieses Kommando beschränkt.
+        cat > /etc/sudoers.d/edgeguard <<'SUDOERS'
+edgeguard ALL=(root) NOPASSWD: /usr/bin/systemctl reload haproxy.service
+edgeguard ALL=(root) NOPASSWD: /bin/systemctl reload haproxy.service
+SUDOERS
+        chmod 0440 /etc/sudoers.d/edgeguard
 
         # ── Self-signed default cert so HAProxy starts cleanly ───────
         # HAProxy `bind :443 ssl crt /etc/edgeguard/tls/` needs at least