implement automatic ssl for tuic-server (like caddy server) #54
add config option: hostname, auto_ssl

- for auto_ssl, if enabled, will ignore `self_sign`. If it fails, will fall back to self-sign
- if both certificate and private_key are set, they will be the path to save the certificate and key
- on startup, if this option is a valid domain name, will try to use the `instant-acme` crate to issue a cert for it, using the letsencrypt CA, then save the cert and key to the private_key and certificate specified in config; if not configured, save to the same directory as the config file.
- If acme fails, will leave a warning in the log and self-sign a cert (generate_simple_self_signed).
- If acme succeeds, then spawn a process to check if the cert is valid every 12 hours and, if it is about to expire in 3 days, renew it.

P.S. Feel free to modify
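A stand-alone model of the provisioning and renewal policy described above (added example, not code from this PR or from tuic-server): it keeps the PR's 12-hour check and 3-day renewal threshold, falls back to a self-signed certificate with a warning when ACME fails, and uses a hypothetical `Issuer` trait with a constructed `Flaky` issuer in place of `instant-acme`. Assumptions beyond the PR text: a 365-day lifetime for the fallback cert, and retrying ACME on each check while the fallback is still being served.

```rust
use std::time::Duration;

/// Check every 12 hours; renew when 3 days or less of validity remain (values from the PR).
pub const CHECK_INTERVAL: Duration = Duration::from_secs(12 * 60 * 60);
pub const RENEW_THRESHOLD_SECS: u64 = 3 * 24 * 60 * 60;
/// Assumed lifetime of the self-signed fallback certificate (not stated in the PR).
pub const SELF_SIGNED_LIFETIME_SECS: u64 = 365 * 24 * 60 * 60;

/// The parts of a provisioned certificate the renewal policy needs (times are Unix seconds).
#[derive(Clone, Debug, PartialEq)]
pub struct Cert { pub not_after: u64, pub self_signed: bool }

/// Hypothetical issuer interface; a real implementation would wrap an ACME client such as `instant-acme`.
pub trait Issuer { fn issue(&mut self, hostname: &str, now: u64) -> Result<Cert, String>; }

pub struct Provisioner<I: Issuer> { pub hostname: String, pub issuer: I, pub cert: Cert, pub warnings: Vec<String> }

impl<I: Issuer> Provisioner<I> {
    /// Startup: try ACME once; on failure record a warning and fall back to a self-signed cert.
    pub fn start(hostname: &str, mut issuer: I, now: u64) -> Self {
        let mut warnings = Vec::new();
        let cert = issuer.issue(hostname, now).unwrap_or_else(|e| {
            warnings.push(format!("ACME failed for {hostname}: {e}; falling back to self-signed cert"));
            Cert { not_after: now + SELF_SIGNED_LIFETIME_SECS, self_signed: true }
        });
        Provisioner { hostname: hostname.to_string(), issuer, cert, warnings }
    }

    /// Same rule as the PR's expiry check: expiring if not_after falls within the threshold.
    pub fn is_expiring(&self, now: u64) -> bool {
        self.cert.not_after <= now.saturating_add(RENEW_THRESHOLD_SECS)
    }

    /// One pass of the periodic check. Returns true when a new cert was installed.
    /// Assumption beyond the PR text: while serving the self-signed fallback, ACME is retried on every pass.
    pub fn tick(&mut self, now: u64) -> bool {
        if !self.is_expiring(now) && !self.cert.self_signed { return false; }
        match self.issuer.issue(&self.hostname, now) {
            Ok(c) => { self.cert = c; true }
            Err(e) => { self.warnings.push(format!("renewal failed, keeping current cert: {e}")); false }
        }
    }
}

/// Constructed stand-in issuer: fails the first `fail_first` calls, then issues 90-day certs.
pub struct Flaky { pub fail_first: usize, pub calls: usize }
impl Issuer for Flaky {
    fn issue(&mut self, _hostname: &str, now: u64) -> Result<Cert, String> {
        self.calls += 1;
        if self.calls <= self.fail_first { return Err("connection refused".into()); }
        Ok(Cert { not_after: now + 90 * 24 * 60 * 60, self_signed: false })
    }
}
```

Each `tick` call stands for one wake-up of the renewal task, so a loop sleeping `CHECK_INTERVAL` between calls reproduces the PR's schedule.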
Thanks for beginning to work on this, I think it's better to replace my current

```rust
use std::path::Path;
use std::time::SystemTime;

use eyre::{Result, WrapErr};
use tokio::fs;
use tracing::warn;
use x509_parser::prelude::*; // parse_x509_pem, parse_x509_certificate

/// Check if a certificate is about to expire (within the specified days)
pub async fn is_certificate_expiring(cert_path: &Path, days_threshold: u64) -> Result<bool> {
    let cert_data = fs::read(cert_path)
        .await
        .context("Failed to read certificate file")?;
    // Parse the certificate using x509-parser
    let res = parse_x509_pem(&cert_data);
    match res {
        Ok((rem, pem)) => {
            if !rem.is_empty() {
                warn!("Extra data after certificate");
            }
            if pem.label != "CERTIFICATE" {
                warn!("Invalid PEM label: {:?}", pem.label);
            }
            // The PEM body is the DER-encoded X.509 certificate
            let res_x509 = parse_x509_certificate(&pem.contents);
            match res_x509 {
                Ok((_, parsed_cert)) => {
                    // Get current time as seconds since Unix epoch
                    let now = SystemTime::now()
                        .duration_since(SystemTime::UNIX_EPOCH)
                        .context("Failed to get current time")?
                        .as_secs();
                    // Get certificate expiration time (notAfter, as a Unix timestamp)
                    let not_after = parsed_cert.tbs_certificate.validity.not_after.timestamp() as u64;
                    // Calculate threshold time (current time + days_threshold)
                    let threshold_time = now + (days_threshold * 24 * 60 * 60);
                    // Certificate is expiring if the expiration time is before our threshold
                    Ok(not_after <= threshold_time)
                }
                Err(e) => Err(eyre::eyre!("Failed to parse X.509 certificate: {:?}", e)),
            }
        }
        Err(e) => Err(eyre::eyre!("Failed to parse PEM certificate: {:?}", e)),
    }
}
```
…ad of panicking Co-authored-by: Copilot <[email protected]>
…ail instead of empty Co-authored-by: Copilot <[email protected]>
…E provisioning, and enhance expiration checks.
…handling and logging.
Have you considered other certificate formats?
You mean save the newly provisioned certificate as DER? I think it is enough to save it in PEM format. |
I mean all functions in But I am also about to delete DER support completely.
As you are going to delete DER support, I think no further modifications are necessary. |
Is it possible to set up an ACME server for test usage? @fokx
Sorry, I found most acme crates focus on the client side: As for the auto-ssl feature, I've deployed tuic-server on several servers with various domains and confirm it works.