feat(system-security): Add API for Synchronizing System Certificates

Author: zhengkunwang223

agent/app/service/website_ssl.go

@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
+	http2 "github.com/1Panel-dev/1Panel/agent/utils/http"
 	"log"
 	"os"
 	"path"
@@ -204,6 +205,10 @@ func reloadSystemSSL(websiteSSL *model.WebsiteSSL, logger *log.Logger) {
 			logger.Printf("Failed to update the SSL certificate for 1Panel System domain [%s] , err:%s", websiteSSL.PrimaryDomain, err.Error())
 			return
 		}
+		if err := http2.PostLocalCore("/core/settings/ssl/reload"); err != nil {
+			logger.Printf("Failed to update the SSL certificate for 1Panel System domain [%s] , err:%s", websiteSSL.PrimaryDomain, err.Error())
+			return
+		}
 		printSSLLog(logger, "UpdateSystemSSLSuccess", nil, logger == nil)
 	}
 }

agent/utils/http/core.go

@@ -0,0 +1,38 @@
+package http
+
+import (
+	"bytes"
+	"fmt"
+	"github.com/1Panel-dev/1Panel/agent/app/repo"
+	"net/http"
+)
+
+func PostLocalCore(url string) error {
+	settingRepo := repo.NewISettingRepo()
+	port, err := settingRepo.GetValueByKey("ServerPort")
+	if err != nil {
+		return err
+	}
+	sslStatus, err := settingRepo.GetValueByKey("SSL")
+	if err != nil {
+		return err
+	}
+	var prefix string
+	if sslStatus == "Disable" {
+		prefix = "http://"
+	} else {
+		prefix = "https://"
+	}
+	reloadURL := fmt.Sprintf("%s://127.0.0.1:%s/api/v2%s", prefix, port, url)
+	req, err := http.NewRequest("POST", reloadURL, bytes.NewBuffer([]byte{}))
+	if err != nil {
+		return err
+	}
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	return nil
+}

core/app/api/v2/setting.go

@@ -369,3 +369,16 @@ func (b *BaseApi) MFABind(c *gin.Context) {
 
 	helper.SuccessWithData(c, nil)
 }
+
+func (b *BaseApi) ReloadSSL(c *gin.Context) {
+	clientIP := c.ClientIP()
+	if clientIP != "127.0.0.1" {
+		helper.ErrorWithDetail(c, constant.CodeErrInternalServer, constant.ErrTypeInternalServer, errors.New("only localhost can reload ssl"))
+		return
+	}
+	if err := settingService.UpdateSystemSSL(); err != nil {
+		helper.ErrorWithDetail(c, constant.CodeErrInternalServer, constant.ErrTypeInternalServer, err)
+		return
+	}
+	helper.SuccessWithOutData(c)
+}

core/app/service/setting.go

@@ -40,6 +40,8 @@ type ISettingService interface {
 
 	GetTerminalInfo() (*dto.TerminalInfo, error)
 	UpdateTerminal(req dto.TerminalInfo) error
+
+	UpdateSystemSSL() error
 }
 
 func NewISettingService() ISettingService {
@@ -198,15 +200,6 @@ func (u *SettingService) UpdateSSL(c *gin.Context, req dto.SSLUpdate) error {
 		}
 		_ = os.Remove(path.Join(secretDir, "server.crt"))
 		_ = os.Remove(path.Join(secretDir, "server.key"))
-		sID, _ := c.Cookie(constant.SessionName)
-		c.SetCookie(constant.SessionName, sID, 0, "", "", false, true)
-
-		go func() {
-			_, err := cmd.Exec("systemctl restart 1panel.service")
-			if err != nil {
-				global.LOG.Errorf("restart system failed, err: %v", err)
-			}
-		}()
 		return nil
 	}
 	if _, err := os.Stat(secretDir); err != nil && os.IsNotExist(err) {
@@ -257,17 +250,7 @@ func (u *SettingService) UpdateSSL(c *gin.Context, req dto.SSLUpdate) error {
 	if err := settingRepo.Update("SSL", req.SSL); err != nil {
 		return err
 	}
-
-	sID, _ := c.Cookie(constant.SessionName)
-	c.SetCookie(constant.SessionName, sID, 0, "", "", true, true)
-	go func() {
-		time.Sleep(1 * time.Second)
-		_, err := cmd.Exec("systemctl restart 1panel.service")
-		if err != nil {
-			global.LOG.Errorf("restart system failed, err: %v", err)
-		}
-	}()
-	return nil
+	return u.UpdateSystemSSL()
 }
 
 func (u *SettingService) LoadFromCert() (*dto.SSLInfo, error) {
@@ -394,6 +377,25 @@ func (u *SettingService) UpdatePassword(c *gin.Context, old, new string) error {
 	return nil
 }
 
+func (u *SettingService) UpdateSystemSSL() error {
+	certPath := path.Join(global.CONF.System.BaseDir, "1panel/secret/server.crt")
+	keyPath := path.Join(global.CONF.System.BaseDir, "1panel/secret/server.key")
+	certificate, err := os.ReadFile(certPath)
+	if err != nil {
+		return err
+	}
+	key, err := os.ReadFile(keyPath)
+	if err != nil {
+		return err
+	}
+	cert, err := tls.X509KeyPair(certificate, key)
+	if err != nil {
+		return err
+	}
+	constant.CertStore.Store(&cert)
+	return nil
+}
+
 func loadInfoFromCert() (dto.SSLInfo, error) {
 	var info dto.SSLInfo
 	certFile := path.Join(global.CONF.System.BaseDir, "1panel/secret/server.crt")

core/router/ro_setting.go

@@ -16,6 +16,8 @@ func (s *SettingRouter) InitRouter(Router *gin.RouterGroup) {
 		Use(middleware.JwtAuth()).
 		Use(middleware.SessionAuth()).
 		Use(middleware.PasswordExpired())
+
+	noAuthRouter := Router.Group("settings")
 	baseApi := v2.ApiGroupApp.BaseApi
 	{
 		router.POST("/search", baseApi.GetSettingInfo)
@@ -39,5 +41,7 @@ func (s *SettingRouter) InitRouter(Router *gin.RouterGroup) {
 		settingRouter.POST("/upgrade", baseApi.Upgrade)
 		settingRouter.POST("/upgrade/notes", baseApi.GetNotesByVersion)
 		settingRouter.GET("/upgrade", baseApi.GetUpgradeInfo)
+
+		noAuthRouter.POST("/ssl/reload", baseApi.ReloadSSL)
 	}
 }

core/server/server.go

@@ -73,9 +73,11 @@ func Start() {
 		if err != nil {
 			panic(err)
 		}
+		constant.CertStore.Store(&cert)
+
 		server.TLSConfig = &tls.Config{
 			GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return &cert, nil
+				return constant.CertStore.Load().(*tls.Certificate), nil
 			},
 		}
 		global.LOG.Infof("listen at https://%s:%s [%s]", global.CONF.System.BindAddress, global.CONF.System.Port, tcpItem)