diff --git a/cmd/web_acme.go b/cmd/web_acme.go
index bca4ae021217b..5daf0f55f243f 100644
--- a/cmd/web_acme.go
+++ b/cmd/web_acme.go
@@ -54,6 +54,10 @@ func runACME(listenAddr string, m http.Handler) error {
 altTLSALPNPort = p
 }
+ // FIXME: this path is not right, it uses "AppWorkPath" incorrectly, and writes the data into "AppWorkPath/https"
+ // Ideally it should migrate to AppDataPath write to "AppDataPath/https"
+ certmagic.Default.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory}
+ magic := certmagic.NewDefault()
 // Try to use private CA root if provided, otherwise defaults to system's trust
 var certPool *x509.CertPool
 if setting.AcmeCARoot != "" {
@@ -63,13 +67,7 @@ func runACME(listenAddr string, m http.Handler) error {
 log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
 }
 }
- // FIXME: this path is not right, it uses "AppWorkPath" incorrectly, and writes the data into "AppWorkPath/https"
- // Ideally it should migrate to AppDataPath write to "AppDataPath/https"
- // And one more thing, no idea why we should set the global default variables here
- // But it seems that the current ACME code needs these global variables to make renew work.
- // Otherwise, "renew" will use incorrect storage path
- certmagic.Default.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory}
- certmagic.DefaultACME = certmagic.ACMEIssuer{
+ myACME := certmagic.NewACMEIssuer(magic, certmagic.ACMEIssuer{
 CA: setting.AcmeURL,
 TrustedRoots: certPool,
 Email: setting.AcmeEmail,
@@ -79,10 +77,8 @@ func runACME(listenAddr string, m http.Handler) error {
 ListenHost: setting.HTTPAddr,
 AltTLSALPNPort: altTLSALPNPort,
 AltHTTPPort: altHTTPPort,
- }
+ })
- magic := certmagic.NewDefault()
- myACME := certmagic.NewACMEIssuer(magic, certmagic.DefaultACME)
 magic.Issuers = []certmagic.Issuer{myACME}
 // this obtains certificates or renews them if necessary
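Review bot: Dropping the `certmagic.DefaultACME` assignment in the second hunk may leave certificate renewal on certmagic's built-in issuer defaults instead of `setting.AcmeURL` and the private `certPool`, and the deleted comment was the only place that recorded this dependency on the package-level globals. This is inferred from that removed comment ("the current ACME code needs these global variables to make renew work") and should be confirmed against the pinned certmagic version, ideally with a renewal test run against a non-default `ACME_URL`. If the renew path does read the package defaults, keep assigning the configured issuer to `certmagic.DefaultACME`; in either case the surviving `certmagic.Default.Storage` line in the first hunk deserves a comment such as `// must stay global: certmagic's renew path reads the package-level defaults`. runACME starts and ends outside these hunks.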
diff --git a/modules/setting/server.go b/modules/setting/server.go
index e15b790906738..d7a71578d4ab6 100644
--- a/modules/setting/server.go
+++ b/modules/setting/server.go
@@ -169,24 +169,20 @@ func loadServerFrom(rootCfg ConfigProvider) {
 HTTPAddr = sec.Key("HTTP_ADDR").MustString("0.0.0.0")
 HTTPPort = sec.Key("HTTP_PORT").MustString("3000")
- // DEPRECATED should not be removed because users maybe upgrade from lower version to the latest version
- // if these are removed, the warning will not be shown
- if sec.HasKey("ENABLE_ACME") {
- EnableAcme = sec.Key("ENABLE_ACME").MustBool(false)
- } else {
- deprecatedSetting(rootCfg, "server", "ENABLE_LETSENCRYPT", "server", "ENABLE_ACME", "v1.19.0")
- EnableAcme = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
- }
-
 Protocol = HTTP
 protocolCfg := sec.Key("PROTOCOL").String()
- if protocolCfg != "https" && EnableAcme {
- log.Fatal("ACME could only be used with HTTPS protocol")
- }
-
 switch protocolCfg {
 case "https":
 Protocol = HTTPS
+
+ // DEPRECATED should not be removed because users maybe upgrade from lower version to the latest version
+ // if these are removed, the warning will not be shown
+ if sec.HasKey("ENABLE_ACME") {
+ EnableAcme = sec.Key("ENABLE_ACME").MustBool(false)
+ } else {
+ deprecatedSetting(rootCfg, "server", "ENABLE_LETSENCRYPT", "server", "ENABLE_ACME", "v1.19.0")
+ EnableAcme = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
+ }
 if EnableAcme {
 AcmeURL = sec.Key("ACME_URL").MustString("")
 AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
@@ -214,9 +210,6 @@ func loadServerFrom(rootCfg ConfigProvider) {
 deprecatedSetting(rootCfg, "server", "LETSENCRYPT_EMAIL", "server", "ACME_EMAIL", "v1.19.0")
 AcmeEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
 }
- if AcmeEmail == "" {
- log.Fatal("ACME Email is not set (ACME_EMAIL).")
- }
 } else {
 CertFile = sec.Key("CERT_FILE").String()
 KeyFile = sec.Key("KEY_FILE").String()
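Review bot: A config that sets `ENABLE_ACME = true` together with a `PROTOCOL` other than `https` is now accepted silently, because the first hunk moves the ENABLE_ACME parsing under `case "https":` and removes the `log.Fatal("ACME could only be used with HTTPS protocol")` check; the server then starts with whatever `PROTOCOL` selects and no ACME-managed TLS, with nothing in the log to tell the operator. The `ENABLE_LETSENCRYPT` deprecation warning is skipped on that path as well, which contradicts the comment moved along with it. A non-fatal check before the switch would keep the misconfiguration visible, e.g. `if protocolCfg != "https" && sec.Key("ENABLE_ACME").MustBool(false) { log.Warn("ENABLE_ACME is ignored because PROTOCOL is not https") }`. loadServerFrom starts and ends outside the hunk.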