caprover · ZeekoZhu · Feb 20, 2024 · Feb 20, 2024 · Feb 20, 2024 · Feb 20, 2024
diff --git a/src/user/system/CertbotManager.ts b/src/user/system/CertbotManager.ts
@@ -1,6 +1,6 @@
 import ApiStatusCodes from '../../api/ApiStatusCodes'
 import DockerApi from '../../docker/DockerApi'
-import CaptainConstants from '../../utils/CaptainConstants'
+import CaptainConstants, { type CertbotCertCommandRule } from '../../utils/CaptainConstants'
 import Logger from '../../utils/Logger'
 import Utils from '../../utils/Utils'
 import fs = require('fs-extra')
@@ -12,8 +12,36 @@ const WEBROOT_PATH_IN_CAPTAIN =
 
 const shouldUseStaging = false // CaptainConstants.isDebug;
 
+function isCertCommandSuccess(output: string) {
+ // https://github.com/certbot/certbot/blob/099c6c8b240400b928d6b349e023e5e8414611e6/certbot/certbot/_internal/main.py#L516
+ if (
+ output.indexOf(
+ 'Congratulations! Your certificate and chain have been saved',
+ ) >= 0
+ ) {
+ return true
+ }
+
+ // https://github.com/certbot/certbot/blob/f4e031f5055fc6bf8c87eb0b18f927f7f5ba36a8/certbot/certbot/_internal/main.py#L632
+ if (output.indexOf('Successfully received certificate') >= 0) {
+ return true
+ }
+
+ // https://github.com/certbot/certbot/blob/f4e031f5055fc6bf8c87eb0b18f927f7f5ba36a8/certbot/certbot/_internal/main.py#L1596
+ if (
+ output.indexOf(
+ 'Certificate not yet due for renewal; no action taken',
+ ) >= 0
+ ) {
+ return true
+ }
+
+ return false
+}
+
 class CertbotManager {
  private isOperationInProcess: boolean
+ private certCommandGenerator = new CertCommandGenerator(CaptainConstants.configs.certbotCertCommand ?? [], ['certbot', 'certonly', '--webroot', '-w', '${webroot}', '-d', '${domain}'])
 
  constructor(private dockerApi: DockerApi) {
  this.dockerApi = dockerApi
@@ -46,7 +74,6 @@ class CertbotManager {
 
  return `/live/${domainName}/privkey.pem`
  }
-
  enableSsl(domainName: string) {
  const self = this
 
@@ -58,15 +85,10 @@ class CertbotManager {
  return self.ensureDomainHasDirectory(domainName)
  })
  .then(function () {
- const cmd = [
- 'certbot',
- 'certonly',
- '--webroot',
- '-w',
- `${WEBROOT_PATH_IN_CERTBOT}/${domainName}`,
- '-d',
- domainName,
- ]
+ const cmd = self.certCommandGenerator.getCertbotCertCommand(domainName, {
+ domain: domainName,
+ webroot: WEBROOT_PATH_IN_CERTBOT + '/' + domainName
+ })
 
  if (shouldUseStaging) {
  cmd.push('--staging')
@@ -75,19 +97,7 @@ class CertbotManager {
  return self.runCommand(cmd).then(function (output) {
  Logger.d(output)
 
- if (
- output.indexOf(
- 'Congratulations! Your certificate and chain have been saved'
- ) >= 0
- ) {
- return true
- }
-
- if (
- output.indexOf(
- 'Certificate not yet due for renewal; no action taken'
- ) >= 0
- ) {
+ if (isCertCommandSuccess(output)) {
  return true
  }
 
@@ -295,7 +305,7 @@ class CertbotManager {
 
  return dockerApi
  .createServiceOnNodeId(
- CaptainConstants.certbotImageName,
+ CaptainConstants.configs.certbotImageName,
  CaptainConstants.certbotServiceName,
  undefined,
  nodeId,
@@ -373,7 +383,7 @@ class CertbotManager {
 
  return dockerApi.updateService(
  CaptainConstants.certbotServiceName,
- CaptainConstants.certbotImageName,
+ CaptainConstants.configs.certbotImageName,
  [
  {
  hostPath: CaptainConstants.letsEncryptEtcPath,
@@ -410,3 +420,24 @@ class CertbotManager {
 }
 
 export default CertbotManager
+
+export class CertCommandGenerator {
+ constructor(private rules: CertbotCertCommandRule[], private defaultCommand: string[]) {
+ }
+
+ private getCertbotCertCommandTemplate(domainName: string): string[] {
+ for (const rule of this.rules) {
+ if (rule.domain === '*'
+ || domainName === rule.domain
+ || domainName.endsWith('.' + rule.domain)
+ ) {
+ return rule.command ?? this.defaultCommand
+ }
+ }
+ return this.defaultCommand
+ }
+ getCertbotCertCommand(domainName: string, variables: Record<string, string> = {}): string[] {
+ const command = this.getCertbotCertCommandTemplate(domainName)
+ return command.map(c => c.replace(/\$\{(\w+)}/g, (match, p1) => variables[p1] ?? match))
+ }
+}
diff --git a/src/utils/CaptainConstants.ts b/src/utils/CaptainConstants.ts
@@ -54,6 +54,21 @@ const configs = {
  proApiDomains: ['https://pro.caprover.com'],
 
  analyticsDomain: 'https://analytics-v1.caprover.com',
+
+ certbotImageName: 'caprover/certbot-sleeping:v1.6.0',
+
+ certbotCertCommand: undefined as CertbotCertCommandRule[] | undefined,
+}
+
+export interface CertbotCertCommandRule {
+ /**
+ * Matches both *.<domain> and <domain>, use '*' to match all domains
+ */
+ domain: string;
+ /**
+ * The Certbot command to execute, in Docker exec form, uses `${domain}` as the placeholder for the actual domain name
+ */
+ command?: string[];
 }
 
 const data = {
@@ -133,8 +148,6 @@ const data = {
 
  // ********************* Local Docker Constants ************************
 
- certbotImageName: 'caprover/certbot-sleeping:v1.6.0',
-
  captainSaltSecretKey: 'captain-salt',
 
  nginxServiceName: 'captain-nginx',

diff --git a/src/utils/CaptainInstaller.ts b/src/utils/CaptainInstaller.ts
@@ -279,7 +279,7 @@ export function install() {
  return DockerApi.get().pullImage(imageName, undefined)
  })
  .then(function () {
- const imageName = CaptainConstants.certbotImageName
+ const imageName = CaptainConstants.configs.certbotImageName
  console.log(`Pulling: ${imageName}`)
  return DockerApi.get().pullImage(imageName, undefined)
  })

diff --git a/tests/CertCommandGenerator.test.ts b/tests/CertCommandGenerator.test.ts
@@ -0,0 +1,55 @@
+import { CertCommandGenerator } from '../src/user/system/CertbotManager'
+
+const defaultCommand = [ 'certbot', 'certonly', '--domain', '${domain}' ]
+const exampleRule = {
+ domain: 'example.com',
+ command: [ 'certbot', 'certonly', '--manual', '--preferred-challenges=dns', '--domain', '${domain}' ],
+}
+const wildcardRule = {
+ domain: '*',
+ command: [ 'certbot', 'renew' ],
+}
+const nullCommandRule = {
+ domain: 'fallback.com',
+}
+
+test('uses default command when no rules match', () => {
+ const generator = new CertCommandGenerator([], defaultCommand)
+ expect(generator.getCertbotCertCommand('nonmatching.com')).toEqual(defaultCommand)
+})
+
+test('uses specific rule when domain matches exactly', () => {
+ const generator = new CertCommandGenerator([ exampleRule ], defaultCommand)
+ expect(generator.getCertbotCertCommand('example.com')).toEqual(exampleRule.command)
+})
+
+test('uses wildcard rule for any domain', () => {
+ const generator = new CertCommandGenerator([ wildcardRule ], defaultCommand)
+ expect(generator.getCertbotCertCommand('anything.com')).toEqual(wildcardRule.command)
+})
+
+test('matches subdomain to rule', () => {
+ const generator = new CertCommandGenerator([ exampleRule ], defaultCommand)
+ expect(generator.getCertbotCertCommand('sub.example.com')).toEqual(exampleRule.command)
+})
+
+test('replaces variables in command template', () => {
+ const generator = new CertCommandGenerator([], defaultCommand)
+ expect(generator.getCertbotCertCommand('example.com', { 'domain': 'example.com' }))
+ .toEqual([ 'certbot', 'certonly', '--domain', 'example.com' ])
+})
+
+test('leaves unreplaced placeholders unchanged', () => {
+ const generator = new CertCommandGenerator([], [ 'echo', '${missing}' ])
+ expect(generator.getCertbotCertCommand('example.com')).toEqual([ 'echo', '${missing}' ])
+})
+
+test('first matching rule is used when multiple rules could apply', () => {
+ const generator = new CertCommandGenerator([ exampleRule, wildcardRule ], defaultCommand)
+ expect(generator.getCertbotCertCommand('example.com')).toEqual(exampleRule.command)
+})
+
+test('falls back to default command when rule command is null', () => {
+ const generator = new CertCommandGenerator([ nullCommandRule ], defaultCommand)
+ expect(generator.getCertbotCertCommand('nullcommand.com')).toEqual(defaultCommand)
+})