feat: disable default certificate creation by default (#1157)

buchdag · web-flow · commit 3cb7df6fdda5 · 2024-10-12T19:07:26.000+02:00
diff --git a/app/cleanup_test_artifacts b/app/cleanup_test_artifacts
@@ -7,14 +7,6 @@ while [[ $# -gt 0 ]]; do
     flag="$1"
 
     case $flag in
-        --default-cert)
-        for filename in default.crt default.key; do
-            filepath="/etc/nginx/certs/$filename"
-            [[ -f "$filepath" ]] && rm -rf "$filepath"
-        done
-        shift
-        ;;
-
         --location-config)
         for domain in 'le1.wtf' '*.example.com' 'test.*' 'le3.pizza' 'subdomain.example.com' 'test.domain.tld'; do
             [[ -f "/etc/nginx/vhost.d/$domain" ]] && rm -f "/etc/nginx/vhost.d/$domain"
diff --git a/app/entrypoint.sh b/app/entrypoint.sh
@@ -110,7 +110,9 @@ function check_dh_group {
 }
 
 function check_default_cert_key {
-    local cn='letsencrypt-nginx-proxy-companion'
+    local cn='acme-companion'
+
+    echo "Warning: there is no future support planned for the self signed default certificate creation feature and it might be removed in a future release."
 
     if [[ -e /etc/nginx/certs/default.crt && -e /etc/nginx/certs/default.key ]]; then
         default_cert_cn="$(openssl x509 -noout -subject -in /etc/nginx/certs/default.crt)"
@@ -179,7 +181,7 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
         check_writable_directory '/etc/nginx/vhost.d'
         check_writable_directory '/etc/nginx/conf.d'
     fi
-    check_default_cert_key
+    parse_true "${CREATE_DEFAULT_CERTIFICATE:=false}" && check_default_cert_key
     check_dh_group
     reload_nginx
     check_default_account
diff --git a/docs/Let's-Encrypt-and-ACME.md b/docs/Let's-Encrypt-and-ACME.md
@@ -153,3 +153,7 @@ Reusing private keys can help if you intend to use [HPKP](https://developer.mozi
     1. The container will use the special purpose `staging` configuration directory.
     1. The directory URI is forced to The Let's Encrypt v2 staging one (`ACME_CA_URI` is ignored)
     2. The account email address is forced empty (`DEFAULT_EMAIL` and `LETSENCRYPT_EMAIL` are ignored)
+
+#### Self signed default certificate
+
+If you want **acme-companio** to create a self signed certificate as default certificate for **nginx-proxy**, you can set the `CREATE_DEFAULT_CERTIFICATE` environment variable to `true`. This will generate a self signed cert / key pair to `/etc/nginx/certs/default.crt` and `/etc/nginx/certs/default.key`, with `acme-companion` as Common Name. Please note that no future support is planned for this feature and it might be removed in a future release.
diff --git a/docs/Persistent-data.md b/docs/Persistent-data.md
@@ -65,8 +65,6 @@ By default, the **acme-companion** container will enforce the following ownershi
 ```
 [drwxr-xr-x]  /etc/nginx/certs
 ├── [-rw-r--r-- root root]  dhparam.pem
-├── [-rw-r--r-- root root]  default.crt
-├── [-rw------- root root]  default.key
 ├── [drwxr-xr-x root root]  domain.tld
 │   ├── [-rw-r--r-- root root]  cert.pem
 │   ├── [-rw-r--r-- root root]  chain.pem
@@ -90,8 +88,6 @@ For example, `FILES_UID=1000`, `FILES_PERMS=644` and `FOLDERS_PERMS=700` will re
 ```
 [drwxr-xr-x]  /etc/nginx/certs
 ├── [-rw-r--r-- 1000 1000]  dhparam.pem
-├── [-rw-r--r-- 1000 1000]  default.crt
-├── [-rw-r--r-- 1000 1000]  default.key
 ├── [drwx------ 1000 1000]  domain.tld
 │   ├── [-rw-r--r-- 1000 1000]  cert.pem
 │   ├── [-rw-r--r-- 1000 1000]  chain.pem
diff --git a/test/config.sh b/test/config.sh
@@ -5,7 +5,6 @@ globalTests+=(
 	docker_api
 	docker_api_legacy
 	location_config
-	default_cert
 	certs_single
 	certs_san
 	certs_single_domain
diff --git a/test/tests/certs_single_domain/run.sh b/test/tests/certs_single_domain/run.sh
@@ -96,7 +96,6 @@ for hosts in "${letsencrypt_hosts[@]}"; do
   done
 
   docker stop "$container" &> /dev/null
-  docker exec "$le_container_name" /app/cleanup_test_artifacts --default-cert
   i=$(( i + 1 ))
 
 done
diff --git a/test/tests/default_cert/expected-std-out.txt b/test/tests/default_cert/expected-std-out.txt
diff --git a/test/tests/default_cert/run.sh b/test/tests/default_cert/run.sh
diff --git a/test/tests/permissions_custom/run.sh b/test/tests/permissions_custom/run.sh
@@ -66,9 +66,8 @@ done
 
 # Array of private file paths to test
 private_files=( \
-  [0]="/etc/nginx/certs/default.key" \
-  [1]="/etc/nginx/certs/${domains[0]}/key.pem" \
-  [2]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
+  [0]="/etc/nginx/certs/${domains[0]}/key.pem" \
+  [1]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
   )
 
 # Test private file paths
@@ -85,8 +84,7 @@ public_files=( \
   [1]="/etc/nginx/certs/${domains[0]}/cert.pem" \
   [2]="/etc/nginx/certs/${domains[0]}/chain.pem" \
   [3]="/etc/nginx/certs/${domains[0]}/fullchain.pem" \
-  [4]="/etc/nginx/certs/default.crt" \
-  [5]="/etc/nginx/certs/dhparam.pem" \
+  [4]="/etc/nginx/certs/dhparam.pem" \
   )
 
 # Test public file paths
diff --git a/test/tests/permissions_default/run.sh b/test/tests/permissions_default/run.sh
@@ -60,9 +60,8 @@ done
 
 # Array of private file paths to test
 private_files=( \
-  [0]="/etc/nginx/certs/default.key" \
-  [1]="/etc/nginx/certs/${domains[0]}/key.pem" \
-  [2]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
+  [0]="/etc/nginx/certs/${domains[0]}/key.pem" \
+  [1]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
   )
 
 # Test private file paths
@@ -79,8 +78,7 @@ public_files=( \
   [1]="/etc/nginx/certs/${domains[0]}/cert.pem" \
   [2]="/etc/nginx/certs/${domains[0]}/chain.pem" \
   [3]="/etc/nginx/certs/${domains[0]}/fullchain.pem" \
-  [4]="/etc/nginx/certs/default.crt" \
-  [5]="/etc/nginx/certs/dhparam.pem" \
+  [4]="/etc/nginx/certs/dhparam.pem" \
   )
 
 # Test public file paths
diff --git a/test/tests/symlinks/run.sh b/test/tests/symlinks/run.sh
@@ -47,8 +47,7 @@ docker exec "$le_container_name" cp /etc/nginx/certs/le1.wtf/key.pem /etc/nginx/
 docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le4.wtf/fullchain.pem ./le4.wtf.crt'
 docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le4.wtf/key.pem ./le4.wtf.key'
 
-# symlink default certificate to le1.wtf certificate
-docker exec "$le_container_name" rm -f /etc/nginx/certs/default.crt /etc/nginx/certs/default.key
+# Symlink default certificate to le1.wtf certificate
 docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le1.wtf/fullchain.pem ./default.crt'
 docker exec "$le_container_name" bash -c 'cd /etc/nginx/certs; ln -s ./le1.wtf/key.pem ./default.key'
 
diff --git a/test/tests/test-functions.sh b/test/tests/test-functions.sh
@@ -263,7 +263,6 @@ export -f check_cert_subj
 
 # Wait for a successful https connection to domain passed with -d/--domain then wait
 #   - until the served certificate isn't the default one (default behavior)
-#   - until the served certificate is the default one (--default-cert)
 #   - until the served certificate subject match a string (--subject-match)
 function wait_for_conn {
   local action
@@ -280,11 +279,6 @@ function wait_for_conn {
       shift
       ;;
 
-      --default-cert)
-      action='--match'
-      shift
-      ;;
-
       --subject-match)
       action='--match'
       string="$2"
