feat(autocert): add multi-certificate support (#185)

Multi-certificate, SNI matching with exact map and suffix tree Add support for multiple TLS certificates with SNI-based selection. The root provider maintains a single centralized SNI matcher that uses an exact match map for O(1) lookups, falling back to a suffix tree for wildcard matching. Key features: - Add `Extra []Config` field to autocert.Config for additional certificates - Each extra entry must specify unique `cert_path` and `key_path` - Extra certs inherit main config (except `email` and `extra` fields) - Extra certs participate in ACME obtain/renew cycles independently - SNI selection precedence: exact match > wildcard match, main > extra - Single centralized SNI matcher on root provider rebuilt after cert changes The SNI matcher structure: - Exact match map: O(1) lookup for exact domain matches - Suffix tree: Efficient wildcard matching (e.g., *.example.com) Implementation details: - Provider.GetCert() now uses SNI from ClientHelloInfo for selection - Main cert is returned as fallback when no SNI match is found - Extra providers are created as child providers with merged configs - SNI matcher is rebuilt after Setup() and after ObtainCert() completes
2026-04-23 08:48:32 +02:00 · 2026-01-04 00:37:26 +08:00
parent 117dbb62f4
commit c00854a124
7 changed files with 813 additions and 13 deletions
--- a/internal/autocert/setup.go
+++ b/internal/autocert/setup.go
@@ -2,9 +2,11 @@ package autocert

 import (
 	"errors"
+	"fmt"
 	"os"

 	"github.com/rs/zerolog/log"
+	gperr "github.com/yusing/goutils/errs"
 	strutils "github.com/yusing/goutils/strings"
 )

@@ -19,6 +21,10 @@ func (p *Provider) Setup() (err error) {
 		}
 	}

+	if err = p.setupExtraProviders(); err != nil {
+		return err
+	}
+
 	for _, expiry := range p.GetExpiries() {
 		log.Info().Msg("certificate expire on " + strutils.FormatTime(expiry))
 		break
@@ -26,3 +32,70 @@ func (p *Provider) Setup() (err error) {

 	return nil
 }
+
+func (p *Provider) setupExtraProviders() error {
+	p.extraProviders = nil
+	p.sniMatcher = sniMatcher{}
+	if len(p.cfg.Extra) == 0 {
+		p.rebuildSNIMatcher()
+		return nil
+	}
+
+	for i := range p.cfg.Extra {
+		merged := mergeExtraConfig(p.cfg, &p.cfg.Extra[i])
+		user, legoCfg, err := merged.GetLegoConfig()
+		if err != nil {
+			return err.Subjectf("extra[%d]", i)
+		}
+		ep := NewProvider(&merged, user, legoCfg)
+		if err := ep.Setup(); err != nil {
+			return gperr.PrependSubject(fmt.Sprintf("extra[%d]", i), err)
+		}
+		p.extraProviders = append(p.extraProviders, ep)
+	}
+	p.rebuildSNIMatcher()
+	return nil
+}
+
+func mergeExtraConfig(mainCfg *Config, extraCfg *Config) Config {
+	merged := *mainCfg
+	merged.Extra = nil
+	merged.CertPath = extraCfg.CertPath
+	merged.KeyPath = extraCfg.KeyPath
+
+	if merged.Email == "" {
+		merged.Email = mainCfg.Email
+	}
+
+	if len(extraCfg.Domains) > 0 {
+		merged.Domains = extraCfg.Domains
+	}
+	if extraCfg.ACMEKeyPath != "" {
+		merged.ACMEKeyPath = extraCfg.ACMEKeyPath
+	}
+	if extraCfg.Provider != "" {
+		merged.Provider = extraCfg.Provider
+	}
+	if len(extraCfg.Options) > 0 {
+		merged.Options = extraCfg.Options
+	}
+	if len(extraCfg.Resolvers) > 0 {
+		merged.Resolvers = extraCfg.Resolvers
+	}
+	if extraCfg.CADirURL != "" {
+		merged.CADirURL = extraCfg.CADirURL
+	}
+	if len(extraCfg.CACerts) > 0 {
+		merged.CACerts = extraCfg.CACerts
+	}
+	if extraCfg.EABKid != "" {
+		merged.EABKid = extraCfg.EABKid
+	}
+	if extraCfg.EABHmac != "" {
+		merged.EABHmac = extraCfg.EABHmac
+	}
+	if extraCfg.HTTPClient != nil {
+		merged.HTTPClient = extraCfg.HTTPClient
+	}
+	return merged
+}