feat(autocert): generate unique ACME key paths per CA directory URL

Previously, ACME keys were stored at a single default path regardless of which CA directory URL was configured. This caused key conflicts when using multiple different ACME CAs. Now, the key path is derived from a SHA256 hash of the CA directory URL, allowing each CA to have its own key file: - Default CA (Let's Encrypt): certs/acme.key - Custom CA: certs/acme_<url_hash_16chars>.key This enables running certificates against multiple ACME providers without key collision issues.
fix(autocert): correct ObtainCert error handling
2026-02-18 00:17:41 +01:00 · 2026-01-31 16:48:18 +08:00 · 2026-01-31 16:17:07 +08:00 · 2026-01-30 00:34:33 +08:00 · 2026-01-27 00:39:19 +08:00 · 2026-01-27 00:06:26 +08:00
4 changed files with 47 additions and 29 deletions
--- a/internal/autocert/config.go
+++ b/internal/autocert/config.go
@@ -4,10 +4,13 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
 	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
 	"regexp"
 	"github.com/go-acme/lego/v4/certcrypto"
@@ -27,7 +30,7 @@ type Config struct {
 	CertPath    string                       `json:"cert_path,omitempty"`
 	KeyPath     string                       `json:"key_path,omitempty"`
 	Extra       []ConfigExtra                `json:"extra,omitempty"`
-	ACMEKeyPath string                       `json:"acme_key_path,omitempty"` // shared by all extra providers
+	ACMEKeyPath string                       `json:"acme_key_path,omitempty"` // shared by all extra providers with the same CA directory URL
 	Provider    string                       `json:"provider,omitempty"`
 	Options     map[string]strutils.Redacted `json:"options,omitempty"`
@@ -88,7 +91,7 @@ func (cfg *Config) validate(seenPaths map[string]int) gperr.Error {
 		cfg.KeyPath = KeyFileDefault
 	}
 	if cfg.ACMEKeyPath == "" {
-		cfg.ACMEKeyPath = ACMEKeyFileDefault
+		cfg.ACMEKeyPath = acmeKeyPath(cfg.CADirURL)
 	}
 	b := gperr.NewBuilder("certificate error")
@@ -272,3 +275,16 @@ func (cfg *Config) SaveACMEKey(key *ecdsa.PrivateKey) error {
 	}
 	return os.WriteFile(cfg.ACMEKeyPath, data, 0o600)
 }
 // acmeKeyPath returns the path to the ACME key file based on the CA directory URL.
 // Different CA directory URLs will use different key files to avoid key conflicts.
 func acmeKeyPath(caDirURL string) string {
 	// Use a hash of the CA directory URL to create a unique key filename
 	// Default to "acme" if no custom CA is configured (Let's Encrypt default)
 	filename := "acme"
 	if caDirURL != "" {
 		hash := sha256.Sum256([]byte(caDirURL))
 		filename = "acme_" + hex.EncodeToString(hash[:])[:16]
 	}
 	return filepath.Join(certBasePath, filename+".key")
 }
--- a/internal/autocert/paths.go
+++ b/internal/autocert/paths.go
@@ -1,8 +1,7 @@
 package autocert
 const (
-	certBasePath       = "certs/"
+	certBasePath    = "certs/"
-	CertFileDefault    = certBasePath + "cert.crt"
+	CertFileDefault = certBasePath + "cert.crt"
-	KeyFileDefault     = certBasePath + "priv.key"
+	KeyFileDefault  = certBasePath + "priv.key"
 	ACMEKeyFileDefault = certBasePath + "acme.key"
 )
--- a/internal/autocert/provider.go
+++ b/internal/autocert/provider.go
@@ -228,7 +228,7 @@ func (p *Provider) ObtainCertIfNotExistsAll() error {
 // obtainCertIfNotExists obtains a new certificate for this provider if it does not exist.
 func (p *Provider) obtainCertIfNotExists() error {
-	err := p.LoadCert()
+	err := p.loadCert()
 	if err == nil {
 		return nil
 	}
@@ -346,29 +346,32 @@ func (p *Provider) ObtainCert() error {
 	return nil
 }
-func (p *Provider) LoadCert() error {
+func (p *Provider) LoadCertAll() error {
 	var errs gperr.Builder
 	for _, provider := range p.allProviders() {
 		if err := provider.loadCert(); err != nil {
 			errs.Add(provider.fmtError(err))
 		}
 	}
 	p.rebuildSNIMatcher()
 	return errs.Error()
 }
 func (p *Provider) loadCert() error {
 	cert, err := tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath)
 	if err != nil {
-		errs.Addf("load SSL certificate: %w", p.fmtError(err))
+		return err
 	}
 	expiries, err := getCertExpiries(&cert)
 	if err != nil {
-		errs.Addf("parse SSL certificate: %w", p.fmtError(err))
+		return err
 	}
 	p.tlsCert = &cert
 	p.certExpiries = expiries
-	for _, ep := range p.extraProviders {
+	return nil
 		if err := ep.LoadCert(); err != nil {
 			errs.Add(err)
 		}
 	}
 	p.rebuildSNIMatcher()
 	return errs.Error()
 }
 // PrintCertExpiriesAll prints the certificate expiries for this provider and all extra providers.
--- a/internal/autocert/provider_test/sni_test.go
+++ b/internal/autocert/provider_test/sni_test.go
@@ -81,7 +81,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "a.internal.example.com"})
@@ -113,7 +113,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.example.com"})
@@ -145,7 +145,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "unknown.domain.com"})
@@ -171,7 +171,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert, err := p.GetCert(nil)
@@ -197,7 +197,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: ""})
@@ -229,7 +229,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "FOO.EXAMPLE.COM"})
@@ -261,7 +261,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "  foo.example.com.  "})
@@ -293,7 +293,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.a.example.com"})
@@ -319,7 +319,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "bar.example.com"})
@@ -355,7 +355,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert1, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.test.com"})
@@ -392,7 +392,7 @@ func TestGetCertBySNI(t *testing.T) {
 		p, err := autocert.NewProvider(cfg, nil, nil)
 		require.NoError(t, err)
-		err = p.LoadCert()
+		err = p.LoadCertAll()
 		require.NoError(t, err)
 		cert1, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.example.com"})
Author	SHA1	Message	Date
yusing	6bb36e2e83	feat(autocert): generate unique ACME key paths per CA directory URL Previously, ACME keys were stored at a single default path regardless of which CA directory URL was configured. This caused key conflicts when using multiple different ACME CAs. Now, the key path is derived from a SHA256 hash of the CA directory URL, allowing each CA to have its own key file: - Default CA (Let's Encrypt): certs/acme.key - Custom CA: certs/acme_<url_hash_16chars>.key This enables running certificates against multiple ACME providers without key collision issues.	2026-01-31 16:48:18 +08:00
yusing	4b57ef1cad	fix(autocert): correct ObtainCert error handling - ObtainCertIfNotExistsAll longer fail on fs.ErrNotExists - Separate public LoadCertAll (loads all providers) from private loadCert - LoadCertAll now uses allProviders() for iteration - Updated tests to use LoadCertAll	2026-01-31 16:17:07 +08:00
yusing	3850a4a6e7	Merge branch 'main' into dev	2026-01-30 00:34:33 +08:00
yusing	da3c624582	Merge branch 'main' into dev	2026-01-27 00:39:19 +08:00
yusing	157a83bef8	Merge branch 'main' into dev	2026-01-27 00:06:26 +08:00
yusing	d61bd5ce51	chore: update go to 1.25.6 and dependencies	2026-01-16 18:34:39 +08:00
yusing	bad3e9a989	chore(README): remove zeabur badge	2026-01-16 14:21:37 +08:00
yusing	9adfd73121	fix(health): correct docker fallback url	2026-01-16 14:09:07 +08:00
yusing	4a652aaf55	fix(swagger): explicit set type names for IconFetchResult and IconMetaSearch	2026-01-16 12:26:14 +08:00
yusing	16c986978d	chore(idlewatcher): remove junk comment	2026-01-16 11:35:40 +08:00
yusing	107b7c5f64	Merge branch 'main' into dev	2026-01-16 10:10:21 +08:00
yusing	818d75c8b7	Merge branch 'main' into dev	2026-01-04 12:43:18 +08:00
yusing	f1bc5de3ea	Merge branch 'main' into dev	2026-01-04 12:28:32 +08:00
yusing	425ff0b25c	Merge branch 'main' into dev	2026-01-02 22:12:11 +08:00
yusing	1f6614e337	refactor(config): correct logic in InitFromFile	2026-01-02 21:57:31 +08:00
yusing	9ba102a33d	chore: update goutils	2026-01-02 21:56:55 +08:00
yusing	31c616246b	Merge branch 'main' into dev	2026-01-02 15:49:20 +08:00
yusing	390859bd1f	Merge branch 'main' into dev	2026-01-02 15:43:04 +08:00
yusing	243662c13b	Merge branch 'main' into dev	2026-01-01 18:25:56 +08:00
yusing	588e9f5b18	Merge branch 'main' into dev	2025-12-30 22:01:48 +08:00
yusing	a3bf88cc9c	chore(goutils): update subproject commit reference to 51a75d68	2025-12-30 22:00:28 +08:00
yusing	9b1af57859	Merge branch 'main' into dev	2025-12-30 21:52:24 +08:00
yusing	bb7471cc9c	fix(tests/metrics): correct syntax error	2025-12-30 21:52:22 +08:00
yusing	a403b2b629	Merge branch 'main' into dev	2025-12-23 12:30:26 +08:00
yusing	54b9e7f236	Merge branch 'main' into dev	2025-12-22 17:15:02 +08:00
yusing	45b89cd452	fix(oidc): add trailing slash to OIDCAuthBasePath to work with paths like /authorize	2025-12-22 17:13:42 +08:00
yusing	72fea96c7b	Merge branch 'main' into dev	2025-12-22 12:10:31 +08:00
yusing	aef646be6f	Merge branch 'main' into dev	2025-12-22 10:45:44 +08:00
yusing	135a4ff6c7	Merge branch 'main' into dev	2025-12-20 19:31:12 +08:00
yusing	5f418b62c7	chore: upgrade dependencies	2025-12-17 17:37:58 +08:00
yusing	bd92c46375	refactor(http): enhance health check error logic by treating all 5xx as unhealthy	2025-12-17 12:24:04 +08:00
yusing	21a23dd147	fix(idlewatcher): directly serve the request on ready instead of redirecting	2025-12-17 11:48:22 +08:00