feat(autocert): generate unique ACME key paths per CA directory URL

Previously, ACME keys were stored at a single default path regardless of
which CA directory URL was configured. This caused key conflicts when
using multiple different ACME CAs.

Now, the key path is derived from a SHA256 hash of the CA directory URL,
allowing each CA to have its own key file:
- Default CA (Let's Encrypt): certs/acme.key
- Custom CA: certs/acme_<url_hash_16chars>.key

This enables running certificates against multiple ACME providers without
key collision issues.

Makefile

@@ -92,7 +92,7 @@ docker-build-test:
 
 go_ver := $(shell go version | cut -d' ' -f3 | cut -d'o' -f2)
 files := $(shell find . -name go.mod -type f -or -name Dockerfile -type f)
-gomod_paths := $(shell find . -name go.mod -type f | grep -vE '^./internal/(go-oidc|go-proxmox|gopsutil)/' | xargs dirname)
+gomod_paths := $(shell find . -name go.mod -type f | xargs dirname)
 
 update-go:
 	for file in ${files}; do \

internal/api/v1/agent/verify.go

@@ -1,7 +1,6 @@
 package agentapi
 
 import (
-	"context"
 	"fmt"
 	"net/http"
 	"os"
@@ -37,9 +36,6 @@ type VerifyNewAgentRequest struct {
 // @Failure		500		{object}	ErrorResponse
 // @Router			/agent/verify [post]
 func Verify(c *gin.Context) {
-	// avoid timeout waiting for response headers
-	c.Status(http.StatusContinue)
-
 	var request VerifyNewAgentRequest
 	if err := c.ShouldBindJSON(&request); err != nil {
 		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
@@ -64,7 +60,7 @@ func Verify(c *gin.Context) {
 		return
 	}
 
-	nRoutesAdded, err := verifyNewAgent(c.Request.Context(), request.Host, ca, client, request.ContainerRuntime)
+	nRoutesAdded, err := verifyNewAgent(request.Host, ca, client, request.ContainerRuntime)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
 		return
@@ -86,7 +82,7 @@ func Verify(c *gin.Context) {
 
 var errAgentAlreadyExists = gperr.New("agent already exists")
 
-func verifyNewAgent(ctx context.Context, host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
+func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
 	var agentCfg agent.AgentConfig
 	agentCfg.Addr = host
 	agentCfg.Runtime = containerRuntime
@@ -103,7 +99,7 @@ func verifyNewAgent(ctx context.Context, host string, ca agent.PEMPair, client a
 		return 0, errAgentAlreadyExists
 	}
 
-	err := agentCfg.InitWithCerts(ctx, ca.Cert, client.Cert, client.Key)
+	err := agentCfg.InitWithCerts(cfgState.Context(), ca.Cert, client.Cert, client.Key)
 	if err != nil {
 		return 0, gperr.Wrap(err, "failed to initialize agent config")
 	}

internal/autocert/provider.go

@@ -222,9 +222,8 @@ func (p *Provider) ObtainCertIfNotExistsAll() error {
 		})
 	}
 
-	err := errs.Wait().Error()
 	p.rebuildSNIMatcher()
-	return err
+	return errs.Wait().Error()
 }
 
 // obtainCertIfNotExists obtains a new certificate for this provider if it does not exist.
@@ -262,10 +261,7 @@ func (p *Provider) ObtainCertAll() error {
 			return nil
 		})
 	}
-
-	err := errs.Wait().Error()
-	p.rebuildSNIMatcher()
-	return err
+	return errs.Wait().Error()
 }
 
 // ObtainCert renews existing certificate or obtains a new certificate for this provider.

internal/health/check/stream.go

@@ -12,14 +12,6 @@ import (
 )
 
 func Stream(ctx context.Context, url *url.URL, timeout time.Duration) (types.HealthCheckResult, error) {
-	if port := url.Port(); port == "" || port == "0" {
-		return types.HealthCheckResult{
-			Latency: 0,
-			Healthy: false,
-			Detail:  "no port specified",
-		}, nil
-	}
-
 	dialer := net.Dialer{
 		Timeout:       timeout,
 		FallbackDelay: -1,

internal/route/route.go

@@ -254,7 +254,7 @@ func (r *Route) validate() gperr.Error {
 	}
 
 	// return error if route is localhost:<godoxy_port> but route is not agent
-	if !r.IsAgent() && !r.ShouldExclude() {
+	if !r.IsAgent() {
 		switch r.Host {
 		case "localhost", "127.0.0.1":
 			switch r.Port.Proxy {
@@ -749,7 +749,6 @@ const (
 	ExcludedReasonNoPortSpecified
 	ExcludedReasonBlacklisted
 	ExcludedReasonBuildx
-	ExcludedReasonYAMLAnchor
 	ExcludedReasonOld
 )
 
@@ -769,8 +768,6 @@ func (re ExcludedReason) String() string {
 		return "Blacklisted (backend service or database)"
 	case ExcludedReasonBuildx:
 		return "Buildx"
-	case ExcludedReasonYAMLAnchor:
-		return "YAML anchor or reference"
 	case ExcludedReasonOld:
 		return "Container renaming intermediate state"
 	default:
@@ -805,12 +802,6 @@ func (r *Route) findExcludedReason() ExcludedReason {
 	} else if r.IsZeroPort() && r.Scheme != route.SchemeFileServer {
 		return ExcludedReasonNoPortSpecified
 	}
-	// this should happen on validation API only,
-	// those routes are removed before validation.
-	// see removeXPrefix in provider/file.go
-	if strings.HasPrefix(r.Alias, "x-") { // for YAML anchors and references
-		return ExcludedReasonYAMLAnchor
-	}
 	if strings.HasSuffix(r.Alias, "-old") {
 		return ExcludedReasonOld
 	}

socket-proxy.Dockerfile

@@ -49,7 +49,5 @@ COPY --from=builder /app/run /app/run
 
 WORKDIR /app
 
-LABEL proxy.#1.healthcheck.disable=true
-
 ENV LISTEN_ADDR=0.0.0.0:2375
 CMD ["/app/run"]