Merge pull request #714 from mritd/master

feat(server): add ZeroSSL EAB
2025-06-08 13:29:53 +00:00 · 2023-09-29 22:31:28 -07:00 · 2023-09-29 22:31:28 -07:00 · 922edce1d0
commit 922edce1d0
parent 8faaf3b2e8 39518268f0
2 changed files with 51 additions and 1 deletions
--- a/app/cmd/server.go
+++ b/app/cmd/server.go
@ -3,7 +3,9 @@ package cmd
 import (
 	"context"
 	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"net/http/httputil"
@ -13,6 +15,7 @@ import (
 	"time"
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez/acme"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"go.uber.org/zap"
@ -264,6 +267,11 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 			cmIssuer.CA = certmagic.LetsEncryptProductionCA
 		case "zerossl", "zero":
 			cmIssuer.CA = certmagic.ZeroSSLProductionCA
 			eab, err := genZeroSSLEAB(c.ACME.Email)
 			if err != nil {
 				return configError{Field: "acme.ca", Err: err}
 			}
 			cmIssuer.ExternalAccount = eab
 		default:
 			return configError{Field: "acme.ca", Err: errors.New("unknown CA")}
 		}
@ -288,6 +296,48 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 	return nil
 }
 func genZeroSSLEAB(email string) (*acme.EAB, error) {
 	req, err := http.NewRequest(
 		http.MethodPost,
 		"https://api.zerossl.com/acme/eab-credentials-email",
 		strings.NewReader(url.Values{"email": []string{email}}.Encode()),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to creare ZeroSSL EAB request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("User-Agent", certmagic.UserAgent)
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("failed to send ZeroSSL EAB request: %w", err)
 	}
 	defer func() { _ = resp.Body.Close() }()
 	var result struct {
 		Success bool `json:"success"`
 		Error   struct {
 			Code int    `json:"code"`
 			Type string `json:"type"`
 		} `json:"error"`
 		EABKID     string `json:"eab_kid"`
 		EABHMACKey string `json:"eab_hmac_key"`
 	}
 	if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
 		return nil, fmt.Errorf("failed decoding ZeroSSL EAB API response: %w", err)
 	}
 	if result.Error.Code != 0 {
 		return nil, fmt.Errorf("failed getting ZeroSSL EAB credentials: HTTP %d: %s (code %d)", resp.StatusCode, result.Error.Type, result.Error.Code)
 	}
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("failed getting EAB credentials: HTTP %d", resp.StatusCode)
 	}
 	return &acme.EAB{
 		KeyID:  result.EABKID,
 		MACKey: result.EABHMACKey,
 	}, nil
 }
 func (c *serverConfig) fillQUICConfig(hyConfig *server.Config) error {
 	hyConfig.QUICConfig = server.QUICConfig{
 		InitialStreamReceiveWindow:     c.QUIC.InitStreamReceiveWindow,
--- a/app/go.mod
+++ b/app/go.mod
@ -8,6 +8,7 @@ require (
 	github.com/apernet/hysteria/extras v0.0.0-00010101000000-000000000000
 	github.com/caddyserver/certmagic v0.17.2
 	github.com/mdp/qrterminal/v3 v3.1.1
 	github.com/mholt/acmez v1.0.4
 	github.com/oschwald/geoip2-golang v1.9.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/viper v1.15.0
@ -29,7 +30,6 @@ require (
 	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mholt/acmez v1.0.4 // indirect
 	github.com/miekg/dns v1.1.55 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect