Merge pull request #7533 from TheThingsNetwork/fix/acme-host-policy

Support wildcards in ACME hosts

Author: johanstokking

CHANGELOG.md

@@ -13,6 +13,8 @@ For details about compatibility between different releases, see the **Commitment
 
 ### Changed
 
+- Support wildcards in the supported hosts for TLS certifictes obtained via ACME (`tls.acme.hosts`).
+
 ### Deprecated
 
 ### Removed

config/messages.json

@@ -3626,6 +3626,15 @@
       "file": "listeners.go"
     }
   },
+  "error:pkg/config/tlsconfig:acme_host_not_whitelisted": {
+    "translations": {
+      "en": "host `{host}` for ACME not whitelisted"
+    },
+    "description": {
+      "package": "pkg/config/tlsconfig",
+      "file": "config.go"
+    }
+  },
   "error:pkg/config/tlsconfig:fetch_file": {
     "translations": {
       "en": "fetch file `{name}`"

pkg/config/tlsconfig/config.go

@@ -20,12 +20,14 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"os"
+	"strings"
 	"sync/atomic"
 
 	"go.thethings.network/lorawan-stack/v3/pkg/errors"
 	"go.thethings.network/lorawan-stack/v3/pkg/fetch"
 	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
+	"golang.org/x/net/idna"
 )
 
 // ACME represents ACME configuration.
@@ -62,7 +64,7 @@ func (a *ACME) Initialize() (*autocert.Manager, error) {
 	a.manager = &autocert.Manager{
 		Cache:      autocert.DirCache(a.Dir),
 		Prompt:     autocert.AcceptTOS,
-		HostPolicy: autocert.HostWhitelist(a.Hosts...),
+		HostPolicy: a.buildHostPolicy(),
 		Client: &acme.Client{
 			DirectoryURL: a.Endpoint,
 		},
@@ -80,6 +82,39 @@ func (a ACME) IsZero() bool {
 		len(a.Hosts) == 0
 }
 
+var errACMEHostNotWhitelisted = errors.DefineFailedPrecondition(
+	"acme_host_not_whitelisted", "host `{host}` for ACME not whitelisted",
+)
+
+func (a ACME) buildHostPolicy() autocert.HostPolicy {
+	var (
+		exact     = make(map[string]bool, len(a.Hosts))
+		wildcards = make(map[string]bool, len(a.Hosts))
+	)
+	for _, h := range a.Hosts {
+		h, wildcard := strings.CutPrefix(h, "*.")
+		h, err := idna.Lookup.ToASCII(h)
+		if err != nil {
+			continue
+		}
+		if wildcard {
+			wildcards[h] = true
+		} else {
+			exact[h] = true
+		}
+	}
+	return func(_ context.Context, host string) error {
+		if exact[host] {
+			return nil
+		}
+		parts := strings.SplitN(host, ".", 2)
+		if len(parts) == 2 && wildcards[parts[1]] {
+			return nil
+		}
+		return errACMEHostNotWhitelisted.WithAttributes("host", host)
+	}
+}
+
 // ServerKeyVault defines configuration for loading a TLS server certificate from the key vault.
 type ServerKeyVault struct {
 	CertificateProvider interface {

pkg/config/tlsconfig/config_test.go

@@ -28,7 +28,8 @@ import (
 	"time"
 
 	"github.com/smarty/assertions"
-	. "go.thethings.network/lorawan-stack/v3/pkg/config/tlsconfig"
+	"go.thethings.network/lorawan-stack/v3/pkg/config/tlsconfig"
+	"go.thethings.network/lorawan-stack/v3/pkg/util/test"
 	"go.thethings.network/lorawan-stack/v3/pkg/util/test/assertions/should"
 )
 
@@ -83,8 +84,8 @@ func TestApplyTLSClientConfig(t *testing.T) {
 	t.Parallel()
 	a := assertions.New(t)
 	caCert, _ := genCert()
-	tlsConfig := &tls.Config{}
-	err := (&Client{
+	tlsConfig := &tls.Config{} //nolint:gosec
+	err := (&tlsconfig.Client{
 		FileReader: mockFileReader{
 			"ca.pem": caCert,
 		},
@@ -96,9 +97,10 @@ func TestApplyTLSClientConfig(t *testing.T) {
 	a.So(tlsConfig.InsecureSkipVerify, should.BeTrue)
 
 	t.Run("Empty", func(t *testing.T) {
+		t.Parallel()
 		a := assertions.New(t)
 		tlsConfig := &tls.Config{} //nolint:gosec
-		err := (&Client{}).ApplyTo(tlsConfig)
+		err := (&tlsconfig.Client{}).ApplyTo(tlsConfig)
 		a.So(err, should.BeNil)
 		a.So(tlsConfig.RootCAs, should.BeNil)
 		a.So(tlsConfig.InsecureSkipVerify, should.BeFalse)
@@ -110,7 +112,7 @@ func TestApplyTLSServerAuth(t *testing.T) {
 	a := assertions.New(t)
 	cert, key := genCert()
 	tlsConfig := &tls.Config{} //nolint:gosec
-	err := (&ServerAuth{
+	err := (&tlsconfig.ServerAuth{
 		Source: "file",
 		FileReader: mockFileReader{
 			"cert.pem": cert,
@@ -128,7 +130,7 @@ func TestApplyTLSClientAuth(t *testing.T) {
 	a := assertions.New(t)
 	cert, key := genCert()
 	tlsConfig := &tls.Config{} //nolint:gosec
-	err := (&ClientAuth{
+	err := (&tlsconfig.ClientAuth{
 		Source: "file",
 		FileReader: mockFileReader{
 			"cert.pem": cert,
@@ -140,3 +142,23 @@ func TestApplyTLSClientAuth(t *testing.T) {
 	a.So(err, should.BeNil)
 	a.So(tlsConfig.GetClientCertificate, should.NotBeNil)
 }
+
+func TestACMEHosts(t *testing.T) {
+	t.Parallel()
+	a, ctx := test.New(t)
+	acmeConfig := &tlsconfig.ACME{
+		Enable:      true,
+		Endpoint:    "https://acme.example.com/directory",
+		Dir:         "testdata",
+		Email:       "[email protected]",
+		Hosts:       []string{"example.com", "*.example.org"},
+		DefaultHost: "example.com",
+	}
+	manager, err := acmeConfig.Initialize()
+	a.So(err, should.BeNil)
+	a.So(manager.HostPolicy(ctx, "example.com"), should.BeNil)
+	a.So(manager.HostPolicy(ctx, "subdomain.example.com"), should.NotBeNil)
+	a.So(manager.HostPolicy(ctx, "example.net"), should.NotBeNil)
+	a.So(manager.HostPolicy(ctx, "example.org"), should.NotBeNil)
+	a.So(manager.HostPolicy(ctx, "subdomain.example.org"), should.BeNil)
+}

pkg/webui/locales/ja.json

@@ -2228,6 +2228,7 @@
   "error:pkg/cluster:peer_unavailable": "クラスター {cluster_role} が利用できません",
   "error:pkg/component:listen_endpoint": "アドレス `{endpoint}` が見当たりません",
   "error:pkg/component:listener": "リスナー `{protocol}` を生成できません",
+  "error:pkg/config/tlsconfig:acme_host_not_whitelisted": "",
   "error:pkg/config/tlsconfig:fetch_file": "ファイル`{name}`を取得",
   "error:pkg/config/tlsconfig:missing_acme_default_host": "",
   "error:pkg/config/tlsconfig:missing_acme_dir": "ACEMの保存先が見つかりません",