Support wildcard certificates in NS8

NethServer · Jan 15, 2025 · 2524cf5 · 2524cf5
1 parent 24bfaa1
commit 2524cf5
Show file tree

Hide file tree

Showing 9 changed files with 115 additions and 7 deletions.
diff --git a/imageroot/actions/get-certificate/validate-input.json b/imageroot/actions/get-certificate/validate-input.json
@@ -6,6 +6,9 @@
     "examples": [
         {
         "fqdn": "example.com"
+    },
+        {
+        "fqdn": "*.example.com"
     }
     ],
     "type": "object",
@@ -16,7 +19,7 @@
         "fqdn": {
             "type":"string",
             "format": "hostname",
-            "title": "A fully qualified domain name"
+            "title": "A fully qualified domain name or wildcard domain"
         }
     }
 }
diff --git a/imageroot/actions/get-certificate/validate-output.json b/imageroot/actions/get-certificate/validate-output.json
@@ -8,6 +8,11 @@
             "fqdn": "example.com",
             "obtained": "true",
             "type": "internal"
+        },
+        {
+            "fqdn": "*.example.com",
+            "obtained": "true",
+            "type": "custom"
         }
     ],
     "type": "object",
@@ -18,7 +23,7 @@
                 "fqdn": {
                     "type": "string",
                     "format": "hostname",
-                    "title": "A fully qualified domain name"
+                    "title": "A fully qualified domain name or wildcard domain"
                 },
                 "type": {
                     "type": "string",
@@ -45,4 +50,4 @@
             "additionalProperties": false
         }
     ]
-}
+}
diff --git a/imageroot/actions/list-certificates/validate-output.json b/imageroot/actions/list-certificates/validate-output.json
@@ -27,6 +27,11 @@
                 "fqdn": "webserver2.domain.com",
                 "type": "custom",
                 "obtained": true
+            },
+            {
+                "fqdn": "*.example.com",
+                "type": "custom",
+                "obtained": true
             }
         ]
     ],
@@ -66,4 +71,4 @@
             }
         }
     ]
-}
+}
diff --git a/imageroot/actions/set-certificate/20writeconfig b/imageroot/actions/set-certificate/20writeconfig
@@ -35,6 +35,11 @@ router = {
         'tls': { 'domains': [{'main': data["fqdn"]}], 'certresolver': "acmeServer"}
         }
 
+# Check if the certificate is a wildcard certificate
+if data["fqdn"].startswith("*."):
+    wildcard_fqdn = data["fqdn"].replace("*.", "wildcard_")
+    router['tls']['domains'][0]['main'] = wildcard_fqdn
+
 # Write configuration file
 config = {"http": {"routers": {f'certificate-{data["fqdn"]}': router}}}
 with open(f'configs/certificate-{data["fqdn"]}.yml', 'w') as fp:

diff --git a/imageroot/actions/upload-certificate/20decode_upload b/imageroot/actions/upload-certificate/20decode_upload
@@ -26,3 +26,8 @@ with open(CERT_FILE, 'w', encoding='UTF-8') as file:
 # decode key to file
 with open(KEY_FILE, 'w', encoding='UTF-8') as file:
     file.writelines(b64decode(data["keyFile"]).decode())
+
+# check for wildcard common name
+if "wildcard" in data:
+    wildcard_cn_name = data["wildcard"].replace("*.", "wildcard_")
+    data["wildcard"] = wildcard_cn_name
diff --git a/imageroot/actions/upload-certificate/21validate_certificates b/imageroot/actions/upload-certificate/21validate_certificates
@@ -59,11 +59,16 @@ fi
 cert_public_key="$(openssl x509 -noout -pubkey -in  $CERT_FILE | openssl md5)"
 key_public_key="$(openssl  pkey -pubout -in $KEY_FILE | openssl md5)"
 
-
 if [ "$cert_public_key" != "$key_public_key" ]; then
     echo "Key didn't generate certificate." 1>&2
     echo "set-status validation-failed" >&${AGENT_COMFD:-2}
     printf '{"field":"certFile","parameter":"certFile","value":"","error":"key_mismatch"}\n'
     del_certs
     exit 3
 fi
+
+# check for wildcard common name
+if echo "$cn_name" | grep -q '^\*'; then
+    wildcard_cn_name=$(echo "$cn_name" | sed 's/^\*\.//')
+    cn_name="wildcard_$wildcard_cn_name"
+fi
diff --git a/imageroot/actions/upload-certificate/22save_certificates b/imageroot/actions/upload-certificate/22save_certificates
@@ -16,6 +16,13 @@ trap 'rm -f $KEY_FILE $CERT_FILE' EXIT
 # extract common name
 cn_name=$(openssl x509 -noout -subject -nameopt=multiline -in $CERT_FILE | sed -n 's/ *commonName *= //p')
 
+# check if the certificate is a wildcard certificate
+if echo "$cn_name" | grep -q '^\*'; then
+    # handle wildcard certificate
+    wildcard_cn_name=$(echo "$cn_name" | sed 's/^\*\.//')
+    cn_name="wildcard_$wildcard_cn_name"
+fi
+
 # copy certificate in traefik shared directory
 cp $KEY_FILE "custom_certificates/$cn_name.key"
 cp $CERT_FILE "custom_certificates/$cn_name.crt"

diff --git a/imageroot/actions/upload-certificate/23export_certificates b/imageroot/actions/upload-certificate/23export_certificates
@@ -33,6 +33,11 @@ result = subprocess.run(
 subject = result.stdout
 domain = {'main': subject.split("\n")[1].split("CN=")[1]}
 
+# check if the certificate is a wildcard certificate
+if domain["main"].startswith("*."):
+    wildcard_cn_name = domain["main"].replace("*.", "wildcard_")
+    domain["main"] = wildcard_cn_name
+
 # save the certificate and key in redis
 rdb = agent.redis_connect(privileged=True)
 rkey = f'module/{module_id}/certificate/{domain["main"]}'

diff --git a/ui/index.html b/ui/index.html
@@ -2,9 +2,77 @@
 <html>
     <head>
         <title>Traefik admin UI</title>
+        <style>
+            body {
+                font-family: Arial, sans-serif;
+                margin: 20px;
+            }
+            h1 {
+                color: #333;
+            }
+            .container {
+                max-width: 800px;
+                margin: 0 auto;
+            }
+            .certificates {
+                margin-top: 20px;
+            }
+            .certificate {
+                border: 1px solid #ccc;
+                padding: 10px;
+                margin-bottom: 10px;
+            }
+            .certificate h2 {
+                margin-top: 0;
+            }
+            .actions {
+                margin-top: 10px;
+            }
+            .actions button {
+                margin-right: 10px;
+            }
+        </style>
     </head>
     <body>
-        <h1>Traefik admin UI</h1>
-        <p>This is a placeholder</p>
+        <div class="container">
+            <h1>Traefik admin UI</h1>
+            <div class="certificates">
+                <h2>Wildcard Certificates</h2>
+                <div id="wildcard-certificates"></div>
+                <div class="actions">
+                    <button onclick="uploadCertificate()">Upload Certificate</button>
+                </div>
+            </div>
+        </div>
+        <script>
+            function uploadCertificate() {
+                // Implement the logic to upload a wildcard certificate
+                alert('Upload Certificate functionality is not implemented yet.');
+            }
+
+            function fetchCertificates() {
+                // Implement the logic to fetch and display wildcard certificates
+                const certificates = [
+                    { fqdn: '*.example.com', type: 'custom', obtained: true },
+                    { fqdn: '*.mydomain.org', type: 'custom', obtained: true }
+                ];
+
+                const container = document.getElementById('wildcard-certificates');
+                container.innerHTML = '';
+
+                certificates.forEach(cert => {
+                    const certDiv = document.createElement('div');
+                    certDiv.className = 'certificate';
+                    certDiv.innerHTML = `
+                        <h2>${cert.fqdn}</h2>
+                        <p>Type: ${cert.type}</p>
+                        <p>Obtained: ${cert.obtained}</p>
+                    `;
+                    container.appendChild(certDiv);
+                });
+            }
+
+            document.addEventListener('DOMContentLoaded', fetchCertificates);
+        </script>
     </body>
 </html>