changeset 2086:a3a97ccd4b27 ssltesting tip

remove superfluous code
author Violet7
date Wed, 10 Dec 2025 16:32:42 -0800
parents c35179c79298
children
files host/startup/nginx/nginx.acme_setup.conf.luan host/startup/nginx/nginx.conf.luan src/luan/host/https.luan
diffstat 3 files changed, 5 insertions(+), 63 deletions(-) [+]
--- a/host/startup/nginx/nginx.acme_setup.conf.luan	Wed Dec 10 11:44:41 2025 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,32 +0,0 @@
-local rootDir, domain = ...
-
-%>
-	# This config exists to serve up acme challenges on
-	# .well-known for initial domain verification by letsencrypt.
-	# see set_https in luan/src/luan/host/https.luan for more.
-	server {
-		server_name <%=domain%>;
-		listen 80;
-		listen [::]:80;
-
-		error_log <%=rootDir%>/error.log;
-		access_log <%=rootDir%>/access.log;
-
-		# this directive should be included in a per-site
-		# nginx conf. this only exists for nginx.ssl.conf
-		# as far as I am aware. Currently, this will cause
-		# conflict with the server block defined in that
-		# file, so this file should be deleted when the
-		# initial setup is finished, and this directive
-		# should be added to that file instead.
-		location /.well-known/acme-challenge/ {
-				root <%=rootDir%>;
-				try_files $uri $uri/ =404;
-		}
-
-		include nginx.default.conf;
-
-	}
-
-<%
-
--- a/host/startup/nginx/nginx.conf.luan	Wed Dec 10 11:44:41 2025 -0700
+++ b/host/startup/nginx/nginx.conf.luan	Wed Dec 10 16:32:42 2025 -0800
@@ -33,6 +33,5 @@
 	}
 
 	include <%=rootDir%>/sites/*/nginx.ssl.conf;
-	include <%=rootDir%>/sites/*/nginx.acme_setup.conf;
 }
 <%
--- a/src/luan/host/https.luan	Wed Dec 10 11:44:41 2025 -0700
+++ b/src/luan/host/https.luan	Wed Dec 10 16:32:42 2025 -0800
@@ -22,9 +22,6 @@
 local function do_set_https(is_https,domain,site_dir,luanhost_dir,dry_run)
 	local nginx_file = site_dir.child("nginx.ssl.conf")
 
-	-- for storing csr and key, but not fullchain
-	-- TODO: store fullchain in here,
-	-- not done yet for backwards compatibility
 	local ssl_files_dir = site_dir.child("ssl/")
 	ssl_files_dir.mkdir()
 
@@ -59,13 +56,7 @@
 					logger.error("the domain "..domain.." doesn't map to this machine")
 					return
 				end
-				-- set up a temporary barebones nginx conf
-				-- to serve acme challenges on the domain
-				local temp_dir = uri("file:/tmp/acme_setup/"..domain)
 				try
-					-- Clean out old temp files
-					temp_dir.delete()
-
 					-- CHANGEME
 					dry_run = true
 
@@ -77,29 +68,13 @@
 					local acme_challenges = wellknown.child("acme-challenge/")
 					acme_challenges.mkdir()
 
-					-- generate and write the conf
-					-- TODO: maybe store this in the ssl files dir?
-					local conf = load_file(luanhost_file.."startup/nginx/nginx.acme_setup.conf.luan")
-					local acme_nginx = ` conf(site_dir.canonical().to_string(),domain) `
-					local outfile = site_dir.child("nginx.acme_setup.conf")
-					outfile.write(acme_nginx)
-
-					-- reload nginx
-					local cmd = [[
-						sudo $(which nginx) -t -c "]]..luanhost_dir_str..[[/local/nginx.conf" && \ 
-						sudo $(which nginx) -s reload -c "]]..luanhost_dir_str..[[/local/nginx.conf";
-					]]
-					local s = uri("bash:"..cmd).read_text()
-					logger.info("reload_nginx "..s)
-
-					-- We've set up nginx to serve from our temp root, now we need to
-					-- create a *domain key*, which we then use to sign our cert.
+					-- Create a domain key to sign the certificate signing request (csr).
 					local key_file_str = key_file.canonical().to_string()
 					local cmd = "openssl genrsa 4096 > "..key_file_str
 					local s = uri("bash:"..cmd).read_text()
 					logger.info("create domain key\n"..s)
 
-					-- create the certificate signing request (CSR), signed with the key we just made
+					-- Create the csr.
 					local csr_file_str = csr_file.canonical().to_string()
 					local cmd = 'openssl req -new -sha256 -key '..key_file_str..' -subj "/CN='..domain..'" > '..csr_file_str
 					local s = uri("bash:"..cmd).read_text()
@@ -119,16 +94,18 @@
 						cmd = cmd.." --directory-url "..dry_run_dir_url
 					end
 					cmd = cmd.." > "..tmp_cert_out.canonical().to_string()
-					logger.info("acme-tiny commandline:\n")
+					logger.info("acme-tiny commandline:\n"..cmd)
 
 					local s = uri("bash:"..cmd).read_text()
 					logger.info("get cert signed by letsencrypt\n"..s)
 
+					-- Empty stdout from acme-tiny is a failure.
 					if tmp_cert_out.length() == 0 then
 						-- TODO: this should fail non-gracefully,
 						-- all failures here are almost certainly bugs.
 						logger.error("FAILED getting cert from letsencrypt.\nSee previous output.\nNot writing to fullchain.cer")
 					else
+						-- Success! Move the temp output to the real fullchain.
 						local tmp_out_str = tmp_cert_out.canonical().to_string()
 						local local_cer_file_str = local_cer_file.canonical().to_string()
 
@@ -139,8 +116,6 @@
 
 				catch e
 					logger.error("Error setting up ACME: "..e)
-				finally
-					temp_dir.delete()
 				end_try
 
 			end
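Review bot: `domain` is concatenated straight into a shell command at `local cmd = 'openssl req -new -sha256 -key '..key_file_str..' -subj "/CN='..domain..'" > '..csr_file_str` and executed via `uri("bash:"..cmd).read_text()`, and nothing in this hunk constrains it to hostname characters (the earlier check that logs "doesn't map to this machine" appears to verify reachability, not syntax). Because the value sits inside double quotes, shell-significant characters in it would still be interpreted; `key_file_str` and `csr_file_str` come from file objects defined outside the hunk, so their provenance is not visible here either. Validate `domain` against a strict hostname pattern (letters, digits, `-`, `.`) and log an error and return before any command string is built, or route the subject through a quoting helper; do_set_https begins before this hunk and continues past it, so the check belongs near the top of the function alongside the existing domain check. Separately, `openssl genrsa 4096 > key_file_str` creates the private key with the process umask, so consider tightening the key file's permissions immediately after it is written.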