diff --git a/cmd/server/flags.go b/cmd/server/flags.go
index 6c5320801..6dd19c1be 100644
--- a/cmd/server/flags.go
+++ b/cmd/server/flags.go
@@ -93,16 +93,6 @@ var flags = append([]cli.Flag{
 Name: "custom-js-file",
 Usage: "file path for the server to serve a custom .JS file, used for customizing the UI",
 },
- &cli.StringFlag{
- Sources: cli.EnvVars("WOODPECKER_LETS_ENCRYPT_EMAIL"),
- Name: "lets-encrypt-email",
- Usage: "let's encrypt email",
- },
- &cli.BoolFlag{
- Sources: cli.EnvVars("WOODPECKER_LETS_ENCRYPT"),
- Name: "lets-encrypt",
- Usage: "enable let's encrypt",
- },
 &cli.StringFlag{
 Sources: cli.EnvVars("WOODPECKER_GRPC_ADDR"),
 Name: "grpc-addr",
diff --git a/cmd/server/health.go b/cmd/server/health.go
index 10780889f..590bb552a 100644
--- a/cmd/server/health.go
+++ b/cmd/server/health.go
@@ -39,7 +39,7 @@ func pinger(_ context.Context, c *cli.Command) error {
 }
 // if woodpecker do ssl on it's own
- if c.String("server-cert") != "" || c.Bool("lets-encrypt") {
+ if c.String("server-cert") != "" {
 scheme = "https"
 }
diff --git a/cmd/server/server.go b/cmd/server/server.go
index 42338ddd5..2983947d2 100644
--- a/cmd/server/server.go
+++ b/cmd/server/server.go
@@ -25,7 +25,6 @@ import (
 "strings"
 "time"
- "github.com/caddyserver/certmagic"
 "github.com/gin-gonic/gin"
 prometheus_http "github.com/prometheus/client_golang/prometheus/promhttp"
 "github.com/rs/zerolog"
@@ -167,8 +166,7 @@ func run(ctx context.Context, c *cli.Command) error {
 middleware.Store(_store),
 )
- switch {
- case c.String("server-cert") != "":
+ if c.String("server-cert") != "" {
 // start the server with tls enabled
 serviceWaitingGroup.Go(func() error {
 tlsServer := &http.Server{
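Review bot: The comment above the changed condition, `// if woodpecker do ssl on it's own`, no longer explains the decision now that only a configured certificate puts the pinger on HTTPS; an operator fronting Woodpecker with a reverse proxy will read it and still wonder why the health check stays on plain HTTP. Replace it with `// Woodpecker terminates TLS itself only when server-cert is set; otherwise (reverse proxy, externally managed certificates) the local listener is plain HTTP, so the pinger must use http`. The body of pinger, including how `scheme` is assembled into the URL it probes, starts before and continues after the hunk.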
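Review bot: The expression `c.String("server-cert") != ""` is now the single switch between an encrypted and a plaintext listener, and the identical expression is repeated in health.go's pinger; a named local keeps the two from drifting and states the intent at the branch rather than in a comment three lines away. Suggest `serveTLS := c.String("server-cert") != ""` above the branch and `if serveTLS {` here, with `// TLS is terminated here only when a certificate is configured; otherwise a reverse proxy is expected to do it` on the line before. Note that only server-cert decides the branch, so a deployment that sets server-key alone still lands on the plaintext listener without a warning. The enclosing run() starts before and continues after the hunk.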
@@ -234,32 +232,7 @@ func run(ctx context.Context, c *cli.Command) error {
 }
 return nil
 })
- case c.Bool("lets-encrypt"):
- // start the server with lets-encrypt
- certmagic.DefaultACME.Email = c.String("lets-encrypt-email")
- certmagic.DefaultACME.Agreed = true
-
- address, err := url.Parse(strings.TrimSuffix(c.String("server-host"), "/"))
- if err != nil {
- return err
- }
-
- serviceWaitingGroup.Go(func() error {
- go func() {
- <-ctx.Done()
- log.Error().Msg("there is no certmagic.HTTPS alternative who is context aware we will fail in 2 seconds")
- time.Sleep(time.Second * 2)
- log.Fatal().Msg("we kill certmagic by fail") //nolint:forbidigo
- }()
-
- log.Info().Msg("starting certmagic server ...")
- if err := certmagic.HTTPS([]string{address.Host}, handler); err != nil {
- log.Error().Err(err).Msg("certmagic does not work")
- stopServerFunc(fmt.Errorf("certmagic failed: %w", err))
- }
- return nil
- })
- default:
+ } else {
 // start the server without tls
 serviceWaitingGroup.Go(func() error {
 httpServer := &http.Server{
diff --git a/docs/docs/30-administration/10-server-config.md b/docs/docs/30-administration/10-server-config.md
index 902edf82c..a308123eb 100644
--- a/docs/docs/30-administration/10-server-config.md
+++ b/docs/docs/30-administration/10-server-config.md
@@ -275,12 +275,6 @@ The file must be UTF-8 encoded, to ensure all special characters are preserved.
 Example: `WOODPECKER_CUSTOM_JS_FILE=/usr/local/www/woodpecker.js`
-### `WOODPECKER_LETS_ENCRYPT`
-
-> Default: `false`
-
-Automatically generates an SSL certificate using Let's Encrypt, and configures the server to accept HTTPS requests.
-
 ### `WOODPECKER_GRPC_ADDR`
 > Default: `:9000`
diff --git a/docs/docs/30-administration/40-advanced/20-ssl.md b/docs/docs/30-administration/40-advanced/20-ssl.md
index 6fda26d3d..36f2573db 100644
--- a/docs/docs/30-administration/40-advanced/20-ssl.md
+++ b/docs/docs/30-administration/40-advanced/20-ssl.md
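Review bot: The new `} else {` branch is reached silently by any deployment that still carries `WOODPECKER_LETS_ENCRYPT=true` in its environment: with the flag definition deleted in flags.go, the cli package no longer binds that variable to anything, so a server that served HTTPS before this change comes back up on plaintext after the upgrade with nothing in the log; the migrations note documents the drop but the code does not enforce it. A loud failure at the top of the plain-HTTP branch closes that gap: `if os.Getenv("WOODPECKER_LETS_ENCRYPT") != "" { return fmt.Errorf("WOODPECKER_LETS_ENCRYPT is no longer supported; set WOODPECKER_SERVER_CERT/WOODPECKER_SERVER_KEY or terminate TLS at a reverse proxy") }` (assuming `os` and `fmt` are still imported in server.go; the import hunk shows neither). Since `url.Parse`, `strings.TrimSuffix` and `time.Sleep` disappear with this block but only certmagic leaves the import list, confirm those packages are still referenced elsewhere in the file or the build fails on an unused import. run() starts before and continues after the hunk.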
@@ -1,35 +1,5 @@
 # SSL
-Woodpecker supports two ways of enabling SSL communication. You can either use Let's Encrypt to get automated SSL support with
-renewal or provide your own SSL certificates.
-
-## Let's Encrypt
-
-Woodpecker supports automated SSL configuration and updates using Let's Encrypt.
-
-You can enable Let's Encrypt by making the following modifications to your server configuration:
-
-```ini
-WOODPECKER_LETS_ENCRYPT=true
-WOODPECKER_LETS_ENCRYPT_EMAIL=ssl-admin@example.tld
-```
-
-Note that Woodpecker uses the hostname from the `WOODPECKER_HOST` environment variable when requesting certificates. For example, if `WOODPECKER_HOST=https://example.com` is set the certificate is requested for `example.com`. To receive emails before certificates expire Let's Encrypt requires an email address. You can set it with `WOODPECKER_LETS_ENCRYPT_EMAIL=ssl-admin@example.tld`.
-
-The SSL certificates are stored in `$HOME/.local/share/certmagic` for binary versions of Woodpecker and in `/var/lib/woodpecker` for the Container versions of it. You can set a custom path by setting `XDG_DATA_HOME` if required.
-
-> Once enabled you can visit the Woodpecker UI with http and the HTTPS address. HTTP will be redirected to HTTPS.
-
-### Certificate Cache
-
-Woodpecker writes the certificates to `/var/lib/woodpecker/certmagic/`.
-
-### Certificate Updates
-
-Woodpecker uses the official Go acme library which will handle certificate upgrades. There should be no addition configuration or management required.
-
-## SSL with own certificates
-
 Woodpecker supports SSL configuration by mounting certificates into your container.
 ```ini
@@ -37,17 +7,17 @@ WOODPECKER_SERVER_CERT=/etc/certs/woodpecker.example.com/server.crt
 WOODPECKER_SERVER_KEY=/etc/certs/woodpecker.example.com/server.key
 ```
-### Certificate Chain
+## Certificate Chain
 The most common problem encountered is providing a certificate file without the intermediate chain.
 > LoadX509KeyPair reads and parses a public/private key pair from a pair of files. The files must contain PEM encoded data. The certificate file may contain intermediate certificates following the leaf certificate to form a certificate chain.
-### Certificate Errors
+## Certificate Errors
 SSL support is provided using the [ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS) function from the Go standard library. If you receive certificate errors or warnings please examine your configuration more closely.
-### Running in containers
+## Running in containers
 Update your configuration to expose the following ports:
diff --git a/docs/src/pages/migrations.md b/docs/src/pages/migrations.md
index e4bc3d227..6efe74623 100644
--- a/docs/src/pages/migrations.md
+++ b/docs/src/pages/migrations.md
@@ -46,6 +46,7 @@ This will be the next version of Woodpecker.
 - `woodpecker-cli secret [add|rm|...] --repository` is now `woodpecker-cli repo secret [add|rm|...]`
 - `woodpecker-cli pipeline logs` is now `woodpecker-cli pipeline log show`
 - `woodpecker-cli [registry|secret|...] info` is now `woodpecker-cli [registry|secret|...] show`
+- Dropped native Let's Encrypt certificate support. You can either generate Let's Encrypt certificates externally and use `WOODPECKER_SERVER_CERT` and `WOODPECKER_SERVER_KEY` or use Woodpecker behind a reverse proxy like Caddy.
 ## Admin migrations
diff --git a/go.mod b/go.mod
index e167135df..786434cb8 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,6 @@ require (
 github.com/6543/logfile-open v1.2.1
 github.com/adrg/xdg v0.5.3
 github.com/bmatcuk/doublestar/v4 v4.7.1
- github.com/caddyserver/certmagic v0.21.4
 github.com/cenkalti/backoff/v4 v4.3.0
 github.com/charmbracelet/huh v0.6.0
 github.com/charmbracelet/huh/spinner v0.0.0-20240327025511-ec643317aa10
@@ -90,7 +89,6 @@ require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/bytedance/sonic v1.11.6 // indirect
 github.com/bytedance/sonic/loader v0.1.1 // indirect
- github.com/caddyserver/zerossl v0.1.3 // indirect
 github.com/catppuccin/go v0.2.0 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/charmbracelet/bubbles v0.20.0 // indirect
@@ -155,15 +153,12 @@ require (
 github.com/lestrrat-go/iter v1.0.2 // indirect
 github.com/lestrrat-go/jwx/v2 v2.1.0 // indirect
 github.com/lestrrat-go/option v1.0.1 // indirect
- github.com/libdns/libdns v0.2.2 // indirect
 github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
 github.com/mattn/go-colorable v0.1.13 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mattn/go-localereader v0.0.1 // indirect
 github.com/mattn/go-runewidth v0.0.16 // indirect
- github.com/mholt/acmez/v2 v2.0.3 // indirect
- github.com/miekg/dns v1.1.62 // indirect
 github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -199,14 +194,12 @@ require (
 github.com/x448/float16 v0.8.4 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
- github.com/zeebo/blake3 v0.2.4 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
 go.opentelemetry.io/otel v1.29.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 // indirect
 go.opentelemetry.io/otel/metric v1.29.0 // indirect
 go.opentelemetry.io/otel/sdk v1.28.0 // indirect
 go.opentelemetry.io/otel/trace v1.29.0 // indirect
- go.uber.org/zap v1.27.0 // indirect
 golang.org/x/arch v0.8.0 // indirect
 golang.org/x/mod v0.22.0 // indirect
 golang.org/x/sys v0.28.0 // indirect
diff --git a/go.sum b/go.sum
index e49ddaba7..ba8fc1251 100644
--- a/go.sum
+++ b/go.sum
@@ -48,10 +48,6 @@ github.com/bytedance/sonic v1.11.6 h1:oUp34TzMlL+OY1OUWxHqsdkgC/Zfc85zGqw9siXjrc
 github.com/bytedance/sonic v1.11.6/go.mod h1:LysEHSvpvDySVdC2f87zGWf6CIKJcAvqab1ZaiQtds4=
 github.com/bytedance/sonic/loader v0.1.1 h1:c+e5Pt1k/cy5wMveRDyk2X4B9hF4g7an8N3zCYjJFNM=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/caddyserver/certmagic v0.21.4 h1:e7VobB8rffHv8ZZpSiZtEwnLDHUwLVYLWzWSa1FfKI0=
-github.com/caddyserver/certmagic v0.21.4/go.mod h1:swUXjQ1T9ZtMv95qj7/InJvWLXURU85r+CfG0T+ZbDE=
-github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
-github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/catppuccin/go v0.2.0 h1:ktBeIrIP42b/8FGiScP9sgrWOss3lw0Z5SktRoithGA=
 github.com/catppuccin/go v0.2.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
@@ -372,8 +368,6 @@ github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
-github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
@@ -400,10 +394,6 @@ github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S
 github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
 github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
 github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
-github.com/mholt/acmez/v2 v2.0.3 h1:CgDBlEwg3QBp6s45tPQmFIBrkRIkBT4rW4orMM6p4sw=
-github.com/mholt/acmez/v2 v2.0.3/go.mod h1:pQ1ysaDeGrIMvJ9dfJMk5kJNkn7L2sb3UhyrX6Q91cw=
-github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
-github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -565,12 +555,6 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
 github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
-github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
-github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
-github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI=
-github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE=
-github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
-github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
@@ -604,8 +588,6 @@ go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9E
 go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
-go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
-go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
 golang.org/x/arch v0.8.0 h1:3wRIsP3pM4yUptoR96otTUOXI367OS0+c9eeRi9doIc=
 golang.org/x/arch v0.8.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=