Fix ssl handling

Follow 6.4.0 (stable) conventions: nginx certificate handling details The nginx startup script looks for a SSL certificate on the USB boot flash in this order: config/ssl/certs/certficate_bundle.pem config/ssl/certs/<server-name>_unraid_bundle.pem If neither file exists, a self-signed SSL certificate is automatically created and stored in config/ssl/certs/<server-name>_unraid_bundle.pem Provisioning a Let's Encrypt certificate writes the certificate to config/ssl/certs/certficate_bundle.pem Ref #124
jbrodriguez · Jan 18, 2018 · 06b2239 · 06b2239
1 parent f855d1b
commit 06b2239
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 23 deletions.
diff --git a/server/src/app/app.go b/server/src/app/app.go
@@ -61,7 +61,7 @@ func (a *App) Run(settings *lib.Settings) {
 	bus := pubsub.New(623)
 
 	array := services.NewArray(bus, settings)
-	server := services.NewServer(bus, settings, array.GetSSLSettings())
+	server := services.NewServer(bus, settings, array.GetCertificate())
 	planner := services.NewPlanner(bus, settings)
 	core := services.NewCore(bus, settings)
 

diff --git a/server/src/services/array.go b/server/src/services/array.go
@@ -20,6 +20,8 @@ import (
 	ini "github.com/vaughan0/go-ini"
 )
 
+const certDir = "/boot/config/ssl/certs"
+
 // Array -
 type Array struct {
 	bus      *pubsub.PubSub
@@ -76,8 +78,8 @@ func (a *Array) SanityCheck(locations []string) error {
 	return nil
 }
 
-// GetSSLSettings -
-func (a *Array) GetSSLSettings() string {
+// GetCertificate -
+func (a *Array) GetCertificate() string {
 	// get array status
 	file, err := ini.LoadFile("/var/local/emhttp/var.ini")
 	if err != nil {
@@ -87,7 +89,18 @@ func (a *Array) GetSSLSettings() string {
 	usessl, _ := file.Get("", "USE_SSL")
 	usessl = strings.Replace(usessl, "\"", "", -1)
 
-	return usessl
+	name, _ := file.Get("", "NAME")
+	name = strings.Replace(name, "\"", "", -1)
+
+	cert := getCertificateName(certDir, name)
+
+	secure := cert != "" && !(usessl == "" || usessl == "no")
+
+	if secure {
+		return cert
+	}
+
+	return ""
 }
 
 func (a *Array) getStatus(msg *pubsub.Message) {
@@ -260,3 +273,31 @@ func (a *Array) getLog(msg *pubsub.Message) {
 	outbound := &dto.Packet{Topic: "gotLog", Payload: log}
 	a.bus.Pub(&pubsub.Message{Payload: outbound}, "socket:broadcast")
 }
+
+func getCertificateName(certDir, name string) string {
+	cert := filepath.Join(certDir, "certificate_bundle.pem")
+
+	exists, err := lib.Exists(cert)
+	if err != nil {
+		mlog.Warning("unable to check for %s presence:(%s)", cert, err)
+		return ""
+	}
+
+	if exists {
+		return cert
+	}
+
+	cert = filepath.Join(certDir, name+"_unraid_bundle.pem")
+
+	exists, err = lib.Exists(filepath.Join(certDir, cert))
+	if err != nil {
+		mlog.Warning("unable to check for %s presence:(%s)", cert, err)
+		return ""
+	}
+
+	if exists {
+		return cert
+	}
+
+	return ""
+}
diff --git a/server/src/services/server.go b/server/src/services/server.go
@@ -24,8 +24,6 @@ var upgrader = websocket.Upgrader{
 	CheckOrigin: func(r *http.Request) bool { return true },
 }
 
-const certificate = "/boot/config/ssl/certs/certificate_bundle.pem"
-
 // Server -
 type Server struct {
 	bus      *pubsub.PubSub
@@ -34,17 +32,17 @@ type Server struct {
 	engine *echo.Echo
 	actor  *actor.Actor
 
-	ssl string
+	cert string
 
 	pool map[*net.Connection]bool
 }
 
 // NewServer -
-func NewServer(bus *pubsub.PubSub, settings *lib.Settings, ssl string) *Server {
+func NewServer(bus *pubsub.PubSub, settings *lib.Settings, cert string) *Server {
 	server := &Server{
 		bus:      bus,
 		actor:    actor.NewActor(bus),
-		ssl:      ssl,
+		cert:     cert,
 		settings: settings,
 		pool:     make(map[*net.Connection]bool),
 	}
@@ -108,10 +106,10 @@ func (s *Server) Start() {
 	port := fmt.Sprintf(":%s", s.settings.Port)
 
 	protocol := "http"
-	if s.useSsl() {
+	if s.cert != "" {
 		protocol = "https"
 		go func() {
-			err := s.engine.StartTLS(port, certificate, certificate)
+			err := s.engine.StartTLS(port, s.cert, s.cert)
 			if err != nil {
 				mlog.Fatalf("Unable to start on https: %s", err)
 			}
@@ -372,15 +370,3 @@ func (s *Server) broadcast(msg *pubsub.Message) {
 		conn.Write(packet)
 	}
 }
-
-func (s *Server) useSsl() bool {
-	exists, err := lib.Exists(certificate)
-	if err != nil {
-		mlog.Warning("unable to check for certificate presence:(%s)", err)
-	}
-
-	// if usessl == "" this isn't a 6.4.x server
-	// otherwise usessl has some value, the plugin will serve off http if the value is no, in any
-	// other case, it will serve off https
-	return exists && !(s.ssl == "" || s.ssl == "no")
-}