Security update

fix server not start in https
add test argument to client that allow skip verify server certification
do not send body "404 page not found" when request non api path and non api method
modify validBefore turncate to 1hour

Author: LDLDL

exec/client/main.go

@@ -3,9 +3,11 @@ package main
 import (
 	"pkg.para.party/certdx/pkg/client"
 
+	"crypto/tls"
 	"fmt"
 	"io"
 	"log"
+	"net/http"
 	"os"
 
 	"github.com/BurntSushi/toml"
@@ -18,6 +20,7 @@ var (
 )
 
 var (
+	test     = flag.BoolP("test", "t", false, "Testing not verify server certification")
 	pLogPath = flag.StringP("log", "l", "", "Log file path")
 	help     = flag.BoolP("help", "h", false, "Print help")
 	version  = flag.BoolP("version", "v", false, "Print version")
@@ -40,6 +43,14 @@ func init() {
 		os.Exit(0)
 	}
 
+	if *test {
+		client.HttpClient.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		}
+	}
+
 	if *pLogPath != "" {
 		logFile, err := os.OpenFile(*pLogPath, os.O_WRONLY|os.O_CREATE|os.O_APPEND, os.ModePerm)
 		if err != nil {

exec/server/main.go

@@ -125,7 +125,7 @@ func serveHttps() {
 
 		go func() {
 			log.Printf("[INF] Https server started")
-			err := server.ListenAndServe()
+			err := server.ListenAndServeTLS("", "")
 			log.Printf("[INF] Https server stopped: %s", err)
 		}()
 		<-*entry.Updated.Load()
@@ -135,7 +135,7 @@ func serveHttps() {
 
 func main() {
 	if config.HttpServer.Enabled {
-		http.HandleFunc(config.HttpServer.APIPath, server.APIHandler)
+		http.HandleFunc("/", server.APIHandler)
 
 		if !config.HttpServer.Secure {
 			log.Printf("[INF] Http server started")

pkg/client/http.go

@@ -11,7 +11,7 @@ import (
 	"time"
 )
 
-var client = &http.Client{
+var HttpClient = &http.Client{
 	Timeout: 30 * time.Second,
 }
 
@@ -32,7 +32,7 @@ func GetCert(server *config.ClientHttpServer, domains []string) (*types.HttpCert
 		}
 	}
 
-	resp, err := client.Do(req)
+	resp, err := HttpClient.Do(req)
 	if err != nil {
 		return nil, err
 	}

pkg/server/http.go

@@ -10,12 +10,14 @@ import (
 )
 
 func APIHandler(w http.ResponseWriter, r *http.Request) {
-	if checkAuthorization(r) {
+	if r.URL.Path == Config.HttpServer.APIPath {
 		switch r.Method {
 		case "POST":
-			log.Printf("[INF] Http received cert request from: %s", r.RemoteAddr)
-			handleCertReq(&w, r)
-			return
+			if checkAuthorization(r) {
+				log.Printf("[INF] Http received cert request from: %s", r.RemoteAddr)
+				handleCertReq(&w, r)
+				return
+			}
 		default:
 		}
 	}

pkg/server/server.go

@@ -68,7 +68,7 @@ func (c *ServerCertCacheEntry) Renew(retry bool) (bool, error) {
 
 	log.Printf("[INF] Renew cert: %v", c.Domains)
 	if !time.Now().Before(c.cert.ValidBefore) {
-		newValidBefore := time.Now().Truncate(1 * time.Minute).Add(Config.ACME.CertLifeTimeDuration)
+		newValidBefore := time.Now().Truncate(1 * time.Hour).Add(Config.ACME.CertLifeTimeDuration)
 
 		acme, err := GetACME()
 		if err != nil {