Add zero ssl to acme certificates #2392 #2458
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently the API_KEY only version is not working properly. You must add EAB_KID AND EAB_HMAC_KEY
ACME Certificate Authority Settings (New)
Variable | Default | Options | Description
ACME_SSL_CA_PROVIDER | "letsencrypt" | "letsencrypt", "zerossl" | Choose certificate authority
ACME_ZEROSSL_API_KEY | "" | API key string | ZeroSSL API key for EAB setup
ZeroSSL EAB Credentials (New - Alternative to API Key)
Variable | Default | Options | Description
ACME_ZEROSSL_EAB_KID | "" | EAB Kid string | Manual ZeroSSL EAB Kid
ACME_ZEROSSL_EAB_HMAC_KEY | "" | EAB HMAC string | Manual ZeroSSL EAB HMAC Key
HTTP Challenge Validation Settings (New)
Variable | Default | Options | Description
ACME_SKIP_HTTP_DNS_CHECK | "no" | "yes", "no" | Skip DNS A/AAAA record validation
ACME_SKIP_CAA_CHECK | "no" | "yes", "no" | Skip CAA record validation
ACME_HTTP_STRICT_IP_CHECK | "no" | "yes", "no" | Fail on server IP mismatches
ACME_DNS_RETRY_COUNT | "2" | Number (0-10) | DNS lookup retry attempts
For multisite mode (MULTISITE="yes"), prefix any variable with {SERVER}_: example.com_ACME_SSL_CA_PROVIDER="zerossl"
example.com_ACME_ZEROSSL_API_KEY="your_api_key"
example.com_ACME_ZEROSSL_EAB_KID="XYZ"
example.com_ACME_ZEROSSL_EAB_HMAC_KEY="ABCABC"
Features added:
ACME_SKIP_HTTP_DNS_CHECK (default no) - DNS A/AAAA record validation
ACME_SKIP_CAA_CHECK (default no) - CAA record validation (dig required)
ACME_HTTP_STRICT_IP_CHECK (default no) - Fail on server IP mismatches - I really recommend to set it to yes to verify misconfigurations
The ACME_SKIP_HTTP_DNS_CHECK = no means your instance will do a DNS lookup when using HTTP verification.
If your DNS record is missing it will hard fail.
So you don't loose one request using ACME because of a failed DNS record entry
- formating: apply 79-character line limits for code (120 max fallback) - documentation: aff documentation of functions - debugging: add debugging output when LOG_LEVEL: "DEBUG"
- formating: apply 79-character line limits for code (120 max fallback) - documentation: aff documentation of functions - debugging: add debugging output when LOG_LEVEL: "DEBUG"
There was a problem hiding this comment.
Pull Request Overview
Adds support for ZeroSSL alongside Let's Encrypt, enhances OCSP reporting, and improves UI debug logging and configuration.
- Introduces
ocsp_supportin certificate metadata and surfaces it in the DataTable UI - Expands context processor and main.js with detailed debug logging
- Updates documentation (README) to cover multiple CAs (Let’s Encrypt, ZeroSSL) and new config options
Reviewed Changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/common/core/letsencrypt/ui/hooks.py | Refactored context processor, added debug logs and column docs |
| src/common/core/letsencrypt/ui/blueprints/static/js/main.js | Added debug logging, OCSP column, improved modal and AJAX flows |
| src/common/core/letsencrypt/ui/blueprints/letsencrypt.py | Extended certificate retrieval with ocsp_support extraction |
| src/common/core/letsencrypt/ui/actions.py | Added debug logging to cache extraction helper |
| src/common/core/letsencrypt/jobs/letsencrypt.py | Added ZeroSSL CA selection import and debug logs to jobs |
| src/common/core/letsencrypt/jobs/certbot-renew.py | Enhanced debug logging and env setup for renewal job |
| src/common/core/letsencrypt/jobs/certbot-deploy.py | Extended debug logging and CA deployment flow |
| src/common/core/letsencrypt/jobs/certbot-cleanup.py | Improved debug logging and standardized cleanup API calls |
| src/common/core/letsencrypt/jobs/certbot-auth.py | Added debug logging and standardized challenge distribution |
| src/common/core/letsencrypt/README.md | Expanded docs to include ZeroSSL, new settings, and examples |
Comments suppressed due to low confidence (2)
src/common/core/letsencrypt/ui/blueprints/letsencrypt.py:162
- The new
ocsp_supportfield is populated by custom logic but isn’t covered by existing tests. Consider adding unit tests to verify OCSP URL detection and correct JSON output.
"ocsp_support": [],
src/common/core/letsencrypt/ui/hooks.py:58
- The
return Noneappears misaligned with the surroundingifblock. Please adjust indentation so it's clearly inside theif path_excluded:to improve readability and prevent accidental fall-through.
return None
| } | ||
|
|
||
| $("#errorModalLabel").text(title); | ||
| $("#errorModalContent").html(message); |
There was a problem hiding this comment.
Injecting message via html() can expose the UI to XSS if the server response isn't fully sanitized. Consider using text() or a sanitization library to safely render error messages.
Suggested change
| $("#errorModalContent").html(message); | |
| $("#errorModalContent").text(message); |
Copilot uses AI. Check for mistakes.
| # Linux case | ||
| LOGGER.info( | ||
| f"Successfully sent API request to " | ||
| f"{api.endpoint}/lets-encrypt/challenge" |
There was a problem hiding this comment.
The directory name lets-encrypt is inconsistent with other code that uses letsencrypt. This mismatch can lead to missing file errors. Please unify the folder name.
Suggested change
| f"{api.endpoint}/lets-encrypt/challenge" | |
| f"{api.endpoint}/letsencrypt/challenge" |
Copilot uses AI. Check for mistakes.
Injecting message via html() can expose the UI to XSS if the server response isn't fully sanitized. Consider using text() or a sanitization library to safely render error messages.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.