Merge pull request #2180 from nordic-institute/XRDDEV-2535

feat: acme support
nordic-institute · Jun 11, 2024 · f5710eb · f5710eb
2 parents 0aecb62 + 71d6ea1
commit f5710eb
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 0 deletions.
diff --git a/doc/Manuals/ug-syspar_x-road_v6_system_parameters.md b/doc/Manuals/ug-syspar_x-road_v6_system_parameters.md
@@ -444,6 +444,7 @@ the message log.
 | acme-certificate-wait-attempts               | 5                         | Number of attempts to check whether the ACME certificate is ready before giving up                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | acme-certificate-wait-interval               | 5000                      | Amount of time in milliseconds to wait between ACME certificate completion check attempts                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
 | acme-certificate-account-key-pair-expiration | 365                       | Amount of days the ACME server account's self-signed certificate is valid                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| acme-challenge-port-enabled                  | false                     | If enabled, the API will listen on port 80 for incoming acme challenge requests                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
 
 > **NOTE**: `strict-identifier-checks` default value is true for new installations starting from version 7.3.0. It is 
 > set to `false` in `local.ini` during upgrade process if version installed before upgrade is less than 7.3.0.

diff --git a/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java
@@ -120,6 +120,10 @@ private SystemProperties() {
     public static final String PROXY_UI_API_ACME_ACCOUNT_KEY_PAIR_EXPIRATION_IN_DAYS =
             PREFIX + "proxy-ui-api.acme-certificate-account-key-pair-expiration";
 
+    /** property name of whether the service should listen on port 80 for incoming acme challenge requests */
+    public static final String PROXY_UI_API_ACME_CHALLENGE_PORT_ENABLED =
+            PREFIX + "proxy-ui-api.acme-challenge-port-enabled";
+
     // Proxy ------------------------------------------------------------------
 
     /** Property name of controlling SSL support between Proxies. */

diff --git a/src/packages/src/xroad/default-configuration/override-securityserver-fi.ini b/src/packages/src/xroad/default-configuration/override-securityserver-fi.ini
@@ -21,6 +21,9 @@ client-use-idle-connection-monitor=true
 client-timeout=30000
 server-min-supported-client-version=7.3.0
 
+[proxy-ui-api]
+acme-challenge-port-enabled=true
+
 [message-log]
 message-body-logging=false
 acceptable-timestamp-failure-period=172800
diff --git a/src/packages/src/xroad/redhat/SOURCES/proxy-ui-api/xroad-proxy-ui-api.service b/src/packages/src/xroad/redhat/SOURCES/proxy-ui-api/xroad-proxy-ui-api.service
@@ -7,6 +7,7 @@ StartLimitBurst=5
 StartLimitIntervalSec=40
 
 [Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 User=xroad
 Group=xroad
 ExecStart=/usr/share/xroad/bin/xroad-proxy-ui-api

diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-proxy-ui-api.service b/src/packages/src/xroad/ubuntu/generic/xroad-proxy-ui-api.service
@@ -7,6 +7,7 @@ StartLimitBurst=5
 StartLimitIntervalSec=40
 
 [Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 User=xroad
 Group=xroad
 ExecStart=/usr/share/xroad/bin/xroad-proxy-ui-api

diff --git a/...ation/src/main/java/org/niis/xroad/securityserver/restapi/config/AcmeChallengeConfig.java b/...ation/src/main/java/org/niis/xroad/securityserver/restapi/config/AcmeChallengeConfig.java
@@ -27,6 +27,7 @@
 
 import org.apache.catalina.connector.Connector;
 import org.apache.coyote.http11.Http11NioProtocol;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
 import org.springframework.boot.web.server.WebServerFactoryCustomizer;
 import org.springframework.context.annotation.Bean;
@@ -37,6 +38,7 @@
 public class AcmeChallengeConfig {
 
     @Profile("nontest")
+    @ConditionalOnProperty(value = "xroad.proxy-ui-api.acme-challenge-port-enabled", havingValue = "true")
     @Bean
     public WebServerFactoryCustomizer<TomcatServletWebServerFactory> acmeChallengeCustomizer() {
         return this::acmeChallengeCustomizer;

diff --git a/...urity-server/system-test/src/intTest/resources/container-files/etc/xroad/conf.d/local.ini b/...urity-server/system-test/src/intTest/resources/container-files/etc/xroad/conf.d/local.ini
@@ -2,6 +2,7 @@
 rate-limit-enabled=true
 rate-limit-requests-per-second=100
 rate-limit-requests-per-minute=1000
+acme-challenge-port-enabled=true
 [proxy]
 backup-encryption-enabled = true
 backup-encryption-keyids = "backup.key1@example.org, backup.key2@example.org, backup.key3@example.org"