From 27e853454da6b9f2dc510a22a890924dbb7045ac Mon Sep 17 00:00:00 2001
From: Gusted
Date: Thu, 17 Jul 2025 20:40:09 +0200
Subject: [PATCH] fix: use correct ACME default (#8550)

- The `ACME_URL` setting is documented to default to Let's encrypt production server if left empty, so do precisely that.
- Use a HTTP proxy to communicate with ACME if Forgejo is configured to use that.
- Regression of forgejo/forgejo#7409 (previously certmagic took care of setting these defaults).
- Resolves forgejo/forgejo#8548

## Testing

1. Configure Forgejo's root URL to a public facing domain (that can pass a ACME challenge)
2. Configure Forgejo to use ACME by setting `[server].ENABLE_ACME = true` and `[server].ACME_ACCEPTTOS = true`.
3. Start Forgejo.
4. Observe that it's available via https.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8550
Reviewed-by: Earl Warren
Co-authored-by: Gusted
Co-committed-by: Gusted
---
 cmd/web_acme.go | 7 +++++++
 modules/setting/server.go | 4 +++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/cmd/web_acme.go b/cmd/web_acme.go
index 03b3b9f0da..be6314addb 100644
--- a/cmd/web_acme.go
+++ b/cmd/web_acme.go
@@ -15,6 +15,7 @@ import (
 "forgejo.org/modules/graceful"
 "forgejo.org/modules/log"
 "forgejo.org/modules/process"
+ "forgejo.org/modules/proxy"
 "forgejo.org/modules/setting"
 
 "github.com/caddyserver/certmagic"
@@ -76,6 +77,12 @@ func runACME(listenAddr string, m http.Handler) error {
 ListenHost: setting.HTTPAddr,
 AltTLSALPNPort: altTLSALPNPort,
 AltHTTPPort: altHTTPPort,
+ HTTPProxy: proxy.Proxy(),
+ }
+
+ // Preserve behavior to use Let's encrypt test CA when Let's encrypt is CA.
+ if certmagic.DefaultACME.CA == certmagic.LetsEncryptProductionCA {
+ certmagic.DefaultACME.TestCA = certmagic.LetsEncryptStagingCA
 }
 
 magic := certmagic.NewDefault()
diff --git a/modules/setting/server.go b/modules/setting/server.go
index bff51f787d..3ff91d2cde 100644
--- a/modules/setting/server.go
+++ b/modules/setting/server.go
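Review bot: The staging-CA fallback added in the second hunk of cmd/web_acme.go only fires when `certmagic.DefaultACME.CA` is byte-equal to `certmagic.LetsEncryptProductionCA`; if CA is populated from the user-configurable `ACME_URL` (its assignment is not in this hunk), a value that differs only by a trailing slash or casing silently ends up with no `TestCA`, which the commit message says certmagic used to set on its own. Worth stating that in the comment, which also mis-cases the CA name: `// Preserve certmagic's former default of using the Let's Encrypt staging CA as TestCA when the production CA is in use; the struct literal above presumably replaces DefaultACME wholesale and drops that default.` The `HTTPProxy: proxy.Proxy()` line would likewise benefit from a one-line comment that ACME directory and issuance traffic now honours Forgejo's configured proxy, so an operator knows where to look when issuance fails behind one. runACME continues outside the hunk.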
@@ -16,6 +16,8 @@ import (
 "forgejo.org/modules/json"
 "forgejo.org/modules/log"
 "forgejo.org/modules/util"
+
+ "github.com/caddyserver/certmagic"
 )
 
 // Scheme describes protocol types
@@ -206,7 +208,7 @@ func loadServerFrom(rootCfg ConfigProvider) {
 EnableAcme = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
 }
 if EnableAcme {
- AcmeURL = sec.Key("ACME_URL").MustString("")
+ AcmeURL = sec.Key("ACME_URL").MustString(certmagic.LetsEncryptProductionCA)
 AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
 if sec.HasKey("ACME_ACCEPTTOS") {
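Review bot: Importing `github.com/caddyserver/certmagic` into `modules/setting` solely for the `LetsEncryptProductionCA` constant used in the second hunk couples the configuration package to the ACME client library, which until now was only referenced from cmd/. A package-local constant holding the same directory URL, with a comment pointing at the certmagic constant it must stay in sync with, keeps the settings package dependency-light and makes the default visible where operators read it. Whichever form is kept, the `AcmeURL` line deserves a comment such as `// An empty ACME_URL means the Let's Encrypt production directory, as documented.`, since nothing in the code records the behaviour the commit message promises. The second hunk is cut off at the end of the page, so its remaining lines were not reviewed.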