From c2cd3fb19b0944d4c49017ab20b1b6aa543c22e4 Mon Sep 17 00:00:00 2001
From: forgejo-backport-action
Date: Thu, 17 Jul 2025 21:21:43 +0200
Subject: [PATCH] [v12.0/forgejo] fix: use correct ACME default (#8552)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8550
- The `ACME_URL` setting is documented to default to Let's encrypt production server if left empty, so do precisely that.
- Use a HTTP proxy to communicate with ACME if Forgejo is configured to use that.
- Regression of forgejo/forgejo#7409 (previously certmagic took care of setting these defaults).
- Resolves forgejo/forgejo#8548
## Testing
1. Configure Forgejo's root URL to a public facing domain (that can pass a ACME challenge)
2. Configure Forgejo to use ACME by setting `[server].ENABLE_ACME = true` and `[server].ACME_ACCEPTTOS = true`.
3. Start Forgejo.
4. Observe that it's available via https.
Co-authored-by: Gusted
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8552
Reviewed-by: Earl Warren
Co-authored-by: forgejo-backport-action
Co-committed-by: forgejo-backport-action
---
 cmd/web_acme.go | 7 +++++++
 modules/setting/server.go | 4 +++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/cmd/web_acme.go b/cmd/web_acme.go
index 03b3b9f0da..be6314addb 100644
--- a/cmd/web_acme.go
+++ b/cmd/web_acme.go
@@ -15,6 +15,7 @@ import (
 "forgejo.org/modules/graceful"
 "forgejo.org/modules/log"
 "forgejo.org/modules/process"
+ "forgejo.org/modules/proxy"
 "forgejo.org/modules/setting"
 
 "github.com/caddyserver/certmagic"
@@ -76,6 +77,12 @@ func runACME(listenAddr string, m http.Handler) error {
 ListenHost: setting.HTTPAddr,
 AltTLSALPNPort: altTLSALPNPort,
 AltHTTPPort: altHTTPPort,
+ HTTPProxy: proxy.Proxy(),
+ }
+
+ // Preserve behavior to use Let's encrypt test CA when Let's encrypt is CA.
+ if certmagic.DefaultACME.CA == certmagic.LetsEncryptProductionCA {
+ certmagic.DefaultACME.TestCA = certmagic.LetsEncryptStagingCA
 }
 
 magic := certmagic.NewDefault()
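Review bot: The `TestCA` guard at the end of the `runACME` hunk compares `certmagic.DefaultACME.CA` with `certmagic.LetsEncryptProductionCA` by exact string. An `ACME_URL` that names the same directory with a different spelling (a trailing slash, for instance) would therefore skip the staging fallback without any log line. The comment above it should say why the guard exists, e.g. `// certmagic validates against TestCA before retrying a failed issuance; only set it when CA is exactly the Let's Encrypt production directory, since staging does not apply to other CAs.` — this describes certmagic's behaviour as I understand it, so please confirm against the pinned version. On the `HTTPProxy: proxy.Proxy(),` line, ACME account and order requests now follow Forgejo's proxy settings. What `proxy.Proxy()` returns when no proxy is configured is not visible here, so a short comment stating that case would help operators reason about where ACME traffic leaves the host. `runACME` starts before and continues after this hunk.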
diff --git a/modules/setting/server.go b/modules/setting/server.go
index bff51f787d..3ff91d2cde 100644
--- a/modules/setting/server.go
+++ b/modules/setting/server.go
@@ -16,6 +16,8 @@ import (
 "forgejo.org/modules/json"
 "forgejo.org/modules/log"
 "forgejo.org/modules/util"
+
+ "github.com/caddyserver/certmagic"
 )
 
 // Scheme describes protocol types
@@ -206,7 +208,7 @@ func loadServerFrom(rootCfg ConfigProvider) {
 EnableAcme = sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
 }
 if EnableAcme {
- AcmeURL = sec.Key("ACME_URL").MustString("")
+ AcmeURL = sec.Key("ACME_URL").MustString(certmagic.LetsEncryptProductionCA)
 AcmeCARoot = sec.Key("ACME_CA_ROOT").MustString("")
 if sec.HasKey("ACME_ACCEPTTOS") {