feat(provider): support for the HTTP-01 challenge (#29)

The functionality is designed to activate by setting "webroot" in the provider's configuration. It is the responsibility of system administrators to route HTTP traffic for the prefix /.well-known/acme-challenge/ to Inca.

TODO: There are no unit tests for the providers, and this is partially correct as we do not want to rewrite tests that cover the features provided by the library we are using (lego). However, it would be very helpful to start introducing tests for the glue code.

For now, the introduced functionality is trivial, and it seems possible to safely introduce it without implementing unit testing beforehand for this portion of the code.

NB: Static serving is heavily dependent on the WORKDIR /tmp Docker directive; everything breaks down in different environments.

Dockerfile

@@ -11,5 +11,6 @@ RUN go build
 FROM alpine:3.19
 WORKDIR /tmp
 COPY --from=builder /workspace/inca /usr/sbin/
+RUN mkdir -p /tmp/server/webroot
 ENTRYPOINT ["/usr/sbin/inca"]
 LABEL org.opencontainers.image.source=https://github.com/immobiliare/inca

provider/letsencrypt.go

@@ -14,6 +14,7 @@ import (
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/log"
 	"github.com/go-acme/lego/v4/providers/dns"
+	"github.com/go-acme/lego/v4/providers/http/webroot"
 	"github.com/go-acme/lego/v4/registration"
 	"github.com/immobiliare/inca/pki"
 	"github.com/immobiliare/inca/util"
@@ -171,12 +172,7 @@ func (p *LetsEncrypt) Get(name string, options map[string]string) ([]byte, []byt
 		}
 	}
 
-	provider, err := dns.NewDNSChallengeProviderByName(targetProvider.provider)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if err := p.client.Challenge.SetDNS01Provider(provider); err != nil {
+	if err := p.SetChallengeProvider(targetProvider.provider); err != nil {
 		return nil, nil, err
 	}
 
@@ -198,6 +194,24 @@ func (p *LetsEncrypt) Get(name string, options map[string]string) ([]byte, []byt
 	return certificates.Certificate, certificates.PrivateKey, nil
 }
 
+func (p *LetsEncrypt) SetChallengeProvider(providerId string) error {
+	if providerId == "webroot" {
+		provider, err := webroot.NewHTTPProvider("./server/webroot")
+		if err != nil {
+			return err
+		}
+
+		return p.client.Challenge.SetHTTP01Provider(provider)
+	}
+
+	provider, err := dns.NewDNSChallengeProviderByName(providerId)
+	if err != nil {
+		return err
+	}
+
+	return p.client.Challenge.SetDNS01Provider(provider)
+}
+
 func (p *LetsEncrypt) Del(name string, data []byte) error {
 	targetProvider, err := p.getChallengeProvider(name)
 	if err != nil {

server/inca.go

@@ -76,7 +76,8 @@ func Spinup(path string) (*Inca, error) {
 	inca.Use(middleware.Logger(zerolog.New(os.Stdout), func(c *fiber.Ctx) bool {
 		return strings.HasPrefix(c.Path(), "/health") ||
 			strings.HasPrefix(c.Path(), "/static/") ||
-			strings.HasPrefix(c.Path(), "/favicon.ico")
+			strings.HasPrefix(c.Path(), "/favicon.ico") ||
+			strings.HasPrefix(c.Path(), "/.well-known/acme-challenge/")
 	}))
 	inca.Use(redirect.New(redirect.Config{
 		Rules: map[string]string{
@@ -95,6 +96,7 @@ func Spinup(path string) (*Inca, error) {
 			MaxAge:     86400,
 		}),
 	)
+  inca.Static("/.well-known/acme-challenge/", "./server/webroot")
 	incaWeb := inca.Group("/web")
 	incaWeb.Use(middleware.Session(inca.sessionStore, inca.acl))
 	incaWeb.Get("/", inca.handlerWebIndex)