feat(gateway): add acme-dns provider support for web endpoints

gustavosbarreto · gustavosbarreto · commit 14c5e8061eba · 2026-01-16T14:38:52.000-03:00
Add support for acme-dns as a third DNS provider option for obtaining
wildcard certificates for web endpoints, alongside existing Cloudflare
and DigitalOcean providers.

This enables customers who don't use Cloudflare or DigitalOcean for DNS
management to use custom domains with acme-dns challenge delegation.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -109,6 +109,10 @@ services:
       - SHELLHUB_WEB_ENDPOINTS_DOMAIN=${SHELLHUB_WEB_ENDPOINTS_DOMAIN}
       - SHELLHUB_WEB_ENDPOINTS_DNS_PROVIDER=${SHELLHUB_WEB_ENDPOINTS_DNS_PROVIDER}
       - SHELLHUB_WEB_ENDPOINTS_DNS_PROVIDER_TOKEN=${SHELLHUB_WEB_ENDPOINTS_DNS_PROVIDER_TOKEN}
+      - SHELLHUB_WEB_ENDPOINTS_ACME_DNS_URL=${SHELLHUB_WEB_ENDPOINTS_ACME_DNS_URL}
+      - SHELLHUB_WEB_ENDPOINTS_ACME_DNS_USERNAME=${SHELLHUB_WEB_ENDPOINTS_ACME_DNS_USERNAME}
+      - SHELLHUB_WEB_ENDPOINTS_ACME_DNS_PASSWORD=${SHELLHUB_WEB_ENDPOINTS_ACME_DNS_PASSWORD}
+      - SHELLHUB_WEB_ENDPOINTS_ACME_DNS_SUBDOMAIN=${SHELLHUB_WEB_ENDPOINTS_ACME_DNS_SUBDOMAIN}
       - SHELLHUB_VERSION=${SHELLHUB_VERSION}
       - SHELLHUB_SSH_PORT=${SHELLHUB_SSH_PORT}
       - SHELLHUB_PROXY=${SHELLHUB_PROXY}
diff --git a/gateway/certbot.go b/gateway/certbot.go
@@ -119,6 +119,9 @@ const DigitalOceanDNSProvider = "digitalocean"
 // CloudflareDNSProvider represents the Cloudflare DNS provider.
 const CloudflareDNSProvider = "cloudflare"
 
+// AcmeDNSProvider represents the acme-dns provider for DNS-01 challenges.
+const AcmeDNSProvider = "acmedns"
+
 // Config holds the configuration for CertBot operations.
 type Config struct {
 	// RootDir is the root directory where CertBot stores its configurations
@@ -298,22 +301,35 @@ type WebEndpointsCertificate struct {
 	Domain string
 	// Provider is the DNS provider used for DNS-01 challenges.
 	Provider DNSProvider
-	// Token is the API token for the DNS provider.
+	// Token is the API token for the DNS provider (used for Cloudflare and DigitalOcean).
 	Token string
+	// AcmeDNSURL is the URL of the acme-dns server (only for acmedns provider).
+	AcmeDNSURL string
+	// AcmeDNSUsername is the username from acme-dns registration (only for acmedns provider).
+	AcmeDNSUsername string
+	// AcmeDNSPassword is the password from acme-dns registration (only for acmedns provider).
+	AcmeDNSPassword string
+	// AcmeDNSSubdomain is the subdomain from acme-dns registration (only for acmedns provider).
+	AcmeDNSSubdomain string
 
 	ex Executor
 	fs afero.Fs
 }
 
 // NewWebEndpointsCertificate creates a new TunnelsCertificate instance for generating
 // wildcard certificates using DNS-01 challenges.
-func NewWebEndpointsCertificate(domain string, provider DNSProvider, token string) Certificate {
+func NewWebEndpointsCertificate(domain string, provider DNSProvider, token string, acmeDNSURL, acmeDNSUsername, acmeDNSPassword, acmeDNSSubdomain string) Certificate {
 	return &WebEndpointsCertificate{
 		Domain: domain,
 
 		Provider: provider,
 		Token:    token,
 
+		AcmeDNSURL:       acmeDNSURL,
+		AcmeDNSUsername:  acmeDNSUsername,
+		AcmeDNSPassword:  acmeDNSPassword,
+		AcmeDNSSubdomain: acmeDNSSubdomain,
+
 		ex: NewExecutor(),
 		fs: afero.NewOsFs(),
 	}
@@ -322,22 +338,46 @@ func NewWebEndpointsCertificate(domain string, provider DNSProvider, token strin
 // generateProviderCredentialsFile creates a credentials file for the DNS provider.
 // This file contains the API token needed for DNS-01 challenges.
 func (d *WebEndpointsCertificate) generateProviderCredentialsFile() (afero.File, error) {
-	tokenLine := fmt.Sprintf("dns_%s_token = %s", d.Provider, d.Token)
-
-	// Certbot Cloudflare plugin expects dns_cloudflare_api_token
-	if d.Provider == CloudflareDNSProvider {
-		tokenLine = fmt.Sprintf("dns_cloudflare_api_token = %s", d.Token)
-	}
-
-	file, err := d.fs.Create(fmt.Sprintf("/etc/shellhub-gateway/%s.ini", string(d.Provider)))
+	var content string
+	var filename string
+
+	switch d.Provider {
+	case CloudflareDNSProvider:
+		// Certbot Cloudflare plugin expects dns_cloudflare_api_token
+		content = fmt.Sprintf("dns_cloudflare_api_token = %s", d.Token)
+		filename = "/etc/shellhub-gateway/cloudflare.ini"
+
+	case DigitalOceanDNSProvider:
+		content = fmt.Sprintf("dns_digitalocean_token = %s", d.Token)
+		filename = "/etc/shellhub-gateway/digitalocean.ini"
+
+	case AcmeDNSProvider:
+		// certbot-dns-acmedns expects a JSON file with acme-dns credentials
+		content = fmt.Sprintf(`{
+  "%s": {
+    "username": "%s",
+    "password": "%s",
+    "fulldomain": "%s",
+    "subdomain": "%s",
+    "allowfrom": []
+  }
+}`, d.Domain, d.AcmeDNSUsername, d.AcmeDNSPassword,
+			fmt.Sprintf("_acme-challenge.%s", d.Domain), d.AcmeDNSSubdomain)
+		filename = "/etc/shellhub-gateway/acmedns.json"
+
+	default:
+		return nil, fmt.Errorf("unsupported DNS provider: %s", d.Provider)
+	}
+
+	file, err := d.fs.Create(filename)
 	if err != nil {
-		log.WithError(err).Error("failed to create shellhub-gateway file with dns provider token")
+		log.WithError(err).WithField("filename", filename).Error("failed to create credentials file")
 
 		return nil, err
 	}
 
-	if _, err := file.Write([]byte(tokenLine)); err != nil {
-		log.WithError(err).Error("failed to write the token into credentials file")
+	if _, err := file.Write([]byte(content)); err != nil {
+		log.WithError(err).Error("failed to write credentials to file")
 
 		return nil, err
 	}
@@ -354,8 +394,24 @@ func (d *WebEndpointsCertificate) Check() error {
 		return errors.New("DNS provider is required for certificate generation")
 	}
 
-	if d.Token == "" {
-		return errors.New("DNS provider token is required for certificate generation")
+	// Validate provider-specific credentials
+	switch d.Provider {
+	case CloudflareDNSProvider, DigitalOceanDNSProvider:
+		if d.Token == "" {
+			return fmt.Errorf("DNS provider token is required for %s", d.Provider)
+		}
+	case AcmeDNSProvider:
+		if d.AcmeDNSUsername == "" {
+			return errors.New("acme-dns username is required for acmedns provider")
+		}
+		if d.AcmeDNSPassword == "" {
+			return errors.New("acme-dns password is required for acmedns provider")
+		}
+		if d.AcmeDNSSubdomain == "" {
+			return errors.New("acme-dns subdomain is required for acmedns provider")
+		}
+	default:
+		return fmt.Errorf("unsupported DNS provider: %s", d.Provider)
 	}
 
 	if _, err := d.fs.Stat("/etc/shellhub-gateway"); os.IsNotExist(err) {
@@ -384,7 +440,7 @@ func (d *WebEndpointsCertificate) Generate(staging bool) error {
 	// Create the DNS provider credentials file
 	file, err := d.generateProviderCredentialsFile()
 	if err != nil {
-		log.WithError(err).Error("failed to generate INI file")
+		log.WithError(err).Error("failed to generate credentials file")
 
 		return err
 	}
@@ -397,13 +453,28 @@ func (d *WebEndpointsCertificate) Generate(staging bool) error {
 		"--register-unsafely-without-email",
 		"--cert-name",
 		fmt.Sprintf("*.%s", d.Domain),
-		fmt.Sprintf("--dns-%s", d.Provider),
-		fmt.Sprintf("--dns-%s-credentials", d.Provider),
-		file.Name(),
-		"-d",
-		fmt.Sprintf("*.%s", d.Domain),
 	}
 
+	// Add provider-specific arguments
+	if d.Provider == AcmeDNSProvider {
+		// certbot-dns-acmedns uses different flags
+		args = append(args,
+			"--dns-acmedns",
+			"--dns-acmedns-credentials",
+			file.Name(),
+		)
+	} else {
+		// Standard certbot DNS plugins (cloudflare, digitalocean)
+		args = append(args,
+			fmt.Sprintf("--dns-%s", d.Provider),
+			fmt.Sprintf("--dns-%s-credentials", d.Provider),
+			file.Name(),
+		)
+	}
+
+	// Add domain
+	args = append(args, "-d", fmt.Sprintf("*.%s", d.Domain))
+
 	if staging {
 		log.Info("running generate with staging on dns")
 
diff --git a/gateway/certbot_test.go b/gateway/certbot_test.go
@@ -37,6 +37,21 @@ func TestTunnelsCertificate_generateProviderCredentialsFile(t *testing.T) {
 			wantFile:    "/etc/shellhub-gateway/cloudflare.ini",
 			wantContent: "dns_cloudflare_api_token = test-cf",
 		},
+		{
+			name:     "AcmeDNS",
+			provider: AcmeDNSProvider,
+			token:    "", // Not used for acme-dns
+			wantFile: "/etc/shellhub-gateway/acmedns.json",
+			wantContent: `{
+  "localhost": {
+    "username": "test-username",
+    "password": "test-password",
+    "fulldomain": "_acme-challenge.localhost",
+    "subdomain": "test-subdomain",
+    "allowfrom": []
+  }
+}`,
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -45,6 +60,14 @@ func TestTunnelsCertificate_generateProviderCredentialsFile(t *testing.T) {
 				Provider: tc.provider,
 				Token:    tc.token,
 			}
+
+			// Add acme-dns specific fields if needed
+			if tc.provider == AcmeDNSProvider {
+				cert.AcmeDNSUsername = "test-username"
+				cert.AcmeDNSPassword = "test-password"
+				cert.AcmeDNSSubdomain = "test-subdomain"
+			}
+
 			cert.fs = afero.NewMemMapFs()
 
 			file, err := cert.generateProviderCredentialsFile()
@@ -173,6 +196,35 @@ func TestTunnelsCertificate_generate(t *testing.T) {
 			},
 			expected: nil,
 		},
+		{
+			// AcmeDNS provider invocation
+			name: "acmedns provider",
+			config: WebEndpointsCertificate{
+				Domain:           "localhost",
+				Provider:         "acmedns",
+				AcmeDNSUsername:  "test-user",
+				AcmeDNSPassword:  "test-pass",
+				AcmeDNSSubdomain: "test-subdomain",
+			},
+			expectCalls: func(executorMock *gatewayMocks.Executor) {
+				executorMock.On("Command", "certbot",
+					"certonly",
+					"--non-interactive",
+					"--agree-tos",
+					"--register-unsafely-without-email",
+					"--cert-name",
+					"*.localhost",
+					"--dns-acmedns",
+					"--dns-acmedns-credentials",
+					"/etc/shellhub-gateway/acmedns.json",
+					"-d",
+					"*.localhost",
+				).Return(exec.Command("")).Once()
+
+				executorMock.On("Run", mock.AnythingOfType("*exec.Cmd")).Return(nil).Once()
+			},
+			expected: nil,
+		},
 	}
 
 	for _, tc := range tests {
diff --git a/gateway/config.go b/gateway/config.go
@@ -17,6 +17,10 @@ type GatewayConfig struct {
 	WebEndpointsDomain           string      `env:"SHELLHUB_WEB_ENDPOINTS_DOMAIN"`
 	WebEndpointsDNSProvider      DNSProvider `env:"SHELLHUB_WEB_ENDPOINTS_DNS_PROVIDER,default=digitalocean"`
 	WebEndpointsDNSProviderToken string      `env:"SHELLHUB_WEB_ENDPOINTS_DNS_PROVIDER_TOKEN"`
+	WebEndpointsAcmeDNSURL       string      `env:"SHELLHUB_WEB_ENDPOINTS_ACME_DNS_URL"`
+	WebEndpointsAcmeDNSUsername  string      `env:"SHELLHUB_WEB_ENDPOINTS_ACME_DNS_USERNAME"`
+	WebEndpointsAcmeDNSPassword  string      `env:"SHELLHUB_WEB_ENDPOINTS_ACME_DNS_PASSWORD"`
+	WebEndpointsAcmeDNSSubdomain string      `env:"SHELLHUB_WEB_ENDPOINTS_ACME_DNS_SUBDOMAIN"`
 	WorkerProcesses              string      `env:"WORKER_PROCESSES,default=auto"`
 	MaxWorkerOpenFiles           int         `env:"MAX_WORKER_OPEN_FILES,default=0"`
 	MaxWorkerConnections         int         `env:"MAX_WORKER_CONNECTIONS,default=16384"`
diff --git a/gateway/main.go b/gateway/main.go
@@ -95,6 +95,10 @@ func NewGateway(config *GatewayConfig, controller *NginxController, features []s
 					g.Config.WebEndpointsDomain,
 					g.Config.WebEndpointsDNSProvider,
 					g.Config.WebEndpointsDNSProviderToken,
+					g.Config.WebEndpointsAcmeDNSURL,
+					g.Config.WebEndpointsAcmeDNSUsername,
+					g.Config.WebEndpointsAcmeDNSPassword,
+					g.Config.WebEndpointsAcmeDNSSubdomain,
 				),
 			)
 		}

Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,10 @@ func NewGateway(config GatewayConfig, controller NginxController, features []s`
`95`	`95`	`g.Config.WebEndpointsDomain,`
`96`	`96`	`g.Config.WebEndpointsDNSProvider,`
`97`	`97`	`g.Config.WebEndpointsDNSProviderToken,`
	`98`	`+ g.Config.WebEndpointsAcmeDNSURL,`
	`99`	`+ g.Config.WebEndpointsAcmeDNSUsername,`
	`100`	`+ g.Config.WebEndpointsAcmeDNSPassword,`
	`101`	`+ g.Config.WebEndpointsAcmeDNSSubdomain,`
`98`	`102`	`),`
`99`	`103`	`)`
`100`	`104`	`}`