luci-app-acme: improve UI for inexperienced users #7147
base: master
Conversation
dns_wait is supported by acme but wasn't yet configurable in the UI. Signed-off-by: Sergey Ponomarev <[email protected]>
Use the %s placeholder instead of URLs. Signed-off-by: Sergey Ponomarev <[email protected]>
The introduction is confusing because acme.sh uses ZeroSSL by default. Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
By default it's ZeroSSL. Signed-off-by: Sergey Ponomarev <[email protected]>
Also change the days placeholder to 60, which is the default for acme.sh. Signed-off-by: Sergey Ponomarev <[email protected]>
The article is "Get a free HTTPS certificate from LetsEncrypt for OpenWrt with ACME.sh" Signed-off-by: Sergey Ponomarev <[email protected]>
A user must specify the validation_method first. Signed-off-by: Sergey Ponomarev <[email protected]>
We can't just use the datatype = "list(hostname)" because a domain may have a wildcard. So check the domain with a simple regexp. Check that DNS mode is used for a wildcard. Signed-off-by: Sergey Ponomarev <[email protected]>
…S mode is used Signed-off-by: Sergey Ponomarev <[email protected]>
Check if the hostname is an FQDN (e.g. has at least one dot). Check that the domain in the browser is not an IP and is an FQDN. Signed-off-by: Sergey Ponomarev <[email protected]>
Many users already have a DDNS configured, e.g. DuckDNS.org or Cloudflare. We can import the configurations to simplify configuration and avoid mistakes. Signed-off-by: Sergey Ponomarev <[email protected]>
We must make it simpler for a user to understand what happened. Signed-off-by: Sergey Ponomarev <[email protected]>
In 585df1d I changed the validation_method to webroot by mistake because I thought this was the default in acme.sh. Signed-off-by: Sergey Ponomarev <[email protected]>
I generally applaud the effort to make things more user friendly, but have some comments, see below.
Also a general one: You're adding new reads to the file system but not updating the acl config accordingly. So will things actually work correctly? How did you test all the permutations?
applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js
Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
Also use L.resolveDefault() to not fail if the ACL is not present. Signed-off-by: Sergey Ponomarev <[email protected]>
Allow the wildcard only at the beginning. Add a lowercase requirement. Signed-off-by: Sergey Ponomarev <[email protected]>
Please squash before merging; I made many commits just to simplify the review.
Signed-off-by: Sergey Ponomarev <[email protected]>
applications/luci-app-acme/htdocs/luci-static/resources/view/acme/acme.js
Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
Chrome console:
_isFqdn('0a.net')
true
_isFqdn('0a')
false
_isFqdn('192.168.1.1')
false
_isFqdn('[::1]')
false
The wildcards are out of context here. The main goal of the function is
to determine if the browser URL can be used as a domain
e.g. `example.com` - ok, just `router` - not ok.
On 07/06/2024 22:46, Paul Donald wrote:
function _isFqdn(domain) { + // Is not an IP i.e. starts from
alphanumeric and has least one dot + return
/[a-z0-9-]\..*$/.test(domain) && !/[0-9-]\..*$/.test(domain);
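Review bot: the second test `!/[0-9-]\..*$/.test(domain)` rejects any name that has a digit or hyphen immediately before a dot, so a valid host such as `host1.example.com` fails `_isFqdn` even though it is not an IP address; test for an IP explicitly (only digits and dots for IPv4, brackets or colons for IPv6) and then require at least one dot instead of inferring "not an IP" from the character before the dot.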
Signed-off-by: Sergey Ponomarev <[email protected]>
let ddnsDomainsList = []; | ||
for (let ddnsDomain of ddnsDomains) { | ||
ddnsDomainsList.push(ddnsDomain.domains[0]); | ||
} |
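Review bot: `ddnsDomainsList.push(ddnsDomain.domains[0])` keeps only the first entry of each `domains` array, so any further names the array carries (the wildcard entry added in the hunk below) never reach this list; if the list is meant to show everything the import will create, collect all entries, e.g. `ddnsDomains.flatMap(d => d.domains)`.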
If you want to clean it up, I'm fine with either tho.
let ddnsDomainsList = ddnsDomains.map(d => d.domains[0]);
Right, but: Maybe something like:

function _isIP(str) {
	return /^[0-9\.]+$/.test(str) || /[\[\]:]/.test(str);
}
function _isFqdn(str) {
	return !_isIP(str) && /\./.test(str);
}
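As an added example (not code from the luci-app-acme PR or from LuCI), the two checks suggested above combined with the rules stated in the commits of this thread: no IP, at least one dot, lowercase only, wildcard only as the leading label, and a wildcard only when validation_method is dns. The names isIp, isFqdn and validateDomain and the error strings are this example's own.

```javascript
// Added example, not luci-app-acme code. Names isIp, isFqdn, validateDomain
// and the error strings are this example's own choices.

const IPV4_RE = /^[0-9.]+$/;   // only digits and dots, e.g. 192.168.1.1
const IPV6_RE = /[\[\]:]/;     // bracketed or colon separated, e.g. [::1]
// One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Literal IP address of either family rather than a hostname.
function isIp(str) {
  return IPV4_RE.test(str) || IPV6_RE.test(str);
}

// The browser's hostname is usable as a certificate domain only when it
// is not an IP and has at least one dot ("example.com" yes, "router" no).
function isFqdn(str) {
  return !isIp(str) && str.includes('.');
}

// Validate one entry of the certificate section's domain list.
// Returns null when the entry is acceptable, otherwise the reason.
function validateDomain(domain, validationMethod) {
  if (isIp(domain)) return 'must not be an IP address';
  if (domain !== domain.toLowerCase()) return 'must be lowercase';
  let labels = domain.split('.');
  if (labels[0] === '*') {
    // ACME only issues wildcard certificates through the DNS-01 challenge.
    if (validationMethod !== 'dns') return 'wildcard requires DNS validation';
    labels = labels.slice(1);
  }
  if (labels.some(l => l === '*')) return 'wildcard allowed only at the beginning';
  if (labels.length < 2) return 'not a fully qualified domain name';
  if (!labels.every(l => LABEL_RE.test(l))) return 'invalid label';
  return null;
}
```

Unlike the regexp quoted above, this accepts host1.example.com while still rejecting 192.168.1.1 and [::1].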
@@ -648,7 +648,7 @@ function _collectDdnsDomains() { | |||
if (credentials.length > 0) { | |||
ddnsDomains.push({ | |||
sectionId: ddnsService['.name'], | |||
domains: [ddnsService['domain']], | |||
domains: [ddnsService['domain'], '*.' + ddnsService['domain']], |
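Review bot: adding `'*.' + ddnsService['domain']` to every imported DDNS entry requests a wildcard certificate by default, which only works with DNS validation (this PR itself checks that DNS mode is used for a wildcard) and widens what the key on the device can assert far beyond the single host the DDNS service actually updates; keep the import at `[ddnsService['domain']]` and let the user add the wildcard explicitly once the validation method is dns.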
Why? I don't think we should be encouraging people to randomly issue wildcard certs...
@@ -665,6 +657,45 @@ function _collectDdnsDomains() { | |||
return ddnsDomains; | |||
} | |||
|
|||
function _importDdns(ddnsDomains) { | |||
alert(_('After import check the added domain certificate configurations.')); |
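Review bot: `_importDdns` opens with a blocking `alert()` before anything has been imported, so the user is asked to check configurations that do not exist yet, and the thread notes such dialogs are hard to handle with the keyboard only; move the notice to after the sections have been created and deliver it through LuCI's own notification mechanism rather than `alert()`.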
alert() is not a good way to send messages to the users. Pretty sure luci has some way of adding messages, please use that instead.
Please remove this alert()
for (let d of ddnsDomain.domains) { | ||
let dupDomainSection = certSectionDomains.get(d); | ||
if (dupDomainSection) { | ||
alert(_('The domain %s in DDNS %s already was configured in %s. Please check it after the import.').format(d, sectionId, dupDomainSection)); |
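Review bot: when `certSectionDomains.get(d)` finds an existing section the visible lines only raise an `alert()` and do not skip `d`, so the duplicate domain is still imported on top of the existing configuration; `continue` past the duplicate (or skip the whole DDNS entry) after recording it, and report all duplicates once via a notification instead of one dialog per domain.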
If it's already configured we should just skip it instead of bugging the user...
Please remove this alert()
Normally the message should never occur. It would be better to let a user know of any duplicate. Or we can just override and a user will check the Changes to apply to see what changed.
10 Jun 2024 12:52:35 Toke Høiland-Jørgensen ***@***.***>:
***@***.**** commented on this pull request.
----------------------------------------
In applications/luci-app-acme/htdocs/luci-static/resources/view/acme/acme.js[#7147 (comment)]:
> + }
+ }
+ }
+ console.log(certSections);
+ console.log(certSectionDomains);
+ for (let ddnsDomain of ddnsDomains) {
+ let sectionId = ddnsDomain.sectionId;
+ // ensure unique sectionId
+ if (certSectionNames.has(sectionId)) {
+ sectionId += '_' + new Date().getTime();
+ }
+ if (ddnsDomain.domains) {
+ for (let d of ddnsDomain.domains) {
+ let dupDomainSection = certSectionDomains.get(d);
+ if (dupDomainSection) {
+ alert(_('The domain %s in DDNS %s already was configured in %s. Please check it after the import.').format(d, sectionId, dupDomainSection));
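Review bot: the `console.log(certSections)` and `console.log(certSectionDomains)` calls are debug leftovers that dump every certificate section to the browser console on each import and should be removed; the `sectionId += '_' + new Date().getTime()` fallback also yields an opaque section name in the UCI config, a short counter suffix checked against `certSectionNames` would be easier for the user to recognise.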
If it's already configured we should just skip it instead of bugging the user...
Nothing wrong with wildcards per se. Having them by default may simplify next configurations steps for new subdomains e.g. adding of nextcloud.example.duckdns.org.
An advanced user can remove the wildcard if not needed.
10 Jun 2024 12:50:48 Toke Høiland-Jørgensen ***@***.***>:
***@***.**** commented on this pull request.
----------------------------------------
In applications/luci-app-acme/htdocs/luci-static/resources/view/acme/acme.js[#7147 (comment)]:
> @@ -648,7 +648,7 @@ function _collectDdnsDomains() {
if (credentials.length > 0) {
ddnsDomains.push({
sectionId: ddnsService['.name'],
- domains: [ddnsService['domain']],
+ domains: [ddnsService['domain'], '*.' + ddnsService['domain']],
Why? I don't think we should be encouraging people to randomly issue wildcard certs...
Yes, the alert() is annoying, still it's much easier to implement it. Ideally a user should never see it.
10 Jun 2024 12:51:54 Toke Høiland-Jørgensen ***@***.***>:
***@***.**** commented on this pull request.
----------------------------------------
In applications/luci-app-acme/htdocs/luci-static/resources/view/acme/acme.js[#7147 (comment)]:
> @@ -665,6 +657,45 @@ function _collectDdnsDomains() {
return ddnsDomains;
}
+function _importDdns(ddnsDomains) {
+ alert(_('After import check the added domain certificate configurations.'));
*alert()* is not a good way to send messages to the users. Pretty sure luci has some way of adding messages, please use that instead.
Sergey Ponomarev ***@***.***> writes:
Nothing wrong with wildcards per se. Having them by default may simplify next configurations steps for new subdomains e.g. adding of nextcloud.example.duckdns.org.
I disagree. A wildcard certificate assigns a lot more trust to the
device than a single domain, so the principle of least privilege
dictates that these should only be used when absolutely necessary.
An advanced user can remove the wildcard if not needed.
No, an advanced user can add it if needed :)
Sergey Ponomarev ***@***.***> writes:
Yes, the alert() is anoying, still it's much easier to implement it.
Ideally a user should never see it
No, don't offload pain on the user to make things easier to implement.
"Should never see it" is not a good argument, it will definitely happen
more than expected.
Do not use alert. It is extremely difficult to manage with keyboard only.
Please remove
ping @stokito
Maintainer: @tohojo
CC @hgl @stangri @systemcrash