From f96a4d32a339d02b984a38bd9a6eacdee3c93b9c Mon Sep 17 00:00:00 2001 From: Zoey Date: Fri, 12 Jan 2024 17:51:11 +0100 Subject: [PATCH] remove route53 until https://github.com/certbot/certbot/pull/5781 or similar is merged Signed-off-by: Zoey --- Caddy.Dockerfile | 2 ++ Caddyfile | 1 + README.md | 4 ++- backend/internal/certificate.js | 26 ++----------------- global/certbot-dns-plugins.js | 22 +++++++--------- .../conf/conf.d/include/acme-challenge.conf | 2 +- .../local/nginx/conf/conf.d/include/hsts.conf | 4 --- rootfs/usr/local/nginx/conf/nginx.conf | 4 +++ 8 files changed, 22 insertions(+), 43 deletions(-) diff --git a/Caddy.Dockerfile b/Caddy.Dockerfile index 7e1516ff..d1f336e8 100644 --- a/Caddy.Dockerfile +++ b/Caddy.Dockerfile @@ -4,3 +4,5 @@ FROM alpine:3.19.0 RUN apk add --no-cache ca-certificates tzdata COPY --from=caddy /usr/bin/caddy /usr/bin/caddy COPY Caddyfile /etc/caddy/Caddyfile + +CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"] diff --git a/Caddyfile b/Caddyfile index 3114ce60..7ef4102e 100644 --- a/Caddyfile +++ b/Caddyfile @@ -1,4 +1,5 @@ { + auto_https off servers :80 { protocols h1 h2c } diff --git a/README.md b/README.md index ef8eec47..15f75e44 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ running at home or otherwise, including free TLS, without having to know too muc **Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.**
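Review bot: `auto_https off` in the Caddyfile global block disables Caddy's certificate management and its HTTP-to-HTTPS redirect as well, and the hunk adds no comment saying why. Since the only server configured here listens on :80 with `h1 h2c`, this looks intentional, but a line such as `# auto_https off: this instance serves plain HTTP only; no certificates, no HTTPS redirect` above it would keep the next reader from re-enabling it. The Caddy.Dockerfile CMD in the preceding hunk matches the upstream image's default and raises nothing.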
---> **Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.**
-**Note: NO armv7 support.**
+**Note: NO armv7 and route53 support.**
**Note: add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` to support PUID/PGID in network mode host.**
**Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).**
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!**
@@ -122,6 +122,7 @@ a) Custom Nginx Configuration (advanced tab), which looks the following for file - Note: the slash at the end of the file path is important ``` location / { + include conf.d/include/acme-challenge.conf; alias /var/www//; } ``` @@ -132,6 +133,7 @@ b) Custom Nginx Configuration (advanced tab), which looks the following for file - Note: to add more php extension using envs you can set in the compose file ``` location / { + include conf.d/include/acme-challenge.conf; alias /var/www//; location ~ [^/]\.php(/|$) { diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js index 0d72cbbe..80fafea7 100644 --- a/backend/internal/certificate.js +++ b/backend/internal/certificate.js 
@@ -832,34 +832,18 @@ const internalCertificate = { const credentialsCmd = `echo '${escapedCredentials}' | tee '${credentialsLocation}'`; const prepareCmd = 'pip install --no-cache-dir ' + dns_plugin.package_name; - // Whether the plugin has a ---credentials argument - const hasConfigArg = certificate.meta.dns_provider !== 'route53'; - let mainCmd = certbotCommand + ' certonly ' + '--config "' + certbotConfig + '" ' + '--cert-name "npm-' + certificate.id + '" ' + '--domains "' + certificate.domain_names.join(',') + '" ' + '--authenticator ' + dns_plugin.full_plugin_name + ' ' + - ( - hasConfigArg - ? '--' + dns_plugin.full_plugin_name + '-credentials "' + credentialsLocation + '"' - : '' - ) + + '--' + dns_plugin.full_plugin_name + '-credentials "' + credentialsLocation + '"' + ( certificate.meta.propagation_seconds !== undefined ? ' --' + dns_plugin.full_plugin_name + '-propagation-seconds ' + certificate.meta.propagation_seconds : '' ); - // Prepend the path to the credentials file as an environment variable - if (certificate.meta.dns_provider === 'route53') { - mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd; - } - - if (certificate.meta.dns_provider === 'duckdns') { - mainCmd = mainCmd + ' --dns-duckdns-no-txt-restore'; - } - if (certificate.meta.letsencrypt_email === '') { mainCmd = mainCmd + ' --register-unsafely-without-email '; } else { @@ -972,12 +956,6 @@ const internalCertificate = { '--preferred-challenges "dns,http" ' + '--no-random-sleep-on-renew'; - // Prepend the path to the credentials file as an environment variable - if (certificate.meta.dns_provider === 'route53') { - const credentialsLocation = '/data/tls/certbot/credentials/credentials-' + certificate.id; - mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd; - } - logger.info('Command:', mainCmd); return utils.exec(mainCmd) 
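Review bot: The rewritten `mainCmd` also drops the `--dns-duckdns-no-txt-restore` branch, which the commit title (route53 only) does not mention; if the duckdns plugin still needs that flag, issuing for duckdns now behaves differently, so either keep `if (certificate.meta.dns_provider === 'duckdns') { mainCmd = mainCmd + ' --dns-duckdns-no-txt-restore'; }` or state in the commit message that the removal is intentional. Certificates already stored with `dns_provider` set to `route53` still reach this code, and with the route53 entry removed from the plugin table the `dns_plugin` lookup (outside this hunk) presumably yields undefined, so `dns_plugin.package_name` on the `prepareCmd` line would throw a TypeError rather than a readable error; a guard such as `if (!dns_plugin) { throw new Error('Unsupported DNS provider: ' + certificate.meta.dns_provider); }` before `prepareCmd` would make that failure explicit. The same stored-route53 case applies to the renewal hunk at @@ -972. The enclosing function starts and ends outside the hunk.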
@@ -1110,7 +1088,7 @@ const internalCertificate = { async function performTestForDomain (domain) { logger.info('Testing http challenge for ' + domain); const url = `http://${domain}/.well-known/acme-challenge/test-challenge`; - const formBody = `method=G&url=${encodeURI(url)}&bodytype=T&requestbody=&headername=User-Agent&headervalue=None&locationid=1&ch=false&cc=false`; + const formBody = `method=G&url=${encodeURI(url)}&bodytype=T&locationid=10`; const options = { method: 'POST', headers: { diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js index 0ea06245..9b647393 100644 --- a/global/certbot-dns-plugins.js +++ b/global/certbot-dns-plugins.js @@ -61,8 +61,6 @@ dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf274462 bunny: { display_name: 'bunny.net', package_name: 'certbot-dns-bunny', - version_requirement: '~=0.0.9', - dependencies: '', credentials: `# Bunny API token used by Certbot (see https://dash.bunny.net/account/settings) dns_bunny_api_key = xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx`, full_plugin_name: 'dns-bunny', 
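Review bot: `encodeURI(url)` on the new `formBody` line is the wrong encoder for a form field value: it leaves `&`, `=`, `+` and `#` unescaped, so a `domain` containing any of them would break the body or inject extra fields into the POST; use `const formBody = \`method=G&url=${encodeURIComponent(url)}&bodytype=T&locationid=10\`;`. Where `domain` comes from is outside the hunk, but host names entered through the UI are the likely source, so it should be treated as untrusted. The bare `locationid=10` also deserves a one-line comment naming which test location it selects in the remote checker, since the old value was 1. `performTestForDomain` continues past the end of the hunk.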
@@ -452,20 +450,18 @@ dns_rfc2136_algorithm = HMAC-SHA512`, full_plugin_name: 'dns-rfc2136', }, //####################################################// - route53: { - display_name: 'Route 53 (Amazon)', - package_name: 'certbot-dns-route53', - credentials: `[default] -aws_access_key_id=AKIAIOSFODNN7EXAMPLE -aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, - full_plugin_name: 'dns-route53', - }, - //####################################################// +/** route53: { +* display_name: 'Route 53 (Amazon)', +* package_name: 'certbot-dns-route53', +* credentials: `[default] +*aws_access_key_id=AKIAIOSFODNN7EXAMPLE +*aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, +* full_plugin_name: 'dns-route53', +* }, +**/ //####################################################// strato: { display_name: 'Strato', package_name: 'certbot-dns-strato', - version_requirement: '~=0.1.1', - dependencies: '', credentials: `dns_strato_username = user dns_strato_password = pass # uncomment if you're using two factor authentication: diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf b/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf index a12a0946..fcad5607 100644 --- a/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf +++ b/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf @@ -2,7 +2,7 @@ location /.well-known/acme-challenge/ { auth_basic off; auth_request off; allow all; - alias /tmp/acme-challenge/; + root /tmp/acme-challenge; } location = /.well-known/acme-challenge/ { diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf index 2887f00c..ad81d1d2 100644 --- a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf +++ b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf 
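Review bot: The route53 entry is kept as commented-out code in a `/** ... **/` block rather than deleted; the commit message already links the upstream PR and git history keeps the text, so removing the block is cleaner, and the `/**` opener makes JSDoc tooling treat it as documentation. The commented block also keeps an `aws_access_key_id=AKIA...` line, which is the published AWS example value but still tends to be flagged by secret scanners, another reason not to leave it in the tree. The `version_requirement`/`dependencies` removals for bunny (hunk @@ -61) and strato look safe, since `prepareCmd` in backend/internal/certificate.js builds `pip install --no-cache-dir ` + `package_name` without them. If a pinned plugin version is wanted, `package_name` is now the only place to express it.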
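Review bot: Switching `alias /tmp/acme-challenge/;` to `root /tmp/acme-challenge;` changes which file a challenge request resolves to: with `root` the full URI is appended, so `/.well-known/acme-challenge/<token>` is served from `/tmp/acme-challenge/.well-known/acme-challenge/<token>` instead of `/tmp/acme-challenge/<token>`. That matches certbot's webroot layout only if certbot is pointed at `/tmp/acme-challenge` as its webroot, which this diff does not show; a comment such as `# root, not alias: certbot's webroot plugin writes <webroot>/.well-known/acme-challenge/<token>` would record the dependency. The README hunks that add `include conf.d/include/acme-challenge.conf;` inside `location /` rely on the same layout.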
@@ -4,8 +4,4 @@ more_set_headers "X-Content-Type-Options: nosniff"; more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; more_set_headers "Content-Security-Policy: $content_security_policy"; -map $scheme $hsts_header { - https "max-age=31536000; includeSubDomains; preload"; -} - more_set_headers "Strict-Transport-Security: $hsts_header"; diff --git a/rootfs/usr/local/nginx/conf/nginx.conf b/rootfs/usr/local/nginx/conf/nginx.conf index 37248bc3..109226d5 100644 --- a/rootfs/usr/local/nginx/conf/nginx.conf +++ b/rootfs/usr/local/nginx/conf/nginx.conf @@ -67,6 +67,10 @@ http { '' "upgrade-insecure-requests"; } + map $scheme $hsts_header { + https "max-age=63072000; includeSubDomains; preload"; + } + # Websocket map $http_upgrade $connection_upgrade { default upgrade;
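Review bot: The `$hsts_header` map moved into nginx.conf has no comment tying it to conf.d/include/hsts.conf, whose `more_set_headers "Strict-Transport-Security: $hsts_header"` now depends on this http-level definition; a line such as `# consumed by conf.d/include/hsts.conf; empty (header not sent) for non-https requests` above the map would make that explicit. The max-age also changes from 31536000 to 63072000 in the move, which the commit message does not mention and is worth a note there or in the comment. `includeSubDomains; preload` remains, so every server including hsts.conf still commits all its subdomains to HTTPS; that is pre-existing, but the value is now defined in one global place.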