Client certificate support is added as a new separate type of option for
access-lists.
This commit is the support code to enable access-lists to contain
Client Certificate references.
Add initial support for managing Client Certificate Authority public
certificates as certificate objects in the database. The new provider
type 'clientca' is defined to implement this.
OpenSSL data parsing could be confused when parsing certificates which
have Country/Org and other parameters in the subject line.
This is fixed by writing a more robust parser of the output lines, and
using that to do parsing which now correctly handles this case.
- No longer use config npm package
- Prefer config from env vars, though still has support for config file
- No longer writes a config file for database config
- Writes keys to a new file in /data folder
- Removes a lot of cruft and improves config understanding
with PUID and PGID environment variables
- Detects if image is run with a user in docker command and fails if so
- Adds s6 prepare scripts for adding a 'npmuser'
- Split up and refactor the s6 prepare scripts
- Runs nginx and backend node as 'npmuser'
- Changes ownership of files required at startup
When editing an access list, all affected sites get their config updated without certificates, functionally breaking https on those sites until they get a manual config change that rewrites the config properly. Properly fetch the certificate from the DB before `bulkGenerateConfigs` so it gets updated right.
I am not certain whether there are similar bugs in other places that use `bulkGenerateConfigs`.
Should fix#2254
