feat(cert): add support for multiple domains in a single certificate

yarlson · yarlson · commit 2542d1b4bb9b · 2025-04-08T18:39:34.000+03:00
This change enables SAN certificates, allowing users to specify multiple domains for a single certificate. It modifies the CLI interface, updates the README, and refactors the internal logic to handle multiple domains throughout the certificate management process.
diff --git a/README.md b/README.md
@@ -12,6 +12,7 @@ Zero is a lightweight service that manages SSL/TLS certificates using ZeroSSL. I
 
 Core Features:
 - Automatic SSL/TLS certificate management via ZeroSSL
+- Support for multiple domains in a single certificate (SAN certificates)
 - Daily certificate monitoring and renewal (30 days before expiration)
 - Built-in HTTP server for ACME challenges
 - HTTP to HTTPS traffic redirection
@@ -119,12 +120,24 @@ zero --help
 
 ## Usage
 
-Basic usage:
+Basic usage for a single domain:
 
 ```bash
 zero -d example.com -e user@example.com
 ```
 
+With multiple domains:
+
+```bash
+zero -d example.com,www.example.com -e user@example.com
+```
+
+Or by specifying the domain flag multiple times:
+
+```bash
+zero -d example.com -d www.example.com -e user@example.com
+```
+
 With all options:
 
 ```bash
@@ -133,7 +146,7 @@ zero -d example.com -e user@example.com [-c /path/to/certs] [-p port] [-t HH:mm]
 
 Options:
 
-- `-d, --domain`: Domain name for the certificate (required)
+- `-d, --domain`: Domain name(s) for the certificate (comma-separated or repeated, at least one required)
 - `-e, --email`: Email address for credential retrieval and account registration (required)
 - `-c, --cert-dir`: Directory to store certificates (default: "./certs")
 - `-p, --port`: HTTP port for ACME challenges (default: 80)
@@ -188,7 +201,6 @@ This is particularly useful for reloading Nginx configuration after certificate
 ## Limitations
 
 - Only supports HTTP-01 challenge
-- Designed for single-domain certificates
 - No support for wildcard certificates
 
 ## Contributing
diff --git a/cmd/zero/main.go b/cmd/zero/main.go
@@ -27,7 +27,7 @@ const (
 )
 
 type Config struct {
-	Domain        string
+	Domains       []string
 	Email         string
 	CertDir       string
 	Time          string
@@ -39,7 +39,7 @@ type Config struct {
 func parseFlags() (*Config, error) {
 	cfg := &Config{}
 
-	pflag.StringVarP(&cfg.Domain, "domain", "d", "", "Domain name for the certificate")
+	pflag.StringSliceVarP(&cfg.Domains, "domain", "d", []string{}, "Domain name(s) for the certificate (comma-separated or repeated)")
 	pflag.StringVarP(&cfg.Email, "email", "e", "", "Email address for account registration")
 	pflag.StringVarP(&cfg.CertDir, "cert-dir", "c", defaultCertDir, "Directory to store certificates")
 	pflag.StringVarP(&cfg.Time, "time", "t", defaultTime, "Time for daily renewal in HH:mm format")
@@ -49,15 +49,15 @@ func parseFlags() (*Config, error) {
 
 	pflag.Usage = func() {
 		_, _ = fmt.Fprintf(os.Stderr, "Usage of %s:\n", os.Args[0])
-		_, _ = fmt.Fprintf(os.Stderr, "  %s -d example.com -e user@example.com [-c /path/to/certs] [--time HH:mm] [-p port]\n\n", os.Args[0])
+		_, _ = fmt.Fprintf(os.Stderr, "  %s -d example.com,www.example.com -e user@example.com [-c /path/to/certs] [--time HH:mm] [-p port]\n\n", os.Args[0])
 		_, _ = fmt.Fprintf(os.Stderr, "Options:\n")
 		pflag.PrintDefaults()
 	}
 
 	pflag.Parse()
 
-	if cfg.Domain == "" || cfg.Email == "" {
-		return nil, errors.New("domain and email are required")
+	if len(cfg.Domains) == 0 || cfg.Email == "" {
+		return nil, errors.New("at least one domain and email are required")
 	}
 
 	if _, err := task.ParseTime(cfg.Time); err != nil {
@@ -98,7 +98,7 @@ func main() {
 
 	// Start certificate checker
 	checkCert := func(ctx context.Context) error {
-		return zeroManager.CheckCertificate(ctx, cfg.Domain, cfg.Email, cfg.CertDir)
+		return zeroManager.CheckCertificate(ctx, cfg.Domains, cfg.Email, cfg.CertDir)
 	}
 
 	scheduler := task.NewScheduler(checkCert, cfg.Time)
diff --git a/internal/acme/zerossl.go b/internal/acme/zerossl.go
@@ -63,7 +63,11 @@ func (s *ZeroSSL) FetchCredentials(ctx context.Context, email string) (kid, hmac
 	if err != nil {
 		return "", "", fmt.Errorf("fetch EAB credentials: %w", err)
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if closeErr := resp.Body.Close(); closeErr != nil && err == nil {
+			err = fmt.Errorf("close response body: %w", closeErr)
+		}
+	}()
 
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
@@ -89,7 +93,7 @@ func (s *ZeroSSL) FetchCredentials(ctx context.Context, email string) (kid, hmac
 	return result.EABKID, result.EABHMACKey, nil
 }
 
-func (s *ZeroSSL) ObtainCertificate(ctx context.Context, domain, email string, challengeHandler func(token, response string)) ([][]byte, crypto.PrivateKey, error) {
+func (s *ZeroSSL) ObtainCertificate(ctx context.Context, domains []string, email string, challengeHandler func(token, response string)) ([][]byte, crypto.PrivateKey, error) {
 	eabKID, eabHMACKey, err := s.FetchCredentials(ctx, email)
 	if err != nil {
 		return nil, nil, fmt.Errorf("fetch ZeroSSL credentials: %w", err)
@@ -127,44 +131,45 @@ func (s *ZeroSSL) ObtainCertificate(ctx context.Context, domain, email string, c
 		return nil, nil, fmt.Errorf("generate certificate private key: %w", err)
 	}
 
-	order, err := client.AuthorizeOrder(ctx, []acme.AuthzID{{Type: "dns", Value: domain}})
+	var authzIDs []acme.AuthzID
+	for _, d := range domains {
+		authzIDs = append(authzIDs, acme.AuthzID{Type: "dns", Value: d})
+	}
+
+	order, err := client.AuthorizeOrder(ctx, authzIDs)
 	if err != nil {
 		return nil, nil, fmt.Errorf("create order: %w", err)
 	}
 
-	var challenge *acme.Challenge
 	for _, authzURL := range order.AuthzURLs {
 		auth, err := client.GetAuthorization(ctx, authzURL)
 		if err != nil {
 			return nil, nil, fmt.Errorf("get authorization: %w", err)
 		}
+		var challenge *acme.Challenge
 		for _, c := range auth.Challenges {
 			if c.Type == "http-01" {
 				challenge = c
 				break
 			}
 		}
-		if challenge != nil {
-			break
+		if challenge == nil {
+			return nil, nil, fmt.Errorf("no HTTP-01 challenge found")
 		}
-	}
-	if challenge == nil {
-		return nil, nil, fmt.Errorf("no HTTP-01 challenge found")
-	}
 
-	token := challenge.Token
-	keyAuth, err := client.HTTP01ChallengeResponse(challenge.Token)
-	if err != nil {
-		return nil, nil, fmt.Errorf("get key authorization: %w", err)
-	}
+		token := challenge.Token
+		keyAuth, err := client.HTTP01ChallengeResponse(challenge.Token)
+		if err != nil {
+			return nil, nil, fmt.Errorf("get key authorization: %w", err)
+		}
 
-	challengeHandler(token, keyAuth)
+		challengeHandler(token, keyAuth)
 
-	log.Printf("Starting HTTP-01 challenge verification...")
-	if _, err := client.Accept(ctx, challenge); err != nil {
-		return nil, nil, fmt.Errorf("accept challenge: %w", err)
+		log.Printf("Starting HTTP-01 challenge verification for domain authorization")
+		if _, err := client.Accept(ctx, challenge); err != nil {
+			return nil, nil, fmt.Errorf("accept challenge: %w", err)
+		}
 	}
-	log.Printf("Challenge accepted, waiting for verification (timeout: 10 minutes)...")
 
 	log.Printf("Waiting for order verification (timeout: 10 minutes)...")
 	ctxWithTimeout, cancel := context.WithTimeout(ctx, 10*time.Minute)
@@ -177,8 +182,8 @@ func (s *ZeroSSL) ObtainCertificate(ctx context.Context, domain, email string, c
 	log.Printf("Order verified successfully")
 
 	csrTemplate := &x509.CertificateRequest{
-		Subject:  pkix.Name{CommonName: domain},
-		DNSNames: []string{domain},
+		Subject:  pkix.Name{CommonName: domains[0]},
+		DNSNames: domains,
 	}
 	csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, certPrivateKey)
 	if err != nil {
diff --git a/internal/cert/store.go b/internal/cert/store.go
@@ -25,7 +25,11 @@ func (s *Store) SaveCertificate(filename string, certBytes [][]byte) error {
 	if err != nil {
 		return fmt.Errorf("create certificate file: %w", err)
 	}
-	defer file.Close()
+	defer func() {
+		if closeErr := file.Close(); closeErr != nil && err == nil {
+			err = fmt.Errorf("close certificate file: %w", closeErr)
+		}
+	}()
 
 	for _, cert := range certBytes {
 		if err := pem.Encode(file, &pem.Block{Type: "CERTIFICATE", Bytes: cert}); err != nil {
@@ -40,7 +44,11 @@ func (s *Store) SavePrivateKey(filename string, privateKey crypto.PrivateKey) er
 	if err != nil {
 		return fmt.Errorf("create private key file: %w", err)
 	}
-	defer file.Close()
+	defer func() {
+		if closeErr := file.Close(); closeErr != nil && err == nil {
+			err = fmt.Errorf("close private key file: %w", closeErr)
+		}
+	}()
 
 	privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
 	if err != nil {
diff --git a/internal/cert/store_test.go b/internal/cert/store_test.go
@@ -19,7 +19,12 @@ func TestStore(t *testing.T) {
 	t.Run("certificate operations", func(t *testing.T) {
 		store := NewStore()
 		tmpFile := "test_cert.pem"
-		defer os.Remove(tmpFile)
+		defer func() {
+			err := os.Remove(tmpFile)
+			if err != nil && !os.IsNotExist(err) {
+				t.Logf("Failed to remove test certificate file: %v", err)
+			}
+		}()
 
 		// Create a self-signed test certificate
 		template := &x509.Certificate{
@@ -49,7 +54,12 @@ func TestStore(t *testing.T) {
 	t.Run("private key operations", func(t *testing.T) {
 		store := NewStore()
 		tmpFile := "test_key.pem"
-		defer os.Remove(tmpFile)
+		defer func() {
+			err := os.Remove(tmpFile)
+			if err != nil && !os.IsNotExist(err) {
+				t.Logf("Failed to remove test key file: %v", err)
+			}
+		}()
 
 		// Generate and save private key
 		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
diff --git a/internal/hook/hook.go b/internal/hook/hook.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"log"
 	"net"
 	"net/http"
 	"os/exec"
@@ -83,7 +84,11 @@ func (h *Hook) findContainer() (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if closeErr := resp.Body.Close(); closeErr != nil {
+			log.Printf("Failed to close response body: %v", closeErr)
+		}
+	}()
 
 	var containers []struct {
 		ID              string   `json:"Id"`
@@ -153,7 +158,11 @@ func (h *Hook) createExec(containerID string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if closeErr := resp.Body.Close(); closeErr != nil {
+			log.Printf("Failed to close response body: %v", closeErr)
+		}
+	}()
 
 	var result struct {
 		ID string `json:"Id"`
@@ -194,7 +203,11 @@ func (h *Hook) startExec(execID string) error {
 	if err != nil {
 		return err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if closeErr := resp.Body.Close(); closeErr != nil {
+			log.Printf("Failed to close response body: %v", closeErr)
+		}
+	}()
 
 	return nil
 }
diff --git a/internal/server/server_test.go b/internal/server/server_test.go
@@ -72,7 +72,11 @@ func TestServer(t *testing.T) {
 
 				resp, err := http.DefaultClient.Do(req)
 				require.NoError(t, err)
-				defer resp.Body.Close()
+				defer func() {
+					if closeErr := resp.Body.Close(); closeErr != nil {
+						t.Logf("Failed to close response body: %v", closeErr)
+					}
+				}()
 
 				assert.Equal(t, tc.expectedCode, resp.StatusCode)
 
@@ -125,7 +129,11 @@ func TestServer(t *testing.T) {
 
 				resp, err := client.Get(tc.requestURL)
 				require.NoError(t, err)
-				defer resp.Body.Close()
+				defer func() {
+					if closeErr := resp.Body.Close(); closeErr != nil {
+						t.Logf("Failed to close response body: %v", closeErr)
+					}
+				}()
 
 				assert.Equal(t, http.StatusMovedPermanently, resp.StatusCode)
 				location := resp.Header.Get("Location")
diff --git a/internal/zero/manager.go b/internal/zero/manager.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"log"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/yarlson/zero/internal/acme"
@@ -32,8 +33,8 @@ func NewManager(zeroSSL *acme.ZeroSSL, store *cert.Store, hook *hook.Hook) *Mana
 	}
 }
 
-func (s *Manager) ObtainOrRenewCertificate(ctx context.Context, domain, email, certFile, keyFile string) error {
-	certs, privateKey, err := s.zeroSSL.ObtainCertificate(ctx, domain, email, s.store.StoreChallenge)
+func (s *Manager) ObtainOrRenewCertificate(ctx context.Context, domains []string, email, certFile, keyFile string) error {
+	certs, privateKey, err := s.zeroSSL.ObtainCertificate(ctx, domains, email, s.store.StoreChallenge)
 	if err != nil {
 		return fmt.Errorf("obtain certificate: %w", err)
 	}
@@ -62,18 +63,27 @@ func (s *Manager) CertificateNeedsRenewal(cert *x509.Certificate) bool {
 	return time.Now().Add(renewBeforeDays * 24 * time.Hour).After(cert.NotAfter)
 }
 
-func (s *Manager) CheckCertificate(ctx context.Context, domain, email, certDir string) error {
-	certFile := filepath.Join(certDir, domain+".crt")
-	keyFile := filepath.Join(certDir, domain+".key")
+func (s *Manager) CheckCertificate(ctx context.Context, domains []string, email, certDir string) error {
+	var certFile, keyFile string
+	if len(domains) == 1 {
+		// Single domain case (backward compatibility)
+		certFile = filepath.Join(certDir, domains[0]+".crt")
+		keyFile = filepath.Join(certDir, domains[0]+".key")
+	} else {
+		// Multiple domains case - join domain names with underscore
+		joinedName := strings.Join(domains, "_")
+		certFile = filepath.Join(certDir, joinedName+".crt")
+		keyFile = filepath.Join(certDir, joinedName+".key")
+	}
 
 	certificate, err := s.store.LoadCertificate(certFile)
 	if err != nil {
 		log.Printf("Load existing certificate: %v", err)
 	}
 
 	if certificate == nil || s.CertificateNeedsRenewal(certificate) {
-		log.Printf("Obtaining certificate for %s", domain)
-		if err := s.ObtainOrRenewCertificate(ctx, domain, email, certFile, keyFile); err != nil {
+		log.Printf("Obtaining certificate for domains: %v", domains)
+		if err := s.ObtainOrRenewCertificate(ctx, domains, email, certFile, keyFile); err != nil {
 			if errors.Is(err, context.Canceled) {
 				return errors.New("operation canceled")
 			}
