luci-app-acme: improve UI for inexperienced users #7147
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The dns_wait is supported by the acme but wasn't yet configurable on UI. Signed-off-by: Sergey Ponomarev <[email protected]>
Use the %s placeholder instead of URLs. Signed-off-by: Sergey Ponomarev <[email protected]>
The introduction is confusing because the acme.sh use by default ZeroSSL. Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
By default it's ZeroSSL. Signed-off-by: Sergey Ponomarev <[email protected]>
Also change days placeholder to 60 which is a default for acme.sh Signed-off-by: Sergey Ponomarev <[email protected]>
The article is "Get a free HTTPS certificate from LetsEncrypt for OpenWrt with ACME.sh" Signed-off-by: Sergey Ponomarev <[email protected]>
A user must specify the validation_method first. Signed-off-by: Sergey Ponomarev <[email protected]>
We can't just use the datatype = "list(hostname)" because a domain may have a wildcard. So check the domain by a simple regexp. Check that DNS mode is used for wildcard. Signed-off-by: Sergey Ponomarev <[email protected]>
…S mode is used Signed-off-by: Sergey Ponomarev <[email protected]>
Check if the hostname is FQDN (e.g. has least one dot). Check if the domain in the browser is not an IP and FQDN. Signed-off-by: Sergey Ponomarev <[email protected]>
Many users already have a DDNS configured e.g. DuckDNS.org or Cloudflare. We can import the configurations to simplify configurations and avoid mistakes. Signed-off-by: Sergey Ponomarev <[email protected]>
stokito
changed the title
We must simplify for a user to understand what happened. Signed-off-by: Sergey Ponomarev <[email protected]>
In the 585df1d I changed the validation_method to webroot by mistake because I thought this is a default in the acme.sh. Signed-off-by: Sergey Ponomarev <[email protected]>
tohojo
requested changes
Jun 3, 2024
There was a problem hiding this comment.
I generally applaud the effort to make things more user friendly, but have some comments, see below.
Also a general one: You're adding new reads to the file system but not updating the acl config accordingly. So will things actually work correctly? How did you test all the permutations?
applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js
Outdated
Show resolved
Hide resolved
applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js
Outdated
Show resolved
Hide resolved
applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js
Outdated
Show resolved
Hide resolved
applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js
Outdated
Show resolved
Hide resolved
applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js
Outdated
Show resolved
Hide resolved
applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js
Outdated
Show resolved
Hide resolved
applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js
Outdated
Show resolved
Hide resolved
Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
Also use L.resolveDefault() to not fail if the ACL is not present. Signed-off-by: Sergey Ponomarev <[email protected]>
Make the wildcard allowed only the beginning. Add lowercase requirement. Signed-off-by: Sergey Ponomarev <[email protected]>
|
Please squash before merging, I made many commits to just simplify the review. |
Signed-off-by: Sergey Ponomarev <[email protected]>
tohojo
reviewed
Jun 4, 2024
applications/luci-app-acme/htdocs/luci-static/resources/view/acme/acme.js
Outdated
Show resolved
Hide resolved
Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
Signed-off-by: Sergey Ponomarev <[email protected]>
systemcrash
requested changes
Jun 7, 2024
applications/luci-app-acme/htdocs/luci-static/resources/view/acme/acme.js
Outdated
Show resolved
Hide resolved
applications/luci-app-acme/htdocs/luci-static/resources/view/acme/acme.js
Show resolved
Hide resolved
|
Chrome console:
_isFqdn('0a.net')
true
_isFqdn('0a')
false
_isFqdn('192.168.1.1')
false
_isFqdn('[::1]')
false
The wildcards are out of context here. The main goal of the function is
to determine if the browser URL can be used as a domain
e.g. `example.com` - ok, just `router` - not ok.
…On 07/06/2024 22:46, Paul Donald wrote:
function _isFqdn(domain) { + // Is not an IP i.e. starts from
alphanumeric and has least one dot + return
/[a-z0-9-]\..*$/.test(domain) && !/[0-9-]\..*$/.test(domain);
|
Signed-off-by: Sergey Ponomarev <[email protected]>
dannil
reviewed
Jun 7, 2024
Comment on lines
+61
to
+64
| let ddnsDomainsList = []; | ||
| for (let ddnsDomain of ddnsDomains) { | ||
| ddnsDomainsList.push(ddnsDomain.domains[0]); | ||
| } |
There was a problem hiding this comment.
If you want to clean it up, I'm fine with either tho.
let ddnsDomainsList = ddnsDomains.map(d => d.domains[0]);
Right, but: Maybe something like: function _isIP(str) {
return /^[0-9\.]+$/.test(str) || /[\[\]:]/.test(str);
}
function _isFqdn(str) {
return !_isIP(str) && /\./.test(str);
} |
tohojo
reviewed
Jun 10, 2024
| @@ -648,7 +648,7 @@ function _collectDdnsDomains() { | |||
| if (credentials.length > 0) { | |||
| ddnsDomains.push({ | |||
| sectionId: ddnsService['.name'], | |||
| domains: [ddnsService['domain']], | |||
| domains: [ddnsService['domain'], '*.' + ddnsService['domain']], | |||
There was a problem hiding this comment.
Why? I don't think we should be encouraging people to randomly issue wildcard certs...
tohojo
reviewed
Jun 10, 2024
| @@ -665,6 +657,45 @@ function _collectDdnsDomains() { | |||
| return ddnsDomains; | |||
| } | |||
|
|
|||
| function _importDdns(ddnsDomains) { | |||
| alert(_('After import check the added domain certificate configurations.')); | |||
There was a problem hiding this comment.
alert() is not a good way to send messages to the uses. Pretty sure luci has some way of adding messages, please use that instead.
There was a problem hiding this comment.
Please remove this alert()
tohojo
reviewed
Jun 10, 2024
| for (let d of ddnsDomain.domains) { | ||
| let dupDomainSection = certSectionDomains.get(d); | ||
| if (dupDomainSection) { | ||
| alert(_('The domain %s in DDNS %s already was configured in %s. Please check it after the import.').format(d, sectionId, dupDomainSection)); |
There was a problem hiding this comment.
If it's already configured we should just skip it instead of bugging the user...
There was a problem hiding this comment.
Please remove this alert()
|
Normally the message should never occur. It would be better to let a user to know for any duplucate. Or we can just override and a user will check the Changes to apply to see what changed
10 июн. 2024 г. 12:52:35 Toke Høiland-Jørgensen ***@***.***>:
…
***@***.**** commented on this pull request.
----------------------------------------
In applications/luci-app-acme/htdocs/luci-static/resources/view/acme/acme.js[#7147 (comment)]:
> + }
+ }
+ }
+ console.log(certSections);
+ console.log(certSectionDomains);
+ for (let ddnsDomain of ddnsDomains) {
+ let sectionId = ddnsDomain.sectionId;
+ // ensure unique sectionId
+ if (certSectionNames.has(sectionId)) {
+ sectionId += '_' + new Date().getTime();
+ }
+ if (ddnsDomain.domains) {
+ for (let d of ddnsDomain.domains) {
+ let dupDomainSection = certSectionDomains.get(d);
+ if (dupDomainSection) {
+ alert(_('The domain %s in DDNS %s already was configured in %s. Please check it after the import.').format(d, sectionId, dupDomainSection));
If it's already configured we should just skip it instead of bugging the user...
—
Reply to this email directly, view it on GitHub[#7147 (review)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/AADFODUDNZGP6H2A67FIIVTZGVZOFAVCNFSM6AAAAABIUMU2QOVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDCMBXGMZDSMBRGI].
You are receiving this because you authored the thread.
[Отслеживающее изображение][https://github.com/notifications/beacon/AADFODTJ2OJU4DRCOBO65VDZGVZOFA5CNFSM6AAAAABIUMU2QOWGG33NNVSW45C7OR4XAZNRKB2WY3CSMVYXKZLTORJGK5TJMV32UY3PNVWWK3TUL5UWJTT5TNE7I.gif]
|
|
Nothing wrong with wildcards per se. Having them by default may simplify next configurations steps for new subdomains e.g. adding of nextcloud.example.duckdns.org.
An advanced user can remove the wildcard if not needed.
10 июн. 2024 г. 12:50:48 Toke Høiland-Jørgensen ***@***.***>:
…
***@***.**** commented on this pull request.
----------------------------------------
In applications/luci-app-acme/htdocs/luci-static/resources/view/acme/acme.js[#7147 (comment)]:
> @@ -648,7 +648,7 @@ function _collectDdnsDomains() {
if (credentials.length > 0) {
ddnsDomains.push({
sectionId: ddnsService['.name'],
- domains: [ddnsService['domain']],
+ domains: [ddnsService['domain'], '*.' + ddnsService['domain']],
Why? I don't think we should be encouraging people to randomly issue wildcard certs...
—
Reply to this email directly, view it on GitHub[#7147 (review)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/AADFODVK34LZBZEHGG3JWADZGVZHRAVCNFSM6AAAAABIUMU2QOVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDCMBXGMZDEMRXGM].
You are receiving this because you authored the thread.
[Отслеживающее изображение][https://github.com/notifications/beacon/AADFODV36ZNNE3NNETB4BXTZGVZHRA5CNFSM6AAAAABIUMU2QOWGG33NNVSW45C7OR4XAZNRKB2WY3CSMVYXKZLTORJGK5TJMV32UY3PNVWWK3TUL5UWJTT5TMX2C.gif]
|
|
Yes, the alert() is anoying, still it's much easier to implement it. Ideally a user should never see it
10 июн. 2024 г. 12:51:54 Toke Høiland-Jørgensen ***@***.***>:
…
***@***.**** commented on this pull request.
----------------------------------------
In applications/luci-app-acme/htdocs/luci-static/resources/view/acme/acme.js[#7147 (comment)]:
> @@ -665,6 +657,45 @@ function _collectDdnsDomains() {
return ddnsDomains;
}
+function _importDdns(ddnsDomains) {
+ alert(_('After import check the added domain certificate configurations.'));
*alert()* is not a good way to send messages to the uses. Pretty sure luci has some way of adding messages, please use that instead.
—
Reply to this email directly, view it on GitHub[#7147 (review)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/AADFODQD22UNPSCPBG4JEKLZGVZLTAVCNFSM6AAAAABIUMU2QOVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDCMBXGMZDMNBWGU].
You are receiving this because you authored the thread.
[Отслеживающее изображение][https://github.com/notifications/beacon/AADFODQON3AGDYWZM73JAE3ZGVZLTA5CNFSM6AAAAABIUMU2QOWGG33NNVSW45C7OR4XAZNRKB2WY3CSMVYXKZLTORJGK5TJMV32UY3PNVWWK3TUL5UWJTT5TNAAC.gif]
|
|
Sergey Ponomarev ***@***.***> writes:
Nothing wrong with wildcards per se. Having them by default may simplify next configurations steps for new subdomains e.g. adding of nextcloud.example.duckdns.org.
I disagree. A wildcard certificate assigns a lot more trust to the
device than a single domain, so the principle of least privilege
dictates that these should only be used when absolutely necessary.
An advanced user can remove the wildcard if not needed.
No, an advanced user can add it if needed :)
|
|
Sergey Ponomarev ***@***.***> writes:
Yes, the alert() is anoying, still it's much easier to implement it.
Ideally a user should never see it
No, don't offload pain on the user to make things easier to implement.
"Should never see it" is not a good argument, it will definitely happen
more than expected.
|
|
Do not use alert. It's is extremely difficult to manage with keyboard
only.
|
|
Please remove |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Maintainer: @tohojo
CC @hgl @stangri @systemcrash