Certificate settings

crates/defguard/src/main.rs

@@ -233,6 +233,7 @@ async fn main() -> Result<(), anyhow::Error> {
     update_counts(&pool).await?;
 
     let (proxy_control_tx, proxy_control_rx) = channel::<ProxyControlMessage>(100);
+    let (web_reload_tx, _web_reload_rx) = tokio::sync::broadcast::channel::<()>(8);
     let proxy_secret_key = settings.secret_key_required()?;
     let proxy_manager = ProxyManager::new(
         pool.clone(),
@@ -270,6 +271,7 @@ async fn main() -> Result<(), anyhow::Error> {
             webhook_tx,
             webhook_rx,
             gateway_tx.clone(),
+            web_reload_tx,
             pool.clone(),
             failed_logins,
             api_event_tx,

crates/defguard_certs/src/lib.rs

@@ -9,7 +9,10 @@ use rcgen::{
 use rustls_pki_types::{CertificateDer, CertificateSigningRequestDer, pem::PemObject};
 use thiserror::Error;
 use time::{Duration, OffsetDateTime};
-use x509_parser::parse_x509_certificate;
+use x509_parser::{
+    extensions::{GeneralName, ParsedExtension},
+    parse_x509_certificate,
+};
 
 const CA_NAME: &str = "Defguard CA";
 const NOT_BEFORE_OFFSET_SECS: Duration = Duration::minutes(5);
@@ -144,6 +147,7 @@ impl CertificateAuthority<'_> {
 
 pub struct CertificateInfo {
     pub subject_common_name: String,
+    pub subject_email: Option<String>,
     pub not_before: NaiveDateTime,
     pub not_after: NaiveDateTime,
     pub serial: String,
@@ -158,6 +162,17 @@ impl CertificateInfo {
 
         let subject = &parsed.tbs_certificate.subject;
         let serial = parsed.raw_serial_as_string();
+        let subject_email = parsed.tbs_certificate.extensions().iter().find_map(|ext| {
+            match ext.parsed_extension() {
+                ParsedExtension::SubjectAlternativeName(san) => {
+                    san.general_names.iter().find_map(|name| match name {
+                        GeneralName::RFC822Name(email) => Some(email.to_string()),
+                        _ => None,
+                    })
+                }
+                _ => None,
+            }
+        });
 
         let cn = subject
             .iter_common_name()
@@ -174,6 +189,7 @@ impl CertificateInfo {
 
         Ok(Self {
             subject_common_name: cn.to_string(),
+            subject_email,
             not_before: chrono::DateTime::from_timestamp(not_before.unix_timestamp(), 0)
                 .ok_or_else(|| {
                     CertificateError::ParsingError(format!(
@@ -425,30 +441,15 @@ mod tests {
 
     #[test]
     fn test_ca_email() {
-        use x509_parser::parse_x509_certificate;
-
         let expected_email = "contact@defguard.net";
         let ca = CertificateAuthority::new("Test CA", expected_email, 365).unwrap();
 
-        let (_rem, parsed) = parse_x509_certificate(ca.cert_der()).unwrap();
-
-        let san_ext = parsed
-            .tbs_certificate
-            .extensions()
-            .iter()
-            .find(|ext| ext.oid == x509_parser::oid_registry::OID_X509_EXT_SUBJECT_ALT_NAME)
-            .expect("Subject Alternative Name extension not found");
-
-        let san_value = san_ext.value;
-
-        let email_bytes = expected_email.as_bytes();
-        let email_found = san_value
-            .windows(email_bytes.len())
-            .any(|window| window == email_bytes);
+        let info = CertificateInfo::from_der(ca.cert_der()).unwrap();
 
-        assert!(
-            email_found,
-            "Email '{expected_email}' should be present in Subject Alternative Names"
+        assert_eq!(
+            info.subject_email.as_deref(),
+            Some(expected_email),
+            "Email should be parsed from Subject Alternative Names"
         );
     }
 

crates/defguard_common/src/types/proxy.rs

@@ -14,6 +14,7 @@ pub enum ProxyControlMessage {
         cert_pem: String,
         key_pem: String,
     },
+    ClearHttpsCerts,
 }
 
 #[derive(ToSchema, Serialize)]

crates/defguard_core/src/appstate.rs

@@ -30,6 +30,7 @@ pub struct AppState {
     pub pool: PgPool,
     tx: UnboundedSender<AppEvent>,
     pub wireguard_tx: Sender<GatewayEvent>,
+    pub web_reload_tx: tokio::sync::broadcast::Sender<()>,
     pub failed_logins: Arc<Mutex<FailedLoginMap>>,
     key: Key,
     pub event_tx: UnboundedSender<ApiEvent>,
@@ -116,6 +117,7 @@ impl AppState {
         tx: UnboundedSender<AppEvent>,
         rx: UnboundedReceiver<AppEvent>,
         wireguard_tx: Sender<GatewayEvent>,
+        web_reload_tx: tokio::sync::broadcast::Sender<()>,
         key: Key,
         failed_logins: Arc<Mutex<FailedLoginMap>>,
         event_tx: UnboundedSender<ApiEvent>,
@@ -128,6 +130,7 @@ impl AppState {
             pool,
             tx,
             wireguard_tx,
+            web_reload_tx,
             failed_logins,
             key,
             event_tx,

crates/defguard_core/src/enterprise/firewall/tests/mod.rs

@@ -27,7 +27,7 @@ use crate::enterprise::{
         AclRuleInfo, AclRuleNetwork, AclRuleUser, AliasKind, PortRange, RuleState,
     },
     firewall::try_get_location_firewall_config,
-    license::{License, LicenseTier, set_cached_license},
+    license::{License, LicenseTier, SupportType, set_cached_license},
 };
 
 mod all_locations;
@@ -55,7 +55,7 @@ fn set_test_license_business() {
         customer_id: "0c4dcb5400544d47ad8617fcdf2704cb".into(),
         limits: None,
         subscription: false,
-        support_type: crate::enterprise::license::SupportType::Basic,
+        support_type: SupportType::Basic,
         tier: LicenseTier::Business,
         valid_until: None,
         version_date_limit: None,

crates/defguard_core/src/handlers/component_setup.rs

@@ -10,14 +10,15 @@ use axum::{
     extract::{Path, Query},
     response::sse::{Event, KeepAlive, Sse},
 };
+use chrono::NaiveDateTime;
 use defguard_certs::der_to_pem;
 use defguard_common::{
     VERSION,
     auth::claims::Claims,
     db::{
         Id,
         models::{
-            Certificates,
+            Certificates, Settings,
             certificates::ProxyCertSource,
             gateway::Gateway,
             initial_setup_wizard::{InitialSetupState, InitialSetupStep},
@@ -1115,6 +1116,16 @@ fn acme_step_name(step: AcmeStep) -> &'static str {
     }
 }
 
+fn parse_cert_expiry(cert_pem: &str) -> Option<NaiveDateTime> {
+    let der = defguard_certs::parse_pem_certificate(cert_pem)
+        .map_err(|e| warn!("Failed to parse ACME cert PEM for expiry: {e}"))
+        .ok()?;
+    defguard_certs::CertificateInfo::from_der(&der)
+        .map(|info| info.not_after)
+        .map_err(|e| warn!("Failed to extract expiry from ACME cert: {e}"))
+        .ok()
+}
+
 /// Connects to the proxy's permanent `Proxy` gRPC service and calls `TriggerAcme`.
 ///
 /// Returns `(cert_pem, key_pem, account_credentials_json)` on success, or
@@ -1233,12 +1244,27 @@ pub async fn stream_proxy_acme(
             }
         };
 
-        let domain = match certs.acme_domain.clone() {
-            Some(d) if !d.is_empty() => d,
+        let domain = match Settings::get_current_settings().public_proxy_url.trim() {
+            url if !url.is_empty() => match Url::parse(url)
+                .ok()
+                .and_then(|u| u.host_str().map(ToString::to_string))
+                .filter(|host| !host.is_empty())
+            {
+                Some(host) => host,
+                None => {
+                    yield Ok(acme_error_event(
+                        "Connecting",
+                        "Public proxy URL is not configured with a valid hostname. Please re-submit the external URL settings with a valid domain."
+                            .to_string(),
+                        None,
+                    ));
+                    return;
+                }
+            },
             _ => {
                 yield Ok(acme_error_event(
                     "Connecting",
-                    "No ACME domain configured. Please re-submit the external URL settings \
+                    "Public proxy URL is not configured. Please re-submit the external URL settings \
                      with a Let's Encrypt domain."
                         .to_string(),
                     None,
@@ -1340,10 +1366,13 @@ pub async fn stream_proxy_acme(
         // Progress channel closed - collect the final result.
         match result_rx.await {
             Ok(Ok((cert_pem, key_pem, new_account_credentials_json))) => {
+                let acme_cert_expiry = parse_cert_expiry(&cert_pem);
                 match Certificates::get_or_default(&pool).await {
                     Ok(mut updated_certs) => {
+                        updated_certs.acme_domain = Some(domain.clone());
                         updated_certs.proxy_http_cert_pem = Some(cert_pem.clone());
                         updated_certs.proxy_http_cert_key_pem = Some(key_pem.clone());
+                        updated_certs.proxy_http_cert_expiry = acme_cert_expiry;
                         updated_certs.acme_account_credentials =
                             Some(new_account_credentials_json);
                         updated_certs.proxy_http_cert_source =