acme staging config flag

Author: j-chmielewski

example-config.toml

@@ -17,3 +17,4 @@ log_level = "info"
 rate_limit_per_second = 0
 rate_limit_burst = 0
 url = "http://localhost:8080"
+acme_staging = false

src/acme.rs

@@ -123,11 +123,18 @@ async fn check_domain_resolves(domain: &str) -> anyhow::Result<()> {
 pub async fn run_acme_http01(
     domain: String,
     existing_credentials_json: String,
+    use_staging: bool,
     port80_permit: Option<Port80Permit>,
     progress_tx: mpsc::UnboundedSender<AcmeStep>,
 ) -> anyhow::Result<AcmeCertResult> {
     info!("Starting ACME HTTP-01 certificate issuance for domain: {domain}");
-    info!("Using Let's Encrypt production environment");
+    let dir_url = if use_staging {
+        info!("Using Let's Encrypt staging environment");
+        LetsEncrypt::Staging.url().to_owned()
+    } else {
+        info!("Using Let's Encrypt production environment");
+        LetsEncrypt::Production.url().to_owned()
+    };
 
     // DNS pre-flight: verify the domain resolves before attempting ACME.
     let _ = progress_tx.send(AcmeStep::CheckingDomain);
@@ -140,7 +147,6 @@ pub async fn run_acme_http01(
     let (account, credentials) = if existing_credentials_json.is_empty() {
         info!("No stored ACME account found; creating a new one with Let's Encrypt");
         let builder = Account::builder().context("Failed to create ACME account builder")?;
-        let dir_url = LetsEncrypt::Production.url().to_owned();
         info!("Registering account at ACME directory: {dir_url}");
         let (account, credentials) = builder
             .create(
@@ -149,7 +155,7 @@ pub async fn run_acme_http01(
                     contact: &[],
                     only_return_existing: false,
                 },
-                dir_url,
+                dir_url.clone(),
                 None,
             )
             .await

src/config.rs

@@ -84,6 +84,10 @@ pub struct EnvConfig {
     /// server is restarted on this port using those certificates.
     #[arg(long, env = "DEFGUARD_PROXY_HTTPS_PORT", default_value_t = 443)]
     pub https_port: u16,
+
+    /// Use Let's Encrypt staging environment for ACME issuance.
+    #[arg(long, env = "DEFGUARD_PROXY_ACME_STAGING", default_value_t = false)]
+    pub acme_staging: bool,
 }
 
 #[derive(thiserror::Error, Debug)]

src/grpc.rs

@@ -62,6 +62,7 @@ pub(crate) struct ProxyServer {
     /// Shared log receiver - written by `GrpcLogLayer` for every tracing event.
     /// Drained during ACME execution to collect proxy log lines for error reporting.
     logs_rx: LogsReceiver,
+    acme_staging: bool,
 }
 
 impl ProxyServer {
@@ -74,6 +75,7 @@ impl ProxyServer {
         https_cert_tx: broadcast::Sender<(String, String)>,
         port80_pause_tx: Option<mpsc::Sender<(oneshot::Sender<()>, oneshot::Receiver<()>)>>,
         logs_rx: LogsReceiver,
+        acme_staging: bool,
     ) -> Self {
         Self {
             cookie_key,
@@ -88,6 +90,7 @@ impl ProxyServer {
             https_cert_tx,
             port80_pause_tx,
             logs_rx,
+            acme_staging,
         }
     }
 
@@ -212,6 +215,7 @@ impl Clone for ProxyServer {
             https_cert_tx: self.https_cert_tx.clone(),
             port80_pause_tx: self.port80_pause_tx.clone(),
             logs_rx: Arc::clone(&self.logs_rx),
+            acme_staging: self.acme_staging,
         }
     }
 }
@@ -389,6 +393,7 @@ impl proxy_server::Proxy for ProxyServer {
 
         let pause_tx = self.port80_pause_tx.clone();
         let logs_rx = Arc::clone(&self.logs_rx);
+        let acme_staging = self.acme_staging;
         tokio::spawn(async move {
             // Request a graceful hand-off of port 80 from the main HTTP server if it is bound
             // there, so the ACME challenge listener can bind.
@@ -432,8 +437,14 @@ impl proxy_server::Proxy for ProxyServer {
                 }
             });
 
-            match acme::run_acme_http01(domain.clone(), existing_credentials, permit, progress_tx)
-                .await
+            match acme::run_acme_http01(
+                domain.clone(),
+                existing_credentials,
+                acme_staging,
+                permit,
+                progress_tx,
+            )
+            .await
             {
                 Ok(acme_result) => {
                     let cert_event = AcmeIssueEvent {

src/http.rs

@@ -339,6 +339,7 @@ pub async fn run_server(
         https_cert_tx,
         port80_pause_tx,
         Arc::clone(&logs_rx),
+        env_config.acme_staging,
     );
 
     // Preload existing TLS configuration so /api/v1/info can report "disconnected"