Merge pull request #820 from jc21/develop

v2.7.3

.jenkins/config-mysql.json

@@ -1,10 +0,0 @@
-{
-	"database": {
-		"engine": "mysql",
-		"host": "db",
-		"name": "npm",
-		"user": "npm",
-		"password": "npm",
-		"port": 3306
-	}
-}

.jenkins/config-sqlite.json

@@ -1,11 +0,0 @@
-{
-	"database": {
-		"engine": "knex-native",
-		"knex": {
-			"client": "sqlite3",
-			"connection": {
-				"filename": "/data/database.sqlite"
-			}
-		}
-	}
-}

.version

@@ -1 +1 @@
-2.4.0
+2.7.2

Jenkinsfile

@@ -65,6 +65,7 @@ pipeline {
 				// See: https://github.com/yarnpkg/yarn/issues/3254
 				sh '''docker run --rm \\
 					-v "$(pwd)/backend:/app" \\
+					-v "$(pwd)/global:/app/global" \\
 					-w /app \\
 					node:latest \\
 					sh -c "yarn install && yarn eslint . && rm -rf node_modules"

README.md

@@ -1,7 +1,7 @@
 <p align="center">
 	<img src="https://nginxproxymanager.com/github.png">
 	<br><br>
-	<img src="https://img.shields.io/badge/version-2.4.0-green.svg?style=for-the-badge">
+	<img src="https://img.shields.io/badge/version-2.7.3-green.svg?style=for-the-badge">
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>
@@ -173,6 +173,62 @@ Special thanks to the following contributors:
 				<br /><sub><b>vrenjith</b></sub>
 			</a>
 		</td>
+		<td align="center">
+			<a href="https://github.com/duhruh">
+				<img src="https://avatars2.githubusercontent.com/u/1133969?s=460&u=c0691e6131ec6d516416c1c6fcedb5034f877bbe&v=4" width="80px;" alt=""/>
+				<br /><sub><b>David Rivera</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/jipjan">
+				<img src="https://avatars2.githubusercontent.com/u/1384618?s=460&v=4" width="80px;" alt=""/>
+				<br /><sub><b>Jaap-Jan de Wit</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/jmwebslave">
+				<img src="https://avatars2.githubusercontent.com/u/6118262?s=460&u=7db409c47135b1e141c366bbb03ed9fae6ac2638&v=4" width="80px;" alt=""/>
+				<br /><sub><b>James Morgan</b></sub>
+			</a>
+		</td>
+	</tr>
+	<tr>
+		<td align="center">
+			<a href="https://github.com/chaptergy">
+				<img src="https://avatars2.githubusercontent.com/u/26956711?s=460&u=7d9adebabb6b4e7af7cb05d98d751087a372304b&v=4" width="80px;" alt=""/>
+				<br /><sub><b>chaptergy</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/Philip-Mooney">
+				<img src="https://avatars0.githubusercontent.com/u/48624631?s=460&v=4" width="80px;" alt=""/>
+				<br /><sub><b>Philip Mooney</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/WaterCalm">
+				<img src="https://avatars1.githubusercontent.com/u/23502129?s=400&v=4" width="80px;" alt=""/>
+				<br /><sub><b>WaterCalm</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/lebrou34">
+				<img src="https://avatars1.githubusercontent.com/u/16373103?s=460&v=4" width="80px;" alt=""/>
+				<br /><sub><b>lebrou34</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/lightglitch">
+				<img src="https://avatars0.githubusercontent.com/u/196953?s=460&v=4" width="80px;" alt=""/>
+				<br /><sub><b>Mário Franco</b></sub>
+			</a>
+		</td>
+		<td align="center">
+			<a href="https://github.com/klutchell">
+				<img src="https://avatars3.githubusercontent.com/u/20458272?s=460&v=4" width="80px;" alt=""/>
+				<br /><sub><b>Kyle Harding</b></sub>
+			</a>
+		</td>
 	</tr>
 </table>
 <!-- markdownlint-enable -->

backend/app.js

@@ -66,7 +66,7 @@ app.use(function (err, req, res, next) {
 		}
 	};
 
-	if (process.env.NODE_ENV === 'development') {
+	if (process.env.NODE_ENV === 'development' || (req.baseUrl + req.path).includes('nginx/certificates')) {
 		payload.debug = {
 			stack:    typeof err.stack !== 'undefined' && err.stack ? err.stack.split('\n') : null,
 			previous: err.previous

backend/config/sqlite-test-db.json

@@ -4,7 +4,7 @@
       "knex": {
         "client": "sqlite3",
         "connection": {
-          "filename": "/app/backend/config/mydb.sqlite"
+          "filename": "/app/config/mydb.sqlite"
         },
         "pool": {
           "min": 0,

backend/index.js

@@ -2,7 +2,10 @@
 
 const logger = require('./logger').global;
 
-function appStart () {
+async function appStart () {
+	// Create config file db settings if environment variables have been set
+	await createDbConfigFromEnvironment();
+
 	const migrate             = require('./migrate');
 	const setup               = require('./setup');
 	const app                 = require('./app');
@@ -39,9 +42,92 @@ function appStart () {
 		});
 }
 
+async function createDbConfigFromEnvironment() {
+	return new Promise((resolve, reject) => {
+		const envMysqlHost  = process.env.DB_MYSQL_HOST || null;
+		const envMysqlPort  = process.env.DB_MYSQL_PORT || null;
+		const envMysqlUser  = process.env.DB_MYSQL_USER || null;
+		const envMysqlName  = process.env.DB_MYSQL_NAME || null;
+		const envSqliteFile = process.env.DB_SQLITE_FILE || null;
+
+		if ((envMysqlHost && envMysqlPort && envMysqlUser && envMysqlName) || envSqliteFile) {
+			const fs       = require('fs');
+			const filename = (process.env.NODE_CONFIG_DIR || './config') + '/' + (process.env.NODE_ENV || 'default') + '.json';
+			let configData = {};
+
+			try {
+				configData = require(filename);
+			} catch (err) {
+				// do nothing
+			}
+
+			if (configData.database && configData.database.engine && !configData.database.fromEnv) {
+				logger.info('Manual db configuration already exists, skipping config creation from environment variables');
+				resolve();
+				return;
+			}
+
+			if (envMysqlHost && envMysqlPort && envMysqlUser && envMysqlName) {
+				const newConfig = {
+					fromEnv:  true,
+					engine:   'mysql',
+					host:     envMysqlHost,
+					port:     envMysqlPort,
+					user:     envMysqlUser,
+					password: process.env.DB_MYSQL_PASSWORD,
+					name:     envMysqlName,
+				};
+
+				if (JSON.stringify(configData.database) === JSON.stringify(newConfig)) {
+					// Config is unchanged, skip overwrite
+					resolve();
+					return;
+				}
+
+				logger.info('Generating MySQL db configuration from environment variables');
+				configData.database = newConfig;
+
+			} else {
+				const newConfig = {
+					fromEnv: true,
+					engine:  'knex-native',
+					knex:    {
+						client:     'sqlite3',
+						connection: {
+							filename: envSqliteFile
+						}
+					}
+				};
+				if (JSON.stringify(configData.database) === JSON.stringify(newConfig)) {
+					// Config is unchanged, skip overwrite
+					resolve();
+					return;
+				}
+
+				logger.info('Generating Sqlite db configuration from environment variables');
+				configData.database = newConfig;
+			}
+
+			// Write config
+			fs.writeFile(filename, JSON.stringify(configData, null, 2), (err) => {
+				if (err) {
+					logger.error('Could not write db config to config file: ' + filename);
+					reject(err);
+				} else {
+					logger.info('Wrote db configuration to config file: ' + filename);
+					resolve();
+				}
+			});
+		} else {
+			resolve();
+		}
+	});
+}
+
 try {
 	appStart();
 } catch (err) {
 	logger.error(err.message, err);
 	process.exit(1);
 }
+

backend/internal/access-list.js

@@ -31,6 +31,7 @@ const internalAccessList = {
 					.insertAndFetch({
 						name:          data.name,
 						satisfy_any:   data.satisfy_any,
+						pass_auth:     data.pass_auth,
 						owner_user_id: access.token.getUserId(1)
 					});
 			})
@@ -128,6 +129,7 @@ const internalAccessList = {
 						.patch({
 							name:        data.name,
 							satisfy_any: data.satisfy_any,
+							pass_auth:   data.pass_auth,
 						});
 				}
 			})
@@ -384,7 +386,7 @@ const internalAccessList = {
 					.orderBy('access_list.name', 'ASC');
 
 				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('owner_user_id', access.token.getUserId(1));
+					query.andWhere('access_list.owner_user_id', access.token.getUserId(1));
 				}
 
 				// Query is used for searching

backend/internal/certificate.js

@@ -13,6 +13,7 @@ const internalNginx    = require('./nginx');
 const internalHost     = require('./host');
 const certbot_command  = '/usr/bin/certbot';
 const le_config        = '/etc/letsencrypt.ini';
+const dns_plugins      = require('../global/certbot-dns-plugins');
 
 function omissions() {
 	return ['is_deleted'];
@@ -77,7 +78,7 @@ const internalCertificate = {
 													.where('id', certificate.id)
 													.andWhere('provider', 'letsencrypt')
 													.patch({
-														expires_on: certificateModel.raw('FROM_UNIXTIME(' + cert_info.dates.to + ')')
+														expires_on: moment(cert_info.dates.to, 'X').format('YYYY-MM-DD HH:mm:ss')
 													});
 											})
 											.catch((err) => {
@@ -141,36 +142,60 @@ const internalCertificate = {
 								});
 						})
 						.then((in_use_result) => {
-							// 3. Generate the LE config
-							return internalNginx.generateLetsEncryptRequestConfig(certificate)
-								.then(internalNginx.reload)
-								.then(() => {
+							// With DNS challenge no config is needed, so skip 3 and 5.
+							if (certificate.meta.dns_challenge) {
+								return internalNginx.reload().then(() => {
 									// 4. Request cert
-									return internalCertificate.requestLetsEncryptSsl(certificate);
+									return internalCertificate.requestLetsEncryptSslWithDnsChallenge(certificate);
 								})
-								.then(() => {
-									// 5. Remove LE config
-									return internalNginx.deleteLetsEncryptRequestConfig(certificate);
-								})
-								.then(internalNginx.reload)
-								.then(() => {
-									// 6. Re-instate previously disabled hosts
-									return internalCertificate.enableInUseHosts(in_use_result);
-								})
-								.then(() => {
-									return certificate;
-								})
-								.catch((err) => {
-									// In the event of failure, revert things and throw err back
-									return internalNginx.deleteLetsEncryptRequestConfig(certificate)
-										.then(() => {
-											return internalCertificate.enableInUseHosts(in_use_result);
-										})
-										.then(internalNginx.reload)
-										.then(() => {
-											throw err;
-										});
-								});
+									.then(internalNginx.reload)
+									.then(() => {
+										// 6. Re-instate previously disabled hosts
+										return internalCertificate.enableInUseHosts(in_use_result);
+									})
+									.then(() => {
+										return certificate;
+									})
+									.catch((err) => {
+										// In the event of failure, revert things and throw err back
+										return internalCertificate.enableInUseHosts(in_use_result)
+											.then(internalNginx.reload)
+											.then(() => {
+												throw err;
+											});
+									});
+							} else {
+								// 3. Generate the LE config
+								return internalNginx.generateLetsEncryptRequestConfig(certificate)
+									.then(internalNginx.reload)
+									.then(() => {
+										// 4. Request cert
+										return internalCertificate.requestLetsEncryptSsl(certificate);
+									})
+									.then(() => {
+										// 5. Remove LE config
+										return internalNginx.deleteLetsEncryptRequestConfig(certificate);
+									})
+									.then(internalNginx.reload)
+									.then(() => {
+										// 6. Re-instate previously disabled hosts
+										return internalCertificate.enableInUseHosts(in_use_result);
+									})
+									.then(() => {
+										return certificate;
+									})
+									.catch((err) => {
+										// In the event of failure, revert things and throw err back
+										return internalNginx.deleteLetsEncryptRequestConfig(certificate)
+											.then(() => {
+												return internalCertificate.enableInUseHosts(in_use_result);
+											})
+											.then(internalNginx.reload)
+											.then(() => {
+												throw err;
+											});
+									});
+							}
 						})
 						.then(() => {
 							// At this point, the letsencrypt cert should exist on disk.
@@ -180,7 +205,7 @@ const internalCertificate = {
 									return certificateModel
 										.query()
 										.patchAndFetchById(certificate.id, {
-											expires_on: certificateModel.raw('FROM_UNIXTIME(' + cert_info.dates.to + ')')
+											expires_on: moment(cert_info.dates.to, 'X').format('YYYY-MM-DD HH:mm:ss')
 										})
 										.then((saved_row) => {
 											// Add cert data for audit log
@@ -191,6 +216,13 @@ const internalCertificate = {
 											return saved_row;
 										});
 								});
+						}).catch(async (error) => {
+							// Delete the certificate from the database if it was not created successfully
+							await certificateModel
+								.query()
+								.deleteById(certificate.id);
+							
+							throw error;
 						});
 				} else {
 					return certificate;
@@ -558,7 +590,7 @@ const internalCertificate = {
 						// TODO: This uses a mysql only raw function that won't translate to postgres
 						return internalCertificate.update(access, {
 							id:           data.id,
-							expires_on:   certificateModel.raw('FROM_UNIXTIME(' + validations.certificate.dates.to + ')'),
+							expires_on:   moment(validations.certificate.dates.to, 'X').format('YYYY-MM-DD HH:mm:ss'),
 							domain_names: [validations.certificate.cn],
 							meta:         _.clone(row.meta) // Prevent the update method from changing this value that we'll use later
 						})
@@ -583,18 +615,26 @@ const internalCertificate = {
 	checkPrivateKey: (private_key) => {
 		return tempWrite(private_key, '/tmp')
 			.then((filepath) => {
-				return utils.exec('openssl rsa -in ' + filepath + ' -check -noout')
-					.then((result) => {
-						if (!result.toLowerCase().includes('key ok')) {
-							throw new error.ValidationError(result);
-						}
-
-						fs.unlinkSync(filepath);
-						return true;
-					}).catch((err) => {
-						fs.unlinkSync(filepath);
-						throw new error.ValidationError('Certificate Key is not valid (' + err.message + ')', err);
-					});
+				return new Promise((resolve, reject) => {
+					const failTimeout = setTimeout(() => {
+						reject(new error.ValidationError('Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.'));
+					}, 10000);
+					utils
+						.exec('openssl pkey -in ' + filepath + ' -check -noout 2>&1 ')
+						.then((result) => {
+							clearTimeout(failTimeout);
+							if (!result.toLowerCase().includes('key is valid')) {
+								reject(new error.ValidationError('Result Validation Error: ' + result));
+							}
+							fs.unlinkSync(filepath);
+							resolve(true);
+						})
+						.catch((err) => {
+							clearTimeout(failTimeout);
+							fs.unlinkSync(filepath);
+							reject(new error.ValidationError('Certificate Key is not valid (' + err.message + ')', err));
+						});
+				});
 			});
 	},
 
@@ -733,7 +773,6 @@ const internalCertificate = {
 			'--agree-tos ' +
 			'--email "' + certificate.meta.letsencrypt_email + '" ' +
 			'--preferred-challenges "dns,http" ' +
-			'--webroot ' +
 			'--domains "' + certificate.domain_names.join(',') + '" ' +
 			(le_staging ? '--staging' : '');
 
@@ -748,6 +787,76 @@ const internalCertificate = {
 			});
 	},
 
+	/**
+	 * @param   {Object}  certificate   			the certificate row
+	 * @param		{String} 	dns_provider				the dns provider name (key used in `certbot-dns-plugins.js`)
+	 * @param		{String | null} 	credentials	the content of this providers credentials file
+	 * @param		{String} 	propagation_seconds	the cloudflare api token
+	 * @returns {Promise}
+	 */
+	requestLetsEncryptSslWithDnsChallenge: (certificate) => {
+		const dns_plugin = dns_plugins[certificate.meta.dns_provider];
+
+		if (!dns_plugin) {
+			throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`);
+		}
+
+		logger.info(`Requesting Let'sEncrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
+
+		const credentials_loc = '/etc/letsencrypt/credentials/credentials-' + certificate.id;
+		const credentials_cmd = 'mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + certificate.meta.dns_provider_credentials.replace('\'', '\\\'') + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'';
+		const prepare_cmd     = 'pip3 install ' + dns_plugin.package_name + '==' + dns_plugin.package_version + ' ' + dns_plugin.dependencies;
+
+		// Whether the plugin has a --<name>-credentials argument
+		const has_config_arg = certificate.meta.dns_provider !== 'route53';
+
+		let main_cmd = 
+			certbot_command + ' certonly --non-interactive ' +
+			'--cert-name "npm-' + certificate.id + '" ' +
+			'--agree-tos ' +
+			'--email "' + certificate.meta.letsencrypt_email + '" ' +			
+			'--domains "' + certificate.domain_names.join(',') + '" ' +
+			'--authenticator ' + dns_plugin.full_plugin_name + ' ' +
+			(
+				has_config_arg 
+					? '--' + dns_plugin.full_plugin_name + '-credentials "' + credentials_loc + '"' 
+					: ''
+			) +
+			(
+				certificate.meta.propagation_seconds !== undefined 
+					? ' --' + dns_plugin.full_plugin_name + '-propagation-seconds ' + certificate.meta.propagation_seconds 
+					: ''
+			) +
+			(le_staging ? ' --staging' : '');
+
+		// Prepend the path to the credentials file as an environment variable
+		if (certificate.meta.dns_provider === 'route53') {
+			main_cmd = 'AWS_CONFIG_FILE=\'' + credentials_loc + '\' ' + main_cmd;
+		}
+
+		if (debug_mode) {
+			logger.info('Command:', `${credentials_cmd} && ${prepare_cmd} && ${main_cmd}`);
+		}
+
+		return utils.exec(credentials_cmd)
+			.then(() => {
+				return utils.exec(prepare_cmd)
+					.then(() => {
+						return utils.exec(main_cmd)
+							.then(async (result) => {
+								logger.info(result);
+								return result;
+							});
+					});
+			}).catch(async (err) => {
+				// Don't fail if file does not exist
+				const delete_credentials_cmd = `rm -f '${credentials_loc}' || true`;
+				await utils.exec(delete_credentials_cmd);
+				throw err;
+			});
+	},
+
+
 	/**
 	 * @param   {Access}  access
 	 * @param   {Object}  data
@@ -761,7 +870,9 @@ const internalCertificate = {
 			})
 			.then((certificate) => {
 				if (certificate.provider === 'letsencrypt') {
-					return internalCertificate.renewLetsEncryptSsl(certificate)
+					let renewMethod = certificate.meta.dns_challenge ? internalCertificate.renewLetsEncryptSslWithDnsChallenge : internalCertificate.renewLetsEncryptSsl;		
+
+					return renewMethod(certificate)
 						.then(() => {
 							return internalCertificate.getCertificateInfoFromFile('/etc/letsencrypt/live/npm-' + certificate.id + '/fullchain.pem');
 						})
@@ -769,7 +880,7 @@ const internalCertificate = {
 							return certificateModel
 								.query()
 								.patchAndFetchById(certificate.id, {
-									expires_on: certificateModel.raw('FROM_UNIXTIME(' + cert_info.dates.to + ')')
+									expires_on: moment(cert_info.dates.to, 'X').format('YYYY-MM-DD HH:mm:ss')
 								});
 						})
 						.then((updated_certificate) => {
@@ -815,6 +926,42 @@ const internalCertificate = {
 			});
 	},
 
+	/**
+	 * @param   {Object}  certificate   the certificate row
+	 * @returns {Promise}
+	 */
+	renewLetsEncryptSslWithDnsChallenge: (certificate) => {
+		const dns_plugin = dns_plugins[certificate.meta.dns_provider];
+
+		if (!dns_plugin) {
+			throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`);
+		}
+
+		logger.info(`Renewing Let'sEncrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
+
+		let main_cmd = 
+			certbot_command + ' renew --non-interactive ' +
+			'--cert-name "npm-' + certificate.id + '" ' +
+			'--disable-hook-validation' +
+			(le_staging ? ' --staging' : '');
+
+		// Prepend the path to the credentials file as an environment variable
+		if (certificate.meta.dns_provider === 'route53') {
+			const credentials_loc = '/etc/letsencrypt/credentials/credentials-' + certificate.id;
+			main_cmd              = 'AWS_CONFIG_FILE=\'' + credentials_loc + '\' ' + main_cmd;
+		}
+
+		if (debug_mode) {
+			logger.info('Command:', main_cmd);
+		}
+
+		return utils.exec(main_cmd)
+			.then(async (result) => {
+				logger.info(result);
+				return result;
+			});
+	},
+
 	/**
 	 * @param   {Object}  certificate    the certificate row
 	 * @param   {Boolean} [throw_errors]
@@ -823,21 +970,21 @@ const internalCertificate = {
 	revokeLetsEncryptSsl: (certificate, throw_errors) => {
 		logger.info('Revoking Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
 
-		let cmd = certbot_command + ' revoke --non-interactive ' +
-			'--config "' + le_config + '" ' +
+		const main_cmd = certbot_command + ' revoke --non-interactive ' +
 			'--cert-path "/etc/letsencrypt/live/npm-' + certificate.id + '/fullchain.pem" ' +
 			'--delete-after-revoke ' +
 			(le_staging ? '--staging' : '');
 
+		// Don't fail command if file does not exist
+		const delete_credentials_cmd = `rm -f '/etc/letsencrypt/credentials/credentials-${certificate.id}' || true`;
+
 		if (debug_mode) {
-			logger.info('Command:', cmd);
+			logger.info('Command:', main_cmd + '; ' + delete_credentials_cmd);
 		}
 
-		return utils.exec(cmd)
-			.then((result) => {
-				if (debug_mode) {
-					logger.info('Command:', cmd);
-				}
+		return utils.exec(main_cmd)
+			.then(async (result) => {
+				await utils.exec(delete_credentials_cmd);
 				logger.info(result);
 				return result;
 			})

backend/internal/host.js

@@ -106,7 +106,7 @@ const internalHost = {
 					response_object.total_count      += response_object.redirection_hosts.length;
 				}
 
-				if (promises_results[1]) {
+				if (promises_results[2]) {
 					// Dead Hosts
 					response_object.dead_hosts   = internalHost._getHostsWithDomains(promises_results[2], domain_names);
 					response_object.total_count += response_object.dead_hosts.length;
@@ -158,7 +158,7 @@ const internalHost = {
 					}
 				}
 
-				if (promises_results[1]) {
+				if (promises_results[2]) {
 					// Dead Hosts
 					if (internalHost._checkHostnameRecordsTaken(hostname, promises_results[2], ignore_type === 'dead' && ignore_id ? ignore_id : 0)) {
 						is_taken = true;

backend/migrations/20201014143841_pass_auth.js

@@ -0,0 +1,41 @@
+const migrate_name = 'pass_auth';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object}  knex
+ * @param   {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex/*, Promise*/) {
+
+	logger.info('[' + migrate_name + '] Migrating Up...');
+
+	return knex.schema.table('access_list', function (access_list) {
+		access_list.integer('pass_auth').notNull().defaultTo(1);
+	})
+		.then(() => {
+			logger.info('[' + migrate_name + '] access_list Table altered');
+		});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex/*, Promise*/) {
+	logger.info('[' + migrate_name + '] Migrating Down...');
+
+	return knex.schema.table('access_list', function (access_list) {
+		access_list.dropColumn('pass_auth');
+	})
+		.then(() => {
+			logger.info('[' + migrate_name + '] access_list pass_auth Column dropped');
+		});
+};

backend/models/access_list.js

@@ -93,6 +93,10 @@ class AccessList extends Model {
 	get satisfy() {
 		return this.satisfy_any ? 'satisfy any' : 'satisfy all';
 	}
+
+	get passauth() {
+		return this.pass_auth ? '' : 'proxy_set_header Authorization "";';
+	}
 }
 
 module.exports = AccessList;

backend/models/now_helper.js

@@ -6,7 +6,7 @@ Model.knex(db);
 
 module.exports = function () {
 	if (config.database.knex && config.database.knex.client === 'sqlite3') {
-		return Model.raw('date(\'now\')');
+		return Model.raw('datetime(\'now\',\'localtime\')');
 	} else {
 		return Model.raw('NOW()');
 	}

backend/package.json

@@ -6,7 +6,7 @@
 	"dependencies": {
 		"ajv": "^6.12.0",
 		"batchflow": "^0.4.0",
-		"bcrypt": "^4.0.1",
+		"bcrypt": "^5.0.0",
 		"body-parser": "^1.19.0",
 		"compression": "^1.7.4",
 		"config": "^3.3.1",

backend/routes/api/nginx/certificates.js

@@ -58,6 +58,7 @@ router
 	.post((req, res, next) => {
 		apiValidator({$ref: 'endpoints/certificates#/links/1/schema'}, req.body)
 			.then((payload) => {
+				req.setTimeout(900000); // 15 minutes timeout
 				return internalCertificate.create(res.locals.access, payload);
 			})
 			.then((result) => {
@@ -197,6 +198,7 @@ router
 	 * Renew certificate
 	 */
 	.post((req, res, next) => {
+		req.setTimeout(900000); // 15 minutes timeout
 		internalCertificate.renew(res.locals.access, {
 			id: parseInt(req.params.certificate_id, 10)
 		})

backend/schema/endpoints/access-lists.json

@@ -42,6 +42,9 @@
 		"satisfy_any": {
 			"type": "boolean"
 		},
+		"pass_auth": {
+			"type": "boolean"
+		},
 		"meta": {
 			"type": "object"
 		}
@@ -102,6 +105,9 @@
 					"satisfy_any": {
 						"$ref": "#/definitions/satisfy_any"
 					},
+					"pass_auth": {
+						"$ref": "#/definitions/pass_auth"
+					},
 					"items": {
 						"type": "array",
 						"minItems": 0,
@@ -167,6 +173,9 @@
 					"satisfy_any": {
 						"$ref": "#/definitions/satisfy_any"
 					},
+					"pass_auth": {
+						"$ref": "#/definitions/pass_auth"
+					},
 					"items": {
 						"type": "array",
 						"minItems": 0,

backend/schema/endpoints/certificates.json

@@ -41,6 +41,24 @@
         },
         "letsencrypt_agree": {
           "type": "boolean"
+        },
+        "dns_challenge": {
+          "type": "boolean"
+        },
+        "dns_provider": {
+          "type": "string"
+        },
+        "dns_provider_credentials": {
+          "type": "string"
+        },
+        "propagation_seconds": {
+          "anyOf": [
+            { 
+              "type": "integer",
+              "minimum": 0 
+            }
+          ]
+          
         }
       }
     }

backend/setup.js

@@ -2,10 +2,13 @@ const fs                  = require('fs');
 const NodeRSA             = require('node-rsa');
 const config              = require('config');
 const logger              = require('./logger').setup;
+const certificateModel    = require('./models/certificate');
 const userModel           = require('./models/user');
 const userPermissionModel = require('./models/user_permission');
+const utils               = require('./lib/utils');
 const authModel           = require('./models/auth');
 const settingModel        = require('./models/setting');
+const dns_plugins         = require('./global/certbot-dns-plugins');
 const debug_mode          = process.env.NODE_ENV !== 'production' || !!process.env.DEBUG;
 
 /**
@@ -155,8 +158,53 @@ const setupDefaultSettings = () => {
 		});
 };
 
+/**
+ * Installs all Certbot plugins which are required for an installed certificate
+ *
+ * @returns {Promise}
+ */
+const setupCertbotPlugins = () => {
+	return certificateModel
+		.query()
+		.where('is_deleted', 0)
+		.andWhere('provider', 'letsencrypt')
+		.then((certificates) => {
+			if (certificates && certificates.length) {
+				let plugins  = [];
+				let promises = [];
+
+				certificates.map(function (certificate) {
+					if (certificate.meta && certificate.meta.dns_challenge === true) {
+						const dns_plugin          = dns_plugins[certificate.meta.dns_provider];
+						const packages_to_install = `${dns_plugin.package_name}==${dns_plugin.package_version} ${dns_plugin.dependencies}`;
+
+						if (plugins.indexOf(packages_to_install) === -1) plugins.push(packages_to_install);
+
+						// Make sure credentials file exists
+						const credentials_loc = '/etc/letsencrypt/credentials/credentials-' + certificate.id; 
+						const credentials_cmd = '[ -f \'' + credentials_loc + '\' ] || { mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + certificate.meta.dns_provider_credentials.replace('\'', '\\\'') + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'; }';
+						promises.push(utils.exec(credentials_cmd));
+					}
+				});
+
+				if (plugins.length) {
+					const install_cmd = 'pip3 install ' + plugins.join(' ');
+					promises.push(utils.exec(install_cmd));
+				}
+
+				if (promises.length) {
+					return Promise.all(promises)
+						.then(() => { 
+							logger.info('Added Certbot plugins ' + plugins.join(', ')); 
+						});
+				}
+			}
+		});
+};
+
 module.exports = function () {
 	return setupJwt()
 		.then(setupDefaultUser)
-		.then(setupDefaultSettings);
+		.then(setupDefaultSettings)
+		.then(setupCertbotPlugins);
 };

backend/templates/proxy_host.conf

@@ -27,6 +27,8 @@ server {
     # Authorization
     auth_basic            "Authorization required";
     auth_basic_user_file  /data/access/{{ access_list_id }};
+
+    {{ access_list.passauth }}
     {% endif %}
 
     # Access Rules
@@ -35,7 +37,9 @@ server {
     {% endfor %}deny all;
 
     # Access checks must...
+    {% if access_list.satisfy %}
     {{ access_list.satisfy }};
+    {% endif %}
 
     {% endif %}
 

backend/yarn.lock

@@ -249,13 +249,13 @@ batchflow@^0.4.0:
   resolved "https://registry.yarnpkg.com/batchflow/-/batchflow-0.4.0.tgz#7d419df79b6b7587b06f9ea34f96ccef6f74e5b5"
   integrity sha1-fUGd95trdYewb56jT5bM72905bU=
 
-bcrypt@^4.0.1:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/bcrypt/-/bcrypt-4.0.1.tgz#06e21e749a061020e4ff1283c1faa93187ac57fe"
-  integrity sha512-hSIZHkUxIDS5zA2o00Kf2O5RfVbQ888n54xQoF/eIaquU4uaLxK8vhhBdktd0B3n2MjkcAWzv4mnhogykBKOUQ==
+bcrypt@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/bcrypt/-/bcrypt-5.0.0.tgz#051407c7cd5ffbfb773d541ca3760ea0754e37e2"
+  integrity sha512-jB0yCBl4W/kVHM2whjfyqnxTmOHkCX4kHEa5nYKSoGeYe8YrjTYTc87/6bwt1g8cmV0QrbhKriETg9jWtcREhg==
   dependencies:
-    node-addon-api "^2.0.0"
-    node-pre-gyp "0.14.0"
+    node-addon-api "^3.0.0"
+    node-pre-gyp "0.15.0"
 
 bignumber.js@9.0.0:
   version "9.0.0"
@@ -1548,9 +1548,9 @@ inherits@2.0.3:
   integrity sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=
 
 ini@^1.3.4, ini@^1.3.5, ini@~1.3.0:
-  version "1.3.5"
-  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
-  integrity sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==
+  version "1.3.8"
+  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.8.tgz#a29da425b48806f34767a4efce397269af28432c"
+  integrity sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==
 
 inquirer@^7.0.0:
   version "7.3.3"
@@ -2166,7 +2166,7 @@ mixin-deep@^1.2.0:
     for-in "^1.0.2"
     is-extendable "^1.0.1"
 
-mkdirp@^0.5.0, mkdirp@^0.5.1:
+mkdirp@^0.5.0, mkdirp@^0.5.1, mkdirp@^0.5.3:
   version "0.5.5"
   resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.5.tgz#d91cefd62d1436ca0f41620e251288d420099def"
   integrity sha512-NKmAlESf6jMGym1++R0Ra7wvhV+wFW63FaSOFPwRahvea0gMUcGUhVeAg/0BC0wiv9ih5NYPB1Wn1UEI1/L+xQ==
@@ -2235,7 +2235,7 @@ natural-compare@^1.4.0:
   resolved "https://registry.yarnpkg.com/natural-compare/-/natural-compare-1.4.0.tgz#4abebfeed7541f2c27acfb29bdbbd15c8d5ba4f7"
   integrity sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=
 
-needle@^2.2.1:
+needle@^2.2.1, needle@^2.5.0:
   version "2.5.0"
   resolved "https://registry.yarnpkg.com/needle/-/needle-2.5.0.tgz#e6fc4b3cc6c25caed7554bd613a5cf0bac8c31c0"
   integrity sha512-o/qITSDR0JCyCKEQ1/1bnUXMmznxabbwi/Y4WwJElf+evwJNFNwIDMCCt5IigFVxgeGBJESLohGtIS9gEzo1fA==
@@ -2254,19 +2254,19 @@ nice-try@^1.0.4:
   resolved "https://registry.yarnpkg.com/nice-try/-/nice-try-1.0.5.tgz#a3378a7696ce7d223e88fc9b764bd7ef1089e366"
   integrity sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==
 
-node-addon-api@^2.0.0:
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/node-addon-api/-/node-addon-api-2.0.2.tgz#432cfa82962ce494b132e9d72a15b29f71ff5d32"
-  integrity sha512-Ntyt4AIXyaLIuMHF6IOoTakB3K+RWxwtsHNRxllEoA6vPwP9o4866g6YWDLUdnucilZhmkxiHwHr11gAENw+QA==
+node-addon-api@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/node-addon-api/-/node-addon-api-3.0.0.tgz#812446a1001a54f71663bed188314bba07e09247"
+  integrity sha512-sSHCgWfJ+Lui/u+0msF3oyCgvdkhxDbkCS6Q8uiJquzOimkJBvX6hl5aSSA7DR1XbMpdM8r7phjcF63sF4rkKg==
 
-node-pre-gyp@0.14.0:
-  version "0.14.0"
-  resolved "https://registry.yarnpkg.com/node-pre-gyp/-/node-pre-gyp-0.14.0.tgz#9a0596533b877289bcad4e143982ca3d904ddc83"
-  integrity sha512-+CvDC7ZttU/sSt9rFjix/P05iS43qHCOOGzcr3Ry99bXG7VX953+vFyEuph/tfqoYu8dttBkE86JSKBO2OzcxA==
+node-pre-gyp@0.15.0:
+  version "0.15.0"
+  resolved "https://registry.yarnpkg.com/node-pre-gyp/-/node-pre-gyp-0.15.0.tgz#c2fc383276b74c7ffa842925241553e8b40f1087"
+  integrity sha512-7QcZa8/fpaU/BKenjcaeFF9hLz2+7S9AqyXFhlH/rilsQ/hPZKK32RtR5EQHJElgu+q5RfbJ34KriI79UWaorA==
   dependencies:
     detect-libc "^1.0.2"
-    mkdirp "^0.5.1"
-    needle "^2.2.1"
+    mkdirp "^0.5.3"
+    needle "^2.5.0"
     nopt "^4.0.1"
     npm-packlist "^1.1.6"
     npmlog "^4.0.2"

docker/Dockerfile

@@ -17,7 +17,8 @@ ENV NODE_ENV=production
 
 RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \
 	&& apk update \
-	&& apk add python2 certbot jq \
+	&& apk add python3 certbot jq \
+	&& python3 -m ensurepip \
 	&& rm -rf /var/cache/apk/*
 
 ENV NPM_BUILD_VERSION="${BUILD_VERSION}" NPM_BUILD_COMMIT="${BUILD_COMMIT}" NPM_BUILD_DATE="${BUILD_DATE}"
@@ -33,6 +34,7 @@ EXPOSE 443
 COPY docker/rootfs      /
 ADD backend             /app
 ADD frontend/dist       /app/frontend
+COPY global             /app/global
 
 WORKDIR /app
 RUN yarn install

docker/dev/Dockerfile

@@ -7,7 +7,8 @@ ENV S6_FIX_ATTRS_HIDDEN=1
 
 RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \
 	&& apk update \
-	&& apk add python2 certbot jq \
+	&& apk add python3 certbot jq \
+	&& python3 -m ensurepip \
 	&& rm -rf /var/cache/apk/*
 
 # Task

docker/docker-compose.ci.yml

@@ -5,11 +5,15 @@ services:
   fullstack-mysql:
     image: ${IMAGE}:ci-${BUILD_NUMBER}
     environment:
-      - NODE_ENV=development
-      - FORCE_COLOR=1
+      NODE_ENV: "development"
+      FORCE_COLOR: 1
+      DB_MYSQL_HOST: "db"
+      DB_MYSQL_PORT: 3306
+      DB_MYSQL_USER: "npm"
+      DB_MYSQL_PASSWORD: "npm"
+      DB_MYSQL_NAME: "npm"
     volumes:
       - npm_data:/data
-      - ../.jenkins/config-mysql.json:/app/config/development.json
     expose:
       - 81
       - 80
@@ -20,11 +24,11 @@ services:
   fullstack-sqlite:
     image: ${IMAGE}:ci-${BUILD_NUMBER}
     environment:
-      - NODE_ENV=development
-      - FORCE_COLOR=1
+      NODE_ENV: "development"
+      FORCE_COLOR: 1
+      DB_SQLITE_FILE: "/data/database.sqlite"
     volumes:
       - npm_data:/data
-      - ../.jenkins/config-sqlite.json:/app/config/development.json
     expose:
       - 81
       - 80
@@ -43,8 +47,8 @@ services:
   cypress-mysql:
     image: ${IMAGE}-cypress:ci-${BUILD_NUMBER}
     build:
-      context: ../
-      dockerfile: test/cypress/Dockerfile
+      context: ../test/
+      dockerfile: cypress/Dockerfile
     environment:
       CYPRESS_baseUrl: "http://fullstack-mysql:81"
     volumes:
@@ -54,8 +58,8 @@ services:
   cypress-sqlite:
     image: ${IMAGE}-cypress:ci-${BUILD_NUMBER}
     build:
-      context: ../
-      dockerfile: test/cypress/Dockerfile
+      context: ../test/
+      dockerfile: cypress/Dockerfile
     environment:
       CYPRESS_baseUrl: "http://fullstack-sqlite:81"
     volumes:

docker/docker-compose.dev.yml

@@ -11,21 +11,33 @@ services:
       - 3080:80
       - 3081:81
       - 3443:443
+    networks:
+      - nginx_proxy_manager
     environment:
-      - NODE_ENV=development
-      - FORCE_COLOR=1
-      - DEVELOPMENT=true
-      #- DISABLE_IPV6=true
+      NODE_ENV: "development"
+      FORCE_COLOR: 1
+      DEVELOPMENT: "true"
+      DB_MYSQL_HOST: "db"
+      DB_MYSQL_PORT: 3306
+      DB_MYSQL_USER: "npm"
+      DB_MYSQL_PASSWORD: "npm"
+      DB_MYSQL_NAME: "npm"
+      # DB_SQLITE_FILE: "/data/database.sqlite"
+      # DISABLE_IPV6: "true"
     volumes:
       - npm_data:/data
       - le_data:/etc/letsencrypt
-      - ..:/app
+      - ../backend:/app
+      - ../frontend:/app/frontend
+      - ../global:/app/global
     depends_on:
       - db
     working_dir: /app
 
   db:
     image: jc21/mariadb-aria
+    networks:
+      - nginx_proxy_manager
     environment:
       MYSQL_ROOT_PASSWORD: "npm"
       MYSQL_DATABASE: "npm"
@@ -38,6 +50,8 @@ services:
     image: 'swaggerapi/swagger-ui:latest'
     ports:
       - 3001:80
+    networks:
+      - nginx_proxy_manager
     environment:
       URL: "http://127.0.0.1:3081/api/schema"
       PORT: '80'
@@ -48,3 +62,6 @@ volumes:
   npm_data:
   le_data:
   db_data:
+
+networks:
+  nginx_proxy_manager:

docker/rootfs/etc/nginx/conf.d/dev.conf

@@ -17,6 +17,9 @@ server {
 		proxy_set_header      X-Forwarded-Proto  $scheme;
 		proxy_set_header      X-Forwarded-For    $remote_addr;
 		proxy_pass            http://127.0.0.1:3000/;
+
+		proxy_read_timeout 15m;
+		proxy_send_timeout 15m;
 	}
 
 	location / {

docker/rootfs/etc/nginx/conf.d/include/ip_ranges.conf

@@ -1,196 +1,2 @@
-
-set_real_ip_from 144.220.0.0/16;
-
-set_real_ip_from 52.124.128.0/17;
-
-set_real_ip_from 54.230.0.0/16;
-
-set_real_ip_from 54.239.128.0/18;
-
-set_real_ip_from 52.82.128.0/19;
-
-set_real_ip_from 99.84.0.0/16;
-
-set_real_ip_from 204.246.172.0/24;
-
-set_real_ip_from 205.251.192.0/19;
-
-set_real_ip_from 54.239.192.0/19;
-
-set_real_ip_from 70.132.0.0/18;
-
-set_real_ip_from 13.32.0.0/15;
-
-set_real_ip_from 13.224.0.0/14;
-
-set_real_ip_from 13.35.0.0/16;
-
-set_real_ip_from 204.246.164.0/22;
-
-set_real_ip_from 204.246.168.0/22;
-
-set_real_ip_from 71.152.0.0/17;
-
-set_real_ip_from 216.137.32.0/19;
-
-set_real_ip_from 205.251.249.0/24;
-
-set_real_ip_from 99.86.0.0/16;
-
-set_real_ip_from 52.46.0.0/18;
-
-set_real_ip_from 52.84.0.0/15;
-
-set_real_ip_from 204.246.173.0/24;
-
-set_real_ip_from 130.176.0.0/16;
-
-set_real_ip_from 64.252.64.0/18;
-
-set_real_ip_from 204.246.174.0/23;
-
-set_real_ip_from 64.252.128.0/18;
-
-set_real_ip_from 205.251.254.0/24;
-
-set_real_ip_from 143.204.0.0/16;
-
-set_real_ip_from 205.251.252.0/23;
-
-set_real_ip_from 204.246.176.0/20;
-
-set_real_ip_from 13.249.0.0/16;
-
-set_real_ip_from 54.240.128.0/18;
-
-set_real_ip_from 205.251.250.0/23;
-
-set_real_ip_from 52.222.128.0/17;
-
-set_real_ip_from 54.182.0.0/16;
-
-set_real_ip_from 54.192.0.0/16;
-
-set_real_ip_from 13.124.199.0/24;
-
-set_real_ip_from 34.226.14.0/24;
-
-set_real_ip_from 52.15.127.128/26;
-
-set_real_ip_from 35.158.136.0/24;
-
-set_real_ip_from 52.57.254.0/24;
-
-set_real_ip_from 18.216.170.128/25;
-
-set_real_ip_from 13.52.204.0/23;
-
-set_real_ip_from 13.54.63.128/26;
-
-set_real_ip_from 13.59.250.0/26;
-
-set_real_ip_from 13.210.67.128/26;
-
-set_real_ip_from 35.167.191.128/26;
-
-set_real_ip_from 52.47.139.0/24;
-
-set_real_ip_from 52.199.127.192/26;
-
-set_real_ip_from 52.212.248.0/26;
-
-set_real_ip_from 52.66.194.128/26;
-
-set_real_ip_from 13.113.203.0/24;
-
-set_real_ip_from 99.79.168.0/23;
-
-set_real_ip_from 34.195.252.0/24;
-
-set_real_ip_from 35.162.63.192/26;
-
-set_real_ip_from 34.223.12.224/27;
-
-set_real_ip_from 52.56.127.0/25;
-
-set_real_ip_from 34.223.80.192/26;
-
-set_real_ip_from 13.228.69.0/24;
-
-set_real_ip_from 34.216.51.0/25;
-
-set_real_ip_from 3.231.2.0/25;
-
-set_real_ip_from 54.233.255.128/26;
-
-set_real_ip_from 18.200.212.0/23;
-
-set_real_ip_from 52.52.191.128/26;
-
-set_real_ip_from 3.234.232.224/27;
-
-set_real_ip_from 52.78.247.128/26;
-
-set_real_ip_from 52.220.191.0/26;
-
-set_real_ip_from 34.232.163.208/29;
-
-set_real_ip_from 2600:9000:eee::/48;
-
-set_real_ip_from 2600:9000:4000::/36;
-
-set_real_ip_from 2600:9000:3000::/36;
-
-set_real_ip_from 2600:9000:f000::/36;
-
-set_real_ip_from 2600:9000:fff::/48;
-
-set_real_ip_from 2600:9000:2000::/36;
-
-set_real_ip_from 2600:9000:1000::/36;
-
-set_real_ip_from 2600:9000:ddd::/48;
-
-set_real_ip_from 2600:9000:5300::/40;
-
-set_real_ip_from 173.245.48.0/20;
-
-set_real_ip_from 103.21.244.0/22;
-
-set_real_ip_from 103.22.200.0/22;
-
-set_real_ip_from 103.31.4.0/22;
-
-set_real_ip_from 141.101.64.0/18;
-
-set_real_ip_from 108.162.192.0/18;
-
-set_real_ip_from 190.93.240.0/20;
-
-set_real_ip_from 188.114.96.0/20;
-
-set_real_ip_from 197.234.240.0/22;
-
-set_real_ip_from 198.41.128.0/17;
-
-set_real_ip_from 162.158.0.0/15;
-
-set_real_ip_from 104.16.0.0/12;
-
-set_real_ip_from 172.64.0.0/13;
-
-set_real_ip_from 131.0.72.0/22;
-
-set_real_ip_from 2400:cb00::/32;
-
-set_real_ip_from 2606:4700::/32;
-
-set_real_ip_from 2803:f800::/32;
-
-set_real_ip_from 2405:b500::/32;
-
-set_real_ip_from 2405:8100::/32;
-
-set_real_ip_from 2a06:98c0::/29;
-
-set_real_ip_from 2c0f:f248::/32;
+# This should be left blank is it is populated programatically
+# by the application backend.

docker/rootfs/etc/nginx/conf.d/include/proxy.conf

@@ -3,4 +3,6 @@ proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Scheme $scheme;
 proxy_set_header X-Forwarded-Proto  $scheme;
 proxy_set_header X-Forwarded-For    $remote_addr;
+proxy_set_header X-Real-IP          $remote_addr;
 proxy_pass       $forward_scheme://$server:$port;
+

docker/rootfs/etc/nginx/conf.d/production.conf

@@ -18,6 +18,9 @@ server {
 		proxy_set_header      X-Forwarded-Proto  $scheme;
 		proxy_set_header      X-Forwarded-For    $remote_addr;
 		proxy_pass            http://127.0.0.1:3000/;
+
+		proxy_read_timeout 15m;
+		proxy_send_timeout 15m;
 	}
 
 	location / {

docker/rootfs/etc/nginx/nginx.conf

@@ -27,9 +27,9 @@ http {
 	tcp_nodelay                   on;
 	client_body_temp_path         /tmp/nginx/body 1 2;
 	keepalive_timeout             90s;
-        proxy_connect_timeout         90s;
-        proxy_send_timeout            90s;
-        proxy_read_timeout            90s;
+	proxy_connect_timeout         90s;
+	proxy_send_timeout            90s;
+	proxy_read_timeout            90s;
 	ssl_prefer_server_ciphers     on;
 	gzip                          on;
 	proxy_ignore_client_abort     off;
@@ -60,10 +60,13 @@ http {
 	# Real IP Determination
 	# Docker subnet:
 	set_real_ip_from 172.0.0.0/8;
+	# Local subnets:
+	set_real_ip_from 10.0.0.0/8;
+	set_real_ip_from 192.0.0.0/8;
 	# NPM generated CDN ip ranges:
 	include conf.d/include/ip_ranges.conf;
 	# always put the following 2 lines after ip subnets:
-	real_ip_header X-Forwarded-For;
+	real_ip_header X-Real-IP;
 	real_ip_recursive on;
 
 	# Files generated by NPM
@@ -81,6 +84,9 @@ http {
 stream {
 	# Files generated by NPM
 	include /data/nginx/stream/*.conf;
+
+	# Custom
+	include /data/nginx/custom/stream[.]conf;
 }
 
 # Custom

docker/rootfs/etc/services.d/manager/run

@@ -5,7 +5,7 @@ mkdir -p /data/letsencrypt-acme-challenge
 cd /app || echo
 
 if [ "$DEVELOPMENT" == "true" ]; then
-	cd /app/backend || exit 1
+	cd /app || exit 1
 	yarn install
 	node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js
 else

docs/README.md

@@ -45,21 +45,7 @@ footer: MIT Licensed | Copyright © 2016-present jc21.com
 - [Docker Install documentation](https://docs.docker.com/install/)
 - [Docker-Compose Install documentation](https://docs.docker.com/compose/install/)
 
-2. Create a config file for example
-```json
-{
-  "database": {
-    "engine": "mysql",
-    "host": "db",
-    "name": "npm",
-    "user": "npm",
-    "password": "npm",
-    "port": 3306
-  }
-}
-```
-
-3. Create a docker-compose.yml file similar to this:
+2. Create a docker-compose.yml file similar to this:
 
 ```yml
 version: '3'
@@ -70,8 +56,13 @@ services:
       - '80:80'
       - '81:81'
       - '443:443'
+    environment:
+      DB_MYSQL_HOST: "db"
+      DB_MYSQL_PORT: 3306
+      DB_MYSQL_USER: "npm"
+      DB_MYSQL_PASSWORD: "npm"
+      DB_MYSQL_NAME: "npm"
     volumes:
-      - ./config.json:/app/config/production.json
       - ./data:/data
       - ./letsencrypt:/etc/letsencrypt
   db:
@@ -85,13 +76,13 @@ services:
       - ./data/mysql:/var/lib/mysql
 ```
 
-4. Bring up your stack
+3. Bring up your stack
 
 ```bash
 docker-compose up -d
 ```
 
-5. Log in to the Admin UI
+4. Log in to the Admin UI
 
 When your docker container is running, connect to it on port `81` for the admin interface.
 Sometimes this can take a little bit because of the entropy of keys.

docs/advanced-config/README.md

@@ -24,6 +24,7 @@ You can add your custom configuration snippet files at `/data/nginx/custom` as f
 
  - `/data/nginx/custom/root.conf`: Included at the very end of nginx.conf
  - `/data/nginx/custom/http.conf`: Included at the end of the main http block
+ - `/data/nginx/custom/stream.conf`: Included at the end of the main stream block
  - `/data/nginx/custom/server_proxy.conf`: Included at the end of every proxy server block
  - `/data/nginx/custom/server_redirect.conf`: Included at the end of every redirection server block
  - `/data/nginx/custom/server_stream.conf`: Included at the end of every stream server block

docs/package.json

@@ -434,7 +434,7 @@
     "neo-async": "^2.6.2",
     "nice-try": "^2.0.1",
     "no-case": "^3.0.3",
-    "node-forge": "^0.9.1",
+    "node-forge": "^0.10.0",
     "node-libs-browser": "^2.2.1",
     "node-releases": "^1.1.60",
     "nopt": "^4.0.3",

docs/setup/README.md

@@ -1,50 +1,5 @@
 # Full Setup Instructions
 
-### Configuration File
-
-**The configuration file needs to be provided by you!**
-
-Don't worry, this is easy to do.
-
-The app requires a configuration file to let it know what database you're using. By default, this file is called `config.json`
-
-Here's an example configuration for `mysql` (or mariadb) that is compatible with the docker-compose example below:
-
-```json
-{
-  "database": {
-    "engine": "mysql",
-    "host": "db",
-    "name": "npm",
-    "user": "npm",
-    "password": "npm",
-    "port": 3306
-  }
-}
-```
-
-Alternatively if you would like to use a Sqlite database file:
-
-```json
-{
-  "database": {
-    "engine": "knex-native",
-    "knex": {
-      "client": "sqlite3",
-      "connection": {
-        "filename": "/data/database.sqlite"
-      }
-    }
-  }
-}
-```
-
-Once you've created your configuration file it's easy to mount it in the docker container.
-
-**Note:** After the first run of the application, the config file will be altered to include generated encryption keys unique to your installation. These keys
-affect the login and session management of the application. If these keys change for any reason, all users will be logged out.
-
-
 ### MySQL Database
 
 If you opt for the MySQL configuration you will have to provide the database server yourself. You can also use MariaDB. Here are the minimum supported versions:
@@ -61,7 +16,6 @@ When using a `mariadb` database, the NPM configuration file should still use the
 
 :::
 
-
 ### Running the App
 
 Via `docker-compose`:
@@ -70,7 +24,7 @@ Via `docker-compose`:
 version: "3"
 services:
   app:
-    image: jc21/nginx-proxy-manager:2
+    image: 'jc21/nginx-proxy-manager:latest'
     restart: always
     ports:
       # Public HTTP Port:
@@ -80,11 +34,18 @@ services:
       # Admin Web Port:
       - '81:81'
     environment:
+      # These are the settings to access your db
+      DB_MYSQL_HOST: "db"
+      DB_MYSQL_PORT: 3306
+      DB_MYSQL_USER: "npm"
+      DB_MYSQL_PASSWORD: "npm"
+      DB_MYSQL_NAME: "npm"
+      # If you would rather use Sqlite uncomment this
+      # and remove all DB_MYSQL_* lines above
+      # DB_SQLITE_FILE: "/data/database.sqlite"
       # Uncomment this if IPv6 is not enabled on your host
       # DISABLE_IPV6: 'true'
     volumes:
-      # Make sure this config.json file exists as per instructions above:
-      - ./config.json:/app/config/production.json
       - ./data:/data
       - ./letsencrypt:/etc/letsencrypt
     depends_on:
@@ -101,14 +62,14 @@ services:
       - ./data/mysql:/var/lib/mysql
 ```
 
+_Please note, that `DB_MYSQL_*` environment variables will take precedent over `DB_SQLITE_*` variables. So if you keep the MySQL variables, you will not be able to use Sqlite._
+
 Then:
 
 ```bash
 docker-compose up -d
 ```
 
-The config file (config.json) must be present in this directory.
-
 ### Running on Raspberry PI / ARM devices
 
 The docker images support the following architectures:
@@ -146,3 +107,49 @@ Password: changeme
 ```
 
 Immediately after logging in with this default user you will be asked to modify your details and change your password.
+
+### Configuration File
+
+::: warning
+
+This section is meant for advanced users
+
+:::
+
+If you would like more control over the database settings you can define a custom config JSON file.
+
+
+Here's an example for `sqlite` configuration as it is generated from the environment variables:
+
+```json
+{
+  "database": {
+    "engine": "knex-native",
+    "knex": {
+      "client": "sqlite3",
+      "connection": {
+        "filename": "/data/database.sqlite"
+      }
+    }
+  }
+}
+```
+
+You can modify the `knex` object with your custom configuration, but note that not all knex clients might be installed in the image.
+
+Once you've created your configuration file you can mount it to `/app/config/production.json` inside you container using:
+
+```
+[...]
+services:
+  app:
+    image: 'jc21/nginx-proxy-manager:latest'
+    [...]
+    volumes:
+      - ./config.json:/app/config/production.json
+      [...]
+[...]
+```
+
+**Note:** After the first run of the application, the config file will be altered to include generated encryption keys unique to your installation.
+These keys affect the login and session management of the application. If these keys change for any reason, all users will be logged out.

docs/yarn.lock

@@ -5125,9 +5125,9 @@ inherits@2.0.3:
   integrity sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=
 
 ini@^1.3.5, ini@~1.3.0:
-  version "1.3.5"
-  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
-  integrity sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==
+  version "1.3.8"
+  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.8.tgz#a29da425b48806f34767a4efce397269af28432c"
+  integrity sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==
 
 internal-ip@^4.3.0:
   version "4.3.0"
@@ -6584,10 +6584,10 @@ node-forge@0.9.0:
   resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.9.0.tgz#d624050edbb44874adca12bb9a52ec63cb782579"
   integrity sha512-7ASaDa3pD+lJ3WvXFsxekJQelBKRpne+GOVbLbtHYdd7pFspyeuJHnWfLplGf3SwKGbfs/aYl5V/JCIaHVUKKQ==
 
-node-forge@^0.9.1:
-  version "0.9.1"
-  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.9.1.tgz#775368e6846558ab6676858a4d8c6e8d16c677b5"
-  integrity sha512-G6RlQt5Sb4GMBzXvhfkeFmbqR6MzhtnT7VTHuLadjkii3rdYHNdw0m8zA4BTxVIh68FicCQ2NSUANpsqkr9jvQ==
+node-forge@^0.10.0:
+  version "0.10.0"
+  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.10.0.tgz#32dea2afb3e9926f02ee5ce8794902691a676bf3"
+  integrity sha512-PPmu8eEeG9saEUvI97fm4OYxXVB6bFvyNTyiUOBichBpFG8A1Ljw3bY62+5oOjDEMHRnd0Y7HQ+x7uzxOzC6JA==
 
 node-libs-browser@^2.2.1:
   version "2.2.1"
@@ -7679,9 +7679,9 @@ pretty-time@^1.1.0:
   integrity sha512-28iF6xPQrP8Oa6uxE6a1biz+lWeTOAPKggvjB8HAs6nVMKZwf5bG++632Dx614hIWgUPkgivRfG+a8uAXGTIbA==
 
 prismjs@^1.13.0, prismjs@^1.20.0:
-  version "1.20.0"
-  resolved "https://registry.yarnpkg.com/prismjs/-/prismjs-1.20.0.tgz#9b685fc480a3514ee7198eac6a3bf5024319ff03"
-  integrity sha512-AEDjSrVNkynnw6A+B1DsFkd6AVdTnp+/WoUixFRULlCLZVRZlVQMVWio/16jv7G1FscUxQxOQhWwApgbnxr6kQ==
+  version "1.21.0"
+  resolved "https://registry.yarnpkg.com/prismjs/-/prismjs-1.21.0.tgz#36c086ec36b45319ec4218ee164c110f9fc015a3"
+  integrity sha512-uGdSIu1nk3kej2iZsLyDoJ7e9bnPzIgY0naW/HdknGj61zScaprVEVGHrPoXqI+M9sP0NDnTK2jpkvmldpuqDw==
   optionalDependencies:
     clipboard "^2.0.0"
 

frontend/js/app/api.js

@@ -53,7 +53,7 @@ function fetch(verb, path, data, options) {
             contentType: options.contentType || 'application/json; charset=UTF-8',
             processData: options.processData || true,
             crossDomain: true,
-            timeout:     options.timeout ? options.timeout : 30000,
+            timeout:     options.timeout ? options.timeout : 180000,
             xhrFields:   {
                 withCredentials: true
             },
@@ -139,7 +139,11 @@ function FileUpload(path, fd) {
         xhr.onreadystatechange = function () {
             if (this.readyState === XMLHttpRequest.DONE) {
                 if (xhr.status !== 200 && xhr.status !== 201) {
-                    reject(new Error('Upload failed: ' + xhr.status));
+                    try {
+                        reject(new Error('Upload failed: ' + JSON.parse(xhr.responseText).error.message));
+                    } catch (err) {
+                        reject(new Error('Upload failed: ' + xhr.status));
+                    }  
                 } else {
                     resolve(xhr.responseText);
                 }
@@ -587,7 +591,9 @@ module.exports = {
              * @param {Object}  data
              */
             create: function (data) {
-                return fetch('post', 'nginx/certificates', data);
+
+                const timeout = 180000 + (data && data.meta && data.meta.propagation_seconds ? Number(data.meta.propagation_seconds) * 1000 : 0);
+                return fetch('post', 'nginx/certificates', data, {timeout});
             },
 
             /**
@@ -630,8 +636,8 @@ module.exports = {
              * @param   {Number}  id
              * @returns {Promise}
              */
-            renew: function (id) {
-                return fetch('post', 'nginx/certificates/' + id + '/renew');
+            renew: function (id, timeout = 180000) {
+                return fetch('post', 'nginx/certificates/' + id + '/renew', undefined, {timeout});
             }
         }
     },

frontend/js/app/nginx/access/form.ejs

@@ -31,6 +31,16 @@
                                 </label>
                             </div>
                         </div>
+
+                        <div class="col-sm-6 col-md-6">
+                            <div class="form-group">
+                                <label class="custom-switch">
+                                    <input type="checkbox" class="custom-switch-input" name="pass_auth" value="1"<%- typeof pass_auth !== 'undefined' && pass_auth ? ' checked' : '' %>>
+                                    <span class="custom-switch-indicator"></span>
+                                    <span class="custom-switch-description"><%- i18n('access-lists', 'pass-auth') %></span>
+                                </label>
+                            </div>
+                        </div>
                     </div>
                 </div>
 

frontend/js/app/nginx/access/form.js

@@ -73,6 +73,7 @@ module.exports = Mn.View.extend({
             let data = {
                 name:       form_data.name,
                 satisfy_any: !!form_data.satisfy_any,
+                pass_auth: !!form_data.pass_auth,
                 items:      items_data,
                 clients:    clients_data
             };

frontend/js/app/nginx/certificates/delete.js

@@ -16,6 +16,8 @@ module.exports = Mn.View.extend({
     events: {
         'click @ui.save': function (e) {
             e.preventDefault();
+            this.ui.save.addClass('btn-loading');
+            this.ui.buttons.prop('disabled', true).addClass('btn-disabled');
 
             App.Api.Nginx.Certificates.delete(this.model.get('id'))
                 .then(() => {
@@ -25,6 +27,7 @@ module.exports = Mn.View.extend({
                 .catch(err => {
                     alert(err.message);
                     this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
+                    this.ui.save.removeClass('btn-loading');
                 });
         }
     }

frontend/js/app/nginx/certificates/form.ejs

@@ -1,10 +1,15 @@
 <div class="modal-content">
     <div class="modal-header">
         <h5 class="modal-title"><%- i18n('certificates', 'form-title', {provider: provider}) %></h5>
-        <button type="button" class="close cancel" aria-label="Close" data-dismiss="modal">&nbsp;</button>
+        <button type="button" class="close cancel non-loader-content" aria-label="Close" data-dismiss="modal">&nbsp;</button>
     </div>
     <div class="modal-body">
-        <form>
+        <div class="alert alert-danger mb-0 rounded-0" id="le-error-info" role="alert"></div>
+        <div class="text-center loader-content">
+            <div class="loader mx-auto my-6"></div>
+            <p><%- i18n('ssl', 'processing-info') %></p>
+        </div>
+        <form class="non-loader-content">
             <div class="row">
                 <% if (provider === 'letsencrypt') { %>
                     <div class="col-sm-12 col-md-12">
@@ -20,6 +25,99 @@
                             <input name="meta[letsencrypt_email]" type="email" class="form-control" placeholder="" value="<%- getLetsencryptEmail() %>" required>
                         </div>
                     </div>
+
+                    <!-- DNS challenge -->
+                    <div class="col-sm-12 col-md-12">
+                        <div class="form-group">
+                            <label class="custom-switch">
+                                <input 
+                                    type="checkbox" 
+                                    class="custom-switch-input" 
+                                    name="meta[dns_challenge]" 
+                                    value="1" 
+                                    <%- getUseDnsChallenge() ? 'checked' : '' %>
+                                >
+                                <span class="custom-switch-indicator"></span>
+                                <span class="custom-switch-description"><%= i18n('ssl', 'dns-challenge') %></span>
+                            </label>
+                        </div>
+                    </div>
+                    <div class="col-sm-12 col-md-12">
+                        <fieldset class="form-fieldset dns-challenge">
+                            <div class="text-red mb-4"><i class="fe fe-alert-triangle"></i> <%= i18n('ssl', 'certbot-warning') %></div>
+
+                            <!-- Certbot DNS plugin selection -->
+                            <div class="row">
+                                <div class="col-sm-12 col-md-12">
+                                    <div class="form-group">
+                                        <label class="form-label"><%- i18n('ssl', 'dns-provider') %> <span class="form-required">*</span></label>
+                                        <select 
+                                            name="meta[dns_provider]" 
+                                            id="dns_provider"
+                                            class="form-control custom-select"
+                                        >
+                                            <option 
+                                                value="" 
+                                                disabled 
+                                                hidden
+                                                <%- getDnsProvider() === null ? 'selected' : '' %>
+                                            >Please Choose...</option>
+                                            <% _.each(dns_plugins, function(plugin_info, plugin_name){ %>
+                                            <option 
+                                                value="<%- plugin_name %>"
+                                                <%- getDnsProvider() === plugin_name ? 'selected' : '' %>
+                                            ><%- plugin_info.display_name %></option>
+                                            <% }); %>
+                                        </select>
+                                    </div>
+                                </div>
+                            </div>
+
+                            <!-- Certbot credentials file content -->
+                            <div class="row credentials-file-content">
+                                <div class="col-sm-12 col-md-12">
+                                    <div class="form-group">
+                                        <label class="form-label"><%- i18n('ssl', 'credentials-file-content') %> <span class="form-required">*</span></label>
+                                        <textarea 
+                                            name="meta[dns_provider_credentials]" 
+                                            class="form-control text-monospace" 
+                                            id="dns_provider_credentials" 
+                                        ><%- getDnsProviderCredentials() %></textarea>
+                                        <div class="text-secondary small">
+                                            <i class="fe fe-info"></i> 
+                                            <%= i18n('ssl', 'credentials-file-content-info') %>
+                                        </div>
+                                        <div class="text-red small">
+                                            <i class="fe fe-alert-triangle"></i> 
+                                            <%= i18n('ssl', 'stored-as-plaintext-info') %>
+                                        </div>
+                                    </div>
+                                </div>
+                            </div>
+
+                            <!-- DNS propagation delay -->
+                            <div class="row">
+                                <div class="col-sm-12 col-md-12">
+                                    <div class="form-group mb-0">
+                                        <label class="form-label"><%- i18n('ssl', 'propagation-seconds') %></label>
+                                        <input 
+                                            type="number"
+                                            min="0"
+                                            name="meta[propagation_seconds]" 
+                                            class="form-control" 
+                                            id="propagation_seconds" 
+                                            value="<%- getPropagationSeconds() %>"
+                                        >
+                                        <div class="text-secondary small">
+                                            <i class="fe fe-info"></i> 
+                                            <%= i18n('ssl', 'propagation-seconds-info') %>
+                                        </div>
+                                    </div>
+                                </div>
+                            </div>
+                        </fieldset>
+                    </div>
+
                     <div class="col-sm-12 col-md-12">
                         <div class="form-group">
                             <label class="custom-switch">
@@ -31,6 +129,9 @@
                     </div>
                 <% } else if (provider === 'other') { %>
                     <!-- Other -->
+                    <div class="col-sm-12 col-md-12">
+                        <div class="text-blue mb-4"><i class="fe fe-alert-triangle"></i> <%= i18n('ssl', 'passphrase-protection-support-info') %></div>
+                    </div>
                     <div class="col-sm-12 col-md-12">
                         <div class="form-group">
                             <label class="form-label"><%- i18n('str', 'name') %> <span class="form-required">*</span></label>
@@ -42,7 +143,7 @@
                             <div class="form-label"><%- i18n('certificates', 'other-certificate-key') %><span class="form-required">*</span></div>
                             <div class="custom-file">
                                 <input type="file" class="custom-file-input" name="meta[other_certificate_key]" id="other_certificate_key" required>
-                                <label class="custom-file-label"><%- i18n('str', 'choose-file') %></label>
+                                <label id="other_certificate_key_label" class="custom-file-label"><%- i18n('str', 'choose-file') %></label>
                             </div>
                         </div>
                     </div>
@@ -51,7 +152,7 @@
                             <div class="form-label"><%- i18n('certificates', 'other-certificate') %><span class="form-required">*</span></div>
                             <div class="custom-file">
                                 <input type="file" class="custom-file-input" name="meta[other_certificate]" id="other_certificate">
-                                <label class="custom-file-label"><%- i18n('str', 'choose-file') %></label>
+                                <label id="other_certificate_label" class="custom-file-label"><%- i18n('str', 'choose-file') %></label>
                             </div>
                         </div>
                     </div>
@@ -60,7 +161,7 @@
                             <div class="form-label"><%- i18n('certificates', 'other-intermediate-certificate') %></div>
                             <div class="custom-file">
                                 <input type="file" class="custom-file-input" name="meta[other_intermediate_certificate]" id="other_intermediate_certificate">
-                                <label class="custom-file-label"><%- i18n('str', 'choose-file') %></label>
+                                <label id="other_intermediate_certificate_label" class="custom-file-label"><%- i18n('str', 'choose-file') %></label>
                             </div>
                         </div>
                     </div>
@@ -69,7 +170,7 @@
             </div>
         </form>
     </div>
-    <div class="modal-footer">
+    <div class="modal-footer non-loader-content">
         <button type="button" class="btn btn-secondary cancel" data-dismiss="modal"><%- i18n('str', 'cancel') %></button>
         <button type="button" class="btn btn-teal save"><%- i18n('str', 'save') %></button>
     </div>

frontend/js/app/nginx/certificates/form.js

@@ -3,6 +3,8 @@ const Mn               = require('backbone.marionette');
 const App              = require('../../main');
 const CertificateModel = require('../../../models/certificate');
 const template         = require('./form.ejs');
+const i18n             = require('../../i18n');
+const dns_providers    = require('../../../../../global/certbot-dns-plugins');
 
 require('jquery-serializejson');
 require('selectize');
@@ -13,42 +15,105 @@ module.exports = Mn.View.extend({
     max_file_size: 102400,
 
     ui: {
-        form:                           'form',
-        domain_names:                   'input[name="domain_names"]',
-        buttons:                        '.modal-footer button',
-        cancel:                         'button.cancel',
-        save:                           'button.save',
-        other_certificate:              '#other_certificate',
-        other_certificate_key:          '#other_certificate_key',
-        other_intermediate_certificate: '#other_intermediate_certificate'
+        form:                                 'form',
+        loader_content:                       '.loader-content',
+        non_loader_content:                   '.non-loader-content',
+        le_error_info:                        '#le-error-info',
+        domain_names:                         'input[name="domain_names"]',
+        buttons:                              '.modal-footer button',
+        cancel:                               'button.cancel',
+        save:                                 'button.save',
+        other_certificate:                    '#other_certificate',
+        other_certificate_label:              '#other_certificate_label',
+        other_certificate_key:                '#other_certificate_key',
+        dns_challenge_switch:                 'input[name="meta[dns_challenge]"]',
+        dns_challenge_content:                '.dns-challenge',
+        dns_provider:                         'select[name="meta[dns_provider]"]',
+        credentials_file_content:             '.credentials-file-content',
+        dns_provider_credentials:             'textarea[name="meta[dns_provider_credentials]"]',
+        propagation_seconds:                  'input[name="meta[propagation_seconds]"]',
+        other_certificate_key_label:          '#other_certificate_key_label',
+        other_intermediate_certificate:       '#other_intermediate_certificate',
+        other_intermediate_certificate_label: '#other_intermediate_certificate_label'
     },
-
+    
     events: {
+        'change @ui.dns_challenge_switch': function () {
+            const checked = this.ui.dns_challenge_switch.prop('checked');
+            if (checked) {
+                this.ui.dns_provider.prop('required', 'required');
+                const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value;
+                if(selected_provider != '' && dns_providers[selected_provider].credentials !== false){
+                    this.ui.dns_provider_credentials.prop('required', 'required');
+                }
+                this.ui.dns_challenge_content.show();
+            } else {
+                this.ui.dns_provider.prop('required', false);
+                this.ui.dns_provider_credentials.prop('required', false);
+                this.ui.dns_challenge_content.hide();                
+            }
+        },
+
+        'change @ui.dns_provider': function () {
+            const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value;
+            if (selected_provider != '' && dns_providers[selected_provider].credentials !== false) {
+                this.ui.dns_provider_credentials.prop('required', 'required');
+                this.ui.dns_provider_credentials[0].value = dns_providers[selected_provider].credentials;
+                this.ui.credentials_file_content.show();
+            } else {
+                this.ui.dns_provider_credentials.prop('required', false);
+                this.ui.credentials_file_content.hide();                
+            }
+        },
+        
         'click @ui.save': function (e) {
             e.preventDefault();
+            this.ui.le_error_info.hide();
 
             if (!this.ui.form[0].checkValidity()) {
                 $('<input type="submit">').hide().appendTo(this.ui.form).click().remove();
+                $(this).removeClass('btn-loading');
                 return;
             }
 
-            let view      = this;
             let data      = this.ui.form.serializeJSON();
             data.provider = this.model.get('provider');
-
-            // Manipulate
-            if (typeof data.meta !== 'undefined' && typeof data.meta.letsencrypt_agree !== 'undefined') {
-                data.meta.letsencrypt_agree = !!data.meta.letsencrypt_agree;
-            }
-
-            if (typeof data.domain_names === 'string' && data.domain_names) {
-                data.domain_names = data.domain_names.split(',');
-            }
-
             let ssl_files = [];
 
-            // check files are attached
-            if (this.model.get('provider') === 'other' && !this.model.hasSslFiles()) {
+            if (data.provider === 'letsencrypt') {
+                if (typeof data.meta === 'undefined') data.meta = {};
+
+                let domain_err = false;
+                if (!data.meta.dns_challenge) {                
+                    data.domain_names.split(',').map(function (name) {
+                        if (name.match(/\*/im)) {
+                            domain_err = true;
+                        }
+                    });
+                }
+
+                if (domain_err) {
+                    alert(i18n('ssl', 'no-wildcard-without-dns'));
+                    return;
+                }
+
+                // Manipulate
+                data.meta.letsencrypt_agree = data.meta.letsencrypt_agree == 1;
+                data.meta.dns_challenge = data.meta.dns_challenge == 1;
+
+                if(!data.meta.dns_challenge){
+                    data.meta.dns_provider = undefined;
+                    data.meta.dns_provider_credentials = undefined;
+                    data.meta.propagation_seconds = undefined;
+                } else {
+                    if(data.meta.propagation_seconds === '') data.meta.propagation_seconds = undefined; 
+                }
+
+                if (typeof data.domain_names === 'string' && data.domain_names) {
+                    data.domain_names = data.domain_names.split(',');
+                }
+            } else if (data.provider === 'other' && !this.model.hasSslFiles()) {
+                // check files are attached
                 if (!this.ui.other_certificate[0].files.length || !this.ui.other_certificate[0].files[0].size) {
                     alert('Certificate file is not attached');
                     return;
@@ -80,18 +145,19 @@ module.exports = Mn.View.extend({
                 }
             }
 
-            this.ui.buttons.prop('disabled', true).addClass('btn-disabled');
+            this.ui.loader_content.show();
+            this.ui.non_loader_content.hide();
 
             // compile file data
             let form_data = new FormData();
-            if (view.model.get('provider') && ssl_files.length) {
+            if (data.provider === 'other' && ssl_files.length) {
                 ssl_files.map(function (file) {
                     form_data.append(file.name, file.file);
                 });
             }
 
             new Promise(resolve => {
-                if (view.model.get('provider') === 'other') {
+                if (data.provider === 'other') {
                     resolve(App.Api.Nginx.Certificates.validate(form_data));
                 } else {
                     resolve();
@@ -101,13 +167,13 @@ module.exports = Mn.View.extend({
                     return App.Api.Nginx.Certificates.create(data);
                 })
                 .then(result => {
-                    view.model.set(result);
+                    this.model.set(result);
 
                     // Now upload the certs if we need to
-                    if (view.model.get('provider') === 'other') {
-                        return App.Api.Nginx.Certificates.upload(view.model.get('id'), form_data)
+                    if (data.provider === 'other') {
+                        return App.Api.Nginx.Certificates.upload(this.model.get('id'), form_data)
                             .then(result => {
-                                view.model.set('meta', _.assign({}, view.model.get('meta'), result));
+                                this.model.set('meta', _.assign({}, this.model.get('meta'), result));
                             });
                     }
                 })
@@ -117,20 +183,52 @@ module.exports = Mn.View.extend({
                     });
                 })
                 .catch(err => {
-                    alert(err.message);
-                    this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
+                    let more_info = '';
+                    if (err.code === 500 && err.debug) {
+                        try{
+                            more_info = JSON.parse(err.debug).debug.stack.join("\n");
+                        } catch(e) {}
+                    }
+                    this.ui.le_error_info[0].innerHTML = `${err.message}${more_info !== '' ? `<pre class="mt-3">${more_info}</pre>`:''}`;
+                    this.ui.le_error_info.show();
+                    this.ui.le_error_info[0].scrollIntoView();
+                    this.ui.loader_content.hide();
+                    this.ui.non_loader_content.show();
                 });
+        },
+        'change @ui.other_certificate_key': function(e){
+            this.setFileName("other_certificate_key_label", e)
+        },
+        'change @ui.other_certificate': function(e){
+            this.setFileName("other_certificate_label", e)
+        },
+        'change @ui.other_intermediate_certificate': function(e){
+            this.setFileName("other_intermediate_certificate_label", e)
         }
     },
-
+    setFileName(ui, e){
+        this.getUI(ui).text(e.target.files[0].name)
+    },
     templateContext: {
         getLetsencryptEmail: function () {
             return typeof this.meta.letsencrypt_email !== 'undefined' ? this.meta.letsencrypt_email : App.Cache.User.get('email');
         },
-
         getLetsencryptAgree: function () {
             return typeof this.meta.letsencrypt_agree !== 'undefined' ? this.meta.letsencrypt_agree : false;
-        }
+        },
+        getUseDnsChallenge: function () {
+            return typeof this.meta.dns_challenge !== 'undefined' ? this.meta.dns_challenge : false;
+        },
+        getDnsProvider: function () {
+            return typeof this.meta.dns_provider !== 'undefined' && this.meta.dns_provider != '' ? this.meta.dns_provider : null;
+        },
+        getDnsProviderCredentials: function () {
+            return typeof this.meta.dns_provider_credentials !== 'undefined' ? this.meta.dns_provider_credentials : '';
+        },
+        getPropagationSeconds: function () {
+            return typeof this.meta.propagation_seconds !== 'undefined' ? this.meta.propagation_seconds : '';
+        },
+        dns_plugins: dns_providers,
     },
 
     onRender: function () {
@@ -144,8 +242,12 @@ module.exports = Mn.View.extend({
                     text:  input
                 };
             },
-            createFilter: /^(?:[^.*]+\.?)+[^.]$/
+            createFilter: /^(?:[^.]+\.?)+[^.]$/
         });
+        this.ui.dns_challenge_content.hide();
+        this.ui.credentials_file_content.hide(); 
+        this.ui.loader_content.hide();
+        this.ui.le_error_info.hide();
     },
 
     initialize: function (options) {

frontend/js/app/nginx/certificates/list/item.ejs

@@ -28,7 +28,7 @@
     </div>
 </td>
 <td>
-    <%- i18n('ssl', provider) %>
+    <%- i18n('ssl', provider) %><% if (meta.dns_provider) { %> - <%- dns_providers[meta.dns_provider].display_name %><% } %>
 </td>
 <td class="<%- isExpired() ? 'text-danger' : '' %>">
     <%- formatDbDate(expires_on, 'Do MMMM YYYY, h:mm a') %>

frontend/js/app/nginx/certificates/list/item.js

@@ -1,7 +1,8 @@
-const Mn       = require('backbone.marionette');
-const moment   = require('moment');
-const App      = require('../../../main');
-const template = require('./item.ejs');
+const Mn            = require('backbone.marionette');
+const moment        = require('moment');
+const App           = require('../../../main');
+const template      = require('./item.ejs');
+const dns_providers = require('../../../../../../global/certbot-dns-plugins')
 
 module.exports = Mn.View.extend({
     template: template,
@@ -35,7 +36,8 @@ module.exports = Mn.View.extend({
         canManage: App.Cache.User.canManage('certificates'),
         isExpired: function () {
             return moment(this.expires_on).isBefore(moment());
-        }
+        },
+        dns_providers: dns_providers
     },
 
     initialize: function () {

frontend/js/app/nginx/dead/form.ejs

@@ -4,6 +4,7 @@
         <button type="button" class="close cancel" aria-label="Close" data-dismiss="modal">&nbsp;</button>
     </div>
     <div class="modal-body has-tabs">
+        <div class="alert alert-danger mb-0 rounded-0" id="le-error-info" role="alert"></div>
         <form>
             <ul class="nav nav-tabs" role="tablist">
                 <li role="presentation" class="nav-item"><a href="#details" aria-controls="tab1" role="tab" data-toggle="tab" class="nav-link active"><i class="fe fe-zap"></i> <%- i18n('all-hosts', 'details') %></a></li>
@@ -73,6 +74,98 @@
                             </div>
                         </div>
 
+                        <!-- DNS challenge -->
+                        <div class="col-sm-12 col-md-12 letsencrypt">
+                            <div class="form-group">
+                                <label class="custom-switch">
+                                    <input 
+                                        type="checkbox" 
+                                        class="custom-switch-input" 
+                                        name="meta[dns_challenge]" 
+                                        value="1" 
+                                        <%- getUseDnsChallenge() ? 'checked' : '' %>
+                                    >
+                                    <span class="custom-switch-indicator"></span>
+                                    <span class="custom-switch-description"><%= i18n('ssl', 'dns-challenge') %></span>
+                                </label>
+                            </div>
+                        </div>
+                        <div class="col-sm-12 col-md-12 letsencrypt">
+                            <fieldset class="form-fieldset dns-challenge">
+                                <div class="text-red mb-4"><i class="fe fe-alert-triangle"></i> <%= i18n('ssl', 'certbot-warning') %></div>
+
+                                <!-- Certbot DNS plugin selection -->
+                                <div class="row">
+                                    <div class="col-sm-12 col-md-12">
+                                        <div class="form-group">
+                                            <label class="form-label"><%- i18n('ssl', 'dns-provider') %> <span class="form-required">*</span></label>
+                                            <select 
+                                                name="meta[dns_provider]" 
+                                                id="dns_provider"
+                                                class="form-control custom-select"
+                                            >
+                                                <option 
+                                                    value="" 
+                                                    disabled 
+                                                    hidden
+                                                    <%- getDnsProvider() === null ? 'selected' : '' %>
+                                                >Please Choose...</option>
+                                                <% _.each(dns_plugins, function(plugin_info, plugin_name){ %>
+                                                <option 
+                                                    value="<%- plugin_name %>"
+                                                    <%- getDnsProvider() === plugin_name ? 'selected' : '' %>
+                                                ><%- plugin_info.display_name %></option>
+                                                <% }); %>
+                                            </select>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <!-- Certbot credentials file content -->
+                                <div class="row credentials-file-content">
+                                    <div class="col-sm-12 col-md-12">
+                                        <div class="form-group">
+                                            <label class="form-label"><%- i18n('ssl', 'credentials-file-content') %> <span class="form-required">*</span></label>
+                                            <textarea 
+                                                name="meta[dns_provider_credentials]" 
+                                                class="form-control text-monospace" 
+                                                id="dns_provider_credentials" 
+                                            ><%- getDnsProviderCredentials() %></textarea>
+                                            <div class="text-secondary small">
+                                                <i class="fe fe-info"></i> 
+                                                <%= i18n('ssl', 'credentials-file-content-info') %>
+                                            </div>
+                                            <div class="text-red small">
+                                                <i class="fe fe-alert-triangle"></i> 
+                                                <%= i18n('ssl', 'stored-as-plaintext-info') %>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <!-- DNS propagation delay -->
+                                <div class="row">
+                                    <div class="col-sm-12 col-md-12">
+                                        <div class="form-group mb-0">
+                                            <label class="form-label"><%- i18n('ssl', 'propagation-seconds') %></label>
+                                            <input 
+                                                type="number"
+                                                min="0"
+                                                name="meta[propagation_seconds]" 
+                                                class="form-control" 
+                                                id="propagation_seconds" 
+                                                value="<%- getPropagationSeconds() %>"
+                                            >
+                                            <div class="text-secondary small">
+                                                <i class="fe fe-info"></i> 
+                                                <%= i18n('ssl', 'propagation-seconds-info') %>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+                            </fieldset>
+                        </div>
+
                         <!-- Lets encrypt -->
                         <div class="col-sm-12 col-md-12 letsencrypt">
                             <div class="form-group">

frontend/js/app/nginx/dead/form.js

@@ -4,6 +4,8 @@ const DeadHostModel        = require('../../../models/dead-host');
 const template             = require('./form.ejs');
 const certListItemTemplate = require('../certificates-list-item.ejs');
 const Helpers              = require('../../../lib/helpers');
+const i18n                 = require('../../i18n');
+const dns_providers        = require('../../../../../global/certbot-dns-plugins');
 
 require('jquery-serializejson');
 require('selectize');
@@ -13,17 +15,24 @@ module.exports = Mn.View.extend({
     className: 'modal-dialog',
 
     ui: {
-        form:               'form',
-        domain_names:       'input[name="domain_names"]',
-        buttons:            '.modal-footer button',
-        cancel:             'button.cancel',
-        save:               'button.save',
-        certificate_select: 'select[name="certificate_id"]',
-        ssl_forced:         'input[name="ssl_forced"]',
-        hsts_enabled:       'input[name="hsts_enabled"]',
-        hsts_subdomains:    'input[name="hsts_subdomains"]',
-        http2_support:      'input[name="http2_support"]',
-        letsencrypt:        '.letsencrypt'
+        form:                     'form',
+        domain_names:             'input[name="domain_names"]',
+        buttons:                  '.modal-footer button',
+        cancel:                   'button.cancel',
+        save:                     'button.save',
+        le_error_info:            '#le-error-info',
+        certificate_select:       'select[name="certificate_id"]',
+        ssl_forced:               'input[name="ssl_forced"]',
+        hsts_enabled:             'input[name="hsts_enabled"]',
+        hsts_subdomains:          'input[name="hsts_subdomains"]',
+        http2_support:            'input[name="http2_support"]',
+        dns_challenge_switch:     'input[name="meta[dns_challenge]"]',
+        dns_challenge_content:    '.dns-challenge',
+        dns_provider:             'select[name="meta[dns_provider]"]',
+        credentials_file_content: '.credentials-file-content',
+        dns_provider_credentials: 'textarea[name="meta[dns_provider_credentials]"]',
+        propagation_seconds:      'input[name="meta[propagation_seconds]"]',
+        letsencrypt:              '.letsencrypt'
     },
 
     events: {
@@ -31,10 +40,12 @@ module.exports = Mn.View.extend({
             let id = this.ui.certificate_select.val();
             if (id === 'new') {
                 this.ui.letsencrypt.show().find('input').prop('disabled', false);
+                this.ui.dns_challenge_content.hide();
             } else {
                 this.ui.letsencrypt.hide().find('input').prop('disabled', true);
             }
 
+
             let enabled = id === 'new' || parseInt(id, 10) > 0;
 
             let inputs = this.ui.ssl_forced.add(this.ui.http2_support);
@@ -76,8 +87,37 @@ module.exports = Mn.View.extend({
             }
         },
 
+        'change @ui.dns_challenge_switch': function () {
+            const checked = this.ui.dns_challenge_switch.prop('checked');
+            if (checked) {
+                this.ui.dns_provider.prop('required', 'required');
+                const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value;
+                if(selected_provider != '' && dns_providers[selected_provider].credentials !== false){
+                    this.ui.dns_provider_credentials.prop('required', 'required');
+                }
+                this.ui.dns_challenge_content.show();
+            } else {
+                this.ui.dns_provider.prop('required', false);
+                this.ui.dns_provider_credentials.prop('required', false);
+                this.ui.dns_challenge_content.hide();                
+            }
+        },
+
+        'change @ui.dns_provider': function () {
+            const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value;
+            if (selected_provider != '' && dns_providers[selected_provider].credentials !== false) {
+                this.ui.dns_provider_credentials.prop('required', 'required');
+                this.ui.dns_provider_credentials[0].value = dns_providers[selected_provider].credentials;
+                this.ui.credentials_file_content.show();
+            } else {
+                this.ui.dns_provider_credentials.prop('required', false);
+                this.ui.credentials_file_content.hide();                
+            }
+        },
+
         'click @ui.save': function (e) {
             e.preventDefault();
+            this.ui.le_error_info.hide();
 
             if (!this.ui.form[0].checkValidity()) {
                 $('<input type="submit">').hide().appendTo(this.ui.form).click().remove();
@@ -88,30 +128,42 @@ module.exports = Mn.View.extend({
             let data = this.ui.form.serializeJSON();
 
             // Manipulate
-            data.hsts_enabled    = !!data.hsts_enabled;
-            data.hsts_subdomains = !!data.hsts_subdomains;
-            data.http2_support   = !!data.http2_support;
-            data.ssl_forced      = !!data.ssl_forced;
+            data.hsts_enabled       = !!data.hsts_enabled;
+            data.hsts_subdomains    = !!data.hsts_subdomains;
+            data.http2_support      = !!data.http2_support;
+            data.ssl_forced         = !!data.ssl_forced;
+
+            if (typeof data.meta === 'undefined') data.meta = {};
+            data.meta.letsencrypt_agree = data.meta.letsencrypt_agree == 1;
+            data.meta.dns_challenge = data.meta.dns_challenge == 1;
+            
+            if(!data.meta.dns_challenge){
+                data.meta.dns_provider = undefined;
+                data.meta.dns_provider_credentials = undefined;
+                data.meta.propagation_seconds = undefined;
+            } else {
+                if(data.meta.propagation_seconds === '') data.meta.propagation_seconds = undefined; 
+            }
 
             if (typeof data.domain_names === 'string' && data.domain_names) {
                 data.domain_names = data.domain_names.split(',');
             }
 
             // Check for any domain names containing wildcards, which are not allowed with letsencrypt
-            if (data.certificate_id === 'new') {
+            if (data.certificate_id === 'new') {                
                 let domain_err = false;
-                data.domain_names.map(function (name) {
-                    if (name.match(/\*/im)) {
-                        domain_err = true;
-                    }
-                });
-
-                if (domain_err) {
-                    alert('Cannot request Let\'s Encrypt Certificate for wildcard domains');
-                    return;
+                if (!data.meta.dns_challenge) {
+                    data.domain_names.map(function (name) {
+                        if (name.match(/\*/im)) {
+                            domain_err = true;
+                        }
+                    });
                 }
 
-                data.meta.letsencrypt_agree = data.meta.letsencrypt_agree === '1';
+                if (domain_err) {
+                    alert(i18n('ssl', 'no-wildcard-without-dns'));
+                    return;
+                }
             } else {
                 data.certificate_id = parseInt(data.certificate_id, 10);
             }
@@ -127,6 +179,8 @@ module.exports = Mn.View.extend({
             }
 
             this.ui.buttons.prop('disabled', true).addClass('btn-disabled');
+            this.ui.save.addClass('btn-loading');
+
             method(data)
                 .then(result => {
                     view.model.set(result);
@@ -138,8 +192,17 @@ module.exports = Mn.View.extend({
                     });
                 })
                 .catch(err => {
-                    alert(err.message);
+                    let more_info = '';
+                    if(err.code === 500 && err.debug){
+                        try{
+                            more_info = JSON.parse(err.debug).debug.stack.join("\n");
+                        } catch(e) {}
+                    }
+                    this.ui.le_error_info[0].innerHTML = `${err.message}${more_info !== '' ? `<pre class="mt-3">${more_info}</pre>`:''}`;
+                    this.ui.le_error_info.show();
+                    this.ui.le_error_info[0].scrollIntoView();
                     this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
+                    this.ui.save.removeClass('btn-loading');
                 });
         }
     },
@@ -147,7 +210,20 @@ module.exports = Mn.View.extend({
     templateContext: {
         getLetsencryptEmail: function () {
             return App.Cache.User.get('email');
-        }
+        },
+        getUseDnsChallenge: function () {
+            return typeof this.meta.dns_challenge !== 'undefined' ? this.meta.dns_challenge : false;
+        },
+        getDnsProvider: function () {
+            return typeof this.meta.dns_provider !== 'undefined' && this.meta.dns_provider != '' ? this.meta.dns_provider : null;
+        },
+        getDnsProviderCredentials: function () {
+            return typeof this.meta.dns_provider_credentials !== 'undefined' ? this.meta.dns_provider_credentials : '';
+        },
+        getPropagationSeconds: function () {
+            return typeof this.meta.propagation_seconds !== 'undefined' ? this.meta.propagation_seconds : '';
+        },
+        dns_plugins: dns_providers,
     },
 
     onRender: function () {
@@ -168,6 +244,9 @@ module.exports = Mn.View.extend({
         });
 
         // Certificates
+        this.ui.le_error_info.hide();
+        this.ui.dns_challenge_content.hide();
+        this.ui.credentials_file_content.hide();
         this.ui.letsencrypt.hide();
         this.ui.certificate_select.selectize({
             valueField:       'id',

frontend/js/app/nginx/proxy/form.ejs

@@ -4,6 +4,7 @@
         <button type="button" class="close cancel" aria-label="Close" data-dismiss="modal">&nbsp;</button>
     </div>
     <div class="modal-body has-tabs">
+        <div class="alert alert-danger mb-0 rounded-0" id="le-error-info" role="alert"></div>
         <form>
             <ul class="nav nav-tabs" role="tablist">
                 <li role="presentation" class="nav-item"><a href="#details" aria-controls="tab1" role="tab" data-toggle="tab" class="nav-link active"><i class="fe fe-zap"></i> <%- i18n('all-hosts', 'details') %></a></li>
@@ -141,6 +142,98 @@
                             </div>
                         </div>
 
+                        <!-- DNS challenge -->
+                        <div class="col-sm-12 col-md-12 letsencrypt">
+                            <div class="form-group">
+                                <label class="custom-switch">
+                                    <input 
+                                        type="checkbox" 
+                                        class="custom-switch-input" 
+                                        name="meta[dns_challenge]" 
+                                        value="1" 
+                                        <%- getUseDnsChallenge() ? 'checked' : '' %>
+                                    >
+                                    <span class="custom-switch-indicator"></span>
+                                    <span class="custom-switch-description"><%= i18n('ssl', 'dns-challenge') %></span>
+                                </label>
+                            </div>
+                        </div>
+                        <div class="col-sm-12 col-md-12 letsencrypt">
+                            <fieldset class="form-fieldset dns-challenge">
+                                <div class="text-red mb-4"><i class="fe fe-alert-triangle"></i> <%= i18n('ssl', 'certbot-warning') %></div>
+
+                                <!-- Certbot DNS plugin selection -->
+                                <div class="row">
+                                    <div class="col-sm-12 col-md-12">
+                                        <div class="form-group">
+                                            <label class="form-label"><%- i18n('ssl', 'dns-provider') %> <span class="form-required">*</span></label>
+                                            <select 
+                                                name="meta[dns_provider]" 
+                                                id="dns_provider"
+                                                class="form-control custom-select"
+                                            >
+                                                <option 
+                                                    value="" 
+                                                    disabled 
+                                                    hidden
+                                                    <%- getDnsProvider() === null ? 'selected' : '' %>
+                                                >Please Choose...</option>
+                                                <% _.each(dns_plugins, function(plugin_info, plugin_name){ %>
+                                                <option 
+                                                    value="<%- plugin_name %>"
+                                                    <%- getDnsProvider() === plugin_name ? 'selected' : '' %>
+                                                ><%- plugin_info.display_name %></option>
+                                                <% }); %>
+                                            </select>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <!-- Certbot credentials file content -->
+                                <div class="row credentials-file-content">
+                                    <div class="col-sm-12 col-md-12">
+                                        <div class="form-group">
+                                            <label class="form-label"><%- i18n('ssl', 'credentials-file-content') %> <span class="form-required">*</span></label>
+                                            <textarea 
+                                                name="meta[dns_provider_credentials]" 
+                                                class="form-control text-monospace" 
+                                                id="dns_provider_credentials" 
+                                            ><%- getDnsProviderCredentials() %></textarea>
+                                            <div class="text-secondary small">
+                                                <i class="fe fe-info"></i> 
+                                                <%= i18n('ssl', 'credentials-file-content-info') %>
+                                            </div>
+                                            <div class="text-red small">
+                                                <i class="fe fe-alert-triangle"></i> 
+                                                <%= i18n('ssl', 'stored-as-plaintext-info') %>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <!-- DNS propagation delay -->
+                                <div class="row">
+                                    <div class="col-sm-12 col-md-12">
+                                        <div class="form-group mb-0">
+                                            <label class="form-label"><%- i18n('ssl', 'propagation-seconds') %></label>
+                                            <input 
+                                                type="number"
+                                                min="0"
+                                                name="meta[propagation_seconds]" 
+                                                class="form-control" 
+                                                id="propagation_seconds" 
+                                                value="<%- getPropagationSeconds() %>"
+                                            >
+                                            <div class="text-secondary small">
+                                                <i class="fe fe-info"></i> 
+                                                <%= i18n('ssl', 'propagation-seconds-info') %>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+                            </fieldset>
+                        </div>
+
                         <!-- Lets encrypt -->
                         <div class="col-sm-12 col-md-12 letsencrypt">
                             <div class="form-group">

frontend/js/app/nginx/proxy/form.js

@@ -7,6 +7,8 @@ const certListItemTemplate   = require('../certificates-list-item.ejs');
 const accessListItemTemplate = require('./access-list-item.ejs');
 const CustomLocation         = require('./location');
 const Helpers                = require('../../../lib/helpers');
+const i18n                   = require('../../i18n');
+const dns_providers          = require('../../../../../global/certbot-dns-plugins');
 
 
 require('jquery-serializejson');
@@ -19,22 +21,29 @@ module.exports = Mn.View.extend({
     locationsCollection: new ProxyLocationModel.Collection(),
 
     ui: {
-        form:               'form',
-        domain_names:       'input[name="domain_names"]',
-        forward_host:       'input[name="forward_host"]',
-        buttons:            '.modal-footer button',
-        cancel:             'button.cancel',
-        save:               'button.save',
-        add_location_btn:   'button.add_location',
-        locations_container:'.locations_container',
-        certificate_select: 'select[name="certificate_id"]',
-        access_list_select: 'select[name="access_list_id"]',
-        ssl_forced:         'input[name="ssl_forced"]',
-        hsts_enabled:       'input[name="hsts_enabled"]',
-        hsts_subdomains:    'input[name="hsts_subdomains"]',
-        http2_support:      'input[name="http2_support"]',
-        forward_scheme:     'select[name="forward_scheme"]',
-        letsencrypt:        '.letsencrypt'
+        form:                     'form',
+        domain_names:             'input[name="domain_names"]',
+        forward_host:             'input[name="forward_host"]',
+        buttons:                  '.modal-footer button',
+        cancel:                   'button.cancel',
+        save:                     'button.save',
+        add_location_btn:         'button.add_location',
+        locations_container:      '.locations_container',
+        le_error_info:            '#le-error-info',
+        certificate_select:       'select[name="certificate_id"]',
+        access_list_select:       'select[name="access_list_id"]',
+        ssl_forced:               'input[name="ssl_forced"]',
+        hsts_enabled:             'input[name="hsts_enabled"]',
+        hsts_subdomains:          'input[name="hsts_subdomains"]',
+        http2_support:            'input[name="http2_support"]',
+        dns_challenge_switch:     'input[name="meta[dns_challenge]"]',
+        dns_challenge_content:    '.dns-challenge',
+        dns_provider:             'select[name="meta[dns_provider]"]',
+        credentials_file_content: '.credentials-file-content',
+        dns_provider_credentials: 'textarea[name="meta[dns_provider_credentials]"]',
+        propagation_seconds:      'input[name="meta[propagation_seconds]"]',
+        forward_scheme:           'select[name="forward_scheme"]',
+        letsencrypt:              '.letsencrypt'
     },
 
     regions: {
@@ -46,6 +55,7 @@ module.exports = Mn.View.extend({
             let id = this.ui.certificate_select.val();
             if (id === 'new') {
                 this.ui.letsencrypt.show().find('input').prop('disabled', false);
+                this.ui.dns_challenge_content.hide();
             } else {
                 this.ui.letsencrypt.hide().find('input').prop('disabled', true);
             }
@@ -91,6 +101,34 @@ module.exports = Mn.View.extend({
             }
         },
 
+        'change @ui.dns_challenge_switch': function () {
+            const checked = this.ui.dns_challenge_switch.prop('checked');
+            if (checked) {
+                this.ui.dns_provider.prop('required', 'required');
+                const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value;
+                if(selected_provider != '' && dns_providers[selected_provider].credentials !== false){
+                    this.ui.dns_provider_credentials.prop('required', 'required');
+                }
+                this.ui.dns_challenge_content.show();
+            } else {
+                this.ui.dns_provider.prop('required', false);
+                this.ui.dns_provider_credentials.prop('required', false);
+                this.ui.dns_challenge_content.hide();                
+            }
+        },
+
+        'change @ui.dns_provider': function () {
+            const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value;
+            if (selected_provider != '' && dns_providers[selected_provider].credentials !== false) {
+                this.ui.dns_provider_credentials.prop('required', 'required');
+                this.ui.dns_provider_credentials[0].value = dns_providers[selected_provider].credentials;
+                this.ui.credentials_file_content.show();
+            } else {
+                this.ui.dns_provider_credentials.prop('required', false);
+                this.ui.credentials_file_content.hide();                
+            }
+        },
+
         'click @ui.add_location_btn': function (e) {
             e.preventDefault();
             
@@ -100,6 +138,7 @@ module.exports = Mn.View.extend({
 
         'click @ui.save': function (e) {
             e.preventDefault();
+            this.ui.le_error_info.hide();
 
             if (!this.ui.form[0].checkValidity()) {
                 $('<input type="submit">').hide().appendTo(this.ui.form).click().remove();
@@ -128,26 +167,38 @@ module.exports = Mn.View.extend({
             data.hsts_enabled            = !!data.hsts_enabled;
             data.hsts_subdomains         = !!data.hsts_subdomains;
             data.ssl_forced              = !!data.ssl_forced;
+            
+            if (typeof data.meta === 'undefined') data.meta = {};
+            data.meta.letsencrypt_agree = data.meta.letsencrypt_agree == 1;
+            data.meta.dns_challenge = data.meta.dns_challenge == 1;
+            
+            if(!data.meta.dns_challenge){
+                data.meta.dns_provider = undefined;
+                data.meta.dns_provider_credentials = undefined;
+                data.meta.propagation_seconds = undefined;
+            } else {
+                if(data.meta.propagation_seconds === '') data.meta.propagation_seconds = undefined; 
+            }
 
             if (typeof data.domain_names === 'string' && data.domain_names) {
                 data.domain_names = data.domain_names.split(',');
             }
 
             // Check for any domain names containing wildcards, which are not allowed with letsencrypt
-            if (data.certificate_id === 'new') {
+            if (data.certificate_id === 'new') {                
                 let domain_err = false;
-                data.domain_names.map(function (name) {
-                    if (name.match(/\*/im)) {
-                        domain_err = true;
-                    }
-                });
-
-                if (domain_err) {
-                    alert('Cannot request Let\'s Encrypt Certificate for wildcard domains');
-                    return;
+                if (!data.meta.dns_challenge) {
+                    data.domain_names.map(function (name) {
+                        if (name.match(/\*/im)) {
+                            domain_err = true;
+                        }
+                    });
                 }
 
-                data.meta.letsencrypt_agree = data.meta.letsencrypt_agree === '1';
+                if (domain_err) {
+                    alert(i18n('ssl', 'no-wildcard-without-dns'));
+                    return;
+                }
             } else {
                 data.certificate_id = parseInt(data.certificate_id, 10);
             }
@@ -163,6 +214,8 @@ module.exports = Mn.View.extend({
             }
 
             this.ui.buttons.prop('disabled', true).addClass('btn-disabled');
+            this.ui.save.addClass('btn-loading');
+
             method(data)
                 .then(result => {
                     view.model.set(result);
@@ -174,8 +227,17 @@ module.exports = Mn.View.extend({
                     });
                 })
                 .catch(err => {
-                    alert(err.message);
+                    let more_info = '';
+                    if(err.code === 500 && err.debug){
+                        try{
+                            more_info = JSON.parse(err.debug).debug.stack.join("\n");
+                        } catch(e) {}
+                    }
+                    this.ui.le_error_info[0].innerHTML = `${err.message}${more_info !== '' ? `<pre class="mt-3">${more_info}</pre>`:''}`;
+                    this.ui.le_error_info.show();
+                    this.ui.le_error_info[0].scrollIntoView();
                     this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
+                    this.ui.save.removeClass('btn-loading');
                 });
         }
     },
@@ -183,7 +245,20 @@ module.exports = Mn.View.extend({
     templateContext: {
         getLetsencryptEmail: function () {
             return App.Cache.User.get('email');
-        }
+        },
+        getUseDnsChallenge: function () {
+            return typeof this.meta.dns_challenge !== 'undefined' ? this.meta.dns_challenge : false;
+        },
+        getDnsProvider: function () {
+            return typeof this.meta.dns_provider !== 'undefined' && this.meta.dns_provider != '' ? this.meta.dns_provider : null;
+        },
+        getDnsProviderCredentials: function () {
+            return typeof this.meta.dns_provider_credentials !== 'undefined' ? this.meta.dns_provider_credentials : '';
+        },
+        getPropagationSeconds: function () {
+            return typeof this.meta.propagation_seconds !== 'undefined' ? this.meta.propagation_seconds : '';
+        },
+        dns_plugins: dns_providers,
     },
 
     onRender: function () {
@@ -203,7 +278,7 @@ module.exports = Mn.View.extend({
                     text:  input
                 };
             },
-            createFilter: /^(?:\*\.)?(?:[^.*]+\.?)+[^.]$/
+            createFilter: /^(?:\.)?(?:[^.*]+\.?)+[^.]$/
         });
 
         // Access Lists
@@ -237,6 +312,9 @@ module.exports = Mn.View.extend({
         });
 
         // Certificates
+        this.ui.le_error_info.hide();
+        this.ui.dns_challenge_content.hide();
+        this.ui.credentials_file_content.hide();
         this.ui.letsencrypt.hide();
         this.ui.certificate_select.selectize({
             valueField:       'id',

frontend/js/app/nginx/redirection/form.ejs

@@ -4,6 +4,7 @@
         <button type="button" class="close cancel" aria-label="Close" data-dismiss="modal">&nbsp;</button>
     </div>
     <div class="modal-body has-tabs">
+        <div class="alert alert-danger mb-0 rounded-0" id="le-error-info" role="alert"></div>
         <form>
             <ul class="nav nav-tabs" role="tablist">
                 <li role="presentation" class="nav-item"><a href="#details" aria-controls="tab1" role="tab" data-toggle="tab" class="nav-link active"><i class="fe fe-zap"></i> <%- i18n('all-hosts', 'details') %></a></li>
@@ -97,6 +98,98 @@
                             </div>
                         </div>
 
+                        <!-- DNS challenge -->
+                        <div class="col-sm-12 col-md-12 letsencrypt">
+                            <div class="form-group">
+                                <label class="custom-switch">
+                                    <input 
+                                        type="checkbox" 
+                                        class="custom-switch-input" 
+                                        name="meta[dns_challenge]" 
+                                        value="1" 
+                                        <%- getUseDnsChallenge() ? 'checked' : '' %>
+                                    >
+                                    <span class="custom-switch-indicator"></span>
+                                    <span class="custom-switch-description"><%= i18n('ssl', 'dns-challenge') %></span>
+                                </label>
+                            </div>
+                        </div>
+                        <div class="col-sm-12 col-md-12 letsencrypt">
+                            <fieldset class="form-fieldset dns-challenge">
+                                <div class="text-red mb-4"><i class="fe fe-alert-triangle"></i> <%= i18n('ssl', 'certbot-warning') %></div>
+
+                                <!-- Certbot DNS plugin selection -->
+                                <div class="row">
+                                    <div class="col-sm-12 col-md-12">
+                                        <div class="form-group">
+                                            <label class="form-label"><%- i18n('ssl', 'dns-provider') %> <span class="form-required">*</span></label>
+                                            <select 
+                                                name="meta[dns_provider]" 
+                                                id="dns_provider"
+                                                class="form-control custom-select"
+                                            >
+                                                <option 
+                                                    value="" 
+                                                    disabled 
+                                                    hidden
+                                                    <%- getDnsProvider() === null ? 'selected' : '' %>
+                                                >Please Choose...</option>
+                                                <% _.each(dns_plugins, function(plugin_info, plugin_name){ %>
+                                                <option 
+                                                    value="<%- plugin_name %>"
+                                                    <%- getDnsProvider() === plugin_name ? 'selected' : '' %>
+                                                ><%- plugin_info.display_name %></option>
+                                                <% }); %>
+                                            </select>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <!-- Certbot credentials file content -->
+                                <div class="row credentials-file-content">
+                                    <div class="col-sm-12 col-md-12">
+                                        <div class="form-group">
+                                            <label class="form-label"><%- i18n('ssl', 'credentials-file-content') %> <span class="form-required">*</span></label>
+                                            <textarea 
+                                                name="meta[dns_provider_credentials]" 
+                                                class="form-control text-monospace" 
+                                                id="dns_provider_credentials" 
+                                            ><%- getDnsProviderCredentials() %></textarea>
+                                            <div class="text-secondary small">
+                                                <i class="fe fe-info"></i> 
+                                                <%= i18n('ssl', 'credentials-file-content-info') %>
+                                            </div>
+                                            <div class="text-red small">
+                                                <i class="fe fe-alert-triangle"></i> 
+                                                <%= i18n('ssl', 'stored-as-plaintext-info') %>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <!-- DNS propagation delay -->
+                                <div class="row">
+                                    <div class="col-sm-12 col-md-12">
+                                        <div class="form-group mb-0">
+                                            <label class="form-label"><%- i18n('ssl', 'propagation-seconds') %></label>
+                                            <input 
+                                                type="number"
+                                                min="0"
+                                                name="meta[propagation_seconds]" 
+                                                class="form-control" 
+                                                id="propagation_seconds" 
+                                                value="<%- getPropagationSeconds() %>"
+                                            >
+                                            <div class="text-secondary small">
+                                                <i class="fe fe-info"></i> 
+                                                <%= i18n('ssl', 'propagation-seconds-info') %>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+                            </fieldset>
+                        </div>
+
                         <!-- Lets encrypt -->
                         <div class="col-sm-12 col-md-12 letsencrypt">
                             <div class="form-group">

frontend/js/app/nginx/redirection/form.js

@@ -4,6 +4,9 @@ const RedirectionHostModel = require('../../../models/redirection-host');
 const template             = require('./form.ejs');
 const certListItemTemplate = require('../certificates-list-item.ejs');
 const Helpers              = require('../../../lib/helpers');
+const i18n                 = require('../../i18n');
+const dns_providers        = require('../../../../../global/certbot-dns-plugins');
+
 
 require('jquery-serializejson');
 require('selectize');
@@ -13,17 +16,24 @@ module.exports = Mn.View.extend({
     className: 'modal-dialog',
 
     ui: {
-        form:               'form',
-        domain_names:       'input[name="domain_names"]',
-        buttons:            '.modal-footer button',
-        cancel:             'button.cancel',
-        save:               'button.save',
-        certificate_select: 'select[name="certificate_id"]',
-        ssl_forced:         'input[name="ssl_forced"]',
-        hsts_enabled:       'input[name="hsts_enabled"]',
-        hsts_subdomains:    'input[name="hsts_subdomains"]',
-        http2_support:      'input[name="http2_support"]',
-        letsencrypt:        '.letsencrypt'
+        form:                     'form',
+        domain_names:             'input[name="domain_names"]',
+        buttons:                  '.modal-footer button',
+        cancel:                   'button.cancel',
+        save:                     'button.save',
+        le_error_info:            '#le-error-info',
+        certificate_select:       'select[name="certificate_id"]',
+        ssl_forced:               'input[name="ssl_forced"]',
+        hsts_enabled:             'input[name="hsts_enabled"]',
+        hsts_subdomains:          'input[name="hsts_subdomains"]',
+        http2_support:            'input[name="http2_support"]',
+        dns_challenge_switch:     'input[name="meta[dns_challenge]"]',
+        dns_challenge_content:    '.dns-challenge',
+        dns_provider:             'select[name="meta[dns_provider]"]',
+        credentials_file_content: '.credentials-file-content',
+        dns_provider_credentials: 'textarea[name="meta[dns_provider_credentials]"]',
+        propagation_seconds:      'input[name="meta[propagation_seconds]"]',
+        letsencrypt:              '.letsencrypt'
     },
 
     events: {
@@ -31,6 +41,7 @@ module.exports = Mn.View.extend({
             let id = this.ui.certificate_select.val();
             if (id === 'new') {
                 this.ui.letsencrypt.show().find('input').prop('disabled', false);
+                this.ui.dns_challenge_content.hide();
             } else {
                 this.ui.letsencrypt.hide().find('input').prop('disabled', true);
             }
@@ -76,8 +87,37 @@ module.exports = Mn.View.extend({
             }
         },
 
+        'change @ui.dns_challenge_switch': function () {
+            const checked = this.ui.dns_challenge_switch.prop('checked');
+            if (checked) {
+                this.ui.dns_provider.prop('required', 'required');
+                const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value;
+                if(selected_provider != '' && dns_providers[selected_provider].credentials !== false){
+                    this.ui.dns_provider_credentials.prop('required', 'required');
+                }
+                this.ui.dns_challenge_content.show();
+            } else {
+                this.ui.dns_provider.prop('required', false);
+                this.ui.dns_provider_credentials.prop('required', false);
+                this.ui.dns_challenge_content.hide();                
+            }
+        },
+
+        'change @ui.dns_provider': function () {
+            const selected_provider = this.ui.dns_provider[0].options[this.ui.dns_provider[0].selectedIndex].value;
+            if (selected_provider != '' && dns_providers[selected_provider].credentials !== false) {
+                this.ui.dns_provider_credentials.prop('required', 'required');
+                this.ui.dns_provider_credentials[0].value = dns_providers[selected_provider].credentials;
+                this.ui.credentials_file_content.show();
+            } else {
+                this.ui.dns_provider_credentials.prop('required', false);
+                this.ui.credentials_file_content.hide();                
+            }
+        },
+
         'click @ui.save': function (e) {
             e.preventDefault();
+            this.ui.le_error_info.hide();
 
             if (!this.ui.form[0].checkValidity()) {
                 $('<input type="submit">').hide().appendTo(this.ui.form).click().remove();
@@ -88,32 +128,44 @@ module.exports = Mn.View.extend({
             let data = this.ui.form.serializeJSON();
 
             // Manipulate
-            data.block_exploits  = !!data.block_exploits;
-            data.preserve_path   = !!data.preserve_path;
-            data.http2_support   = !!data.http2_support;
-            data.hsts_enabled    = !!data.hsts_enabled;
-            data.hsts_subdomains = !!data.hsts_subdomains;
-            data.ssl_forced      = !!data.ssl_forced;
+            data.block_exploits     = !!data.block_exploits;
+            data.preserve_path      = !!data.preserve_path;
+            data.http2_support      = !!data.http2_support;
+            data.hsts_enabled       = !!data.hsts_enabled;
+            data.hsts_subdomains    = !!data.hsts_subdomains;
+            data.ssl_forced         = !!data.ssl_forced;
+            
+            if (typeof data.meta === 'undefined') data.meta = {};
+            data.meta.letsencrypt_agree = data.meta.letsencrypt_agree == 1;
+            data.meta.dns_challenge = data.meta.dns_challenge == 1;
+            
+            if(!data.meta.dns_challenge){
+                data.meta.dns_provider = undefined;
+                data.meta.dns_provider_credentials = undefined;
+                data.meta.propagation_seconds = undefined;
+            } else {
+                if(data.meta.propagation_seconds === '') data.meta.propagation_seconds = undefined; 
+            }
 
             if (typeof data.domain_names === 'string' && data.domain_names) {
                 data.domain_names = data.domain_names.split(',');
             }
 
             // Check for any domain names containing wildcards, which are not allowed with letsencrypt
-            if (data.certificate_id === 'new') {
+            if (data.certificate_id === 'new') {                
                 let domain_err = false;
-                data.domain_names.map(function (name) {
-                    if (name.match(/\*/im)) {
-                        domain_err = true;
-                    }
-                });
-
-                if (domain_err) {
-                    alert('Cannot request Let\'s Encrypt Certificate for wildcard domains');
-                    return;
+                if (!data.meta.dns_challenge) {
+                    data.domain_names.map(function (name) {
+                        if (name.match(/\*/im)) {
+                            domain_err = true;
+                        }
+                    });
                 }
 
-                data.meta.letsencrypt_agree = data.meta.letsencrypt_agree === '1';
+                if (domain_err) {
+                    alert(i18n('ssl', 'no-wildcard-without-dns'));
+                    return;
+                }             
             } else {
                 data.certificate_id = parseInt(data.certificate_id, 10);
             }
@@ -129,6 +181,8 @@ module.exports = Mn.View.extend({
             }
 
             this.ui.buttons.prop('disabled', true).addClass('btn-disabled');
+            this.ui.save.addClass('btn-loading');
+
             method(data)
                 .then(result => {
                     view.model.set(result);
@@ -140,8 +194,17 @@ module.exports = Mn.View.extend({
                     });
                 })
                 .catch(err => {
-                    alert(err.message);
+                    let more_info = '';
+                    if(err.code === 500 && err.debug){
+                        try{
+                            more_info = JSON.parse(err.debug).debug.stack.join("\n");
+                        } catch(e) {}
+                    }
+                    this.ui.le_error_info[0].innerHTML = `${err.message}${more_info !== '' ? `<pre class="mt-3">${more_info}</pre>`:''}`;
+                    this.ui.le_error_info.show();
+                    this.ui.le_error_info[0].scrollIntoView();
                     this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
+                    this.ui.save.removeClass('btn-loading');
                 });
         }
     },
@@ -149,7 +212,20 @@ module.exports = Mn.View.extend({
     templateContext: {
         getLetsencryptEmail: function () {
             return App.Cache.User.get('email');
-        }
+        },
+        getUseDnsChallenge: function () {
+            return typeof this.meta.dns_challenge !== 'undefined' ? this.meta.dns_challenge : false;
+        },
+        getDnsProvider: function () {
+            return typeof this.meta.dns_provider !== 'undefined' && this.meta.dns_provider != '' ? this.meta.dns_provider : null;
+        },
+        getDnsProviderCredentials: function () {
+            return typeof this.meta.dns_provider_credentials !== 'undefined' ? this.meta.dns_provider_credentials : '';
+        },
+        getPropagationSeconds: function () {
+            return typeof this.meta.propagation_seconds !== 'undefined' ? this.meta.propagation_seconds : '';
+        },
+        dns_plugins: dns_providers,
     },
 
     onRender: function () {
@@ -170,6 +246,9 @@ module.exports = Mn.View.extend({
         });
 
         // Certificates
+        this.ui.le_error_info.hide();
+        this.ui.dns_challenge_content.hide();
+        this.ui.credentials_file_content.hide();
         this.ui.letsencrypt.hide();
         this.ui.certificate_select.selectize({
             valueField:       'id',

frontend/js/i18n/messages.json

@@ -101,7 +101,19 @@
       "letsencrypt-email": "Email Address for Let's Encrypt",
       "letsencrypt-agree": "I Agree to the <a href=\"{url}\" target=\"_blank\">Let's Encrypt Terms of Service</a>",
       "delete-ssl": "The SSL certificates attached will NOT be removed, they will need to be removed manually.",
-      "hosts-warning": "These domains must be already configured to point to this installation"
+      "hosts-warning": "These domains must be already configured to point to this installation",
+      "no-wildcard-without-dns": "Cannot request Let's Encrypt Certificate for wildcard domains when not using DNS challenge",
+      "dns-challenge": "Use a DNS Challenge",
+      "certbot-warning": "This section requires some knowledge about Certbot and its DNS plugins. Please consult the respective plugins documentation.",
+      "dns-provider": "DNS Provider",
+      "please-choose": "Please Choose...",
+      "credentials-file-content": "Credentials File Content",
+      "credentials-file-content-info": "This plugin requires a configuration file containing an API token or other credentials to your provider",
+      "stored-as-plaintext-info": "This data will be stored as plaintext in the database and in a file!",
+      "propagation-seconds": "Propagation Seconds",
+      "propagation-seconds-info": "Leave empty to use the plugins default value. Number of seconds to wait for DNS propagation.",
+      "processing-info": "Processing... This might take a few minutes.",
+      "passphrase-protection-support-info": "Key files protected with a passphrase are not supported."
     },
     "proxy-hosts": {
       "title": "Proxy Hosts",
@@ -195,7 +207,8 @@
       "authorization": "Authorization",
       "access": "Access",
       "satisfy": "Satisfy",
-      "satisfy-any": "Satisfy Any"
+      "satisfy-any": "Satisfy Any",
+      "pass-auth": "Pass Auth to Host"
     },
     "users": {
       "title": "Users",

global/certbot-dns-plugins.js

@@ -0,0 +1,294 @@
+/**
+ * This file contains info about available Certbot DNS plugins.
+ * This only works for plugins which use the standard argument structure, so:
+ * --authenticator <plugin-name> --<plugin-name>-credentials <FILE> --<plugin-name>-propagation-seconds <number>
+ *
+ * File Structure:
+ *
+ *  {
+ *    cloudflare: {
+ *      display_name: "Name displayed to the user",
+ *      package_name: "Package name in PyPi repo",
+ *      package_version: "Package version in PyPi repo",
+ *      dependencies: "Additional dependencies, space separated (as you would pass it to pip install)",
+ *      credentials: `Template of the credentials file`,
+ *      full_plugin_name: "The full plugin name as used in the commandline with certbot, including prefixes, e.g. 'certbot-dns-njalla:dns-njalla'",
+ *    },
+ *    ...
+ *  }
+ *
+ */
+
+module.exports = {
+	aliyun: {
+		display_name:    'Aliyun',
+		package_name:    'certbot-dns-aliyun',
+		package_version: '0.38.1',
+		dependencies:    '',
+		credentials:     `certbot_dns_aliyun:dns_aliyun_access_key = 12345678
+certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef`,
+		full_plugin_name: 'certbot-dns-aliyun:dns-aliyun',
+	},
+	//####################################################//
+	cloudflare: {
+		display_name:    'Cloudflare',
+		package_name:    'certbot-dns-cloudflare',
+		package_version: '1.8.0',
+		dependencies:    'cloudflare',
+		credentials:     `# Cloudflare API token
+dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567`,
+		full_plugin_name: 'dns-cloudflare',
+	},
+	//####################################################//
+	cloudxns: {
+		display_name:    'CloudXNS',
+		package_name:    'certbot-dns-cloudxns',
+		package_version: '1.8.0',
+		dependencies:    '',
+		credentials:     `dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef
+dns_cloudxns_secret_key = 1122334455667788`,
+		full_plugin_name: 'dns-cloudxns',
+	},
+	//####################################################//
+	corenetworks: {
+		display_name:    'Core Networks',
+		package_name:    'certbot-dns-corenetworks',
+		package_version: '0.1.4',
+		dependencies:    '',
+		credentials:     `certbot_dns_corenetworks:dns_corenetworks_username = asaHB12r
+certbot_dns_corenetworks:dns_corenetworks_password = secure_password`,
+		full_plugin_name: 'certbot-dns-corenetworks:dns-corenetworks',
+	},
+	//####################################################//
+	cpanel: {
+		display_name:    'cPanel',
+		package_name:    'certbot-dns-cpanel',
+		package_version: '0.2.2',
+		dependencies:    '',
+		credentials:     `certbot_dns_cpanel:cpanel_url = https://cpanel.example.com:2083
+certbot_dns_cpanel:cpanel_username = user
+certbot_dns_cpanel:cpanel_password = hunter2`,
+		full_plugin_name: 'certbot-dns-cpanel:cpanel',
+	},
+	//####################################################//
+	digitalocean: {
+		display_name:     'DigitalOcean',
+		package_name:     'certbot-dns-digitalocean',
+		package_version:  '1.8.0',
+		dependencies:     '',
+		credentials:      'dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff',
+		full_plugin_name: 'dns-digitalocean',
+	},
+	//####################################################//
+	directadmin: {
+		display_name:    'DirectAdmin',
+		package_name:    'certbot-dns-directadmin',
+		package_version: '0.0.20',
+		dependencies:    '',
+		credentials:     `directadmin_url = https://my.directadminserver.com:2222
+directadmin_username = username
+directadmin_password = aSuperStrongPassword`,
+		full_plugin_name: 'certbot-dns-directadmin:directadmin',
+	},
+	//####################################################//
+	dnsimple: {
+		display_name:     'DNSimple',
+		package_name:     'certbot-dns-dnsimple',
+		package_version:  '1.8.0',
+		dependencies:     '',
+		credentials:      'dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw',
+		full_plugin_name: 'dns-dnsimple',
+	},
+	//####################################################//
+	dnsmadeeasy: {
+		display_name:    'DNS Made Easy',
+		package_name:    'certbot-dns-dnsmadeeasy',
+		package_version: '1.8.0',
+		dependencies:    '',
+		credentials:     `dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a
+dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`,
+		full_plugin_name: 'dns-dnsmadeeasy',
+	},
+	//####################################################//
+	dnspod: {
+		display_name:    'DNSPod',
+		package_name:    'certbot-dns-dnspod',
+		package_version: '0.1.0',
+		dependencies:    '',
+		credentials:     `certbot_dns_dnspod:dns_dnspod_email = "DNSPOD-API-REQUIRES-A-VALID-EMAIL"
+certbot_dns_dnspod:dns_dnspod_api_token = "DNSPOD-API-TOKEN"`,
+		full_plugin_name: 'certbot-dns-dnspod:dns-dnspod',
+	},
+	//####################################################//
+	gandi: {
+		display_name:     'Gandi Live DNS',
+		package_name:     'certbot_plugin_gandi',
+		package_version:  '1.2.5',
+		dependencies:     '',
+		credentials:      'certbot_plugin_gandi:dns_api_key = APIKEY',
+		full_plugin_name: 'certbot-plugin-gandi:dns',
+	},
+	//####################################################//
+	google: {
+		display_name:    'Google',
+		package_name:    'certbot-dns-google',
+		package_version: '1.8.0',
+		dependencies:    '',
+		credentials:     `{
+"type": "service_account",
+...
+}`,
+		full_plugin_name: 'dns-google',
+	},
+	//####################################################//
+	hetzner: {
+		display_name:     'Hetzner',
+		package_name:     'certbot-dns-hetzner',
+		package_version:  '1.0.4',
+		dependencies:     '',
+		credentials:      'certbot_dns_hetzner:dns_hetzner_api_token = 0123456789abcdef0123456789abcdef',
+		full_plugin_name: 'certbot-dns-hetzner:dns-hetzner',
+	},
+	//####################################################//
+	inwx: {
+		display_name:    'INWX',
+		package_name:    'certbot-dns-inwx',
+		package_version: '2.1.2',
+		dependencies:    '',
+		credentials:     `certbot_dns_inwx:dns_inwx_url = https://api.domrobot.com/xmlrpc/
+certbot_dns_inwx:dns_inwx_username = your_username
+certbot_dns_inwx:dns_inwx_password = your_password
+certbot_dns_inwx:dns_inwx_shared_secret = your_shared_secret optional`,
+		full_plugin_name: 'certbot-dns-inwx:dns-inwx',
+	},
+	//####################################################//
+	ispconfig: {
+		display_name:    'ISPConfig',
+		package_name:    'certbot-dns-ispconfig',
+		package_version: '0.2.0',
+		dependencies:    '',
+		credentials:     `certbot_dns_ispconfig:dns_ispconfig_username = myremoteuser
+certbot_dns_ispconfig:dns_ispconfig_password = verysecureremoteuserpassword
+certbot_dns_ispconfig:dns_ispconfig_endpoint = https://localhost:8080`,
+		full_plugin_name: 'certbot-dns-ispconfig:dns-ispconfig',
+	},
+	//####################################################//
+	isset: {
+		display_name:    'Isset',
+		package_name:    'certbot-dns-isset',
+		package_version: '0.0.3',
+		dependencies:    '',
+		credentials:     `certbot_dns_isset:dns_isset_endpoint="https://customer.isset.net/api"
+certbot_dns_isset:dns_isset_token="<token>"`,
+		full_plugin_name: 'certbot-dns-isset:dns-isset',
+	},
+	//####################################################//
+	linode: {
+		display_name:    'Linode',
+		package_name:    'certbot-dns-linode',
+		package_version: '1.8.0',
+		dependencies:    '',
+		credentials:     `dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64
+dns_linode_version = [<blank>|3|4]`,
+		full_plugin_name: 'dns-linode',
+	},
+	//####################################################//
+	luadns: {
+		display_name:    'LuaDNS',
+		package_name:    'certbot-dns-luadns',
+		package_version: '1.8.0',
+		dependencies:    '',
+		credentials:     `dns_luadns_email = user@example.com
+dns_luadns_token = 0123456789abcdef0123456789abcdef`,
+		full_plugin_name: 'dns-luadns',
+	},
+	//####################################################//
+	netcup: {
+		display_name:    'netcup',
+		package_name:    'certbot-dns-netcup',
+		package_version: '1.0.0',
+		dependencies:    '',
+		credentials:     `dns_netcup_customer_id  = 123456
+dns_netcup_api_key      = 0123456789abcdef0123456789abcdef01234567
+dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`,
+		full_plugin_name: 'certbot-dns-netcup:dns-netcup',
+	},
+	//####################################################//
+	njalla: {
+		display_name:     'Njalla',
+		package_name:     'certbot-dns-njalla',
+		package_version:  '1.0.0',
+		dependencies:     '',
+		credentials:      'certbot_dns_njalla:dns_njalla_token = 0123456789abcdef0123456789abcdef01234567',
+		full_plugin_name: 'certbot-dns-njalla:dns-njalla',
+	},
+	//####################################################//
+	nsone: {
+		display_name:     'NS1',
+		package_name:     'certbot-dns-nsone',
+		package_version:  '1.8.0',
+		dependencies:     '',
+		credentials:      'dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw',
+		full_plugin_name: 'dns-nsone',
+	},
+	//####################################################//
+	ovh: {
+		display_name:    'OVH',
+		package_name:    'certbot-dns-ovh',
+		package_version: '1.8.0',
+		dependencies:    '',
+		credentials:     `dns_ovh_endpoint = ovh-eu
+dns_ovh_application_key = MDAwMDAwMDAwMDAw
+dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
+dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw`,
+		full_plugin_name: 'dns-ovh',
+	},
+	//####################################################//
+	powerdns: {
+		display_name:    'PowerDNS',
+		package_name:    'certbot-dns-powerdns',
+		package_version: '0.2.0',
+		dependencies:    '',
+		credentials:     `certbot_dns_powerdns:dns_powerdns_api_url = https://api.mypowerdns.example.org
+certbot_dns_powerdns:dns_powerdns_api_key = AbCbASsd!@34`,
+		full_plugin_name: 'certbot-dns-powerdns:dns-powerdns',
+	},
+	//####################################################//
+	rfc2136: {
+		display_name:    'RFC 2136',
+		package_name:    'certbot-dns-rfc2136',
+		package_version: '1.8.0',
+		dependencies:    '',
+		credentials:     `# Target DNS server
+dns_rfc2136_server = 192.0.2.1
+# Target DNS port
+dns_rfc2136_port = 53
+# TSIG key name
+dns_rfc2136_name = keyname.
+# TSIG key secret
+dns_rfc2136_secret = 4q4wM/2I180UXoMyN4INVhJNi8V9BCV+jMw2mXgZw/CSuxUT8C7NKKFs AmKd7ak51vWKgSl12ib86oQRPkpDjg==
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA512`,
+		full_plugin_name: 'dns-rfc2136',
+	},
+	//####################################################//
+	route53: {
+		display_name:    'Route 53 (Amazon)',
+		package_name:    'certbot-dns-route53',
+		package_version: '1.8.0',
+		dependencies:    '',
+		credentials:     `[default]
+aws_access_key_id=AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`,
+		full_plugin_name: 'dns-route53',
+	},
+	//####################################################//
+	vultr: {
+		display_name:     'Vultr',
+		package_name:     'certbot-dns-vultr',
+		package_version:  '1.0.3',
+		dependencies:     '',
+		credentials:      'certbot_dns_vultr:dns_vultr_key = YOUR_VULTR_API_KEY',
+		full_plugin_name: 'certbot-dns-vultr:dns-vultr',
+	},
+};

scripts/frontend-build

@@ -10,7 +10,7 @@ if hash docker 2>/dev/null; then
 	docker pull "${DOCKER_IMAGE}"
 	cd "${DIR}/.."
 	echo -e "${BLUE}❯ ${CYAN}Building Frontend ...${RESET}"
-	docker run --rm -e CI=true -v "$(pwd)/frontend:/app/frontend" -w /app/frontend "$DOCKER_IMAGE" sh -c "yarn install && yarn build && yarn build && chown -R $(id -u):$(id -g) /app/frontend"
+	docker run --rm -e CI=true -v "$(pwd)/frontend:/app/frontend" -v "$(pwd)/global:/app/global" -w /app/frontend "$DOCKER_IMAGE" sh -c "yarn install && yarn build && yarn build && chown -R $(id -u):$(id -g) /app/frontend"
 	echo -e "${BLUE}❯ ${GREEN}Building Frontend Complete${RESET}"
 else
 	echo -e "${RED}❯ docker command is not available${RESET}"

scripts/test-dev

@@ -7,7 +7,7 @@ DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 if hash docker-compose 2>/dev/null; then
 	cd "${DIR}/.."
 	echo -e "${BLUE}❯ ${CYAN}Testing Dev Stack ...${RESET}"
-	docker-compose exec -T npm bash -c "cd /app/backend && task test"
+	docker-compose exec -T npm bash -c "cd /app && task test"
 else
 	echo -e "${RED}❯ docker-compose command is not available${RESET}"
 fi

test/.dockerignore

@@ -0,0 +1 @@
+node_modules

test/cypress/Dockerfile

@@ -1,6 +1,11 @@
-FROM cypress/included:4.12.1
+FROM cypress/included:5.6.0
 
-COPY --chown=1000 ./test /test
+COPY --chown=1000 ./ /test
+
+# mkcert
+ENV MKCERT=1.4.2
+RUN wget -O /usr/bin/mkcert "https://github.com/FiloSottile/mkcert/releases/download/v${MKCERT}/mkcert-v${MKCERT}-linux-amd64" \
+	&& chmod +x /usr/bin/mkcert
 
 WORKDIR /test
 RUN yarn install

test/package.json

@@ -7,7 +7,7 @@
 		"@jc21/cypress-swagger-validation": "^0.0.9",
 		"@jc21/restler": "^3.4.0",
 		"chalk": "^4.1.0",
-		"cypress": "^4.12.1",
+		"cypress": "^5.6.0",
 		"cypress-multi-reporters": "^1.4.0",
 		"cypress-plugin-retries": "^1.5.2",
 		"eslint": "^7.6.0",

test/yarn.lock

@@ -1293,9 +1293,9 @@ inherits@2, inherits@^2.0.3, inherits@~2.0.3:
   integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==
 
 ini@^1.3.5:
-  version "1.3.5"
-  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
-  integrity sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==
+  version "1.3.8"
+  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.8.tgz#a29da425b48806f34767a4efce397269af28432c"
+  integrity sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==
 
 is-arguments@^1.0.4:
   version "1.0.4"