
feat: upgrade lego to v5.1.0 and add Dynadot DNS provider#12829

Open
rowanchen-com wants to merge 2 commits into
1Panel-dev:dev-v2 from rowanchen-com:feat/lego-v5-and-dynadot

Conversation

@rowanchen-com
Contributor

What this PR does / why we need it?

Adding Dynadot requires lego v5.1.0 (the provider is not in v4), so this
PR does both at once: upgrade lego from v4.35.2 to v5.1.0, and wire up
the new Dynadot DNS provider.

Summary of your change

Commit 1 -- lego v5 upgrade

  • Adapt to v5 API breaks: Obtain/ObtainForCSR/Revoke take a context.Context;
    AcmeUser.Key is crypto.Signer instead of crypto.PrivateKey; account
    registration is *acme.ExtendedAccount instead of *registration.Resource;
    certificate.Resource.Domain was renamed to Domains ([]string).
  • dns01.AddRecursiveNameservers and dns01.AddDNSTimeout were removed;
    use dns01.SetDefaultClient(dns01.NewClient(&Options{...})) instead. The
    custom recursive nameserver fields in the website SSL form keep working.
  • ObtainRequest disables the Common Name by default in v5. EnableCommonName
    is set to true to keep the v4 behaviour, otherwise older clients (Java
    keystores, embedded routers) that still rely on the CN field would fail
    the TLS handshake.
  • lego.CertificateConfig.KeyType field was removed; the matching code path
    is dropped.
  • lego log.Logger is now *slog.Logger; bridge it to the existing per-domain
    *log.Logger via slog.NewTextHandler so SSL apply logs still land in
    SSLLogDir.

Backward compatibility for users upgrading from v4

  • certcrypto.KeyType string values were renamed: P256 -> EC256,
    P384 -> EC384, 2048 -> RSA2048, 3072 -> RSA3072, 4096 -> RSA4096,
    8192 -> RSA8192. A gormigrate migration rewrites the key_type column in
    website_acme_accounts, website_ssls and website_cas on first start, so
    old certificates renew automatically. A normalizeKeyType helper also
    handles the mapping at runtime as a safety net.
  • v5 serializes private keys as PKCS#8 while v4 used SEC1 (EC) and PKCS#1
    (RSA). A new parsePrivateKeyPEM helper tries PKCS#8 first and falls back
    to the legacy formats, so existing account keys persisted under v4 keep
    loading without manual conversion.
  • Frontend KeyTypes select options and the four form-initial keyType
    defaults are updated to the v5 form.

Commit 2 -- Dynadot / DnsPod

  • Add Dynadot DNS provider, surfaced in the DNS account dialog next to
    the other API-key/secret based providers.
  • Remove DnsPod from the provider list (lego v5 has no DnsPod
    implementation). The startup migration counts existing DnsPod rows in
    website_dns_accounts and logs a warning so the operator can switch them
    to TencentCloud, which now manages DNSPod-hosted zones via the same
    underlying API. Existing rows are not deleted.

Tested locally against AliYun, Spaceship, CloudFlare and Dynadot.
Certificates issued under v4 renew under the v5 binary in seconds (LE
authorization is reused), and brand-new domains go through the full
DNS-01 flow correctly.

Please indicate you've done the following:

  • Made sure tests are passing and test coverage is added if needed.
  • Made sure commit messages follow the rules of the Conventional Commits specification.
  • Considered the docs impact and opened a new docs issue or PR with docs changes if needed.
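
The parsePrivateKeyPEM fallback described in the "Backward compatibility" list above (and again in the first commit message) is the piece most likely to bite on upgrade, so here is a stand-alone illustration of it. This is added example code, not the PR's or 1Panel's own implementation: the function name is borrowed from the description, but the body, the two fixture encoders and the roundTrip check are assumptions written for this page. It fabricates a key in the v4 encodings (SEC1 "EC PRIVATE KEY", PKCS#1 "RSA PRIVATE KEY") and in the v5 encoding (PKCS#8 "PRIVATE KEY"), parses each through the same loader, and confirms the recovered public key matches. The legacy parsers are selected by PEM label so a mislabelled or corrupted block fails loudly rather than being misparsed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// parsePrivateKeyPEM loads a key saved by either lego generation (assumed
// shape, not the project's code). PKCS#8 is tried first because that is what
// v5 writes; the v4 encodings are tried next, chosen by PEM label so a PKCS#1
// body is never fed to the SEC1 parser or vice versa. The result is a
// crypto.Signer, the type lego v5 requires for AcmeUser.Key.
func parsePrivateKeyPEM(pemBytes []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if k, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
		signer, ok := k.(crypto.Signer)
		if !ok {
			return nil, fmt.Errorf("PKCS#8 key of type %T cannot sign", k)
		}
		return signer, nil
	}
	switch block.Type {
	case "EC PRIVATE KEY": // v4 SEC1 encoding
		k, err := x509.ParseECPrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("SEC1 parse: %w", err)
		}
		return k, nil // explicit so a nil *ecdsa.PrivateKey never hides in the interface
	case "RSA PRIVATE KEY": // v4 PKCS#1 encoding
		k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("PKCS#1 parse: %w", err)
		}
		return k, nil
	}
	return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
}

// encodeLegacy writes a key the way lego v4 did; it only exists to build
// v4-style fixtures for the round trip below.
func encodeLegacy(key crypto.Signer) ([]byte, error) {
	switch k := key.(type) {
	case *ecdsa.PrivateKey:
		der, err := x509.MarshalECPrivateKey(k)
		if err != nil {
			return nil, err
		}
		return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
	case *rsa.PrivateKey:
		return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}), nil
	}
	return nil, fmt.Errorf("unsupported key type %T", key)
}

// encodePKCS8 writes a key the way lego v5 does.
func encodePKCS8(key crypto.Signer) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// roundTrip encodes key in both formats, parses each back and reports whether
// both results carry the original public key, i.e. whether an account key
// persisted under v4 is still recognised as the same identity after upgrade.
func roundTrip(key crypto.Signer) (bool, error) {
	pub, ok := key.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return false, fmt.Errorf("public key %T has no Equal method", key.Public())
	}
	for _, enc := range []func(crypto.Signer) ([]byte, error){encodeLegacy, encodePKCS8} {
		pemBytes, err := enc(key)
		if err != nil {
			return false, err
		}
		parsed, err := parsePrivateKeyPEM(pemBytes)
		if err != nil {
			return false, err
		}
		if !pub.Equal(parsed.Public()) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed sample keys
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	for name, k := range map[string]crypto.Signer{"EC256": ecKey, "RSA2048": rsaKey} {
		ok, err := roundTrip(k)
		fmt.Printf("%s: same key after v4 and v5 encodings = %v (err=%v)\n", name, ok, err)
	}
}
```

The PKCS#8-first order matters for a different reason than convenience: once a key has been re-saved by the v5 binary its PEM label changes, so a loader keyed only on the old labels would stop finding keys it wrote itself.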

lego v5 introduces several breaking API changes that touch every entry
point we use. This commit migrates 1Panel's SSL stack to v5 and adds a
data migration so existing certificates keep auto-renewing without
operator action.

Code changes:

- AcmeUser.Key is now a crypto.Signer (was crypto.PrivateKey); same for
  the key returned by GetPrivateKeyByType. Account registration is now
  an *acme.ExtendedAccount (was *registration.Resource).

- A new parsePrivateKeyPEM helper accepts both v4 (SEC1 EC, PKCS#1 RSA)
  and v5 (PKCS#8) key formats, so account/certificate keys persisted
  under v4 keep loading after the upgrade.

- Obtain/ObtainForCSR/Revoke now require a context.Context.

- dns01.AddRecursiveNameservers and dns01.AddDNSTimeout were removed.
  Recursive nameservers and timeout are now passed via
  dns01.SetDefaultClient(dns01.NewClient(&dns01.Options{...})).

- ObtainRequest disables the CN by default in v5; we set
  EnableCommonName: true to preserve the v4 behaviour for legacy
  clients (Java keystores, embedded routers, etc.) that still rely on
  the CommonName field.

- lego.CertificateConfig.KeyType was removed (the key type is taken
  from the user's account); the matching code path is dropped.

- certificate.Resource.Domain was renamed to Domains (now []string).

- log.Logger is now an *slog.Logger; switch website_ssl.go over to slog
  with a TextHandler that writes to the existing file logger.

KeyType migration:

- certcrypto.KeyType string values were renamed in v5: P256->EC256,
  P384->EC384, 2048->RSA2048, 3072->RSA3072, 4096->RSA4096,
  8192->RSA8192. A gormigrate migration rewrites the key_type column
  in website_acme_accounts, website_ssls and website_cas on first
  start, so old certificates renew under their new names automatically.

- A normalizeKeyType helper falls back to the same mapping at runtime,
  in case the database migration has not yet run.

- Frontend KeyTypes select options and four form-initial keyType
  defaults are updated to the v5 form so newly created accounts also
  use the new strings.

Build and vet pass on linux/amd64 (GOOS=linux GOARCH=amd64 go build/vet
./...).

Dynadot was added to upstream lego in v5.1.0
(go-acme/lego#3125). Wire it into the same DNS provider
switch the other 25 providers use, and surface it in the frontend so
users can pick it in the DNS account dialog.

DnsPod is removed from the DNS provider list. lego v5 has no DnsPod
implementation; the previous frontend already showed a deprecation
hint pointing at TencentCloud, which is now the recommended way to
manage DNSPod-hosted zones (the underlying API is the same).
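
The slog bridge that both the PR description and the first commit message mention ("bridge it to the existing per-domain *log.Logger via slog.NewTextHandler so SSL apply logs still land in SSLLogDir") has one trap worth showing: if the TextHandler is pointed at the file logger's underlying io.Writer, the per-domain prefix and timestamp that *log.Logger adds are bypassed. The code below is an added example, not the project's implementation; the type and function names (logLineWriter, bridgeLogger, renderSample) are assumptions for this page, and an in-memory buffer stands in for the per-domain file. It routes each rendered slog line through log.Logger.Output so the existing prefix and flags survive, drops slog's own "time" attribute to avoid a double timestamp, and applies a level filter.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"log/slog"
	"strings"
)

// logLineWriter (assumed name) hands every line slog's TextHandler emits to
// the existing *log.Logger through Output, so the file logger's own prefix and
// flags survive instead of being bypassed by writing straight to its writer.
type logLineWriter struct{ l *log.Logger }

func (w logLineWriter) Write(p []byte) (int, error) {
	// TextHandler writes exactly one newline-terminated line per record.
	if err := w.l.Output(2, strings.TrimRight(string(p), "\n")); err != nil {
		return 0, err
	}
	return len(p), nil
}

// bridgeLogger returns an *slog.Logger that renders records as key=value text
// into fileLogger, dropping records below level and slog's own "time"
// attribute (the *log.Logger already stamps each line with its flags).
func bridgeLogger(fileLogger *log.Logger, level slog.Level) *slog.Logger {
	h := slog.NewTextHandler(logLineWriter{fileLogger}, &slog.HandlerOptions{
		Level: level,
		ReplaceAttr: func(groups []string, a slog.Attr) slog.Attr {
			if len(groups) == 0 && a.Key == slog.TimeKey {
				return slog.Attr{} // a zero Attr is discarded by the handler
			}
			return a
		},
	})
	return slog.New(h)
}

// renderSample drives the bridge with a constructed in-memory buffer standing
// in for the per-domain file and returns what would have been written.
func renderSample(domain string) string {
	var buf bytes.Buffer
	fileLogger := log.New(&buf, "["+domain+"] ", log.Ldate|log.Ltime)
	logger := bridgeLogger(fileLogger, slog.LevelInfo)
	logger.Debug("dns propagation check", "attempt", 1) // below threshold: filtered out
	logger.Info("obtaining certificate", "domains", []string{domain, "www." + domain}, "challenge", "dns-01")
	logger.Warn("authorization retry", "attempt", 2)
	return buf.String()
}

func main() {
	fmt.Print(renderSample("example.com"))
}
```

If the file logger uses log.Lshortfile, the calldepth passed to Output would need to be raised to reach the caller of slog rather than the handler internals; with date and time flags only, as here, it has no effect.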

@f2c-ci-robot

f2c-ci-robot Bot commented May 23, 2026

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@f2c-ci-robot

f2c-ci-robot Bot commented May 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ssongliu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
