roster-server 2.2.1 → 2.2.4

package/README.md

@@ -62,7 +62,19 @@ You can serve all subdomains of a domain with a single handler in three ways:
 2. **Register (default port)**: `roster.register('*.example.com', handler)` for the default HTTPS port.
 3. **Register (custom port)**: `roster.register('*.example.com:8080', handler)` for a specific port.
 
-Wildcard SSL certificates require **DNS-01** validation (Let's Encrypt does not support HTTP-01 for wildcards). By default Roster uses `acme-dns-01-cli` through an internal wrapper (adds `propagationDelay` and modern plugin signatures). Override with a custom plugin:
+Wildcard SSL certificates require **DNS-01** validation (Let's Encrypt does not support HTTP-01 for wildcards). By default Roster uses `acme-dns-01-cli` through an internal wrapper (adds `propagationDelay` and modern plugin signatures).
+
+For fully automatic TXT records with Linode DNS, set:
+
+```bash
+export ROSTER_DNS_PROVIDER=linode
+export LINODE_API_KEY=...
+```
+
+Then Roster creates/removes `_acme-challenge` TXT records automatically via `api.linode.com`.
+If `LINODE_API_KEY` is present, this mode auto-enables by default for wildcard DNS-01.
+
+Override with a custom plugin:
 
 ```javascript
 import Roster from 'roster-server';
@@ -210,7 +222,7 @@ When creating a new `RosterServer` instance, you can pass the following options:
 - `email` (string): Your email for Let's Encrypt notifications.
 - `wwwPath` (string): Path to your `www` directory containing your sites.
 - `greenlockStorePath` (string): Directory for Greenlock configuration.
-- `dnsChallenge` (object|false): Optional override for wildcard DNS-01 challenge config. Default is local/manual `acme-dns-01-cli` wrapper with `propagationDelay: 120000`, `autoContinue: false`, and `dryRunDelay: 120000`. This is safer for manual DNS providers (Linode/Cloudflare UI) because Roster waits longer and does not auto-advance in interactive terminals. Set `false` to disable. You can pass `{ module: '...', propagationDelay: 180000 }` to tune DNS wait time (ms). Set `autoContinue: true` (or env `ROSTER_DNS_AUTO_CONTINUE=1`) to continue automatically after delay. For Greenlock dry-runs (`_greenlock-dryrun-*`), delay defaults to `dryRunDelay` (same as `propagationDelay` unless overridden with `dnsChallenge.dryRunDelay` or env `ROSTER_DNS_DRYRUN_DELAY_MS`). When wildcard sites are present, Roster creates a separate wildcard certificate (`*.example.com`) that uses `dns-01`, while apex/www stay on the regular certificate flow (typically `http-01`), reducing manual TXT records.
+- `dnsChallenge` (object|false): Optional override for wildcard DNS-01 challenge config. Default is `acme-dns-01-cli` wrapper with `propagationDelay: 120000`, `autoContinue: false`, and `dryRunDelay: 120000`. Manual mode still works, but you can enable automatic Linode DNS API mode by setting `ROSTER_DNS_PROVIDER=linode` and `LINODE_API_KEY`. In automatic mode, Roster creates/removes TXT records itself and still polls public resolvers every 15s before continuing. Set `false` to disable DNS challenge. You can pass `{ module: '...', propagationDelay: 180000 }` to tune DNS wait time (ms). For Greenlock dry-runs (`_greenlock-dryrun-*`), delay defaults to `dryRunDelay` (same as `propagationDelay` unless overridden with `dnsChallenge.dryRunDelay` or env `ROSTER_DNS_DRYRUN_DELAY_MS`). When wildcard sites are present, Roster creates a separate wildcard certificate (`*.example.com`) that uses `dns-01`, while apex/www stay on the regular certificate flow (typically `http-01`), reducing manual TXT records.
 - `staging` (boolean): Set to `true` to use Let's Encrypt's staging environment (for testing).
 - `local` (boolean): Set to `true` to run in local development mode.
 - `minLocalPort` (number): Minimum port for local mode (default: 4000).

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "roster-server",
-    "version": "2.2.1",
+    "version": "2.2.4",
     "description": "👾 RosterServer - A domain host router to host multiple HTTPS.",
     "main": "index.js",
     "scripts": {

package/tasks/lessons.md

@@ -0,0 +1,3 @@
+# Lessons Learned
+
+- When wildcard TLS must run under Bun, do not rely on manual DNS instructions; default to API-driven DNS-01 TXT creation/removal (Linode/Akamai) with propagation polling, then fall back to manual mode only when no provider token is configured.

package/test/acme-dns-01-cli-wrapper.test.js

@@ -0,0 +1,253 @@
+'use strict';
+
+const { describe, it, afterEach } = require('node:test');
+const assert = require('node:assert');
+const wrapper = require('../vendor/acme-dns-01-cli-wrapper.js');
+
+function buildChallengeOpts() {
+    return {
+        challenge: {
+            altname: '*.example.com',
+            dnsHost: '_acme-challenge.example.com',
+            dnsAuthorization: 'test-token'
+        }
+    };
+}
+
+describe('acme-dns-01-cli-wrapper automatic Linode DNS', () => {
+    const originalFetch = global.fetch;
+    const originalLinodeApiKey = process.env.LINODE_API_KEY;
+
+    afterEach(() => {
+        global.fetch = originalFetch;
+        if (originalLinodeApiKey === undefined) delete process.env.LINODE_API_KEY;
+        else process.env.LINODE_API_KEY = originalLinodeApiKey;
+    });
+
+    it('creates and removes TXT records via Linode API', async () => {
+        const calls = [];
+        global.fetch = async (url, options = {}) => {
+            calls.push({ url, options });
+            if (url.endsWith('/domains/example.com')) {
+                return { ok: true, status: 200, json: async () => ({}) };
+            }
+            if (url.endsWith('/domains/example.com/records?page_size=500')) {
+                return { ok: true, status: 200, json: async () => ({ data: [] }) };
+            }
+            if (url.endsWith('/domains/example.com/records') && options.method === 'POST') {
+                return { ok: true, status: 200, json: async () => ({ id: 321 }) };
+            }
+            if (url.endsWith('/domains/example.com/records/321') && options.method === 'DELETE') {
+                return { ok: true, status: 204, json: async () => ({}) };
+            }
+            return { ok: false, status: 404, statusText: 'not mocked', text: async () => 'not mocked' };
+        };
+
+        const challenger = wrapper.create({
+            provider: 'linode',
+            linodeApiKey: 'fake-token',
+            verifyDnsBeforeContinue: false,
+            propagationDelay: 0,
+            dryRunDelay: 0
+        });
+
+        const opts = buildChallengeOpts();
+        await challenger.set(opts);
+        await challenger.remove(opts);
+
+        assert.ok(calls.some((c) => c.url.endsWith('/domains/example.com/records') && c.options.method === 'POST'));
+        assert.ok(calls.some((c) => c.url.endsWith('/domains/example.com/records/321') && c.options.method === 'DELETE'));
+    });
+
+    it('uses LINODE_API_KEY from environment', async () => {
+        process.env.LINODE_API_KEY = 'fake-linode-key';
+        const calls = [];
+        global.fetch = async (url, options = {}) => {
+            calls.push({ url, options });
+            if (url.endsWith('/domains/example.com')) {
+                return { ok: true, status: 200, json: async () => ({}) };
+            }
+            if (url.endsWith('/domains/example.com/records?page_size=500')) {
+                return { ok: true, status: 200, json: async () => ({ data: [{ id: 111, type: 'TXT', name: '_acme-challenge', target: 'test-token' }] }) };
+            }
+            return { ok: true, status: 204, json: async () => ({}) };
+        };
+
+        const challenger = wrapper.create({
+            provider: 'linode',
+            verifyDnsBeforeContinue: false,
+            propagationDelay: 0,
+            dryRunDelay: 0
+        });
+
+        await challenger.set(buildChallengeOpts());
+        assert.ok(calls.length >= 2);
+        const authHeader = calls[0].options?.headers?.Authorization || '';
+        assert.ok(authHeader.startsWith('Bearer '));
+    });
+
+    it('falls back to parent zone when exact zone does not exist', async () => {
+        const calls = [];
+        global.fetch = async (url, options = {}) => {
+            calls.push({ url, options });
+            if (url.endsWith('/domains/sub.example.com')) {
+                return { ok: false, status: 404, statusText: 'Not Found', text: async () => 'not found' };
+            }
+            if (url.endsWith('/domains/example.com')) {
+                return { ok: true, status: 200, json: async () => ({}) };
+            }
+            if (url.endsWith('/domains/example.com/records?page_size=500')) {
+                return { ok: true, status: 200, json: async () => ({ data: [] }) };
+            }
+            if (url.endsWith('/domains/example.com/records') && options.method === 'POST') {
+                return { ok: true, status: 200, json: async () => ({ id: 654 }) };
+            }
+            if (url.endsWith('/domains/example.com/records/654') && options.method === 'DELETE') {
+                return { ok: true, status: 204, json: async () => ({}) };
+            }
+            return { ok: false, status: 404, statusText: 'not mocked', text: async () => 'not mocked' };
+        };
+
+        const challenger = wrapper.create({
+            provider: 'linode',
+            linodeApiKey: 'fake-token',
+            verifyDnsBeforeContinue: false,
+            propagationDelay: 0,
+            dryRunDelay: 0
+        });
+
+        const opts = {
+            challenge: {
+                altname: '*.sub.example.com',
+                dnsHost: '_acme-challenge.sub.example.com',
+                dnsAuthorization: 'fallback-token'
+            }
+        };
+
+        await challenger.set(opts);
+        await challenger.remove(opts);
+
+        const postCall = calls.find((c) => c.url.endsWith('/domains/example.com/records') && c.options.method === 'POST');
+        assert.ok(postCall, 'expected TXT create call on parent zone');
+        const payload = JSON.parse(postCall.options.body);
+        assert.strictEqual(payload.name, '_acme-challenge.sub');
+    });
+
+    it('falls back to manual when provider mode has no API key (default)', async () => {
+        const prevLinode = process.env.LINODE_API_KEY;
+        delete process.env.LINODE_API_KEY;
+        global.fetch = async () => ({ ok: true, status: 200, json: async () => ({}) });
+
+        try {
+            const challenger = wrapper.create({
+                provider: 'linode',
+                verifyDnsBeforeContinue: false,
+                propagationDelay: 0,
+                dryRunDelay: 0
+            });
+            await challenger.set(buildChallengeOpts());
+        } finally {
+            if (prevLinode === undefined) delete process.env.LINODE_API_KEY;
+            else process.env.LINODE_API_KEY = prevLinode;
+        }
+    });
+
+    it('throws when provider mode has no API key and strict mode is enabled', async () => {
+        const prevLinode = process.env.LINODE_API_KEY;
+        delete process.env.LINODE_API_KEY;
+        global.fetch = async () => ({ ok: true, status: 200, json: async () => ({}) });
+
+        try {
+            const challenger = wrapper.create({
+                provider: 'linode',
+                dnsApiFallbackToManual: false,
+                verifyDnsBeforeContinue: false,
+                propagationDelay: 0,
+                dryRunDelay: 0
+            });
+            await assert.rejects(
+                challenger.set(buildChallengeOpts()),
+                /Linode API key not configured/
+            );
+        } finally {
+            if (prevLinode === undefined) delete process.env.LINODE_API_KEY;
+            else process.env.LINODE_API_KEY = prevLinode;
+        }
+    });
+
+    it('uses configured TXT TTL when creating Linode records', async () => {
+        const calls = [];
+        global.fetch = async (url, options = {}) => {
+            calls.push({ url, options });
+            if (url.endsWith('/domains/example.com')) {
+                return { ok: true, status: 200, json: async () => ({}) };
+            }
+            if (url.endsWith('/domains/example.com/records?page_size=500')) {
+                return { ok: true, status: 200, json: async () => ({ data: [] }) };
+            }
+            if (url.endsWith('/domains/example.com/records') && options.method === 'POST') {
+                return { ok: true, status: 200, json: async () => ({ id: 222 }) };
+            }
+            return { ok: true, status: 204, json: async () => ({}) };
+        };
+
+        const challenger = wrapper.create({
+            provider: 'linode',
+            linodeApiKey: 'fake-token',
+            txtRecordTtl: 300,
+            verifyDnsBeforeContinue: false,
+            propagationDelay: 0,
+            dryRunDelay: 0
+        });
+
+        await challenger.set(buildChallengeOpts());
+        const postCall = calls.find((c) => c.url.endsWith('/domains/example.com/records') && c.options.method === 'POST');
+        assert.ok(postCall, 'expected TXT create call');
+        const payload = JSON.parse(postCall.options.body);
+        assert.strictEqual(payload.ttl_sec, 300);
+    });
+
+    it('auto-enables Linode provider when API key is present', async () => {
+        process.env.LINODE_API_KEY = 'fake-token';
+        const calls = [];
+        global.fetch = async (url, options = {}) => {
+            calls.push({ url, options });
+            if (url.endsWith('/domains/example.com')) {
+                return { ok: true, status: 200, json: async () => ({}) };
+            }
+            if (url.endsWith('/domains/example.com/records?page_size=500')) {
+                return { ok: true, status: 200, json: async () => ({ data: [{ id: 111, type: 'TXT', name: '_acme-challenge', target: 'test-token' }] }) };
+            }
+            return { ok: true, status: 204, json: async () => ({}) };
+        };
+
+        const challenger = wrapper.create({
+            verifyDnsBeforeContinue: false,
+            propagationDelay: 0,
+            dryRunDelay: 0
+        });
+
+        await challenger.set(buildChallengeOpts());
+        assert.ok(calls.length >= 2);
+    });
+
+    it('falls back to manual flow when Linode API fails', async () => {
+        let fetchCalls = 0;
+        global.fetch = async () => {
+            fetchCalls += 1;
+            return { ok: false, status: 404, statusText: 'Not Found', text: async () => 'not found' };
+        };
+
+        const challenger = wrapper.create({
+            provider: 'linode',
+            linodeApiKey: 'fake-token',
+            dnsApiFallbackToManual: true,
+            verifyDnsBeforeContinue: false,
+            propagationDelay: 0,
+            dryRunDelay: 0
+        });
+
+        await challenger.set(buildChallengeOpts());
+        assert.ok(fetchCalls > 0);
+    });
+});

package/vendor/acme-dns-01-cli-wrapper.js

@@ -3,6 +3,19 @@
 const legacyCli = require('acme-dns-01-cli');
 const log = require('lemonlog')('acme-dns-01');
 const dns = require('node:dns').promises;
+let envFileLoadAttempted = false;
+
+function loadEnvFileSafely() {
+    if (envFileLoadAttempted) return;
+    envFileLoadAttempted = true;
+    try {
+        if (typeof process.loadEnvFile === 'function') {
+            process.loadEnvFile();
+        }
+    } catch {
+        // Ignore missing .env or unsupported runtime behavior.
+    }
+}
 
 function toPromise(fn, context) {
     if (typeof fn !== 'function') {
@@ -41,6 +54,7 @@ function toPromise(fn, context) {
 }
 
 module.exports.create = function create(config = {}) {
+    loadEnvFileSafely();
     const challenger = legacyCli.create(config);
     const propagationDelay = Number.isFinite(config.propagationDelay)
         ? config.propagationDelay
@@ -106,6 +120,21 @@ module.exports.create = function create(config = {}) {
         resolver.setServers([server]);
         return { server, resolver };
     });
+    const normalizeProvider = (value) => String(value || '').trim().toLowerCase();
+    const configuredProvider = normalizeProvider(
+        config.provider
+        || process.env.ROSTER_DNS_PROVIDER
+        || (config.linodeApiKey || process.env.LINODE_API_KEY ? 'linode' : '')
+    );
+    const isLinodeProvider = configuredProvider === 'linode';
+    const dnsApiFallbackToManual = config.dnsApiFallbackToManual !== undefined
+        ? parseBool(config.dnsApiFallbackToManual, true)
+        : parseBool(process.env.ROSTER_DNS_API_FALLBACK_TO_MANUAL, true);
+    const linodeApiKey = config.linodeApiKey
+        || process.env.LINODE_API_KEY
+        || '';
+    const linodeApiBase = String(config.linodeApiBase || process.env.LINODE_API_BASE_URL || 'https://api.linode.com/v4').replace(/\/+$/, '');
+    const txtRecordTtl = Number.isFinite(config.txtRecordTtl) ? Math.max(30, Number(config.txtRecordTtl)) : 60;
 
     function sleep(ms) {
         return new Promise((resolve) => setTimeout(resolve, ms));
@@ -169,6 +198,120 @@ module.exports.create = function create(config = {}) {
 
     const presentedByHost = new Map();
     const presentedByAltname = new Map();
+    const linodeTxtRecordsByHost = new Map();
+
+    function buildZoneCandidates({ dnsHost, altname }) {
+        const candidates = new Set();
+        const add = (value) => {
+            const normalized = String(value || '').replace(/\.$/, '').toLowerCase();
+            if (!normalized) return;
+            const labels = normalized.split('.').filter(Boolean);
+            for (let i = 0; i <= labels.length - 2; i += 1) {
+                candidates.add(labels.slice(i).join('.'));
+            }
+        };
+
+        if (dnsHost) {
+            const normalizedDnsHost = String(dnsHost).replace(/^_acme-challenge\./, '').replace(/^_greenlock-[^.]+\./, '');
+            add(normalizedDnsHost);
+        }
+        if (altname) {
+            add(String(altname).replace(/^\*\./, ''));
+        }
+        return Array.from(candidates);
+    }
+
+    function linodeRecordNameForHost(dnsHost, zone) {
+        const host = String(dnsHost || '').replace(/\.$/, '').toLowerCase();
+        const normalizedZone = String(zone || '').replace(/\.$/, '').toLowerCase();
+        if (!host || !normalizedZone) return '';
+        if (host === normalizedZone) return '';
+        if (!host.endsWith(`.${normalizedZone}`)) return '';
+        return host.slice(0, host.length - normalizedZone.length - 1);
+    }
+
+    async function linodeRequest(pathname, method = 'GET', body) {
+        const apiKey = String(linodeApiKey || '').trim();
+        if (!apiKey) {
+            throw new Error('Linode API key not configured. Set LINODE_API_KEY.');
+        }
+        if (typeof fetch !== 'function') {
+            throw new Error('Global fetch is unavailable in this runtime; cannot call Linode DNS API.');
+        }
+        const response = await fetch(`${linodeApiBase}${pathname}`, {
+            method,
+            headers: {
+                Authorization: `Bearer ${apiKey}`,
+                'Content-Type': 'application/json'
+            },
+            ...(body ? { body: JSON.stringify(body) } : {})
+        });
+
+        if (!response.ok) {
+            let details = '';
+            try {
+                details = await response.text();
+            } catch {
+                details = '';
+            }
+            throw new Error(`Linode API ${method} ${pathname} failed (${response.status}): ${details || response.statusText}`);
+        }
+        if (response.status === 204) return null;
+        return response.json();
+    }
+
+    async function linodeUpsertTxtRecord(dnsHost, dnsAuthorization, altname) {
+        const zoneCandidates = buildZoneCandidates({ dnsHost, altname });
+        let lastError = null;
+
+        for (const zone of zoneCandidates) {
+            try {
+                await linodeRequest(`/domains/${encodeURIComponent(zone)}`, 'GET');
+            } catch (error) {
+                lastError = error;
+                continue;
+            }
+
+            const recordName = linodeRecordNameForHost(dnsHost, zone);
+            if (!recordName && dnsHost !== zone) continue;
+
+            const recordsResult = await linodeRequest(`/domains/${encodeURIComponent(zone)}/records?page_size=500`, 'GET');
+            const existing = Array.isArray(recordsResult?.data) ? recordsResult.data : [];
+            const sameRecord = existing.find((record) =>
+                record?.type === 'TXT'
+                && String(record?.name || '') === String(recordName || '')
+                && String(record?.target || '') === String(dnsAuthorization || '')
+            );
+
+            if (sameRecord && sameRecord.id) {
+                linodeTxtRecordsByHost.set(dnsHost, { zone, id: sameRecord.id });
+                return { zone, id: sameRecord.id, reused: true };
+            }
+
+            const created = await linodeRequest(`/domains/${encodeURIComponent(zone)}/records`, 'POST', {
+                type: 'TXT',
+                name: recordName,
+                target: dnsAuthorization,
+                ttl_sec: txtRecordTtl
+            });
+
+            if (created?.id) {
+                linodeTxtRecordsByHost.set(dnsHost, { zone, id: created.id });
+                return { zone, id: created.id, reused: false };
+            }
+        }
+
+        if (lastError) throw lastError;
+        throw new Error(`Unable to map ${dnsHost} to a Linode DNS zone`);
+    }
+
+    async function linodeRemoveTxtRecord(dnsHost) {
+        const stored = linodeTxtRecordsByHost.get(dnsHost);
+        if (!stored?.zone || !stored?.id) return false;
+        await linodeRequest(`/domains/${encodeURIComponent(stored.zone)}/records/${stored.id}`, 'DELETE');
+        linodeTxtRecordsByHost.delete(dnsHost);
+        return true;
+    }
 
     async function setChallenge(opts) {
         const ch = opts?.challenge || {};
@@ -184,6 +327,26 @@ module.exports.create = function create(config = {}) {
         if (altname && dnsAuth) {
             presentedByAltname.set(altname, { dnsHost, dnsAuthorization: dnsAuth });
         }
+        if (isLinodeProvider && dnsHost && dnsAuth) {
+            try {
+                const result = await linodeUpsertTxtRecord(dnsHost, dnsAuth, altname);
+                log.info(
+                    `Linode DNS TXT ${result?.reused ? 'reused' : 'created'} for ${dnsHost}` +
+                    (result?.zone ? ` (zone ${result.zone})` : '')
+                );
+            } catch (error) {
+                const errorMsg = error?.message || error;
+                if (dnsApiFallbackToManual) {
+                    log.warn(
+                        `Linode DNS API failed for ${dnsHost}: ${errorMsg}. ` +
+                        'Falling back to manual/legacy DNS flow for this challenge.'
+                    );
+                } else {
+                    log.error(`Failed to create Linode DNS TXT for ${dnsHost}: ${errorMsg}`);
+                    throw error;
+                }
+            }
+        }
         const isDryRunChallenge = dnsHost.includes('_greenlock-dryrun-');
         const effectiveDelay = isDryRunChallenge
             ? Math.max(0, dryRunDelay)
@@ -218,8 +381,10 @@ module.exports.create = function create(config = {}) {
         }
 
         log.info(
-            'Non-interactive mode (or autoContinue) detected. ' +
-            'Set the TXT record now. Continuing automatically in ' +
+            (isLinodeProvider
+                ? 'Automatic DNS provider mode detected.'
+                : 'Non-interactive mode (or autoContinue) detected. Set the TXT record now.') +
+            ' Continuing automatically in ' +
             effectiveDelay +
             'ms...'
         );
@@ -254,10 +419,34 @@ module.exports.create = function create(config = {}) {
         };
     }
 
+    async function removeChallenge(opts) {
+        const ch = opts?.challenge || {};
+        const altname = String(ch.altname || opts?.altname || '');
+        const wildcardZone = altname.startsWith('*.') ? altname.slice(2) : '';
+        const dnsHostFromAltname = wildcardZone ? `_acme-challenge.${wildcardZone}` : '';
+        const dnsHost = String(ch.dnsHost || opts?.dnsHost || dnsHostFromAltname || '');
+
+        if (isLinodeProvider && dnsHost) {
+            try {
+                const removed = await linodeRemoveTxtRecord(dnsHost);
+                if (removed) {
+                    log.info(`Linode DNS TXT removed for ${dnsHost}`);
+                }
+                return null;
+            } catch (error) {
+                log.warn(`Failed to remove Linode DNS TXT for ${dnsHost}: ${error?.message || error}`);
+                return null;
+            }
+        }
+
+        const legacyRemove = toPromise(challenger.remove, challenger);
+        return legacyRemove(opts);
+    }
+
     const wrapped = {
         propagationDelay,
         set: setChallenge,
-        remove: toPromise(challenger.remove, challenger),
+        remove: removeChallenge,
         get: getChallenge,
         zones: async (opts) => {
             const dnsHost =

package/.claude/settings.local.json

@@ -1,11 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(node:*)",
-      "Bash(timeout:*)",
-      "Bash(rm:*)",
-      "Bash(git checkout:*)"
-    ],
-    "deny": []
-  }
-}