authorVladimir Shushlin <v.shushlin@gmail.com>2019-05-16 22:17:09 +0300
committerVladimir Shushlin <v.shushlin@gmail.com>2019-05-16 22:17:09 +0300
commit06577af638d0a310cb976ea6ce893edde36747d0 (patch)
tree51ca4ad3aff093f2388b1096494206982ee04b3b
parent863ef93261daa970558a302ba05724df5739b090 (diff)
Generate Let's Encrypt private keyacme-private-key-application-settings
-rw-r--r--app/models/application_setting.rb6
-rw-r--r--lib/gitlab/lets_encrypt/client.rb13
-rw-r--r--spec/lib/gitlab/lets_encrypt/client_spec.rb27
-rw-r--r--spec/support/matchers/eq_pem.rb9
4 files changed, 54 insertions, 1 deletions
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index fb1e558e46c..bbe2d2e8fd4 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -257,6 +257,12 @@ class ApplicationSetting < ApplicationRecord
algorithm: 'aes-256-gcm',
encode: true
+ attr_encrypted :lets_encrypt_private_key,
+ mode: :per_attribute_iv,
+ key: Settings.attr_encrypted_db_key_base_truncated,
+ algorithm: 'aes-256-gcm',
+ encode: true
+
before_validation :ensure_uuid!
before_validation :strip_sentry_values
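Review bot: Nothing in this hunk keeps `lets_encrypt_private_key` out of the application-settings API serializer, `attributes`/`inspect` dumps or parameter logging, and whoever obtains this PEM can act as the instance's ACME account against Let's Encrypt; I cannot see from here whether the model's entities or filter settings already handle that, so it is worth confirming. A one-line comment above the declaration would make the sensitivity explicit for the next reader: `# ACME account private key; a secret — never expose it through the settings API, serializers or logs.` The encryption parameters mirror the preceding `attr_encrypted` block (aes-256-gcm, per-attribute IV, `Settings.attr_encrypted_db_key_base_truncated`), which is consistent. The class body continues outside the hunk.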
diff --git a/lib/gitlab/lets_encrypt/client.rb b/lib/gitlab/lets_encrypt/client.rb
index d7468b06767..33119452318 100644
--- a/lib/gitlab/lets_encrypt/client.rb
+++ b/lib/gitlab/lets_encrypt/client.rb
@@ -45,7 +45,7 @@ module Gitlab
end
def private_key
- @private_key ||= OpenSSL::PKey.read(Gitlab::Application.secrets.lets_encrypt_private_key)
+ @private_key ||= OpenSSL::PKey.read(Gitlab::CurrentSettings.lets_encrypt_private_key || generate_private_key)
end
def admin_email
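Review bot: `Gitlab::CurrentSettings.lets_encrypt_private_key || generate_private_key` only falls through to generation on `nil`; an empty string is truthy in Ruby, so a blank stored value is handed straight to `OpenSSL::PKey.read`, which raises instead of generating a fresh key. `.presence` covers both cases: `@private_key ||= OpenSSL::PKey.read(Gitlab::CurrentSettings.lets_encrypt_private_key.presence || generate_private_key)`. Whether a blank value can actually be saved depends on validations outside this hunk. The enclosing class starts before the hunk.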
@@ -69,6 +69,17 @@ module Gitlab
STAGING_DIRECTORY_URL
end
end
+
+ def generate_private_key
+ application_settings = Gitlab::CurrentSettings.current_application_settings
+ application_settings.with_lock do
+ unless application_settings.lets_encrypt_private_key
+ application_settings.update(lets_encrypt_private_key: OpenSSL::PKey::RSA.new(4096).to_pem)
+ end
+
+ application_settings.lets_encrypt_private_key
+ end
+ end
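Review bot: `application_settings.update(...)` inside the `with_lock` block discards its return value, so if the save fails validation the method still hands back the in-memory PEM, nothing is persisted, and each process (and each new `Client` once `@private_key` is gone) would register a different ACME account key for the same instance; `update!` makes that failure visible instead of silently producing a throwaway key. Generating a 4096-bit RSA key while holding the row lock also blocks every other writer to the singleton settings row for the duration of the keygen; generating the candidate first and only assigning it under the lock if the column is still empty keeps the critical section to a single write. The enclosing class and any `private` marker are outside the hunk, so I cannot tell whether `generate_private_key` is private; it should be.
```ruby
def generate_private_key
  application_settings = Gitlab::CurrentSettings.current_application_settings
  # Keygen is slow; do it outside the row lock so other settings writers are not blocked.
  candidate_pem = OpenSSL::PKey::RSA.new(4096).to_pem

  application_settings.with_lock do
    # Another process may have won the race; only the first writer's key is kept.
    application_settings.update!(lets_encrypt_private_key: candidate_pem) unless application_settings.lets_encrypt_private_key

    application_settings.lets_encrypt_private_key
  end
end
```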
end
end
end
diff --git a/spec/lib/gitlab/lets_encrypt/client_spec.rb b/spec/lib/gitlab/lets_encrypt/client_spec.rb
index 16a16acfd25..5b9e4e0b6ab 100644
--- a/spec/lib/gitlab/lets_encrypt/client_spec.rb
+++ b/spec/lib/gitlab/lets_encrypt/client_spec.rb
@@ -26,6 +26,33 @@ describe ::Gitlab::LetsEncrypt::Client do
)
end
+ it 'generates and stores private key and initialize acme client with it' do
+ expect(Gitlab::CurrentSettings.lets_encrypt_private_key).to eq(nil)
+
+ subject
+
+ saved_private_key = Gitlab::CurrentSettings.lets_encrypt_private_key
+
+ expect(saved_private_key).to be
+ expect(Acme::Client).to have_received(:new).with(
+ hash_including(private_key: eq_pem(saved_private_key))
+ )
+ end
+
+ context 'when private key is saved in settings' do
+ let!(:saved_private_key) do
+ key = OpenSSL::PKey::RSA.new(4096)
+ Gitlab::CurrentSettings.current_application_settings.update(lets_encrypt_private_key: key.to_pem)
+ key
+ end
+
+ it 'uses current value of private key' do
+ subject
+
+ expect(Gitlab::CurrentSettings.lets_encrypt_private_key).to eq(saved_private_key.to_pem)
+ end
+ end
+
context 'when acme integration is disabled' do
before do
stub_application_setting(lets_encrypt_terms_of_service_accepted: false)
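Review bot: `OpenSSL::PKey::RSA.new(4096)` in `let!(:saved_private_key)` runs a full 4096-bit keygen only to produce a PEM string that the example compares by equality; a 2048-bit key, or a fixed PEM fixture, would exercise the same path and shave seconds off every run of this spec. Neither example checks that a second `Client` instance reuses the stored key rather than generating a new one, which is the property the `with_lock` block in `generate_private_key` exists to guarantee; an example along the lines of `expect { described_class.new }.not_to change { Gitlab::CurrentSettings.lets_encrypt_private_key }` after a first `subject` call would pin it. The `describe` block starts and ends outside the hunk.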
diff --git a/spec/support/matchers/eq_pem.rb b/spec/support/matchers/eq_pem.rb
new file mode 100644
index 00000000000..69ea6eb4df8
--- /dev/null
+++ b/spec/support/matchers/eq_pem.rb
@@ -0,0 +1,9 @@
+RSpec::Matchers.define :eq_pem do |expected_pem_string|
+ match do |actual|
+ actual.to_pem == expected_pem_string
+ end
+
+ description do
+ "contain pem #{expected_pem_string}"
+ end
+end
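Review bot: `actual.to_pem` in the `match` block raises `NoMethodError` when the received value is not a PKey (a String PEM, or `nil` when the keyword was not passed), turning an expectation failure into an exception with no diff output. Guarding it keeps the failure readable: `actual.respond_to?(:to_pem) && actual.to_pem == expected_pem_string`. Since the matcher is used inside `hash_including`, a `failure_message` quoting both PEMs would also help; as a new Ruby file it should start with `# frozen_string_literal: true`.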