
Avoid multiple TLS certificates for the same server name #7383

@DavidePrincipi

Description


A request for a new TLS certificate can be initiated during app configuration (implicitly), during manual HTTP route creation, or from the TLS certificates page. This may happen:

  1. Implicitly, when a web app is configured and an HTTP route is created by a set-route action call.
  2. Implicitly, when an app like Mail or NethVoice Proxy is configured and it calls the set-certificate action.
  3. Implicitly, when a manual HTTP route is created with the Let's Encrypt switch enabled.
  4. From the TLS certificates page, when the sysadmin clicks the Request certificate button (invoking the set-certificate action).

The current issue is that certificates obtained by scenarios 1, 2, and 3 are not visible on the TLS certificates page. As a result, the sysadmin might run step 4 unnecessarily, which leads to a non-optimal configuration.

The TLS certificates page currently lists the server names included in the default Traefik certificate (if obtained via the acmeServer provider) and the main subject name of uploaded certificates.

Proposed solution

  • Make the Upload certificate button the primary page action and move it to the left. Downgrade the Request certificate button to a secondary action.
  • Prevent multiple certificates for the same name with a validation check in the Request certificate procedure. The check must be bypassable.
  • Display ACME errors in the Request certificate validation procedure using inline notifications.
  • On the HTTP routes page, display the host+path as a URL-like string replacing the current Name column value. Since this URL may not be unique (unlike the Name value), the original Name should remain accessible via another column or a tooltip.
  • Ensure that existing applications execute the set-route action as a visible Task toast-notification, so that the sysadmin can see its success or failure.
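One way to implement the duplicate-name validation described above, as an added example that is not NethServer code: it models the two sources of names the TLS certificates page already knows about (the server names of the default ACME certificate and the subject name of each uploaded certificate), reports which requested names are already covered and by what, and lets the sysadmin bypass the check explicitly with a `force` flag. The data structures, the `source` labels, the function names and the wildcard-matching rule are assumptions made for this example; the sample certificate data is constructed.

```python
"""Duplicate-server-name check for a "Request certificate" procedure.

Added example, not NethServer code. Field names, the "source" labels and the
wildcard rule are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class KnownCertificate:
    source: str         # assumed labels: "acme-default" or "uploaded"
    names: Set[str]     # SANs of the ACME cert, or the uploaded cert's subject


@dataclass
class ValidationResult:
    allowed: bool                     # may the request proceed?
    names: List[str]                  # normalized names to request
    conflicts: Dict[str, List[str]]   # name -> sources already covering it
    bypassed: bool = False            # True when conflicts were overridden


def normalize(name: str) -> str:
    """Lower-case, strip whitespace and a trailing dot (DNS names are case-insensitive)."""
    return name.strip().rstrip(".").lower()


def name_is_covered(name: str, cert_name: str) -> bool:
    """True when cert_name (exact or '*.' wildcard) covers name.

    Wildcard rule (assumed, modelled on RFC 6125 section 6.4.3): '*.example.org'
    matches 'www.example.org' but neither 'example.org' nor 'a.b.example.org'.
    """
    name, cert_name = normalize(name), normalize(cert_name)
    if name == cert_name:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                  # ".example.org"
        if name.endswith(suffix):
            leftmost = name[: -len(suffix)]
            return bool(leftmost) and "." not in leftmost
    return False


def find_conflicts(requested, known) -> Dict[str, List[str]]:
    """Map each requested name to the certificate sources that already cover it."""
    conflicts: Dict[str, List[str]] = {}
    for raw in requested:
        name = normalize(raw)
        sources = [c.source for c in known
                   if any(name_is_covered(name, n) for n in c.names)]
        if sources:
            conflicts[name] = sources
    return conflicts


def validate_request(requested, known, force=False) -> ValidationResult:
    """Reject a request for names that are already covered unless force=True."""
    names = [normalize(n) for n in requested]
    conflicts = find_conflicts(names, known)
    if conflicts and not force:
        return ValidationResult(False, names, conflicts)
    return ValidationResult(True, names, conflicts, bypassed=bool(conflicts))


# Constructed sample data, not taken from a real system.
SAMPLE_KNOWN = [
    KnownCertificate("acme-default", {"mail.example.org", "www.example.org"}),
    KnownCertificate("uploaded", {"*.lab.example.org"}),
]

if __name__ == "__main__":
    result = validate_request(
        ["mail.example.org", "voice.lab.example.org", "new.example.org"], SAMPLE_KNOWN)
    print("allowed:", result.allowed)
    for name, sources in result.conflicts.items():
        print(f"  {name} is already covered by: {', '.join(sources)}")
```

In a real implementation the `names` sets would be filled from the ACME provider's stored certificate and from parsing the uploaded certificates; this example takes them as plain sets so it runs offline. The `bypassed` flag is kept in the result so the UI can still show the inline warning after the sysadmin overrides the check.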


Alternative solutions

After this mitigation round, a major rework of the HTTP routes and TLS certificates pages is still desired to improve the overall UX.

Thanks to @Amygos @AmaLuci @andre8244 @nrauso

Metadata

Labels: milestone goal (this describes an announced milestone goal); verified (all test cases were verified successfully)

Status: Done
