From 01a180362514a2e9ba29339ccf384a08e8a4aed3 Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Mon, 15 Nov 2021 23:28:19 -0800
Subject: [PATCH] provision: delay initialization of secrets until provision time

when we create the DO 1-click image, the key also gets snapshotted.

https://community.letsencrypt.org/t/receiving-expiration-emails-for-dozens-of-domains/165441
---
 src/nginxconfig.ejs | 3 +++
 src/provision.js | 2 ++
 src/server.js | 2 --
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index 193fefdaf..d5ae56994 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -87,7 +87,10 @@ server {
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256;
 ssl_prefer_server_ciphers off;
+ # dhparams is generated only after dns setup
+<% if (endpoint !== 'ip' && endpoint !== 'setup') { -%>
 ssl_dhparam /home/yellowtent/platformdata/dhparams.pem;
+<% } -%>
 add_header Strict-Transport-Security "max-age=63072000";
 <% if ( ocsp ) { -%>
diff --git a/src/provision.js b/src/provision.js
index a3f3271e3..9a15a941e 100644
--- a/src/provision.js
+++ b/src/provision.js
@@ -10,6 +10,7 @@ exports = module.exports = {
 const assert = require('assert'),
 backups = require('./backups.js'),
 backuptask = require('./backuptask.js'),
+ blobs = require('./blobs.js'),
 BoxError = require('./boxerror.js'),
 branding = require('./branding.js'),
 constants = require('./constants.js'),
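Review bot: The new guard removes `ssl_dhparam` for the 'ip' and 'setup' endpoints while the `ssl_ciphers` line two lines above still lists DHE-RSA suites; nginx handles that by never negotiating the DHE-* suites (the ECDHE suites remain), so the pre-provision listener is not weakened, but the comment should say so because a reader may assume nginx falls back to built-in parameters. The condition keys on two endpoint names rather than on whether the file is present, so any future endpoint value that is also served before provisioning would make nginx reject its config on a missing dhparams.pem; consider making the dependency explicit: `# dhparams.pem only exists after provisioning; without ssl_dhparam nginx disables the DHE-* suites listed in ssl_ciphers`. Where the file is generated is not visible in this hunk — presumably the blobs.initSecrets() call this commit moves into provision.js — so confirming that and naming it in the comment would help.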
@@ -61,6 +62,7 @@ async function setupTask(domain, auditSource) {
 assert.strictEqual(typeof auditSource, 'object');
 try {
+ await blobs.initSecrets();
 await cloudron.setupDnsAndCert(constants.DASHBOARD_LOCATION, domain, auditSource, (progress) => setProgress('setup', progress.message));
 await cloudron.setDashboardDomain(domain, auditSource);
 setProgress('setup', 'Done'),
diff --git a/src/server.js b/src/server.js
index 9ae0a1fe8..4b3ed03ce 100644
--- a/src/server.js
+++ b/src/server.js
@@ -6,7 +6,6 @@ exports = module.exports = {
 };
 const assert = require('assert'),
- blobs = require('./blobs.js'),
 cloudron = require('./cloudron.js'),
 constants = require('./constants.js'),
 database = require('./database.js'),
@@ -380,7 +379,6 @@ async function start() {
 await database.initialize();
 await settings.initCache(); // pre-load very often used settings
- await blobs.initSecrets();
 await cloudron.initialize();
 await util.promisify(gHttpServer.listen.bind(gHttpServer))(constants.PORT, '127.0.0.1');
 await safe(eventlog.add(eventlog.ACTION_START, { userId: null, username: 'boot' }, { version: constants.VERSION })); // can fail if db down
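Review bot: `await blobs.initSecrets()` now runs on every call of setupTask, so if the task can be re-run (a failed or repeated setup) the secrets — including the key the commit message says was being snapshotted — would be regenerated unless initSecrets() is a no-op when they already exist; that guard is not visible here and should be confirmed or added at the call site. With the boot-time call removed from server.js, any path that reads blobs-backed secrets before setupTask completes (this file also imports backups and backuptask, so a restore flow that bypasses setupTask is plausible) would now find them uninitialized, which is worth checking. A one-line why-comment would help the next reader: `// generated here rather than at boot so a pre-provision image/snapshot never bakes in a key`. setupTask's body and its catch block continue outside the hunk.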