summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRan Chen <crccw@google.com>2022-03-09 03:03:43 +0800
committerGitHub <noreply@github.com>2022-03-08 12:03:43 -0700
commitd9b1d463259a6f8f520edd6659dac11218c82b4e (patch)
treea48f08560bf50c9b416b2858f1528422d52c2e8b
parentc8f2834b514f8bfb405c11be53d60a6cfc5228ca (diff)
caddytls: dns_challenge_override_domain for challenge delegation (#4596)
* Add a override_domain option to allow DNS chanllenge delegation CNAME can be used to delegate answering the chanllenge to another DNS zone. One usage is to reduce the exposure of the DNS credential [1]. Based on the discussion in caddy/certmagic#160, we are adding an option to allow the user explicitly specify the domain to delegate, instead of following the CNAME chain. This needs caddy/certmagic#160. * rename override_domain to dns_challenge_override_domain * Update CertMagic; fix spelling Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
-rw-r--r--caddyconfig/httpcaddyfile/builtins.go16
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--modules/caddytls/acmeissuer.go14
-rw-r--r--modules/caddytls/automation.go5
5 files changed, 38 insertions, 3 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index 2606bf3..e1430d0 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -362,6 +362,22 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
}
acmeIssuer.Challenges.DNS.Resolvers = args
+ case "dns_challenge_override_domain":
+ arg := h.RemainingArgs()
+ if len(arg) != 1 {
+ return nil, h.ArgErr()
+ }
+ if acmeIssuer == nil {
+ acmeIssuer = new(caddytls.ACMEIssuer)
+ }
+ if acmeIssuer.Challenges == nil {
+ acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
+ }
+ if acmeIssuer.Challenges.DNS == nil {
+ acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
+ }
+ acmeIssuer.Challenges.DNS.OverrideDomain = arg[0]
+
case "ca_root":
arg := h.RemainingArgs()
if len(arg) != 1 {
diff --git a/go.mod b/go.mod
index 9433f0f..511d2a8 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
github.com/Masterminds/sprig/v3 v3.2.2
github.com/alecthomas/chroma v0.10.0
github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
- github.com/caddyserver/certmagic v0.15.4-0.20220217213750-797d29bcf32f
+ github.com/caddyserver/certmagic v0.15.4
github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
github.com/fsnotify/fsnotify v1.5.1 // indirect
github.com/go-chi/chi v4.1.2+incompatible
diff --git a/go.sum b/go.sum
index 20acd7b..2107d53 100644
--- a/go.sum
+++ b/go.sum
@@ -189,8 +189,8 @@ github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl
github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw=
-github.com/caddyserver/certmagic v0.15.4-0.20220217213750-797d29bcf32f h1:sdjilRh0dxXpofiwDSFU7itmxuXetKB6xWd+lNRVq9s=
-github.com/caddyserver/certmagic v0.15.4-0.20220217213750-797d29bcf32f/go.mod h1:qhkAOthf72ufAcp3Y5jF2RaGE96oip3UbEQRIzwe3/8=
+github.com/caddyserver/certmagic v0.15.4 h1:kz//9+Z/xw197jtIBxxUDub8pQi9gcYvhXk5Ouw2EkM=
+github.com/caddyserver/certmagic v0.15.4/go.mod h1:qhkAOthf72ufAcp3Y5jF2RaGE96oip3UbEQRIzwe3/8=
github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMSc6E5ydlp5NIonxObaeu/Iub/X03EKPVYo=
github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 42cef02..48a961f 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -144,6 +144,7 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
TTL: time.Duration(iss.Challenges.DNS.TTL),
PropagationTimeout: time.Duration(iss.Challenges.DNS.PropagationTimeout),
Resolvers: iss.Challenges.DNS.Resolvers,
+ OverrideDomain: iss.Challenges.DNS.OverrideDomain,
}
}
}
@@ -417,6 +418,19 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return d.ArgErr()
}
+ case "dns_challenge_override_domain":
+ arg := d.RemainingArgs()
+ if len(arg) != 1 {
+ return d.ArgErr()
+ }
+ if iss.Challenges == nil {
+ iss.Challenges = new(ChallengesConfig)
+ }
+ if iss.Challenges.DNS == nil {
+ iss.Challenges.DNS = new(DNSChallengeConfig)
+ }
+ iss.Challenges.DNS.OverrideDomain = arg[0]
+
case "preferred_chains":
chainPref, err := ParseCaddyfilePreferredChainsOptions(d)
if err != nil {
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 95b1772..eb97c82 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -370,6 +370,11 @@ type DNSChallengeConfig struct {
// Often necessary to configure when using split-horizon DNS.
Resolvers []string `json:"resolvers,omitempty"`
+ // Override the domain to use for the DNS challenge. This
+ // is to delegate the challenge to a different domain,
+ // e.g. one that updates faster or one with a provider API.
+ OverrideDomain string `json:"override_domain,omitempty"`
+
solver acmez.Solver
}