summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2020-12-15 12:16:04 -0700
committerMatthew Holt <mholt@users.noreply.github.com>2020-12-15 12:16:04 -0700
commite384f07a3ce91ddbc8c4d4344f03a0dafe3df9f3 (patch)
tree8e68b638a579c857328003a732fc07907b7e100a
parent132525de3bfd6acb16f8628fa057cb03e102a177 (diff)
caddytls: Improve alt chain preference settings
This allows for finer-grained control when choosing alternate chains than simply the previous/Certbot-esque behavior of "choose first chain that contains an issuer's common name." This update allows you to sort by length (if optimizing for efficiency on the wire) and also to select the chain with a specific root CommonName.
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--modules/caddytls/acmeissuer.go34
3 files changed, 32 insertions, 8 deletions
diff --git a/go.mod b/go.mod
index 57df139..f116149 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
github.com/Masterminds/sprig/v3 v3.1.0
github.com/alecthomas/chroma v0.8.2
github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a
- github.com/caddyserver/certmagic v0.12.1-0.20201209195841-b726d1ed13c3
+ github.com/caddyserver/certmagic v0.12.1-0.20201215190346-201f83a06067
github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
github.com/go-chi/chi v4.1.2+incompatible
github.com/google/cel-go v0.6.0
diff --git a/go.sum b/go.sum
index d8e38cf..27dab3b 100644
--- a/go.sum
+++ b/go.sum
@@ -85,8 +85,8 @@ github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTK
github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
-github.com/caddyserver/certmagic v0.12.1-0.20201209195841-b726d1ed13c3 h1:NW/7kFV4p6VLwG5eQa6ECivSqxAO0MmnAsAV7esFp0o=
-github.com/caddyserver/certmagic v0.12.1-0.20201209195841-b726d1ed13c3/go.mod h1:tr26xh+9fY5dN0J6IPAlMj07qpog22PJKa7Nw7j835U=
+github.com/caddyserver/certmagic v0.12.1-0.20201215190346-201f83a06067 h1:gpjCX6/8hHRgVXxy1v2AQdoAX6XRXIA8fBUZtEpnVg0=
+github.com/caddyserver/certmagic v0.12.1-0.20201215190346-201f83a06067/go.mod h1:tr26xh+9fY5dN0J6IPAlMj07qpog22PJKa7Nw7j835U=
github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 7c79c7e..df071c4 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -74,10 +74,11 @@ type ACMEIssuer struct {
// is internal or for development/testing purposes.
TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"`
- // List of preferred certificate chains, by issuer's CommonName. If empty,
- // or if no matching chain is found, the first chain offered by the server
- // will be used.
- PreferredChains []string `json:"preferred_chains,omitempty"`
+ // Preferences for selecting alternate certificate chains, if offered
+ // by the CA. By default, the first offered chain will be selected.
+ // If configured, the chains may be sorted and the first matching chain
+ // will be selected.
+ PreferredChains *ChainPreference `json:"preferred_chains,omitempty"`
rootPool *x509.CertPool
template certmagic.ACMEManager
@@ -163,7 +164,6 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
CertObtainTimeout: time.Duration(iss.ACMETimeout),
TrustedRoots: iss.rootPool,
ExternalAccount: iss.ExternalAccount,
- PreferredChains: iss.PreferredChains,
Logger: iss.logger,
}
@@ -182,6 +182,14 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
template.ListenHost = iss.Challenges.BindHost
}
+ if iss.PreferredChains != nil {
+ template.PreferredChains = certmagic.ChainPreference{
+ Smallest: iss.PreferredChains.Smallest,
+ AnyCommonName: iss.PreferredChains.AnyCommonName,
+ RootCommonName: iss.PreferredChains.RootCommonName,
+ }
+ }
+
return template, nil
}
@@ -407,6 +415,22 @@ func onDemandAskRequest(ask string, name string) error {
return nil
}
+// ChainPreference describes the client's preferred certificate chain,
+// useful if the CA offers alternate chains. The first matching chain
+// will be selected.
+type ChainPreference struct {
+ // Prefer chains with the fewest number of bytes.
+ Smallest *bool `json:"smallest,omitempty"`
+
+ // Select first chain having a root with one of
+ // these common names.
+ RootCommonName []string `json:"root_common_name,omitempty"`
+
+ // Select first chain that has any issuer with one
+ // of these common names.
+ AnyCommonName []string `json:"any_common_name,omitempty"`
+}
+
// Interface guards
var (
_ certmagic.PreChecker = (*ACMEIssuer)(nil)