author | Matthew Holt <mholt@users.noreply.github.com> | 2021-02-26 19:27:58 -0700 |
committer | Matthew Holt <mholt@users.noreply.github.com> | 2021-02-26 19:27:58 -0700 |
commit | ec309c6d52fdfce0431a1303a49f28c3f546176a (patch) | |
tree | cd393f46fe81728937c196a444a9483c73d44614 | |
parent | ce5a0934a89aabf1bc145ed0100df5f889b7dd74 (diff) |
caddypki: Add SignWithRoot option for ACME server
See https://caddy.community/t/setting-up-a-caddy-pki-based-on-a-windows-root-ca-was-getting-pki-config/11616/7
Also improved a godoc comment in the caddytls package.
-rw-r--r-- | modules/caddypki/acmeserver/acmeserver.go | 8 | ||||
-rw-r--r-- | modules/caddytls/tls.go | 13 |
2 files changed, 16 insertions, 5 deletions
diff --git a/modules/caddypki/acmeserver/acmeserver.go b/modules/caddypki/acmeserver/acmeserver.go
index d5e5559..f5c013b 100644
--- a/modules/caddypki/acmeserver/acmeserver.go
+++ b/modules/caddypki/acmeserver/acmeserver.go
@@ -66,6 +66,13 @@ type Handler struct {
 	// on this property long-term; check release notes.
 	PathPrefix string `json:"path_prefix,omitempty"`
 
+	// If true, the CA's root will be the issuer instead of
+	// the intermediate. This is NOT recommended and should
+	// only be used when devices/clients do not properly
+	// validate certificate chains. EXPERIMENTAL: Might be
+	// changed or removed in the future.
+	SignWithRoot bool `json:"sign_with_root,omitempty"`
+
 	acmeEndpoints http.Handler
 	logger *zap.Logger
 }
@@ -109,6 +116,7 @@ func (ash *Handler) Provision(ctx caddy.Context) error {
 	}
 
 	authorityConfig := caddypki.AuthorityConfig{
+		SignWithRoot: ash.SignWithRoot,
 		AuthConfig: &authority.AuthConfig{
 			Provisioners: provisioner.List{
 				&provisioner.ACME{
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 51c4cab..31b13fb 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
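Review bot: Setting `SignWithRoot` makes the root CA's private key sign every leaf certificate, which defeats the purpose of the root/intermediate split — the root key then has to be available to the online ACME issuance path and a compromise or rotation of it invalidates every certificate ever issued — yet the new field comment only says "NOT recommended" and the `Provision` hunk wires the flag through silently. The comment should name the consequence, e.g. `// Signing with the root keeps the root private key on the online issuance path and ties every leaf to the root's lifetime; prefer fixing chain validation on the client.` The `Provision` hunk should also surface the choice at startup, e.g. `if ash.SignWithRoot { ash.logger.Warn("sign_with_root is enabled; leaf certificates will be issued directly by the root CA key") }` next to the `authorityConfig` literal, assuming `ash.logger` is initialized earlier in Provision, which starts and ends outside this hunk.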
@@ -478,11 +478,14 @@ type Certificate struct {
 	Tags []string
 }
 
-// AutomateLoader is a no-op certificate loader module
-// that is treated as a special case: it uses this app's
-// automation features to load certificates for the
-// list of hostnames, rather than loading certificates
-// manually.
+// AutomateLoader will automatically manage certificates for the names
+// in the list, including obtaining and renewing certificates. Automated
+// certificates are managed according to their matching automation policy,
+// configured elsewhere in this app.
+//
+// This is a no-op certificate loader module that is treated as a special
+// case: it uses this app's automation features to load certificates for the
+// list of hostnames, rather than loading certificates manually.
 type AutomateLoader []string
 
 // CaddyModule returns the Caddy module information. |