summaryrefslogtreecommitdiff
path: root/caddyconfig/httpcaddyfile
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2021-02-02 16:17:26 -0700
committerMatthew Holt <mholt@users.noreply.github.com>2021-02-02 16:17:26 -0700
commit90284e8017fedeb6eeb9f4183660a679b8a5e15e (patch)
treeda996b6608f84a81ebc80577af1e55a913a7073c /caddyconfig/httpcaddyfile
parent2772ede43c852fa50f3527dbd94ae747b6f64365 (diff)
httpcaddyfile: Fix default issuers when email provided
If `tls <email>` is used, we should apply that to all applicable default issuers, not drop them. This refactoring applies implicit ACME issuer settings from the tls directive to all default ACME issuers, like ZeroSSL. We also consolidate some annoying logic and improve config validity checks. Ref: https://caddy.community/t/error-obtaining-certificate-after-caddy-restart/11335/8
Diffstat (limited to 'caddyconfig/httpcaddyfile')
-rw-r--r--caddyconfig/httpcaddyfile/builtins.go56
-rw-r--r--caddyconfig/httpcaddyfile/tlsapp.go29
2 files changed, 50 insertions, 35 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index aa68adb..4945a81 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -369,31 +369,57 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
})
}
+ // some tls subdirectives are shortcuts that implicitly configure issuers, and the
+ // user can also configure issuers explicitly using the issuer subdirective; the
+ // logic to support both would likely be complex, or at least unintuitive
if len(issuers) > 0 && (acmeIssuer != nil || internalIssuer != nil) {
- // some tls subdirectives are shortcuts that implicitly configure issuers, and the
- // user can also configure issuers explicitly using the issuer subdirective; the
- // logic to support both would likely be complex, or at least unintuitive
return nil, h.Err("cannot mix issuer subdirective (explicit issuers) with other issuer-specific subdirectives (implicit issuers)")
}
- for _, issuer := range issuers {
- configVals = append(configVals, ConfigValue{
- Class: "tls.cert_issuer",
- Value: issuer,
- })
- }
- if acmeIssuer != nil {
- configVals = append(configVals, ConfigValue{
- Class: "tls.cert_issuer",
- Value: disambiguateACMEIssuer(acmeIssuer),
- })
+ if acmeIssuer != nil && internalIssuer != nil {
+ return nil, h.Err("cannot create both ACME and internal certificate issuers")
}
- if internalIssuer != nil {
+
+ // now we should either have: explicitly-created issuers, or an implicitly-created
+ // ACME or internal issuer, or no issuers at all
+ switch {
+ case len(issuers) > 0:
+ for _, issuer := range issuers {
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: issuer,
+ })
+ }
+
+ case acmeIssuer != nil:
+ // implicit ACME issuers (from various subdirectives) - use defaults; there might be more than one
+ defaultIssuers := caddytls.DefaultIssuers()
+
+ // if a CA endpoint was set, override multiple implicit issuers since it's a specific one
+ if acmeIssuer.CA != "" {
+ defaultIssuers = []certmagic.Issuer{acmeIssuer}
+ }
+
+ for _, issuer := range defaultIssuers {
+ switch iss := issuer.(type) {
+ case *caddytls.ACMEIssuer:
+ issuer = acmeIssuer
+ case *caddytls.ZeroSSLIssuer:
+ iss.ACMEIssuer = acmeIssuer
+ }
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: issuer,
+ })
+ }
+
+ case internalIssuer != nil:
configVals = append(configVals, ConfigValue{
Class: "tls.cert_issuer",
Value: internalIssuer,
})
}
+ // certificate key type
if keyType != "" {
configVals = append(configVals, ConfigValue{
Class: "tls.key_type",
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index dbf3cc7..d831d1b 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -316,13 +316,15 @@ func (st ServerType) buildTLSApp(
if hasGlobalACMEDefaults {
for _, ap := range tlsApp.Automation.Policies {
if len(ap.Issuers) == 0 {
- acme, zerosslACME := new(caddytls.ACMEIssuer), new(caddytls.ACMEIssuer)
- zerossl := &caddytls.ZeroSSLIssuer{ACMEIssuer: zerosslACME}
- ap.Issuers = []certmagic.Issuer{acme, zerossl} // TODO: keep this in sync with Caddy's other issuer defaults elsewhere, like in caddytls/automation.go (DefaultIssuers).
-
- // if a non-ZeroSSL endpoint is specified, we assume we can't use the ZeroSSL issuer successfully
- if globalACMECA != nil && !strings.Contains(globalACMECA.(string), "zerossl") {
- ap.Issuers = []certmagic.Issuer{acme}
+ ap.Issuers = caddytls.DefaultIssuers()
+
+ // if a specific endpoint is configured, can't use multiple default issuers
+ if globalACMECA != nil {
+ if strings.Contains(globalACMECA.(string), "zerossl") {
+ ap.Issuers = []certmagic.Issuer{&caddytls.ZeroSSLIssuer{ACMEIssuer: new(caddytls.ACMEIssuer)}}
+ } else {
+ ap.Issuers = []certmagic.Issuer{new(caddytls.ACMEIssuer)}
+ }
}
}
}
@@ -463,19 +465,6 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
return ap, nil
}
-// disambiguateACMEIssuer returns an issuer based on the properties of acmeIssuer.
-// If acmeIssuer implicitly configures a certain kind of ACMEIssuer (for example,
-// ZeroSSL), the proper wrapper over acmeIssuer will be returned instead.
-func disambiguateACMEIssuer(acmeIssuer *caddytls.ACMEIssuer) certmagic.Issuer {
- // as a special case, we integrate with ZeroSSL's ACME endpoint if it looks like an
- // implicit ZeroSSL configuration (this requires a wrapper type over ACMEIssuer
- // because of the EAB generation; if EAB is provided, we can use plain ACMEIssuer)
- if strings.Contains(acmeIssuer.CA, "acme.zerossl.com") && acmeIssuer.ExternalAccount == nil {
- return &caddytls.ZeroSSLIssuer{ACMEIssuer: acmeIssuer}
- }
- return acmeIssuer
-}
-
// consolidateAutomationPolicies combines automation policies that are the same,
// for a cleaner overall output.
func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls.AutomationPolicy {