summaryrefslogtreecommitdiff
path: root/caddyconfig/httpcaddyfile
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2020-10-22 12:40:23 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2020-10-22 12:40:23 -0600
commitb6686a54d8b21bedbf042caa4a6c09d78d345fc7 (patch)
treedbd984913bfb5c0341b6e3899a9da332ad8a160b /caddyconfig/httpcaddyfile
parent97caf368eea8d2c33a7786fbe3471b83b5b294dc (diff)
httpcaddyfile: Improve AP logic with OnDemand
We have users that have site blocks like *.*.tld with on-demand TLS enabled. While *.*.tld does not qualify for a publicly-trusted cert due to its wildcards, On-Demand TLS does not actually obtain a cert with those wildcards, since it uses the actual hostname on the handshake. This improves on that logic, but I am still not 100% satisfied with the result since I think we need to also check if another site block is more specific, like foo.example.tld, which might not have on-demand TLS enabled, and make sure an automation policy gets created before the more general policy with on-demand...
Diffstat (limited to 'caddyconfig/httpcaddyfile')
-rw-r--r--caddyconfig/httpcaddyfile/tlsapp.go12
1 files changed, 11 insertions, 1 deletions
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index a721fee..e732957 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -213,7 +213,17 @@ func (st ServerType) buildTLSApp(
if ap.Issuer == nil {
var internal, external []string
for _, s := range ap.Subjects {
- if certmagic.SubjectQualifiesForPublicCert(s) {
+ if !certmagic.SubjectQualifiesForCert(s) {
+ return nil, warnings, fmt.Errorf("subject does not qualify for certificate: '%s'", s)
+ }
+ // we don't use certmagic.SubjectQualifiesForPublicCert() because of one nuance:
+ // names like *.*.tld that may not qualify for a public certificate are actually
+ // fine when used with OnDemand, since OnDemand (currently) does not obtain
+ // wildcards (if it ever does, there will be a separate config option to enable
+ // it that we would need to check here) since the hostname is known at handshake;
+ // and it is unexpected to switch to internal issuer when the user wants to get
+ // regular certificates on-demand for a class of certs like *.*.tld.
+ if !certmagic.SubjectIsIP(s) && !certmagic.SubjectIsInternal(s) && (strings.Count(s, "*.") < 2 || ap.OnDemand) {
external = append(external, s)
} else {
internal = append(internal, s)