diff options
| author | Matthew Holt <mholt@users.noreply.github.com> | 2020-03-17 21:00:45 -0600 |
|---|---|---|
| committer | Matthew Holt <mholt@users.noreply.github.com> | 2020-03-17 21:00:45 -0600 |
| commit | fc7340e11aa9ca6326909aedfd36bb2c5b53d2a8 (patch) | |
| tree | b057f7368a355192bdb40784b6d95716982e6923 /modules/caddytls/automation.go | |
| parent | 3f48a2eb455167af8d77c5c4543bd17a80a93260 (diff) | |
httpcaddyfile: Many tls-related improvements including on-demand support
Holy heck this was complicated
Diffstat (limited to 'modules/caddytls/automation.go')
| -rw-r--r-- | modules/caddytls/automation.go | 51 |
1 files changed, 35 insertions, 16 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go index d10a4c6..e91811d 100644 --- a/modules/caddytls/automation.go +++ b/modules/caddytls/automation.go @@ -23,6 +23,7 @@ import ( "github.com/caddyserver/caddy/v2" "github.com/caddyserver/certmagic" "github.com/go-acme/lego/v3/challenge" + "go.uber.org/zap" ) // AutomationConfig designates configuration for the @@ -131,31 +132,49 @@ func (ap *AutomationPolicy) provision(tlsApp *TLS) error { var ond *certmagic.OnDemandConfig if ap.OnDemand { - var onDemand *OnDemandConfig - if tlsApp.Automation != nil { - onDemand = tlsApp.Automation.OnDemand - } - ond = &certmagic.OnDemandConfig{ DecisionFunc: func(name string) error { - if onDemand != nil { - if onDemand.Ask != "" { - err := onDemandAskRequest(onDemand.Ask, name) - if err != nil { - return err - } - } - // check the rate limiter last because - // doing so makes a reservation - if !onDemandRateLimiter.Allow() { - return fmt.Errorf("on-demand rate limit exceeded") + // if an "ask" endpoint was defined, consult it first + if tlsApp.Automation != nil && + tlsApp.Automation.OnDemand != nil && + tlsApp.Automation.OnDemand.Ask != "" { + err := onDemandAskRequest(tlsApp.Automation.OnDemand.Ask, name) + if err != nil { + return err } } + // check the rate limiter last because + // doing so makes a reservation + if !onDemandRateLimiter.Allow() { + return fmt.Errorf("on-demand rate limit exceeded") + } return nil }, } } + // if this automation policy has no Issuer defined, and + // none the subjects do not qualify for a public certificate, + // set the issuer to internal so that these names can all + // get certificates; critically, we can only do this if an + // issuer is not explictly configured AND if the list of + // subjects is non-empty + if ap.IssuerRaw == nil && len(ap.Subjects) > 0 { + var anyPublic bool + for _, s := range ap.Subjects { + if certmagic.SubjectQualifiesForPublicCert(s) { + anyPublic = true + break + } + } + if !anyPublic { + tlsApp.logger.Info("setting internal issuer for automation policy that has only internal subjects but no issuer configured", + zap.Strings("subjects", ap.Subjects)) + ap.IssuerRaw = json.RawMessage(`{"module":"internal"}`) + } + } + + // load and provision the issuer module if ap.IssuerRaw != nil { val, err := tlsApp.ctx.LoadModule(ap, "IssuerRaw") if err != nil { |