caddytls: Support external certificate Managers (like Tailscale) (#4541)

Huge thank-you to Tailscale (https://tailscale.com) for making this change possible! This is a great feature for Caddy and Tailscale is a great fit for a standard implementation. * caddytls: GetCertificate modules; Tailscale * Caddyfile support for get_certificate Also fix AP provisioning in case of empty subject list (persist loaded module on struct, much like Issuers, to surive reprovisioning). And implement start of HTTP cert getter, still WIP. * Update modules/caddytls/automation.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Use tsclient package, check status for name * Implement HTTP cert getter And use reuse CertMagic's PEM functions for private keys. * Remove cache option from Tailscale getter Tailscale does its own caching and we don't need the added complexity... for now, at least. * Several updates - Option to disable cert automation in auto HTTPS - Support multiple cert managers - Remove cache feature from cert manager modules - Minor improvements to auto HTTPS logging * Run go mod tidy * Try to get certificates from Tailscale implicitly Only for domains ending in .ts.net. I think this is really cool! Co-authored-by: Francis Lavoie <lavofr@gmail.com>
author: Matt Holt <mholt@users.noreply.github.com> 2022-02-17 15:40:34 -0700
committer: GitHub <noreply@github.com> 2022-02-17 15:40:34 -0700
commit: 57a708d189cfe4ccc20ae92df95dd35e52a434a8 (patch)
tree: 6a8b2ded2d0d70cea75c7b1cc5bd536b7999e9d8 /modules/caddytls/folderloader.go
parent: 32aad909380f08a40389a33bfe788c8a35b1d850 (diff)
1 files changed, 15 insertions, 20 deletions
diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go
index 0ff0629..33b31a5 100644
--- a/modules/caddytls/folderloader.go
+++ b/modules/caddytls/folderloader.go
@@ -61,10 +61,14 @@ func (fl FolderLoader) LoadCertificates() ([]Certificate, error) {
 				return nil
 			}
 
-			cert, err := x509CertFromCertAndKeyPEMFile(fpath)
+			bundle, err := os.ReadFile(fpath)
 			if err != nil {
 				return err
 			}
+			cert, err := tlsCertFromCertAndKeyPEMBundle(bundle)
+			if err != nil {
+				return fmt.Errorf("%s: %w", fpath, err)
+			}
 
 			certs = append(certs, Certificate{Certificate: cert})
 
@@ -77,12 +81,7 @@ func (fl FolderLoader) LoadCertificates() ([]Certificate, error) {
 	return certs, nil
 }
 
-func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
-	bundle, err := os.ReadFile(fpath)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-
+func tlsCertFromCertAndKeyPEMBundle(bundle []byte) (tls.Certificate, error) {
 	certBuilder, keyBuilder := new(bytes.Buffer), new(bytes.Buffer)
 	var foundKey bool // use only the first key in the file
 
@@ -96,8 +95,7 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
 
 		if derBlock.Type == "CERTIFICATE" {
 			// Re-encode certificate as PEM, appending to certificate chain
-			err = pem.Encode(certBuilder, derBlock)
-			if err != nil {
+			if err := pem.Encode(certBuilder, derBlock); err != nil {
 				return tls.Certificate{}, err
 			}
 		} else if derBlock.Type == "EC PARAMETERS" {
@@ -105,18 +103,16 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
 			// parameters and key (parameter block should come first)
 			if !foundKey {
 				// Encode parameters
-				err = pem.Encode(keyBuilder, derBlock)
-				if err != nil {
+				if err := pem.Encode(keyBuilder, derBlock); err != nil {
 					return tls.Certificate{}, err
 				}
 
 				// Key must immediately follow
 				derBlock, bundle = pem.Decode(bundle)
 				if derBlock == nil || derBlock.Type != "EC PRIVATE KEY" {
-					return tls.Certificate{}, fmt.Errorf("%s: expected elliptic private key to immediately follow EC parameters", fpath)
+					return tls.Certificate{}, fmt.Errorf("expected elliptic private key to immediately follow EC parameters")
 				}
-				err = pem.Encode(keyBuilder, derBlock)
-				if err != nil {
+				if err := pem.Encode(keyBuilder, derBlock); err != nil {
 					return tls.Certificate{}, err
 				}
 				foundKey = true
@@ -124,28 +120,27 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
 		} else if derBlock.Type == "PRIVATE KEY" || strings.HasSuffix(derBlock.Type, " PRIVATE KEY") {
 			// RSA key
 			if !foundKey {
-				err = pem.Encode(keyBuilder, derBlock)
-				if err != nil {
+				if err := pem.Encode(keyBuilder, derBlock); err != nil {
 					return tls.Certificate{}, err
 				}
 				foundKey = true
 			}
 		} else {
-			return tls.Certificate{}, fmt.Errorf("%s: unrecognized PEM block type: %s", fpath, derBlock.Type)
+			return tls.Certificate{}, fmt.Errorf("unrecognized PEM block type: %s", derBlock.Type)
 		}
 	}
 
 	certPEMBytes, keyPEMBytes := certBuilder.Bytes(), keyBuilder.Bytes()
 	if len(certPEMBytes) == 0 {
-		return tls.Certificate{}, fmt.Errorf("%s: failed to parse PEM data", fpath)
+		return tls.Certificate{}, fmt.Errorf("failed to parse PEM data")
 	}
 	if len(keyPEMBytes) == 0 {
-		return tls.Certificate{}, fmt.Errorf("%s: no private key block found", fpath)
+		return tls.Certificate{}, fmt.Errorf("no private key block found")
 	}
 
 	cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes)
 	if err != nil {
-		return tls.Certificate{}, fmt.Errorf("%s: making X509 key pair: %v", fpath, err)
+		return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err)
 	}
 
 	return cert, nil
author	Matt Holt <mholt@users.noreply.github.com>	2022-02-17 15:40:34 -0700
committer	GitHub <noreply@github.com>	2022-02-17 15:40:34 -0700
commit	57a708d189cfe4ccc20ae92df95dd35e52a434a8 (patch)
tree	6a8b2ded2d0d70cea75c7b1cc5bd536b7999e9d8 /modules/caddytls/folderloader.go
parent	32aad909380f08a40389a33bfe788c8a35b1d850 (diff)