summaryrefslogtreecommitdiff
path: root/modules/caddytls
diff options
context:
space:
mode:
authorMatt Holt <mholt@users.noreply.github.com>2019-09-24 15:46:39 -0700
committerGitHub <noreply@github.com>2019-09-24 15:46:39 -0700
commit11696793bd15503006f44876c0f9f3b5d53e4d18 (patch)
treec9135f00e94c706eb5cdee6b474d6cb67ef1a97e /modules/caddytls
parent3e8bff594a463242665fb3bc5f564bbb271c95cd (diff)
tls/acme: Ability to customize trusted roots for ACME servers (#2756)
Closes #2702
Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/acmemanager.go41
1 files changed, 30 insertions, 11 deletions
diff --git a/modules/caddytls/acmemanager.go b/modules/caddytls/acmemanager.go
index f9a6409..9df2e26 100644
--- a/modules/caddytls/acmemanager.go
+++ b/modules/caddytls/acmemanager.go
@@ -15,8 +15,10 @@
package caddytls
import (
+ "crypto/x509"
"encoding/json"
"fmt"
+ "io/ioutil"
"net/url"
"time"
@@ -38,17 +40,19 @@ func init() {
// after you have configured this struct
// to your liking.
type ACMEManagerMaker struct {
- CA string `json:"ca,omitempty"`
- Email string `json:"email,omitempty"`
- RenewAhead caddy.Duration `json:"renew_ahead,omitempty"`
- KeyType string `json:"key_type,omitempty"`
- ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"`
- MustStaple bool `json:"must_staple,omitempty"`
- Challenges ChallengesConfig `json:"challenges,omitempty"`
- OnDemand bool `json:"on_demand,omitempty"`
- Storage json.RawMessage `json:"storage,omitempty"`
-
- storage certmagic.Storage
+ CA string `json:"ca,omitempty"`
+ Email string `json:"email,omitempty"`
+ RenewAhead caddy.Duration `json:"renew_ahead,omitempty"`
+ KeyType string `json:"key_type,omitempty"`
+ ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"`
+ MustStaple bool `json:"must_staple,omitempty"`
+ Challenges ChallengesConfig `json:"challenges,omitempty"`
+ OnDemand bool `json:"on_demand,omitempty"`
+ Storage json.RawMessage `json:"storage,omitempty"`
+ TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"`
+
+ storage certmagic.Storage
+ rootPool *x509.CertPool
}
// CaddyModule returns the Caddy module information.
@@ -91,6 +95,20 @@ func (m *ACMEManagerMaker) Provision(ctx caddy.Context) error {
m.Storage = nil // allow GC to deallocate
}
+ // add any custom CAs to trust store
+ if len(m.TrustedRootsPEMFiles) > 0 {
+ m.rootPool = x509.NewCertPool()
+ for _, pemFile := range m.TrustedRootsPEMFiles {
+ pemData, err := ioutil.ReadFile(pemFile)
+ if err != nil {
+ return fmt.Errorf("loading trusted root CA's PEM file: %s: %v", pemFile, err)
+ }
+ if !m.rootPool.AppendCertsFromPEM(pemData) {
+ return fmt.Errorf("unable to add %s to trust pool: %v", pemFile, err)
+ }
+ }
+ }
+
return nil
}
@@ -150,6 +168,7 @@ func (m *ACMEManagerMaker) makeCertMagicConfig(ctx caddy.Context) certmagic.Conf
OnDemand: ond,
MustStaple: m.MustStaple,
Storage: storage,
+ TrustedRoots: m.rootPool,
// TODO: listenHost
}
}