diff options
author | Matt Holt <mholt@users.noreply.github.com> | 2019-09-24 15:46:39 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-24 15:46:39 -0700 |
commit | 11696793bd15503006f44876c0f9f3b5d53e4d18 (patch) | |
tree | c9135f00e94c706eb5cdee6b474d6cb67ef1a97e /modules/caddytls | |
parent | 3e8bff594a463242665fb3bc5f564bbb271c95cd (diff) |
tls/acme: Ability to customize trusted roots for ACME servers (#2756)
Closes #2702
Diffstat (limited to 'modules/caddytls')
-rw-r--r-- | modules/caddytls/acmemanager.go | 41 |
1 files changed, 30 insertions, 11 deletions
diff --git a/modules/caddytls/acmemanager.go b/modules/caddytls/acmemanager.go index f9a6409..9df2e26 100644 --- a/modules/caddytls/acmemanager.go +++ b/modules/caddytls/acmemanager.go @@ -15,8 +15,10 @@ package caddytls import ( + "crypto/x509" "encoding/json" "fmt" + "io/ioutil" "net/url" "time" @@ -38,17 +40,19 @@ func init() { // after you have configured this struct // to your liking. type ACMEManagerMaker struct { - CA string `json:"ca,omitempty"` - Email string `json:"email,omitempty"` - RenewAhead caddy.Duration `json:"renew_ahead,omitempty"` - KeyType string `json:"key_type,omitempty"` - ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"` - MustStaple bool `json:"must_staple,omitempty"` - Challenges ChallengesConfig `json:"challenges,omitempty"` - OnDemand bool `json:"on_demand,omitempty"` - Storage json.RawMessage `json:"storage,omitempty"` - - storage certmagic.Storage + CA string `json:"ca,omitempty"` + Email string `json:"email,omitempty"` + RenewAhead caddy.Duration `json:"renew_ahead,omitempty"` + KeyType string `json:"key_type,omitempty"` + ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"` + MustStaple bool `json:"must_staple,omitempty"` + Challenges ChallengesConfig `json:"challenges,omitempty"` + OnDemand bool `json:"on_demand,omitempty"` + Storage json.RawMessage `json:"storage,omitempty"` + TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"` + + storage certmagic.Storage + rootPool *x509.CertPool } // CaddyModule returns the Caddy module information. @@ -91,6 +95,20 @@ func (m *ACMEManagerMaker) Provision(ctx caddy.Context) error { m.Storage = nil // allow GC to deallocate } + // add any custom CAs to trust store + if len(m.TrustedRootsPEMFiles) > 0 { + m.rootPool = x509.NewCertPool() + for _, pemFile := range m.TrustedRootsPEMFiles { + pemData, err := ioutil.ReadFile(pemFile) + if err != nil { + return fmt.Errorf("loading trusted root CA's PEM file: %s: %v", pemFile, err) + } + if !m.rootPool.AppendCertsFromPEM(pemData) { + return fmt.Errorf("unable to add %s to trust pool: %v", pemFile, err) + } + } + } + return nil } @@ -150,6 +168,7 @@ func (m *ACMEManagerMaker) makeCertMagicConfig(ctx caddy.Context) certmagic.Conf OnDemand: ond, MustStaple: m.MustStaple, Storage: storage, + TrustedRoots: m.rootPool, // TODO: listenHost } } |