authorMatthew Holt <mholt@users.noreply.github.com>2020-12-15 12:16:04 -0700
committerMatthew Holt <mholt@users.noreply.github.com>2020-12-15 12:16:04 -0700
commite384f07a3ce91ddbc8c4d4344f03a0dafe3df9f3 (patch)
tree8e68b638a579c857328003a732fc07907b7e100a /modules/caddytls
parent132525de3bfd6acb16f8628fa057cb03e102a177 (diff)
caddytls: Improve alt chain preference settings
This allows for finer-grained control when choosing alternate chains than simply the previous/Certbot-esque behavior of "choose first chain that contains an issuer's common name." This update allows you to sort by length (if optimizing for efficiency on the wire) and also to select the chain with a specific root CommonName.
Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/acmeissuer.go34
1 files changed, 29 insertions, 5 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 7c79c7e..df071c4 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -74,10 +74,11 @@ type ACMEIssuer struct {
// is internal or for development/testing purposes.
TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"`
- // List of preferred certificate chains, by issuer's CommonName. If empty,
- // or if no matching chain is found, the first chain offered by the server
- // will be used.
- PreferredChains []string `json:"preferred_chains,omitempty"`
+ // Preferences for selecting alternate certificate chains, if offered
+ // by the CA. By default, the first offered chain will be selected.
+ // If configured, the chains may be sorted and the first matching chain
+ // will be selected.
+ PreferredChains *ChainPreference `json:"preferred_chains,omitempty"`
rootPool *x509.CertPool
template certmagic.ACMEManager
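Review bot: `PreferredChains` keeps the JSON key `preferred_chains` but its value changes from an array of strings to an object, so a config written for the old field will no longer decode into `*ChainPreference`, and nothing in this hunk accepts or migrates the old shape. If the break is intended, the field comment should say so, for example `// Previously a list of issuer common names; use any_common_name for that behavior.` That mapping is inferred from the old comment and the new `AnyCommonName` description, so confirm it before wording the note. Otherwise a custom `UnmarshalJSON` on `ChainPreference` that also accepts the list form would keep existing configs loading. The `ACMEIssuer` struct starts and ends outside this hunk.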
@@ -163,7 +164,6 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
CertObtainTimeout: time.Duration(iss.ACMETimeout),
TrustedRoots: iss.rootPool,
ExternalAccount: iss.ExternalAccount,
- PreferredChains: iss.PreferredChains,
Logger: iss.logger,
}
@@ -182,6 +182,14 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
template.ListenHost = iss.Challenges.BindHost
}
+ if iss.PreferredChains != nil {
+ template.PreferredChains = certmagic.ChainPreference{
+ Smallest: iss.PreferredChains.Smallest,
+ AnyCommonName: iss.PreferredChains.AnyCommonName,
+ RootCommonName: iss.PreferredChains.RootCommonName,
+ }
+ }
+
return template, nil
}
@@ -407,6 +415,22 @@ func onDemandAskRequest(ask string, name string) error {
return nil
}
+// ChainPreference describes the client's preferred certificate chain,
+// useful if the CA offers alternate chains. The first matching chain
+// will be selected.
+type ChainPreference struct {
+ // Prefer chains with the fewest number of bytes.
+ Smallest *bool `json:"smallest,omitempty"`
+
+ // Select first chain having a root with one of
+ // these common names.
+ RootCommonName []string `json:"root_common_name,omitempty"`
+
+ // Select first chain that has any issuer with one
+ // of these common names.
+ AnyCommonName []string `json:"any_common_name,omitempty"`
+}
+
// Interface guards
var (
_ certmagic.PreChecker = (*ACMEIssuer)(nil)
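Review bot: The doc comment on `ChainPreference` says the first matching chain will be selected, but not what happens when no offered chain matches `RootCommonName` or `AnyCommonName`; the removed comment on `PreferredChains` did state that fallback ("the first chain offered by the server will be used"). An operator who sets `root_common_name` to steer away from a particular root needs to know whether a miss fails issuance or quietly falls back to the CA's default chain. The selection happens in certmagic, outside this diff, so add a line such as `// If no offered chain matches, <fallback behavior, confirm against certmagic>.` The comment should also give the order in which `Smallest`, `RootCommonName` and `AnyCommonName` are applied when more than one is set, and note that the match is on the CommonName string, not a key or fingerprint. The interface-guard `var (` block continues past the end of the hunk.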