diff options
author | Matt Holt <mholt@users.noreply.github.com> | 2022-07-05 18:12:25 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-05 18:12:25 -0600 |
commit | 412dcc07d3201561302bc20b6200d893aee69657 (patch) | |
tree | fa52315c153c528bc053a0e52a26916e043973b4 /modules | |
parent | 660c59b6f3c138ce1a143ea864225ba177005e8e (diff) |
caddytls: Reuse issuer between PreCheck and Issue (#4866)
This enables EAB reuse for ZeroSSLIssuer (which is now supported by ZeroSSL).
Diffstat (limited to 'modules')
-rw-r--r-- | modules/caddytls/acmeissuer.go | 19 | ||||
-rw-r--r-- | modules/caddytls/tls.go | 2 | ||||
-rw-r--r-- | modules/caddytls/zerosslissuer.go | 4 |
3 files changed, 12 insertions, 13 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go index 09b31bf..9552d6f 100644 --- a/modules/caddytls/acmeissuer.go +++ b/modules/caddytls/acmeissuer.go @@ -85,9 +85,11 @@ type ACMEIssuer struct { PreferredChains *ChainPreference `json:"preferred_chains,omitempty"` rootPool *x509.CertPool - template certmagic.ACMEIssuer - magic *certmagic.Config logger *zap.Logger + + template certmagic.ACMEIssuer // set at Provision + magic *certmagic.Config // set at PreCheck + issuer *certmagic.ACMEIssuer // set at PreCheck; result of template + magic } // CaddyModule returns the Caddy module information. @@ -217,30 +219,27 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEIssuer, error) { // the ConfigSetter interface. func (iss *ACMEIssuer) SetConfig(cfg *certmagic.Config) { iss.magic = cfg + iss.issuer = certmagic.NewACMEIssuer(cfg, iss.template) } -// TODO: I kind of hate how each call to these methods needs to -// make a new ACME manager to fill in defaults before using; can -// we find the right place to do that just once and then re-use? - // PreCheck implements the certmagic.PreChecker interface. func (iss *ACMEIssuer) PreCheck(ctx context.Context, names []string, interactive bool) error { - return certmagic.NewACMEIssuer(iss.magic, iss.template).PreCheck(ctx, names, interactive) + return iss.issuer.PreCheck(ctx, names, interactive) } // Issue obtains a certificate for the given csr. func (iss *ACMEIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error) { - return certmagic.NewACMEIssuer(iss.magic, iss.template).Issue(ctx, csr) + return iss.issuer.Issue(ctx, csr) } // IssuerKey returns the unique issuer key for the configured CA endpoint. func (iss *ACMEIssuer) IssuerKey() string { - return certmagic.NewACMEIssuer(iss.magic, iss.template).IssuerKey() + return iss.issuer.IssuerKey() } // Revoke revokes the given certificate. func (iss *ACMEIssuer) Revoke(ctx context.Context, cert certmagic.CertificateResource, reason int) error { - return certmagic.NewACMEIssuer(iss.magic, iss.template).Revoke(ctx, cert, reason) + return iss.issuer.Revoke(ctx, cert, reason) } // GetACMEIssuer returns iss. This is useful when other types embed ACMEIssuer, because diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go index 9fe30fe..429b24c 100644 --- a/modules/caddytls/tls.go +++ b/modules/caddytls/tls.go @@ -336,7 +336,7 @@ func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool { for _, iss := range ap.magic.Issuers { if am, ok := iss.(acmeCapable); ok { iss := am.GetACMEIssuer() - if certmagic.NewACMEIssuer(iss.magic, iss.template).HandleHTTPChallenge(w, r) { + if iss.issuer.HandleHTTPChallenge(w, r) { return true } } diff --git a/modules/caddytls/zerosslissuer.go b/modules/caddytls/zerosslissuer.go index a75063b..a051ed4 100644 --- a/modules/caddytls/zerosslissuer.go +++ b/modules/caddytls/zerosslissuer.go @@ -162,8 +162,8 @@ func (iss *ZeroSSLIssuer) generateEABCredentials(ctx context.Context, acct acme. func (iss *ZeroSSLIssuer) initialize() { iss.mu.Lock() defer iss.mu.Unlock() - if iss.template.NewAccountFunc == nil { - iss.template.NewAccountFunc = iss.newAccountCallback + if iss.ACMEIssuer.issuer.NewAccountFunc == nil { + iss.ACMEIssuer.issuer.NewAccountFunc = iss.newAccountCallback } } |