summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2021-02-02 16:17:26 -0700
committerMatthew Holt <mholt@users.noreply.github.com>2021-02-02 16:17:26 -0700
commit90284e8017fedeb6eeb9f4183660a679b8a5e15e (patch)
treeda996b6608f84a81ebc80577af1e55a913a7073c /modules
parent2772ede43c852fa50f3527dbd94ae747b6f64365 (diff)
httpcaddyfile: Fix default issuers when email provided
If `tls <email>` is used, we should apply that to all applicable default issuers, not drop them. This refactoring applies implicit ACME issuer settings from the tls directive to all default ACME issuers, like ZeroSSL. We also consolidate some annoying logic and improve config validity checks. Ref: https://caddy.community/t/error-obtaining-certificate-after-caddy-restart/11335/8
Diffstat (limited to 'modules')
-rw-r--r--modules/caddyhttp/autohttps.go4
-rw-r--r--modules/caddytls/automation.go33
2 files changed, 22 insertions, 15 deletions
diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
index c1d4c08..5c83d8f 100644
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@@ -444,7 +444,7 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
// what the HTTP and HTTPS ports are)
if ap.Issuers == nil {
var err error
- ap.Issuers, err = caddytls.DefaultIssuers(ctx)
+ ap.Issuers, err = caddytls.DefaultIssuersProvisioned(ctx)
if err != nil {
return err
}
@@ -499,7 +499,7 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
// never overwrite any other issuer that might already be configured
if basePolicy.Issuers == nil {
var err error
- basePolicy.Issuers, err = caddytls.DefaultIssuers(ctx)
+ basePolicy.Issuers, err = caddytls.DefaultIssuersProvisioned(ctx)
if err != nil {
return err
}
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index ed29e06..bcc0a0c 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -187,7 +187,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
issuers := ap.Issuers
if len(issuers) == 0 {
var err error
- issuers, err = DefaultIssuers(tlsApp.ctx)
+ issuers, err = DefaultIssuersProvisioned(tlsApp.ctx)
if err != nil {
return err
}
@@ -242,21 +242,28 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
return nil
}
-// DefaultIssuers returns empty but provisioned default Issuers.
+// DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults.
// This function is experimental and has no compatibility promises.
-func DefaultIssuers(ctx caddy.Context) ([]certmagic.Issuer, error) {
- acme := new(ACMEIssuer)
- err := acme.Provision(ctx)
- if err != nil {
- return nil, err
+func DefaultIssuers() []certmagic.Issuer {
+ return []certmagic.Issuer{
+ new(ACMEIssuer),
+ &ZeroSSLIssuer{ACMEIssuer: new(ACMEIssuer)},
}
- zerossl := new(ZeroSSLIssuer)
- err = zerossl.Provision(ctx)
- if err != nil {
- return nil, err
+}
+
+// DefaultIssuersProvisioned returns empty but provisioned default Issuers from
+// DefaultIssuers(). This function is experimental and has no compatibility promises.
+func DefaultIssuersProvisioned(ctx caddy.Context) ([]certmagic.Issuer, error) {
+ issuers := DefaultIssuers()
+ for i, iss := range issuers {
+ if prov, ok := iss.(caddy.Provisioner); ok {
+ err := prov.Provision(ctx)
+ if err != nil {
+ return nil, fmt.Errorf("provisioning default issuer %d: %T: %v", i, iss, err)
+ }
+ }
}
- // TODO: eventually, insert ZeroSSL into first position in the slice -- see also httpcaddyfile/tlsapp.go for where similar defaults are configured
- return []certmagic.Issuer{acme, zerossl}, nil
+ return issuers, nil
}
// ChallengesConfig configures the ACME challenges.