summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorRan Chen <crccw@google.com>2022-03-09 03:03:43 +0800
committerGitHub <noreply@github.com>2022-03-08 12:03:43 -0700
commitd9b1d463259a6f8f520edd6659dac11218c82b4e (patch)
treea48f08560bf50c9b416b2858f1528422d52c2e8b /modules
parentc8f2834b514f8bfb405c11be53d60a6cfc5228ca (diff)
caddytls: dns_challenge_override_domain for challenge delegation (#4596)
* Add a override_domain option to allow DNS chanllenge delegation CNAME can be used to delegate answering the chanllenge to another DNS zone. One usage is to reduce the exposure of the DNS credential [1]. Based on the discussion in caddy/certmagic#160, we are adding an option to allow the user explicitly specify the domain to delegate, instead of following the CNAME chain. This needs caddy/certmagic#160. * rename override_domain to dns_challenge_override_domain * Update CertMagic; fix spelling Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
Diffstat (limited to 'modules')
-rw-r--r--modules/caddytls/acmeissuer.go14
-rw-r--r--modules/caddytls/automation.go5
2 files changed, 19 insertions, 0 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 42cef02..48a961f 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -144,6 +144,7 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
TTL: time.Duration(iss.Challenges.DNS.TTL),
PropagationTimeout: time.Duration(iss.Challenges.DNS.PropagationTimeout),
Resolvers: iss.Challenges.DNS.Resolvers,
+ OverrideDomain: iss.Challenges.DNS.OverrideDomain,
}
}
}
@@ -417,6 +418,19 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return d.ArgErr()
}
+ case "dns_challenge_override_domain":
+ arg := d.RemainingArgs()
+ if len(arg) != 1 {
+ return d.ArgErr()
+ }
+ if iss.Challenges == nil {
+ iss.Challenges = new(ChallengesConfig)
+ }
+ if iss.Challenges.DNS == nil {
+ iss.Challenges.DNS = new(DNSChallengeConfig)
+ }
+ iss.Challenges.DNS.OverrideDomain = arg[0]
+
case "preferred_chains":
chainPref, err := ParseCaddyfilePreferredChainsOptions(d)
if err != nil {
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 95b1772..eb97c82 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -370,6 +370,11 @@ type DNSChallengeConfig struct {
// Often necessary to configure when using split-horizon DNS.
Resolvers []string `json:"resolvers,omitempty"`
+ // Override the domain to use for the DNS challenge. This
+ // is to delegate the challenge to a different domain,
+ // e.g. one that updates faster or one with a provider API.
+ OverrideDomain string `json:"override_domain,omitempty"`
+
solver acmez.Solver
}