summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--caddyconfig/httpcaddyfile/tlsapp.go62
1 files changed, 55 insertions, 7 deletions
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index 6214d61..1b7357c 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -100,15 +100,58 @@ func (st ServerType) buildTLSApp(
return nil, warnings, err
}
}
- encoded := caddyconfig.JSONModuleObject(issuer, "module", issuer.(caddy.Module).CaddyModule().ID.Name(), &warnings)
- if ap == catchAllAP && ap.IssuerRaw != nil && !bytes.Equal(ap.IssuerRaw, encoded) {
- return nil, warnings, fmt.Errorf("conflicting issuer configuration: %s != %s", ap.IssuerRaw, encoded)
+ if ap == catchAllAP && !reflect.DeepEqual(ap.Issuer, issuer) {
+ return nil, warnings, fmt.Errorf("automation policy from site block is also default/catch-all policy because of key without hostname, and the two are in conflict: %#v != %#v", ap.Issuer, issuer)
}
- ap.IssuerRaw = encoded
+ ap.Issuer = issuer
}
}
+ // custom bind host
+ for _, cfgVal := range sblock.pile["bind"] {
+ // either an existing issuer is already configured (and thus, ap is not
+ // nil), or we need to configure an issuer, so we need ap to be non-nil
+ if ap == nil {
+ ap, err = newBaseAutomationPolicy(options, warnings, true)
+ if err != nil {
+ return nil, warnings, err
+ }
+ }
+
+ // if an issuer was already configured and it is NOT an ACME
+ // issuer, skip, since we intend to adjust only ACME issuers
+ var acmeIssuer *caddytls.ACMEIssuer
+ if ap.Issuer != nil {
+ var ok bool
+ if acmeIssuer, ok = ap.Issuer.(*caddytls.ACMEIssuer); !ok {
+ break
+ }
+ }
+
+ // proceed to configure the ACME issuer's bind host, without
+ // overwriting any existing settings
+ if acmeIssuer == nil {
+ acmeIssuer = new(caddytls.ACMEIssuer)
+ }
+ if acmeIssuer.Challenges == nil {
+ acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
+ }
+ if acmeIssuer.Challenges.BindHost == "" {
+ // only binding to one host is supported
+ var bindHost string
+ if bindHosts, ok := cfgVal.Value.([]string); ok && len(bindHosts) > 0 {
+ bindHost = bindHosts[0]
+ }
+ acmeIssuer.Challenges.BindHost = bindHost
+ }
+ ap.Issuer = acmeIssuer // we'll encode it later
+ }
+
if ap != nil {
+ // encode issuer now that it's all set up
+ issuerName := ap.Issuer.(caddy.Module).CaddyModule().ID.Name()
+ ap.IssuerRaw = caddyconfig.JSONModuleObject(ap.Issuer, "module", issuerName, &warnings)
+
// first make sure this block is allowed to create an automation policy;
// doing so is forbidden if it has a key with no host (i.e. ":443")
// and if there is a different server block that also has a key with no
@@ -222,6 +265,11 @@ func (st ServerType) buildTLSApp(
// if there is a global/catch-all automation policy, ensure it goes last
if catchAllAP != nil {
+ // first, encode its issuer
+ issuerName := catchAllAP.Issuer.(caddy.Module).CaddyModule().ID.Name()
+ catchAllAP.IssuerRaw = caddyconfig.JSONModuleObject(catchAllAP.Issuer, "module", issuerName, &warnings)
+
+ // then append it to the end of the policies list
if tlsApp.Automation == nil {
tlsApp.Automation = new(caddytls.AutomationConfig)
}
@@ -290,7 +338,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
if localCerts != nil {
// internal issuer enabled trumps any ACME configurations; useful in testing
- ap.IssuerRaw = caddyconfig.JSONModuleObject(caddytls.InternalIssuer{}, "module", "internal", &warnings)
+ ap.Issuer = new(caddytls.InternalIssuer) // we'll encode it later
} else {
if acmeCA == nil {
acmeCA = ""
@@ -298,7 +346,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
if email == nil {
email = ""
}
- mgr := caddytls.ACMEIssuer{
+ mgr := &caddytls.ACMEIssuer{
CA: acmeCA.(string),
Email: email.(string),
}
@@ -315,7 +363,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
if acmeCARoot != nil {
mgr.TrustedRootsPEMFiles = []string{acmeCARoot.(string)}
}
- ap.IssuerRaw = caddyconfig.JSONModuleObject(mgr, "module", "acme", &warnings)
+ ap.Issuer = mgr // we'll encode it later
}
return ap, nil