summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--caddyconfig/httpcaddyfile/tlsapp.go1
-rw-r--r--modules/caddyhttp/autohttps.go28
2 files changed, 20 insertions, 9 deletions
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index 76d7ebf..40ea47d 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -350,7 +350,6 @@ func (st ServerType) buildTLSApp(
globalPreferredChains := options["preferred_chains"]
hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS != nil || globalACMEEAB != nil || globalPreferredChains != nil
if hasGlobalACMEDefaults {
- // for _, ap := range tlsApp.Automation.Policies {
for i := 0; i < len(tlsApp.Automation.Policies); i++ {
ap := tlsApp.Automation.Policies[i]
if len(ap.Issuers) == 0 && automationPolicyHasAllPublicNames(ap) {
diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
index 91611f9..4cc5d2f 100644
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@@ -152,9 +152,7 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
return fmt.Errorf("%s: route %d, matcher set %d, matcher %d, host matcher %d: %v",
srvName, routeIdx, matcherSetIdx, matcherIdx, hostMatcherIdx, err)
}
- // only include domain if it's not explicitly skipped and it's not a Tailscale domain
- // (the implicit Tailscale manager module will get those certs at run-time)
- if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) && !isTailscaleDomain(d) {
+ if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) {
serverDomainSet[d] = struct{}{}
}
}
@@ -181,6 +179,11 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
app.logger.Warn("skipping automated certificate management for server because it is disabled", zap.String("server_name", srvName))
} else {
for d := range serverDomainSet {
+ // the implicit Tailscale manager module will get its own certs at run-time
+ if isTailscaleDomain(d) {
+ continue
+ }
+
if certmagic.SubjectQualifiesForCert(d) &&
!srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.SkipCerts) {
// if a certificate for this name is already loaded,
@@ -436,7 +439,7 @@ func (app *App) makeRedirRoute(redirToPort uint, matcherSet MatcherSet) Route {
}
}
-// createAutomationPolicy ensures that automated certificates for this
+// createAutomationPolicies ensures that automated certificates for this
// app are managed properly. This adds up to two automation policies:
// one for the public names, and one for the internal names. If a catch-all
// automation policy exists, it will be shallow-copied and used as the
@@ -485,6 +488,12 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
return err
}
ap.Managers = []certmagic.Manager{ts}
+
+ // must reprovision the automation policy so that the underlying
+ // CertMagic config knows about the updated Managers
+ if err := ap.Provision(app.tlsApp); err != nil {
+ return fmt.Errorf("re-provisioning automation policy: %v", err)
+ }
}
// while we're here, is this the catch-all/base policy?
@@ -495,14 +504,17 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
}
if basePolicy == nil {
- // no base policy found, we will make one! (with implicit Tailscale integration)
+ // no base policy found; we will make one
+ basePolicy = new(caddytls.AutomationPolicy)
+ }
+
+ if basePolicy.Managers == nil {
+ // add implicit Tailscale integration, for harmless convenience
ts, err := implicitTailscale(ctx)
if err != nil {
return err
}
- basePolicy = &caddytls.AutomationPolicy{
- Managers: []certmagic.Manager{ts},
- }
+ basePolicy.Managers = []certmagic.Manager{ts}
}
// if the basePolicy has an existing ACMEIssuer (particularly to