diff options
-rw-r--r-- | caddyconfig/httpcaddyfile/tlsapp.go | 1 | ||||
-rw-r--r-- | modules/caddyhttp/autohttps.go | 28 |
2 files changed, 20 insertions, 9 deletions
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index 76d7ebf..40ea47d 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -350,7 +350,6 @@ func (st ServerType) buildTLSApp( globalPreferredChains := options["preferred_chains"] hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS != nil || globalACMEEAB != nil || globalPreferredChains != nil if hasGlobalACMEDefaults { - // for _, ap := range tlsApp.Automation.Policies { for i := 0; i < len(tlsApp.Automation.Policies); i++ { ap := tlsApp.Automation.Policies[i] if len(ap.Issuers) == 0 && automationPolicyHasAllPublicNames(ap) { diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go index 91611f9..4cc5d2f 100644 --- a/modules/caddyhttp/autohttps.go +++ b/modules/caddyhttp/autohttps.go @@ -152,9 +152,7 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er return fmt.Errorf("%s: route %d, matcher set %d, matcher %d, host matcher %d: %v", srvName, routeIdx, matcherSetIdx, matcherIdx, hostMatcherIdx, err) } - // only include domain if it's not explicitly skipped and it's not a Tailscale domain - // (the implicit Tailscale manager module will get those certs at run-time) - if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) && !isTailscaleDomain(d) { + if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) { serverDomainSet[d] = struct{}{} } } @@ -181,6 +179,11 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er app.logger.Warn("skipping automated certificate management for server because it is disabled", zap.String("server_name", srvName)) } else { for d := range serverDomainSet { + // the implicit Tailscale manager module will get its own certs at run-time + if isTailscaleDomain(d) { + continue + } + if certmagic.SubjectQualifiesForCert(d) && !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.SkipCerts) { // if a certificate for this name is already loaded, @@ -436,7 +439,7 @@ func (app *App) makeRedirRoute(redirToPort uint, matcherSet MatcherSet) Route { } } -// createAutomationPolicy ensures that automated certificates for this +// createAutomationPolicies ensures that automated certificates for this // app are managed properly. This adds up to two automation policies: // one for the public names, and one for the internal names. If a catch-all // automation policy exists, it will be shallow-copied and used as the @@ -485,6 +488,12 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri return err } ap.Managers = []certmagic.Manager{ts} + + // must reprovision the automation policy so that the underlying + // CertMagic config knows about the updated Managers + if err := ap.Provision(app.tlsApp); err != nil { + return fmt.Errorf("re-provisioning automation policy: %v", err) + } } // while we're here, is this the catch-all/base policy? @@ -495,14 +504,17 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri } if basePolicy == nil { - // no base policy found, we will make one! (with implicit Tailscale integration) + // no base policy found; we will make one + basePolicy = new(caddytls.AutomationPolicy) + } + + if basePolicy.Managers == nil { + // add implicit Tailscale integration, for harmless convenience ts, err := implicitTailscale(ctx) if err != nil { return err } - basePolicy = &caddytls.AutomationPolicy{ - Managers: []certmagic.Manager{ts}, - } + basePolicy.Managers = []certmagic.Manager{ts} } // if the basePolicy has an existing ACMEIssuer (particularly to |