summaryrefslogtreecommitdiff
path: root/caddyconfig/httpcaddyfile/builtins.go
diff options
context:
space:
mode:
Diffstat (limited to 'caddyconfig/httpcaddyfile/builtins.go')
-rw-r--r--caddyconfig/httpcaddyfile/builtins.go52
1 files changed, 44 insertions, 8 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index 520796d..e8fbf23 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -29,6 +29,7 @@ import (
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
"github.com/caddyserver/caddy/v2/modules/caddytls"
+ "github.com/caddyserver/certmagic"
"github.com/mholt/acmez/acme"
"go.uber.org/zap/zapcore"
)
@@ -76,6 +77,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
// ca_root <pem_file>
// dns <provider_name>
// on_demand
+// issuer <module_name> ...
// }
//
func parseTLS(h Helper) ([]ConfigValue, error) {
@@ -85,6 +87,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
var certSelector caddytls.CustomCertSelectionPolicy
var acmeIssuer *caddytls.ACMEIssuer
var internalIssuer *caddytls.InternalIssuer
+ var issuer certmagic.Issuer
var onDemand bool
for h.Next() {
@@ -276,6 +279,28 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
MACKey: arg[1],
}
+ case "issuer":
+ if !h.NextArg() {
+ return nil, h.ArgErr()
+ }
+ modName := h.Val()
+ mod, err := caddy.GetModule("tls.issuance." + modName)
+ if err != nil {
+ return nil, h.Errf("getting issuer module '%s': %v", modName, err)
+ }
+ unm, ok := mod.New().(caddyfile.Unmarshaler)
+ if !ok {
+ return nil, h.Errf("issuer module '%s' is not a Caddyfile unmarshaler", mod.ID)
+ }
+ err = unm.UnmarshalCaddyfile(h.NewFromNextSegment())
+ if err != nil {
+ return nil, err
+ }
+ issuer, ok = unm.(certmagic.Issuer)
+ if !ok {
+ return nil, h.Errf("module %s is not a certmagic.Issuer", mod.ID)
+ }
+
case "dns":
if !h.NextArg() {
return nil, h.ArgErr()
@@ -350,7 +375,24 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
// the logic to support this would be complex
return nil, h.Err("cannot use both ACME and internal issuers in same server block")
}
- if acmeIssuer != nil {
+ if issuer != nil && (acmeIssuer != nil || internalIssuer != nil) {
+ // similarly, the logic to support this would be complex
+ return nil, h.Err("when defining an issuer, all its config must be in its block, rather than from separate tls subdirectives")
+ }
+ switch {
+ case issuer != nil:
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: issuer,
+ })
+
+ case internalIssuer != nil:
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: internalIssuer,
+ })
+
+ case acmeIssuer != nil:
// fill in global defaults, if configured
if email := h.Option("email"); email != nil && acmeIssuer.Email == "" {
acmeIssuer.Email = email.(string)
@@ -361,15 +403,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
if caPemFile := h.Option("acme_ca_root"); caPemFile != nil {
acmeIssuer.TrustedRootsPEMFiles = append(acmeIssuer.TrustedRootsPEMFiles, caPemFile.(string))
}
-
configVals = append(configVals, ConfigValue{
Class: "tls.cert_issuer",
- Value: acmeIssuer,
- })
- } else if internalIssuer != nil {
- configVals = append(configVals, ConfigValue{
- Class: "tls.cert_issuer",
- Value: internalIssuer,
+ Value: disambiguateACMEIssuer(acmeIssuer),
})
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-10 19:19:10 +0000