Diffstat (limited to 'caddyconfig/httpcaddyfile/tlsapp.go')
-rw-r--r-- | caddyconfig/httpcaddyfile/tlsapp.go | 40 |
1 files changed, 32 insertions, 8 deletions
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index db6bf98..a721fee 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -21,6 +21,7 @@ import (
 	"reflect"
 	"sort"
 	"strconv"
+	"strings"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -135,8 +136,11 @@ func (st ServerType) buildTLSApp(
 			// issuer, skip, since we intend to adjust only ACME issuers
 			var acmeIssuer *caddytls.ACMEIssuer
 			if ap.Issuer != nil {
-				var ok bool
-				if acmeIssuer, ok = ap.Issuer.(*caddytls.ACMEIssuer); !ok {
+				// ensure we include any issuer that embeds/wraps an underlying ACME issuer
+				type acmeCapable interface{ GetACMEIssuer() *caddytls.ACMEIssuer }
+				if acmeWrapper, ok := ap.Issuer.(acmeCapable); ok {
+					acmeIssuer = acmeWrapper.GetACMEIssuer()
+				} else {
 					break
 				}
 			}
@@ -348,6 +352,8 @@ func (st ServerType) buildTLSApp(
 // returned if there are no default/global options. However, if always is
 // true, a non-nil value will always be returned (unless there is an error).
 func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddyconfig.Warning, always bool) (*caddytls.AutomationPolicy, error) {
+	issuer, hasIssuer := options["cert_issuer"]
+
 	acmeCA, hasACMECA := options["acme_ca"]
 	acmeCARoot, hasACMECARoot := options["acme_ca_root"]
 	acmeDNS, hasACMEDNS := options["acme_dns"]
@@ -357,7 +363,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
 	localCerts, hasLocalCerts := options["local_certs"]
 	keyType, hasKeyType := options["key_type"]
 
-	hasGlobalAutomationOpts := hasACMECA || hasACMECARoot || hasACMEDNS || hasACMEEAB || hasEmail || hasLocalCerts || hasKeyType
+	hasGlobalAutomationOpts := hasIssuer || hasACMECA || hasACMECARoot || hasACMEDNS || hasACMEEAB || hasEmail || hasLocalCerts || hasKeyType
 
 	// if there are no global options related to automation policies
 	// set, then we can just return right away
@@ -369,8 +375,16 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
 	}
 
 	ap := new(caddytls.AutomationPolicy)
+	if keyType != nil {
+		ap.KeyType = keyType.(string)
+	}
 
-	if localCerts != nil {
+	if hasIssuer {
+		if hasACMECA || hasACMEDNS || hasACMEEAB || hasEmail || hasLocalCerts {
+			return nil, fmt.Errorf("global options are ambiguous: cert_issuer is confusing when combined with acme_*, email, or local_certs options")
+		}
+		ap.Issuer = issuer.(certmagic.Issuer)
+	} else if localCerts != nil {
 		// internal issuer enabled trumps any ACME configurations; useful in testing
 		ap.Issuer = new(caddytls.InternalIssuer) // we'll encode it later
 	} else {
@@ -402,15 +416,25 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
 		if acmeEAB != nil {
 			mgr.ExternalAccount = acmeEAB.(*acme.EAB)
 		}
-		if keyType != nil {
-			ap.KeyType = keyType.(string)
-		}
-		ap.Issuer = mgr // we'll encode it later
+		ap.Issuer = disambiguateACMEIssuer(mgr) // we'll encode it later
 	}
 
 	return ap, nil
 }
 
+// disambiguateACMEIssuer returns an issuer based on the properties of acmeIssuer.
+// If acmeIssuer implicitly configures a certain kind of ACMEIssuer (for example,
+// ZeroSSL), the proper wrapper over acmeIssuer will be returned instead.
+func disambiguateACMEIssuer(acmeIssuer *caddytls.ACMEIssuer) certmagic.Issuer {
+	// as a special case, we integrate with ZeroSSL's ACME endpoint if it looks like an
+	// implicit ZeroSSL configuration (this requires a wrapper type over ACMEIssuer
+	// because of the EAB generation; if EAB is provided, we can use plain ACMEIssuer)
+	if strings.Contains(acmeIssuer.CA, "acme.zerossl.com") && acmeIssuer.ExternalAccount == nil {
+		return &caddytls.ZeroSSLIssuer{ACMEIssuer: acmeIssuer}
+	}
+	return acmeIssuer
+}
+
 // consolidateAutomationPolicies combines automation policies that are the same,
 // for a cleaner overall output.
 func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls.AutomationPolicy {
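Review bot: In the buildTLSApp hunk, `acmeIssuer = acmeWrapper.GetACMEIssuer()` is stored without a nil check, whereas the type assertion it replaces guaranteed a non-nil `*caddytls.ACMEIssuer` whenever the loop did not `break`. A wrapper whose embedded ACME issuer was never set would presumably return nil here, and the code after the hunk (not visible) that previously could rely on that invariant for a non-nil ap.Issuer would now either dereference nil or treat the wrapper as if no issuer were configured. A one-line guard keeps the old invariant: `if acmeIssuer = acmeWrapper.GetACMEIssuer(); acmeIssuer == nil { break }` in place of the bare assignment, or a comment on the interface stating that GetACMEIssuer must never return nil. The loop body this hunk sits in starts and ends outside the hunk.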
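Review bot: The ambiguity guard `if hasACMECA || hasACMEDNS || hasACMEEAB || hasEmail || hasLocalCerts` omits `hasACMECARoot`, so `acme_ca_root` given together with `cert_issuer` is accepted without error even though the message says cert_issuer conflicts with the `acme_*` options; if acme_ca_root is only applied to the ACME manager built in the else branch (outside this hunk), it is silently ignored in that combination. Either add `hasACMECARoot` to the guard or add a comment saying the trust-root option is intentionally allowed alongside a custom issuer. `ap.Issuer = issuer.(certmagic.Issuer)` is also an unchecked assertion that panics on a mis-typed option value; the surrounding code already uses that pattern, but a comma-ok form returning `fmt.Errorf("cert_issuer: expected certmagic.Issuer, got %T", issuer)` would fail with a config error instead. newBaseAutomationPolicy begins and ends outside this hunk.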
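Review bot: `strings.Contains(acmeIssuer.CA, "acme.zerossl.com")` in disambiguateACMEIssuer is a substring match over the entire CA URL, so any directory URL that merely contains that string in its host or path (for instance a host whose name begins with `acme.zerossl.com.`) is routed through ZeroSSLIssuer and its EAB generation rather than treated as a plain ACME endpoint. Matching the host is more precise and still one line: `strings.HasPrefix(acmeIssuer.CA, "https://acme.zerossl.com/")`, or parse the URL with net/url and compare `u.Host`. The doc comment should also state that the returned issuer wraps `acmeIssuer` by pointer rather than copying it, since the buildTLSApp hunk above appears to unwrap it later through GetACMEIssuer in order to adjust it in place. The ACME else branch that calls this helper begins outside the hunk.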