Diffstat (limited to 'caddyconfig/httpcaddyfile')
-rw-r--r--caddyconfig/httpcaddyfile/builtins.go56
-rw-r--r--caddyconfig/httpcaddyfile/tlsapp.go29
2 files changed, 50 insertions, 35 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index aa68adb..4945a81 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -369,31 +369,57 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
})
}
+ // some tls subdirectives are shortcuts that implicitly configure issuers, and the
+ // user can also configure issuers explicitly using the issuer subdirective; the
+ // logic to support both would likely be complex, or at least unintuitive
if len(issuers) > 0 && (acmeIssuer != nil || internalIssuer != nil) {
- // some tls subdirectives are shortcuts that implicitly configure issuers, and the
- // user can also configure issuers explicitly using the issuer subdirective; the
- // logic to support both would likely be complex, or at least unintuitive
return nil, h.Err("cannot mix issuer subdirective (explicit issuers) with other issuer-specific subdirectives (implicit issuers)")
}
- for _, issuer := range issuers {
- configVals = append(configVals, ConfigValue{
- Class: "tls.cert_issuer",
- Value: issuer,
- })
- }
- if acmeIssuer != nil {
- configVals = append(configVals, ConfigValue{
- Class: "tls.cert_issuer",
- Value: disambiguateACMEIssuer(acmeIssuer),
- })
+ if acmeIssuer != nil && internalIssuer != nil {
+ return nil, h.Err("cannot create both ACME and internal certificate issuers")
}
- if internalIssuer != nil {
+
+ // now we should either have: explicitly-created issuers, or an implicitly-created
+ // ACME or internal issuer, or no issuers at all
+ switch {
+ case len(issuers) > 0:
+ for _, issuer := range issuers {
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: issuer,
+ })
+ }
+
+ case acmeIssuer != nil:
+ // implicit ACME issuers (from various subdirectives) - use defaults; there might be more than one
+ defaultIssuers := caddytls.DefaultIssuers()
+
+ // if a CA endpoint was set, override multiple implicit issuers since it's a specific one
+ if acmeIssuer.CA != "" {
+ defaultIssuers = []certmagic.Issuer{acmeIssuer}
+ }
+
+ for _, issuer := range defaultIssuers {
+ switch iss := issuer.(type) {
+ case *caddytls.ACMEIssuer:
+ issuer = acmeIssuer
+ case *caddytls.ZeroSSLIssuer:
+ iss.ACMEIssuer = acmeIssuer
+ }
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: issuer,
+ })
+ }
+
+ case internalIssuer != nil:
configVals = append(configVals, ConfigValue{
Class: "tls.cert_issuer",
Value: internalIssuer,
})
}
+ // certificate key type
if keyType != "" {
configVals = append(configVals, ConfigValue{
Class: "tls.key_type",
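Review bot: The `acmeIssuer.CA != ""` override at `defaultIssuers = []certmagic.Issuer{acmeIssuer}` drops the special case the removed `disambiguateACMEIssuer` handled: a site-level `ca` pointing at acme.zerossl.com with no external account is now emitted as a plain `*caddytls.ACMEIssuer` instead of being wrapped in `*caddytls.ZeroSSLIssuer`, while the tlsapp.go hunk in this same commit still applies a zerossl check for the global default. If that behavior is still wanted, the override can keep the host check, e.g. `if strings.Contains(acmeIssuer.CA, "acme.zerossl.com") && acmeIssuer.ExternalAccount == nil { defaultIssuers = []certmagic.Issuer{&caddytls.ZeroSSLIssuer{ACMEIssuer: acmeIssuer}} }`; if the drop is deliberate, a comment at the override saying so would save the next reader the archaeology. Separately, `iss.ACMEIssuer = acmeIssuer` mutates the element returned by `caddytls.DefaultIssuers()`, which is only safe if that function returns fresh instances on every call rather than a shared slice; a short comment confirming that would help. parseTLS continues outside the hunk.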
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index dbf3cc7..d831d1b 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -316,13 +316,15 @@ func (st ServerType) buildTLSApp(
if hasGlobalACMEDefaults {
for _, ap := range tlsApp.Automation.Policies {
if len(ap.Issuers) == 0 {
- acme, zerosslACME := new(caddytls.ACMEIssuer), new(caddytls.ACMEIssuer)
- zerossl := &caddytls.ZeroSSLIssuer{ACMEIssuer: zerosslACME}
- ap.Issuers = []certmagic.Issuer{acme, zerossl} // TODO: keep this in sync with Caddy's other issuer defaults elsewhere, like in caddytls/automation.go (DefaultIssuers).
-
- // if a non-ZeroSSL endpoint is specified, we assume we can't use the ZeroSSL issuer successfully
- if globalACMECA != nil && !strings.Contains(globalACMECA.(string), "zerossl") {
- ap.Issuers = []certmagic.Issuer{acme}
+ ap.Issuers = caddytls.DefaultIssuers()
+
+ // if a specific endpoint is configured, can't use multiple default issuers
+ if globalACMECA != nil {
+ if strings.Contains(globalACMECA.(string), "zerossl") {
+ ap.Issuers = []certmagic.Issuer{&caddytls.ZeroSSLIssuer{ACMEIssuer: new(caddytls.ACMEIssuer)}}
+ } else {
+ ap.Issuers = []certmagic.Issuer{new(caddytls.ACMEIssuer)}
+ }
}
}
}
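Review bot: The `strings.Contains(globalACMECA.(string), "zerossl")` check selects the ZeroSSL wrapper for any CA URL containing that substring, which is looser than the `acme.zerossl.com` match the commit removes from disambiguateACMEIssuer below, so an endpoint whose URL merely contains the word would get the ZeroSSL-specific issuer. Matching on the host, `strings.Contains(globalACMECA.(string), "acme.zerossl.com")`, keeps this path consistent with what the old helper did. The unchecked `globalACMECA.(string)` assertion is pre-existing but would panic on a non-string option value; a `ca, ok := globalACMECA.(string)` form with an `ok` guard is cheap here. buildTLSApp continues outside the hunk.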
@@ -463,19 +465,6 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
return ap, nil
}
-// disambiguateACMEIssuer returns an issuer based on the properties of acmeIssuer.
-// If acmeIssuer implicitly configures a certain kind of ACMEIssuer (for example,
-// ZeroSSL), the proper wrapper over acmeIssuer will be returned instead.
-func disambiguateACMEIssuer(acmeIssuer *caddytls.ACMEIssuer) certmagic.Issuer {
- // as a special case, we integrate with ZeroSSL's ACME endpoint if it looks like an
- // implicit ZeroSSL configuration (this requires a wrapper type over ACMEIssuer
- // because of the EAB generation; if EAB is provided, we can use plain ACMEIssuer)
- if strings.Contains(acmeIssuer.CA, "acme.zerossl.com") && acmeIssuer.ExternalAccount == nil {
- return &caddytls.ZeroSSLIssuer{ACMEIssuer: acmeIssuer}
- }
- return acmeIssuer
-}
-
// consolidateAutomationPolicies combines automation policies that are the same,
// for a cleaner overall output.
func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls.AutomationPolicy {