summaryrefslogtreecommitdiff
path: root/caddyconfig
diff options
context:
space:
mode:
Diffstat (limited to 'caddyconfig')
-rw-r--r--caddyconfig/httpcaddyfile/builtins.go52
-rw-r--r--caddyconfig/httpcaddyfile/options.go29
-rw-r--r--caddyconfig/httpcaddyfile/tlsapp.go40
3 files changed, 105 insertions, 16 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index 520796d..e8fbf23 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -29,6 +29,7 @@ import (
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
"github.com/caddyserver/caddy/v2/modules/caddytls"
+ "github.com/caddyserver/certmagic"
"github.com/mholt/acmez/acme"
"go.uber.org/zap/zapcore"
)
@@ -76,6 +77,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
// ca_root <pem_file>
// dns <provider_name>
// on_demand
+// issuer <module_name> ...
// }
//
func parseTLS(h Helper) ([]ConfigValue, error) {
@@ -85,6 +87,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
var certSelector caddytls.CustomCertSelectionPolicy
var acmeIssuer *caddytls.ACMEIssuer
var internalIssuer *caddytls.InternalIssuer
+ var issuer certmagic.Issuer
var onDemand bool
for h.Next() {
@@ -276,6 +279,28 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
MACKey: arg[1],
}
+ case "issuer":
+ if !h.NextArg() {
+ return nil, h.ArgErr()
+ }
+ modName := h.Val()
+ mod, err := caddy.GetModule("tls.issuance." + modName)
+ if err != nil {
+ return nil, h.Errf("getting issuer module '%s': %v", modName, err)
+ }
+ unm, ok := mod.New().(caddyfile.Unmarshaler)
+ if !ok {
+ return nil, h.Errf("issuer module '%s' is not a Caddyfile unmarshaler", mod.ID)
+ }
+ err = unm.UnmarshalCaddyfile(h.NewFromNextSegment())
+ if err != nil {
+ return nil, err
+ }
+ issuer, ok = unm.(certmagic.Issuer)
+ if !ok {
+ return nil, h.Errf("module %s is not a certmagic.Issuer", mod.ID)
+ }
+
case "dns":
if !h.NextArg() {
return nil, h.ArgErr()
@@ -350,7 +375,24 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
// the logic to support this would be complex
return nil, h.Err("cannot use both ACME and internal issuers in same server block")
}
- if acmeIssuer != nil {
+ if issuer != nil && (acmeIssuer != nil || internalIssuer != nil) {
+ // similarly, the logic to support this would be complex
+ return nil, h.Err("when defining an issuer, all its config must be in its block, rather than from separate tls subdirectives")
+ }
+ switch {
+ case issuer != nil:
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: issuer,
+ })
+
+ case internalIssuer != nil:
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: internalIssuer,
+ })
+
+ case acmeIssuer != nil:
// fill in global defaults, if configured
if email := h.Option("email"); email != nil && acmeIssuer.Email == "" {
acmeIssuer.Email = email.(string)
@@ -361,15 +403,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
if caPemFile := h.Option("acme_ca_root"); caPemFile != nil {
acmeIssuer.TrustedRootsPEMFiles = append(acmeIssuer.TrustedRootsPEMFiles, caPemFile.(string))
}
-
configVals = append(configVals, ConfigValue{
Class: "tls.cert_issuer",
- Value: acmeIssuer,
- })
- } else if internalIssuer != nil {
- configVals = append(configVals, ConfigValue{
- Class: "tls.cert_issuer",
- Value: internalIssuer,
+ Value: disambiguateACMEIssuer(acmeIssuer),
})
}
diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go
index 613bbc6..7d34805 100644
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@@ -20,6 +20,7 @@ import (
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
"github.com/caddyserver/caddy/v2/modules/caddytls"
+ "github.com/caddyserver/certmagic"
"github.com/mholt/acmez/acme"
)
@@ -35,6 +36,7 @@ func init() {
RegisterGlobalOption("acme_ca_root", parseOptSingleString)
RegisterGlobalOption("acme_dns", parseOptSingleString)
RegisterGlobalOption("acme_eab", parseOptACMEEAB)
+ RegisterGlobalOption("cert_issuer", parseOptCertIssuer)
RegisterGlobalOption("email", parseOptSingleString)
RegisterGlobalOption("admin", parseOptAdmin)
RegisterGlobalOption("on_demand_tls", parseOptOnDemand)
@@ -210,6 +212,33 @@ func parseOptACMEEAB(d *caddyfile.Dispenser) (interface{}, error) {
return eab, nil
}
+func parseOptCertIssuer(d *caddyfile.Dispenser) (interface{}, error) {
+ if !d.Next() { // consume option name
+ return nil, d.ArgErr()
+ }
+ if !d.Next() { // get issuer module name
+ return nil, d.ArgErr()
+ }
+ modName := d.Val()
+ mod, err := caddy.GetModule("tls.issuance." + modName)
+ if err != nil {
+ return nil, d.Errf("getting issuer module '%s': %v", modName, err)
+ }
+ unm, ok := mod.New().(caddyfile.Unmarshaler)
+ if !ok {
+ return nil, d.Errf("issuer module '%s' is not a Caddyfile unmarshaler", mod.ID)
+ }
+ err = unm.UnmarshalCaddyfile(d.NewFromNextSegment())
+ if err != nil {
+ return nil, err
+ }
+ iss, ok := unm.(certmagic.Issuer)
+ if !ok {
+ return nil, d.Errf("module %s is not a certmagic.Issuer", mod.ID)
+ }
+ return iss, nil
+}
+
func parseOptSingleString(d *caddyfile.Dispenser) (interface{}, error) {
d.Next() // consume parameter name
if !d.Next() {
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index db6bf98..a721fee 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -21,6 +21,7 @@ import (
"reflect"
"sort"
"strconv"
+ "strings"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -135,8 +136,11 @@ func (st ServerType) buildTLSApp(
// issuer, skip, since we intend to adjust only ACME issuers
var acmeIssuer *caddytls.ACMEIssuer
if ap.Issuer != nil {
- var ok bool
- if acmeIssuer, ok = ap.Issuer.(*caddytls.ACMEIssuer); !ok {
+ // ensure we include any issuer that embeds/wraps an underlying ACME issuer
+ type acmeCapable interface{ GetACMEIssuer() *caddytls.ACMEIssuer }
+ if acmeWrapper, ok := ap.Issuer.(acmeCapable); ok {
+ acmeIssuer = acmeWrapper.GetACMEIssuer()
+ } else {
break
}
}
@@ -348,6 +352,8 @@ func (st ServerType) buildTLSApp(
// returned if there are no default/global options. However, if always is
// true, a non-nil value will always be returned (unless there is an error).
func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddyconfig.Warning, always bool) (*caddytls.AutomationPolicy, error) {
+ issuer, hasIssuer := options["cert_issuer"]
+
acmeCA, hasACMECA := options["acme_ca"]
acmeCARoot, hasACMECARoot := options["acme_ca_root"]
acmeDNS, hasACMEDNS := options["acme_dns"]
@@ -357,7 +363,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
localCerts, hasLocalCerts := options["local_certs"]
keyType, hasKeyType := options["key_type"]
- hasGlobalAutomationOpts := hasACMECA || hasACMECARoot || hasACMEDNS || hasACMEEAB || hasEmail || hasLocalCerts || hasKeyType
+ hasGlobalAutomationOpts := hasIssuer || hasACMECA || hasACMECARoot || hasACMEDNS || hasACMEEAB || hasEmail || hasLocalCerts || hasKeyType
// if there are no global options related to automation policies
// set, then we can just return right away
@@ -369,8 +375,16 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
}
ap := new(caddytls.AutomationPolicy)
+ if keyType != nil {
+ ap.KeyType = keyType.(string)
+ }
- if localCerts != nil {
+ if hasIssuer {
+ if hasACMECA || hasACMEDNS || hasACMEEAB || hasEmail || hasLocalCerts {
+ return nil, fmt.Errorf("global options are ambiguous: cert_issuer is confusing when combined with acme_*, email, or local_certs options")
+ }
+ ap.Issuer = issuer.(certmagic.Issuer)
+ } else if localCerts != nil {
// internal issuer enabled trumps any ACME configurations; useful in testing
ap.Issuer = new(caddytls.InternalIssuer) // we'll encode it later
} else {
@@ -402,15 +416,25 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
if acmeEAB != nil {
mgr.ExternalAccount = acmeEAB.(*acme.EAB)
}
- if keyType != nil {
- ap.KeyType = keyType.(string)
- }
- ap.Issuer = mgr // we'll encode it later
+ ap.Issuer = disambiguateACMEIssuer(mgr) // we'll encode it later
}
return ap, nil
}
+// disambiguateACMEIssuer returns an issuer based on the properties of acmeIssuer.
+// If acmeIssuer implicitly configures a certain kind of ACMEIssuer (for example,
+// ZeroSSL), the proper wrapper over acmeIssuer will be returned instead.
+func disambiguateACMEIssuer(acmeIssuer *caddytls.ACMEIssuer) certmagic.Issuer {
+ // as a special case, we integrate with ZeroSSL's ACME endpoint if it looks like an
+ // implicit ZeroSSL configuration (this requires a wrapper type over ACMEIssuer
+ // because of the EAB generation; if EAB is provided, we can use plain ACMEIssuer)
+ if strings.Contains(acmeIssuer.CA, "acme.zerossl.com") && acmeIssuer.ExternalAccount == nil {
+ return &caddytls.ZeroSSLIssuer{ACMEIssuer: acmeIssuer}
+ }
+ return acmeIssuer
+}
+
// consolidateAutomationPolicies combines automation policies that are the same,
// for a cleaner overall output.
func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls.AutomationPolicy {