diff options
Diffstat (limited to 'caddyconfig')
-rw-r--r-- | caddyconfig/httpcaddyfile/builtins.go | 52 | ||||
-rw-r--r-- | caddyconfig/httpcaddyfile/options.go | 29 | ||||
-rw-r--r-- | caddyconfig/httpcaddyfile/tlsapp.go | 40 |
3 files changed, 105 insertions, 16 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go index 520796d..e8fbf23 100644 --- a/caddyconfig/httpcaddyfile/builtins.go +++ b/caddyconfig/httpcaddyfile/builtins.go @@ -29,6 +29,7 @@ import ( "github.com/caddyserver/caddy/v2/caddyconfig/caddyfile" "github.com/caddyserver/caddy/v2/modules/caddyhttp" "github.com/caddyserver/caddy/v2/modules/caddytls" + "github.com/caddyserver/certmagic" "github.com/mholt/acmez/acme" "go.uber.org/zap/zapcore" ) @@ -76,6 +77,7 @@ func parseBind(h Helper) ([]ConfigValue, error) { // ca_root <pem_file> // dns <provider_name> // on_demand +// issuer <module_name> ... // } // func parseTLS(h Helper) ([]ConfigValue, error) { @@ -85,6 +87,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) { var certSelector caddytls.CustomCertSelectionPolicy var acmeIssuer *caddytls.ACMEIssuer var internalIssuer *caddytls.InternalIssuer + var issuer certmagic.Issuer var onDemand bool for h.Next() { @@ -276,6 +279,28 @@ func parseTLS(h Helper) ([]ConfigValue, error) { MACKey: arg[1], } + case "issuer": + if !h.NextArg() { + return nil, h.ArgErr() + } + modName := h.Val() + mod, err := caddy.GetModule("tls.issuance." + modName) + if err != nil { + return nil, h.Errf("getting issuer module '%s': %v", modName, err) + } + unm, ok := mod.New().(caddyfile.Unmarshaler) + if !ok { + return nil, h.Errf("issuer module '%s' is not a Caddyfile unmarshaler", mod.ID) + } + err = unm.UnmarshalCaddyfile(h.NewFromNextSegment()) + if err != nil { + return nil, err + } + issuer, ok = unm.(certmagic.Issuer) + if !ok { + return nil, h.Errf("module %s is not a certmagic.Issuer", mod.ID) + } + case "dns": if !h.NextArg() { return nil, h.ArgErr() @@ -350,7 +375,24 @@ func parseTLS(h Helper) ([]ConfigValue, error) { // the logic to support this would be complex return nil, h.Err("cannot use both ACME and internal issuers in same server block") } - if acmeIssuer != nil { + if issuer != nil && (acmeIssuer != nil || internalIssuer != nil) { + // similarly, the logic to support this would be complex + return nil, h.Err("when defining an issuer, all its config must be in its block, rather than from separate tls subdirectives") + } + switch { + case issuer != nil: + configVals = append(configVals, ConfigValue{ + Class: "tls.cert_issuer", + Value: issuer, + }) + + case internalIssuer != nil: + configVals = append(configVals, ConfigValue{ + Class: "tls.cert_issuer", + Value: internalIssuer, + }) + + case acmeIssuer != nil: // fill in global defaults, if configured if email := h.Option("email"); email != nil && acmeIssuer.Email == "" { acmeIssuer.Email = email.(string) @@ -361,15 +403,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) { if caPemFile := h.Option("acme_ca_root"); caPemFile != nil { acmeIssuer.TrustedRootsPEMFiles = append(acmeIssuer.TrustedRootsPEMFiles, caPemFile.(string)) } - configVals = append(configVals, ConfigValue{ Class: "tls.cert_issuer", - Value: acmeIssuer, - }) - } else if internalIssuer != nil { - configVals = append(configVals, ConfigValue{ - Class: "tls.cert_issuer", - Value: internalIssuer, + Value: disambiguateACMEIssuer(acmeIssuer), }) } diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go index 613bbc6..7d34805 100644 --- a/caddyconfig/httpcaddyfile/options.go +++ b/caddyconfig/httpcaddyfile/options.go @@ -20,6 +20,7 @@ import ( "github.com/caddyserver/caddy/v2" "github.com/caddyserver/caddy/v2/caddyconfig/caddyfile" "github.com/caddyserver/caddy/v2/modules/caddytls" + "github.com/caddyserver/certmagic" "github.com/mholt/acmez/acme" ) @@ -35,6 +36,7 @@ func init() { RegisterGlobalOption("acme_ca_root", parseOptSingleString) RegisterGlobalOption("acme_dns", parseOptSingleString) RegisterGlobalOption("acme_eab", parseOptACMEEAB) + RegisterGlobalOption("cert_issuer", parseOptCertIssuer) RegisterGlobalOption("email", parseOptSingleString) RegisterGlobalOption("admin", parseOptAdmin) RegisterGlobalOption("on_demand_tls", parseOptOnDemand) @@ -210,6 +212,33 @@ func parseOptACMEEAB(d *caddyfile.Dispenser) (interface{}, error) { return eab, nil } +func parseOptCertIssuer(d *caddyfile.Dispenser) (interface{}, error) { + if !d.Next() { // consume option name + return nil, d.ArgErr() + } + if !d.Next() { // get issuer module name + return nil, d.ArgErr() + } + modName := d.Val() + mod, err := caddy.GetModule("tls.issuance." + modName) + if err != nil { + return nil, d.Errf("getting issuer module '%s': %v", modName, err) + } + unm, ok := mod.New().(caddyfile.Unmarshaler) + if !ok { + return nil, d.Errf("issuer module '%s' is not a Caddyfile unmarshaler", mod.ID) + } + err = unm.UnmarshalCaddyfile(d.NewFromNextSegment()) + if err != nil { + return nil, err + } + iss, ok := unm.(certmagic.Issuer) + if !ok { + return nil, d.Errf("module %s is not a certmagic.Issuer", mod.ID) + } + return iss, nil +} + func parseOptSingleString(d *caddyfile.Dispenser) (interface{}, error) { d.Next() // consume parameter name if !d.Next() { diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index db6bf98..a721fee 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -21,6 +21,7 @@ import ( "reflect" "sort" "strconv" + "strings" "github.com/caddyserver/caddy/v2" "github.com/caddyserver/caddy/v2/caddyconfig" @@ -135,8 +136,11 @@ func (st ServerType) buildTLSApp( // issuer, skip, since we intend to adjust only ACME issuers var acmeIssuer *caddytls.ACMEIssuer if ap.Issuer != nil { - var ok bool - if acmeIssuer, ok = ap.Issuer.(*caddytls.ACMEIssuer); !ok { + // ensure we include any issuer that embeds/wraps an underlying ACME issuer + type acmeCapable interface{ GetACMEIssuer() *caddytls.ACMEIssuer } + if acmeWrapper, ok := ap.Issuer.(acmeCapable); ok { + acmeIssuer = acmeWrapper.GetACMEIssuer() + } else { break } } @@ -348,6 +352,8 @@ func (st ServerType) buildTLSApp( // returned if there are no default/global options. However, if always is // true, a non-nil value will always be returned (unless there is an error). func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddyconfig.Warning, always bool) (*caddytls.AutomationPolicy, error) { + issuer, hasIssuer := options["cert_issuer"] + acmeCA, hasACMECA := options["acme_ca"] acmeCARoot, hasACMECARoot := options["acme_ca_root"] acmeDNS, hasACMEDNS := options["acme_dns"] @@ -357,7 +363,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon localCerts, hasLocalCerts := options["local_certs"] keyType, hasKeyType := options["key_type"] - hasGlobalAutomationOpts := hasACMECA || hasACMECARoot || hasACMEDNS || hasACMEEAB || hasEmail || hasLocalCerts || hasKeyType + hasGlobalAutomationOpts := hasIssuer || hasACMECA || hasACMECARoot || hasACMEDNS || hasACMEEAB || hasEmail || hasLocalCerts || hasKeyType // if there are no global options related to automation policies // set, then we can just return right away @@ -369,8 +375,16 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon } ap := new(caddytls.AutomationPolicy) + if keyType != nil { + ap.KeyType = keyType.(string) + } - if localCerts != nil { + if hasIssuer { + if hasACMECA || hasACMEDNS || hasACMEEAB || hasEmail || hasLocalCerts { + return nil, fmt.Errorf("global options are ambiguous: cert_issuer is confusing when combined with acme_*, email, or local_certs options") + } + ap.Issuer = issuer.(certmagic.Issuer) + } else if localCerts != nil { // internal issuer enabled trumps any ACME configurations; useful in testing ap.Issuer = new(caddytls.InternalIssuer) // we'll encode it later } else { @@ -402,15 +416,25 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon if acmeEAB != nil { mgr.ExternalAccount = acmeEAB.(*acme.EAB) } - if keyType != nil { - ap.KeyType = keyType.(string) - } - ap.Issuer = mgr // we'll encode it later + ap.Issuer = disambiguateACMEIssuer(mgr) // we'll encode it later } return ap, nil } +// disambiguateACMEIssuer returns an issuer based on the properties of acmeIssuer. +// If acmeIssuer implicitly configures a certain kind of ACMEIssuer (for example, +// ZeroSSL), the proper wrapper over acmeIssuer will be returned instead. +func disambiguateACMEIssuer(acmeIssuer *caddytls.ACMEIssuer) certmagic.Issuer { + // as a special case, we integrate with ZeroSSL's ACME endpoint if it looks like an + // implicit ZeroSSL configuration (this requires a wrapper type over ACMEIssuer + // because of the EAB generation; if EAB is provided, we can use plain ACMEIssuer) + if strings.Contains(acmeIssuer.CA, "acme.zerossl.com") && acmeIssuer.ExternalAccount == nil { + return &caddytls.ZeroSSLIssuer{ACMEIssuer: acmeIssuer} + } + return acmeIssuer +} + // consolidateAutomationPolicies combines automation policies that are the same, // for a cleaner overall output. func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls.AutomationPolicy { |