Diffstat (limited to 'modules/caddytls')
-rw-r--r-- | modules/caddytls/automation.go | 6 | ||||
-rw-r--r-- | modules/caddytls/tls.go | 22 |
2 files changed, 22 insertions, 6 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 22cf20b..87e6b28 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -53,7 +53,8 @@ type AutomationConfig struct {
 	// a low value.
 	RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
-	defaultAutomationPolicy *AutomationPolicy
+	defaultPublicAutomationPolicy *AutomationPolicy
+	defaultInternalAutomationPolicy *AutomationPolicy
 }
 // AutomationPolicy designates the policy for automating the
@@ -67,7 +68,8 @@ type AutomationPolicy struct {
 	// Which subjects (hostnames or IP addresses) this policy applies to.
 	Subjects []string `json:"subjects,omitempty"`
-	// The module that will issue certificates. Default: acme
+	// The module that will issue certificates. Default: internal if all
+	// subjects do not qualify for public certificates; othewise acme.
 	IssuerRaw json.RawMessage `json:"issuer,omitempty" caddy:"namespace=tls.issuance inline_key=module"`
 	// If true, certificates will be requested with MustStaple. Not all
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 54f0e23..1255d3d 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
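Review bot: The replacement comment on IssuerRaw in the second hunk misspells "otherwise" as "othewise", and the rule it states ("internal if all subjects do not qualify for public certificates") does not match how tls.go's getAutomationPolicyForName applies the new defaults: that code chooses between the public and internal default policies per individual subject name, and only when no configured policy matches. The diff builds the public default from a bare AutomationPolicy with no issuer, which suggests AutomationPolicy.Provision still defaults an explicit policy's issuer to acme; its body is not in the diff, so this is an inference. If that holds, the comment should separate the two cases, e.g. `// The module that will issue certificates. Default: acme. When no policy matches a name, the built-in default` / `// policy uses internal for names that do not qualify for a public certificate; otherwise acme.`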
@@ -93,10 +93,17 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	if t.Automation == nil {
 		t.Automation = new(AutomationConfig)
 	}
-	t.Automation.defaultAutomationPolicy = new(AutomationPolicy)
-	err := t.Automation.defaultAutomationPolicy.Provision(t)
+	t.Automation.defaultPublicAutomationPolicy = new(AutomationPolicy)
+	err := t.Automation.defaultPublicAutomationPolicy.Provision(t)
 	if err != nil {
-		return fmt.Errorf("provisioning default automation policy: %v", err)
+		return fmt.Errorf("provisioning default public automation policy: %v", err)
+	}
+	t.Automation.defaultInternalAutomationPolicy = &AutomationPolicy{
+		IssuerRaw: json.RawMessage(`{"module":"internal"}`),
+	}
+	err = t.Automation.defaultInternalAutomationPolicy.Provision(t)
+	if err != nil {
+		return fmt.Errorf("provisioning default internal automation policy: %v", err)
 	}
 	for i, ap := range t.Automation.Policies {
 		err := ap.Provision(t)
@@ -318,6 +325,10 @@ func (t *TLS) getConfigForName(name string) *certmagic.Config {
 	return ap.magic
 }
+// getAutomationPolicyForName returns the first matching automation policy
+// for the given subject name. If no matching policy can be found, the
+// default policy is used, depending on whether the name qualifies for a
+// public certificate or not.
 func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
 	for _, ap := range t.Automation.Policies {
 		if len(ap.Subjects) == 0 {
@@ -329,7 +340,10 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
 			}
 		}
 	}
-	return t.Automation.defaultAutomationPolicy
+	if certmagic.SubjectQualifiesForPublicCert(name) {
+		return t.Automation.defaultPublicAutomationPolicy
+	}
+	return t.Automation.defaultInternalAutomationPolicy
 }
 // AllMatchingCertificates returns the list of all certificates in |
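Review bot: Both new fmt.Errorf calls in the Provision hunk wrap the provisioning error with %v, which flattens it so a caller cannot reach the underlying cause with errors.Is or errors.As; prefer `return fmt.Errorf("provisioning default public automation policy: %w", err)` and likewise `"provisioning default internal automation policy: %w"`. The removed line used %v too, so this may be the module's existing convention rather than an oversight; if the project targets Go 1.13 or later, %w is the idiom and the two added lines are a natural place to start. The body of Provision continues outside the hunk.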
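Review bot: The fallback at the end of getAutomationPolicyForName selects the internal-CA default silently, so a name the operator expected to get a public certificate but that certmagic.SubjectQualifiesForPublicCert rejects will be served a locally-signed certificate that clients do not trust, with nothing in the output saying which default was chosen or why. A single debug-level log line in front of the two returns, naming the subject and whether the public or internal default applied, would make that diagnosable; the page does not show whether t carries a logger, so this assumes one is available on the TLS struct. The function's signature and loop are in the preceding hunk and the loop body is cut between the two hunks.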