summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to 'modules')
-rw-r--r--modules/caddytls/automation.go6
-rw-r--r--modules/caddytls/tls.go22
2 files changed, 22 insertions, 6 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 22cf20b..87e6b28 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -53,7 +53,8 @@ type AutomationConfig struct {
// a low value.
RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
- defaultAutomationPolicy *AutomationPolicy
+ defaultPublicAutomationPolicy *AutomationPolicy
+ defaultInternalAutomationPolicy *AutomationPolicy
}
// AutomationPolicy designates the policy for automating the
@@ -67,7 +68,8 @@ type AutomationPolicy struct {
// Which subjects (hostnames or IP addresses) this policy applies to.
Subjects []string `json:"subjects,omitempty"`
- // The module that will issue certificates. Default: acme
+ // The module that will issue certificates. Default: internal if all
+ // subjects do not qualify for public certificates; othewise acme.
IssuerRaw json.RawMessage `json:"issuer,omitempty" caddy:"namespace=tls.issuance inline_key=module"`
// If true, certificates will be requested with MustStaple. Not all
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 54f0e23..1255d3d 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -93,10 +93,17 @@ func (t *TLS) Provision(ctx caddy.Context) error {
if t.Automation == nil {
t.Automation = new(AutomationConfig)
}
- t.Automation.defaultAutomationPolicy = new(AutomationPolicy)
- err := t.Automation.defaultAutomationPolicy.Provision(t)
+ t.Automation.defaultPublicAutomationPolicy = new(AutomationPolicy)
+ err := t.Automation.defaultPublicAutomationPolicy.Provision(t)
if err != nil {
- return fmt.Errorf("provisioning default automation policy: %v", err)
+ return fmt.Errorf("provisioning default public automation policy: %v", err)
+ }
+ t.Automation.defaultInternalAutomationPolicy = &AutomationPolicy{
+ IssuerRaw: json.RawMessage(`{"module":"internal"}`),
+ }
+ err = t.Automation.defaultInternalAutomationPolicy.Provision(t)
+ if err != nil {
+ return fmt.Errorf("provisioning default internal automation policy: %v", err)
}
for i, ap := range t.Automation.Policies {
err := ap.Provision(t)
@@ -318,6 +325,10 @@ func (t *TLS) getConfigForName(name string) *certmagic.Config {
return ap.magic
}
+// getAutomationPolicyForName returns the first matching automation policy
+// for the given subject name. If no matching policy can be found, the
+// default policy is used, depending on whether the name qualifies for a
+// public certificate or not.
func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
for _, ap := range t.Automation.Policies {
if len(ap.Subjects) == 0 {
@@ -329,7 +340,10 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
}
}
}
- return t.Automation.defaultAutomationPolicy
+ if certmagic.SubjectQualifiesForPublicCert(name) {
+ return t.Automation.defaultPublicAutomationPolicy
+ }
+ return t.Automation.defaultInternalAutomationPolicy
}
// AllMatchingCertificates returns the list of all certificates in