path: root/modules/caddypki
Age | Commit message | Author
2022-11-23 | caddypki: Use go.step.sm/crypto to generate the PKI (#5217) | Mariano Cano
This commit replaces the use of github.com/smallstep/cli to generate the root and intermediate certificates and uses go.step.sm/crypto instead. It also upgrades the version of github.com/smallstep/certificates to the latest version.
2022-11-14 | reverseproxy: Mask the WS close message when we're the client (#5199) | Francis Lavoie
* reverseproxy: Mask the WS close message when we're the client
* weakrand
* Bump golangci-lint version so path ignores work on Windows
* gofmt
* ugh, gofmt everything, I guess
2022-11-08 | caddypki: Prefer user-configured root instead of generating new one (#5189) | Jonathan Garcia
Instead of generating a new root certificate at the default location, load the certificate from the configuration. Fixes: #5181
2022-09-16 | core: Variadic Context.Logger(); soft deprecation | Matthew Holt
Ideally I'd just remove the parameter to caddy.Context.Logger(), but this would break most Caddy plugins. Instead, I'm making it variadic and marking it as partially deprecated. In the future, I might completely remove the parameter once most plugins have updated.
2022-08-02 | chore: Bump up to Go 1.19, minimum 1.18 (#4925) | Francis Lavoie
2022-07-20 | cmd: Fix reload with stdin (#4900) | Francis Lavoie
2022-04-25 | caddypki: Fix `caddy trust` command to use the correct API endpoint (#4730) | Francis Lavoie
2022-04-13 | caddypki: Load intermediate for signing on-the-fly (#4669) | Francis Lavoie
* caddypki: Load intermediate for signing on-the-fly
  Fixes #4517
  Big thanks to @maraino for adding an API in `smallstep/certificates` so that we can fix this
* Debug log
* Trying a hunch, does it need to be a pointer receiver?
* Clarify pointer receiver
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-03-25 | go.mod: Upgrade CertMagic to v0.16.0 | Matthew Holt
Includes several breaking changes; code base updated accordingly.
- Added lots of context arguments
- Use fs.ErrNotExist
- Rename ACMEManager -> ACMEIssuer; CertificateManager -> Manager
2022-03-13 | chore: Comment fixes (#4634) | Francis Lavoie
2022-03-02 | caddypki: Try to fix lint warnings | Matthew Holt
2022-03-02 | caddypki: Refactor /pki/ admin endpoints | Matthew Holt
Remove /pki/certificates/<ca> endpoint and split into two endpoints:
- GET /pki/ca/<id> to get CA info and certs in JSON format
- GET /pki/ca/<id>/certificates to get cert in PEM chain
2022-03-02 | pki: Implement API endpoints for certs and `caddy trust` (#4443) | Francis Lavoie
* admin: Implement /pki/certificates/<id> API
* pki: Lower "skip_install_trust" log level to INFO
  See https://github.com/caddyserver/caddy/issues/4058#issuecomment-976132935
  It's not necessary to warn about this, because this was an option explicitly configured by the user. Still useful to log, but we don't need to be so loud about it.
* cmd: Export functions needed for PKI app, return API response to caller
* pki: Rewrite `caddy trust` command to use new admin endpoint instead
* pki: Rewrite `caddy untrust` command to support using admin endpoint
* Refactor cmd and pki packages for determining admin API endpoint
2022-02-17 | caddytls: Support external certificate Managers (like Tailscale) (#4541) | Matt Holt
Huge thank-you to Tailscale (https://tailscale.com) for making this change possible! This is a great feature for Caddy and Tailscale is a great fit for a standard implementation.
* caddytls: GetCertificate modules; Tailscale
* Caddyfile support for get_certificate
  Also fix AP provisioning in case of empty subject list (persist loaded module on struct, much like Issuers, to survive reprovisioning).
  And implement start of HTTP cert getter, still WIP.
* Update modules/caddytls/automation.go
  Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* Use tsclient package, check status for name
* Implement HTTP cert getter
  And reuse CertMagic's PEM functions for private keys.
* Remove cache option from Tailscale getter
  Tailscale does its own caching and we don't need the added complexity... for now, at least.
* Several updates
  - Option to disable cert automation in auto HTTPS
  - Support multiple cert managers
  - Remove cache feature from cert manager modules
  - Minor improvements to auto HTTPS logging
* Run go mod tidy
* Try to get certificates from Tailscale implicitly
  Only for domains ending in .ts.net. I think this is really cool!
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2022-01-07 | caddypki: Return error if no PEM data found | Matthew Holt
Best guess for https://caddy.community/t/on-fly-certificate-generation-based-on-sni/14639/4
2021-12-13 | caddypki: Minor tweak, don't use context pointer | Matthew Holt
2021-12-13 | pki: Avoid provisioning the `local` CA when not necessary (#4463) | Francis Lavoie
* pki: Avoid provisioning the `local` CA when not necessary
* pki: Refactor CA loading to keep the logic in the PKI app
2021-09-29 | Move from deprecated ioutil to os and io packages (#4364) | KallyDev
2021-09-24 | General minor improvements to docs | Matthew Holt
2021-07-01 | acmeserver: Don't set host for directory links by default | Matthew Holt
This makes the server more easily proxied.
2021-06-21 | acmeserver: Trim slashes from path prefix | Matthew Holt
See https://caddy.community/t/mtls-tls-internal-error/12807
2021-06-03 | go.mod: Update direct dependencies | Matthew Holt
2021-04-01 | Minor tweaks | Matthew Holt
2021-02-26 | caddypki: Add SignWithRoot option for ACME server | Matthew Holt
See https://caddy.community/t/setting-up-a-caddy-pki-based-on-a-windows-root-ca-was-getting-pki-config/11616/7
Also improved a godoc comment in the caddytls package.
2021-02-02 | acmeserver: Support custom CAs from Caddyfile | Matthew Holt
The HTTP Caddyfile adapter can now configure the PKI app, and the acme_server directive can now be used to specify a custom CA used for issuing certificates. More customization options can follow later as needed.
2020-11-23 | acme_server: fix reload of acme database (#3874) | Ian
* acme_server: Refactor database creation apart from authority creation
  This is a WIP commit that doesn't really offer anything other than setting us up for using a UsagePool to gracefully reload acme_server configs.
* Implement UsagePool
* Remove unused context
* Fix initializing non-ACME CA
  This will handle cases where a DB is not provided
* Sanitize acme db path and clean debug logs
* Move regex to package level to prevent recompiling
2020-11-23 | acme_server: switch to bbolt storage (#3868) | Ian
* acme_server: switch to bbolt storage
  There have been some issues with the badger storage engine being used by the embedded acme_server. This will replace the storage engine with bbolt
* Switch database path back to acme_server/db and remove if directory
2020-11-22 | ci: Use golangci's github action for linting (#3794) | Dave Henderson
* ci: Use golangci's github action for linting
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix most of the staticcheck lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the prealloc lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the misspell lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the varcheck lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the errcheck lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the bodyclose lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the deadcode lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the unused lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the gosec lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the gosimple lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the ineffassign lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the staticcheck lint errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Revert the misspell change, use a neutral English
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Remove broken golangci-lint CI job
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Re-add errantly-removed weakrand initialization
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* don't break the loop and return
* Removing extra handling for null rootKey
* unignore RegisterModule/RegisterAdapter
  Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* single-line log message
  Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Revert ticker change, ignore it instead
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Ignore some of the write errors
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Remove blank line
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Use lifetime
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* close immediately
  Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Preallocate configVals
  Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Update modules/caddytls/distributedstek/distributedstek.go
  Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-06-03 | caddypki: Add 'acme_server' Caddyfile directive | Matthew Holt
2020-05-18 | pki: Add docs to some struct fields | Matthew Holt
2020-05-12 | all: Recover from panics in goroutines | Matthew Holt
2020-05-06 | Update dependencies and get rid of placeholder hacks in CA code | Matthew Holt
With the latest commit on smallstep/certificates, placeholders in config are no longer needed.
2020-05-05 | pki: Embedded ACME server (#3198) | Matt Holt
* pki: Initial commit of embedded ACME server (#3021)
* reverseproxy: Support auto-managed TLS client certificates (#3021)
* A little cleanup after today's review session
2020-03-31 | pki: Add trust subcommand to install root cert (closes #3204) | Matthew Holt
2020-03-14 | pki: Don't treat cert installation failure as error | Matthew Holt
See https://caddy.community/t/fail-to-start-caddy2-not-nss-security-databases-found/7223?u=matt
2020-03-13 | Minor tweaks | Matthew Holt
2020-03-13 | v2: Implement 'pki' app powered by Smallstep for localhost certificates (#3125) | Matt Holt
* pki: Initial commit of PKI app (WIP) (see #2502 and #3021)
* pki: Ability to use root/intermediates, and sign with root
* pki: Fix benign misnamings left over from copy+paste
* pki: Only install root if not already trusted
* Make HTTPS port the default; all names use auto-HTTPS; bug fixes
* Fix build - what happened to our CI tests??
* Fix go.mod