summaryrefslogtreecommitdiff
path: root/modules/caddytls/automation.go
AgeCommit message (Collapse)Author
2023-05-15caddyhttp: Refactor cert Managers (fix #5415) (#5533)Matt Holt
2023-03-27caddytls: Eval replacer on automation policy subjects (#5459)Francis Lavoie
Also renamed the field to SubjectsRaw, which can be considered a breaking change but I don't expect this to affect much.
2023-03-20caddytls: Zero out throttle window first (#5443)Matt Holt
* caddytls: Zero out throttle window first * Don't error for on-demand Fixes https://github.com/caddyserver/caddy/commit/b97c76fb4789b8da0b80f5a2c1c1c5bebba163b5 --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2023-03-14caddytls: Allow on-demand w/o ask for internal-onlyMatthew Holt
2023-03-14caddytls: Require 'ask' endpoint for on-demand TLSMatthew Holt
2023-01-30caddytls: Debug log for ask endpointMatthew Holt
2022-08-31events: Implement event system (#4912)Francis Lavoie
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-08-23caddytls: Log error if ask request failsMatthew Holt
Errors returned from the DecisionFunc (whether to get a cert on-demand) are used as a signal whether to allow a cert or not; *any* error will forbid cert issuance. We bubble up the error all the way to the caller, but that caller is the Go standard library which might gobble it up. Now we explicitly log connection errors so sysadmins can ensure their ask endpoints are working. Thanks to our sponsor AppCove for reporting this!
2022-08-02chore: Bump up to Go 1.19, minimum 1.18 (#4925)Francis Lavoie
2022-04-22caddytls: Add `propagation_delay`, support `propagation_timeout -1` (#4723)Francis Lavoie
2022-03-25go.mod: Upgrade CertMagic to v0.16.0Matthew Holt
Includes several breaking changes; code base updated accordingly. - Added lots of context arguments - Use fs.ErrNotExist - Rename ACMEManager -> ACMEIssuer; CertificateManager -> Manager
2022-03-08caddytls: dns_challenge_override_domain for challenge delegation (#4596)Ran Chen
* Add a override_domain option to allow DNS chanllenge delegation CNAME can be used to delegate answering the chanllenge to another DNS zone. One usage is to reduce the exposure of the DNS credential [1]. Based on the discussion in caddy/certmagic#160, we are adding an option to allow the user explicitly specify the domain to delegate, instead of following the CNAME chain. This needs caddy/certmagic#160. * rename override_domain to dns_challenge_override_domain * Update CertMagic; fix spelling Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-02-17caddytls: Support external certificate Managers (like Tailscale) (#4541)Matt Holt
Huge thank-you to Tailscale (https://tailscale.com) for making this change possible! This is a great feature for Caddy and Tailscale is a great fit for a standard implementation. * caddytls: GetCertificate modules; Tailscale * Caddyfile support for get_certificate Also fix AP provisioning in case of empty subject list (persist loaded module on struct, much like Issuers, to surive reprovisioning). And implement start of HTTP cert getter, still WIP. * Update modules/caddytls/automation.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Use tsclient package, check status for name * Implement HTTP cert getter And use reuse CertMagic's PEM functions for private keys. * Remove cache option from Tailscale getter Tailscale does its own caching and we don't need the added complexity... for now, at least. * Several updates - Option to disable cert automation in auto HTTPS - Support multiple cert managers - Remove cache feature from cert manager modules - Minor improvements to auto HTTPS logging * Run go mod tidy * Try to get certificates from Tailscale implicitly Only for domains ending in .ts.net. I think this is really cool! Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2021-09-24General minor improvements to docsMatthew Holt
2021-06-25caddytls: Remove "IssuerRaw" fieldMatthew Holt
Has been deprecated and printing warnings for about 8 months now. Replaced by "IssuersRaw" field in v2.3.0.
2021-04-12caddytls: Configurable storage clean intervalMatthew Holt
Can drastically reduce costs on storage backends where scans are expensive. Also reduced default interval to 24h. See https://github.com/silinternational/certmagic-storage-dynamodb/issues/18
2021-02-02httpcaddyfile: Fix default issuers when email providedMatthew Holt
If `tls <email>` is used, we should apply that to all applicable default issuers, not drop them. This refactoring applies implicit ACME issuer settings from the tls directive to all default ACME issuers, like ZeroSSL. We also consolidate some annoying logic and improve config validity checks. Ref: https://caddy.community/t/error-obtaining-certificate-after-caddy-restart/11335/8
2021-01-07caddytls: Configurable OCSP stapling; global option (closes #3714)Matthew Holt
Allows user to disable OCSP stapling (including support in the Caddyfile via the ocsp_stapling global option) or overriding responder URLs. Useful in environments where responders are not reachable due to firewalls.
2020-11-16caddytls: Support multiple issuers (#3862)Matt Holt
* caddytls: Support multiple issuers Defaults are Let's Encrypt and ZeroSSL. There are probably bugs. * Commit updated integration tests, d'oh * Update go.mod
2020-08-21caddytls: Configure custom DNS resolvers for DNS challenge (close #2476)Matthew Holt
And #3391 Maybe also related: #3664
2020-07-30caddytls: Replace lego with acmez (#3621)Matt Holt
* Replace lego with acmez; upgrade CertMagic * Update integration test
2020-06-05caddytls: Configurable cache size limitMatthew Holt
2020-05-02caddytls: Fix namespace tls.dns -> dns.providersMatthew Holt
Coulda sworn I did this already but I think I messed up my git commands
2020-04-30caddytls: Adjust DNS challenge structure; clarify some docsMatthew Holt
2020-04-09caddytls: Don't initialize default internal issuer unless necessaryMatthew Holt
Otherwise, a password prompt can occur unnecessarily.
2020-04-08chore: make the linter happier (#3245)Mohammed Al Sahaf
* chore: make the linter happier * chore: remove reference to maligned linter in .golangci.yml
2020-04-08httpcaddyfile, caddytls: Multiple edge case fixes; add testsMatthew Holt
- Create two default automation policies; if the TLS app is used in isolation with the 'automate' certificate loader, it will now use an internal issuer for internal-only names, and an ACME issuer for all other names by default. - If the HTTP Caddyfile adds an 'automate' loader, it now also adds an automation policy for any names in that loader that do not qualify for public certificates so that they will be issued internally. (It might be nice if this wasn't necessary, but the alternative is to either make auto-HTTPS logic way more complex by scanning the names in the 'automate' loader, or to have an automation policy without an issuer switch between default issuer based on the name being issued a certificate - I think I like the latter option better, right now we do something kind of like that but at a level above each individual automation policies, we do that switch only when no automation policies match, rather than when a policy without an issuer does match.) - Set the default LoggerName rather than a LoggerNames with an empty host value, which is now taken literally rather than as a catch-all. - hostsFromKeys, the function that gets a list of hosts from server block keys, no longer returns an empty string in its resulting slice, ever.
2020-04-06caddytls: Support custom bind host for challenges (#3232)Matthew Holt
2020-03-26caddytls: Remove ManageSyncMatthew Holt
This seems unnecessary for now and we can always add it in later if people have a good reason to need it.
2020-03-25caddytls: Support placeholders in key_type (#3176)Pascal
* tls: Support placeholders in key_type * caddytls: Simplify placeholder support for ap.KeyType Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-03-23tls: Few minor improvements/simplificationsMatthew Holt
2020-03-20tls/http: Fix auto-HTTPS logic w/rt default issuers (fixes #3164)Matthew Holt
The comments in the code should explain the new logic thoroughly. The basic problem for the issue was that we were overriding a catch-all automation policy's explicitly-configured issuer with our own, for names that we thought looked like public names. In other words, one could configure an internal issuer for all names, but then our auto HTTPS would create a new policy for public-looking names that uses the default ACME issuer, because we assume public<==>ACME and nonpublic<==>Internal, but that is not always the case. The new logic still assumes nonpublic<==>Internal (on catch-all policies only), but no longer assumes that public-looking names always use an ACME issuer. Also fix a bug where HTTPPort and HTTPSPort from the HTTP app weren't being carried through to ACME issuers properly. It required a bit of refactoring.
2020-03-17httpcaddyfile: Many tls-related improvements including on-demand supportMatthew Holt
Holy heck this was complicated
2020-03-15caddytls: Clean up some code related to automationMatthew Holt