summaryrefslogtreecommitdiff
path: root/modules/caddytls
AgeCommit message (Collapse)Author
2023-05-15caddyhttp: Refactor cert Managers (fix #5415) (#5533)Matt Holt
2023-05-13caddytls: Check for nil ALPN; close #5470 (#5473)Matt Holt
* Check for nil ALPN; close #5470 * Apply patch * Actually I want to try this
2023-05-10caddytls: Configurable fallback SNI (#5527)Matt Holt
* Initial implementation of fallback_sni * Apply upstream patch
2023-03-27caddytls: Eval replacer on automation policy subjects (#5459)Francis Lavoie
Also renamed the field to SubjectsRaw, which can be considered a breaking change but I don't expect this to affect much.
2023-03-20caddytls: Zero out throttle window first (#5443)Matt Holt
* caddytls: Zero out throttle window first * Don't error for on-demand Fixes https://github.com/caddyserver/caddy/commit/b97c76fb4789b8da0b80f5a2c1c1c5bebba163b5 --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2023-03-14caddytls: Allow on-demand w/o ask for internal-onlyMatthew Holt
2023-03-14caddytls: Require 'ask' endpoint for on-demand TLSMatthew Holt
2023-02-22caddytls: Relax the warning for on-demand (#5384)Francis Lavoie
2023-01-30caddytls: Debug log for ask endpointMatthew Holt
2023-01-06caddytls: Add `dns_ttl` config, improve Caddyfile `tls` options (#5287)Yannick Ihmels
2022-09-16core: Variadic Context.Logger(); soft deprecationMatthew Holt
Ideally I'd just remove the parameter to caddy.Context.Logger(), but this would break most Caddy plugins. Instead, I'm making it variadic and marking it as partially deprecated. In the future, I might completely remove the parameter once most plugins have updated.
2022-09-16caddyhttp: Support TLS key logging for debugging (#4808)David Manouchehri
* Add SSL key logging. * Resolve merge conflict with master * Add Caddyfile support; various fixes * Also commit go.mod and go.sum, oops * Appease linter * Minor tweaks * Add doc comment Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-09-16caddytls: Debug log on implicit tailscale error (#5041)Matthew Holt
2022-09-13caddytls: Error if placeholder is empty in 'ask'Matthew Holt
Fixes #5036
2022-08-31events: Implement event system (#4912)Francis Lavoie
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-08-23caddytls: Log error if ask request failsMatthew Holt
Errors returned from the DecisionFunc (whether to get a cert on-demand) are used as a signal whether to allow a cert or not; *any* error will forbid cert issuance. We bubble up the error all the way to the caller, but that caller is the Go standard library which might gobble it up. Now we explicitly log connection errors so sysadmins can ensure their ask endpoints are working. Thanks to our sponsor AppCove for reporting this!
2022-08-17core: Change net.IP to netip.Addr; use netip.Prefix (#4966)WilczyńskiT
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-08-15caddyhttp: Enable HTTP/3 by default (#4707)Matt Holt
2022-08-08Improve docs for ZeroSSL issuerMatthew Holt
2022-08-02chore: Bump up to Go 1.19, minimum 1.18 (#4925)Francis Lavoie
2022-07-28caddytls: Remove PreferServerCipherSuitesMatthew Holt
It has been deprecated by Go
2022-07-05caddytls: Reuse issuer between PreCheck and Issue (#4866)Matt Holt
This enables EAB reuse for ZeroSSLIssuer (which is now supported by ZeroSSL).
2022-06-02caddytls: Make peer certificate verification pluggable (#4389)Gr33nbl00d
* caddytls: Adding ClientCertValidator for custom client cert validations * caddytls: Cleanups for ClientCertValidator changes caddytls: Cleanups for ClientCertValidator changes * Update modules/caddytls/connpolicy.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Update modules/caddytls/connpolicy.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Update modules/caddytls/connpolicy.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Update modules/caddytls/connpolicy.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Update modules/caddytls/connpolicy.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Update modules/caddytls/connpolicy.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Unexported field Validators, corrected renaming of LeafVerificationValidator to LeafCertClientAuth * admin: Write proper status on invalid requests (#4569) (fix #4561) * Apply suggestions from code review * Register module; fix compilation * Add log for deprecation notice Co-authored-by: Roettges Florian <roettges.florian@scheidt-bachmann.de> Co-authored-by: Francis Lavoie <lavofr@gmail.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Alok Naushad <alokme123@gmail.com>
2022-04-22caddytls: Add `propagation_delay`, support `propagation_timeout -1` (#4723)Francis Lavoie
2022-03-25go.mod: Upgrade CertMagic to v0.16.0Matthew Holt
Includes several breaking changes; code base updated accordingly. - Added lots of context arguments - Use fs.ErrNotExist - Rename ACMEManager -> ACMEIssuer; CertificateManager -> Manager
2022-03-08caddytls: dns_challenge_override_domain for challenge delegation (#4596)Ran Chen
* Add a override_domain option to allow DNS chanllenge delegation CNAME can be used to delegate answering the chanllenge to another DNS zone. One usage is to reduce the exposure of the DNS credential [1]. Based on the discussion in caddy/certmagic#160, we are adding an option to allow the user explicitly specify the domain to delegate, instead of following the CNAME chain. This needs caddy/certmagic#160. * rename override_domain to dns_challenge_override_domain * Update CertMagic; fix spelling Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-02-17caddytls: Support external certificate Managers (like Tailscale) (#4541)Matt Holt
Huge thank-you to Tailscale (https://tailscale.com) for making this change possible! This is a great feature for Caddy and Tailscale is a great fit for a standard implementation. * caddytls: GetCertificate modules; Tailscale * Caddyfile support for get_certificate Also fix AP provisioning in case of empty subject list (persist loaded module on struct, much like Issuers, to surive reprovisioning). And implement start of HTTP cert getter, still WIP. * Update modules/caddytls/automation.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Use tsclient package, check status for name * Implement HTTP cert getter And use reuse CertMagic's PEM functions for private keys. * Remove cache option from Tailscale getter Tailscale does its own caching and we don't need the added complexity... for now, at least. * Several updates - Option to disable cert automation in auto HTTPS - Support multiple cert managers - Remove cache feature from cert manager modules - Minor improvements to auto HTTPS logging * Run go mod tidy * Try to get certificates from Tailscale implicitly Only for domains ending in .ts.net. I think this is really cool! Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2022-01-18caddytls: Add internal Caddyfile `lifetime`, `sign_with_root` opts (#4513)Francis Lavoie
2022-01-13caddytls: Fix `MatchRemoteIP` provisoning with multiple CIDR ranges (#4522)GallopingKylin
2021-12-13caddypki: Minor tweak, don't use context pointerMatthew Holt
2021-12-13pki: Avoid provisioning the `local` CA when not necessary (#4463)Francis Lavoie
* pki: Avoid provisioning the `local` CA when not necessary * pki: Refactor CA loading to keep the logic in the PKI app
2021-11-02caddytls: Mark storage clean timestamp at end of routine (#4401)Matt Holt
See discussion on 42b7134ffa3bf3e9e86514c82407979c2627a5ab
2021-09-29Move from deprecated ioutil to os and io packages (#4364)KallyDev
2021-09-24General minor improvements to docsMatthew Holt
2021-06-25caddytls: Remove "IssuerRaw" fieldMatthew Holt
Has been deprecated and printing warnings for about 8 months now. Replaced by "IssuersRaw" field in v2.3.0.
2021-06-08httpcaddyfile: Add `preferred_chains` global option and issuer subdirective ↵Klooven
(#4192) * Added preferred_chains option to Caddyfile * Caddyfile adapt tests for preferred_chains
2021-06-07caddytls: Add Caddyfile support for `propagation_timeout` (#4178)Peter Magnusson
* add propagation_timeout to UnmarshalCaddyfile - Closes #4177 * added caddyfile_adapt test
2021-06-03go.mod: Update direct dependenciesMatthew Holt
2021-05-08caddytls: Run replacer on ask URL, for env vars (#4154)Francis Lavoie
Fixes #3922
2021-04-30caddytls: Implement remote IP connection matcher (#4123)Matt Holt
* caddytls: Implement remote IP connection matcher * Implement IP range negation If both Ranges and NotRanges are specified, both must match.
2021-04-21caddytls: Add `load_storage` module (#4055)Francis Lavoie
An idea that came up in https://caddy.community/t/save-internally-issued-wildcard-certificate-in-consul/11740, this a simple module that might be useful for anyone who uses storage modules that aren't filesystem, to let them load certs/keys externally issued for use by Caddy. Bit goofy, since we need to fetch the certmagic.Storage during provisioning, it needs a wrapping struct instead of just being an array like `load_files`. Future work might involve adding Caddyfile support via a subdirective of the `tls` directive maybe?
2021-04-12caddytls: Disable OCSP stapling for manual certs (#4064)Matthew Holt
2021-04-12caddytls: Configurable storage clean intervalMatthew Holt
Can drastically reduce costs on storage backends where scans are expensive. Also reduced default interval to 24h. See https://github.com/silinternational/certmagic-storage-dynamodb/issues/18
2021-04-01Minor tweaksMatthew Holt
2021-02-26caddypki: Add SignWithRoot option for ACME serverMatthew Holt
See https://caddy.community/t/setting-up-a-caddy-pki-based-on-a-windows- root-ca-was-getting-pki-config/11616/7 Also improved a godoc comment in the caddytls package.
2021-02-22caddytls: Remove old asset migration code (close #3894)Matthew Holt
2021-02-16Improve security warningsMatthew Holt
2021-02-10caddytls: Save email with account if not already specifiedMatthew Holt
I'm pretty sure this fixes a bug when the default email is used...
2021-02-02acmeserver: Support custom CAs from CaddyfileMatthew Holt
The HTTP Caddyfile adapter can now configure the PKI app, and the acme_server directive can now be used to specify a custom CA used for issuing certificates. More customization options can follow later as needed.
2021-02-02httpcaddyfile: Fix default issuers when email providedMatthew Holt
If `tls <email>` is used, we should apply that to all applicable default issuers, not drop them. This refactoring applies implicit ACME issuer settings from the tls directive to all default ACME issuers, like ZeroSSL. We also consolidate some annoying logic and improve config validity checks. Ref: https://caddy.community/t/error-obtaining-certificate-after-caddy-restart/11335/8