From bfaf2a8201b83d7369772cb6f2439abe66d9342a Mon Sep 17 00:00:00 2001 From: Kyle McCullough Date: Mon, 5 Dec 2022 23:12:26 -0800 Subject: acme_server: Configurable default lifetime for issued certificates (#5232) * acme_server: add certificate lifetime configuration option Signed-off-by: Kyle McCullough * pki: allow intermediate cert lifetime to be configured Signed-off-by: Kyle McCullough Signed-off-by: Kyle McCullough --- modules/caddypki/acmeserver/acmeserver.go | 14 +++++++++++++- modules/caddypki/acmeserver/caddyfile.go | 19 +++++++++++++++++++ modules/caddypki/ca.go | 10 +++++++++- modules/caddypki/certificates.go | 4 ++-- 4 files changed, 43 insertions(+), 4 deletions(-) (limited to 'modules/caddypki') diff --git a/modules/caddypki/acmeserver/acmeserver.go b/modules/caddypki/acmeserver/acmeserver.go index 921d0b8..6ecdfdc 100644 --- a/modules/caddypki/acmeserver/acmeserver.go +++ b/modules/caddypki/acmeserver/acmeserver.go @@ -48,6 +48,9 @@ type Handler struct { // the default ID is "local". CA string `json:"ca,omitempty"` + // The lifetime for issued certificates + Lifetime caddy.Duration `json:"lifetime,omitempty"` + // The hostname or IP address by which ACME clients // will access the server. This is used to populate // the ACME directory endpoint. If not set, the Host @@ -95,6 +98,9 @@ func (ash *Handler) Provision(ctx caddy.Context) error { if ash.PathPrefix == "" { ash.PathPrefix = defaultPathPrefix } + if ash.Lifetime == 0 { + ash.Lifetime = caddy.Duration(12 * time.Hour) + } // get a reference to the configured CA appModule, err := ctx.App("pki") @@ -107,6 +113,12 @@ func (ash *Handler) Provision(ctx caddy.Context) error { return err } + // make sure leaf cert lifetime is less than the intermediate cert lifetime. this check only + // applies for caddy-managed intermediate certificates + if ca.Intermediate == nil && ash.Lifetime >= ca.IntermediateLifetime { + return fmt.Errorf("certificate lifetime (%s) should be less than intermediate certificate lifetime (%s)", time.Duration(ash.Lifetime), time.Duration(ca.IntermediateLifetime)) + } + database, err := ash.openDatabase() if err != nil { return err @@ -122,7 +134,7 @@ func (ash *Handler) Provision(ctx caddy.Context) error { Claims: &provisioner.Claims{ MinTLSDur: &provisioner.Duration{Duration: 5 * time.Minute}, MaxTLSDur: &provisioner.Duration{Duration: 24 * time.Hour * 365}, - DefaultTLSDur: &provisioner.Duration{Duration: 12 * time.Hour}, + DefaultTLSDur: &provisioner.Duration{Duration: time.Duration(ash.Lifetime)}, }, }, }, diff --git a/modules/caddypki/acmeserver/caddyfile.go b/modules/caddypki/acmeserver/caddyfile.go index fe12712..ae2d8ef 100644 --- a/modules/caddypki/acmeserver/caddyfile.go +++ b/modules/caddypki/acmeserver/caddyfile.go @@ -15,6 +15,9 @@ package acmeserver import ( + "time" + + "github.com/caddyserver/caddy/v2" "github.com/caddyserver/caddy/v2/caddyconfig/httpcaddyfile" "github.com/caddyserver/caddy/v2/modules/caddypki" ) @@ -27,6 +30,7 @@ func init() { // // acme_server [] { // ca +// lifetime // } func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error) { if !h.Next() { @@ -55,6 +59,21 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error ca = new(caddypki.CA) } ca.ID = acmeServer.CA + case "lifetime": + if !h.NextArg() { + return nil, h.ArgErr() + } + + dur, err := caddy.ParseDuration(h.Val()) + if err != nil { + return nil, err + } + + if d := time.Duration(ca.IntermediateLifetime); d > 0 && dur > d { + return nil, h.Errf("certificate lifetime (%s) exceeds intermediate certificate lifetime (%s)", dur, d) + } + + acmeServer.Lifetime = caddy.Duration(dur) } } } diff --git a/modules/caddypki/ca.go b/modules/caddypki/ca.go index 914eddf..1ba0890 100644 --- a/modules/caddypki/ca.go +++ b/modules/caddypki/ca.go @@ -48,6 +48,9 @@ type CA struct { // intermediate certificates. IntermediateCommonName string `json:"intermediate_common_name,omitempty"` + // The lifetime for the intermediate certificates + IntermediateLifetime caddy.Duration `json:"intermediate_lifetime,omitempty"` + // Whether Caddy will attempt to install the CA's root // into the system trust store, as well as into Java // and Mozilla Firefox trust stores. Default: true. @@ -118,6 +121,11 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error { if ca.IntermediateCommonName == "" { ca.IntermediateCommonName = defaultIntermediateCommonName } + if ca.IntermediateLifetime == 0 { + ca.IntermediateLifetime = caddy.Duration(defaultIntermediateLifetime) + } else if time.Duration(ca.IntermediateLifetime) >= defaultRootLifetime { + return fmt.Errorf("intermediate certificate lifetime must be less than root certificate lifetime (%s)", defaultRootLifetime) + } // load the certs and key that will be used for signing var rootCert, interCert *x509.Certificate @@ -341,7 +349,7 @@ func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Si func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.Signer) (interCert *x509.Certificate, interKey crypto.Signer, err error) { repl := ca.newReplacer() - interCert, interKey, err = generateIntermediate(repl.ReplaceAll(ca.IntermediateCommonName, ""), rootCert, rootKey) + interCert, interKey, err = generateIntermediate(repl.ReplaceAll(ca.IntermediateCommonName, ""), rootCert, rootKey, time.Duration(ca.IntermediateLifetime)) if err != nil { return nil, nil, fmt.Errorf("generating CA intermediate: %v", err) } diff --git a/modules/caddypki/certificates.go b/modules/caddypki/certificates.go index c3b88a1..e300429 100644 --- a/modules/caddypki/certificates.go +++ b/modules/caddypki/certificates.go @@ -35,8 +35,8 @@ func generateRoot(commonName string) (*x509.Certificate, crypto.Signer, error) { return root, signer, nil } -func generateIntermediate(commonName string, rootCrt *x509.Certificate, rootKey crypto.Signer) (*x509.Certificate, crypto.Signer, error) { - template, signer, err := newCert(commonName, x509util.DefaultIntermediateTemplate, defaultIntermediateLifetime) +func generateIntermediate(commonName string, rootCrt *x509.Certificate, rootKey crypto.Signer, lifetime time.Duration) (*x509.Certificate, crypto.Signer, error) { + template, signer, err := newCert(commonName, x509util.DefaultIntermediateTemplate, lifetime) if err != nil { return nil, nil, err } -- cgit v1.2.3