authorclauverjat <[email protected]>2024-04-24 22:35:14 +0200
committerGitHub <[email protected]>2024-04-24 14:35:14 -0600
commit76c4cf5a56b4ee576001e649e72d6e7fdf730364 (patch)
tree32600f4fb78482a51d36ec8c78e9331d4b536c74
parent797973944f9bf60c84350a38848613b6247a66eb (diff)
downloadcaddy-76c4cf5a56b4ee576001e649e72d6e7fdf730364.tar.gz
caddy-76c4cf5a56b4ee576001e649e72d6e7fdf730364.zip
caddytls: Option to configure certificate lifetime (#6253)
* Add option to configure certificate lifetime * Bump CertMagic dep to latest master commit * Apply suggestions and ran go mod tidy * Update modules/caddytls/acmeissuer.go Co-authored-by: Matt Holt <[email protected]> --------- Co-authored-by: Matt Holt <[email protected]>
-rw-r--r--caddyconfig/httpcaddyfile/options.go1
-rw-r--r--caddyconfig/httpcaddyfile/tlsapp.go5
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--modules/caddytls/acmeissuer.go24
5 files changed, 33 insertions, 3 deletions
diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go
index 6a8ba0bd3..db9be52ca 100644
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@@ -54,6 +54,7 @@ func init() {
RegisterGlobalOption("auto_https", parseOptAutoHTTPS)
RegisterGlobalOption("servers", parseServerOptions)
RegisterGlobalOption("ocsp_stapling", parseOCSPStaplingOptions)
+ RegisterGlobalOption("cert_lifetime", parseOptDuration)
RegisterGlobalOption("log", parseLogOptions)
RegisterGlobalOption("preferred_chains", parseOptPreferredChains)
RegisterGlobalOption("persist_config", parseOptPersistConfig)
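Review bot: The new `cert_lifetime` global option is routed through parseOptDuration, which as far as is visible here performs no sign check, so a negative duration can reach ACMEIssuer.CertificateLifetime and then NotAfter in the makeIssuerTemplate hunk of modules/caddytls/acmeissuer.go without the `lifetime must be >= 0` guard that only the Caddyfile `lifetime` subdirective enforces; the JSON field `certificate_lifetime` bypasses that guard the same way. One check at the point where the CertMagic template is built would cover all three input paths, e.g. `if iss.CertificateLifetime < 0 { return certmagic.ACMEIssuer{}, fmt.Errorf("certificate_lifetime must be >= 0") }` at the top of makeIssuerTemplate, whose start lies outside that hunk. If parseOptDuration already rejects negatives, a short comment on this line saying so would save the next reader the lookup.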
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index bf3bed41a..f1ee1e863 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -456,6 +456,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
globalACMEDNS := options["acme_dns"]
globalACMEEAB := options["acme_eab"]
globalPreferredChains := options["preferred_chains"]
+ globalCertLifetime := options["cert_lifetime"]
if globalEmail != nil && acmeIssuer.Email == "" {
acmeIssuer.Email = globalEmail.(string)
@@ -479,6 +480,10 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
if globalPreferredChains != nil && acmeIssuer.PreferredChains == nil {
acmeIssuer.PreferredChains = globalPreferredChains.(*caddytls.ChainPreference)
}
+
+ if globalCertLifetime != nil && acmeIssuer.CertificateLifetime == 0 {
+ acmeIssuer.CertificateLifetime = globalCertLifetime.(caddy.Duration)
+ }
return nil
}
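Review bot: The added `globalCertLifetime.(caddy.Duration)` assertion on the new line panics instead of returning an error if the option were ever registered with a parser that yields a different type; this follows the pattern of the surrounding `globalEmail.(string)` and `PreferredChains` lines, so it is a style point rather than a regression. A comma-ok form would keep the failure inside the function's error return, e.g. `lifetime, ok := globalCertLifetime.(caddy.Duration)` followed by `if !ok { return fmt.Errorf("cert_lifetime: expected caddy.Duration, got %T", globalCertLifetime) }`. The `== 0` guard correctly treats an unset issuer value as "inherit the global", which matches the "Default: 0 (CA chooses lifetime)" documentation in acmeissuer.go.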
diff --git a/go.mod b/go.mod
index 6c4fed3c4..90f6042fb 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
github.com/Masterminds/sprig/v3 v3.2.3
github.com/alecthomas/chroma/v2 v2.13.0
github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
- github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570
+ github.com/caddyserver/certmagic v0.20.1-0.20240419174353-855d4670a49d
github.com/caddyserver/zerossl v0.1.2
github.com/dustin/go-humanize v1.0.1
github.com/go-chi/chi/v5 v5.0.12
diff --git a/go.sum b/go.sum
index 14434b24a..3fa853c7b 100644
--- a/go.sum
+++ b/go.sum
@@ -68,8 +68,8 @@ github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570 h1:SsAXjoQx2wOmLl6mEwJEwh7wwys2hb/l/mhtmxA3wts=
-github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570/go.mod h1:e1NhB1rF5KZnAuAX6oSyhE7sg1Ru5bWgggw5RtauhEY=
+github.com/caddyserver/certmagic v0.20.1-0.20240419174353-855d4670a49d h1:fi1dMdHOoyWHXpxpCbaB+H4xdAgQcBP2AXSqpXVpIcg=
+github.com/caddyserver/certmagic v0.20.1-0.20240419174353-855d4670a49d/go.mod h1:e1NhB1rF5KZnAuAX6oSyhE7sg1Ru5bWgggw5RtauhEY=
github.com/caddyserver/zerossl v0.1.2 h1:tlEu1VzWGoqcCpivs9liKAKhfpJWYJkHEMmlxRbVAxE=
github.com/caddyserver/zerossl v0.1.2/go.mod h1:wtiJEHbdvunr40ZzhXlnIkOB8Xj4eKtBKizCcZitJiQ=
github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 547618e8f..1f57c7e38 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -88,6 +88,15 @@ type ACMEIssuer struct {
// will be selected.
PreferredChains *ChainPreference `json:"preferred_chains,omitempty"`
+ // The validity period to ask the CA to issue a certificate for.
+ // Default: 0 (CA chooses lifetime).
+ // This value is used to compute the "notAfter" field of the ACME order;
+ // therefore the system must have a reasonably synchronized clock.
+ // NOTE: Not all CAs support this. Check with your CA's ACME
+ // documentation to see if this is allowed and what values may
+ // be used. EXPERIMENTAL: Subject to change.
+ CertificateLifetime caddy.Duration `json:"certificate_lifetime,omitempty"`
+
rootPool *x509.CertPool
logger *zap.Logger
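Review bot: The new field comment does not mention that the same setting is spelled three ways across this commit — `certificate_lifetime` in JSON, `lifetime` as the issuer's Caddyfile subdirective, and `cert_lifetime` as the Caddyfile global option — which is the kind of mapping a reader of the JSON docs needs. Suggest adding a line such as `// Caddyfile: the issuer's "lifetime" subdirective, or the "cert_lifetime" global option.` to the comment block. It would also help to state how a short value interacts with renewal; CertMagic presumably renews at a ratio of the remaining lifetime, so very short values imply frequent reissuance and more exposure to CA rate limits, but confirm that against CertMagic before documenting it as fact.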
@@ -178,6 +187,7 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEIssuer, error) {
CertObtainTimeout: time.Duration(iss.ACMETimeout),
TrustedRoots: iss.rootPool,
ExternalAccount: iss.ExternalAccount,
+ NotAfter: time.Duration(iss.CertificateLifetime),
Logger: iss.logger,
}
@@ -349,6 +359,20 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
for d.NextBlock(0) {
switch d.Val() {
+ case "lifetime":
+ var lifetimeStr string
+ if !d.AllArgs(&lifetimeStr) {
+ return d.ArgErr()
+ }
+ lifetime, err := caddy.ParseDuration(lifetimeStr)
+ if err != nil {
+ return d.Errf("invalid lifetime %s: %v", lifetimeStr, err)
+ }
+ if lifetime < 0 {
+ return d.Errf("lifetime must be >= 0: %s", lifetime)
+ }
+ iss.CertificateLifetime = caddy.Duration(lifetime)
+
case "dir":
if iss.CA != "" {
return d.Errf("directory is already specified: %s", iss.CA)