author | Matthew Holt <[email protected]> | 2024-04-23 11:40:12 -0600 |
committer | Matthew Holt <[email protected]> | 2024-04-23 11:40:12 -0600 |
commit | 13afd1db386aa367e4106dc849fb1683be1985b0 (patch) | |
tree | 79f4a803127cbcae1d76fbba2c6119a2742b6be1 | |
parent | 868af6a062290b82fb1d4d70697739974e814e50 (diff) | |
caddytls: Evict internal certs from cache based on issuer
During a config reload, we would keep certs in the cache if they were used by the next config. If one config uses InternalIssuer and the other uses a public CA, this behavior is problematic / unintuitive, because there is a big difference between private/public CAs.
This change should ensure that internal issuers are considered when deciding whether to keep or evict from the cache during a reload, by making them distinct from each other and certs from public CAs.
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 4 | ||||
-rw-r--r-- | modules/caddytls/tls.go | 17 |
3 files changed, 18 insertions, 5 deletions
@@ -7,7 +7,7 @@ require (
 github.com/Masterminds/sprig/v3 v3.2.3
 github.com/alecthomas/chroma/v2 v2.13.0
 github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
- github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570
+ github.com/caddyserver/certmagic v0.20.1-0.20240423172519-140a6fa9202e
 github.com/caddyserver/zerossl v0.1.2
 github.com/dustin/go-humanize v1.0.1
 github.com/go-chi/chi/v5 v5.0.12
@@ -68,8 +68,8 @@ github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
 github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570 h1:SsAXjoQx2wOmLl6mEwJEwh7wwys2hb/l/mhtmxA3wts=
-github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570/go.mod h1:e1NhB1rF5KZnAuAX6oSyhE7sg1Ru5bWgggw5RtauhEY=
+github.com/caddyserver/certmagic v0.20.1-0.20240423172519-140a6fa9202e h1:+D6CR2rMrHZe79HSwjgefZWP9y78FMQ2NygXvhF0XVA=
+github.com/caddyserver/certmagic v0.20.1-0.20240423172519-140a6fa9202e/go.mod h1:e1NhB1rF5KZnAuAX6oSyhE7sg1Ru5bWgggw5RtauhEY=
 github.com/caddyserver/zerossl v0.1.2 h1:tlEu1VzWGoqcCpivs9liKAKhfpJWYJkHEMmlxRbVAxE=
 github.com/caddyserver/zerossl v0.1.2/go.mod h1:wtiJEHbdvunr40ZzhXlnIkOB8Xj4eKtBKizCcZitJiQ=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 2a05d5235..c59d8e975 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -22,6 +22,7 @@ import (
 "log"
 "net/http"
 "runtime/debug"
+ "strings"
 "sync"
 "time"
@@ -358,10 +359,12 @@ func (t *TLS) Cleanup() error {
 // compute which certificates were managed or loaded into the cert cache by this
 // app instance (which is being stopped) that are not managed or loaded by the
 // new app instance (which just started), and remove them from the cache
- var noLongerManaged, noLongerLoaded []string
+ var noLongerManaged []certmagic.SubjectIssuer
+ var noLongerLoaded []string
 for subj := range t.managing {
 if _, ok := nextTLSApp.managing[subj]; !ok {
- noLongerManaged = append(noLongerManaged, subj)
+ name, issuerKey, _ := strings.Cut(subj, "~")
+ noLongerManaged = append(noLongerManaged, certmagic.SubjectIssuer{Subject: name, IssuerKey: issuerKey})
 }
 }
 for hash := range t.loaded {
@@ -407,6 +410,16 @@ func (t *TLS) Manage(names []string) error {
 return fmt.Errorf("automate: manage %v: %v", names, err)
 }
 for _, name := range names {
+ // certs that are issued solely by our internal issuer are a little bit of
+ // a special case: if you have an initial config that manages example.com
+ // using internal CA, then after testing it you switch to a production CA,
+ // you wouldn't want to keep using the same self-signed cert, obviously;
+ // so we differentiate these in the list
+ if len(ap.Issuers) == 1 {
+ if _, ok := ap.Issuers[0].(*InternalIssuer); ok {
+ name += "~" + ap.Issuers[0].IssuerKey()
+ }
+ }
 t.managing[name] = struct{}{}
 }
 } |
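Review bot: The `"~"` separator that Manage appends to the key and Cleanup splits with `strings.Cut` is a bare literal repeated in both hunks, so nothing ties the two halves of the encoding together; a package-level `const issuerKeySep = "~"` used as `strings.Cut(subj, issuerKeySep)` and `name += issuerKeySep + ap.Issuers[0].IssuerKey()` would make that contract explicit. Since `t.managing` keys now carry `subject~issuerKey` for internal-CA certs, any other reader of that map outside these hunks would need the same split, and the `managing` field's doc comment (not in this diff) should state the key format. For entries without a suffix `issuerKey` is the empty string; whether certmagic treats an empty `IssuerKey` as matching any issuer on eviction is not visible here and is worth confirming, since the whole point of the change is that a private-CA cert must not survive a switch to a public CA (or vice versa). Both Cleanup and Manage continue outside their hunks.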