authorMatthew Holt <[email protected]>2024-04-23 11:40:12 -0600
committerMatthew Holt <[email protected]>2024-04-23 11:40:12 -0600
commit13afd1db386aa367e4106dc849fb1683be1985b0 (patch)
tree79f4a803127cbcae1d76fbba2c6119a2742b6be1
parent868af6a062290b82fb1d4d70697739974e814e50 (diff)
caddytls: Evict internal certs from cache based on issuer
During a config reload, we would keep certs in the cache if they were used by the next config. If one config uses InternalIssuer and the other uses a public CA, this behavior is problematic / unintuitive, because there is a big difference between private/public CAs. This change should ensure that internal issuers are considered when deciding whether to keep or evict from the cache during a reload, by making them distinct from each other and certs from public CAs.
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--modules/caddytls/tls.go17
3 files changed, 18 insertions, 5 deletions
diff --git a/go.mod b/go.mod
index c3dc1568f..fb532d622 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
github.com/Masterminds/sprig/v3 v3.2.3
github.com/alecthomas/chroma/v2 v2.13.0
github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
- github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570
+ github.com/caddyserver/certmagic v0.20.1-0.20240423172519-140a6fa9202e
github.com/caddyserver/zerossl v0.1.2
github.com/dustin/go-humanize v1.0.1
github.com/go-chi/chi/v5 v5.0.12
diff --git a/go.sum b/go.sum
index bd298867e..d32bfca89 100644
--- a/go.sum
+++ b/go.sum
@@ -68,8 +68,8 @@ github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570 h1:SsAXjoQx2wOmLl6mEwJEwh7wwys2hb/l/mhtmxA3wts=
-github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570/go.mod h1:e1NhB1rF5KZnAuAX6oSyhE7sg1Ru5bWgggw5RtauhEY=
+github.com/caddyserver/certmagic v0.20.1-0.20240423172519-140a6fa9202e h1:+D6CR2rMrHZe79HSwjgefZWP9y78FMQ2NygXvhF0XVA=
+github.com/caddyserver/certmagic v0.20.1-0.20240423172519-140a6fa9202e/go.mod h1:e1NhB1rF5KZnAuAX6oSyhE7sg1Ru5bWgggw5RtauhEY=
github.com/caddyserver/zerossl v0.1.2 h1:tlEu1VzWGoqcCpivs9liKAKhfpJWYJkHEMmlxRbVAxE=
github.com/caddyserver/zerossl v0.1.2/go.mod h1:wtiJEHbdvunr40ZzhXlnIkOB8Xj4eKtBKizCcZitJiQ=
github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 2a05d5235..c59d8e975 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -22,6 +22,7 @@ import (
"log"
"net/http"
"runtime/debug"
+ "strings"
"sync"
"time"
@@ -358,10 +359,12 @@ func (t *TLS) Cleanup() error {
// compute which certificates were managed or loaded into the cert cache by this
// app instance (which is being stopped) that are not managed or loaded by the
// new app instance (which just started), and remove them from the cache
- var noLongerManaged, noLongerLoaded []string
+ var noLongerManaged []certmagic.SubjectIssuer
+ var noLongerLoaded []string
for subj := range t.managing {
if _, ok := nextTLSApp.managing[subj]; !ok {
- noLongerManaged = append(noLongerManaged, subj)
+ name, issuerKey, _ := strings.Cut(subj, "~")
+ noLongerManaged = append(noLongerManaged, certmagic.SubjectIssuer{Subject: name, IssuerKey: issuerKey})
}
}
for hash := range t.loaded {
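Review bot: The `"~"` separator on L68 is a bare literal that has to stay byte-identical to the one `Manage` appends when it builds the key, and nothing here records why splitting on it is unambiguous; hoist it into one package-level constant with a comment, e.g. `// internalIssuerSep joins a subject to the key of its InternalIssuer in t.managing; hostnames and IP subjects never contain it, so strings.Cut is unambiguous.` followed by `const internalIssuerSep = "~"`, and use it on L68. A subject that carries no separator comes out of `Cut` with an empty `IssuerKey`; presumably certmagic treats an empty key as "match any issuer", but that is not visible here and is worth stating in a one-line comment so the empty key is not mistaken for a parse failure. Cleanup's body continues past the end of this hunk.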
@@ -407,6 +410,16 @@ func (t *TLS) Manage(names []string) error {
return fmt.Errorf("automate: manage %v: %v", names, err)
}
for _, name := range names {
+ // certs that are issued solely by our internal issuer are a little bit of
+ // a special case: if you have an initial config that manages example.com
+ // using internal CA, then after testing it you switch to a production CA,
+ // you wouldn't want to keep using the same self-signed cert, obviously;
+ // so we differentiate these in the list
+ if len(ap.Issuers) == 1 {
+ if _, ok := ap.Issuers[0].(*InternalIssuer); ok {
+ name += "~" + ap.Issuers[0].IssuerKey()
+ }
+ }
t.managing[name] = struct{}{}
}
}
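Review bot: The issuer tag is only appended when the policy has exactly one issuer and that issuer is the `InternalIssuer` (L82-L84), so a policy that lists the internal issuer alongside others is tracked by bare name and is treated like a public-CA policy at reload; if such a mixed policy can actually obtain a certificate from the internal CA (cannot tell from this hunk), the stale private-cert case the description addresses still applies to it. At minimum the comment should spell out the limitation, e.g. `// only single-issuer internal policies are tagged; a policy that mixes the internal issuer with others is tracked by bare name and its certs survive a reload like public ones`. The key format built here (`name + "~" + IssuerKey()`) is also what Cleanup parses back with `strings.Cut`, so the separator belongs in a shared constant rather than a literal repeated in both functions. Manage's body begins before this hunk, so where `ap` is bound and whether `t.managing` is written under a lock is not visible.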