aboutsummaryrefslogtreecommitdiffhomepage
path: root/caddyconfig/httpcaddyfile/builtins.go
diff options
context:
space:
mode:
authorMatthew Holt <[email protected]>2021-02-02 16:17:26 -0700
committerMatthew Holt <[email protected]>2021-02-02 16:17:26 -0700
commit90284e8017fedeb6eeb9f4183660a679b8a5e15e (patch)
treeda996b6608f84a81ebc80577af1e55a913a7073c /caddyconfig/httpcaddyfile/builtins.go
parent2772ede43c852fa50f3527dbd94ae747b6f64365 (diff)
downloadcaddy-90284e8017fedeb6eeb9f4183660a679b8a5e15e.tar.gz
caddy-90284e8017fedeb6eeb9f4183660a679b8a5e15e.zip
httpcaddyfile: Fix default issuers when email provided
If `tls <email>` is used, we should apply that to all applicable default issuers, not drop them. This refactoring applies implicit ACME issuer settings from the tls directive to all default ACME issuers, like ZeroSSL. We also consolidate some annoying logic and improve config validity checks. Ref: https://caddy.community/t/error-obtaining-certificate-after-caddy-restart/11335/8
Diffstat (limited to 'caddyconfig/httpcaddyfile/builtins.go')
-rw-r--r--caddyconfig/httpcaddyfile/builtins.go56
1 files changed, 41 insertions, 15 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index aa68adb4f..4945a81a5 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -369,31 +369,57 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
})
}
+ // some tls subdirectives are shortcuts that implicitly configure issuers, and the
+ // user can also configure issuers explicitly using the issuer subdirective; the
+ // logic to support both would likely be complex, or at least unintuitive
if len(issuers) > 0 && (acmeIssuer != nil || internalIssuer != nil) {
- // some tls subdirectives are shortcuts that implicitly configure issuers, and the
- // user can also configure issuers explicitly using the issuer subdirective; the
- // logic to support both would likely be complex, or at least unintuitive
return nil, h.Err("cannot mix issuer subdirective (explicit issuers) with other issuer-specific subdirectives (implicit issuers)")
}
- for _, issuer := range issuers {
- configVals = append(configVals, ConfigValue{
- Class: "tls.cert_issuer",
- Value: issuer,
- })
- }
- if acmeIssuer != nil {
- configVals = append(configVals, ConfigValue{
- Class: "tls.cert_issuer",
- Value: disambiguateACMEIssuer(acmeIssuer),
- })
+ if acmeIssuer != nil && internalIssuer != nil {
+ return nil, h.Err("cannot create both ACME and internal certificate issuers")
}
- if internalIssuer != nil {
+
+ // now we should either have: explicitly-created issuers, or an implicitly-created
+ // ACME or internal issuer, or no issuers at all
+ switch {
+ case len(issuers) > 0:
+ for _, issuer := range issuers {
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: issuer,
+ })
+ }
+
+ case acmeIssuer != nil:
+ // implicit ACME issuers (from various subdirectives) - use defaults; there might be more than one
+ defaultIssuers := caddytls.DefaultIssuers()
+
+ // if a CA endpoint was set, override multiple implicit issuers since it's a specific one
+ if acmeIssuer.CA != "" {
+ defaultIssuers = []certmagic.Issuer{acmeIssuer}
+ }
+
+ for _, issuer := range defaultIssuers {
+ switch iss := issuer.(type) {
+ case *caddytls.ACMEIssuer:
+ issuer = acmeIssuer
+ case *caddytls.ZeroSSLIssuer:
+ iss.ACMEIssuer = acmeIssuer
+ }
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: issuer,
+ })
+ }
+
+ case internalIssuer != nil:
configVals = append(configVals, ConfigValue{
Class: "tls.cert_issuer",
Value: internalIssuer,
})
}
+ // certificate key type
if keyType != "" {
configVals = append(configVals, ConfigValue{
Class: "tls.key_type",