Diffstat (limited to 'modules/caddytls/acmeissuer.go')
-rw-r--r--modules/caddytls/acmeissuer.go24
1 files changed, 24 insertions, 0 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 547618e8f..1f57c7e38 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -88,6 +88,15 @@ type ACMEIssuer struct {
// will be selected.
PreferredChains *ChainPreference `json:"preferred_chains,omitempty"`
+ // The validity period to ask the CA to issue a certificate for.
+ // Default: 0 (CA chooses lifetime).
+ // This value is used to compute the "notAfter" field of the ACME order;
+ // therefore the system must have a reasonably synchronized clock.
+ // NOTE: Not all CAs support this. Check with your CA's ACME
+ // documentation to see if this is allowed and what values may
+ // be used. EXPERIMENTAL: Subject to change.
+ CertificateLifetime caddy.Duration `json:"certificate_lifetime,omitempty"`
+
rootPool *x509.CertPool
logger *zap.Logger
@@ -178,6 +187,7 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEIssuer, error) {
CertObtainTimeout: time.Duration(iss.ACMETimeout),
TrustedRoots: iss.rootPool,
ExternalAccount: iss.ExternalAccount,
+ NotAfter: time.Duration(iss.CertificateLifetime),
Logger: iss.logger,
}
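Review bot: A negative CertificateLifetime reaches certmagic unchecked here: the new `NotAfter:` line casts iss.CertificateLifetime straight through, while the Caddyfile `lifetime` case in the UnmarshalCaddyfile hunk rejects values below zero, so a JSON config can set `certificate_lifetime` to a negative duration that the Caddyfile adapter would refuse (unless Provision validates it somewhere not shown in this diff). A guard before the struct literal keeps both config paths consistent: `if iss.CertificateLifetime < 0 { return certmagic.ACMEIssuer{}, fmt.Errorf("certificate_lifetime must be >= 0: %s", time.Duration(iss.CertificateLifetime)) }`. It would also help to state the constraint on the field itself, e.g. adding `// Must be non-negative.` to the CertificateLifetime doc comment in the struct hunk. makeIssuerTemplate begins and ends outside this hunk.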
@@ -349,6 +359,20 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
for d.NextBlock(0) {
switch d.Val() {
+ case "lifetime":
+ var lifetimeStr string
+ if !d.AllArgs(&lifetimeStr) {
+ return d.ArgErr()
+ }
+ lifetime, err := caddy.ParseDuration(lifetimeStr)
+ if err != nil {
+ return d.Errf("invalid lifetime %s: %v", lifetimeStr, err)
+ }
+ if lifetime < 0 {
+ return d.Errf("lifetime must be >= 0: %s", lifetime)
+ }
+ iss.CertificateLifetime = caddy.Duration(lifetime)
+
case "dir":
if iss.CA != "" {
return d.Errf("directory is already specified: %s", iss.CA)