From 81413caea251a3ef9e3641d7b1b6e867572a2b1b Mon Sep 17 00:00:00 2001 From: Matt Holt Date: Sat, 13 Apr 2024 21:31:43 -0400 Subject: caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229) * WIP: acmez v2, CertMagic, and ZeroSSL issuer upgrades * caddytls: ZeroSSLIssuer now uses ZeroSSL API instead of ACME * Fix go.mod * caddytls: Fix automation related to managers (fix #6060) * Fix typo (appease linter) * Fix HTTP validation with ZeroSSL API --- caddytest/integration/acme_test.go | 8 ++++---- caddytest/integration/acmeserver_test.go | 15 +++++---------- .../global_options_preferred_chains.caddyfiletest | 6 ------ .../tls_automation_policies_3.caddyfiletest | 3 ++- .../tls_automation_policies_4.caddyfiletest | 3 ++- .../tls_automation_policies_8.caddyfiletest | 3 ++- ...tomation_policies_global_email_localhost.caddyfiletest | 3 ++- .../integration/caddyfile_adapt/tls_dns_ttl.caddyfiletest | 8 -------- .../tls_explicit_issuer_dns_ttl.caddyfiletest | 9 ++++----- .../tls_explicit_issuer_propagation_options.caddyfiletest | 11 +++++------ .../caddyfile_adapt/tls_propagation_options.caddyfiletest | 9 --------- 11 files changed, 26 insertions(+), 52 deletions(-) (limited to 'caddytest') diff --git a/caddytest/integration/acme_test.go b/caddytest/integration/acme_test.go index 840af023f..ceacd1db0 100644 --- a/caddytest/integration/acme_test.go +++ b/caddytest/integration/acme_test.go @@ -13,8 +13,8 @@ import ( "github.com/caddyserver/caddy/v2" "github.com/caddyserver/caddy/v2/caddytest" - "github.com/mholt/acmez" - "github.com/mholt/acmez/acme" + "github.com/mholt/acmez/v2" + "github.com/mholt/acmez/v2/acme" smallstepacme "github.com/smallstep/certificates/acme" "go.uber.org/zap" ) 
@@ -77,7 +77,7 @@ func TestACMEServerWithDefaults(t *testing.T) { return } - certs, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"localhost"}) + certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"}) if err != nil { t.Errorf("obtaining certificate: %v", err) return @@ -146,7 +146,7 @@ func TestACMEServerWithMismatchedChallenges(t *testing.T) { return } - certs, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"localhost"}) + certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"}) if len(certs) > 0 { t.Errorf("expected '0' certificates, but received '%d'", len(certs)) } diff --git a/caddytest/integration/acmeserver_test.go b/caddytest/integration/acmeserver_test.go index 435bfc7b4..22b716f84 100644 --- a/caddytest/integration/acmeserver_test.go +++ b/caddytest/integration/acmeserver_test.go @@ -9,8 +9,8 @@ import ( "testing" "github.com/caddyserver/caddy/v2/caddytest" - "github.com/mholt/acmez" - "github.com/mholt/acmez/acme" + "github.com/mholt/acmez/v2" + "github.com/mholt/acmez/v2/acme" "go.uber.org/zap" ) @@ -105,12 +105,7 @@ func TestACMEServerAllowPolicy(t *testing.T) { return } { - certs, err := client.ObtainCertificate( - ctx, - account, - certPrivateKey, - []string{"localhost"}, - ) + certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"}) if err != nil { t.Errorf("obtaining certificate for allowed domain: %v", err) return 
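Review bot: In the TestACMEServerWithMismatchedChallenges hunk the new `certs, err := client.ObtainCertificateForSANs(...)` line assigns `err`, but the only assertion visible in the hunk is `len(certs) > 0`, so an issuance that fails for an unrelated reason (network, account, timeout) passes the test just as a correct rejection would. Unless the remainder of the function, which lies outside this hunk, already covers it, add `if err == nil { t.Error("expected an error when challenge types do not match") }` and, as the allow/deny policy tests in this same diff do with `strings.Contains(err.Error(), ...)`, pin the expected ACME problem type so the test checks the rejection reason rather than any failure.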
@@ -126,7 +121,7 @@ func TestACMEServerAllowPolicy(t *testing.T) { } } { - _, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"not-matching.localhost"}) + _, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"not-matching.localhost"}) if err == nil { t.Errorf("obtaining certificate for 'not-matching.localhost' domain") } else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") { @@ -199,7 +194,7 @@ func TestACMEServerDenyPolicy(t *testing.T) { return } { - _, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"deny.localhost"}) + _, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"deny.localhost"}) if err == nil { t.Errorf("obtaining certificate for 'deny.localhost' domain") } else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") { diff --git a/caddytest/integration/caddyfile_adapt/global_options_preferred_chains.caddyfiletest b/caddytest/integration/caddyfile_adapt/global_options_preferred_chains.caddyfiletest index 9173b26bf..1f5d0093e 100644 --- a/caddytest/integration/caddyfile_adapt/global_options_preferred_chains.caddyfiletest +++ b/caddytest/integration/caddyfile_adapt/global_options_preferred_chains.caddyfiletest @@ -40,12 +40,6 @@ example.com "preferred_chains": { "smallest": true } - }, - { - "module": "zerossl", - "preferred_chains": { - "smallest": true - } } ] } diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_3.caddyfiletest b/caddytest/integration/caddyfile_adapt/tls_automation_policies_3.caddyfiletest index da5824a36..9daaf436d 100644 --- a/caddytest/integration/caddyfile_adapt/tls_automation_policies_3.caddyfiletest +++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_3.caddyfiletest 
@@ -70,8 +70,9 @@ c.example.com { "module": "acme" }, { + "ca": "https://acme.zerossl.com/v2/DV90", "email": "abc@example.com", - "module": "zerossl" + "module": "acme" } ] }, diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.caddyfiletest b/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.caddyfiletest index d8f2164de..a4385a8f3 100644 --- a/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.caddyfiletest +++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.caddyfiletest @@ -131,8 +131,9 @@ abc.de { "module": "acme" }, { + "ca": "https://acme.zerossl.com/v2/DV90", "email": "my.email@example.com", - "module": "zerossl" + "module": "acme" } ] } diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_8.caddyfiletest b/caddytest/integration/caddyfile_adapt/tls_automation_policies_8.caddyfiletest index 1703178eb..bd1bbf221 100644 --- a/caddytest/integration/caddyfile_adapt/tls_automation_policies_8.caddyfiletest +++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_8.caddyfiletest @@ -86,8 +86,9 @@ http://localhost:8081 { "module": "acme" }, { + "ca": "https://acme.zerossl.com/v2/DV90", "email": "abc@example.com", - "module": "zerossl" + "module": "acme" } ] } diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_global_email_localhost.caddyfiletest b/caddytest/integration/caddyfile_adapt/tls_automation_policies_global_email_localhost.caddyfiletest index e8ef3a7e9..50fbf51aa 100644 --- a/caddytest/integration/caddyfile_adapt/tls_automation_policies_global_email_localhost.caddyfiletest +++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_global_email_localhost.caddyfiletest @@ -54,8 +54,9 @@ example.com { "module": "acme" }, { + "ca": "https://acme.zerossl.com/v2/DV90", "email": "foo@bar", - "module": "zerossl" + "module": "acme" } ] } 
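Review bot: The ZeroSSL fallback issuer expected by these four fixtures is now a plain `acme` module carrying only `"ca": "https://acme.zerossl.com/v2/DV90"` and an `email`, with no `external_account` entry, even though ZeroSSL's ACME directory requires External Account Binding. The fixtures therefore presumably rely on the ACME issuer provisioning EAB credentials from the email at runtime, which this diff does not show; that should be confirmed, and a fixture with an explicit `external_account` block would keep the user-supplied EAB path covered too. It also appears that the fallback is emitted only when an email is configured (the dns_ttl and propagation_options fixtures in this same diff drop it entirely), which is worth stating in the `email` global-option documentation since it changes which CAs a deployment silently contacts.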
diff --git a/caddytest/integration/caddyfile_adapt/tls_dns_ttl.caddyfiletest b/caddytest/integration/caddyfile_adapt/tls_dns_ttl.caddyfiletest index 02e46763d..c452bf79f 100644 --- a/caddytest/integration/caddyfile_adapt/tls_dns_ttl.caddyfiletest +++ b/caddytest/integration/caddyfile_adapt/tls_dns_ttl.caddyfiletest @@ -58,14 +58,6 @@ tls { } }, "module": "acme" - }, - { - "challenges": { - "dns": { - "ttl": 310000000000 - } - }, - "module": "zerossl" } ] } diff --git a/caddytest/integration/caddyfile_adapt/tls_explicit_issuer_dns_ttl.caddyfiletest b/caddytest/integration/caddyfile_adapt/tls_explicit_issuer_dns_ttl.caddyfiletest index 53629e3a1..d552599ff 100644 --- a/caddytest/integration/caddyfile_adapt/tls_explicit_issuer_dns_ttl.caddyfiletest +++ b/caddytest/integration/caddyfile_adapt/tls_explicit_issuer_dns_ttl.caddyfiletest @@ -5,7 +5,7 @@ tls { issuer acme { dns_ttl 5m10s } - issuer zerossl { + issuer zerossl api_key { dns_ttl 10m20s } } @@ -65,10 +65,9 @@ tls { "module": "acme" }, { - "challenges": { - "dns": { - "ttl": 620000000000 - } + "api_key": "api_key", + "cname_validation": { + "ttl": 620000000000 }, "module": "zerossl" } diff --git a/caddytest/integration/caddyfile_adapt/tls_explicit_issuer_propagation_options.caddyfiletest b/caddytest/integration/caddyfile_adapt/tls_explicit_issuer_propagation_options.caddyfiletest index 032f9284f..206d59ca5 100644 --- a/caddytest/integration/caddyfile_adapt/tls_explicit_issuer_propagation_options.caddyfiletest +++ b/caddytest/integration/caddyfile_adapt/tls_explicit_issuer_propagation_options.caddyfiletest @@ -6,7 +6,7 @@ tls { propagation_delay 5m10s propagation_timeout 10m20s } - issuer zerossl { + issuer zerossl api_key { propagation_delay 5m30s propagation_timeout -1 } 
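Review bot: The `issuer zerossl api_key {` form in tls_explicit_issuer_dns_ttl adapts to a literal `"api_key": "api_key"` in the expected JSON, so the ZeroSSL API key ends up in plaintext in the adapted configuration and anywhere that configuration is surfaced (adapt output, config dumps). The fixture could instead exercise the placeholder form, `issuer zerossl {env.ZEROSSL_API_KEY} {`, which is how the directive should be documented for production use; the adapter presumably passes the token through as `"api_key": "{env.ZEROSSL_API_KEY}"` for runtime resolution, and a fixture would confirm that. Note also that `dns_ttl` now maps to `cname_validation.ttl` rather than an ACME `challenges.dns` block, a semantic change (ZeroSSL API CNAME validation instead of dns-01) that the `issuer zerossl` docs should call out.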
@@ -68,11 +68,10 @@ tls { "module": "acme" }, { - "challenges": { - "dns": { - "propagation_delay": 330000000000, - "propagation_timeout": -1 - } + "api_key": "api_key", + "cname_validation": { + "propagation_delay": 330000000000, + "propagation_timeout": -1 }, "module": "zerossl" } diff --git a/caddytest/integration/caddyfile_adapt/tls_propagation_options.caddyfiletest b/caddytest/integration/caddyfile_adapt/tls_propagation_options.caddyfiletest index ee4666b66..43ec9774b 100644 --- a/caddytest/integration/caddyfile_adapt/tls_propagation_options.caddyfiletest +++ b/caddytest/integration/caddyfile_adapt/tls_propagation_options.caddyfiletest @@ -60,15 +60,6 @@ tls { } }, "module": "acme" - }, - { - "challenges": { - "dns": { - "propagation_delay": 310000000000, - "propagation_timeout": 620000000000 - } - }, - "module": "zerossl" } ] } -- cgit v1.2.3
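Review bot: The `propagation_timeout -1` sentinel is now emitted under `cname_validation` instead of the ACME `challenges.dns` block, so its meaning (presumably "skip the propagation wait", as for the ACME DNS challenge) now depends on the ZeroSSL API validation path honoring the same convention, which this diff does not show. The `issuer zerossl` subdirective docs should state that `propagation_delay` and `propagation_timeout` apply to CNAME validation and whether `-1` still disables the check; since the expectation is JSON, the doc rather than a fixture comment is the place for it. The fixture's Caddyfile input section is outside this hunk.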