2021-06-08 15:10:37 -05:00
|
|
|
{
|
|
|
|
preferred_chains smallest
|
|
|
|
}
|
|
|
|
|
httpcaddyfile: Don't put localhost in public APs (fix #4220)
If an email is specified in global options, a site called 'localhost' shouldn't be bunched together with public DNS names in the automation policies, which get the default, public-CA issuers. Fix old test that did this.
I also noticed that these two:
localhost {
}
example.com {
}
and
localhost, example.com {
}
produce slightly different TLS automation policies. The former is what the new test case covers, and we have logic that removes the empty automation policy for localhost so that auto-HTTPS can implicitly create one. (We prefer that whenever possible.) But the latter case produces two automation policies, with the second one being for localhost, with an explicit internal issuer. It's not wrong, just more explicit than it needs to be.
I'd really like to completely rewrite the code from scratch that generates automation policies, hopefully there is a simpler, more correct algorithm.
2021-06-25 12:28:32 -05:00
|
|
|
example.com
|
2021-06-08 15:10:37 -05:00
|
|
|
----------
|
|
|
|
{
|
|
|
|
"apps": {
|
|
|
|
"http": {
|
|
|
|
"servers": {
|
|
|
|
"srv0": {
|
|
|
|
"listen": [
|
|
|
|
":443"
|
|
|
|
],
|
|
|
|
"routes": [
|
|
|
|
{
|
|
|
|
"match": [
|
|
|
|
{
|
|
|
|
"host": [
|
httpcaddyfile: Don't put localhost in public APs (fix #4220)
If an email is specified in global options, a site called 'localhost' shouldn't be bunched together with public DNS names in the automation policies, which get the default, public-CA issuers. Fix old test that did this.
I also noticed that these two:
localhost {
}
example.com {
}
and
localhost, example.com {
}
produce slightly different TLS automation policies. The former is what the new test case covers, and we have logic that removes the empty automation policy for localhost so that auto-HTTPS can implicitly create one. (We prefer that whenever possible.) But the latter case produces two automation policies, with the second one being for localhost, with an explicit internal issuer. It's not wrong, just more explicit than it needs to be.
I'd really like to completely rewrite the code from scratch that generates automation policies, hopefully there is a simpler, more correct algorithm.
2021-06-25 12:28:32 -05:00
|
|
|
"example.com"
|
2021-06-08 15:10:37 -05:00
|
|
|
]
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"terminal": true
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
},
|
|
|
|
"tls": {
|
|
|
|
"automation": {
|
|
|
|
"policies": [
|
|
|
|
{
|
|
|
|
"subjects": [
|
httpcaddyfile: Don't put localhost in public APs (fix #4220)
If an email is specified in global options, a site called 'localhost' shouldn't be bunched together with public DNS names in the automation policies, which get the default, public-CA issuers. Fix old test that did this.
I also noticed that these two:
localhost {
}
example.com {
}
and
localhost, example.com {
}
produce slightly different TLS automation policies. The former is what the new test case covers, and we have logic that removes the empty automation policy for localhost so that auto-HTTPS can implicitly create one. (We prefer that whenever possible.) But the latter case produces two automation policies, with the second one being for localhost, with an explicit internal issuer. It's not wrong, just more explicit than it needs to be.
I'd really like to completely rewrite the code from scratch that generates automation policies, hopefully there is a simpler, more correct algorithm.
2021-06-25 12:28:32 -05:00
|
|
|
"example.com"
|
2021-06-08 15:10:37 -05:00
|
|
|
],
|
|
|
|
"issuers": [
|
|
|
|
{
|
|
|
|
"module": "acme",
|
|
|
|
"preferred_chains": {
|
|
|
|
"smallest": true
|
|
|
|
}
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"module": "zerossl",
|
|
|
|
"preferred_chains": {
|
|
|
|
"smallest": true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|