diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go index 0b39c712..98e11641 100644 --- a/modules/caddytls/tls.go +++ b/modules/caddytls/tls.go @@ -479,6 +479,9 @@ type AutomationPolicy struct { // TODO: is this really necessary per-policy? why not a global setting... ManageSync bool `json:"manage_sync,omitempty"` + // Issuer stores the decoded issuer parameters. This is only + // used to populate an underlying certmagic.Config's Issuer + // field; it is not referenced thereafter. Issuer certmagic.Issuer `json:"-"` magic *certmagic.Config @@ -527,6 +530,14 @@ func (ap *AutomationPolicy) provision(tlsApp *TLS) error { } } + if ap.IssuerRaw != nil { + val, err := tlsApp.ctx.LoadModule(ap, "IssuerRaw") + if err != nil { + return fmt.Errorf("loading TLS automation management module: %s", err) + } + ap.Issuer = val.(certmagic.Issuer) + } + keySource := certmagic.StandardKeyGenerator{ KeyType: supportedCertKeyTypes[ap.KeyType], } @@ -542,17 +553,13 @@ func (ap *AutomationPolicy) provision(tlsApp *TLS) error { KeySource: keySource, OnDemand: ond, Storage: storage, + Issuer: ap.Issuer, // if nil, certmagic.New() will set default in returned Config + } + if rev, ok := ap.Issuer.(certmagic.Revoker); ok { + template.Revoker = rev } ap.magic = certmagic.New(tlsApp.certCache, template) - if ap.IssuerRaw != nil { - val, err := tlsApp.ctx.LoadModule(ap, "IssuerRaw") - if err != nil { - return fmt.Errorf("loading TLS automation management module: %s", err) - } - ap.Issuer = val.(certmagic.Issuer) - } - // sometimes issuers may need the parent certmagic.Config in // order to function properly (for example, ACMEIssuer needs // access to the correct storage and cache so it can solve @@ -562,11 +569,6 @@ func (ap *AutomationPolicy) provision(tlsApp *TLS) error { configger.SetConfig(ap.magic) } - ap.magic.Issuer = ap.Issuer - if rev, ok := ap.Issuer.(certmagic.Revoker); ok { - ap.magic.Revoker = rev - } - return nil }