Add support for OCSP Must-Staple for Let's Encrypt certs (#1221)

* Fix Caddytls * Let the user decide * Address comments
2025-01-27 23:03:37 -05:00 · 2016-10-29 16:44:49 +02:00 · 2016-10-29 16:44:49 +02:00 · 53e117802f
commit 53e117802f
parent 23f89f30e9
4 changed files with 12 additions and 2 deletions
--- a/caddytls/client.go
+++ b/caddytls/client.go
@ -197,7 +197,7 @@ Attempts:
 	for attempts := 0; attempts < 2; attempts++ {
 		namesObtaining.Add([]string{name})
 		acmeMu.Lock()
-		certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil)
+		certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil, c.config.MustStaple)
 		acmeMu.Unlock()
 		namesObtaining.Remove([]string{name})
 		if len(failures) > 0 {
@ -285,7 +285,7 @@ func (c *ACMEClient) Renew(name string) error {
 	for attempts := 0; attempts < 2; attempts++ {
 		namesObtaining.Add([]string{name})
 		acmeMu.Lock()
-		newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true)
+		newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true, c.config.MustStaple)
 		acmeMu.Unlock()
 		namesObtaining.Remove([]string{name})
 		if err == nil {
--- a/caddytls/config.go
+++ b/caddytls/config.go
@ -105,6 +105,9 @@ type Config struct {

 	// The state needed to operate on-demand TLS
 	OnDemandState OnDemandState
+
+	// Add the must staple TLS extension to the CSR generated by lego/acme
+	MustStaple bool
 }

 // OnDemandState contains some state relevant for providing
--- a/caddytls/setup.go
+++ b/caddytls/setup.go
@ -164,6 +164,8 @@ func setupTLS(c *caddy.Controller) error {
 					return c.Errf("Unsupported Storage provider '%s'", args[0])
 				}
 				config.StorageProvider = args[0]
+			case "muststaple":
+				config.MustStaple = true
 			default:
 				return c.Errf("Unknown keyword '%s'", c.Val())
 			}
--- a/caddytls/setup_test.go
+++ b/caddytls/setup_test.go
@ -103,6 +103,7 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
 	params := `tls ` + certFile + ` ` + keyFile + ` {
            protocols tls1.0 tls1.2
            ciphers RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
+            muststaple
        }`
 	cfg := new(Config)
 	RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
@ -124,6 +125,10 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
 	if len(cfg.Ciphers)-1 != 3 {
 		t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(cfg.Ciphers)-1)
 	}
+
+	if !cfg.MustStaple {
+		t.Errorf("Expected must staple to be true")
+	}
 }

 func TestSetupDefaultWithOptionalParams(t *testing.T) {