diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index aa68adb4..4945a81a 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -369,31 +369,57 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 })
 }
 
+ // some tls subdirectives are shortcuts that implicitly configure issuers, and the
+ // user can also configure issuers explicitly using the issuer subdirective; the
+ // logic to support both would likely be complex, or at least unintuitive
 if len(issuers) > 0 && (acmeIssuer != nil || internalIssuer != nil) {
- // some tls subdirectives are shortcuts that implicitly configure issuers, and the
- // user can also configure issuers explicitly using the issuer subdirective; the
- // logic to support both would likely be complex, or at least unintuitive
 return nil, h.Err("cannot mix issuer subdirective (explicit issuers) with other issuer-specific subdirectives (implicit issuers)")
 }
- for _, issuer := range issuers {
- configVals = append(configVals, ConfigValue{
- Class: "tls.cert_issuer",
- Value: issuer,
- })
+ if acmeIssuer != nil && internalIssuer != nil {
+ return nil, h.Err("cannot create both ACME and internal certificate issuers")
 }
- if acmeIssuer != nil {
- configVals = append(configVals, ConfigValue{
- Class: "tls.cert_issuer",
- Value: disambiguateACMEIssuer(acmeIssuer),
- })
- }
- if internalIssuer != nil {
+
+ // now we should either have: explicitly-created issuers, or an implicitly-created
+ // ACME or internal issuer, or no issuers at all
+ switch {
+ case len(issuers) > 0:
+ for _, issuer := range issuers {
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: issuer,
+ })
+ }
+
+ case acmeIssuer != nil:
+ // implicit ACME issuers (from various subdirectives) - use defaults; there might be more than one
+ defaultIssuers := caddytls.DefaultIssuers()
+
+ // if a CA endpoint was set, override multiple implicit issuers since it's a specific one
+ if acmeIssuer.CA != "" {
+ defaultIssuers = []certmagic.Issuer{acmeIssuer}
+ }
+
+ for _, issuer := range defaultIssuers {
+ switch iss := issuer.(type) {
+ case *caddytls.ACMEIssuer:
+ issuer = acmeIssuer
+ case *caddytls.ZeroSSLIssuer:
+ iss.ACMEIssuer = acmeIssuer
+ }
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.cert_issuer",
+ Value: issuer,
+ })
+ }
+
+ case internalIssuer != nil:
 configVals = append(configVals, ConfigValue{
 Class: "tls.cert_issuer",
 Value: internalIssuer,
 })
 }
 
+ // certificate key type
 if keyType != "" {
 configVals = append(configVals, ConfigValue{
 Class: "tls.key_type",
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index dbf3cc71..d831d1b2 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -316,13 +316,15 @@ func (st ServerType) buildTLSApp(
 if hasGlobalACMEDefaults {
 for _, ap := range tlsApp.Automation.Policies {
 if len(ap.Issuers) == 0 {
- acme, zerosslACME := new(caddytls.ACMEIssuer), new(caddytls.ACMEIssuer)
- zerossl := &caddytls.ZeroSSLIssuer{ACMEIssuer: zerosslACME}
- ap.Issuers = []certmagic.Issuer{acme, zerossl} // TODO: keep this in sync with Caddy's other issuer defaults elsewhere, like in caddytls/automation.go (DefaultIssuers).
+ ap.Issuers = caddytls.DefaultIssuers()
 
- // if a non-ZeroSSL endpoint is specified, we assume we can't use the ZeroSSL issuer successfully
- if globalACMECA != nil && !strings.Contains(globalACMECA.(string), "zerossl") {
- ap.Issuers = []certmagic.Issuer{acme}
+ // if a specific endpoint is configured, can't use multiple default issuers
+ if globalACMECA != nil {
+ if strings.Contains(globalACMECA.(string), "zerossl") {
+ ap.Issuers = []certmagic.Issuer{&caddytls.ZeroSSLIssuer{ACMEIssuer: new(caddytls.ACMEIssuer)}}
+ } else {
+ ap.Issuers = []certmagic.Issuer{new(caddytls.ACMEIssuer)}
+ }
 }
 }
 }
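Review bot: The `if acmeIssuer.CA != ""` override in the `case acmeIssuer != nil` branch hands back a plain `*caddytls.ACMEIssuer` for every explicit endpoint, so a site-level `ca` naming the ZeroSSL directory without EAB no longer receives the `ZeroSSLIssuer` wrapper that the removed `disambiguateACMEIssuer` (deleted in tlsapp.go below) used to add, while the global-option path in tlsapp.go still wraps a `zerossl` CA. If that asymmetry is unintended, the override should keep the wrapper for that case, as sketched below. Separately, after the loop both default issuers hold the same `acmeIssuer` pointer (`issuer = acmeIssuer` and `iss.ACMEIssuer = acmeIssuer`), so any later per-issuer adjustment of CA, email or EAB on one entry would presumably show up on the other as well; if anything downstream edits those fields in place, the ZeroSSL entry should get its own copy. parseTLS starts and ends outside the hunk.
```go
	case acmeIssuer != nil:
		// … unchanged: defaultIssuers := caddytls.DefaultIssuers() …
		if acmeIssuer.CA != "" {
			defaultIssuers = []certmagic.Issuer{acmeIssuer}
			// an explicit ZeroSSL endpoint without EAB still needs the wrapper, matching
			// the global-option path in tlsapp.go (needs strings imported in this file)
			if strings.Contains(acmeIssuer.CA, "acme.zerossl.com") && acmeIssuer.ExternalAccount == nil {
				defaultIssuers = []certmagic.Issuer{&caddytls.ZeroSSLIssuer{ACMEIssuer: acmeIssuer}}
			}
		}
		// … unchanged: loop assigning acmeIssuer into each default issuer …
```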
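Review bot: The added `strings.Contains(globalACMECA.(string), "zerossl")` line keeps an unchecked type assertion on what appears to be an interface-typed option value, so a non-string value panics the adapter instead of yielding an error; prefer `ca, ok := globalACMECA.(string)` ahead of the branch and fall back to the plain ACME default (or return an error) when `!ok`. The substring test also matches any CA URL containing `zerossl`, not only the ZeroSSL ACME directory, so a comment such as `// heuristic: any CA URL mentioning zerossl is treated as the ZeroSSL directory` would help the next reader. buildTLSApp starts and ends outside the hunk.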
@@ -463,19 +465,6 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
 return ap, nil
 }
 
-// disambiguateACMEIssuer returns an issuer based on the properties of acmeIssuer.
-// If acmeIssuer implicitly configures a certain kind of ACMEIssuer (for example,
-// ZeroSSL), the proper wrapper over acmeIssuer will be returned instead.
-func disambiguateACMEIssuer(acmeIssuer *caddytls.ACMEIssuer) certmagic.Issuer {
- // as a special case, we integrate with ZeroSSL's ACME endpoint if it looks like an
- // implicit ZeroSSL configuration (this requires a wrapper type over ACMEIssuer
- // because of the EAB generation; if EAB is provided, we can use plain ACMEIssuer)
- if strings.Contains(acmeIssuer.CA, "acme.zerossl.com") && acmeIssuer.ExternalAccount == nil {
- return &caddytls.ZeroSSLIssuer{ACMEIssuer: acmeIssuer}
- }
- return acmeIssuer
-}
-
 // consolidateAutomationPolicies combines automation policies that are the same,
 // for a cleaner overall output.
 func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls.AutomationPolicy {
diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
index c1d4c087..5c83d8fd 100644
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@@ -444,7 +444,7 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
 // what the HTTP and HTTPS ports are)
 if ap.Issuers == nil {
 var err error
- ap.Issuers, err = caddytls.DefaultIssuers(ctx)
+ ap.Issuers, err = caddytls.DefaultIssuersProvisioned(ctx)
 if err != nil {
 return err
 }
@@ -499,7 +499,7 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
 // never overwrite any other issuer that might already be configured
 if basePolicy.Issuers == nil {
 var err error
- basePolicy.Issuers, err = caddytls.DefaultIssuers(ctx)
+ basePolicy.Issuers, err = caddytls.DefaultIssuersProvisioned(ctx)
 if err != nil {
 return err
 }
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index ed29e06a..bcc0a0c7 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -187,7 +187,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 issuers := ap.Issuers
 if len(issuers) == 0 {
 var err error
- issuers, err = DefaultIssuers(tlsApp.ctx)
+ issuers, err = DefaultIssuersProvisioned(tlsApp.ctx)
 if err != nil {
 return err
 }
@@ -242,21 +242,28 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 return nil
 }
 
-// DefaultIssuers returns empty but provisioned default Issuers.
+// DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults.
 // This function is experimental and has no compatibility promises.
-func DefaultIssuers(ctx caddy.Context) ([]certmagic.Issuer, error) {
- acme := new(ACMEIssuer)
- err := acme.Provision(ctx)
- if err != nil {
- return nil, err
+func DefaultIssuers() []certmagic.Issuer {
+ return []certmagic.Issuer{
+ new(ACMEIssuer),
+ &ZeroSSLIssuer{ACMEIssuer: new(ACMEIssuer)},
 }
- zerossl := new(ZeroSSLIssuer)
- err = zerossl.Provision(ctx)
- if err != nil {
- return nil, err
+}
+
+// DefaultIssuersProvisioned returns empty but provisioned default Issuers from
+// DefaultIssuers(). This function is experimental and has no compatibility promises.
+func DefaultIssuersProvisioned(ctx caddy.Context) ([]certmagic.Issuer, error) {
+ issuers := DefaultIssuers()
+ for i, iss := range issuers {
+ if prov, ok := iss.(caddy.Provisioner); ok {
+ err := prov.Provision(ctx)
+ if err != nil {
+ return nil, fmt.Errorf("provisioning default issuer %d: %T: %v", i, iss, err)
+ }
+ }
 }
- // TODO: eventually, insert ZeroSSL into first position in the slice -- see also httpcaddyfile/tlsapp.go for where similar defaults are configured
- return []certmagic.Issuer{acme, zerossl}, nil
+ return issuers, nil
 }
 
 // ChallengesConfig configures the ACME challenges.
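Review bot: The `fmt.Errorf("provisioning default issuer %d: %T: %v", i, iss, err)` line in DefaultIssuersProvisioned formats the underlying error with `%v`, which discards the error chain, so callers can no longer use `errors.Is`/`errors.As` against whatever Provision returned; use `%w` instead: `return nil, fmt.Errorf("provisioning default issuer %d (%T): %w", i, iss, err)`. The doc comment on DefaultIssuers would also benefit from stating that every call returns a fresh slice of newly allocated issuers, since the Caddyfile adapter in this commit now mutates the returned elements in place and relies on that. The first hunk in this file only renames the call and needs no change.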