tls: Update to match CertMagic refactor (#2571)
* Update to match CertMagic's refactoring * mod: CertMagic v0.5.0
This commit is contained in:
parent
fd6e4516dc
commit
917d9bc9da
8 changed files with 60 additions and 21 deletions
|
@ -45,11 +45,11 @@ import (
|
|||
func init() {
|
||||
caddy.TrapSignals()
|
||||
|
||||
flag.BoolVar(&certmagic.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
|
||||
flag.StringVar(&certmagic.CA, "ca", certmagic.CA, "URL to certificate authority's ACME server directory")
|
||||
flag.StringVar(&certmagic.DefaultServerName, "default-sni", certmagic.DefaultServerName, "If a ClientHello ServerName is empty, use this ServerName to choose a TLS certificate")
|
||||
flag.BoolVar(&certmagic.DisableHTTPChallenge, "disable-http-challenge", certmagic.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
|
||||
flag.BoolVar(&certmagic.DisableTLSALPNChallenge, "disable-tls-alpn-challenge", certmagic.DisableTLSALPNChallenge, "Disable the ACME TLS-ALPN challenge")
|
||||
flag.BoolVar(&certmagic.Default.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
|
||||
flag.StringVar(&certmagic.Default.CA, "ca", certmagic.Default.CA, "URL to certificate authority's ACME server directory")
|
||||
flag.StringVar(&certmagic.Default.DefaultServerName, "default-sni", certmagic.Default.DefaultServerName, "If a ClientHello ServerName is empty, use this ServerName to choose a TLS certificate")
|
||||
flag.BoolVar(&certmagic.Default.DisableHTTPChallenge, "disable-http-challenge", certmagic.Default.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
|
||||
flag.BoolVar(&certmagic.Default.DisableTLSALPNChallenge, "disable-tls-alpn-challenge", certmagic.Default.DisableTLSALPNChallenge, "Disable the ACME TLS-ALPN challenge")
|
||||
flag.StringVar(&disabledMetrics, "disabled-metrics", "", "Comma-separated list of telemetry metrics to disable")
|
||||
flag.StringVar(&conf, "conf", "", "Caddyfile to load (default \""+caddy.DefaultConfigFile+"\")")
|
||||
flag.StringVar(&cpu, "cpu", "100%", "CPU cap")
|
||||
|
@ -57,7 +57,7 @@ func init() {
|
|||
flag.StringVar(&envFile, "envfile", "", "Path to file with environment variables to load in KEY=VALUE format")
|
||||
flag.BoolVar(&fromJSON, "json-to-caddyfile", false, "From JSON stdin to Caddyfile stdout")
|
||||
flag.BoolVar(&plugins, "plugins", false, "List installed plugins")
|
||||
flag.StringVar(&certmagic.Email, "email", "", "Default ACME CA account email address")
|
||||
flag.StringVar(&certmagic.Default.Email, "email", "", "Default ACME CA account email address")
|
||||
flag.DurationVar(&certmagic.HTTPTimeout, "catimeout", certmagic.HTTPTimeout, "Default ACME CA HTTP timeout")
|
||||
flag.StringVar(&logfile, "log", "", "Process log file")
|
||||
flag.IntVar(&logRollMB, "log-roll-mb", 100, "Roll process log when it reaches this many megabytes (0 to disable rolling)")
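Review bot: The `-catimeout` flag on the line `flag.DurationVar(&certmagic.HTTPTimeout, "catimeout", certmagic.HTTPTimeout, ...)` is the only CertMagic setting in this file still bound to a package-level variable after the `-agree`, `-ca`, `-default-sni`, `-disable-*-challenge` and `-email` flags moved to fields of `certmagic.Default`. If CertMagic v0.5.0 also carries the timeout on `Config`, it should move with the rest so one template holds every ACME setting; if it is still package-wide, a comment such as `// HTTPTimeout remains a package-level setting in CertMagic, not a Config field` would stop the next reader from "fixing" it. The `-agree` and `-email` flags also pass literal `false`/`""` defaults where every other flag in these hunks passes the field's current value, so a value preset on `certmagic.Default` is overwritten at flag registration; `certmagic.Default.Agreed` and `certmagic.Default.Email` as defaults would keep the pattern uniform. `init` continues beyond the hunks.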
|
||||
|
|
|
@ -234,7 +234,7 @@ func (h *httpContext) MakeServers() ([]caddy.Server, error) {
|
|||
// trusted CA (obviously not a perfect heuristic)
|
||||
var looksLikeProductionCA bool
|
||||
for _, publicCAEndpoint := range caddytls.KnownACMECAs {
|
||||
if strings.Contains(certmagic.CA, publicCAEndpoint) {
|
||||
if strings.Contains(certmagic.Default.CA, publicCAEndpoint) {
|
||||
looksLikeProductionCA = true
|
||||
break
|
||||
}
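Review bot: The production-CA heuristic now reads only the global `certmagic.Default.CA`, but after this refactor `Default` is a template and each site's `Config.Manager` carries its own `certmagic.Config`; if a site can override the CA on its manager, a site pointed at a production endpoint while the default stays on staging (or the reverse) is misjudged here. Checking the CA of each config's Manager where one is available, falling back to `certmagic.Default.CA`, would keep the heuristic aligned with what is actually used. `strings.Contains` also matches any URL that merely embeds a known endpoint string, so comparing the parsed host would be more exact, though the comment above already concedes the heuristic is imperfect. `MakeServers` continues on both sides of the hunk.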
|
||||
|
|
|
@ -21,6 +21,7 @@ import (
|
|||
"io/ioutil"
|
||||
"os"
|
||||
"sync/atomic"
|
||||
"time"
|
||||
|
||||
"github.com/go-acme/lego/challenge/tlsalpn01"
|
||||
|
||||
|
@ -117,22 +118,48 @@ func NewConfig(inst *caddy.Instance) (*Config, error) {
|
|||
if err != nil {
|
||||
return nil, fmt.Errorf("constructing cluster plugin %s: %v", clusterPluginName, err)
|
||||
}
|
||||
certmagic.DefaultStorage = storage
|
||||
certmagic.Default.Storage = storage
|
||||
} else {
|
||||
return nil, fmt.Errorf("unrecognized cluster plugin (was it included in the Caddy build?): %s", clusterPluginName)
|
||||
}
|
||||
}
|
||||
certCache = certmagic.NewCache(certmagic.DefaultStorage)
|
||||
certCache = certmagic.NewCache(certmagic.CacheOptions{
|
||||
GetConfigForCert: func(cert certmagic.Certificate) (certmagic.Config, error) {
|
||||
inst.StorageMu.Lock()
|
||||
cfgMap, ok := inst.Storage[configMapKey].(map[string]*Config)
|
||||
inst.StorageMu.Unlock()
|
||||
if ok {
|
||||
for hostname, cfg := range cfgMap {
|
||||
if cfg.Manager != nil && hostname == cert.Names[0] {
|
||||
return *cfg.Manager, nil
|
||||
}
|
||||
}
|
||||
}
|
||||
// returning Default not strictly necessary, since Default is used as template
|
||||
// anyway; but this makes it clear that that's what we fall back to
|
||||
return certmagic.Default, nil
|
||||
},
|
||||
})
|
||||
storageCleaningTicker := time.NewTicker(12 * time.Hour)
|
||||
go func() {
|
||||
for range storageCleaningTicker.C {
|
||||
certmagic.CleanStorage(certmagic.Default.Storage, certmagic.CleanStorageOptions{
|
||||
OCSPStaples: true,
|
||||
})
|
||||
}
|
||||
}()
|
||||
inst.OnShutdown = append(inst.OnShutdown, func() error {
|
||||
certCache.Stop()
|
||||
storageCleaningTicker.Stop()
|
||||
return nil
|
||||
})
|
||||
|
||||
inst.StorageMu.Lock()
|
||||
inst.Storage[CertCacheInstStorageKey] = certCache
|
||||
inst.StorageMu.Unlock()
|
||||
}
|
||||
return &Config{
|
||||
Manager: certmagic.NewWithCache(certCache, certmagic.Config{}),
|
||||
Manager: certmagic.New(certCache, certmagic.Config{}),
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
@ -418,7 +445,6 @@ func SetDefaultTLSParams(config *Config) {
|
|||
var supportedKeyTypes = map[string]certcrypto.KeyType{
|
||||
"P384": certcrypto.EC384,
|
||||
"P256": certcrypto.EC256,
|
||||
"RSA8192": certcrypto.RSA8192,
|
||||
"RSA4096": certcrypto.RSA4096,
|
||||
"RSA2048": certcrypto.RSA2048,
|
||||
}
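Review bot: In the `NewConfig` hunk, `GetConfigForCert` indexes `cert.Names[0]` without checking that the certificate has any names, so a certificate with an empty SAN list panics inside CertMagic's callback rather than falling back to `Default`; it also matches only the first name, so a certificate stored under a hostname that is its second or later SAN is managed with the default template instead of the site's manager. The same hunk starts a 12-hour cleaning goroutine with `for range storageCleaningTicker.C`, and `Ticker.Stop` never closes that channel, so after the shutdown hook runs the goroutine blocks forever and one accumulates per instance restart. The rewrite below looks each of the certificate's names up in `cfgMap` directly (the map is keyed by hostname, so this is the same comparison) and gives the cleaner a `done` channel closed from the shutdown hook. `NewConfig` starts outside the hunk.
```go
	certCache = certmagic.NewCache(certmagic.CacheOptions{
		GetConfigForCert: func(cert certmagic.Certificate) (certmagic.Config, error) {
			inst.StorageMu.Lock()
			cfgMap, ok := inst.Storage[configMapKey].(map[string]*Config)
			inst.StorageMu.Unlock()
			if ok {
				// match on any SAN, not only the first; a certificate
				// with no names must never index Names[0]
				for _, name := range cert.Names {
					if cfg, found := cfgMap[name]; found && cfg.Manager != nil {
						return *cfg.Manager, nil
					}
				}
			}
			// … unchanged: fall back to certmagic.Default …
		},
	})
	storageCleaningTicker := time.NewTicker(12 * time.Hour)
	cleaningDone := make(chan struct{})
	go func() {
		for {
			select {
			case <-cleaningDone:
				// Ticker.Stop does not close C; this is the only exit
				return
			case <-storageCleaningTicker.C:
				certmagic.CleanStorage(certmagic.Default.Storage, certmagic.CleanStorageOptions{
					OCSPStaples: true,
				})
			}
		}
	}()
	inst.OnShutdown = append(inst.OnShutdown, func() error {
		certCache.Stop()
		storageCleaningTicker.Stop()
		close(cleaningDone)
		return nil
	})
	// … unchanged: store certCache in inst.Storage, return &Config …
```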
|
||||
|
|
|
@ -42,7 +42,7 @@ type configGroup map[string]*Config
|
|||
func (cg configGroup) getConfig(hello *tls.ClientHelloInfo) *Config {
|
||||
name := certmagic.NormalizedName(hello.ServerName)
|
||||
if name == "" {
|
||||
name = certmagic.NormalizedName(certmagic.DefaultServerName)
|
||||
name = certmagic.NormalizedName(certmagic.Default.DefaultServerName)
|
||||
}
|
||||
|
||||
// if SNI is empty, prefer matching IP address (it is
|
||||
|
|
|
@ -63,7 +63,7 @@ func setupTLS(c *caddy.Controller) error {
|
|||
if err != nil {
|
||||
return fmt.Errorf("constructing cluster plugin %s: %v", clusterPluginName, err)
|
||||
}
|
||||
certmagic.DefaultStorage = storage
|
||||
certmagic.Default.Storage = storage
|
||||
} else {
|
||||
return fmt.Errorf("unrecognized cluster plugin (was it included in the Caddy build?): %s", clusterPluginName)
|
||||
}
|
||||
|
@ -363,6 +363,14 @@ func setupTLS(c *caddy.Controller) error {
|
|||
telemetry.Increment("tls_self_signed_count")
|
||||
}
|
||||
|
||||
// store this as a custom config
|
||||
cfgMap, ok := c.Get(configMapKey).(map[string]*Config)
|
||||
if !ok || cfgMap == nil {
|
||||
cfgMap = make(map[string]*Config)
|
||||
}
|
||||
cfgMap[config.Hostname] = config
|
||||
c.Set(configMapKey, cfgMap)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -449,3 +457,5 @@ func loadCertsInDir(cfg *Config, c *caddy.Controller, dir string) error {
|
|||
func constructDefaultClusterPlugin() (certmagic.Storage, error) {
|
||||
return &certmagic.FileStorage{Path: caddy.AssetsPath()}, nil
|
||||
}
|
||||
|
||||
const configMapKey = "tls_custom_configs"
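Review bot: `cfgMap[config.Hostname] = config` in the `setupTLS` hunk silently overwrites an earlier entry when two site blocks share a hostname (for example the same host on two ports), so the manager later handed back by `GetConfigForCert` for that certificate is whichever block was parsed last, with no indication that the other block's CA, storage or key-type settings were dropped. At minimum a comment such as `// last site block parsed wins for a shared hostname; its Manager is used for renewal` should record that, and a check that an existing entry's Manager agrees with the new one would turn a silent mismatch into a setup error. The key is also the raw `config.Hostname`, whereas the handshake lookup normalizes names; if `Hostname` can carry mixed case or a port, storing `certmagic.NormalizedName(config.Hostname)` would align the key with what the certificate's names will contain. `setupTLS` starts outside the hunk.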
|
||||
|
|
|
@ -53,8 +53,8 @@ func TestSetupParseBasic(t *testing.T) {
|
|||
}
|
||||
defer os.RemoveAll(tmpdir)
|
||||
|
||||
certCache := certmagic.NewCache(&certmagic.FileStorage{Path: tmpdir})
|
||||
cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
|
||||
certmagic.Default.Storage = &certmagic.FileStorage{Path: tmpdir}
|
||||
cfg := &Config{Manager: certmagic.NewDefault()}
|
||||
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
|
||||
c := caddy.NewTestController("", `tls `+certFile+` `+keyFile+``)
|
||||
|
||||
|
@ -139,8 +139,8 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
|
|||
}
|
||||
defer os.RemoveAll(tmpdir)
|
||||
|
||||
certCache := certmagic.NewCache(&certmagic.FileStorage{Path: tmpdir})
|
||||
cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
|
||||
certmagic.Default.Storage = &certmagic.FileStorage{Path: tmpdir}
|
||||
cfg := &Config{Manager: certmagic.NewDefault()}
|
||||
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
|
||||
c := caddy.NewTestController("", params)
|
||||
|
||||
|
@ -276,8 +276,7 @@ func TestSetupParseWithClientAuth(t *testing.T) {
|
|||
clients verify_if_given
|
||||
}`, tls.VerifyClientCertIfGiven, true, noCAs},
|
||||
} {
|
||||
certCache := certmagic.NewCache(certmagic.DefaultStorage)
|
||||
cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
|
||||
cfg := &Config{Manager: certmagic.NewDefault()}
|
||||
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
|
||||
c := caddy.NewTestController("", caseData.params)
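Review bot: `certmagic.Default.Storage = &certmagic.FileStorage{Path: tmpdir}` in `TestSetupParseBasic` and `TestSetupParseWithOptionalParams` mutates package-level state that is never restored, while `defer os.RemoveAll(tmpdir)` deletes the directory it points at; `TestSetupParseWithClientAuth` then calls `certmagic.NewDefault()` without setting a storage, so it inherits a path into a removed directory and its outcome depends on test order. Restoring the previous value next to the temp-dir cleanup, `defer func(prev certmagic.Storage) { certmagic.Default.Storage = prev }(certmagic.Default.Storage)`, keeps each test self-contained. The same applies to the second hunk of this file.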
|
||||
|
||||
|
|
4
go.mod
4
go.mod
|
@ -7,7 +7,7 @@ require (
|
|||
github.com/caddyserver/builds v0.0.0-20170910200810-c62e2219460a
|
||||
github.com/dustin/go-humanize v1.0.0
|
||||
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568
|
||||
github.com/go-acme/lego v2.4.0+incompatible
|
||||
github.com/go-acme/lego v2.5.0+incompatible
|
||||
github.com/google/uuid v1.1.1
|
||||
github.com/gorilla/websocket v1.4.0
|
||||
github.com/hashicorp/go-syslog v1.0.0
|
||||
|
@ -15,7 +15,7 @@ require (
|
|||
github.com/klauspost/cpuid v1.2.0
|
||||
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 // indirect
|
||||
github.com/lucas-clemente/quic-go v0.10.2
|
||||
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234
|
||||
github.com/mholt/certmagic v0.5.0
|
||||
github.com/naoina/go-stringutil v0.1.0 // indirect
|
||||
github.com/naoina/toml v0.1.1
|
||||
github.com/russross/blackfriday v0.0.0-20170610170232-067529f716f4
|
||||
|
|
4
go.sum
4
go.sum
|
@ -19,6 +19,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
|
|||
github.com/go-acme/lego v2.3.1-0.20190318164254-3684cc738d37+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
|
||||
github.com/go-acme/lego v2.4.0+incompatible h1:+BTLUfLtDc5qQauyiTCXH6lupEUOCvXyGlEjdeU0YQI=
|
||||
github.com/go-acme/lego v2.4.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
|
||||
github.com/go-acme/lego v2.5.0+incompatible h1:5fNN9yRQfv8ymH3DSsxla+4aYeQt2IgfZqHKVnK8f0s=
|
||||
github.com/go-acme/lego v2.5.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
|
||||
github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
|
||||
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
|
||||
github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
|
||||
|
@ -49,6 +51,8 @@ github.com/lucas-clemente/quic-go-certificates v0.0.0-20160823095156-d2f86524cce
|
|||
github.com/marten-seemann/qtls v0.2.3/go.mod h1:xzjG7avBwGGbdZ8dTGxlBnLArsVKLvwmjgmPuiQEcYk=
|
||||
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234 h1:6biVHmhBIOQCzdOClOJ97D/Ip9oH8TgFftq2bj/93YI=
|
||||
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234/go.mod h1:KvmxBmeVqj88J9Z9us/x04Yp/YYfMtmGkhQFWewFe6U=
|
||||
github.com/mholt/certmagic v0.5.0 h1:lYXxsLUFya/I3BgDCrfuwcMQOB+4auzI8CCzpK41tjc=
|
||||
github.com/mholt/certmagic v0.5.0/go.mod h1:g4cOPxcjV0oFq3qwpjSA30LReKD8AoIfwAY9VvG35NY=
|
||||
github.com/miekg/dns v1.1.3 h1:1g0r1IvskvgL8rR+AcHzUA+oFmGcQlaIm4IqakufeMM=
|
||||
github.com/miekg/dns v1.1.3/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
|
||||
github.com/naoina/go-stringutil v0.1.0 h1:rCUeRUHjBjGTSHl0VC00jUPLz8/F9dDzYI70Hzifhks=
|
||||
|
|