From 145aebbba50e9ed5487ecc24b0e0ca384842ccc0 Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Mon, 6 Apr 2020 12:24:35 -0600 Subject: [PATCH] httpcaddyfile: Carry bind setting through to ACME issuer (fixes #3232) --- caddyconfig/httpcaddyfile/tlsapp.go | 62 +++++++++++++++++++++++++---- 1 file changed, 55 insertions(+), 7 deletions(-) diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index 6214d61d..1b7357cf 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -100,15 +100,58 @@ func (st ServerType) buildTLSApp( return nil, warnings, err } } - encoded := caddyconfig.JSONModuleObject(issuer, "module", issuer.(caddy.Module).CaddyModule().ID.Name(), &warnings) - if ap == catchAllAP && ap.IssuerRaw != nil && !bytes.Equal(ap.IssuerRaw, encoded) { - return nil, warnings, fmt.Errorf("conflicting issuer configuration: %s != %s", ap.IssuerRaw, encoded) + if ap == catchAllAP && !reflect.DeepEqual(ap.Issuer, issuer) { + return nil, warnings, fmt.Errorf("automation policy from site block is also default/catch-all policy because of key without hostname, and the two are in conflict: %#v != %#v", ap.Issuer, issuer) } - ap.IssuerRaw = encoded + ap.Issuer = issuer } } + // custom bind host + for _, cfgVal := range sblock.pile["bind"] { + // either an existing issuer is already configured (and thus, ap is not + // nil), or we need to configure an issuer, so we need ap to be non-nil + if ap == nil { + ap, err = newBaseAutomationPolicy(options, warnings, true) + if err != nil { + return nil, warnings, err + } + } + + // if an issuer was already configured and it is NOT an ACME + // issuer, skip, since we intend to adjust only ACME issuers + var acmeIssuer *caddytls.ACMEIssuer + if ap.Issuer != nil { + var ok bool + if acmeIssuer, ok = ap.Issuer.(*caddytls.ACMEIssuer); !ok { + break + } + } + + // proceed to configure the ACME issuer's bind host, without + // overwriting any existing settings + if acmeIssuer == nil { + acmeIssuer = new(caddytls.ACMEIssuer) + } + if acmeIssuer.Challenges == nil { + acmeIssuer.Challenges = new(caddytls.ChallengesConfig) + } + if acmeIssuer.Challenges.BindHost == "" { + // only binding to one host is supported + var bindHost string + if bindHosts, ok := cfgVal.Value.([]string); ok && len(bindHosts) > 0 { + bindHost = bindHosts[0] + } + acmeIssuer.Challenges.BindHost = bindHost + } + ap.Issuer = acmeIssuer // we'll encode it later + } + if ap != nil { + // encode issuer now that it's all set up + issuerName := ap.Issuer.(caddy.Module).CaddyModule().ID.Name() + ap.IssuerRaw = caddyconfig.JSONModuleObject(ap.Issuer, "module", issuerName, &warnings) + // first make sure this block is allowed to create an automation policy; // doing so is forbidden if it has a key with no host (i.e. ":443") // and if there is a different server block that also has a key with no @@ -222,6 +265,11 @@ func (st ServerType) buildTLSApp( // if there is a global/catch-all automation policy, ensure it goes last if catchAllAP != nil { + // first, encode its issuer + issuerName := catchAllAP.Issuer.(caddy.Module).CaddyModule().ID.Name() + catchAllAP.IssuerRaw = caddyconfig.JSONModuleObject(catchAllAP.Issuer, "module", issuerName, &warnings) + + // then append it to the end of the policies list if tlsApp.Automation == nil { tlsApp.Automation = new(caddytls.AutomationConfig) } @@ -290,7 +338,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon if localCerts != nil { // internal issuer enabled trumps any ACME configurations; useful in testing - ap.IssuerRaw = caddyconfig.JSONModuleObject(caddytls.InternalIssuer{}, "module", "internal", &warnings) + ap.Issuer = new(caddytls.InternalIssuer) // we'll encode it later } else { if acmeCA == nil { acmeCA = "" @@ -298,7 +346,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon if email == nil { email = "" } - mgr := caddytls.ACMEIssuer{ + mgr := &caddytls.ACMEIssuer{ CA: acmeCA.(string), Email: email.(string), } @@ -315,7 +363,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon if acmeCARoot != nil { mgr.TrustedRootsPEMFiles = []string{acmeCARoot.(string)} } - ap.IssuerRaw = caddyconfig.JSONModuleObject(mgr, "module", "acme", &warnings) + ap.Issuer = mgr // we'll encode it later } return ap, nil