httpcaddyfile: Carry bind setting through to ACME issuer (fixes #3232)
parent
6a32daa225
commit
145aebbba5
1 changed files with 55 additions and 7 deletions
|
@ -100,15 +100,58 @@ func (st ServerType) buildTLSApp(
|
||||||
return nil, warnings, err
|
return nil, warnings, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
encoded := caddyconfig.JSONModuleObject(issuer, "module", issuer.(caddy.Module).CaddyModule().ID.Name(), &warnings)
|
if ap == catchAllAP && !reflect.DeepEqual(ap.Issuer, issuer) {
|
||||||
if ap == catchAllAP && ap.IssuerRaw != nil && !bytes.Equal(ap.IssuerRaw, encoded) {
|
return nil, warnings, fmt.Errorf("automation policy from site block is also default/catch-all policy because of key without hostname, and the two are in conflict: %#v != %#v", ap.Issuer, issuer)
|
||||||
return nil, warnings, fmt.Errorf("conflicting issuer configuration: %s != %s", ap.IssuerRaw, encoded)
|
|
||||||
}
|
}
|
||||||
ap.IssuerRaw = encoded
|
ap.Issuer = issuer
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// custom bind host
|
||||||
|
for _, cfgVal := range sblock.pile["bind"] {
|
||||||
|
// either an existing issuer is already configured (and thus, ap is not
|
||||||
|
// nil), or we need to configure an issuer, so we need ap to be non-nil
|
||||||
|
if ap == nil {
|
||||||
|
ap, err = newBaseAutomationPolicy(options, warnings, true)
|
||||||
|
if err != nil {
|
||||||
|
return nil, warnings, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// if an issuer was already configured and it is NOT an ACME
|
||||||
|
// issuer, skip, since we intend to adjust only ACME issuers
|
||||||
|
var acmeIssuer *caddytls.ACMEIssuer
|
||||||
|
if ap.Issuer != nil {
|
||||||
|
var ok bool
|
||||||
|
if acmeIssuer, ok = ap.Issuer.(*caddytls.ACMEIssuer); !ok {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// proceed to configure the ACME issuer's bind host, without
|
||||||
|
// overwriting any existing settings
|
||||||
|
if acmeIssuer == nil {
|
||||||
|
acmeIssuer = new(caddytls.ACMEIssuer)
|
||||||
|
}
|
||||||
|
if acmeIssuer.Challenges == nil {
|
||||||
|
acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
|
||||||
|
}
|
||||||
|
if acmeIssuer.Challenges.BindHost == "" {
|
||||||
|
// only binding to one host is supported
|
||||||
|
var bindHost string
|
||||||
|
if bindHosts, ok := cfgVal.Value.([]string); ok && len(bindHosts) > 0 {
|
||||||
|
bindHost = bindHosts[0]
|
||||||
|
}
|
||||||
|
acmeIssuer.Challenges.BindHost = bindHost
|
||||||
|
}
|
||||||
|
ap.Issuer = acmeIssuer // we'll encode it later
|
||||||
|
}
|
||||||
|
|
||||||
if ap != nil {
|
if ap != nil {
|
||||||
|
// encode issuer now that it's all set up
|
||||||
|
issuerName := ap.Issuer.(caddy.Module).CaddyModule().ID.Name()
|
||||||
|
ap.IssuerRaw = caddyconfig.JSONModuleObject(ap.Issuer, "module", issuerName, &warnings)
|
||||||
|
|
||||||
// first make sure this block is allowed to create an automation policy;
|
// first make sure this block is allowed to create an automation policy;
|
||||||
// doing so is forbidden if it has a key with no host (i.e. ":443")
|
// doing so is forbidden if it has a key with no host (i.e. ":443")
|
||||||
// and if there is a different server block that also has a key with no
|
// and if there is a different server block that also has a key with no
|
||||||
|
@ -222,6 +265,11 @@ func (st ServerType) buildTLSApp(
|
||||||
|
|
||||||
// if there is a global/catch-all automation policy, ensure it goes last
|
// if there is a global/catch-all automation policy, ensure it goes last
|
||||||
if catchAllAP != nil {
|
if catchAllAP != nil {
|
||||||
|
// first, encode its issuer
|
||||||
|
issuerName := catchAllAP.Issuer.(caddy.Module).CaddyModule().ID.Name()
|
||||||
|
catchAllAP.IssuerRaw = caddyconfig.JSONModuleObject(catchAllAP.Issuer, "module", issuerName, &warnings)
|
||||||
|
|
||||||
|
// then append it to the end of the policies list
|
||||||
if tlsApp.Automation == nil {
|
if tlsApp.Automation == nil {
|
||||||
tlsApp.Automation = new(caddytls.AutomationConfig)
|
tlsApp.Automation = new(caddytls.AutomationConfig)
|
||||||
}
|
}
|
||||||
|
@ -290,7 +338,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
|
||||||
|
|
||||||
if localCerts != nil {
|
if localCerts != nil {
|
||||||
// internal issuer enabled trumps any ACME configurations; useful in testing
|
// internal issuer enabled trumps any ACME configurations; useful in testing
|
||||||
ap.IssuerRaw = caddyconfig.JSONModuleObject(caddytls.InternalIssuer{}, "module", "internal", &warnings)
|
ap.Issuer = new(caddytls.InternalIssuer) // we'll encode it later
|
||||||
} else {
|
} else {
|
||||||
if acmeCA == nil {
|
if acmeCA == nil {
|
||||||
acmeCA = ""
|
acmeCA = ""
|
||||||
|
@ -298,7 +346,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
|
||||||
if email == nil {
|
if email == nil {
|
||||||
email = ""
|
email = ""
|
||||||
}
|
}
|
||||||
mgr := caddytls.ACMEIssuer{
|
mgr := &caddytls.ACMEIssuer{
|
||||||
CA: acmeCA.(string),
|
CA: acmeCA.(string),
|
||||||
Email: email.(string),
|
Email: email.(string),
|
||||||
}
|
}
|
||||||
|
@ -315,7 +363,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
|
||||||
if acmeCARoot != nil {
|
if acmeCARoot != nil {
|
||||||
mgr.TrustedRootsPEMFiles = []string{acmeCARoot.(string)}
|
mgr.TrustedRootsPEMFiles = []string{acmeCARoot.(string)}
|
||||||
}
|
}
|
||||||
ap.IssuerRaw = caddyconfig.JSONModuleObject(mgr, "module", "acme", &warnings)
|
ap.Issuer = mgr // we'll encode it later
|
||||||
}
|
}
|
||||||
|
|
||||||
return ap, nil
|
return ap, nil
|
||||||
|
|
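Review bot: The bind host is applied after the catch-all conflict check `if ap == catchAllAP && !reflect.DeepEqual(ap.Issuer, issuer)`, and when `ap` is the shared catch-all policy the loop's `ap.Issuer = acmeIssuer` mutates it in place, so a site block's `bind` becomes the ACME challenge bind host for every site served by the catch-all, and a second block with a different `bind` is dropped by the `BindHost == ""` guard without the conflict error ever firing (inferred from the visible pointer comparison; the policy construction earlier in buildTLSApp is outside the hunk). Separately, `bindHost = bindHosts[0]` discards extra hosts and further `bind` entries with no diagnostic even though `warnings` is at hand; consider `if len(bindHosts) > 1 { warnings = append(warnings, caddyconfig.Warning{Message: "only the first bind host is used for ACME challenges"}) }` and reporting a non-empty existing BindHost that differs from the requested one instead of silently keeping the first. The comment "skip" above `break` is also misleading, since `break` abandons the remaining bind entries rather than skipping one; `continue` or a reworded comment would match the intent. buildTLSApp starts and ends outside this hunk.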