From 412dcc07d3201561302bc20b6200d893aee69657 Mon Sep 17 00:00:00 2001
From: Matt Holt
Date: Tue, 5 Jul 2022 18:12:25 -0600
Subject: [PATCH] caddytls: Reuse issuer between PreCheck and Issue (#4866)
This enables EAB reuse for ZeroSSLIssuer (which is now supported by ZeroSSL).
---
 modules/caddytls/acmeissuer.go | 19 +++++++++----------
 modules/caddytls/tls.go | 2 +-
 modules/caddytls/zerosslissuer.go | 4 ++--
 3 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 09b31bf1..9552d6f6 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -85,9 +85,11 @@ type ACMEIssuer struct {
 PreferredChains *ChainPreference `json:"preferred_chains,omitempty"`
 rootPool *x509.CertPool
- template certmagic.ACMEIssuer
- magic *certmagic.Config
 logger *zap.Logger
+
+ template certmagic.ACMEIssuer // set at Provision
+ magic *certmagic.Config // set at PreCheck
+ issuer *certmagic.ACMEIssuer // set at PreCheck; result of template + magic
 }
 // CaddyModule returns the Caddy module information.
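Review bot: The new field comments on `magic` and `issuer` say "set at PreCheck", but in this same commit both are assigned in SetConfig (`iss.magic = cfg` and `iss.issuer = certmagic.NewACMEIssuer(cfg, iss.template)`), so the comments send a reader to the wrong method. Suggest `magic *certmagic.Config // set at SetConfig` and `issuer *certmagic.ACMEIssuer // set at SetConfig; derived from template + magic`. Because `issuer` now lives for the lifetime of the config and carries ACME account state (the EAB the commit message mentions), it is worth adding to the field comment that it is shared by PreCheck, Issue, IssuerKey, Revoke and the HTTP challenge handler in tls.go, and that every one of them dereferences it without a nil check.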
@@ -217,30 +219,27 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEIssuer, error) {
 // the ConfigSetter interface.
 func (iss *ACMEIssuer) SetConfig(cfg *certmagic.Config) {
 iss.magic = cfg
+ iss.issuer = certmagic.NewACMEIssuer(cfg, iss.template)
 }
-// TODO: I kind of hate how each call to these methods needs to
-// make a new ACME manager to fill in defaults before using; can
-// we find the right place to do that just once and then re-use?
-
 // PreCheck implements the certmagic.PreChecker interface.
 func (iss *ACMEIssuer) PreCheck(ctx context.Context, names []string, interactive bool) error {
- return certmagic.NewACMEIssuer(iss.magic, iss.template).PreCheck(ctx, names, interactive)
+ return iss.issuer.PreCheck(ctx, names, interactive)
 }
 // Issue obtains a certificate for the given csr.
 func (iss *ACMEIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error) {
- return certmagic.NewACMEIssuer(iss.magic, iss.template).Issue(ctx, csr)
+ return iss.issuer.Issue(ctx, csr)
 }
 // IssuerKey returns the unique issuer key for the configured CA endpoint.
 func (iss *ACMEIssuer) IssuerKey() string {
- return certmagic.NewACMEIssuer(iss.magic, iss.template).IssuerKey()
+ return iss.issuer.IssuerKey()
 }
 // Revoke revokes the given certificate.
 func (iss *ACMEIssuer) Revoke(ctx context.Context, cert certmagic.CertificateResource, reason int) error {
- return certmagic.NewACMEIssuer(iss.magic, iss.template).Revoke(ctx, cert, reason)
+ return iss.issuer.Revoke(ctx, cert, reason)
 }
 // GetACMEIssuer returns iss. This is useful when other types embed ACMEIssuer, because
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 9fe30fe3..429b24c9 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
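Review bot: SetConfig rebuilds `iss.issuer` from `iss.template` on every call, while ZeroSSLIssuer.initialize() in the zerosslissuer.go hunk now installs `NewAccountFunc` on the derived `iss.ACMEIssuer.issuer` instead of on the template as it did before; if SetConfig is ever invoked after initialize() — the hunks do not show whether the caller guarantees the order — the EAB account callback is silently lost on the freshly derived issuer, which is exactly the state this commit is trying to keep. Keeping the callback on `iss.template` (or re-applying it inside SetConfig) would make the derivation order-independent; at minimum, the SetConfig doc comment should state that it must run once, before PreCheck, Issue, IssuerKey and Revoke here and before HandleHTTPChallenge in the tls.go hunk, since each of those now dereferences `iss.issuer` with no nil check and a missed SetConfig becomes a nil-pointer panic (in tls.go, inside the request handler). Note also that initialize() mutates the issuer under `iss.mu` whereas SetConfig writes the same pointer without it; worth confirming both only happen during provisioning rather than concurrently with issuance.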
@@ -336,7 +336,7 @@ func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool {
 for _, iss := range ap.magic.Issuers {
 if am, ok := iss.(acmeCapable); ok {
 iss := am.GetACMEIssuer()
- if certmagic.NewACMEIssuer(iss.magic, iss.template).HandleHTTPChallenge(w, r) {
+ if iss.issuer.HandleHTTPChallenge(w, r) {
 return true
 }
 }
diff --git a/modules/caddytls/zerosslissuer.go b/modules/caddytls/zerosslissuer.go
index a75063bc..a051ed47 100644
--- a/modules/caddytls/zerosslissuer.go
+++ b/modules/caddytls/zerosslissuer.go
@@ -162,8 +162,8 @@ func (iss *ZeroSSLIssuer) generateEABCredentials(ctx context.Context, acct acme.
 func (iss *ZeroSSLIssuer) initialize() {
 iss.mu.Lock()
 defer iss.mu.Unlock()
- if iss.template.NewAccountFunc == nil {
- iss.template.NewAccountFunc = iss.newAccountCallback
+ if iss.ACMEIssuer.issuer.NewAccountFunc == nil {
+ iss.ACMEIssuer.issuer.NewAccountFunc = iss.newAccountCallback
 }
 }