The fix for 4822 is the change at the top of the file, and 4779's fix is toward the bottom of the file.
This commit is contained in:
parent
a9267791c4
commit
886ba84baa
2 changed files with 20 additions and 9 deletions
|
@ -350,7 +350,6 @@ func (st ServerType) buildTLSApp(
|
||||||
globalPreferredChains := options["preferred_chains"]
|
globalPreferredChains := options["preferred_chains"]
|
||||||
hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS != nil || globalACMEEAB != nil || globalPreferredChains != nil
|
hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS != nil || globalACMEEAB != nil || globalPreferredChains != nil
|
||||||
if hasGlobalACMEDefaults {
|
if hasGlobalACMEDefaults {
|
||||||
// for _, ap := range tlsApp.Automation.Policies {
|
|
||||||
for i := 0; i < len(tlsApp.Automation.Policies); i++ {
|
for i := 0; i < len(tlsApp.Automation.Policies); i++ {
|
||||||
ap := tlsApp.Automation.Policies[i]
|
ap := tlsApp.Automation.Policies[i]
|
||||||
if len(ap.Issuers) == 0 && automationPolicyHasAllPublicNames(ap) {
|
if len(ap.Issuers) == 0 && automationPolicyHasAllPublicNames(ap) {
|
||||||
|
|
|
@ -152,9 +152,7 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
|
||||||
return fmt.Errorf("%s: route %d, matcher set %d, matcher %d, host matcher %d: %v",
|
return fmt.Errorf("%s: route %d, matcher set %d, matcher %d, host matcher %d: %v",
|
||||||
srvName, routeIdx, matcherSetIdx, matcherIdx, hostMatcherIdx, err)
|
srvName, routeIdx, matcherSetIdx, matcherIdx, hostMatcherIdx, err)
|
||||||
}
|
}
|
||||||
// only include domain if it's not explicitly skipped and it's not a Tailscale domain
|
if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) {
|
||||||
// (the implicit Tailscale manager module will get those certs at run-time)
|
|
||||||
if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) && !isTailscaleDomain(d) {
|
|
||||||
serverDomainSet[d] = struct{}{}
|
serverDomainSet[d] = struct{}{}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -181,6 +179,11 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
|
||||||
app.logger.Warn("skipping automated certificate management for server because it is disabled", zap.String("server_name", srvName))
|
app.logger.Warn("skipping automated certificate management for server because it is disabled", zap.String("server_name", srvName))
|
||||||
} else {
|
} else {
|
||||||
for d := range serverDomainSet {
|
for d := range serverDomainSet {
|
||||||
|
// the implicit Tailscale manager module will get its own certs at run-time
|
||||||
|
if isTailscaleDomain(d) {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
if certmagic.SubjectQualifiesForCert(d) &&
|
if certmagic.SubjectQualifiesForCert(d) &&
|
||||||
!srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.SkipCerts) {
|
!srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.SkipCerts) {
|
||||||
// if a certificate for this name is already loaded,
|
// if a certificate for this name is already loaded,
|
||||||
|
@ -436,7 +439,7 @@ func (app *App) makeRedirRoute(redirToPort uint, matcherSet MatcherSet) Route {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// createAutomationPolicy ensures that automated certificates for this
|
// createAutomationPolicies ensures that automated certificates for this
|
||||||
// app are managed properly. This adds up to two automation policies:
|
// app are managed properly. This adds up to two automation policies:
|
||||||
// one for the public names, and one for the internal names. If a catch-all
|
// one for the public names, and one for the internal names. If a catch-all
|
||||||
// automation policy exists, it will be shallow-copied and used as the
|
// automation policy exists, it will be shallow-copied and used as the
|
||||||
|
@ -485,6 +488,12 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
ap.Managers = []certmagic.Manager{ts}
|
ap.Managers = []certmagic.Manager{ts}
|
||||||
|
|
||||||
|
// must reprovision the automation policy so that the underlying
|
||||||
|
// CertMagic config knows about the updated Managers
|
||||||
|
if err := ap.Provision(app.tlsApp); err != nil {
|
||||||
|
return fmt.Errorf("re-provisioning automation policy: %v", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// while we're here, is this the catch-all/base policy?
|
// while we're here, is this the catch-all/base policy?
|
||||||
|
@ -495,14 +504,17 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
|
||||||
}
|
}
|
||||||
|
|
||||||
if basePolicy == nil {
|
if basePolicy == nil {
|
||||||
// no base policy found, we will make one! (with implicit Tailscale integration)
|
// no base policy found; we will make one
|
||||||
|
basePolicy = new(caddytls.AutomationPolicy)
|
||||||
|
}
|
||||||
|
|
||||||
|
if basePolicy.Managers == nil {
|
||||||
|
// add implicit Tailscale integration, for harmless convenience
|
||||||
ts, err := implicitTailscale(ctx)
|
ts, err := implicitTailscale(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
basePolicy = &caddytls.AutomationPolicy{
|
basePolicy.Managers = []certmagic.Manager{ts}
|
||||||
Managers: []certmagic.Manager{ts},
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// if the basePolicy has an existing ACMEIssuer (particularly to
|
// if the basePolicy has an existing ACMEIssuer (particularly to
|
||||||
|
|
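Review bot: In the last hunk (@ -495,14 +504,17), when basePolicy was selected from an existing policy in the loop above (that loop and its selection condition are outside the hunk), `basePolicy.Managers = []certmagic.Manager{ts}` updates the policy struct but, unlike the earlier hunk (@ -485,6 +488,12) which reprovisions after setting Managers, does not re-provision it, so the underlying CertMagic config may not learn about the new manager. If that path is reachable for an already-provisioned policy, the same treatment seems warranted after the assignment: `if err := basePolicy.Provision(app.tlsApp); err != nil { return fmt.Errorf("re-provisioning base automation policy: %v", err) }`. For a policy freshly created with `new(caddytls.AutomationPolicy)` this is presumably provisioned later, so the call could be limited to the existing-policy case if that distinction is known at this point. createAutomationPolicies continues outside the hunk.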