caddyhttp: Use internal issuer for IPs when no APs configured

This fixes a regression in 2.8 where IP addresses
would be considered qualifying for public certs
by auto-HTTPS. The default issuers do not issue
IP certs at this time, so if no APs are explicitly
configured, we assign them to the internal
issuer. We have to add a couple lines of code because
CertMagic can no longer consider IPs as not
qualifying for public certs, since there are public CAs
that issue IP certs. This edge case is specific to Caddy's
auto-HTTPS.

Without this patch, Caddy will try using Let's Encrypt
or ZeroSSL's ACME endpoint to get IP certs, neither
of which support that.
This commit is contained in:
Matthew Holt 2024-10-04 10:23:30 -06:00
parent 2ae58ac13e
commit 88fd5f3491
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5

View file

@ -320,11 +320,21 @@ uniqueDomainsLoop:
} }
} }
// if no automation policy exists for the name yet, we // if no automation policy exists for the name yet, we will associate it with an implicit one;
// will associate it with an implicit one // we handle tailscale domains specially, and we also separate out identifiers that need the
// internal issuer (self-signed certs); certmagic does not consider public IP addresses to be
// disqualified for public certs, because there are public CAs that will issue certs for IPs.
// However, with auto-HTTPS, many times there is no issuer explicitly defined, and the default
// issuers do not (currently, as of 2024) issue IP certificates; so assign all IP subjects to
// the internal issuer when there are no explicit automation policies
shouldUseInternal := func(ident string) bool {
usingDefaultIssuersAndIsIP := certmagic.SubjectIsIP(ident) &&
(app.tlsApp == nil || app.tlsApp.Automation == nil || len(app.tlsApp.Automation.Policies) == 0)
return !certmagic.SubjectQualifiesForPublicCert(d) || usingDefaultIssuersAndIsIP
}
if isTailscaleDomain(d) { if isTailscaleDomain(d) {
tailscale = append(tailscale, d) tailscale = append(tailscale, d)
} else if !certmagic.SubjectQualifiesForPublicCert(d) { } else if shouldUseInternal(d) {
internal = append(internal, d) internal = append(internal, d)
} }
} }