From 95af4262a8adf12e0c5eb178d9e521903eb8b0e4 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Thu, 12 Nov 2020 15:02:35 -0700
Subject: [PATCH] caddytls: Support ACME alt cert chain preferences

---
 go.mod | 2 +-
 go.sum | 4 ++--
 modules/caddytls/acmeissuer.go | 6 ++++++
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 76e7a779..8a0d4f25 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 github.com/Masterminds/sprig/v3 v3.1.0
 github.com/alecthomas/chroma v0.8.0
 github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a
- github.com/caddyserver/certmagic v0.12.1-0.20201021150819-90d1550af48c
+ github.com/caddyserver/certmagic v0.12.1-0.20201112220015-12df2be5a021
 github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
 github.com/go-chi/chi v4.1.2+incompatible
 github.com/google/cel-go v0.5.1
diff --git a/go.sum b/go.sum
index a18b0928..294ecccc 100644
--- a/go.sum
+++ b/go.sum
@@ -85,8 +85,8 @@ github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTK
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
-github.com/caddyserver/certmagic v0.12.1-0.20201021150819-90d1550af48c h1:IvUz1LXmHL2y3UVGbzmnvz5/2CA1rvurJA/AL4reKKI=
-github.com/caddyserver/certmagic v0.12.1-0.20201021150819-90d1550af48c/go.mod h1:tr26xh+9fY5dN0J6IPAlMj07qpog22PJKa7Nw7j835U=
+github.com/caddyserver/certmagic v0.12.1-0.20201112220015-12df2be5a021 h1:VY4JahIicW/GT84KoIm+TSKwMHj08NyPJhsGypTWJn4=
+github.com/caddyserver/certmagic v0.12.1-0.20201112220015-12df2be5a021/go.mod h1:tr26xh+9fY5dN0J6IPAlMj07qpog22PJKa7Nw7j835U=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index b73b34ff..6466229d 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -74,6 +74,11 @@ type ACMEIssuer struct {
 // is internal or for development/testing purposes.
 TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"`
 
+ // List of preferred certificate chains, by issuer's CommonName. If empty,
+ // or if no matching chain is found, the first chain offered by the server
+ // will be used.
+ PreferredChains []string `json:"preferred_chains,omitempty"`
+
 rootPool *x509.CertPool
 template certmagic.ACMEManager
 magic *certmagic.Config
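Review bot: The doc comment on the new `PreferredChains` field in the `ACMEIssuer` hunk does not say which certificate's issuer CommonName is compared (the leaf's issuer or the top of the chain) nor whether the comparison is exact and case-sensitive; the matching lives in certmagic, outside this hunk, so an operator reading the struct cannot tell. I would have the comment name the certificate inspected and state that the match is exact, once confirmed against the certmagic revision pinned in go.mod, because "by issuer's CommonName" as written admits both readings. It is also worth adding that every alternate chain is one the same ACME CA offers for the same leaf, so this is a client-compatibility preference rather than a trust decision, and that a list with no match falls back silently to the first chain — a debug log naming the chain actually selected would let operators verify the preference took effect. The diffstat lists only go.mod, go.sum and acmeissuer.go, so the option appears to be JSON-only in this commit. The `ACMEIssuer` struct continues outside the hunk.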
@@ -149,6 +154,7 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
 CertObtainTimeout: time.Duration(iss.ACMETimeout),
 TrustedRoots: iss.rootPool,
 ExternalAccount: iss.ExternalAccount,
+ PreferredChains: iss.PreferredChains,
 Logger: iss.logger,
 }