From e6f46c8d78b77d0aefe50750dfd6f6a18ba138e5 Mon Sep 17 00:00:00 2001 From: Ranveer Avhad <46259310+Ranveer777@users.noreply.github.com> Date: Tue, 28 May 2024 05:36:54 +0530 Subject: [PATCH] acmeserver: Add `sign_with_root` for Caddyfile (#6345) * Added sign_with_root option available in the Caddyfile * Added tests for sign_with_root to validate the adapted JSON config --- .../acme_server_sign_with_root.caddyfiletest | 67 +++++++++++++++++++ modules/caddypki/acmeserver/caddyfile.go | 6 ++ 2 files changed, 73 insertions(+) create mode 100644 caddytest/integration/caddyfile_adapt/acme_server_sign_with_root.caddyfiletest diff --git a/caddytest/integration/caddyfile_adapt/acme_server_sign_with_root.caddyfiletest b/caddytest/integration/caddyfile_adapt/acme_server_sign_with_root.caddyfiletest new file mode 100644 index 00000000..9880f282 --- /dev/null +++ b/caddytest/integration/caddyfile_adapt/acme_server_sign_with_root.caddyfiletest @@ -0,0 +1,67 @@ +{ + pki { + ca internal { + name "Internal" + root_cn "Internal Root Cert" + intermediate_cn "Internal Intermediate Cert" + } + } +} + +acme.example.com { + acme_server { + ca internal + sign_with_root + } +} +---------- +{ + "apps": { + "http": { + "servers": { + "srv0": { + "listen": [ + ":443" + ], + "routes": [ + { + "match": [ + { + "host": [ + "acme.example.com" + ] + } + ], + "handle": [ + { + "handler": "subroute", + "routes": [ + { + "handle": [ + { + "ca": "internal", + "handler": "acme_server", + "sign_with_root": true + } + ] + } + ] + } + ], + "terminal": true + } + ] + } + } + }, + "pki": { + "certificate_authorities": { + "internal": { + "name": "Internal", + "root_common_name": "Internal Root Cert", + "intermediate_common_name": "Internal Intermediate Cert" + } + } + } + } +} diff --git a/modules/caddypki/acmeserver/caddyfile.go b/modules/caddypki/acmeserver/caddyfile.go index 7eaaec49..c4d11112 100644 --- a/modules/caddypki/acmeserver/caddyfile.go +++ b/modules/caddypki/acmeserver/caddyfile.go @@ -42,6 +42,7 @@ func init() { // domains // ip_ranges // } +// sign_with_root // } func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error) { h.Next() // consume directive name @@ -136,6 +137,11 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error acmeServer.Policy = &Policy{} } acmeServer.Policy.Deny = r + case "sign_with_root": + if h.NextArg() { + return nil, h.ArgErr() + } + acmeServer.SignWithRoot = true default: return nil, h.Errf("unrecognized ACME server directive: %s", h.Val()) }