Commit 45939820 authored by Matthew Holt's avatar Matthew Holt

letsencrypt: Major refactor of Activate(), fixes #474 and closes #397

Makes restarts cleaner and improves configuration usability related to the tls directive
parent 94100a7b
...@@ -131,14 +131,13 @@ func getCertsForNewCaddyfile(newCaddyfile Input) error { ...@@ -131,14 +131,13 @@ func getCertsForNewCaddyfile(newCaddyfile Input) error {
return errors.New("loading Caddyfile: " + err.Error()) return errors.New("loading Caddyfile: " + err.Error())
} }
// TODO: Yuck, this is hacky. port 443 not set until letsencrypt is activated, so we change it here. // first mark the configs that are qualified for managed TLS
for i := range configs { letsencrypt.MarkQualified(configs)
if configs[i].Port == "" && letsencrypt.ConfigQualifies(configs, i) {
configs[i].Port = "443" // we must make sure port is set before we group by bind address
} letsencrypt.EnableTLS(configs)
}
// only get certs for configs that bind to an address we're already listening on // we only need to issue certs for hosts where we already have an active listener
groupings, err := arrangeBindings(configs) groupings, err := arrangeBindings(configs)
if err != nil { if err != nil {
return errors.New("arranging bindings: " + err.Error()) return errors.New("arranging bindings: " + err.Error())
...@@ -156,8 +155,8 @@ GroupLoop: ...@@ -156,8 +155,8 @@ GroupLoop:
} }
serversMu.Unlock() serversMu.Unlock()
// obtain certs for eligible configs; letsencrypt pkg will filter out the rest. // place certs on the disk
configs, err = letsencrypt.ObtainCertsAndConfigure(configsToSetup, letsencrypt.AlternatePort) err = letsencrypt.ObtainCerts(configsToSetup, letsencrypt.AlternatePort)
if err != nil { if err != nil {
return errors.New("obtaining certs: " + err.Error()) return errors.New("obtaining certs: " + err.Error())
} }
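Review bot: The three calls `letsencrypt.MarkQualified(configs)`, `letsencrypt.EnableTLS(configs)` and `arrangeBindings(configs)` in the first hunk form an ordering invariant that the split comments only imply: the `Managed` field's comment says it is set when a config qualifies, so EnableTLS presumably acts on what MarkQualified marked, and the port it fills in must exist before arrangeBindings groups by bind address. A single comment stating the dependency would stop a future reorder from silently grouping TLS sites under the plaintext port, e.g. `// order matters: MarkQualified sets TLS.Managed, EnableTLS then fills in the TLS port for managed configs, and arrangeBindings groups by host:port`. In the second hunk the result of ObtainCerts is no longer assigned back to `configs`; that is consistent with the in-place marking, but if any later code in this function relied on the old returned slice it should be re-checked. getCertsForNewCaddyfile starts before and continues after this section.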
...@@ -11,12 +11,12 @@ import ( ...@@ -11,12 +11,12 @@ import (
// TLS sets up the TLS configuration (but does not activate Let's Encrypt; that is handled elsewhere). // TLS sets up the TLS configuration (but does not activate Let's Encrypt; that is handled elsewhere).
func TLS(c *Controller) (middleware.Middleware, error) { func TLS(c *Controller) (middleware.Middleware, error) {
if c.Scheme == "http" { if c.Scheme == "http" && c.Port != "80" {
c.TLS.Enabled = false c.TLS.Enabled = false
log.Printf("[WARNING] TLS disabled for %s://%s. To force TLS over the plaintext HTTP port, "+ log.Printf("[WARNING] TLS disabled for %s://%s. To force TLS over the plaintext HTTP port, "+
"specify port 80 explicitly (https://%s:80).", c.Scheme, c.Address(), c.Host) "specify port 80 explicitly (https://%s:80).", c.Scheme, c.Address(), c.Host)
} else { } else {
c.TLS.Enabled = true // assume this for now c.TLS.Enabled = true
} }
for c.Next() { for c.Next() {
...@@ -32,13 +32,6 @@ func TLS(c *Controller) (middleware.Middleware, error) { ...@@ -32,13 +32,6 @@ func TLS(c *Controller) (middleware.Middleware, error) {
case 2: case 2:
c.TLS.Certificate = args[0] c.TLS.Certificate = args[0]
c.TLS.Key = args[1] c.TLS.Key = args[1]
// manual HTTPS configuration without port specified should be
// served on the HTTPS port; that is what user would expect, and
// makes it consistent with how the letsencrypt package works.
if c.Port == "" {
c.Port = "443"
}
} }
// Optional block with extra parameters // Optional block with extra parameters
...@@ -86,8 +79,9 @@ func TLS(c *Controller) (middleware.Middleware, error) { ...@@ -86,8 +79,9 @@ func TLS(c *Controller) (middleware.Middleware, error) {
return nil, nil return nil, nil
} }
// SetDefaultTLSParams sets the default TLS cipher suites, protocol versions and server preferences // SetDefaultTLSParams sets the default TLS cipher suites, protocol versions,
// of a server.Config if they were not previously set. // and server preferences of a server.Config if they were not previously set
// (it does not overwrite; only fills in missing values).
func SetDefaultTLSParams(c *server.Config) { func SetDefaultTLSParams(c *server.Config) {
// If no ciphers provided, use all that Caddy supports for the protocol // If no ciphers provided, use all that Caddy supports for the protocol
if len(c.TLS.Ciphers) == 0 { if len(c.TLS.Ciphers) == 0 {
...@@ -107,6 +101,11 @@ func SetDefaultTLSParams(c *server.Config) { ...@@ -107,6 +101,11 @@ func SetDefaultTLSParams(c *server.Config) {
// Prefer server cipher suites // Prefer server cipher suites
c.TLS.PreferServerCipherSuites = true c.TLS.PreferServerCipherSuites = true
// Default TLS port is 443; only use if port is not manually specified
if c.Port == "" {
c.Port = "443"
}
} }
// Map of supported protocols // Map of supported protocols
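Review bot: The new test `if c.Scheme == "http" && c.Port != "80" {` quietly enables TLS for an address written as `http://host:80` with a `tls` directive, while the warning on the next lines tells users that the opt-in for TLS on port 80 is `https://host:80`; an `https` scheme never entered this branch even before, so the added port clause only changes the `http://...:80` case, and the two messages now disagree about which spelling means "TLS on the plaintext port". Because this branch decides whether a site is served in plaintext, either restore `if c.Scheme == "http" {` or keep the exemption and make it explicit, e.g. `// an explicit :80 with the http scheme is treated as an opt-in to TLS on 80; a bare http:// address stays plaintext`, and adjust the warning text to match. I can't see whether the address parser ever pre-fills Port with "80" for a bare `http://` address; if it does, those sites would flip to TLS as well. The new default in SetDefaultTLSParams (`c.Port = "443"` when empty) is fine as long as it is only reached for configs with TLS enabled, which the function name suggests but this hunk cannot confirm; a sentence in its doc comment saying it must only be called for TLS-enabled configs would make that contract visible.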
...@@ -69,6 +69,7 @@ type TLSConfig struct { ...@@ -69,6 +69,7 @@ type TLSConfig struct {
Certificate string Certificate string
Key string Key string
LetsEncryptEmail string LetsEncryptEmail string
Managed bool // will be set to true if config qualifies for automatic, managed TLS
//DisableHTTPRedir bool // TODO: not a good idea - should we really allow it? //DisableHTTPRedir bool // TODO: not a good idea - should we really allow it?
OCSPStaple []byte OCSPStaple []byte
Ciphers []uint16 Ciphers []uint16
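Review bot: The comment on the added `Managed` field says when it becomes true but not who sets it, so a reader of this struct cannot tell whether it is user-configurable; from the `letsencrypt.MarkQualified(configs)` call in getCertsForNewCaddyfile it appears to be set by that function rather than by the Caddyfile parser. Suggested wording: `Managed bool // set by letsencrypt.MarkQualified when the config qualifies for automatic, managed TLS (not read from the Caddyfile)`, with the parenthetical confirmed against the parser. The TLSConfig declaration starts outside this hunk.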