1. 26 Feb, 2016 1 commit
      Implant version information with -ldflags with help of build script · da08c94a
      Matthew Holt authored
      Without -ldflags, the version information needs to be updated manually,
      which is never done between releases, so development builds appear
      indiscernible from stable builds using `caddy -version`.
      
      This is part of a set of changes intended to relieve the burden of
      always updating version information manually and distributing binaries
      that look stable but actually may not be.
      
      A stable build is defined as one which is produced at a git tag with
      a clean working directory (no uncommitted changes). A dev build is
      anything else. With this build script, `caddy -version` will now reveal
      whether it is a development build and, if so, the base version, the
      latest commit, the date and time of build, and the names of files with
      changes as well as how many changes were made.
      
      The output of `caddy -version` for stable builds remains the same.
  2. 25 Feb, 2016 3 commits
  3. 24 Feb, 2016 7 commits
  4. 23 Feb, 2016 2 commits
  5. 22 Feb, 2016 2 commits
  6. 20 Feb, 2016 3 commits
  7. 19 Feb, 2016 6 commits
  8. 18 Feb, 2016 1 commit
  9. 17 Feb, 2016 1 commit
  10. 16 Feb, 2016 1 commit
      Bug fixes and other improvements to TLS functions · 1cfd960f
      Matthew Holt authored
      Now attempt to staple OCSP even for certs that don't have an existing staple (issue #605). "tls off" short-circuits tls setup function. Now we call getEmail() when setting up an acme.Client that does renewals, rather than making a new account with empty email address. Check certificate expiry every 12 hours, and OCSP every hour.
  11. 15 Feb, 2016 1 commit
  12. 14 Feb, 2016 1 commit
  13. 12 Feb, 2016 2 commits
      Fix HTTPS config for empty/no Caddyfile · a11e14ac
      Matthew Holt authored
      This fixes a regression introduced in recent commits that enabled TLS on the default ":2015" config. This fix is possible because On-Demand TLS is no longer implicit; it must be explicitly enabled by the user by setting a maximum number of certificates to issue.
      Use rotating log files · dc63e501
      Jacob Hands authored
  14. 11 Feb, 2016 6 commits
      https: Only create ACMEClient if it's actually going to be used · 04c7c442
      Matthew Holt authored
      Otherwise it tries to create an account and stuff at first start, even without a Caddyfile or when serving localhost.
      Fix edge case related to reloaded configs and ACME challenge · 7bd2adf0
      Matthew Holt authored
      If Caddy is running but not listening on port 80, reloading Caddy with a new Caddyfile that needs to obtain a TLS cert from the CA would fail, because it was just assumed that, if reloading, port 80 was already in use. That is not always the case, so we scan the servers to see if one of them is listening on port 80, and we configure the ACME client accordingly. Kind of a hack... but it works.
      Additional mitigation for on-demand TLS · 1fe39e46
      Matthew Holt authored
      After 10 certificates are issued, no new certificate requests are allowed for 10 minutes after a successful issuance.
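      The throttle this commit describes, reconstructed as an added Go example (this is not Caddy's own code; the burst size and cooldown come from the message above, while resetting the counter once the cooldown has elapsed is an assumption):

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// issuanceLimiter reconstructs the mitigation in the commit message: once
// burstLimit certificates have been issued, on-demand requests are refused
// until cooldown has passed since the last successful issuance.
type issuanceLimiter struct {
	mu           sync.Mutex
	burstLimit   int
	cooldown     time.Duration
	issued       int
	lastIssuance time.Time
}

// Allow reports whether a new certificate request may proceed at time now.
func (l *issuanceLimiter) Allow(now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.issued < l.burstLimit {
		return true
	}
	if now.Sub(l.lastIssuance) >= l.cooldown {
		l.issued = 0 // assumption: a fresh burst is permitted after the cooldown
		return true
	}
	return false
}

// Issued records a successful issuance at time now (safe for concurrent handshakes).
func (l *issuanceLimiter) Issued(now time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.issued++
	l.lastIssuance = now
}

func main() {
	l := &issuanceLimiter{burstLimit: 10, cooldown: 10 * time.Minute}
	t0 := time.Date(2016, 2, 11, 12, 0, 0, 0, time.UTC) // constructed clock
	for i := 0; i < 10 && l.Allow(t0); i++ {
		l.Issued(t0)
	}
	fmt.Println(l.Allow(t0), l.Allow(t0.Add(10*time.Minute))) // false true
}
```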
      Merge branch 'master' into getcertificate · d25a3e95
      Matthew Holt authored
      Major refactor of all HTTPS/TLS/ACME code · 11103bd8
      Matthew Holt authored
      Biggest change is no longer using standard library's tls.Config.getCertificate function to get a certificate during TLS handshake. Implemented our own cache which can be changed dynamically at runtime, even during TLS handshakes. As such, restarts are no longer required after certificate renewals or OCSP updates.
      
      We also allow loading multiple certificates and keys per host, even by specifying a directory (tls got a new 'load' command for that).
      
      Renamed the letsencrypt package to https in a gradual effort to become more generic; and https is more fitting for what the package does now.
      
      There are still some known bugs, e.g. reloading where a new certificate is required but port 80 isn't currently listening, will cause the challenge to fail. There's still plenty of cleanup to do and tests to write. It is especially confusing right now how we enable "on-demand" TLS during setup and keep track of that. But this change should basically work so far.
  15. 10 Feb, 2016 3 commits