Commit 917d9bc9 authored by Matt Holt's avatar Matt Holt Committed by GitHub

tls: Update to match CertMagic refactor (#2571)

* Update to match CertMagic's refactoring

* mod: CertMagic v0.5.0
parent fd6e4516
......@@ -45,11 +45,11 @@ import (
func init() {
caddy.TrapSignals()
flag.BoolVar(&certmagic.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
flag.StringVar(&certmagic.CA, "ca", certmagic.CA, "URL to certificate authority's ACME server directory")
flag.StringVar(&certmagic.DefaultServerName, "default-sni", certmagic.DefaultServerName, "If a ClientHello ServerName is empty, use this ServerName to choose a TLS certificate")
flag.BoolVar(&certmagic.DisableHTTPChallenge, "disable-http-challenge", certmagic.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
flag.BoolVar(&certmagic.DisableTLSALPNChallenge, "disable-tls-alpn-challenge", certmagic.DisableTLSALPNChallenge, "Disable the ACME TLS-ALPN challenge")
flag.BoolVar(&certmagic.Default.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
flag.StringVar(&certmagic.Default.CA, "ca", certmagic.Default.CA, "URL to certificate authority's ACME server directory")
flag.StringVar(&certmagic.Default.DefaultServerName, "default-sni", certmagic.Default.DefaultServerName, "If a ClientHello ServerName is empty, use this ServerName to choose a TLS certificate")
flag.BoolVar(&certmagic.Default.DisableHTTPChallenge, "disable-http-challenge", certmagic.Default.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
flag.BoolVar(&certmagic.Default.DisableTLSALPNChallenge, "disable-tls-alpn-challenge", certmagic.Default.DisableTLSALPNChallenge, "Disable the ACME TLS-ALPN challenge")
flag.StringVar(&disabledMetrics, "disabled-metrics", "", "Comma-separated list of telemetry metrics to disable")
flag.StringVar(&conf, "conf", "", "Caddyfile to load (default \""+caddy.DefaultConfigFile+"\")")
flag.StringVar(&cpu, "cpu", "100%", "CPU cap")
......@@ -57,7 +57,7 @@ func init() {
flag.StringVar(&envFile, "envfile", "", "Path to file with environment variables to load in KEY=VALUE format")
flag.BoolVar(&fromJSON, "json-to-caddyfile", false, "From JSON stdin to Caddyfile stdout")
flag.BoolVar(&plugins, "plugins", false, "List installed plugins")
flag.StringVar(&certmagic.Email, "email", "", "Default ACME CA account email address")
flag.StringVar(&certmagic.Default.Email, "email", "", "Default ACME CA account email address")
flag.DurationVar(&certmagic.HTTPTimeout, "catimeout", certmagic.HTTPTimeout, "Default ACME CA HTTP timeout")
flag.StringVar(&logfile, "log", "", "Process log file")
flag.IntVar(&logRollMB, "log-roll-mb", 100, "Roll process log when it reaches this many megabytes (0 to disable rolling)")
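Review bot: The `agree` and `email` flags pass literal defaults (`false`, `""`) while every sibling flag in this block reads its default from the `certmagic.Default` field it binds, so a non-zero value placed in `certmagic.Default` before this init runs would be silently clobbered for those two fields only. For consistency with the surrounding lines, use `flag.BoolVar(&certmagic.Default.Agreed, "agree", certmagic.Default.Agreed, "Agree to the CA's Subscriber Agreement")` and `flag.StringVar(&certmagic.Default.Email, "email", certmagic.Default.Email, "Default ACME CA account email address")`. init's body continues outside the hunk.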
......
......@@ -234,7 +234,7 @@ func (h *httpContext) MakeServers() ([]caddy.Server, error) {
// trusted CA (obviously not a perfect heuristic)
var looksLikeProductionCA bool
for _, publicCAEndpoint := range caddytls.KnownACMECAs {
if strings.Contains(certmagic.CA, publicCAEndpoint) {
if strings.Contains(certmagic.Default.CA, publicCAEndpoint) {
looksLikeProductionCA = true
break
}
......
......@@ -21,6 +21,7 @@ import (
"io/ioutil"
"os"
"sync/atomic"
"time"
"github.com/go-acme/lego/challenge/tlsalpn01"
......@@ -117,22 +118,48 @@ func NewConfig(inst *caddy.Instance) (*Config, error) {
if err != nil {
return nil, fmt.Errorf("constructing cluster plugin %s: %v", clusterPluginName, err)
}
certmagic.DefaultStorage = storage
certmagic.Default.Storage = storage
} else {
return nil, fmt.Errorf("unrecognized cluster plugin (was it included in the Caddy build?): %s", clusterPluginName)
}
}
certCache = certmagic.NewCache(certmagic.DefaultStorage)
certCache = certmagic.NewCache(certmagic.CacheOptions{
GetConfigForCert: func(cert certmagic.Certificate) (certmagic.Config, error) {
inst.StorageMu.Lock()
cfgMap, ok := inst.Storage[configMapKey].(map[string]*Config)
inst.StorageMu.Unlock()
if ok {
for hostname, cfg := range cfgMap {
if cfg.Manager != nil && hostname == cert.Names[0] {
return *cfg.Manager, nil
}
}
}
// returning Default not strictly necessary, since Default is used as template
// anyway; but this makes it clear that that's what we fall back to
return certmagic.Default, nil
},
})
storageCleaningTicker := time.NewTicker(12 * time.Hour)
go func() {
for range storageCleaningTicker.C {
certmagic.CleanStorage(certmagic.Default.Storage, certmagic.CleanStorageOptions{
OCSPStaples: true,
})
}
}()
inst.OnShutdown = append(inst.OnShutdown, func() error {
certCache.Stop()
storageCleaningTicker.Stop()
return nil
})
inst.StorageMu.Lock()
inst.Storage[CertCacheInstStorageKey] = certCache
inst.StorageMu.Unlock()
}
return &Config{
Manager: certmagic.NewWithCache(certCache, certmagic.Config{}),
Manager: certmagic.New(certCache, certmagic.Config{}),
}, nil
}
......@@ -418,7 +445,6 @@ func SetDefaultTLSParams(config *Config) {
var supportedKeyTypes = map[string]certcrypto.KeyType{
"P384": certcrypto.EC384,
"P256": certcrypto.EC256,
"RSA8192": certcrypto.RSA8192,
"RSA4096": certcrypto.RSA4096,
"RSA2048": certcrypto.RSA2048,
}
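Review bot: `cert.Names[0]` in the new `GetConfigForCert` callback is indexed without checking that `cert.Names` is non-empty, so a cached certificate carrying no names would panic inside the cache's callback; guard it with `if len(cert.Names) == 0 { return certmagic.Default, nil }` ahead of the loop, and say in a comment that only the first SAN is consulted for the match. The storage-cleaning goroutine ranges over `storageCleaningTicker.C`, but `Ticker.Stop` does not close that channel, so once the shutdown hook runs the goroutine blocks forever instead of exiting; give it a done channel that the shutdown hook closes, as below. `cfgMap` is also iterated after `inst.StorageMu` is released, which races if the map stored under `configMapKey` is later mutated in place (the setup change in this commit writes into the retrieved map before storing it back), so either hold the lock across the loop or have setup store a fresh copy. NewConfig's body starts outside the hunk.
```go
// … unchanged: certCache construction via certmagic.NewCache …
storageCleaningTicker := time.NewTicker(12 * time.Hour)
storageCleaningDone := make(chan struct{})
go func() {
	// Stop() never closes the ticker channel, so a plain range would
	// block forever after shutdown; select on the done channel instead.
	for {
		select {
		case <-storageCleaningDone:
			return
		case <-storageCleaningTicker.C:
			certmagic.CleanStorage(certmagic.Default.Storage, certmagic.CleanStorageOptions{
				OCSPStaples: true,
			})
		}
	}
}()
inst.OnShutdown = append(inst.OnShutdown, func() error {
	certCache.Stop()
	storageCleaningTicker.Stop()
	close(storageCleaningDone)
	return nil
})
// … unchanged: store certCache in inst.Storage …
```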
......
......@@ -42,7 +42,7 @@ type configGroup map[string]*Config
func (cg configGroup) getConfig(hello *tls.ClientHelloInfo) *Config {
name := certmagic.NormalizedName(hello.ServerName)
if name == "" {
name = certmagic.NormalizedName(certmagic.DefaultServerName)
name = certmagic.NormalizedName(certmagic.Default.DefaultServerName)
}
// if SNI is empty, prefer matching IP address (it is
......
......@@ -63,7 +63,7 @@ func setupTLS(c *caddy.Controller) error {
if err != nil {
return fmt.Errorf("constructing cluster plugin %s: %v", clusterPluginName, err)
}
certmagic.DefaultStorage = storage
certmagic.Default.Storage = storage
} else {
return fmt.Errorf("unrecognized cluster plugin (was it included in the Caddy build?): %s", clusterPluginName)
}
......@@ -363,6 +363,14 @@ func setupTLS(c *caddy.Controller) error {
telemetry.Increment("tls_self_signed_count")
}
// store this as a custom config
cfgMap, ok := c.Get(configMapKey).(map[string]*Config)
if !ok || cfgMap == nil {
cfgMap = make(map[string]*Config)
}
cfgMap[config.Hostname] = config
c.Set(configMapKey, cfgMap)
return nil
}
......@@ -449,3 +457,5 @@ func loadCertsInDir(cfg *Config, c *caddy.Controller, dir string) error {
func constructDefaultClusterPlugin() (certmagic.Storage, error) {
return &certmagic.FileStorage{Path: caddy.AssetsPath()}, nil
}
const configMapKey = "tls_custom_configs"
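Review bot: `cfgMap[config.Hostname] = config` keys the custom config by `config.Hostname` as written, while the lookup added to NewConfig's cache callback compares that key against `cert.Names[0]`; unless Hostname is already in the same normalized form as certificate names, the lookup silently falls back to `certmagic.Default`, so consider keying with `certmagic.NormalizedName(config.Hostname)` (as handshake.go already does for SNI) and documenting the expected key form. The map returned by `c.Get` is mutated in place before `c.Set`, so if the stored value is the same map object that other code reads concurrently, this write races with those readers; storing a fresh copy avoids that. The new `configMapKey` constant also lacks a doc comment; suggest `// configMapKey is the instance storage key under which setupTLS records per-hostname custom configs for NewConfig's cache callback.` setupTLS's body starts outside the hunk.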
......@@ -53,8 +53,8 @@ func TestSetupParseBasic(t *testing.T) {
}
defer os.RemoveAll(tmpdir)
certCache := certmagic.NewCache(&certmagic.FileStorage{Path: tmpdir})
cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
certmagic.Default.Storage = &certmagic.FileStorage{Path: tmpdir}
cfg := &Config{Manager: certmagic.NewDefault()}
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
c := caddy.NewTestController("", `tls `+certFile+` `+keyFile+``)
......@@ -139,8 +139,8 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
}
defer os.RemoveAll(tmpdir)
certCache := certmagic.NewCache(&certmagic.FileStorage{Path: tmpdir})
cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
certmagic.Default.Storage = &certmagic.FileStorage{Path: tmpdir}
cfg := &Config{Manager: certmagic.NewDefault()}
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
c := caddy.NewTestController("", params)
......@@ -276,8 +276,7 @@ func TestSetupParseWithClientAuth(t *testing.T) {
clients verify_if_given
}`, tls.VerifyClientCertIfGiven, true, noCAs},
} {
certCache := certmagic.NewCache(certmagic.DefaultStorage)
cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
cfg := &Config{Manager: certmagic.NewDefault()}
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
c := caddy.NewTestController("", caseData.params)
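Review bot: Each test now assigns `certmagic.Default.Storage` (a package-level global) and never restores it, so the temp-dir storage leaks into every later test in the package and is removed by the deferred `os.RemoveAll`; TestSetupParseWithClientAuth then calls `certmagic.NewDefault()` with whatever storage the previous test left behind, making the tests order-dependent. Restore it at the top of each test that sets it: `prev := certmagic.Default.Storage` followed by `defer func() { certmagic.Default.Storage = prev }()`. The enclosing test functions start outside these hunks.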
......
......@@ -7,7 +7,7 @@ require (
github.com/caddyserver/builds v0.0.0-20170910200810-c62e2219460a
github.com/dustin/go-humanize v1.0.0
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568
github.com/go-acme/lego v2.4.0+incompatible
github.com/go-acme/lego v2.5.0+incompatible
github.com/google/uuid v1.1.1
github.com/gorilla/websocket v1.4.0
github.com/hashicorp/go-syslog v1.0.0
......@@ -15,7 +15,7 @@ require (
github.com/klauspost/cpuid v1.2.0
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 // indirect
github.com/lucas-clemente/quic-go v0.10.2
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234
github.com/mholt/certmagic v0.5.0
github.com/naoina/go-stringutil v0.1.0 // indirect
github.com/naoina/toml v0.1.1
github.com/russross/blackfriday v0.0.0-20170610170232-067529f716f4
......
......@@ -19,6 +19,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
github.com/go-acme/lego v2.3.1-0.20190318164254-3684cc738d37+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
github.com/go-acme/lego v2.4.0+incompatible h1:+BTLUfLtDc5qQauyiTCXH6lupEUOCvXyGlEjdeU0YQI=
github.com/go-acme/lego v2.4.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
github.com/go-acme/lego v2.5.0+incompatible h1:5fNN9yRQfv8ymH3DSsxla+4aYeQt2IgfZqHKVnK8f0s=
github.com/go-acme/lego v2.5.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
......@@ -49,6 +51,8 @@ github.com/lucas-clemente/quic-go-certificates v0.0.0-20160823095156-d2f86524cce
github.com/marten-seemann/qtls v0.2.3/go.mod h1:xzjG7avBwGGbdZ8dTGxlBnLArsVKLvwmjgmPuiQEcYk=
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234 h1:6biVHmhBIOQCzdOClOJ97D/Ip9oH8TgFftq2bj/93YI=
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234/go.mod h1:KvmxBmeVqj88J9Z9us/x04Yp/YYfMtmGkhQFWewFe6U=
github.com/mholt/certmagic v0.5.0 h1:lYXxsLUFya/I3BgDCrfuwcMQOB+4auzI8CCzpK41tjc=
github.com/mholt/certmagic v0.5.0/go.mod h1:g4cOPxcjV0oFq3qwpjSA30LReKD8AoIfwAY9VvG35NY=
github.com/miekg/dns v1.1.3 h1:1g0r1IvskvgL8rR+AcHzUA+oFmGcQlaIm4IqakufeMM=
github.com/miekg/dns v1.1.3/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/naoina/go-stringutil v0.1.0 h1:rCUeRUHjBjGTSHl0VC00jUPLz8/F9dDzYI70Hzifhks=
......