From 38677aaa58eb76a416fa42146956f3e3a5981e75 Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Mon, 24 Jun 2019 12:16:10 -0600 Subject: [PATCH] caddytls: Support tags for manually-loaded certificates --- go.mod | 7 ++++--- go.sum | 12 ++++++------ modules/caddyhttp/caddyhttp.go | 1 + modules/caddytls/fileloader.go | 13 +++++++------ modules/caddytls/folderloader.go | 8 +++++--- modules/caddytls/tls.go | 12 ++++++++++-- 6 files changed, 33 insertions(+), 20 deletions(-) diff --git a/go.mod b/go.mod index edf5e6c52..76585954c 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/DataDog/zstd v1.4.0 // indirect github.com/Masterminds/goutils v1.1.0 // indirect github.com/Masterminds/semver v1.4.2 // indirect - github.com/Masterminds/sprig v2.20.0+incompatible // indirect + github.com/Masterminds/sprig v2.20.0+incompatible github.com/andybalholm/brotli v0.0.0-20190430215306-5c318f9037cb github.com/dustin/go-humanize v1.0.0 github.com/go-acme/lego v2.6.0+incompatible @@ -16,14 +16,15 @@ require ( github.com/imdario/mergo v0.3.7 // indirect github.com/klauspost/compress v1.7.1-0.20190613161414-0b31f265a57b github.com/klauspost/cpuid v1.2.1 - github.com/mholt/certmagic v0.6.2-0.20190621004807-be4f86a2eb60 + github.com/mholt/certmagic v0.6.2-0.20190624175158-6a42ef9fe8c2 github.com/rs/cors v1.6.0 github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect github.com/starlight-go/starlight v0.0.0-20181207205707-b06f321544f3 go.starlark.net v0.0.0-20190604130855-6ddc71c0ba77 golang.org/x/net v0.0.0-20190603091049-60506f45cf65 - golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 gopkg.in/russross/blackfriday.v2 v2.0.1 + gopkg.in/yaml.v2 v2.2.2 // indirect ) replace gopkg.in/russross/blackfriday.v2 v2.0.1 => github.com/russross/blackfriday/v2 v2.0.1 diff --git a/go.sum b/go.sum index d540fef79..97cf12824 100644 --- a/go.sum +++ b/go.sum @@ -32,12 +32,8 @@ github.com/klauspost/compress v1.7.1-0.20190613161414-0b31f265a57b/go.mod h1:RyI github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= github.com/klauspost/cpuid v1.2.1 h1:vJi+O/nMdFt0vqm8NZBI6wzALWdA2X+egi0ogNyrC/w= github.com/klauspost/cpuid v1.2.1/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= -github.com/mholt/certmagic v0.5.2-0.20190605043235-e49d0d405641 h1:wNqOQ0DFxcZDNpPChhHfL8KscFMnxARN6Q2FiX4/VKI= -github.com/mholt/certmagic v0.5.2-0.20190605043235-e49d0d405641/go.mod h1:g4cOPxcjV0oFq3qwpjSA30LReKD8AoIfwAY9VvG35NY= -github.com/mholt/certmagic v0.6.0 h1:gZwuBuONw2v8/fZh2nd39kvjFNjnSF2uIR4GzKaaryw= -github.com/mholt/certmagic v0.6.0/go.mod h1:g4cOPxcjV0oFq3qwpjSA30LReKD8AoIfwAY9VvG35NY= -github.com/mholt/certmagic v0.6.2-0.20190621004807-be4f86a2eb60 h1:SALetD3LrWGNvna2JIwY1dG4W6rBKtoBehQtHjEKTpo= -github.com/mholt/certmagic v0.6.2-0.20190621004807-be4f86a2eb60/go.mod h1:g4cOPxcjV0oFq3qwpjSA30LReKD8AoIfwAY9VvG35NY= +github.com/mholt/certmagic v0.6.2-0.20190624175158-6a42ef9fe8c2 h1:xKE9kZ5C8gelJC3+BNM6LJs1x21rivK7yxfTZMAuY2s= +github.com/mholt/certmagic v0.6.2-0.20190624175158-6a42ef9fe8c2/go.mod h1:g4cOPxcjV0oFq3qwpjSA30LReKD8AoIfwAY9VvG35NY= github.com/miekg/dns v1.1.3 h1:1g0r1IvskvgL8rR+AcHzUA+oFmGcQlaIm4IqakufeMM= github.com/miekg/dns v1.1.3/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= @@ -70,5 +66,9 @@ golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/square/go-jose.v2 v2.2.2 h1:orlkJ3myw8CN1nVQHBFfloD+L3egixIa4FvUP6RosSA= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go index 68568a984..036a3ab82 100644 --- a/modules/caddyhttp/caddyhttp.go +++ b/modules/caddyhttp/caddyhttp.go @@ -243,6 +243,7 @@ func (app *App) automaticHTTPS() error { }) // manage their certificates + log.Printf("[INFO] Enabling automatic HTTPS for %v", domains) err := tlsApp.Manage(domains) if err != nil { return fmt.Errorf("%s: managing certificate for %s: %s", srvName, domains, err) diff --git a/modules/caddytls/fileloader.go b/modules/caddytls/fileloader.go index 63592f956..d8e2d21d1 100644 --- a/modules/caddytls/fileloader.go +++ b/modules/caddytls/fileloader.go @@ -21,14 +21,15 @@ type fileLoader []CertKeyFilePair // CertKeyFilePair pairs certificate and key file names along with their // encoding format so that they can be loaded from disk. type CertKeyFilePair struct { - Certificate string `json:"certificate"` - Key string `json:"key"` - Format string `json:"format,omitempty"` // "pem" is default + Certificate string `json:"certificate"` + Key string `json:"key"` + Format string `json:"format,omitempty"` // "pem" is default + Tags []string `json:"tags,omitempty"` } // LoadCertificates returns the certificates to be loaded by fl. -func (fl fileLoader) LoadCertificates() ([]tls.Certificate, error) { - var certs []tls.Certificate +func (fl fileLoader) LoadCertificates() ([]Certificate, error) { + var certs []Certificate for _, pair := range fl { certData, err := ioutil.ReadFile(pair.Certificate) if err != nil { @@ -52,7 +53,7 @@ func (fl fileLoader) LoadCertificates() ([]tls.Certificate, error) { return nil, err } - certs = append(certs, cert) + certs = append(certs, Certificate{Certificate: cert, Tags: pair.Tags}) } return certs, nil } diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go index bcc22d865..c4917081b 100644 --- a/modules/caddytls/folderloader.go +++ b/modules/caddytls/folderloader.go @@ -29,8 +29,8 @@ type folderLoader []string // listed in fl from all files ending with .pem. This method of loading // certificates expects the certificate and key to be bundled into the // same file. -func (fl folderLoader) LoadCertificates() ([]tls.Certificate, error) { - var certs []tls.Certificate +func (fl folderLoader) LoadCertificates() ([]Certificate, error) { + var certs []Certificate for _, dir := range fl { err := filepath.Walk(dir, func(fpath string, info os.FileInfo, err error) error { if err != nil { @@ -48,7 +48,7 @@ func (fl folderLoader) LoadCertificates() ([]tls.Certificate, error) { return err } - certs = append(certs, cert) + certs = append(certs, Certificate{Certificate: cert}) return nil }) @@ -120,3 +120,5 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) { return cert, nil } + +var _ CertificateLoader = (folderLoader)(nil) diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go index 63bc21d30..7f5b1e911 100644 --- a/modules/caddytls/tls.go +++ b/modules/caddytls/tls.go @@ -98,7 +98,7 @@ func (t *TLS) Start() error { Storage: t.ctx.Storage(), }) for _, cert := range certs { - err := magic.CacheUnmanagedTLSCertificate(cert) + err := magic.CacheUnmanagedTLSCertificate(cert.Certificate, cert.Tags) if err != nil { return fmt.Errorf("caching unmanaged certificate: %v", err) } @@ -182,8 +182,16 @@ func (t *TLS) getAutomationPolicyForName(name string) AutomationPolicy { } // CertificateLoader is a type that can load certificates. +// Certificates can optionally be associated with tags. type CertificateLoader interface { - LoadCertificates() ([]tls.Certificate, error) + LoadCertificates() ([]Certificate, error) +} + +// Certificate is a TLS certificate, optionally +// associated with arbitrary tags. +type Certificate struct { + tls.Certificate + Tags []string } // AutomationConfig designates configuration for the