caddytls: Reorder provisioning steps (fix #6877)
Also add a quick check to allow users to load their own certs for ECH (outer) domains.
This commit is contained in:
parent
d2a2311bfd
commit
4ebcfed9c9
@ -182,17 +182,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
|
|||||||
t.dns = dnsMod
|
t.dns = dnsMod
|
||||||
}
|
}
|
||||||
|
|
||||||
// ECH (Encrypted ClientHello) initialization
|
|
||||||
if t.EncryptedClientHello != nil {
|
|
||||||
t.EncryptedClientHello.configs = make(map[string][]echConfig)
|
|
||||||
outerNames, err := t.EncryptedClientHello.Provision(ctx)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("provisioning Encrypted ClientHello components: %v", err)
|
|
||||||
}
|
|
||||||
// outer names should have certificates to reduce client brittleness
|
|
||||||
t.automateNames = append(t.automateNames, outerNames...)
|
|
||||||
}
|
|
||||||
|
|
||||||
// set up a new certificate cache; this (re)loads all certificates
|
// set up a new certificate cache; this (re)loads all certificates
|
||||||
cacheOpts := certmagic.CacheOptions{
|
cacheOpts := certmagic.CacheOptions{
|
||||||
GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
|
GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
|
||||||
@ -243,31 +232,34 @@ func (t *TLS) Provision(ctx caddy.Context) error {
|
|||||||
t.certificateLoaders = append(t.certificateLoaders, modIface.(CertificateLoader))
|
t.certificateLoaders = append(t.certificateLoaders, modIface.(CertificateLoader))
|
||||||
}
|
}
|
||||||
|
|
||||||
// on-demand permission module
|
// using the certificate loaders we just initialized, load
|
||||||
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.PermissionRaw != nil {
|
// manual/static (unmanaged) certificates - we do this in
|
||||||
if t.Automation.OnDemand.Ask != "" {
|
// provision so that other apps (such as http) can know which
|
||||||
return fmt.Errorf("on-demand TLS config conflict: both 'ask' endpoint and a 'permission' module are specified; 'ask' is deprecated, so use only the permission module")
|
// certificates have been manually loaded, and also so that
|
||||||
}
|
// commands like validate can be a better test
|
||||||
val, err := ctx.LoadModule(t.Automation.OnDemand, "PermissionRaw")
|
certCacheMu.RLock()
|
||||||
|
magic := certmagic.New(certCache, certmagic.Config{
|
||||||
|
Storage: ctx.Storage(),
|
||||||
|
Logger: t.logger,
|
||||||
|
OnEvent: t.onEvent,
|
||||||
|
OCSP: certmagic.OCSPConfig{
|
||||||
|
DisableStapling: t.DisableOCSPStapling,
|
||||||
|
},
|
||||||
|
DisableStorageCheck: t.DisableStorageCheck,
|
||||||
|
})
|
||||||
|
certCacheMu.RUnlock()
|
||||||
|
for _, loader := range t.certificateLoaders {
|
||||||
|
certs, err := loader.LoadCertificates()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("loading on-demand TLS permission module: %v", err)
|
return fmt.Errorf("loading certificates: %v", err)
|
||||||
}
|
}
|
||||||
t.Automation.OnDemand.permission = val.(OnDemandPermission)
|
for _, cert := range certs {
|
||||||
}
|
hash, err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
|
||||||
|
if err != nil {
|
||||||
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
|
return fmt.Errorf("caching unmanaged certificate: %v", err)
|
||||||
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
|
}
|
||||||
t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)
|
t.loaded[hash] = ""
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("preparing 'ask' endpoint: %v", err)
|
|
||||||
}
|
}
|
||||||
perm := PermissionByHTTP{
|
|
||||||
Endpoint: t.Automation.OnDemand.Ask,
|
|
||||||
}
|
|
||||||
if err := perm.Provision(ctx); err != nil {
|
|
||||||
return fmt.Errorf("provisioning 'ask' module: %v", err)
|
|
||||||
}
|
|
||||||
t.Automation.OnDemand.permission = perm
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// automation/management policies
|
// automation/management policies
|
||||||
@ -302,6 +294,33 @@ func (t *TLS) Provision(ctx caddy.Context) error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// on-demand permission module
|
||||||
|
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.PermissionRaw != nil {
|
||||||
|
if t.Automation.OnDemand.Ask != "" {
|
||||||
|
return fmt.Errorf("on-demand TLS config conflict: both 'ask' endpoint and a 'permission' module are specified; 'ask' is deprecated, so use only the permission module")
|
||||||
|
}
|
||||||
|
val, err := ctx.LoadModule(t.Automation.OnDemand, "PermissionRaw")
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("loading on-demand TLS permission module: %v", err)
|
||||||
|
}
|
||||||
|
t.Automation.OnDemand.permission = val.(OnDemandPermission)
|
||||||
|
}
|
||||||
|
|
||||||
|
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
|
||||||
|
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
|
||||||
|
t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("preparing 'ask' endpoint: %v", err)
|
||||||
|
}
|
||||||
|
perm := PermissionByHTTP{
|
||||||
|
Endpoint: t.Automation.OnDemand.Ask,
|
||||||
|
}
|
||||||
|
if err := perm.Provision(ctx); err != nil {
|
||||||
|
return fmt.Errorf("provisioning 'ask' module: %v", err)
|
||||||
|
}
|
||||||
|
t.Automation.OnDemand.permission = perm
|
||||||
|
}
|
||||||
|
|
||||||
// session ticket ephemeral keys (STEK) service and provider
|
// session ticket ephemeral keys (STEK) service and provider
|
||||||
if t.SessionTickets != nil {
|
if t.SessionTickets != nil {
|
||||||
err := t.SessionTickets.provision(ctx)
|
err := t.SessionTickets.provision(ctx)
|
||||||
@ -310,32 +329,19 @@ func (t *TLS) Provision(ctx caddy.Context) error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// load manual/static (unmanaged) certificates - we do this in
|
// ECH (Encrypted ClientHello) initialization
|
||||||
// provision so that other apps (such as http) can know which
|
if t.EncryptedClientHello != nil {
|
||||||
// certificates have been manually loaded, and also so that
|
t.EncryptedClientHello.configs = make(map[string][]echConfig)
|
||||||
// commands like validate can be a better test
|
outerNames, err := t.EncryptedClientHello.Provision(ctx)
|
||||||
certCacheMu.RLock()
|
|
||||||
magic := certmagic.New(certCache, certmagic.Config{
|
|
||||||
Storage: ctx.Storage(),
|
|
||||||
Logger: t.logger,
|
|
||||||
OnEvent: t.onEvent,
|
|
||||||
OCSP: certmagic.OCSPConfig{
|
|
||||||
DisableStapling: t.DisableOCSPStapling,
|
|
||||||
},
|
|
||||||
DisableStorageCheck: t.DisableStorageCheck,
|
|
||||||
})
|
|
||||||
certCacheMu.RUnlock()
|
|
||||||
for _, loader := range t.certificateLoaders {
|
|
||||||
certs, err := loader.LoadCertificates()
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("loading certificates: %v", err)
|
return fmt.Errorf("provisioning Encrypted ClientHello components: %v", err)
|
||||||
}
|
}
|
||||||
for _, cert := range certs {
|
|
||||||
hash, err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
|
// outer names should have certificates to reduce client brittleness
|
||||||
if err != nil {
|
for _, outerName := range outerNames {
|
||||||
return fmt.Errorf("caching unmanaged certificate: %v", err)
|
if !t.HasCertificateForSubject(outerName) {
|
||||||
|
t.automateNames = append(t.automateNames, outerNames...)
|
||||||
}
|
}
|
||||||
t.loaded[hash] = ""
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
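Review bot: The new ECH check in the last hunk appends the whole slice instead of the one name that failed the lookup: inside `for _, outerName := range outerNames`, the body runs `t.automateNames = append(t.automateNames, outerNames...)`, so a single outer name without a certificate enrolls every outer name for automation — including those the operator loaded their own certificate for, which is exactly what this commit sets out to allow — and several missing names append the list repeatedly. The line should be `t.automateNames = append(t.automateNames, outerName)`. Unintended entries in `automateNames` mean managed issuance for domains the operator meant to serve with manually loaded certificates, so this is worth fixing before it ships. The enclosing Provision function starts before the first hunk and is not shown in full.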