a/certmagic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
aad674cda5
certmagic/certificates.go

630 lines
23 KiB
Go
Raw Normal View History

Initial commit
2018-12-10 13:15:26 +10:00
// Copyright 2015 Matthew Holt
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package certmagic
import (
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
"context"
Initial commit
2018-12-10 13:15:26 +10:00
"crypto/tls"
"crypto/x509"
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
"encoding/json"
Initial commit
2018-12-10 13:15:26 +10:00
"fmt"
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
"math/rand"
Initial commit
2018-12-10 13:15:26 +10:00
"net"
storage: Require fs.ErrNotExist (fix #168) (#170) Also stop using the deprecated io/ioutil package. Update dependencies. Update Go version in go.mod.
2022-03-08 04:11:20 +10:00
"os"
Initial commit
2018-12-10 13:15:26 +10:00
"strings"
"time"
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
"github.com/mholt/acmez/v2/acme"
Convert (most of the library) to structured logs (closes #19) Logging is now configurable through setting the Logging field on the various relevant struct types. This is a more useful, consistent, and higher-performing experience with logs than the std lib logger we used before. This isn't a 100% complete transition because there are some parts of the code base that don't have obvious or easy access to a logger. They are mostly fringe/edge cases though, and most are error logs, so you shouldn't see them under normal circumstances. They still emit to the std lib logger, so it's not like any errors get hidden: they are just unstructured until we find a way to give them access to a logger.
2020-07-30 11:38:12 +10:00
"go.uber.org/zap"
Initial commit
2018-12-10 13:15:26 +10:00
"golang.org/x/crypto/ocsp"
)
// Certificate is a tls.Certificate with associated metadata tacked on.
// Even if the metadata can be obtained by parsing the certificate,
Add hook for custom certificate selection logic (mholt/caddy#2588)
2019-05-24 08:11:32 +10:00
// we are more efficient by extracting the metadata onto this struct,
// but at the cost of slightly higher memory use.
Initial commit
2018-12-10 13:15:26 +10:00
type Certificate struct {
tls.Certificate
Consider client's signature support when choosing certificates This allows two certs (say, RSA and ECDSA) for the same names to be loaded, and CertMagic will consider which one the client supports and use that. We used to extract just select fields from the leaf certificate so that we didn't need to fill memory with more data than necessary, but in order to use the stdlib's SupportsCertificate() method, we have to keep the full tls.Certificate.Leaf field set for speed during handshakes.
2020-04-02 10:25:02 +10:00
// Names is the list of subject names this
// certificate is signed for.
Initial commit
2018-12-10 13:15:26 +10:00
Names []string
Consider client's signature support when choosing certificates This allows two certs (say, RSA and ECDSA) for the same names to be loaded, and CertMagic will consider which one the client supports and use that. We used to extract just select fields from the leaf certificate so that we didn't need to fill memory with more data than necessary, but in order to use the stdlib's SupportsCertificate() method, we have to keep the full tls.Certificate.Leaf field set for speed during handshakes.
2020-04-02 10:25:02 +10:00
// Optional; user-provided, and arbitrary.
Tags []string
Initial commit
2018-12-10 13:15:26 +10:00
// OCSP contains the certificate's parsed OCSP response.
Fix force-renewing revoked on-demand certs (#166) * Fix force-renewing revoked on-demand certs Follow-up to 9245be5a2f16135b9de55567682f49a2d343e1f0 * One more fix for on-demand logic of revoked certs * OCSP revocation checks at startup, too Required significant refactoring, hope it works. Yet again way too late at night for this...
2022-02-02 02:05:24 +10:00
// It is not necessarily the response that is stapled
// (e.g. if the status is not Good), it is simply the
// most recent OCSP response we have for this certificate.
Optional tags for unmanaged certificates This allows for user-loaded certificates to be associated with arbitrary values such as user-provided IDs or categories. This can be useful if multiple certificates satisfy a ClientHello but if a specific one still needs to be chosen. See for example: https://github.com/mholt/caddy/issues/2588 This is a breaking API change since we need to expose a tags parameter to the caching functions, but we're not 1.0 yet so we will try this API change and see how it goes.
2019-06-25 03:51:58 +10:00
ocsp *ocsp.Response
Initial commit
2018-12-10 13:15:26 +10:00
Getter method for cert hash Useful downstream where we need to see if cache has a specific cert
2023-07-10 13:47:35 +10:00
// The hex-encoded hash of this cert's chain's DER bytes.
Optional tags for unmanaged certificates This allows for user-loaded certificates to be associated with arbitrary values such as user-provided IDs or categories. This can be useful if multiple certificates satisfy a ClientHello but if a specific one still needs to be chosen. See for example: https://github.com/mholt/caddy/issues/2588 This is a breaking API change since we need to expose a tags parameter to the caching functions, but we're not 1.0 yet so we will try this API change and see how it goes.
2019-06-25 03:51:58 +10:00
hash string
Initial commit
2018-12-10 13:15:26 +10:00
Allow forced renewals; fix renew on OCSP revoke; change key on compromise (#134) * Begin refactor of ObtainCert and RenewCert to allow force renews * Don't reuse private key in case of revocation due to key compromise * Improve logging in renew * Run OCSP check at start of cache maintenance Otherwise we wait until first tick (currently 1 hour) which might be too long * Fix obtain; move some things around Obtain now tries to reuse private key if exists, but if it doesn't exist, that shouldn't be an error (so we clear the error in that case). Moved the removal of compromised private keys to have logging make more sense.
2021-06-13 05:47:47 +10:00
// Whether this certificate is under our management.
Initial commit
2018-12-10 13:15:26 +10:00
managed bool
Allow forced renewals; fix renew on OCSP revoke; change key on compromise (#134) * Begin refactor of ObtainCert and RenewCert to allow force renews * Don't reuse private key in case of revocation due to key compromise * Improve logging in renew * Run OCSP check at start of cache maintenance Otherwise we wait until first tick (currently 1 hour) which might be too long * Fix obtain; move some things around Obtain now tries to reuse private key if exists, but if it doesn't exist, that shouldn't be an error (so we clear the error in that case). Moved the removal of compromised private keys to have logging make more sense.
2021-06-13 05:47:47 +10:00
// The unique string identifying the issuer of this certificate.
issuerKey string
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
// ACME Renewal Information, if available
ari acme.RenewalInfo
Initial commit
2018-12-10 13:15:26 +10:00
}
GetCertificate from external certificate sources (Managers) (#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments
2022-02-18 07:37:50 +10:00
// Empty returns true if the certificate struct is not filled out; at
// least the tls.Certificate.Certificate field is expected to be set.
func (cert Certificate) Empty() bool {
return len(cert.Certificate.Certificate) == 0
}
Getter method for cert hash Useful downstream where we need to see if cache has a specific cert
2023-07-10 13:47:35 +10:00
// Hash returns a checksum of the certificate chain's DER-encoded bytes.
func (cert Certificate) Hash() string { return cert.hash }
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
// NeedsRenewal returns true if the certificate is expiring
// soon (according to ARI and/or cfg) or has expired.
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
func (cert Certificate) NeedsRenewal(cfg *Config) bool {
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
return cfg.certNeedsRenewal(cert.Leaf, cert.ari, true)
}
// certNeedsRenewal consults ACME Renewal Info (ARI) and certificate expiration to determine
// whether the leaf certificate needs to be renewed yet. If true is returned, the certificate
// should be renewed as soon as possible. The reasoning for a true return value is logged
// unless emitLogs is false; this can be useful to suppress noisy logs in the case where you
// first call this to determine if a cert in memory needs renewal, and then right after you
// call it again to see if the cert in storage still needs renewal -- you probably don't want
// to log the second time for checking the cert in storage which is mainly for synchronization.
func (cfg *Config) certNeedsRenewal(leaf *x509.Certificate, ari acme.RenewalInfo, emitLogs bool) bool {
expiration := expiresAt(leaf)
var logger *zap.Logger
if emitLogs {
logger = cfg.Logger.With(
zap.Strings("subjects", leaf.DNSNames),
zap.Time("expiration", expiration),
zap.String("ari_cert_id", ari.UniqueIdentifier),
zap.Timep("next_ari_update", ari.RetryAfter),
zap.Duration("renew_check_interval", cfg.certCache.options.RenewCheckInterval),
zap.Time("window_start", ari.SuggestedWindow.Start),
zap.Time("window_end", ari.SuggestedWindow.End))
} else {
logger = zap.NewNop()
}
Add config option to disable ARI This may be temporary until ARI is more mature
2024-08-09 00:08:29 +10:00
if !cfg.DisableARI {
// first check ARI: if it says it's time to renew, it's time to renew
// (notice that we don't strictly require an ARI window to also exist; we presume
// that if a time has been selected, a window does or did exist, even if it didn't
// get stored/encoded for some reason - but also: this allows administrators to
// manually or explicitly schedule a renewal time indepedently of ARI which could
// be useful)
selectedTime := ari.SelectedTime
// if, for some reason a random time in the window hasn't been selected yet, but an ARI
// window does exist, we can always improvise one... even if this is called repeatedly,
// a random time is a random time, whether you generate it once or more :D
// (code borrowed from our acme package)
if selectedTime.IsZero() &&
(!ari.SuggestedWindow.Start.IsZero() && !ari.SuggestedWindow.End.IsZero()) {
start, end := ari.SuggestedWindow.Start.Unix()+1, ari.SuggestedWindow.End.Unix()
selectedTime = time.Unix(rand.Int63n(end-start)+start, 0).UTC()
logger.Warn("no renewal time had been selected with ARI; chose an ephemeral one for now",
zap.Time("ephemeral_selected_time", selectedTime))
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
}
Add config option to disable ARI This may be temporary until ARI is more mature
2024-08-09 00:08:29 +10:00
// if a renewal time has been selected, start with that
if !selectedTime.IsZero() {
// ARI spec recommends an algorithm that renews after the randomly-selected
// time OR just before it if the next waking time would be after it; this
// cutoff can actually be before the start of the renewal window, but the spec
// author says that's OK: https://github.com/aarongable/draft-acme-ari/issues/71
cutoff := ari.SelectedTime.Add(-cfg.certCache.options.RenewCheckInterval)
if time.Now().After(cutoff) {
logger.Info("certificate needs renewal based on ARI window",
zap.Time("selected_time", selectedTime),
zap.Time("renewal_cutoff", cutoff))
return true
}
// according to ARI, we are not ready to renew; however, we do not rely solely on
// ARI calculations... what if there is a bug in our implementation, or in the
// server's, or the stored metadata? for redundancy, give credence to the expiration
// date; ignore ARI if we are past a "dangerously close" limit, to avoid any
// possibility of a bug in ARI compromising a site's uptime: we should always always
// always give heed to actual validity period
if currentlyInRenewalWindow(leaf.NotBefore, expiration, 1.0/20.0) {
logger.Warn("certificate is in emergency renewal window; superceding ARI",
zap.Duration("remaining", time.Until(expiration)),
zap.Time("renewal_cutoff", cutoff))
return true
}
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
}
}
// the normal check, in the absence of ARI, is to determine if we're near enough (or past)
// the expiration date based on the configured remaining:lifetime ratio
if currentlyInRenewalWindow(leaf.NotBefore, expiration, cfg.RenewalWindowRatio) {
logger.Info("certificate is in configured renewal window based on expiration date",
zap.Duration("remaining", time.Until(expiration)))
return true
}
// finally, if the certificate is expiring imminently, always attempt a renewal;
// we check both a (very low) lifetime ratio and also a strict difference between
// the time until expiration and the interval at which we run the standard maintenance
// routine to check for renewals, to accommodate both exceptionally long and short
// cert lifetimes
if currentlyInRenewalWindow(leaf.NotBefore, expiration, 1.0/50.0) ||
time.Until(expiration) < cfg.certCache.options.RenewCheckInterval*5 {
logger.Warn("certificate is in emergency renewal window; expiration imminent",
zap.Duration("remaining", time.Until(expiration)))
return true
}
return false
Change renewal window to a ratio of cert lifetime instead of hard coded This allows CertMagic to accommodate certificates with extremely short lifetimes (new defaults work with cert lifetimes < 24h, but I wouldn't want to push it < 30m with these defaults).
2020-02-25 11:42:27 +10:00
}
Renew managed on-demand certificates at handshake-time if necessary If the machine goes to sleep or the process gets suspended, background maintenance won't happen, so we need to check for expiration of all managed, on-demand certificates at every handshake. Fortunately, this is pretty cheap because it's simple date math. https://caddy.community/t/local-certificates-not-renewing-on-demand/9482
2020-08-18 04:14:46 +10:00
// Expired returns true if the certificate has expired.
func (cert Certificate) Expired() bool {
if cert.Leaf == nil {
// ideally cert.Leaf would never be nil, but this can happen for
// "synthetic" certs like those made to solve the TLS-ALPN challenge
// which adds a special cert directly to the cache, since
// tls.X509KeyPair() discards the leaf; oh well
return false
}
Add one second (at most) to account for NotAfter imprecision (#199) Fix #197
2022-08-17 10:08:34 +10:00
return time.Now().After(expiresAt(cert.Leaf))
Renew managed on-demand certificates at handshake-time if necessary If the machine goes to sleep or the process gets suspended, background maintenance won't happen, so we need to check for expiration of all managed, on-demand certificates at every handshake. Fortunately, this is pretty cheap because it's simple date math. https://caddy.community/t/local-certificates-not-renewing-on-demand/9482
2020-08-18 04:14:46 +10:00
}
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
// currentlyInRenewalWindow returns true if the current time is within
// (or after) the renewal window, according to the given start/end
Change renewal window to a ratio of cert lifetime instead of hard coded This allows CertMagic to accommodate certificates with extremely short lifetimes (new defaults work with cert lifetimes < 24h, but I wouldn't want to push it < 30m with these defaults).
2020-02-25 11:42:27 +10:00
// dates and the ratio of the renewal window. If true is returned,
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
// the certificate being considered is due for renewal. The ratio
// is remaining:total time, i.e. 1/3 = 1/3 of lifetime remaining,
// or 9/10 = 9/10 of time lifetime remaining.
Change renewal window to a ratio of cert lifetime instead of hard coded This allows CertMagic to accommodate certificates with extremely short lifetimes (new defaults work with cert lifetimes < 24h, but I wouldn't want to push it < 30m with these defaults).
2020-02-25 11:42:27 +10:00
func currentlyInRenewalWindow(notBefore, notAfter time.Time, renewalWindowRatio float64) bool {
if notAfter.IsZero() {
Initial commit
2018-12-10 13:15:26 +10:00
return false
}
Change renewal window to a ratio of cert lifetime instead of hard coded This allows CertMagic to accommodate certificates with extremely short lifetimes (new defaults work with cert lifetimes < 24h, but I wouldn't want to push it < 30m with these defaults).
2020-02-25 11:42:27 +10:00
lifetime := notAfter.Sub(notBefore)
if renewalWindowRatio == 0 {
renewalWindowRatio = DefaultRenewalWindowRatio
Initial commit
2018-12-10 13:15:26 +10:00
}
Change renewal window to a ratio of cert lifetime instead of hard coded This allows CertMagic to accommodate certificates with extremely short lifetimes (new defaults work with cert lifetimes < 24h, but I wouldn't want to push it < 30m with these defaults).
2020-02-25 11:42:27 +10:00
renewalWindow := time.Duration(float64(lifetime) * renewalWindowRatio)
renewalWindowStart := notAfter.Add(-renewalWindow)
return time.Now().After(renewalWindowStart)
Initial commit
2018-12-10 13:15:26 +10:00
}
Consider client's signature support when choosing certificates This allows two certs (say, RSA and ECDSA) for the same names to be loaded, and CertMagic will consider which one the client supports and use that. We used to extract just select fields from the leaf certificate so that we didn't need to fill memory with more data than necessary, but in order to use the stdlib's SupportsCertificate() method, we have to keep the full tls.Certificate.Leaf field set for speed during handshakes.
2020-04-02 10:25:02 +10:00
// HasTag returns true if cert.Tags has tag.
func (cert Certificate) HasTag(tag string) bool {
for _, t := range cert.Tags {
Optional tags for unmanaged certificates This allows for user-loaded certificates to be associated with arbitrary values such as user-provided IDs or categories. This can be useful if multiple certificates satisfy a ClientHello but if a specific one still needs to be chosen. See for example: https://github.com/mholt/caddy/issues/2588 This is a breaking API change since we need to expose a tags parameter to the caching functions, but we're not 1.0 yet so we will try this API change and see how it goes.
2019-06-25 03:51:58 +10:00
if t == tag {
return true
}
}
return false
}
Add one second (at most) to account for NotAfter imprecision (#199) Fix #197
2022-08-17 10:08:34 +10:00
// expiresAt return the time that a certificate expires. Account for the 1s
// resolution of ASN.1 UTCTime/GeneralizedTime by including the extra fraction
// of a second of certificate validity beyond the NotAfter value.
func expiresAt(cert *x509.Certificate) time.Time {
Refactor Managers into on-demand config (#231)
2023-05-12 04:36:44 +10:00
if cert == nil {
return time.Time{}
}
Add one second (at most) to account for NotAfter imprecision (#199) Fix #197
2022-08-17 10:08:34 +10:00
return cert.NotAfter.Truncate(time.Second).Add(1 * time.Second)
}
Initial commit
2018-12-10 13:15:26 +10:00
// CacheManagedCertificate loads the certificate for domain into the
// cache, from the TLS storage for managed certificates. It returns a
// copy of the Certificate that was put into the cache.
//
Compatibility with refactored lego core lego commit: 42941ccea6b431ebff203d4cb520991fb7b47951
2018-12-10 17:26:09 +10:00
// This is a lower-level method; normally you'll call Manage() instead.
//
Initial commit
2018-12-10 13:15:26 +10:00
// This method is safe for concurrent use.
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
func (cfg *Config) CacheManagedCertificate(ctx context.Context, domain string) (Certificate, error) {
Implement SubjectTransformer This makes it possible to replace cert subjects with wildcards, for example Related: #280
2024-04-09 05:35:09 +10:00
domain = cfg.transformSubject(ctx, nil, domain)
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
cert, err := cfg.loadManagedCertificate(ctx, domain)
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
if err != nil {
return cert, err
}
cfg.certCache.cacheCertificate(cert)
Change OnEvent function; emit more events OnEvent can now control basic program flow for certain events. For example, it can cancel cert_obtaining or cert_renewing from happening. Slight API change adds context and changes to map[string]any for data. This is easier to work with in practice and conforms more with Caddy's new event system.
2022-08-27 04:17:10 +10:00
cfg.emit(ctx, "cached_managed_cert", map[string]any{"sans": cert.Names})
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
return cert, nil
}
Implement multiple issuer support (#109) * Implement multiple issuer support This change refactors Config.Issuer to be Config.Issuers, an array of issuers. Each Issuer will be tried in turn until one succeeds. During retries, each attempt will try each configured Issuer. When loading certs from storage, CertMagic will look in each Issuer's storage location for a qualifying asset. If multiple Issuers have one in storage then the most-recently-issued cert will be selected. This is a breaking change in that Config now accepts a slice of Issuers rather than a single Issuer. The Revoker field is removed, as supporting it is optional anyway. If the Issuer is also a Revoker, it can be used implicitly to revoke certificates. Also added a const for ZeroSSL's ACME endpoint. * Load matching wildcard on-demand from storage With this change, a config using on-demand TLS can load a certificate for "sub.example.com" from storage using a matching wildcard cert (i.e. "*.example.com") if no better matching certificate is available. * Fix distributed solving with tls-alpn challenges The type assertion in handshake.go was problematic since there's no guarantee that an ACME issuer would be a concrete ACMEManager type. Refactored the code to accept IssuerKey values generally, rather than specific ACMEManager values only. This fixes solving tls-alpn challenges in distributed settings. More cleanup can be done, another time.
2020-11-17 03:53:41 +10:00
// loadManagedCertificate loads the managed certificate for domain from any
// of the configured issuers' storage locations, but it does not add it to
// the cache. It just loads from storage and returns it.
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
func (cfg *Config) loadManagedCertificate(ctx context.Context, domain string) (Certificate, error) {
certRes, err := cfg.loadCertResourceAnyIssuer(ctx, domain)
Initial commit
2018-12-10 13:15:26 +10:00
if err != nil {
return Certificate{}, err
}
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
cert, err := cfg.makeCertificateWithOCSP(ctx, certRes.CertificatePEM, certRes.PrivateKeyPEM)
Initial commit
2018-12-10 13:15:26 +10:00
if err != nil {
return cert, err
}
cert.managed = true
Allow forced renewals; fix renew on OCSP revoke; change key on compromise (#134) * Begin refactor of ObtainCert and RenewCert to allow force renews * Don't reuse private key in case of revocation due to key compromise * Improve logging in renew * Run OCSP check at start of cache maintenance Otherwise we wait until first tick (currently 1 hour) which might be too long * Fix obtain; move some things around Obtain now tries to reuse private key if exists, but if it doesn't exist, that shouldn't be an error (so we clear the error in that case). Moved the removal of compromised private keys to have logging make more sense.
2021-06-13 05:47:47 +10:00
cert.issuerKey = certRes.issuerKey
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
if ari, err := certRes.getARI(); err == nil && ari != nil {
cert.ari = *ari
}
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
return cert, nil
Initial commit
2018-12-10 13:15:26 +10:00
}
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
// getARI unpacks ACME Renewal Information from the issuer data, if available.
// It is only an error if there is invalid JSON.
func (certRes CertificateResource) getARI() (*acme.RenewalInfo, error) {
acmeData, err := certRes.getACMEData()
if err != nil {
return nil, err
}
return acmeData.RenewalInfo, nil
}
// getACMEData returns the ACME certificate metadata from the IssuerData, but
// note that a non-ACME-issued certificate may return an empty value and nil
// since the JSON may still decode successfully but just not match any or all
// of the fields. Remember that the IssuerKey is used to store and access the
// cert files in the first place (it is part of the path) so in theory if you
// load a CertificateResource from an ACME issuer it should work as expected.
func (certRes CertificateResource) getACMEData() (acme.Certificate, error) {
if len(certRes.IssuerData) == 0 {
return acme.Certificate{}, nil
}
var acmeCert acme.Certificate
err := json.Unmarshal(certRes.IssuerData, &acmeCert)
return acmeCert, err
}
Initial commit
2018-12-10 13:15:26 +10:00
// CacheUnmanagedCertificatePEMFile loads a certificate for host using certFile
// and keyFile, which must be in PEM format. It stores the certificate in
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
// the in-memory cache and returns the hash, useful for removing from the cache.
Initial commit
2018-12-10 13:15:26 +10:00
//
// This method is safe for concurrent use.
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
func (cfg *Config) CacheUnmanagedCertificatePEMFile(ctx context.Context, certFile, keyFile string, tags []string) (string, error) {
Initial implementation of ZeroSSL API issuer (#279) * Initial implementation of ZeroSSL API issuer Still needs CA support for CommonName-less certs * Accommodate ZeroSSL CSR requirements; fix DNS prop check * Fix README example * Fix comment
2024-04-09 02:59:55 +10:00
cert, err := cfg.makeCertificateFromDiskWithOCSP(ctx, certFile, keyFile)
Initial commit
2018-12-10 13:15:26 +10:00
if err != nil {
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
return "", err
Initial commit
2018-12-10 13:15:26 +10:00
}
Consider client's signature support when choosing certificates This allows two certs (say, RSA and ECDSA) for the same names to be loaded, and CertMagic will consider which one the client supports and use that. We used to extract just select fields from the leaf certificate so that we didn't need to fill memory with more data than necessary, but in order to use the stdlib's SupportsCertificate() method, we have to keep the full tls.Certificate.Leaf field set for speed during handshakes.
2020-04-02 10:25:02 +10:00
cert.Tags = tags
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
cfg.certCache.cacheCertificate(cert)
Change OnEvent function; emit more events OnEvent can now control basic program flow for certain events. For example, it can cancel cert_obtaining or cert_renewing from happening. Slight API change adds context and changes to map[string]any for data. This is easier to work with in practice and conforms more with Caddy's new event system.
2022-08-27 04:17:10 +10:00
cfg.emit(ctx, "cached_unmanaged_cert", map[string]any{"sans": cert.Names})
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
return cert.hash, nil
Initial commit
2018-12-10 13:15:26 +10:00
}
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
// CacheUnmanagedTLSCertificate adds tlsCert to the certificate cache
//
// and returns the hash, useful for removing from the cache.
//
Initial commit
2018-12-10 13:15:26 +10:00
// It staples OCSP if possible.
//
// This method is safe for concurrent use.
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
func (cfg *Config) CacheUnmanagedTLSCertificate(ctx context.Context, tlsCert tls.Certificate, tags []string) (string, error) {
Initial commit
2018-12-10 13:15:26 +10:00
var cert Certificate
err := fillCertFromLeaf(&cert, tlsCert)
if err != nil {
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
return "", err
Initial commit
2018-12-10 13:15:26 +10:00
}
Log warning if manually-loaded cert has expired Or is expiring soon See https://github.com/caddyserver/caddy/issues/6016
2024-01-09 01:44:58 +10:00
if time.Now().After(cert.Leaf.NotAfter) {
cfg.Logger.Warn("unmanaged certificate has expired",
zap.Time("not_after", cert.Leaf.NotAfter),
zap.Strings("sans", cert.Names))
} else if time.Until(cert.Leaf.NotAfter) < 24*time.Hour {
cfg.Logger.Warn("unmanaged certificate expires within 1 day",
zap.Time("not_after", cert.Leaf.NotAfter),
zap.Strings("sans", cert.Names))
}
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
err = stapleOCSP(ctx, cfg.OCSP, cfg.Storage, &cert, nil)
Make logger values required Eliminates a bajillion nil checks and footguns (except in tests, which bypass exported APIs, but that is expected) Most recent #207 Logging can still be disabled via zap.NewNop(), if necessary. (But disabling logging in CertMagic is a really bad idea.)
2022-09-27 02:19:28 +10:00
if err != nil {
Convert (most of the library) to structured logs (closes #19) Logging is now configurable through setting the Logging field on the various relevant struct types. This is a more useful, consistent, and higher-performing experience with logs than the std lib logger we used before. This isn't a 100% complete transition because there are some parts of the code base that don't have obvious or easy access to a logger. They are mostly fringe/edge cases though, and most are error logs, so you shouldn't see them under normal circumstances. They still emit to the std lib logger, so it's not like any errors get hidden: they are just unstructured until we find a way to give them access to a logger.
2020-07-30 11:38:12 +10:00
cfg.Logger.Warn("stapling OCSP", zap.Error(err))
Initial commit
2018-12-10 13:15:26 +10:00
}
Change OnEvent function; emit more events OnEvent can now control basic program flow for certain events. For example, it can cancel cert_obtaining or cert_renewing from happening. Slight API change adds context and changes to map[string]any for data. This is easier to work with in practice and conforms more with Caddy's new event system.
2022-08-27 04:17:10 +10:00
cfg.emit(ctx, "cached_unmanaged_cert", map[string]any{"sans": cert.Names})
Consider client's signature support when choosing certificates This allows two certs (say, RSA and ECDSA) for the same names to be loaded, and CertMagic will consider which one the client supports and use that. We used to extract just select fields from the leaf certificate so that we didn't need to fill memory with more data than necessary, but in order to use the stdlib's SupportsCertificate() method, we have to keep the full tls.Certificate.Leaf field set for speed during handshakes.
2020-04-02 10:25:02 +10:00
cert.Tags = tags
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
cfg.certCache.cacheCertificate(cert)
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
return cert.hash, nil
Initial commit
2018-12-10 13:15:26 +10:00
}
// CacheUnmanagedCertificatePEMBytes makes a certificate out of the PEM bytes
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
// of the certificate and key, then caches it in memory, and returns the hash,
// which is useful for removing from the cache.
Initial commit
2018-12-10 13:15:26 +10:00
//
// This method is safe for concurrent use.
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
func (cfg *Config) CacheUnmanagedCertificatePEMBytes(ctx context.Context, certBytes, keyBytes []byte, tags []string) (string, error) {
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
cert, err := cfg.makeCertificateWithOCSP(ctx, certBytes, keyBytes)
Initial commit
2018-12-10 13:15:26 +10:00
if err != nil {
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
return "", err
Initial commit
2018-12-10 13:15:26 +10:00
}
Consider client's signature support when choosing certificates This allows two certs (say, RSA and ECDSA) for the same names to be loaded, and CertMagic will consider which one the client supports and use that. We used to extract just select fields from the leaf certificate so that we didn't need to fill memory with more data than necessary, but in order to use the stdlib's SupportsCertificate() method, we have to keep the full tls.Certificate.Leaf field set for speed during handshakes.
2020-04-02 10:25:02 +10:00
cert.Tags = tags
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
cfg.certCache.cacheCertificate(cert)
Change OnEvent function; emit more events OnEvent can now control basic program flow for certain events. For example, it can cancel cert_obtaining or cert_renewing from happening. Slight API change adds context and changes to map[string]any for data. This is easier to work with in practice and conforms more with Caddy's new event system.
2022-08-27 04:17:10 +10:00
cfg.emit(ctx, "cached_unmanaged_cert", map[string]any{"sans": cert.Names})
Make cache options updateable; new remove methods These are useful for advanced applications (like Caddy) which would like to remove certificates from the cache in a controlled way, and operate the cache with new settings while running.
2023-07-09 01:56:51 +10:00
return cert.hash, nil
Initial commit
2018-12-10 13:15:26 +10:00
}
// makeCertificateFromDiskWithOCSP makes a Certificate by loading the
// certificate and key files. It fills out all the fields in
// the certificate except for the Managed and OnDemand flags.
// (It is up to the caller to set those.) It staples OCSP.
Initial implementation of ZeroSSL API issuer (#279) * Initial implementation of ZeroSSL API issuer Still needs CA support for CommonName-less certs * Accommodate ZeroSSL CSR requirements; fix DNS prop check * Fix README example * Fix comment
2024-04-09 02:59:55 +10:00
func (cfg Config) makeCertificateFromDiskWithOCSP(ctx context.Context, certFile, keyFile string) (Certificate, error) {
storage: Require fs.ErrNotExist (fix #168) (#170) Also stop using the deprecated io/ioutil package. Update dependencies. Update Go version in go.mod.
2022-03-08 04:11:20 +10:00
certPEMBlock, err := os.ReadFile(certFile)
Initial commit
2018-12-10 13:15:26 +10:00
if err != nil {
return Certificate{}, err
}
storage: Require fs.ErrNotExist (fix #168) (#170) Also stop using the deprecated io/ioutil package. Update dependencies. Update Go version in go.mod.
2022-03-08 04:11:20 +10:00
keyPEMBlock, err := os.ReadFile(keyFile)
Initial commit
2018-12-10 13:15:26 +10:00
if err != nil {
return Certificate{}, err
}
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
return cfg.makeCertificateWithOCSP(ctx, certPEMBlock, keyPEMBlock)
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
}
// makeCertificateWithOCSP is the same as makeCertificate except that it also
// staples OCSP to the certificate.
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
func (cfg Config) makeCertificateWithOCSP(ctx context.Context, certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
cert, err := makeCertificate(certPEMBlock, keyPEMBlock)
if err != nil {
return cert, err
}
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
err = stapleOCSP(ctx, cfg.OCSP, cfg.Storage, &cert, certPEMBlock)
Make logger values required Eliminates a bajillion nil checks and footguns (except in tests, which bypass exported APIs, but that is expected) Most recent #207 Logging can still be disabled via zap.NewNop(), if necessary. (But disabling logging in CertMagic is a really bad idea.)
2022-09-27 02:19:28 +10:00
if err != nil {
Fix force-renewing revoked on-demand certs (#166) * Fix force-renewing revoked on-demand certs Follow-up to 9245be5a2f16135b9de55567682f49a2d343e1f0 * One more fix for on-demand logic of revoked certs * OCSP revocation checks at startup, too Required significant refactoring, hope it works. Yet again way too late at night for this...
2022-02-02 02:05:24 +10:00
cfg.Logger.Warn("stapling OCSP", zap.Error(err), zap.Strings("identifiers", cert.Names))
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
}
return cert, nil
Initial commit
2018-12-10 13:15:26 +10:00
}
// makeCertificate turns a certificate PEM bundle and a key PEM block into
// a Certificate with necessary metadata from parsing its bytes filled into
// its struct fields for convenience (except for the OnDemand and Managed
// flags; it is up to the caller to set those properties!). This function
// does NOT staple OCSP.
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
func makeCertificate(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
Initial commit
2018-12-10 13:15:26 +10:00
var cert Certificate
// Convert to a tls.Certificate
tlsCert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
if err != nil {
return cert, err
}
// Extract necessary metadata
err = fillCertFromLeaf(&cert, tlsCert)
if err != nil {
return cert, err
}
return cert, nil
}
Consider client's signature support when choosing certificates This allows two certs (say, RSA and ECDSA) for the same names to be loaded, and CertMagic will consider which one the client supports and use that. We used to extract just select fields from the leaf certificate so that we didn't need to fill memory with more data than necessary, but in order to use the stdlib's SupportsCertificate() method, we have to keep the full tls.Certificate.Leaf field set for speed during handshakes.
2020-04-02 10:25:02 +10:00
// fillCertFromLeaf populates cert from tlsCert. If it succeeds, it
// guarantees that cert.Leaf is non-nil.
Initial commit
2018-12-10 13:15:26 +10:00
func fillCertFromLeaf(cert *Certificate, tlsCert tls.Certificate) error {
if len(tlsCert.Certificate) == 0 {
Use fmt.Errorf; customize HTTPTimeout and UserAgent
2018-12-11 11:52:10 +10:00
return fmt.Errorf("certificate is empty")
Initial commit
2018-12-10 13:15:26 +10:00
}
cert.Certificate = tlsCert
Consider client's signature support when choosing certificates This allows two certs (say, RSA and ECDSA) for the same names to be loaded, and CertMagic will consider which one the client supports and use that. We used to extract just select fields from the leaf certificate so that we didn't need to fill memory with more data than necessary, but in order to use the stdlib's SupportsCertificate() method, we have to keep the full tls.Certificate.Leaf field set for speed during handshakes.
2020-04-02 10:25:02 +10:00
// the leaf cert should be the one for the site; we must set
// the tls.Certificate.Leaf field so that TLS handshakes are
// more efficient
GetCertificate from external certificate sources (Managers) (#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments
2022-02-18 07:37:50 +10:00
leaf := cert.Certificate.Leaf
if leaf == nil {
var err error
leaf, err = x509.ParseCertificate(tlsCert.Certificate[0])
if err != nil {
return err
}
cert.Certificate.Leaf = leaf
Initial commit
2018-12-10 13:15:26 +10:00
}
Consider client's signature support when choosing certificates This allows two certs (say, RSA and ECDSA) for the same names to be loaded, and CertMagic will consider which one the client supports and use that. We used to extract just select fields from the leaf certificate so that we didn't need to fill memory with more data than necessary, but in order to use the stdlib's SupportsCertificate() method, we have to keep the full tls.Certificate.Leaf field set for speed during handshakes.
2020-04-02 10:25:02 +10:00
// for convenience, we do want to assemble all the
// subjects on the certificate into one list
Initial commit
2018-12-10 13:15:26 +10:00
if leaf.Subject.CommonName != "" { // TODO: CommonName is deprecated
cert.Names = []string{strings.ToLower(leaf.Subject.CommonName)}
}
for _, name := range leaf.DNSNames {
if name != leaf.Subject.CommonName { // TODO: CommonName is deprecated
cert.Names = append(cert.Names, strings.ToLower(name))
}
}
for _, ip := range leaf.IPAddresses {
if ipStr := ip.String(); ipStr != leaf.Subject.CommonName { // TODO: CommonName is deprecated
cert.Names = append(cert.Names, strings.ToLower(ipStr))
}
}
for _, email := range leaf.EmailAddresses {
if email != leaf.Subject.CommonName { // TODO: CommonName is deprecated
cert.Names = append(cert.Names, strings.ToLower(email))
}
}
Major refactor to improve performance, correctness, and extensibility Breaking changes; thank goodness we're not 1.0 yet 😅 - read on! This change completely separates ACME-specific code from the rest of the certificate management process, allowing pluggable sources for certs that aren't ACME. Notably, most of Config was spliced into ACMEManager. Similarly, there's now Default and DefaultACME. Storage structure had to be reconfigured. Certificates are no longer in the acme/ subfolder since they can be obtained by ways other than ACME! Certificates moved to a new certificates/ subfolder. The subfolders in that folder use the path of the ACME endpoint instead of just the host, so that also changed. Be aware that unless you move your certs over, CertMagic will not find them and will attempt to get new ones. That is usually fine for most users, but for extremely large deployments, you will want to move them over first. Old certs path: acme/acme-staging-v02.api.letsencrypt.org/... New certs path: certificates/acme-staging-v02.api.letsencrypt.org-directory/... That's all for significant storage changes! But this refactor also vastly improves performance, especially at scale, and makes CertMagic way more resilient to errors. Retries are done on the staging endpoint by default, so they won't count against your rate limit. If your hardware can handle it, I'm now pretty confident that you can give CertMagic a million domain names and it will gracefully manage them, as fast as it can within internal and external rate limits, even in the presence of errors. Errors will of course slow some things down, but you should be good to go if you're monitoring logs and can fix any misconfigurations or other external errors! Several other mostly-minor enhancements fix bugs, especially at scale. For example, duplicated renewal tasks (that continuously fail) will not pile up on each other: only one will operate, under exponential backoff. Closes #50 and fixes #55
2020-02-22 07:32:57 +10:00
for _, u := range leaf.URIs {
if u.String() != leaf.Subject.CommonName { // TODO: CommonName is deprecated
cert.Names = append(cert.Names, u.String())
}
}
Initial commit
2018-12-10 13:15:26 +10:00
if len(cert.Names) == 0 {
Use fmt.Errorf; customize HTTPTimeout and UserAgent
2018-12-11 11:52:10 +10:00
return fmt.Errorf("certificate has no names")
Initial commit
2018-12-10 13:15:26 +10:00
}
Optional tags for unmanaged certificates This allows for user-loaded certificates to be associated with arbitrary values such as user-provided IDs or categories. This can be useful if multiple certificates satisfy a ClientHello but if a specific one still needs to be chosen. See for example: https://github.com/mholt/caddy/issues/2588 This is a breaking API change since we need to expose a tags parameter to the caching functions, but we're not 1.0 yet so we will try this API change and see how it goes.
2019-06-25 03:51:58 +10:00
cert.hash = hashCertificateChain(cert.Certificate.Certificate)
Add hook for custom certificate selection logic (mholt/caddy#2588)
2019-05-24 08:11:32 +10:00
Initial commit
2018-12-10 13:15:26 +10:00
return nil
}
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
// managedCertInStorageNeedsRenewal returns true if cert (being a
// managed certificate) is expiring soon (according to cfg) or if
// ACME Renewal Information (ARI) is available and says that it is
// time to renew (it uses existing ARI; it does not update it).
// It returns false if there was an error, the cert is not expiring
// soon, and ARI window is still future. A certificate that is expiring
Initial commit
2018-12-10 13:15:26 +10:00
// soon in our cache but is not expiring soon in storage probably
// means that another instance renewed the certificate in the
// meantime, and it would be a good idea to simply load the cert
// into our cache rather than repeating the renewal process again.
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
func (cfg *Config) managedCertInStorageNeedsRenewal(ctx context.Context, cert Certificate) (bool, error) {
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
certRes, err := cfg.loadCertResourceAnyIssuer(ctx, cert.Names[0])
Initial commit
2018-12-10 13:15:26 +10:00
if err != nil {
return false, err
}
Initial implementation of ARI (#286) * Initial implementation of ARI * Enhance redundancy, robustness, and logging * Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-08 01:46:03 +10:00
_, _, needsRenew := cfg.managedCertNeedsRenewal(certRes, false)
Implement multiple issuer support (#109) * Implement multiple issuer support This change refactors Config.Issuer to be Config.Issuers, an array of issuers. Each Issuer will be tried in turn until one succeeds. During retries, each attempt will try each configured Issuer. When loading certs from storage, CertMagic will look in each Issuer's storage location for a qualifying asset. If multiple Issuers have one in storage then the most-recently-issued cert will be selected. This is a breaking change in that Config now accepts a slice of Issuers rather than a single Issuer. The Revoker field is removed, as supporting it is optional anyway. If the Issuer is also a Revoker, it can be used implicitly to revoke certificates. Also added a const for ZeroSSL's ACME endpoint. * Load matching wildcard on-demand from storage With this change, a config using on-demand TLS can load a certificate for "sub.example.com" from storage using a matching wildcard cert (i.e. "*.example.com") if no better matching certificate is available. * Fix distributed solving with tls-alpn challenges The type assertion in handshake.go was problematic since there's no guarantee that an ACME issuer would be a concrete ACMEManager type. Refactored the code to accept IssuerKey values generally, rather than specific ACMEManager values only. This fixes solving tls-alpn challenges in distributed settings. More cleanup can be done, another time.
2020-11-17 03:53:41 +10:00
return needsRenew, nil
Initial commit
2018-12-10 13:15:26 +10:00
}
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
// reloadManagedCertificate reloads the certificate corresponding to the name(s)
// on oldCert into the cache, from storage. This also replaces the old certificate
// with the new one, so that all configurations that used the old cert now point
Optional tags for unmanaged certificates This allows for user-loaded certificates to be associated with arbitrary values such as user-provided IDs or categories. This can be useful if multiple certificates satisfy a ClientHello but if a specific one still needs to be chosen. See for example: https://github.com/mholt/caddy/issues/2588 This is a breaking API change since we need to expose a tags parameter to the caching functions, but we're not 1.0 yet so we will try this API change and see how it goes.
2019-06-25 03:51:58 +10:00
// to the new cert. It assumes that the new certificate for oldCert.Names[0] is
Fix force-renewing revoked on-demand certs (#166) * Fix force-renewing revoked on-demand certs Follow-up to 9245be5a2f16135b9de55567682f49a2d343e1f0 * One more fix for on-demand logic of revoked certs * OCSP revocation checks at startup, too Required significant refactoring, hope it works. Yet again way too late at night for this...
2022-02-02 02:05:24 +10:00
// already in storage. It returns the newly-loaded certificate if successful.
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
func (cfg *Config) reloadManagedCertificate(ctx context.Context, oldCert Certificate) (Certificate, error) {
Make logger values required Eliminates a bajillion nil checks and footguns (except in tests, which bypass exported APIs, but that is expected) Most recent #207 Logging can still be disabled via zap.NewNop(), if necessary. (But disabling logging in CertMagic is a really bad idea.)
2022-09-27 02:19:28 +10:00
cfg.Logger.Info("reloading managed certificate", zap.Strings("identifiers", oldCert.Names))
Propagate context in the Storage interface methods (#155) * Add context propagation to the Storage interface Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Bump to Go 1.17 * Minor cleanup * filestorage: Honor context cancellation in List() Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-08 05:26:52 +10:00
newCert, err := cfg.loadManagedCertificate(ctx, oldCert.Names[0])
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
if err != nil {
Fix force-renewing revoked on-demand certs (#166) * Fix force-renewing revoked on-demand certs Follow-up to 9245be5a2f16135b9de55567682f49a2d343e1f0 * One more fix for on-demand logic of revoked certs * OCSP revocation checks at startup, too Required significant refactoring, hope it works. Yet again way too late at night for this...
2022-02-02 02:05:24 +10:00
return Certificate{}, fmt.Errorf("loading managed certificate for %v from storage: %v", oldCert.Names, err)
Initial commit
2018-12-10 13:15:26 +10:00
}
Significant refactoring to improve correctness and flexibility (#39) * Significant refactor This refactoring expands the capabilities of the library for advanced use cases, as well as improving the overall architecture, including possible memory leak fixes if used over a long period with many certs loaded into memory. This refactor enables using different configs depending on the certificate. The public API has changed slightly, however, and arguably it is slightly less convenient/elegant. I have never quite found the perfect design for this package, and this certainly isn't it, but I think it's better than what we had before. There is still work to be done, but this is a good step forward. I've decoupled Storage from Cache, and made it easier and more correct for Configs (and Storage values) to be short-lived. Cache is the only value that should be long-lived. Note that CertMagic no longer automatically takes care of storage (i.e. it used to delete old OCSP staples, but now it doesn't). The functions to do this are still there and even exported, and now we expect the application to call the cleanup functions when it wants to. * Fix little oopsies * Create Manager abstraction so obtain/renew isn't limited to ACME
2019-04-21 02:44:55 +10:00
cfg.certCache.replaceCertificate(oldCert, newCert)
Fix force-renewing revoked on-demand certs (#166) * Fix force-renewing revoked on-demand certs Follow-up to 9245be5a2f16135b9de55567682f49a2d343e1f0 * One more fix for on-demand logic of revoked certs * OCSP revocation checks at startup, too Required significant refactoring, hope it works. Yet again way too late at night for this...
2022-02-02 02:05:24 +10:00
return newCert, nil
Initial commit
2018-12-10 13:15:26 +10:00
}
Separate logic for qualifying names for any cert vs. public certs
2020-03-14 11:03:46 +10:00
// SubjectQualifiesForCert returns true if subj is a name which,
// as a quick sanity check, looks like it could be the subject
// of a certificate. Requirements are:
// - must not be empty
Fix race conditions (close #195) Also update setting acmez.Client.Logger in accordance with latest acmez commit, which removes redundant logger.
2022-08-02 15:04:11 +10:00
// - must not start or end with a dot (RFC 1034; RFC 6066 section 3)
Separate logic for qualifying names for any cert vs. public certs
2020-03-14 11:03:46 +10:00
// - must not contain common accidental special characters
func SubjectQualifiesForCert(subj string) bool {
// must not be empty
return strings.TrimSpace(subj) != "" &&
// must not start or end with a dot
!strings.HasPrefix(subj, ".") &&
!strings.HasSuffix(subj, ".") &&
Update subject certificate qualifications I suppose * is a valid subject -- technically -- but it probably won't be accepted by browsers. They usually only accept wildcards for subdomains. Related, but only tangentially: https://github.com/caddyserver/caddy/issues/3977
2021-01-20 07:53:32 +10:00
// if it has a wildcard, must be a left-most label (or exactly "*"
// which won't be trusted by browsers but still technically works)
(!strings.Contains(subj, "*") || strings.HasPrefix(subj, "*.") || subj == "*") &&
Separate logic for qualifying names for any cert vs. public certs
2020-03-14 11:03:46 +10:00
// must not contain other common special characters
!strings.ContainsAny(subj, "()[]{}<> \t\n\"\\!@#$%^&|;'+=")
}
Rename function
2020-03-13 08:02:48 +10:00
// SubjectQualifiesForPublicCert returns true if the subject
Update HostQualifies logic to be specific for public certs Because CertMagic can now be used for more than just publicly-trusted certificates.
2020-03-08 11:56:16 +10:00
// name appears eligible for automagic TLS with a public
Enhancements to make ZeroSSL issuer more usable in Caddy
2024-04-12 04:23:53 +10:00
// CA such as Let's Encrypt. For example: internal IP addresses
// and localhost are not eligible because we cannot obtain certs
Separate logic for qualifying names for any cert vs. public certs
2020-03-14 11:03:46 +10:00
// for those names with a public CA. Wildcard names are
// allowed, as long as they conform to CABF requirements (only
// one wildcard label, and it must be the left-most label).
func SubjectQualifiesForPublicCert(subj string) bool {
Refactor subject qualification logic This is necessary to support a nuance in Caddy where we have to see if a subject qualifies for a public certificate but with custom wildcard checking. So we separate the wildcard check from other checks.
2020-10-22 01:08:19 +10:00
// must at least qualify for a certificate
Separate logic for qualifying names for any cert vs. public certs
2020-03-14 11:03:46 +10:00
return SubjectQualifiesForCert(subj) &&
Enhancements to make ZeroSSL issuer more usable in Caddy
2024-04-12 04:23:53 +10:00
// loopback hosts and internal IPs are ineligible
Refactor subject qualification logic This is necessary to support a nuance in Caddy where we have to see if a subject qualifies for a public certificate but with custom wildcard checking. So we separate the wildcard check from other checks.
2020-10-22 01:08:19 +10:00
!SubjectIsInternal(subj) &&
Update HostQualifies logic to be specific for public certs Because CertMagic can now be used for more than just publicly-trusted certificates.
2020-03-08 11:56:16 +10:00
Update subject certificate qualifications I suppose * is a valid subject -- technically -- but it probably won't be accepted by browsers. They usually only accept wildcards for subdomains. Related, but only tangentially: https://github.com/caddyserver/caddy/issues/3977
2021-01-20 07:53:32 +10:00
// only one wildcard label allowed, and it must be left-most, with 3+ labels
Separate logic for qualifying names for any cert vs. public certs
2020-03-14 11:03:46 +10:00
(!strings.Contains(subj, "*") ||
(strings.Count(subj, "*") == 1 &&
Update subject certificate qualifications I suppose * is a valid subject -- technically -- but it probably won't be accepted by browsers. They usually only accept wildcards for subdomains. Related, but only tangentially: https://github.com/caddyserver/caddy/issues/3977
2021-01-20 07:53:32 +10:00
strings.Count(subj, ".") > 1 &&
Minor tweak
2020-03-18 13:01:38 +10:00
len(subj) > 2 &&
Refactor subject qualification logic This is necessary to support a nuance in Caddy where we have to see if a subject qualifies for a public certificate but with custom wildcard checking. So we separate the wildcard check from other checks.
2020-10-22 01:08:19 +10:00
strings.HasPrefix(subj, "*.")))
}
Reject common special characters in HostQualifies
2019-10-15 05:58:44 +10:00
Refactor subject qualification logic This is necessary to support a nuance in Caddy where we have to see if a subject qualifies for a public certificate but with custom wildcard checking. So we separate the wildcard check from other checks.
2020-10-22 01:08:19 +10:00
// SubjectIsIP returns true if subj is an IP address.
func SubjectIsIP(subj string) bool {
return net.ParseIP(subj) != nil
}
// SubjectIsInternal returns true if subj is an internal-facing
Enhancements to make ZeroSSL issuer more usable in Caddy
2024-04-12 04:23:53 +10:00
// hostname or address, including localhost/loopback hosts.
// Ports are ignored, if present.
Refactor subject qualification logic This is necessary to support a nuance in Caddy where we have to see if a subject qualifies for a public certificate but with custom wildcard checking. So we separate the wildcard check from other checks.
2020-10-22 01:08:19 +10:00
func SubjectIsInternal(subj string) bool {
Enhancements to make ZeroSSL issuer more usable in Caddy
2024-04-12 04:23:53 +10:00
subj = strings.ToLower(strings.TrimSuffix(hostOnly(subj), "."))
Refactor subject qualification logic This is necessary to support a nuance in Caddy where we have to see if a subject qualifies for a public certificate but with custom wildcard checking. So we separate the wildcard check from other checks.
2020-10-22 01:08:19 +10:00
return subj == "localhost" ||
strings.HasSuffix(subj, ".localhost") ||
Add .home.arpa to internal-only hostnames
2023-09-06 01:38:56 +10:00
strings.HasSuffix(subj, ".local") ||
Check for .internal with SubjectIsInternal (#305)
2024-08-10 10:24:33 +10:00
strings.HasSuffix(subj, ".internal") ||
Enhancements to make ZeroSSL issuer more usable in Caddy
2024-04-12 04:23:53 +10:00
strings.HasSuffix(subj, ".home.arpa") ||
isInternalIP(subj)
}
// isInternalIP returns true if the IP of addr
// belongs to a private network IP range. addr
// must only be an IP or an IP:port combination.
func isInternalIP(addr string) bool {
privateNetworks := []string{
"127.0.0.0/8", // IPv4 loopback
"0.0.0.0/16",
"10.0.0.0/8", // RFC1918
"172.16.0.0/12", // RFC1918
"192.168.0.0/16", // RFC1918
"169.254.0.0/16", // RFC3927 link-local
"::1/7", // IPv6 loopback
"fe80::/10", // IPv6 link-local
"fc00::/7", // IPv6 unique local addr
}
host := hostOnly(addr)
ip := net.ParseIP(host)
if ip == nil {
return false
}
for _, privateNetwork := range privateNetworks {
_, ipnet, _ := net.ParseCIDR(privateNetwork)
if ipnet.Contains(ip) {
return true
}
}
return false
}
// hostOnly returns only the host portion of hostport.
// If there is no port or if there is an error splitting
// the port off, the whole input string is returned.
func hostOnly(hostport string) string {
host, _, err := net.SplitHostPort(hostport)
if err != nil {
return hostport // OK; probably had no port to begin with
}
return host
Initial commit
2018-12-10 13:15:26 +10:00
}
Add MatchWildcard() method for comparing names with wildcards CertMagic currently does wildcard matching in two places: - Cache.AllMatchingCertificates() for finding all certs in cache - Config.getCertificate() for finding one cert in cache at handshake But those implementations will not use MatchWildcard() because their looping logic is slightly customized. Caddy, however, has need to compare DNS names with wildcards in at least two places: - Matching TLS connection policies by ServerName (SNI) - Matching TLS automation policies by subject names So this function is a good implementation for that.
2020-03-27 05:58:05 +10:00
// MatchWildcard returns true if subject (a candidate DNS name)
// matches wildcard (a reference DNS name), mostly according to
Improve wildcard matching tests Honoring RFC 2818
2021-02-11 07:36:08 +10:00
// RFC 6125-compliant wildcard rules. See also RFC 2818 which
// states that IP addresses must match exactly, but this function
// does not attempt to distinguish IP addresses from internal or
// external DNS names that happen to look like IP addresses.
GetCertificate from external certificate sources (Managers) (#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments
2022-02-18 07:37:50 +10:00
// It uses DNS wildcard matching logic and is case-insensitive.
Improve wildcard matching tests Honoring RFC 2818
2021-02-11 07:36:08 +10:00
// https://tools.ietf.org/html/rfc2818#section-3.1
Add MatchWildcard() method for comparing names with wildcards CertMagic currently does wildcard matching in two places: - Cache.AllMatchingCertificates() for finding all certs in cache - Config.getCertificate() for finding one cert in cache at handshake But those implementations will not use MatchWildcard() because their looping logic is slightly customized. Caddy, however, has need to compare DNS names with wildcards in at least two places: - Matching TLS connection policies by ServerName (SNI) - Matching TLS automation policies by subject names So this function is a good implementation for that.
2020-03-27 05:58:05 +10:00
func MatchWildcard(subject, wildcard string) bool {
GetCertificate from external certificate sources (Managers) (#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments
2022-02-18 07:37:50 +10:00
subject, wildcard = strings.ToLower(subject), strings.ToLower(wildcard)
Add MatchWildcard() method for comparing names with wildcards CertMagic currently does wildcard matching in two places: - Cache.AllMatchingCertificates() for finding all certs in cache - Config.getCertificate() for finding one cert in cache at handshake But those implementations will not use MatchWildcard() because their looping logic is slightly customized. Caddy, however, has need to compare DNS names with wildcards in at least two places: - Matching TLS connection policies by ServerName (SNI) - Matching TLS automation policies by subject names So this function is a good implementation for that.
2020-03-27 05:58:05 +10:00
if subject == wildcard {
return true
}
if !strings.Contains(wildcard, "*") {
return false
}
labels := strings.Split(subject, ".")
for i := range labels {
if labels[i] == "" {
continue // invalid label
}
labels[i] = "*"
candidate := strings.Join(labels, ".")
if candidate == wildcard {
return true
}
}
return false
}
Reference in New Issue Copy Permalink