Commit Graph

360 Commits

Author SHA1 Message Date
Matthew Holt
aad674cda5
ari: Fix panic when loaded cert has no RetryAfter 2024-09-05 10:53:29 -06:00
Matthew Holt
80bb9a843f
Debug log when creating CSR 2024-09-04 15:23:58 -06:00
Nick Ubels
3bad5b6bb5
Check for .internal with SubjectIsInternal (#305) 2024-08-09 18:24:33 -06:00
Matthew Holt
ba418d86ad
go.mod: Upgrade acmez
This stores the account with the cert metadata
2024-08-08 12:42:12 -06:00
Matthew Holt
5ee48a3108
Add config option to disable ARI
This may be temporary until ARI is more mature
2024-08-08 08:08:29 -06:00
a
1a2275d54c
fs storage: Use temporary files when writing (#300)
* fix: use a tmp file to flush new certs to disk

* add readme
2024-08-04 13:37:03 -06:00
Matthew Holt
16c9db1449
zerossl: Make CNAME target absolute (fix #304) 2024-08-02 17:26:49 -06:00
Matthew Holt
1ff1ad8413
Normalize domain before managing
Fix github.com/caddyserver/caddy/issues/6456
2024-07-22 08:53:24 -06:00
Matthew Holt
16e2e0b344
Synchronize ARI fetching (fix #297) 2024-06-28 10:33:21 -06:00
Matt Holt
193db7523a
Sync ACME account registration (#293)
https://caddy.community/t/lets-encrypt-hits-rate-limit-too-many-registrations-for-this-ip/24343
2024-06-06 05:17:18 -06:00
Matthew Holt
88e840d8b9
Fix tests 2024-06-03 21:55:10 -06:00
Matthew Holt
a1e1bd6ab5
More logging about account loading/creation 2024-06-03 19:47:29 -06:00
Matthew Holt
ed73243f8b
Export interface for GetRenewalInfo
We can't assume the ARI-supporting issuer types are exactly *ACMEIssuer; they may be implemented by third party packages (such as caddytls.ACMEIssuer).
2024-06-01 17:59:39 -06:00
Matthew Holt
bd400cc9fb
Make Storage a required field for now (close #291) 2024-05-29 16:07:09 -06:00
Michel Bardelmeijer
c1a6da75c4
Change log for error finding HTTP validation to WARN level (#290) 2024-05-24 11:50:51 -06:00
Mohammed Al Sahaf
6e96d7c4bb
downgrade minimum Go version (#289)
* downgrade minimum Go version

* Use latest zerossl

---------

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2024-05-15 13:19:57 -06:00
Matt Holt
8ac11fafd0
Apply DefaultServerName more broadly during handshake (#287) 2024-05-13 09:08:05 -06:00
Matthew Holt
2ef8fdfaaf
Stricter TLS-ALPN challenge matching
According to RFC 8737.
2024-05-08 20:10:52 -06:00
Matthew Holt
c0c618654f
Fix inconsistency in go.mod
Not sure how that happened...
2024-05-07 09:52:31 -06:00
Matthew Holt
8d308414fb
Mention ARI in readme 2024-05-07 09:51:34 -06:00
Matthew Holt
e5f9915e75
go.mod: Upgrade to acmez v2.0.1 2024-05-07 09:48:13 -06:00
Matt Holt
0e88b3eaa1
Initial implementation of ARI (#286)
* Initial implementation of ARI

* Enhance redundancy, robustness, and logging

* Improve ARI updating; integrate on-demand TLS; detect changed window
2024-05-07 09:46:03 -06:00
Matthew Holt
fa7161a1a8
go.mod: Upgrade to ACMEz v2.0.0 2024-04-23 15:57:28 -06:00
Matthew Holt
140a6fa920
Improve API from previous commit to pair Subject with Issuer 2024-04-23 11:25:19 -06:00
Matthew Holt
81683c8d20
Add optional issuerKey to Cache.RemoveManaged 2024-04-23 10:47:06 -06:00
Matthew Holt
855d4670a4
Fix derp 2024-04-19 11:43:53 -06:00
Andreas Kohn
27ab129028
Use configured email to pin to specific account key in storage (#283)
* Use the `email` configuration in the ACME issuer to "pin" an account to a key

When the issuer is configured with both an email and key material, these should match -- but that also means we
can use the email information to predict the key-key, skipping the potentially expensive storage.List operation.

* `continue` when we cannot load the private key for an account

Not being able to load this might be caused by a storage problem, or it could have been something
we did earlier. In either case we do not know whether this is the account we're looking for, and breaking
out now will trigger expensive calls to the ACME server to look up the account and then save that account
again even though it was perfectly fine to begin with.

* Add unit tests for the changed behaviors
2024-04-18 13:42:33 -06:00
Matthew Holt
f64401c80d
Add log about account
And cert chain
2024-04-16 14:52:47 -06:00
Goksan
6cb1f8262d
filestorage: Use RemoveAll() to delete directories (#282)
According to the godoc
2024-04-15 08:52:29 -06:00
Matthew Holt
fb2d9bff95
Write CSR PEM to cert_obtained events
Close caddyserver/caddy#5999
2024-04-13 07:33:47 -06:00
Matthew Holt
167015dd65
Implement distributed HTTP solver for ZeroSSL 2024-04-12 15:41:19 -06:00
Matthew Holt
aa4d957707
Return error if cert manager returns error
Don't try to issue certificate. If a cert manager returns an error, it indicates that
it was supposed to be able to get a cert for that
name but was unable to do so.
2024-04-12 10:09:24 -06:00
Matthew Holt
7681257d05
Try cert Manager before asking permission
Managers are expected to have 'asking permission' built in
2024-04-12 08:48:27 -06:00
Matthew Holt
f7ea6fb698
Enhancements to make ZeroSSL issuer more usable in Caddy 2024-04-11 12:23:53 -06:00
Matthew Holt
74862ff45a
Upgrade acmez to v2 beta
Adds support for customizing NotBefore/NotAfter times of certs
2024-04-08 14:05:43 -06:00
Matthew Holt
30e4f93722
Log issuer when cert is obtained or renewed successfully 2024-04-08 13:35:23 -06:00
Matthew Holt
b29d2a03a0
Implement SubjectTransformer
This makes it possible to replace cert subjects with wildcards, for example

Related: #280
2024-04-08 13:35:09 -06:00
Matthew Holt
52cbe735c6
Add consts for GTS 2024-04-08 12:44:35 -06:00
Matthew Holt
28e3a67376
Remove deprecated call to rand.Seed 2024-04-08 12:41:42 -06:00
Matthew Holt
98d2930e1d
Improve DNS related logging 2024-04-08 12:24:15 -06:00
Matt Holt
6095ab8069
Initial implementation of ZeroSSL API issuer (#279)
* Initial implementation of ZeroSSL API issuer

Still needs CA support for CommonName-less certs

* Accommodate ZeroSSL CSR requirements; fix DNS prop check

* Fix README example

* Fix comment
2024-04-08 10:59:55 -06:00
Goksan
c61a4feb39
Update readme examples to use TLS-ALPN const from ACMEz (#277) 2024-03-20 20:43:30 -06:00
Matt Holt
c82ff34ad2
Retry with new account if account disappeared remotely (#269)
* Retry with new account if account disappeared remotely

* Emit log when account is missing from ACME server
2024-03-14 15:35:35 -06:00
pgeh
c3c4a1263a
DNS propagation check succeeds if any configured resolver succeeds (#274)
* Changed solver DNS propagation check to only check authoritative nameservers directly if there are no explicitly given resolvers.

* Changed solver DNS propagation check to only succeed if any one of the checked nameservers has the required TXT entry
2024-03-14 15:21:07 -06:00
Matthew Holt
7a2236bee7
Bump minimum Go version to 1.21 2024-03-06 12:26:33 -07:00
Matthew Holt
23f868079e
Use context.WithoutCancel when releasing locks
Fulfills a TODO. Makes it so locks can be released when shutting down/reloading.
2024-03-05 14:41:45 -07:00
Matthew Holt
8613f4a444
Configurable HTTP proxy for OCSP requests (close #267) 2024-03-01 10:30:36 -07:00
Francis Lavoie
857856663d
Demote "storage cleaning happened too recently" from WARN to INFO (#270) 2024-02-19 16:48:18 -07:00
Matthew Holt
3dd8f7da62
Log warning if manually-loaded cert has expired
Or is expiring soon

See https://github.com/caddyserver/caddy/issues/6016
2024-01-08 08:45:02 -07:00
dependabot[bot]
1652b4f5f5
Bump golang.org/x/crypto from 0.14.0 to 0.17.0 (#264)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0.
- [Commits](https://github.com/golang/crypto/compare/v0.14.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-18 20:05:32 -07:00