-
-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
httpcaddyfile: Implement force_automate
#6712
Conversation
What's annoying about this is it's hard to test a real-world scenario because the TLS automation stuff has special conditions for But I did confirm at least that using I'm not able to test with a real domain right now (time/effort) so I can't confirm with certainty that the change to automation policies has the intended effect. The behaviour I'm seeing is that all hostnames are having certs automated, even a wildcard with a loaded cert, even if Configuring like |
Tested, works. While I cannot speak to the implementation and the general approach, I successfully tested this in production 🙈 with real domains and services. |
In another test I ran |
You just ran adapt with your old version of Caddy. Make sure you run adapt with the correct binary. Thanks for testing! Appreciated. |
You are absolutely right :D Sorry, for the confusion. |
Thanks for working on this. To be sure I'm clear, is there anything left on this issue? #5933 (comment) seems to suggest it has some unintuitive components... and I agree, this does feel like a hack; and I'm still wondering if we should just fix the existing behavior... |
@mholt from testing the feature for my specific use-case, it was feature complete for me. From how I interpret the hierarchy in Caddys (Caddyfile) config I would expect this option to allow me to force the tls automation, if there was something else set at the global level. I am not sure, if it is possible to load certificates globally.. The current behavior of using loaded certs from a separate site with a wildcard domain in sites with no tls directive (default) or one with just an email provide for automated certificates, is still unintuitive in my opinion. If this behavior will not be changed and this PR makes it to upstream, I would suggest changing it a little. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have one more thought before trying this in 2.9. What if we call it or something more specific like ignore_wildcard
or automate_separately
?
I still think |
2d9a7c4
to
13847c8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alrighty, sounds good to me. Let's try it, but let's be sure to document this as experimental, since I still have a hunch there's a cleaner way to do this. I suspect there may be edge cases we haven't tested for here as well; but I can't think of them.
Thank you for your patience with me on this one!
On Testing this, it doesn't seem to work when wildcard TLS has CN as domain. Also, i don't understand why dedicated Site TLS is being used globally. See this issue to reproduce #6694 |
It's not specific to CN / main domain of a certificate. It's due to the exact site-address match. There's probably an assumption that you wouldn't load a certificate from an external source inaan unrelated site block with a specific site-address and then This feature was motivated for opt-out of preferring an existing wildcard cert match vs provisioning a new cert with the exact site-address. # Ignore the self-signed cert, provision a new cert instead:
example.com {
tls force_automate
respond "hello world"
}
# This loads an external certificate that also matches
# for the site-address example.com
example.localhost {
tls cert.pem key.pem
respond "self-signed"
} That's your situation where Note that AFAIK this directive variant doesn't care about if it's a LetsEncrypt or self-signed certificate that is loaded externally or managed by Caddy, since a wildcard certificate match could be from any of that, thus Still given the name it should prioritize selecting a certificate with exact match that has Caddy automate management of that cert (that isn't wildcard, unless the site address is a wildcard itself). |
Closes #5933
I think this should work according to the JSON config output, but I didn't actually test it at runtime to verify that it yields the expected behaviour. @mholt you had a repro set up locally if you want to give it a spin while reviewing.