tls: Update to match CertMagic refactor (#2571)

* Update to match CertMagic's refactoring

* mod: CertMagic v0.5.0

caddy/caddymain/run.go

@@ -45,19 +45,19 @@ import (
 func init() {
 	caddy.TrapSignals()
 
-	flag.BoolVar(&certmagic.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
-	flag.StringVar(&certmagic.CA, "ca", certmagic.CA, "URL to certificate authority's ACME server directory")
-	flag.StringVar(&certmagic.DefaultServerName, "default-sni", certmagic.DefaultServerName, "If a ClientHello ServerName is empty, use this ServerName to choose a TLS certificate")
-	flag.BoolVar(&certmagic.DisableHTTPChallenge, "disable-http-challenge", certmagic.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
-	flag.BoolVar(&certmagic.DisableTLSALPNChallenge, "disable-tls-alpn-challenge", certmagic.DisableTLSALPNChallenge, "Disable the ACME TLS-ALPN challenge")
+	flag.BoolVar(&certmagic.Default.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
+	flag.StringVar(&certmagic.Default.CA, "ca", certmagic.Default.CA, "URL to certificate authority's ACME server directory")
+	flag.StringVar(&certmagic.Default.DefaultServerName, "default-sni", certmagic.Default.DefaultServerName, "If a ClientHello ServerName is empty, use this ServerName to choose a TLS certificate")
+	flag.BoolVar(&certmagic.Default.DisableHTTPChallenge, "disable-http-challenge", certmagic.Default.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
+	flag.BoolVar(&certmagic.Default.DisableTLSALPNChallenge, "disable-tls-alpn-challenge", certmagic.Default.DisableTLSALPNChallenge, "Disable the ACME TLS-ALPN challenge")
 	flag.StringVar(&disabledMetrics, "disabled-metrics", "", "Comma-separated list of telemetry metrics to disable")
 	flag.StringVar(&conf, "conf", "", "Caddyfile to load (default \""+caddy.DefaultConfigFile+"\")")
 	flag.StringVar(&cpu, "cpu", "100%", "CPU cap")
 	flag.BoolVar(&printEnv, "env", false, "Enable to print environment variables")
 	flag.StringVar(&envFile, "envfile", "", "Path to file with environment variables to load in KEY=VALUE format")
 	flag.BoolVar(&fromJSON, "json-to-caddyfile", false, "From JSON stdin to Caddyfile stdout")
 	flag.BoolVar(&plugins, "plugins", false, "List installed plugins")
-	flag.StringVar(&certmagic.Email, "email", "", "Default ACME CA account email address")
+	flag.StringVar(&certmagic.Default.Email, "email", "", "Default ACME CA account email address")
 	flag.DurationVar(&certmagic.HTTPTimeout, "catimeout", certmagic.HTTPTimeout, "Default ACME CA HTTP timeout")
 	flag.StringVar(&logfile, "log", "", "Process log file")
 	flag.IntVar(&logRollMB, "log-roll-mb", 100, "Roll process log when it reaches this many megabytes (0 to disable rolling)")

caddyhttp/httpserver/plugin.go

@@ -234,7 +234,7 @@ func (h *httpContext) MakeServers() ([]caddy.Server, error) {
 	// trusted CA (obviously not a perfect heuristic)
 	var looksLikeProductionCA bool
 	for _, publicCAEndpoint := range caddytls.KnownACMECAs {
-		if strings.Contains(certmagic.CA, publicCAEndpoint) {
+		if strings.Contains(certmagic.Default.CA, publicCAEndpoint) {
 			looksLikeProductionCA = true
 			break
 		}

caddytls/config.go

@@ -21,6 +21,7 @@ import (
 	"io/ioutil"
 	"os"
 	"sync/atomic"
+	"time"
 
 	"github.com/go-acme/lego/challenge/tlsalpn01"
 
@@ -117,22 +118,48 @@ func NewConfig(inst *caddy.Instance) (*Config, error) {
 				if err != nil {
 					return nil, fmt.Errorf("constructing cluster plugin %s: %v", clusterPluginName, err)
 				}
-				certmagic.DefaultStorage = storage
+				certmagic.Default.Storage = storage
 			} else {
 				return nil, fmt.Errorf("unrecognized cluster plugin (was it included in the Caddy build?): %s", clusterPluginName)
 			}
 		}
-		certCache = certmagic.NewCache(certmagic.DefaultStorage)
+		certCache = certmagic.NewCache(certmagic.CacheOptions{
+			GetConfigForCert: func(cert certmagic.Certificate) (certmagic.Config, error) {
+				inst.StorageMu.Lock()
+				cfgMap, ok := inst.Storage[configMapKey].(map[string]*Config)
+				inst.StorageMu.Unlock()
+				if ok {
+					for hostname, cfg := range cfgMap {
+						if cfg.Manager != nil && hostname == cert.Names[0] {
+							return *cfg.Manager, nil
+						}
+					}
+				}
+				// returning Default not strictly necessary, since Default is used as template
+				// anyway; but this makes it clear that that's what we fall back to
+				return certmagic.Default, nil
+			},
+		})
+		storageCleaningTicker := time.NewTicker(12 * time.Hour)
+		go func() {
+			for range storageCleaningTicker.C {
+				certmagic.CleanStorage(certmagic.Default.Storage, certmagic.CleanStorageOptions{
+					OCSPStaples: true,
+				})
+			}
+		}()
 		inst.OnShutdown = append(inst.OnShutdown, func() error {
 			certCache.Stop()
+			storageCleaningTicker.Stop()
 			return nil
 		})
+
 		inst.StorageMu.Lock()
 		inst.Storage[CertCacheInstStorageKey] = certCache
 		inst.StorageMu.Unlock()
 	}
 	return &Config{
-		Manager: certmagic.NewWithCache(certCache, certmagic.Config{}),
+		Manager: certmagic.New(certCache, certmagic.Config{}),
 	}, nil
 }
 
@@ -418,7 +445,6 @@ func SetDefaultTLSParams(config *Config) {
 var supportedKeyTypes = map[string]certcrypto.KeyType{
 	"P384":    certcrypto.EC384,
 	"P256":    certcrypto.EC256,
-	"RSA8192": certcrypto.RSA8192,
 	"RSA4096": certcrypto.RSA4096,
 	"RSA2048": certcrypto.RSA2048,
 }

caddytls/handshake.go

@@ -42,7 +42,7 @@ type configGroup map[string]*Config
 func (cg configGroup) getConfig(hello *tls.ClientHelloInfo) *Config {
 	name := certmagic.NormalizedName(hello.ServerName)
 	if name == "" {
-		name = certmagic.NormalizedName(certmagic.DefaultServerName)
+		name = certmagic.NormalizedName(certmagic.Default.DefaultServerName)
 	}
 
 	// if SNI is empty, prefer matching IP address (it is

caddytls/setup.go

@@ -63,7 +63,7 @@ func setupTLS(c *caddy.Controller) error {
 			if err != nil {
 				return fmt.Errorf("constructing cluster plugin %s: %v", clusterPluginName, err)
 			}
-			certmagic.DefaultStorage = storage
+			certmagic.Default.Storage = storage
 		} else {
 			return fmt.Errorf("unrecognized cluster plugin (was it included in the Caddy build?): %s", clusterPluginName)
 		}
@@ -363,6 +363,14 @@ func setupTLS(c *caddy.Controller) error {
 		telemetry.Increment("tls_self_signed_count")
 	}
 
+	// store this as a custom config
+	cfgMap, ok := c.Get(configMapKey).(map[string]*Config)
+	if !ok || cfgMap == nil {
+		cfgMap = make(map[string]*Config)
+	}
+	cfgMap[config.Hostname] = config
+	c.Set(configMapKey, cfgMap)
+
 	return nil
 }
 
@@ -449,3 +457,5 @@ func loadCertsInDir(cfg *Config, c *caddy.Controller, dir string) error {
 func constructDefaultClusterPlugin() (certmagic.Storage, error) {
 	return &certmagic.FileStorage{Path: caddy.AssetsPath()}, nil
 }
+
+const configMapKey = "tls_custom_configs"

caddytls/setup_test.go

@@ -53,8 +53,8 @@ func TestSetupParseBasic(t *testing.T) {
 	}
 	defer os.RemoveAll(tmpdir)
 
-	certCache := certmagic.NewCache(&certmagic.FileStorage{Path: tmpdir})
-	cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
+	certmagic.Default.Storage = &certmagic.FileStorage{Path: tmpdir}
+	cfg := &Config{Manager: certmagic.NewDefault()}
 	RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
 	c := caddy.NewTestController("", `tls `+certFile+` `+keyFile+``)
 
@@ -139,8 +139,8 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
 	}
 	defer os.RemoveAll(tmpdir)
 
-	certCache := certmagic.NewCache(&certmagic.FileStorage{Path: tmpdir})
-	cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
+	certmagic.Default.Storage = &certmagic.FileStorage{Path: tmpdir}
+	cfg := &Config{Manager: certmagic.NewDefault()}
 	RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
 	c := caddy.NewTestController("", params)
 
@@ -276,8 +276,7 @@ func TestSetupParseWithClientAuth(t *testing.T) {
 			clients verify_if_given
 		}`, tls.VerifyClientCertIfGiven, true, noCAs},
 	} {
-		certCache := certmagic.NewCache(certmagic.DefaultStorage)
-		cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
+		cfg := &Config{Manager: certmagic.NewDefault()}
 		RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
 		c := caddy.NewTestController("", caseData.params)
 

go.mod

@@ -7,15 +7,15 @@ require (
 	github.com/caddyserver/builds v0.0.0-20170910200810-c62e2219460a
 	github.com/dustin/go-humanize v1.0.0
 	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568
-	github.com/go-acme/lego v2.4.0+incompatible
+	github.com/go-acme/lego v2.5.0+incompatible
 	github.com/google/uuid v1.1.1
 	github.com/gorilla/websocket v1.4.0
 	github.com/hashicorp/go-syslog v1.0.0
 	github.com/jimstudt/http-authentication v0.0.0-20140401203705-3eca13d6893a
 	github.com/klauspost/cpuid v1.2.0
 	github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 // indirect
 	github.com/lucas-clemente/quic-go v0.10.2
-	github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234
+	github.com/mholt/certmagic v0.5.0
 	github.com/naoina/go-stringutil v0.1.0 // indirect
 	github.com/naoina/toml v0.1.1
 	github.com/russross/blackfriday v0.0.0-20170610170232-067529f716f4

go.sum

@@ -19,6 +19,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/go-acme/lego v2.3.1-0.20190318164254-3684cc738d37+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
 github.com/go-acme/lego v2.4.0+incompatible h1:+BTLUfLtDc5qQauyiTCXH6lupEUOCvXyGlEjdeU0YQI=
 github.com/go-acme/lego v2.4.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
+github.com/go-acme/lego v2.5.0+incompatible h1:5fNN9yRQfv8ymH3DSsxla+4aYeQt2IgfZqHKVnK8f0s=
+github.com/go-acme/lego v2.5.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
 github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
@@ -49,6 +51,8 @@ github.com/lucas-clemente/quic-go-certificates v0.0.0-20160823095156-d2f86524cce
 github.com/marten-seemann/qtls v0.2.3/go.mod h1:xzjG7avBwGGbdZ8dTGxlBnLArsVKLvwmjgmPuiQEcYk=
 github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234 h1:6biVHmhBIOQCzdOClOJ97D/Ip9oH8TgFftq2bj/93YI=
 github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234/go.mod h1:KvmxBmeVqj88J9Z9us/x04Yp/YYfMtmGkhQFWewFe6U=
+github.com/mholt/certmagic v0.5.0 h1:lYXxsLUFya/I3BgDCrfuwcMQOB+4auzI8CCzpK41tjc=
+github.com/mholt/certmagic v0.5.0/go.mod h1:g4cOPxcjV0oFq3qwpjSA30LReKD8AoIfwAY9VvG35NY=
 github.com/miekg/dns v1.1.3 h1:1g0r1IvskvgL8rR+AcHzUA+oFmGcQlaIm4IqakufeMM=
 github.com/miekg/dns v1.1.3/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/naoina/go-stringutil v0.1.0 h1:rCUeRUHjBjGTSHl0VC00jUPLz8/F9dDzYI70Hzifhks=