Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

caddytls: Add support for ZeroSSL; add Caddyfile support for issuers #3633

Merged
merged 10 commits into from
Aug 11, 2020

Conversation

mholt
Copy link
Member

@mholt mholt commented Aug 4, 2020

Configuring issuers explicitly in a Caddyfile is not easily compatible
with existing ACME-specific parameters such as email or acme_ca which
infer the kind of issuer it creates (this is complicated now because
the ZeroSSL issuer wraps the ACME issuer)... oh well, we can revisit
that later if we need to.

New Caddyfile global option:

{
    cert_issuer <name> ...
}

Or, alternatively, as a tls subdirective:

tls {
    issuer <name> ...
}

For example, to use ZeroSSL with an API key:

{
    cert_issuser zerossl API_KEY
}

For now, that still uses ZeroSSL's ACME endpoint; it fetches EAB
credentials for you. You can also provide the EAB credentials directly
just like any other ACME endpoint:

{
    cert_issuer acme {
        eab KEY_ID MAC_KEY
    }
}

All these examples use the new global option (or tls subdirective). You
can still use traditional/existing options with ZeroSSL, since it's
just another ACME endpoint:

{
    acme_ca  https://acme.zerossl.com/v2/DV90
    acme_eab KEY_ID MAC_KEY
}

That's all there is to it. You just can't mix-and-match acme_* options
with cert_issuer, because it becomes confusing/ambiguous/complicated to
merge the settings.


The latest commits on this PR make it possible to implicitly configure the ZeroSSL issuer by specifying a CA endpoint containing acme.zerossl.com and an email address; no API key required:

{
    acme_ca https://acme.zerossl.com/v2/DV90
    email   [email protected]
}

(And similarly for with the tls directive.)

In other words, even though using ZeroSSL (the first time) requires the ZeroSSLIssuer type (to generate the EAB credentials when making an ACME account), it's very easy to configure ZeroSSL: Caddy will mostly auto-detect it and wrap the ACMEIssuer properly with ZeroSSLIssuer. You can also explicitly configure ZeroSSL as shown above.

No issuer defaults are changed with this PR.


With version 2.3 (to clarify: not 2.2, the release for which this change is slated), we can then work on making one CA a fallback of another. For example, if ZeroSSL is the primary CA but is down, then switch to Let's Encrypt. Or vice-versa, if LE is down (or you've hit rate limits), switch to ZeroSSL.

Configuring issuers explicitly in a Caddyfile is not easily compatible
with existing ACME-specific parameters such as email or acme_ca which
infer the kind of issuer it creates (this is complicated now because
the ZeroSSL issuer wraps the ACME issuer)... oh well, we can revisit
that later if we need to.

New Caddyfile global option:

    {
        cert_issuer <name> ...
    }

Or, alternatively, as a tls subdirective:

    tls {
        issuer <name> ...
    }

For example, to use ZeroSSL with an API key:

    {
        cert_issuser zerossl API_KEY
    }

For now, that still uses ZeroSSL's ACME endpoint; it fetches EAB
credentials for you. You can also provide the EAB credentials directly
just like any other ACME endpoint:

    {
        cert_issuer acme {
            eab KEY_ID MAC_KEY
        }
    }

All these examples use the new global option (or tls subdirective). You
can still use traditional/existing options with ZeroSSL, since it's
just another ACME endpoint:

    {
        acme_ca  https://acme.zerossl.com/v2/DV90
        acme_eab KEY_ID MAC_KEY
    }

That's all there is to it. You just can't mix-and-match acme_* options
with cert_issuer, because it becomes confusing/ambiguous/complicated to
merge the settings.
@mholt mholt added this to the v2.2.0 milestone Aug 4, 2020
@mholt mholt self-assigned this Aug 4, 2020
This test was asserting buggy behavior, oops - glad this branch both
discovers and fixes the bug at the same time!
@mholt mholt added the under review 🧐 Review is pending before merging label Aug 4, 2020
@mholt
Copy link
Member Author

mholt commented Aug 4, 2020

Sigh -- failing test on s390x VM is unrelated.

Update: We have confirmation from IBM that the connection errors are due to power outages related to Hurricane Isaias.

@francislavoie
Copy link
Member

LGTM 👍

Fix godoc comment

Co-authored-by: Francis Lavoie <[email protected]>
@mholt mholt removed the under review 🧐 Review is pending before merging label Aug 5, 2020
@mholt mholt modified the milestones: v2.2.0, v2.3.0 Aug 10, 2020
mholt added 5 commits August 10, 2020 15:28
Also transform the ACMEIssuer into ZeroSSLIssuer implicitly if set to
the ZeroSSL endpoint without EAB (the ZeroSSLIssuer is needed to
generate EAB if not already provided); this is now possible with either
an API key or an email address.
@mholt mholt modified the milestones: v2.3.0, v2.2.0 Aug 10, 2020
@mholt mholt merged commit 66863aa into master Aug 11, 2020
@mholt mholt deleted the zerossl branch August 11, 2020 14:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants