No, the CSR is generated for you. You can just extract whatever info you need to get a cert.
> The hook I really want is given the SNI name, choose to give you a cert pair or not.
Yep, so all your issuer module needs to do is look at the Subjects in the CSR and you can decide whether to return a cert or not.
When Caddy is asked to manage a certificate for a domain (or IP address), it will call Issue() on the configured Issuer to get the certificate, which it then saves to storage and loads into its in-memory cache. That in-memory cache is where it draws from to serve certificates during TLS handshakes. Managed certs, which are all the ones that come from an Issuer, are tracked for expiration and Caddy will call Issue() again when time is running out. If Issue() returns certificates that still expire soon, Caddy will just keep trying over time until it gets a certificate that isn't expiring soon.
There is one other module type called a CertificateLoader which simply loads certificates into that in-memory cache, but these are not considered "managed" so the user would have to reload the config in order to re-load them into the cache: https://pkg.go.dev/github.com/caddyserver/caddy/v2/modules/caddytls#CertificateLoader -- but I think Issuer is what you want.
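An added sketch, not code from this thread, Caddy or Tailscale, of the Issuer-side gate described above: look at the CSR Caddy generated and decide whether to hand a cert back. Issue mirrors the shape of certmagic.Issuer's Issue method without importing certmagic; NodeIssuer, Allowed, Fetch, NameFromCSR and NewCSR are names assumed here, and the cert bytes are whatever the Fetch callback (where tailscale's GetCertificate would sit) returns.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
)

// NodeIssuer stands in for a Caddy Issuer module (Issue has certmagic.Issuer's shape).
// Allowed/Fetch are assumed stand-ins for what tailscaled would vouch for and return.
type NodeIssuer struct {
	Allowed map[string]bool
	Fetch   func(ctx context.Context, name string) ([]byte, error)
}

// NameFromCSR is the gate: exactly one DNS SAN, no other SAN kinds, and an allowed name.
func NameFromCSR(csr *x509.CertificateRequest, allowed map[string]bool) (string, error) {
	if len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		return "", fmt.Errorf("csr: only DNS names are supported")
	}
	if len(csr.DNSNames) != 1 {
		return "", fmt.Errorf("csr: want exactly one DNS name, got %d", len(csr.DNSNames))
	}
	if name := csr.DNSNames[0]; allowed[name] {
		return name, nil
	}
	return "", fmt.Errorf("csr: %q is not a name this node may serve", csr.DNSNames[0])
}

// Issue is what Caddy calls with the CSR it generated; an error means "no cert this round".
func (n *NodeIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) ([]byte, error) {
	name, err := NameFromCSR(csr, n.Allowed)
	if err != nil {
		return nil, err
	}
	return n.Fetch(ctx, name)
}

// NewCSR builds a throwaway CSR as test input; in Caddy the CSR is generated for you.
func NewCSR(names ...string) (*x509.CertificateRequest, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not realistically fail
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: names}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}
```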
Tracking bug for writing a Caddy module to get TLS certs from the machine's tailscaled via the localapi. (using https://pkg.go.dev/tailscale.com/client/tailscale#GetCertificate)
@mholt, any pointers on what type of module we'd need to be? Got an example of a similar one?
Grepping around backwards from tls.Config.GetCertificate:
.... ConnectionPolicy
.... https://caddyserver.com/docs/json/apps/http/servers/tls_connection_policies/AutomationPolicy
.... https://caddyserver.com/docs/json/apps/tls/automation/policies/ "Fulfilled by modules in namespace: tls.issuance"
I guess we want to be one of these? https://caddyserver.com/docs/json/apps/tls/automation/policies/issuers/
So e.g.
https://github.com/caddyserver/caddy/blob/master/modules/caddytls/acmeissuer.go
https://github.com/caddyserver/caddy/blob/master/modules/caddytls/internalissuer.go
Do we really have to do all the CSR stuff? https://pkg.go.dev/github.com/caddyserver/certmagic#Issuer
We already do that, and handle caching for certs that are still valid.
The hook I really want is given the SNI name, choose to give you a cert pair or not.