write Caddy module for getting TLS certs from tailscaled #3096
Comments
DentonGentry
added
L2 Few
|
Great questions -- and nice work following the code.
Yes, exactly! So yeah, using the ACMEIssuer or InternalIssuer for boilerplate are great starting points.
No, the CSR is generated for you. You can just extract whatever info you need to get a cert.
Yep, so all your issuer module needs to do is look at the Subjects in the CSR and you can decide whether to return a cert or not. When Caddy is asked to manage a certificate for a domain (or IP address), it will call There is one other module type called a |
|
Thanks for the tips! I'm taking next week off but I'll try to get to this whenever I have some "fun" time free. (unless somebody wants to beat me to it! :)) |
|
I think this is being done in caddyserver/caddy#4541 |
Tracking bug for writing a Caddy module to get TLS certs from the machine's tailscaled via the localapi. (using https://pkg.go.dev/tailscale.com/client/tailscale#GetCertificate)
@mholt, any pointers on what type of module we'd need to be? Got an example of a similar one?
Grepping around backwards from
tls.Config.GetCertificate....ConnectionPolicy...https://caddyserver.com/docs/json/apps/http/servers/tls_connection_policies/AutomationPolicy.... https://caddyserver.com/docs/json/apps/tls/automation/policies/"Fulfilled by modules in namespace:
tls.issuance"I guess we want to be one of these? https://caddyserver.com/docs/json/apps/tls/automation/policies/issuers/
So e.g.
https://github.com/caddyserver/caddy/blob/master/modules/caddytls/acmeissuer.go
https://github.com/caddyserver/caddy/blob/master/modules/caddytls/internalissuer.go
Do we really have to do all the CSR stuff? https://pkg.go.dev/github.com/caddyserver/certmagic#Issuer
We already do that, and handle caching for certs that are still valid.
The hook I really want is given the SNI name, choose to give you a cert pair or not.
The text was updated successfully, but these errors were encountered: