tls/acme: Ability to customize trusted roots for ACME servers (#2756)

Closes #2702
2019-09-24 15:46:39 -07:00 · 2019-09-24 15:46:39 -07:00 · 11696793bd
parent 3e8bff594a
commit 11696793bd
3 changed files with 32 additions and 13 deletions
--- a/go.mod
+++ b/go.mod
@ -18,7 +18,7 @@ require (
 	github.com/klauspost/compress v1.7.1-0.20190613161414-0b31f265a57b
 	github.com/klauspost/cpuid v1.2.1
 	github.com/lucas-clemente/quic-go v0.7.1-0.20190908032346-fc962d18373a
-	github.com/mholt/certmagic v0.7.3
+	github.com/mholt/certmagic v0.7.3-0.20190917224939-65d418add14f
 	github.com/muhammadmuzzammil1998/jsonc v0.0.0-20190902132743-e4903c4dea48
 	github.com/rs/cors v1.6.0
 	github.com/russross/blackfriday/v2 v2.0.1
--- a/go.sum
+++ b/go.sum
@ -156,8 +156,8 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mholt/certmagic v0.7.3 h1:1QOfAmk5uyWcfXJFQqFZZiEsJbPMBQ1vw/ttpVOUXQU=
-github.com/mholt/certmagic v0.7.3/go.mod h1:hqHzDsY32TwZpj/KswVylheSISjquF/eOVOaJTYV15w=
+github.com/mholt/certmagic v0.7.3-0.20190917224939-65d418add14f h1:IocLraK7JNMvVbuZShaLJMsWMPgdElPNwmPPWPb0XMI=
+github.com/mholt/certmagic v0.7.3-0.20190917224939-65d418add14f/go.mod h1:hqHzDsY32TwZpj/KswVylheSISjquF/eOVOaJTYV15w=
 github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI=
 github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
--- a/modules/caddytls/acmemanager.go
+++ b/modules/caddytls/acmemanager.go
@ -15,8 +15,10 @@
 package caddytls

 import (
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net/url"
 	"time"

@ -38,17 +40,19 @@ func init() {
 // after you have configured this struct
 // to your liking.
 type ACMEManagerMaker struct {
-	CA          string           `json:"ca,omitempty"`
-	Email       string           `json:"email,omitempty"`
-	RenewAhead  caddy.Duration   `json:"renew_ahead,omitempty"`
-	KeyType     string           `json:"key_type,omitempty"`
-	ACMETimeout caddy.Duration   `json:"acme_timeout,omitempty"`
-	MustStaple  bool             `json:"must_staple,omitempty"`
-	Challenges  ChallengesConfig `json:"challenges,omitempty"`
-	OnDemand    bool             `json:"on_demand,omitempty"`
-	Storage     json.RawMessage  `json:"storage,omitempty"`
+	CA                   string           `json:"ca,omitempty"`
+	Email                string           `json:"email,omitempty"`
+	RenewAhead           caddy.Duration   `json:"renew_ahead,omitempty"`
+	KeyType              string           `json:"key_type,omitempty"`
+	ACMETimeout          caddy.Duration   `json:"acme_timeout,omitempty"`
+	MustStaple           bool             `json:"must_staple,omitempty"`
+	Challenges           ChallengesConfig `json:"challenges,omitempty"`
+	OnDemand             bool             `json:"on_demand,omitempty"`
+	Storage              json.RawMessage  `json:"storage,omitempty"`
+	TrustedRootsPEMFiles []string         `json:"trusted_roots_pem_files,omitempty"`

-	storage certmagic.Storage
+	storage  certmagic.Storage
+	rootPool *x509.CertPool
 }

 // CaddyModule returns the Caddy module information.
@ -91,6 +95,20 @@ func (m *ACMEManagerMaker) Provision(ctx caddy.Context) error {
 		m.Storage = nil // allow GC to deallocate
 	}

+	// add any custom CAs to trust store
+	if len(m.TrustedRootsPEMFiles) > 0 {
+		m.rootPool = x509.NewCertPool()
+		for _, pemFile := range m.TrustedRootsPEMFiles {
+			pemData, err := ioutil.ReadFile(pemFile)
+			if err != nil {
+				return fmt.Errorf("loading trusted root CA's PEM file: %s: %v", pemFile, err)
+			}
+			if !m.rootPool.AppendCertsFromPEM(pemData) {
+				return fmt.Errorf("unable to add %s to trust pool: %v", pemFile, err)
+			}
+		}
+	}
+
 	return nil
 }

@ -150,6 +168,7 @@ func (m *ACMEManagerMaker) makeCertMagicConfig(ctx caddy.Context) certmagic.Conf
 		OnDemand:                ond,
 		MustStaple:              m.MustStaple,
 		Storage:                 storage,
+		TrustedRoots:            m.rootPool,
 		// TODO: listenHost
 	}
 }