diff --git a/go.mod b/go.mod index 224f7d0c..44da5139 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,7 @@ require ( github.com/klauspost/compress v1.7.1-0.20190613161414-0b31f265a57b github.com/klauspost/cpuid v1.2.1 github.com/lucas-clemente/quic-go v0.7.1-0.20190908032346-fc962d18373a - github.com/mholt/certmagic v0.7.3 + github.com/mholt/certmagic v0.7.3-0.20190917224939-65d418add14f github.com/muhammadmuzzammil1998/jsonc v0.0.0-20190902132743-e4903c4dea48 github.com/rs/cors v1.6.0 github.com/russross/blackfriday/v2 v2.0.1 diff --git a/go.sum b/go.sum index d855faf1..a48d42f6 100644 --- a/go.sum +++ b/go.sum @@ -156,8 +156,8 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/mholt/certmagic v0.7.3 h1:1QOfAmk5uyWcfXJFQqFZZiEsJbPMBQ1vw/ttpVOUXQU= -github.com/mholt/certmagic v0.7.3/go.mod h1:hqHzDsY32TwZpj/KswVylheSISjquF/eOVOaJTYV15w= +github.com/mholt/certmagic v0.7.3-0.20190917224939-65d418add14f h1:IocLraK7JNMvVbuZShaLJMsWMPgdElPNwmPPWPb0XMI= +github.com/mholt/certmagic v0.7.3-0.20190917224939-65d418add14f/go.mod h1:hqHzDsY32TwZpj/KswVylheSISjquF/eOVOaJTYV15w= github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI= github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= diff --git a/modules/caddytls/acmemanager.go b/modules/caddytls/acmemanager.go index f9a64099..9df2e262 100644 --- a/modules/caddytls/acmemanager.go +++ b/modules/caddytls/acmemanager.go @@ -15,8 +15,10 @@ package caddytls import ( + "crypto/x509" "encoding/json" "fmt" + "io/ioutil" "net/url" "time" @@ -38,17 +40,19 @@ func init() { // after you have configured this struct // to your liking. type ACMEManagerMaker struct { - CA string `json:"ca,omitempty"` - Email string `json:"email,omitempty"` - RenewAhead caddy.Duration `json:"renew_ahead,omitempty"` - KeyType string `json:"key_type,omitempty"` - ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"` - MustStaple bool `json:"must_staple,omitempty"` - Challenges ChallengesConfig `json:"challenges,omitempty"` - OnDemand bool `json:"on_demand,omitempty"` - Storage json.RawMessage `json:"storage,omitempty"` + CA string `json:"ca,omitempty"` + Email string `json:"email,omitempty"` + RenewAhead caddy.Duration `json:"renew_ahead,omitempty"` + KeyType string `json:"key_type,omitempty"` + ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"` + MustStaple bool `json:"must_staple,omitempty"` + Challenges ChallengesConfig `json:"challenges,omitempty"` + OnDemand bool `json:"on_demand,omitempty"` + Storage json.RawMessage `json:"storage,omitempty"` + TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"` - storage certmagic.Storage + storage certmagic.Storage + rootPool *x509.CertPool } // CaddyModule returns the Caddy module information. @@ -91,6 +95,20 @@ func (m *ACMEManagerMaker) Provision(ctx caddy.Context) error { m.Storage = nil // allow GC to deallocate } + // add any custom CAs to trust store + if len(m.TrustedRootsPEMFiles) > 0 { + m.rootPool = x509.NewCertPool() + for _, pemFile := range m.TrustedRootsPEMFiles { + pemData, err := ioutil.ReadFile(pemFile) + if err != nil { + return fmt.Errorf("loading trusted root CA's PEM file: %s: %v", pemFile, err) + } + if !m.rootPool.AppendCertsFromPEM(pemData) { + return fmt.Errorf("unable to add %s to trust pool: %v", pemFile, err) + } + } + } + return nil } @@ -150,6 +168,7 @@ func (m *ACMEManagerMaker) makeCertMagicConfig(ctx caddy.Context) certmagic.Conf OnDemand: ond, MustStaple: m.MustStaple, Storage: storage, + TrustedRoots: m.rootPool, // TODO: listenHost } }