tls: Add acme_ca_root and tls/ca_root to caddyfile (#3040)

caddyconfig/httpcaddyfile/builtins.go

@@ -116,6 +116,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 	if acmeCA := h.Option("acme_ca"); acmeCA != nil {
 		mgr.CA = acmeCA.(string)
 	}
+	if caPemFile := h.Option("acme_ca_root"); caPemFile != nil {
+		mgr.TrustedRootsPEMFiles = append(mgr.TrustedRootsPEMFiles, caPemFile.(string))
+	}
 
 	for h.Next() {
 		// file certificate loader
@@ -233,6 +236,13 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 				}
 				mgr.Challenges.DNSRaw = caddyconfig.JSONModuleObject(dnsProvModule.New(), "provider", provName, h.warnings)
 			
+			case "ca_root":
+				arg := h.RemainingArgs()
+				if len(arg) != 1 {
+					return nil, h.ArgErr()
+				}
+				mgr.TrustedRootsPEMFiles = append(mgr.TrustedRootsPEMFiles, arg[0])
+
 			default:
 				return nil, h.Errf("unknown subdirective: %s", h.Val())
 			}

caddyconfig/httpcaddyfile/httptype.go

@@ -71,7 +71,7 @@ func (st ServerType) Setup(originalServerBlocks []caddyfile.ServerBlock,
 				val, err = parseOptExperimentalHTTP3(disp)
 			case "storage":
 				val, err = parseOptStorage(disp)
-			case "acme_ca", "acme_dns":
+			case "acme_ca", "acme_dns", "acme_ca_root":
 				val, err = parseOptACME(disp)
 			case "email":
 				val, err = parseOptEmail(disp)

caddyconfig/httpcaddyfile/parser_test.go

@@ -45,6 +45,24 @@ func TestParse(t *testing.T) {
 			expectWarn:  false,
 			expectError: true,
 		},
+		{
+			input: `
+			{
+				email test@anon.com
+				acme_ca https://ca.custom
+				acme_ca_root /root/certs/ca.crt
+			}
+
+			https://caddy {
+				tls {
+					ca https://ca.custom
+					ca_root /root/certs/ca.crt
+				}
+			}
+			`,
+			expectWarn:  false,
+			expectError: false,
+		},
 	} {
 
 		adapter := caddyfile.Adapter{