
httpcaddyfile: Implement force_automate #6712

Open · wants to merge 1 commit into master
Conversation

francislavoie (Member)

Closes #5933

I think this should work according to the JSON config output, but I didn't actually test it at runtime to verify that it yields the expected behaviour. @mholt you had a repro set up locally if you want to give it a spin while reviewing.

francislavoie (Member Author) commented Nov 27, 2024

What's annoying about this is it's hard to test a real-world scenario because the TLS automation stuff has special conditions for .localhost domains (to use the internal issuer), so using fake domains may have different results than using real domains.

But I did confirm at least that using tls force_automate does correctly hoist a connection policy to the top making an automated cert take precedence over a wildcard loaded cert.

I'm not able to test with a real domain right now (time/effort) so I can't confirm with certainty that the change to automation policies has the intended effect. The behaviour I'm seeing is that all hostnames are having certs automated, even a wildcard with a loaded cert, even if auto_https ignore_loaded_certs is set. That probably shouldn't be happening, but in practice it's not a big deal cause local issuance is super fast and doesn't take up much storage etc.

Configuring like acme_ca global option or whatever to use a fake ACME issuer (e.g. another Caddy with acme_server) also might not produce a proper test result because that overrides a default, which changes how policy consolidation works. Like, any config added which doesn't just use plain defaults can make the test invalid.
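The scenario the comments above describe, as an added illustration rather than configuration taken from the PR itself: a catch-all site serves a manually loaded wildcard certificate, and one subdomain site opts into an automated certificate instead. The hostnames, certificate paths and the placement of `force_automate` as a subdirective inside the `tls` block are assumptions.

```caddyfile
# Catch-all site served with a manually loaded wildcard certificate.
# (hostnames and paths are constructed for this example)
*.example.com {
	tls /etc/caddy/certs/wildcard.crt /etc/caddy/certs/wildcard.key
	respond "catch-all"
}

# Without force_automate, TLS handshakes for app.example.com would be
# answered with the loaded wildcard certificate above, because a loaded
# cert already matches the hostname. With it, Caddy automates a dedicated
# certificate for app.example.com and hoists that site's connection policy
# so the automated cert takes precedence over the loaded wildcard.
app.example.com {
	tls {
		force_automate
	}
	respond "app"
}
```

Run `caddy adapt --config Caddyfile` with a binary built from this branch to inspect the resulting JSON connection policies; as the later comments note, an older binary rejects the option.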

SimJoSt commented Nov 28, 2024

Tested, works.
Took me some time to solve some permission issues I caused myself after building it for Linux arm64, but I made it :)

While I cannot speak to the implementation and the general approach, I successfully tested this in production 🙈 with real domains and services.

SimJoSt commented Nov 28, 2024

In another test I ran caddy adapt, as mentioned in #5933 (comment), and ran into an issue.
Apparently, this command doesn't know about the new force_automate option for the tls directive yet, and fails.
It seems there are more places in the code where this new option needs to be defined.

francislavoie (Member Author)

You just ran adapt with your old version of Caddy. Make sure you run adapt with the correct binary.

Thanks for testing! Appreciated.

SimJoSt commented Nov 28, 2024

You are absolutely right :D Sorry for the confusion. adapt works without any issue.

Successfully merging this pull request may close these issues.

Certificate for catch-all site is used for requests to other sites