about summary refs log tree commit diff stats
path: root/internal/server
diff options
context:
space:
mode:
authorAlan Pearce2024-11-30 11:29:29 +0100
committerAlan Pearce2024-11-30 11:29:29 +0100
commita96b875fb2619317f60d2f45fe4580882ebe0c16 (patch)
treedb17d641f6dec4e5decd348b56f5faef2d2a4a07 /internal/server
parent5908bed6043d98e190b28fb56b141e4c08704076 (diff)
downloadwebsite-a96b875fb2619317f60d2f45fe4580882ebe0c16.tar.lz
website-a96b875fb2619317f60d2f45fe4580882ebe0c16.tar.zst
website-a96b875fb2619317f60d2f45fe4580882ebe0c16.zip
tls: change certmanager defaults instead of creating new config
Diffstat (limited to 'internal/server')
-rw-r--r--internal/server/tls.go54
1 files changed, 21 insertions, 33 deletions
diff --git a/internal/server/tls.go b/internal/server/tls.go
index 716495c..8e7ba31 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -36,10 +36,11 @@ func (s *Server) serveTLS() (err error) {
 
 	// setting cfg.Logger is too late somehow
 	certmagic.Default.Logger = log.GetLogger().Named("certmagic")
-	cfg := certmagic.NewDefault()
-	cfg.DefaultServerName = s.config.Domains[0]
-
-	var issuer *certmagic.ACMEIssuer
+	certmagic.DefaultACME.Agreed = true
+	certmagic.DefaultACME.Email = s.config.Email
+	certmagic.DefaultACME.ListenHost = s.runtimeConfig.ListenAddress
+	certmagic.DefaultACME.AltHTTPPort = s.runtimeConfig.Port
+	certmagic.DefaultACME.AltTLSALPNPort = s.runtimeConfig.TLSPort
 
 	if s.runtimeConfig.Development {
 		ca := s.runtimeConfig.ACMECA
@@ -58,17 +59,11 @@ func (s *Server) serveTLS() (err error) {
 		}
 
 		// caddy's ACME server (step-ca) doesn't specify an OCSP server
-		cfg.OCSP.DisableStapling = true
-
-		issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
-			CA:                      s.runtimeConfig.ACMECA,
-			TrustedRoots:            cp,
-			DisableTLSALPNChallenge: true,
-			ListenHost:              s.runtimeConfig.ListenAddress,
-			AltHTTPPort:             s.runtimeConfig.Port,
-			AltTLSALPNPort:          s.runtimeConfig.TLSPort,
-			Logger:                  certmagic.Default.Logger,
-		})
+		certmagic.Default.OCSP.DisableStapling = true
+
+		certmagic.DefaultACME.CA = s.runtimeConfig.ACMECA
+		certmagic.DefaultACME.TrustedRoots = cp
+		certmagic.DefaultACME.DisableTLSALPNChallenge = true
 	} else {
 		rc := &redisConfig{}
 		_, err = conf.Parse("REDIS", rc)
@@ -82,20 +77,13 @@ func (s *Server) serveTLS() (err error) {
 			return errors.WithMessage(err, "could not parse PowerDNS ACME config")
 		}
 
-		issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
-			CA:                      certmagic.LetsEncryptProductionCA,
-			Email:                   s.config.Email,
-			Agreed:                  true,
-			Logger:                  certmagic.Default.Logger,
-			DisableHTTPChallenge:    true,
-			DisableTLSALPNChallenge: true,
-			DNS01Solver: &certmagic.DNS01Solver{
-				DNSManager: certmagic.DNSManager{
-					DNSProvider: pdns,
-					Logger:      certmagic.Default.Logger,
-				},
+		certmagic.DefaultACME.CA = certmagic.LetsEncryptProductionCA
+		certmagic.DefaultACME.DNS01Solver = &certmagic.DNS01Solver{
+			DNSManager: certmagic.DNSManager{
+				DNSProvider: pdns,
+				Logger:      certmagic.Default.Logger,
 			},
-		})
+		}
 
 		certificateDomains = append(slices.Clone(s.config.Domains), wildcardDomain)
 
@@ -108,7 +96,7 @@ func (s *Server) serveTLS() (err error) {
 		rs.TlsEnabled = rc.TLSEnabled
 		rs.TlsInsecure = rc.TLSInsecure
 
-		cfg.Storage = rs
+		certmagic.Default.Storage = rs
 		err = rs.Provision(caddy.Context{
 			Context: context.Background(),
 		})
@@ -116,7 +104,6 @@ func (s *Server) serveTLS() (err error) {
 			return errors.WithMessage(err, "could not provision redis storage")
 		}
 	}
-	cfg.Issuers[0] = issuer
 
 	ln, err := listenfd.GetListener(
 		1,
@@ -130,7 +117,8 @@ func (s *Server) serveTLS() (err error) {
 	go func(ln net.Listener, srv *http.Server) {
 		httpMux := http.NewServeMux()
 		httpMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-			if certmagic.LooksLikeHTTPChallenge(r) && issuer.HandleHTTPChallenge(w, r) {
+			if certmagic.LooksLikeHTTPChallenge(r) &&
+				certmagic.DefaultACME.HandleHTTPChallenge(w, r) {
 				return
 			}
 			url := r.URL
@@ -167,11 +155,11 @@ func (s *Server) serveTLS() (err error) {
 		"https_port",
 		s.runtimeConfig.TLSPort,
 	)
-	err = cfg.ManageAsync(context.TODO(), certificateDomains)
+	err = certmagic.ManageAsync(context.TODO(), certificateDomains)
 	if err != nil {
 		return errors.WithMessage(err, "could not enable TLS")
 	}
-	tlsConfig := cfg.TLSConfig()
+	tlsConfig := certmagic.NewDefault().TLSConfig()
 	tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)
 
 	sln, err := listenfd.GetListenerTLS(