about summary refs log tree commit diff stats
path: root/internal
diff options
context:
space:
mode:
authorAlan Pearce2024-12-09 17:24:42 +0100
committerAlan Pearce2024-12-09 17:24:42 +0100
commite9f32ba273e258ad7340f14da434abbbf223fade (patch)
treef448f6845671ffe74d51fb28a71441e19d43608e /internal
parent8661363281c2902d2dba875e7f51c3d34d404595 (diff)
downloadwebsite-e9f32ba273e258ad7340f14da434abbbf223fade.tar.lz
website-e9f32ba273e258ad7340f14da434abbbf223fade.tar.zst
website-e9f32ba273e258ad7340f14da434abbbf223fade.zip
tls: reduce visual noise
Diffstat (limited to 'internal')
-rw-r--r--internal/server/tls.go30
1 files changed, 16 insertions, 14 deletions
diff --git a/internal/server/tls.go b/internal/server/tls.go
index 183ce70..fc87049 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -35,11 +35,14 @@ func (s *Server) serveTLS() (err error) {
 
 	// setting cfg.Logger is too late somehow
 	certmagic.Default.Logger = log.GetLogger().Named("certmagic")
-	certmagic.DefaultACME.Agreed = true
-	certmagic.DefaultACME.Email = s.config.Email
-	certmagic.DefaultACME.ListenHost = s.runtimeConfig.ListenAddress
-	certmagic.DefaultACME.AltHTTPPort = s.runtimeConfig.Port
-	certmagic.DefaultACME.AltTLSALPNPort = s.runtimeConfig.TLSPort
+	cfg := certmagic.NewDefault()
+
+	acme := certmagic.DefaultACME
+	acme.Agreed = true
+	acme.Email = s.config.Email
+	acme.ListenHost = s.runtimeConfig.ListenAddress
+	acme.AltHTTPPort = s.runtimeConfig.Port
+	acme.AltTLSALPNPort = s.runtimeConfig.TLSPort
 
 	if s.runtimeConfig.Development {
 		ca := s.runtimeConfig.ACMECA
@@ -58,11 +61,11 @@ func (s *Server) serveTLS() (err error) {
 		}
 
 		// caddy's ACME server (step-ca) doesn't specify an OCSP server
-		certmagic.Default.OCSP.DisableStapling = true
+		cfg.OCSP.DisableStapling = true
 
-		certmagic.DefaultACME.CA = s.runtimeConfig.ACMECA
-		certmagic.DefaultACME.TrustedRoots = cp
-		certmagic.DefaultACME.DisableTLSALPNChallenge = true
+		acme.CA = s.runtimeConfig.ACMECA
+		acme.TrustedRoots = cp
+		acme.DisableTLSALPNChallenge = true
 	} else {
 		rc := &redisConfig{}
 		_, err = conf.Parse("REDIS", rc)
@@ -76,8 +79,7 @@ func (s *Server) serveTLS() (err error) {
 			return errors.WithMessage(err, "could not parse PowerDNS ACME config")
 		}
 
-		certmagic.DefaultACME.CA = certmagic.LetsEncryptProductionCA
-		certmagic.DefaultACME.DNS01Solver = &certmagic.DNS01Solver{
+		acme.DNS01Solver = &certmagic.DNS01Solver{
 			DNSManager: certmagic.DNSManager{
 				DNSProvider: pdns,
 				Logger:      certmagic.Default.Logger,
@@ -115,7 +117,7 @@ func (s *Server) serveTLS() (err error) {
 		httpMux := http.NewServeMux()
 		httpMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 			if certmagic.LooksLikeHTTPChallenge(r) &&
-				certmagic.DefaultACME.HandleHTTPChallenge(w, r) {
+				acme.HandleHTTPChallenge(w, r) {
 				return
 			}
 			url := r.URL
@@ -156,11 +158,11 @@ func (s *Server) serveTLS() (err error) {
 		"https_port",
 		s.runtimeConfig.TLSPort,
 	)
-	err = certmagic.ManageAsync(context.TODO(), certificateDomains)
+	err = cfg.ManageAsync(context.TODO(), certificateDomains)
 	if err != nil {
 		return errors.WithMessage(err, "could not enable TLS")
 	}
-	tlsConfig := certmagic.NewDefault().TLSConfig()
+	tlsConfig := cfg.TLSConfig()
 	tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)
 
 	sln, err := listenfd.GetListenerTLS(