-rw-r--r-- | internal/server/tls.go | 54 |
1 files changed, 21 insertions, 33 deletions
diff --git a/internal/server/tls.go b/internal/server/tls.go
index 716495c..8e7ba31 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -36,10 +36,11 @@ func (s *Server) serveTLS() (err error) {
 // setting cfg.Logger is too late somehow
 certmagic.Default.Logger = log.GetLogger().Named("certmagic")
- cfg := certmagic.NewDefault()
- cfg.DefaultServerName = s.config.Domains[0]
-
- var issuer *certmagic.ACMEIssuer
+ certmagic.DefaultACME.Agreed = true
+ certmagic.DefaultACME.Email = s.config.Email
+ certmagic.DefaultACME.ListenHost = s.runtimeConfig.ListenAddress
+ certmagic.DefaultACME.AltHTTPPort = s.runtimeConfig.Port
+ certmagic.DefaultACME.AltTLSALPNPort = s.runtimeConfig.TLSPort
 if s.runtimeConfig.Development {
 ca := s.runtimeConfig.ACMECA
@@ -58,17 +59,11 @@ func (s *Server) serveTLS() (err error) {
 }
 // caddy's ACME server (step-ca) doesn't specify an OCSP server
- cfg.OCSP.DisableStapling = true
-
- issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
- CA: s.runtimeConfig.ACMECA,
- TrustedRoots: cp,
- DisableTLSALPNChallenge: true,
- ListenHost: s.runtimeConfig.ListenAddress,
- AltHTTPPort: s.runtimeConfig.Port,
- AltTLSALPNPort: s.runtimeConfig.TLSPort,
- Logger: certmagic.Default.Logger,
- })
+ certmagic.Default.OCSP.DisableStapling = true
+
+ certmagic.DefaultACME.CA = s.runtimeConfig.ACMECA
+ certmagic.DefaultACME.TrustedRoots = cp
+ certmagic.DefaultACME.DisableTLSALPNChallenge = true
 } else {
 rc := &redisConfig{}
 _, err = conf.Parse("REDIS", rc)
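Review bot: The first hunk drops `cfg.DefaultServerName = s.config.Domains[0]` without a replacement, so connections whose ClientHello carries no SNI (plain-IP or legacy clients) no longer have a fallback name when certmagic selects a certificate; if that behaviour is still wanted, keep it on the shared config as `certmagic.Default.DefaultServerName = s.config.Domains[0]` next to the Logger assignment. The rewrite also moves every setting from a locally owned `*certmagic.Config`/`*ACMEIssuer` to the package-global `certmagic.Default`/`certmagic.DefaultACME`, which any other certmagic caller in this process now inherits and which makes the order of assignments relative to the later `NewDefault()`/`ManageAsync` calls load-bearing; a short comment on the `certmagic.Default.Logger` line stating that everything below configures process-wide defaults that are snapshotted at those calls would help the next reader. serveTLS starts before and continues past both hunks.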
@@ -82,20 +77,13 @@ func (s *Server) serveTLS() (err error) {
 return errors.WithMessage(err, "could not parse PowerDNS ACME config")
 }
- issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
- CA: certmagic.LetsEncryptProductionCA,
- Email: s.config.Email,
- Agreed: true,
- Logger: certmagic.Default.Logger,
- DisableHTTPChallenge: true,
- DisableTLSALPNChallenge: true,
- DNS01Solver: &certmagic.DNS01Solver{
- DNSManager: certmagic.DNSManager{
- DNSProvider: pdns,
- Logger: certmagic.Default.Logger,
- },
+ certmagic.DefaultACME.CA = certmagic.LetsEncryptProductionCA
+ certmagic.DefaultACME.DNS01Solver = &certmagic.DNS01Solver{
+ DNSManager: certmagic.DNSManager{
+ DNSProvider: pdns,
+ Logger: certmagic.Default.Logger,
 },
- })
+ }
 certificateDomains = append(slices.Clone(s.config.Domains), wildcardDomain)
@@ -108,7 +96,7 @@ func (s *Server) serveTLS() (err error) {
 rs.TlsEnabled = rc.TLSEnabled
 rs.TlsInsecure = rc.TLSInsecure
- cfg.Storage = rs
+ certmagic.Default.Storage = rs
 err = rs.Provision(caddy.Context{
 Context: context.Background(),
 })
@@ -116,7 +104,6 @@ func (s *Server) serveTLS() (err error) {
 return errors.WithMessage(err, "could not provision redis storage")
 }
 }
- cfg.Issuers[0] = issuer
 ln, err := listenfd.GetListener(
 1,
@@ -130,7 +117,8 @@ func (s *Server) serveTLS() (err error) {
 go func(ln net.Listener, srv *http.Server) {
 httpMux := http.NewServeMux()
 httpMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
- if certmagic.LooksLikeHTTPChallenge(r) && issuer.HandleHTTPChallenge(w, r) {
+ if certmagic.LooksLikeHTTPChallenge(r) &&
+ certmagic.DefaultACME.HandleHTTPChallenge(w, r) {
 return
 }
 url := r.URL
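Review bot: The production branch in the first hunk here no longer sets `DisableHTTPChallenge: true` and `DisableTLSALPNChallenge: true`; on `certmagic.DefaultACME` those flags are only set in the development branch, so the HTTP-01 and TLS-ALPN-01 solvers become available for the production issuer alongside the DNS-01 solver, and the `ListenHost`/`AltHTTPPort`/`AltTLSALPNPort` values assigned globally in the earlier hunk now apply to it too. The wildcard entry in `certificateDomains` can only be satisfied by DNS-01, but the plain names can now be attempted over the other challenge types through the public listener, which is a behavioural widening the commit message does not mention. If DNS-only issuance was deliberate, restore it in the else branch with `certmagic.DefaultACME.DisableHTTPChallenge = true` and `certmagic.DefaultACME.DisableTLSALPNChallenge = true`; if the widening is intended, a one-line comment saying so would stop the next reader from reintroducing the flags. serveTLS continues outside these hunks.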
@@ -167,11 +155,11 @@ func (s *Server) serveTLS() (err error) {
 "https_port", s.runtimeConfig.TLSPort,
 )
- err = cfg.ManageAsync(context.TODO(), certificateDomains)
+ err = certmagic.ManageAsync(context.TODO(), certificateDomains)
 if err != nil {
 return errors.WithMessage(err, "could not enable TLS")
 }
- tlsConfig := cfg.TLSConfig()
+ tlsConfig := certmagic.NewDefault().TLSConfig()
 tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)
 sln, err := listenfd.GetListenerTLS( |
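Review bot: `tlsConfig := certmagic.NewDefault().TLSConfig()` builds a second, independent copy of `certmagic.Default` from the one `certmagic.ManageAsync` creates for itself, whereas the old code served from the very `cfg` that managed the certificates; this only works because both copies are taken after all the global assignments above and, as far as I can tell from this hunk, share certmagic's default certificate cache, which is easy to break by reordering. Suggest capturing one snapshot and reusing it, e.g. `cfg := certmagic.NewDefault()` before the `ManageAsync` call and then `tlsConfig := cfg.TLSConfig()`, or at least a comment on the `NewDefault()` line explaining why a fresh copy is acceptable here. serveTLS continues past the end of this hunk.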