Managers: Ability to call GetCertificate from external certificate sources #163
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Useful if another entity is managing certificates and can provide its own dynamically during handshakes.
1 task
This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine.
Instead of a function
Hostnames are case-insensitive Also add context to GetCertificate
Also minor refactoring and enhancements
|
(I'm pretty much ready to merge this, but I am spending some time double-checking the On-Demand coupling to CustomGetCertificate, since I wonder if it's possible to use CustomGetCertificate without requiring on-demand.) |
And don't cache externally managed certs
mholt
changed the title
|
And that's a wrap! I think. 🙂 Instead of It no longer implicitly enables or requires On-Demand TLS to be enabled; they are orthogonal concepts. Thank you to Tailscale for making this change possible! |
crccw
pushed a commit
to crccw/certmagic
that referenced
this pull request
Feb 23, 2022
…ver#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is useful if another entity is managing certificates and can provide its own certs dynamically during handshakes.
For example, Tailscale's client has a
GetCertificate()function: https://pkg.go.dev/tailscale.com/client/tailscale#GetCertificate