tls.go
package netserver
import (
"fmt"
"github.com/caddyserver/caddy"
"github.com/caddyserver/caddy/caddytls"
"github.com/mholt/certmagic"
)
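// activateTLS runs the automatic-TLS activation steps for every config held by
// the *netContext behind cctx, following the server-type plugin guide at
// https://github.com/caddyserver/caddy/wiki/Writing-a-Plugin:-Server-Type#automatic-tls
// (the numbered comments below correspond to the steps in that guide).
//
// In order it marks qualifying configs as managed, obtains a certificate for
// each managed config, enables TLS on them and loads their certificates into
// the certificate cache, fills in default TLS parameters, and finally (unless
// this process is an upgrade) renews any managed certificates that need it.
//
// It returns an error if cctx is not a *netContext, or the first error
// reported by certificate obtention, caching or renewal; configs after the
// failing one are left untouched.
func activateTLS(cctx caddy.Context) error {
	// The operator is considered present when caddy.Started() == false.
	operatorPresent := !caddy.Started()

	// 1. Prints a message to stdout, "Activating privacy features..." (if the
	// operator is present; i.e. caddy.Started() == false) because the process
	// can take a few seconds.
	if !caddy.Quiet && operatorPresent {
		fmt.Print("Activating privacy features...")
	}

	// Checked assertion rather than a bare one: a wrong context type is a
	// programming error, but returning it beats panicking during startup.
	ctx, ok := cctx.(*netContext)
	if !ok {
		return fmt.Errorf("activateTLS: unexpected context type %T, want *netContext", cctx)
	}

	// 2. Sets the Managed field to true on all configs that should be fully managed.
	for _, cfg := range ctx.configs {
		if caddytls.QualifiesForManagedTLS(cfg) {
			cfg.TLS.Managed = true
		}
	}

	// 3. Calls ObtainCert() for each managed config, placing certificates and
	// keys on disk. The nil guards mirror the ones in step 4 so a config without
	// a TLS section cannot panic here. The second argument passes the
	// operator-present flag through to the manager (presumably to allow
	// interactive prompts — confirm against the manager's implementation).
	for _, cfg := range ctx.configs {
		if cfg == nil || cfg.TLS == nil || !cfg.TLS.Managed {
			continue
		}
		if err := cfg.TLS.Manager.ObtainCert(cfg.TLS.Hostname, operatorPresent); err != nil {
			return err
		}
	}

	// 4. Configures the server struct to use the newly-obtained certificates by
	// setting the Enabled field of the TLS config to true and calling
	// CacheManagedCertificate(), which actually loads the cert into memory for use.
	for _, cfg := range ctx.configs {
		if cfg == nil || cfg.TLS == nil || !cfg.TLS.Managed {
			continue
		}
		cfg.TLS.Enabled = true
		if certmagic.HostQualifies(cfg.Hostname) {
			if _, err := cfg.TLS.Manager.CacheManagedCertificate(cfg.Hostname); err != nil {
				return err
			}
		}
		// 5. Calls caddytls.SetDefaultTLSParams() to make sure all the necessary
		// fields have a value: any config values not explicitly set get defaults.
		// Only managed configs reach this point.
		caddytls.SetDefaultTLSParams(cfg.TLS)
	}

	// 6. Renew all relevant certificates that need renewal. This is important to
	// do right away so renewals aren't missed, and so the user can respond to
	// any errors that occur. Skipped when upgrading: the parent process is
	// likely already listening on the ports ACME would need before we finish
	// starting, and it is already running the renewal ticker, so no renewal is
	// missed anyway.
	if !caddy.IsUpgrade() {
		// Instance storage is shared; hold the read lock only for the lookup.
		ctx.instance.StorageMu.RLock()
		certCache, found := ctx.instance.Storage[caddytls.CertCacheInstStorageKey].(*certmagic.Cache)
		ctx.instance.StorageMu.RUnlock()
		if found && certCache != nil {
			if err := certCache.RenewManagedCertificates(); err != nil {
				return err
			}
		}
	}

	if !caddy.Quiet && operatorPresent {
		fmt.Println(" done.")
	}
	return nil
}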