Go API Documentation

github.com/caddyserver/caddy/v2/modules/caddypki/acmeserver

No package summary is available.

Package

Files: 4. Third party imports: 11. Imports from organisation: 0. Tests: 0. Benchmarks: 0.

Constants

Vars

Types

ACMEChallenge

ACMEChallenge is an opaque string that represents supported ACME challenges.

Field name Field type Comment
type

string

No comment on field.

ACMEChallenges

ACMEChallenges is a list of ACME challenges.

Field name Field type Comment
type

[]ACMEChallenge

No comment on field.

Handler

Handler is an ACME server handler.

Field name Field type Comment
CA

string

The ID of the CA to use for signing. This refers to the ID given to the CA in the pki app. If omitted, the default ID is "local".

Lifetime

caddy.Duration

The lifetime for issued certificates

Host

string

The hostname or IP address by which ACME clients will access the server. This is used to populate the ACME directory endpoint. If not set, the Host header of the request will be used. COMPATIBILITY NOTE / TODO: This property may go away in the future. Do not rely on this property long-term; check release notes.

PathPrefix

string

The path prefix under which to serve all ACME endpoints. All other requests will not be served by this handler and will be passed through to the next one. Default: "/acme/". COMPATIBILITY NOTE / TODO: This property may go away in the future, as it is currently only required due to limitations in the underlying library. Do not rely on this property long-term; check release notes.

SignWithRoot

bool

If true, the CA's root will be the issuer instead of the intermediate. This is NOT recommended and should only be used when devices/clients do not properly validate certificate chains. EXPERIMENTAL: Might be changed or removed in the future.

Resolvers

[]string

The addresses of DNS resolvers to use when looking up the TXT records for solving DNS challenges. It accepts network addresses with a port range of exactly one port. If the host is an IP address, it is dialed directly as the upstream resolver. If the host is not an IP address, it is resolved using the name resolution convention of the Go standard library. If the array contains more than one resolver address, one is chosen at random.

Challenges

ACMEChallenges

Specify the set of enabled ACME challenges. An empty or absent value means all challenges are enabled. Accepted values are: "http-01", "dns-01", "tls-alpn-01"

Policy

*Policy

The policy to use for issuing certificates

logger

*zap.Logger

No comment on field.

resolvers

[]caddy.NetworkAddress

No comment on field.

ctx

caddy.Context

No comment on field.

acmeDB

acme.DB

No comment on field.

acmeAuth

*authority.Authority

No comment on field.

acmeClient

acme.Client

No comment on field.

acmeLinker

acme.Linker

No comment on field.

acmeEndpoints

http.Handler

No comment on field.

Policy

Policy defines the criteria the ACME server uses to decide when to issue a certificate. Refer to the Certificate Issuance Policy on the Smallstep website for the evaluation criteria.

Field name Field type Comment
Allow

*RuleSet

If a rule set is configured to allow a certain type of name, all other types of names are automatically denied.

Deny

*RuleSet

If a rule set is configured to deny a certain type of name, all other types of names are still allowed.

AllowWildcardNames

bool

If set to true, the ACME server will allow issuing wildcard certificates.

RuleSet

RuleSet is the specific set of SAN criteria for a certificate to be issued or denied.

Field name Field type Comment
Domains

[]string

Domains is a list of DNS domains for which certificates may be issued. An entry can be an FQDN for a specific domain name, or a wildcard domain name such as *.example.com to allow sub-domains of a domain.

IPRanges

[]string

IP ranges in CIDR notation, or specific IP addresses, to be approved or denied for certificates. Non-CIDR IP addresses are matched exactly.

databaseCloser

This type doesn't have documentation.

Field name Field type Comment
DB

*db.AuthDB

No comment on field.

resolverClient

This type doesn't have documentation.

Field name Field type Comment
(embedded)

acme.Client

No comment on field.

resolver

*net.Resolver

No comment on field.

ctx

context.Context

No comment on field.

Functions

func (*ACMEChallenge) UnmarshalJSON

The unmarshaller first unmarshals the value into a string. Then it trims any surrounding space and lowercases it for normalization. The method does not and should not validate the value against the accepted enum values.

Uses: json.Unmarshal, strings.ToLower, strings.TrimSpace.

func (*Handler) Provision

Provision sets up the ACME server handler.

Uses: acme.NewLinker, acmeNoSQL.New, api.Route, authority.AuthConfig, caddypki.AuthorityConfig, caddypki.DefaultCAID, caddypki.PKI, fmt.Errorf, nosql.DB, provisioner.ACME, provisioner.Claims, provisioner.Duration, provisioner.List, provisioner.Options, provisioner.TypeACME, strings.Trim, time.Duration, time.Hour, time.Minute.

func (ACMEChallenge) String

String returns a string representation of the challenge.

Uses: strings.ToLower.

func (Handler) CaddyModule

CaddyModule returns the Caddy module information.

func (Handler) Cleanup

Cleanup implements caddy.CleanerUpper and closes any idle databases.

Uses: zap.Error, zap.String, zapcore.DebugLevel, zapcore.ErrorLevel.

func (Handler) ServeHTTP

Uses: acme.NewContext, authority.NewContext, strings.HasPrefix.

func (databaseCloser) Destruct

func (resolverClient) LookupTxt

Private functions

func init

func parseACMEServer

parseACMEServer sets up an ACME server handler from Caddyfile tokens.

acme_server [<matcher>] {
	ca        <id>
	lifetime  <duration>
	resolvers <addresses...>
	challenges <challenges...>
	allow_wildcard_names
	allow {
		domains <domains...>
		ip_ranges <addresses...>
	}
	deny {
		domains <domains...>
		ip_ranges <addresses...>
	}
	sign_with_root
}

References: caddypki.CA, httpcaddyfile.ConfigValue.
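As an added example (not taken from the Caddy project's own documentation), the following Caddyfile site block uses the syntax above to run an internal ACME server whose issuance is restricted by policy. The site address, the domain names and the resolver address are constructed placeholders; the directive names, the CA ID "local" and the challenge identifiers are the ones listed on this page.

```caddyfile
# Added example, not from the Caddy project. The site address, the domain
# names and the resolver address are constructed placeholders.
acme.internal.example.com {
	# Serve the ACME directory over HTTPS with a certificate from the internal CA.
	tls internal

	acme_server {
		# CA ID from the pki app; "local" is also the default when omitted.
		ca local

		# Short-lived leaf certificates limit the window in which a leaked key is useful.
		lifetime 24h

		# Enable only the challenge types this deployment can actually satisfy.
		challenges http-01 dns-01

		# Resolver used for dns-01 TXT lookups; each address carries exactly one port.
		resolvers 10.0.0.53:53

		# Allowing one type of name denies every other type: with only
		# "domains" listed here, requests for IP-address SANs are refused.
		allow {
			domains *.internal.example.com
		}

		# Deny rules refuse names that the allow rule would otherwise accept.
		deny {
			domains admin.internal.example.com
		}
	}
}
```

Leaving out sign_with_root keeps the intermediate as the issuer, and leaving out allow_wildcard_names means clients cannot obtain wildcard certificates from this server; both are the conservative defaults documented above.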

func stringToChallenges

func normalizeAllowRules

normalizeAllowRules returns nil if policy is nil, the Allow rule is nil, or all rules within the Allow rule are empty. Otherwise, it returns the X509NameOptions with the content of the Allow rule.

References: policy.X509NameOptions.

func normalizeDenyRules

normalizeDenyRules returns nil if policy is nil, the Deny rule is nil, or all rules within the Deny rule are empty. Otherwise, it returns the X509NameOptions with the content of the Deny rule.

References: policy.X509NameOptions.

func normalizeRules

normalizeRules returns nil if policy is nil, the Allow and Deny rules are nil,

References: provisioner.X509Options.

func validate

validate checks if the given challenge is supported.

References: fmt.Errorf.

func toSmallstepType

References: provisioner.ACMEChallenge.

func validate

validate checks if the given challenges are supported.

func getDatabaseKey

References: strings.ToLower, strings.TrimSpace.

func makeClient

makeClient creates an ACME client which will use a custom resolver instead of net.DefaultResolver.

References: acme.NewClient, context.Context, fmt.Errorf, net.Conn, net.DefaultResolver, net.Dialer, net.Resolver, time.Second, weakrand.Intn.

func openDatabase

References: db.Config, db.New, filepath.Join, fmt.Errorf, os.MkdirAll, zap.String, zapcore.DebugLevel.


Tests

Files: 1. Third party imports: 2. Imports from organisation: 0. Tests: 3. Benchmarks: 0.

Test functions

TestPolicyNormalizeAllowRules

References: policy.X509NameOptions, reflect.DeepEqual, testing.T.

TestPolicy_normalizeDenyRules

References: policy.X509NameOptions, reflect.DeepEqual, testing.T.

TestPolicy_normalizeRules

References: provisioner.X509Options, reflect.DeepEqual, testing.T.