caddytls: Allow disabling distributed solving (except http-01)

modules/caddytls/acmeissuer.go

@@ -244,6 +244,9 @@ func (iss *ACMEIssuer) makeIssuerTemplate(ctx caddy.Context) (certmagic.ACMEIssu
 			template.DNS01Solver = iss.Challenges.DNS.solver
 		}
 		template.ListenHost = iss.Challenges.BindHost
+		if iss.Challenges.Distributed != nil {
+			template.DisableDistributedSolvers = !*iss.Challenges.Distributed
+		}
 	}
 
 	if iss.PreferredChains != nil {
@@ -480,6 +483,20 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 			}
 			iss.Challenges.TLSALPN.Disabled = true
 
+		case "distributed":
+			if !d.NextArg() {
+				return d.ArgErr()
+			}
+			if d.Val() != "false" {
+				return d.Errf("only accepted value is 'false'")
+			}
+			if iss.Challenges == nil {
+				iss.Challenges = new(ChallengesConfig)
+			}
+			if iss.Challenges.Distributed == nil {
+				iss.Challenges.Distributed = new(bool)
+			}
+
 		case "alt_http_port":
 			if !d.NextArg() {
 				return d.ArgErr()

modules/caddytls/automation.go

@@ -456,6 +456,22 @@ type ChallengesConfig struct {
 	// Optionally customize the host to which a listener
 	// is bound if required for solving a challenge.
 	BindHost string `json:"bind_host,omitempty"`
+
+	// Whether distributed solving is enabled. This is
+	// enabled by default, so this is only used to
+	// disable it, which should only need to be done if
+	// you cannot reliably or affordably use storage
+	// backend for writing/distributing challenge info.
+	// (Applies to HTTP and TLS-ALPN challenges.)
+	// If set to false, challenges can only be solved
+	// from the Caddy instance that initiated the
+	// challenge, with the exception of HTTP challenges
+	// initiated with the same ACME account that this
+	// config uses. (Caddy can still solve those challenges
+	// without explicitly writing the info to storage.)
+	//
+	// Default: true
+	Distributed *bool `json:"distributed,omitempty"`
 }
 
 // HTTPChallengeConfig configures the ACME HTTP challenge.