* caddypki: Add support for multiple intermediates in signing chain
* Move intermediate lifetime configuration check
In #7272 a check was changed to ensure that generated intermediate
certificates would always use a lifetime that falls within the
lifetime of the root. However, when a root and intermediate(s)
are supplied, the configuration value was being used instead of
the actual lifetimes of the certificates. The check was moved to
only be performed when an intermediate is generated; not when
loaded from disk.
* Add tests for `pemDecodeCertificateChain` and `pemDecodeCertificate`
* Use `crypto.Signer` instead of `any` in appropriate places
* Use latest Smallstep packages
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddytls: correct documentation of `LeafFolderLoader`
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* fmt...
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* client_auth: wire up leaf verifier Caddyfile
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* review feedback + tests
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* chore: upgrade .golangci.yml and workflow to v2
run `golangci-lint fmt`
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* run `golangci-lint run --fix`
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* more lint fixes
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* bring back comments to .golangci.yml
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* appease the linter some more
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* oops
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* use embedded structs
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* use embedded structs where they were used before
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* disable rule `-QF1006`
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* missed a spot
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* caddytls: Prefer managed wildcard certs over individual subdomain certs
* Repurpose force_automate as no_wildcard
* Fix a couple bugs
* Restore force_automate and use automate loader as wildcard override
* core: add modular `network_proxy` support
Co-authored-by: @ImpostorKeanu
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* move modules around
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* add caddyfile implementation
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* address feedbcak
* Apply suggestions from code review
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* adapt ForwardProxyURL to use the NetworkProxyRaw
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* remove redundant `url` in log
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* code review
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* remove `.source` from the module ID
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Publishing a DNS record for a name that doesn't have any could make wildcards ineffective, which would be surprising for site owners and could lead to downtime.
* caddytls: Initial commit of Encrypted ClientHello (ECH)
* WIP Caddyfile
* Fill out Caddyfile support
* Enhance godoc comments
* Augment, don't overwrite, HTTPS records
* WIP
* WIP: publication history
* Fix republication logic
* Apply global DNS module to ACME challenges
This allows DNS challenges to be enabled without locally-configured DNS modules
* Ignore false positive from prealloc linter
* ci: Use only latest Go version (1.24 currently)
We no longer support older Go versions, for security benefits.
* Remove old commented code
Static ECH keys for now
* Implement SendAsRetry
* caddyhttp: Add `MatchWithError` to replace SetVar hack
* Error in IP matchers on TLS handshake not complete
* Use MatchWithError everywhere possible
* Move implementations to MatchWithError versions
* Looser interface checking to allow fallback
* CEL factories can return RequestMatcherWithError
* Clarifying comment since it's subtle that an err is returned
* Return 425 Too Early status in IP matchers
* Keep AnyMatch signature the same for now
* Apparently Deprecated can't be all-uppercase to get IDE linting
* Linter
* caddytls: Support new tls.context module
This allows modules to manipulate the context passed into CertMagic's GetCertificate function, which can be useful for tracing/metrics, or other
custom logic.
This is experimental and may resolve the request of a sponsor, so we'll see how it goes!
* Derpy derp
