job_noam (Noam), January 31, 2022, 6:49am
Hi,
I already have a certificate manager that creates and renews my certificates.
I’m importing those certificates into my CDN and I also want to import them into other Caddy environments.
It’s more than 50K domains, so I can’t use the custom SSL feature on Caddy.
What is the best way to do that on Caddy without activating the SSL management in Caddy?
Thanks a lot,
Noam
I’m not sure I understand what you mean. What’s the problem here?
Do you realize you can specify the cert and key to use explicitly with the tls directive?
It sounds like this WIP feature might be useful for you though:
caddyserver:master ← caddyserver:getcert (opened 12:17AM - 22 Jan 22 UTC)
Sometimes there are external tools or services that are managing certificates where we just need to call `GetCertificate()` during a handshake. The implementer of that function takes care of caching, renewal logic, etc. This adds support for `CertificateGetter` modules, in the `tls.get_certificate` namespace.
These differ from Issuer modules in that `Issue()` takes a CSR, whereas `GetCertificate()` takes a `*tls.ClientHelloInfo`. Also, using an Issuer implies that Caddy/CertMagic also generate and manage the private key, AND store the certificate and key in storage, since we're the ones maintaining the cert. In the case of GetCertificate, we don't want to be bothered about private keys or persisting in storage; we just want a cert. So basically, we use Issuers when we claim that we're managing the certificate. And we use `CustomGetCertificate` only to get a certificate from something we know is managing it for us.
The return value of our `GetCertificate()` is optional. If it returns nil+nil, it is passed by as if it was not specified at all; thus could fall back to traditional Issuer management for a name.
Specifying a certificate getter module implicitly enables On-Demand TLS for that policy (as if `on_demand: true` was set) because certificates given by `GetCertificate()` have to be called during a handshake.
Our `GetCertificate()` signature is slightly different from `tls.Config.GetCertificate` in that it adds a `bool` middle return value, which if true, tells CertMagic to add the certificate to its cache. Once cached, the module's `GetCertificate()` will only be called again once the cert nears expiration. Modules should return `false` for this value if they want to be called for every single TLS handshake.
This initial implementation integrates natively with [Tailscale](https://tailscale.com/blog/tls-certs/), although it requires being run as root or as a regular user that has access to the Tailscale socket. I'm still learning about this.
Here's an example automation policy for using Tailscale certs:
```json
{
  "subjects": ["yourhost.your-alias.ts.net"],
  "get_certificate": { "via": "tailscale" }
}
```
Or as a Caddyfile:
```
tls {
    get_certificate tailscale
}
```
A follow-up commit may also add support for an HTTP getter, to download the cert over HTTP.
This feature will remain experimental (and subject to change) even after being released, as we learn about it from experience.
Will be adding Caddyfile support soon, too.
Huge thanks to Tailscale for making this feature possible! Excited to release this and share more about it. /cc @bradfitz
TODO:
- [x] Figure out why go.sum blew up (why is smallstep adding kms now, on this branch? :thinking: )
Builds on https://github.com/caddyserver/certmagic/pull/163
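To make the semantics in the PR description concrete (the three-value return where the middle bool controls caching, the nil+nil "not specified" fallback, and re-consulting the getter only once a cached cert nears expiration), here is an added, self-contained Go example. It is not code from Caddy, CertMagic or the linked PR: the `Getter` interface, `externalStore`, `cachingAdapter`, `Demo` and the `*.example.test` names are hypothetical stand-ins, and the certificates are self-signed in memory as constructed test data. A real deployment would hand the adapter's `GetCertificate` method to `tls.Config`, and would fall back to a proper issuer where this example simply returns an error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Getter models the three-value GetCertificate signature the PR text describes:
// the middle bool says whether the caller may cache the returned certificate.
// Hypothetical interface for this example, not Caddy's own module API.
type Getter interface {
	GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, bool, error)
}

// externalStore stands in for a certificate manager that already owns the
// certs (keys, renewal, storage) for many names. Constructed for this example.
type externalStore struct {
	certs map[string]*tls.Certificate
	calls int // how many times the external manager was consulted
}

func (s *externalStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, bool, error) {
	s.calls++
	cert, ok := s.certs[hello.ServerName]
	if !ok {
		return nil, false, nil // nil+nil: "not specified", caller may fall back to its issuer
	}
	return cert, true, nil // true: may be cached until the cert nears expiration
}

// cachingAdapter exposes a Getter as a plain tls.Config.GetCertificate func,
// caching cacheable certs and re-consulting the getter as they near expiry.
type cachingAdapter struct {
	getter  Getter
	renewAt time.Duration // re-query the getter when this close to NotAfter
	now     func() time.Time
	mu      sync.Mutex
	cache   map[string]*tls.Certificate
}

func (a *cachingAdapter) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	a.mu.Lock()
	defer a.mu.Unlock()
	if c, ok := a.cache[hello.ServerName]; ok && a.now().Before(c.Leaf.NotAfter.Add(-a.renewAt)) {
		return c, nil // still fresh: the external manager is not consulted
	}
	cert, cacheable, err := a.getter.GetCertificate(hello)
	if err != nil {
		return nil, err
	}
	if cert == nil {
		delete(a.cache, hello.ServerName)
		// A real server would fall back to traditional issuer management here.
		return nil, errors.New("no certificate available for " + hello.ServerName)
	}
	if cacheable && cert.Leaf != nil {
		a.cache[hello.ServerName] = cert
	}
	return cert, nil
}

// selfSigned builds a throwaway in-memory certificate for name (constructed test data).
func selfSigned(name string, notAfter time.Time) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Demo serves three handshakes each for a long-lived and a nearly-expired name,
// then one for an unknown name. It returns how often the external manager was
// consulted and the error from the unknown-name handshake.
func Demo() (int, error) {
	store := &externalStore{certs: map[string]*tls.Certificate{
		"a.example.test": selfSigned("a.example.test", time.Now().Add(90*24*time.Hour)),
		"b.example.test": selfSigned("b.example.test", time.Now().Add(time.Hour)), // inside renewAt
	}}
	adapter := &cachingAdapter{getter: store, renewAt: 24 * time.Hour, now: time.Now,
		cache: map[string]*tls.Certificate{}}
	for i := 0; i < 3; i++ {
		for _, name := range []string{"a.example.test", "b.example.test"} {
			if _, err := adapter.GetCertificate(&tls.ClientHelloInfo{ServerName: name}); err != nil {
				return store.calls, err
			}
		}
	}
	_, err := adapter.GetCertificate(&tls.ClientHelloInfo{ServerName: "unknown.example.test"})
	return store.calls, err // 1 (a, cached) + 3 (b, near expiry) + 1 (unknown) = 5 consultations
}

func main() {
	calls, err := Demo()
	fmt.Printf("external manager consulted %d times; unknown name: %v\n", calls, err)
}
```

The point to take from the run: the long-lived name costs one call to the external manager no matter how many handshakes arrive, the name inside the renewal window is fetched on every handshake (exactly what a module returning `false` for the cache flag would see on all names), and the unknown name surfaces as the nil+nil case that the caller must handle rather than as a crash.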