There is an option to manage the certificate myself?

job_noam · January 31, 2022, 6:49am

Hi,

I already have a certificate manager that creates and renews my certificates.
I’m importing those certificates into my CDN and I also want to import them to another Caddy envierments.
It’s more than 50K domains so I can’t use the custom SSL feature on Caddy.
What is the best way to do that on Caddy without active the SSL management in Caddy?

Thanks a lot,
Noam

francislavoie · January 31, 2022, 7:02am

I’m not sure I understand what you mean. What’s the problem here?

Do you realize you can specify the cert and key to use explicitly with the tls directive?

It sounds like this WIP feature might be useful for you though:

github.com/caddyserver/caddy

caddytls: Support custom GetCertificate modules (like Tailscale)

caddyserver:master ← caddyserver:getcert

opened 12:17AM - 22 Jan 22 UTC

mholt

+450 -158

Sometimes there are external tools or services that are managing certificates wh…ere we just need to call `GetCertificate()` during a handshake. The implementer of that function takes care of caching, renewal logic, etc. This adds support for `CertificateGetter` modules, in the `tls.get_certificate` namespace. These differ from Issuer modules in that `Issue()` takes a CSR, whereas `GetCertificate()` takes a `*tls.ClientHelloInfo`. Also, using an Issuer implies that Caddy/CertMagic also generate and manage the private key, AND store the certificate and key in storage, since we're the ones maintaining the cert. In the case of GetCertificate, we don't want to be bothered about private keys or persisting in storage; we just want a cert. So basically, we use Issuers when we claim that we're managing the certificate. And we use `CustomGetCertificate` only to get a certificate from something we know is managing it for us. The return value of our `GetCertificate()` is optional. If it returns nil+nil, it is passed by as if it was not specified at all; thus could fall back to traditional Issuer management for a name. Specifying a certificate getter module implicitly enables On-Demand TLS for that policy (as if `on_demand: true` was set) because certificates given by `GetCertificate()` have to be called during a handshake. Our `GetCertificate()` signature is slightly different from `tls.Config.GetCertificate` in that it adds a `bool` middle return value, which if true, tells CertMagic to add the certificate to its cache. Once cached, the module's `GetCertificate()` will only be called again once the cert nears expiration. Modules should return `false` for this value if they want to be called for every single TLS handshake. This initial implementation integrates natively with [Tailscale](https://tailscale.com/blog/tls-certs/), although it requires being run as root or as a regular user that has access to the Tailscale socket. I'm still learning about this. Here's an example automation policy for using Tailscale certs: ```json { "subjects": ["yourhost.your-alias.ts.net"], "get_certificate": { "via": "tailscale" } } ``` Or as a Caddyfile: ``` tls { get_certificate tailscale } ``` A follow-up commit may also add support for an HTTP getter, to download the cert over HTTP. This feature will remain experimental (and subject to change) even after being released, as we learn about it from experience. Will be adding Caddyfile support soon, too. Huge thanks to Tailscale for making this feature possible! Excited to release this and share more about it. /cc @bradfitz TODO: - [x] Figure out why go.sum blew up (why is smallstep adding kms now, on this branch? :thinking: ) Builds on https://github.com/caddyserver/certmagic/pull/163

system · March 2, 2022, 6:50am

This topic was automatically closed after 30 days. New replies are no longer allowed.