caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

ZeroSSL Issuer can't use dns_challenge_override_domain #6348

Closed W0n9 closed 4 months ago

W0n9 commented 4 months ago

When I updated from v2.7.6 to v2.8.0, it raised an error

$ caddy_v2.8.0 validate
2024/05/30 03:12:59.439 INFO    using adjacent Caddyfile
2024/05/30 03:12:59.439 INFO    using config from file  {"file": "Caddyfile"}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': unrecognized zerossl issuer property: dns_challenge_override_domain, at Caddyfile:6

Here is my Caddyfile

example.com {
    reverse_proxy 127.0.0.1
    tls {
        # dns_challenge_override_domain acme.example.com
        issuer zerossl apikey {
            dns_challenge_override_domain acme.example.com
        }
    }
}

But it works with v2.7.6

$ caddy_v2.7.6 validate
2024/05/30 03:14:09.948 INFO    using provided configuration    {"config_file": "Caddyfile", "config_adapter": ""}
2024/05/30 03:14:09.950 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00051dc80"}
2024/05/30 03:14:09.950 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/05/30 03:14:09.950 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2024/05/30 03:14:09.951 INFO    tls.cache.maintenance   stopped background certificate maintenance      {"cache": "0xc00051dc80"}
Valid configuration

And when I modify the Caddyfile to this, v2.8.0 works

example.com {
    reverse_proxy 127.0.0.1
    tls {
        dns_challenge_override_domain acme.example.com
        # issuer zerossl apikey {
        #   dns_challenge_override_domain acme.example.com
        # }
    }
}
$ caddy_v2.8.0 validate
2024/05/30 03:20:58.767 INFO    using adjacent Caddyfile
2024/05/30 03:20:58.768 INFO    using config from file  {"file": "Caddyfile"}
2024/05/30 03:20:58.769 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2024/05/30 03:20:58.769 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000345a80"}
2024/05/30 03:20:58.769 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/05/30 03:20:58.770 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2024/05/30 03:20:58.770 INFO    tls.cache.maintenance   stopped background certificate maintenance      {"cache": "0xc000345a80"}
Valid configuration

But when I tried to use zerossl with dns_challenge_override_domain, it still raised an error

example.com {
    reverse_proxy 127.0.0.1
    tls {
        dns_challenge_override_domain acme.example.com
        issuer zerossl apikey
    }
}
$ caddy_v2.8.0 validate
2024/05/30 03:23:30.519 INFO    using adjacent Caddyfile
2024/05/30 03:23:30.519 INFO    using config from file  {"file": "Caddyfile"}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': cannot mix issuer subdirective (explicit issuers) with other issuer-specific subdirectives (implicit issuers), at Caddyfile:6

Maybe it is about this? https://github.com/caddyserver/caddy/blob/e6f46c8d78b77d0aefe50750dfd6f6a18ba138e5/modules/caddytls/zerosslissuer.go#L127-L137

francislavoie commented 4 months ago

See the release notes: the zerossl issuer no longer uses ACME (it now uses their API), so any ACME-related config is no longer valid.

W0n9 commented 4 months ago

Hi @francislavoie, I do use an API key for the ZeroSSL Issuer. But how can I use the zerossl issuer with domain delegation in this situation?

francislavoie commented 4 months ago

I don't see how domain delegation makes sense if you're using ZeroSSL's API. Domain delegation is specifically only needed for the ACME DNS challenge because domain verification is done via DNS queries. If you're using ZeroSSL's API, then none of the ACME challenges apply.

If you want to continue using ZeroSSL's ACME, then use the acme module with the ca configured to ZeroSSL's URL, and use EAB to authenticate. See the release notes, which explain.
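The configuration this reply describes, written out as an added example (not a config from this issue or from the Caddy project): the ACME issuer pointed at ZeroSSL's ACME directory, EAB credentials for authentication, and domain delegation kept as a subdirective of that issuer. The directory URL, the environment variable names, and the cloudflare DNS plugin are assumptions; verify them against the v2.8.0 release notes and ZeroSSL's documentation.

```caddyfile
example.com {
    reverse_proxy 127.0.0.1

    tls {
        # v2.8.0 rejects this (the zerossl issuer no longer speaks ACME):
        #
        #   issuer zerossl {env.ZEROSSL_API_KEY} {
        #       dns_challenge_override_domain acme.example.com
        #   }
        #
        # Use the generic acme issuer against ZeroSSL's ACME endpoint instead.
        issuer acme {
            # Assumed directory URL; check ZeroSSL's docs for the current value.
            dir https://acme.zerossl.com/v2/DV90

            # External Account Binding: key ID and HMAC key from the ZeroSSL
            # dashboard. Read from the environment so the secret never sits
            # in the Caddyfile itself (placeholder names are assumptions).
            eab {env.ZEROSSL_EAB_KEY_ID} {env.ZEROSSL_EAB_MAC_KEY}

            # DNS challenge via a provider plugin (assumed: caddy-dns/cloudflare).
            dns cloudflare {env.CLOUDFLARE_API_TOKEN}

            # Delegation: _acme-challenge.example.com is a CNAME to
            # acme.example.com, so the TXT record is written there and the
            # DNS token only needs write access to that delegated zone.
            dns_challenge_override_domain acme.example.com
        }
    }
}
```

Run `caddy validate` after the change to confirm the adapter accepts the issuer block before reloading.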

W0n9 commented 4 months ago

I see!!! Thank you. Before v2.8.0, Caddy just used the zerossl API to generate the EAB credentials to use ACME. ref: https://github.com/caddyserver/caddy/pull/6229/commits/bbb6344ee99d61dd6fb8abb353c831046978acf4#diff-86c7d385b669cc8420f1bf112bf546b74292e843d8c76b9d333fbde25ee6ed77