caddyserver / certmagic

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
https://pkg.go.dev/github.com/caddyserver/certmagic?tab=doc
Apache License 2.0

Config option for what the Caddy ask endpoint protects / DecisionFunc #272

Open franklouwers opened 7 months ago

franklouwers commented 7 months ago

What would you like to have changed?

Being completely unfamiliar with the CertMagic codebase, I am not sure ;) I was asked on the Caddy forum to request a config option for the Ask function / DecisionFunc (https://caddy.community/t/why-is-caddy-forcing-an-on-demand-tls-ask-on-startup-for-certs-where-it-has-a-valid-cert/23018/14).

Why is this feature a useful, necessary, and/or important addition to this project?

In Caddy, even if there's a valid (syntactically + non-expired) cert, if Caddy hasn't cached anything about the on-demand domain (e.g. because Caddy just got restarted), it will contact the Ask endpoint. If that endpoint is down, it will refuse the TLS handshake.

To me, it would make a lot of sense to not contact the Ask service if Caddy can determine there is a cert on-disk which is still valid. I believe that to do that, a DecisionFunc would be needed in CertMagic?

What alternatives are there, or what are you doing in the meantime to work around the lack of this feature?

No idea.

Please link to any relevant issues, pull requests, or other discussions.

Caddy use case and discussion: https://caddy.community/t/why-is-caddy-forcing-an-on-demand-tls-ask-on-startup-for-certs-where-it-has-a-valid-cert/23018/14

franklouwers commented 7 months ago

cc @mholt

mholt commented 7 months ago

Thanks -- yeah, maybe we can make exactly what the DecisionFunc guards configurable.