caddyserver / certmagic

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
https://pkg.go.dev/github.com/caddyserver/certmagic?tab=doc
Apache License 2.0

How to Config for On-Demand Wildcard Certificates #319

Open rjbasitali opened 1 week ago

rjbasitali commented 1 week ago

What is your question?

I have a proxy server that uses certmagic to issue on-demand TLS certificates. The on-demand function checks a cache/database to decide whether the domain is allowed, so the TLS certificate is either issued or denied, and this works perfectly fine.

Now, I have to add support for issuing on-demand wildcard certificates, and I'm using the same on-demand function to decide if the domain name is allowed to have a wildcard certificate and to get the DNS provider config for it from the cache/database, so I can use the appropriate libdns implementation (e.g. godaddy) to issue the wildcard using the DNS challenge.

What have you already tried?

I've tried calling the following function from my on-demand function if a domain is allowed to have a wildcard, but it doesn't trigger anything (creation of certificate or errors):

// Imports needed by the snippet (assumed; not shown in the original post).
import (
	"context"

	"github.com/caddyserver/certmagic"
	"github.com/libdns/godaddy"
)

// apiKey, cfg and srv come from the surrounding proxy code (not shown).
func wildcard() error {
	config := certmagic.NewDefault()

	// ACME issuer restricted to the DNS-01 challenge, the only challenge
	// type that can validate a wildcard name.
	dnsACME := certmagic.NewACMEIssuer(config, certmagic.ACMEIssuer{
		DNS01Solver: &certmagic.DNS01Solver{
			DNSManager: certmagic.DNSManager{
				DNSProvider: &godaddy.Provider{
					APIToken: apiKey,
				},
				Logger: srv.Logger,
			},
		},
		Email:                   cfg.CertEmail,
		CA:                      cfg.CertCA,
		Agreed:                  true,
		DisableHTTPChallenge:    true,
		DisableTLSALPNChallenge: true,
		Logger:                  srv.Logger,
	})

	config.Issuers = []certmagic.Issuer{dnsACME}

	// On-demand mode: nothing is issued until a TLS handshake for the name
	// reaches a server using this config. This decision func allows every name.
	config.OnDemand = &certmagic.OnDemandConfig{
		DecisionFunc: func(ctx context.Context, name string) error {
			return nil
		},
	}

	return config.ManageAsync(context.Background(), "*.xyz.com")
}

In the on-demand function I return an error errors.New("managing wildcard certificate async") so it doesn't continue issuing a TLS certificate for abc.xyz.com and instead creates a wildcard certificate for *.xyz.com in the above function.

Bonus: What do you use this package for, and does it help you?

I'm using it in a custom reverse proxy written in Go and it has really helped me for the past years, as this reverse proxy also needs to provision the TLS certificates.

mholt commented 1 day ago

I guess I don't understand a few things.

Now, I have to add support for issuing on-demand wildcard certificates

What is your use case for on-demand wildcard certificates? That seems unusual to me.

I've tried calling the following function from my on-demand function if a domain is allowed to have a wildcard, but it doesn't trigger anything

That function starts managing a wildcard domain asynchronously with on-demand enabled, which means that it won't "trigger" anything until a TLS server associated with that config receives a handshake for a domain name in its SNI, but the SNI will never be a wildcard.🤷‍♂
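To make the point above concrete: the on-demand decision only ever sees the literal name from the client's SNI, so a wildcard name managed with OnDemand enabled never gets a matching handshake. The added example below (not certmagic's or the poster's code) derives the covering wildcard from a concrete SNI name, takes the allow/deny decision on that name with a func of the same shape as OnDemandConfig.DecisionFunc, and checks with the standard library's x509 matching that a *.xyz.com certificate does serve abc.xyz.com. The allow-list map stands in for the poster's cache/database lookup, and the certificate value is constructed, not a real signed certificate.

```go
package main

import (
	"context"
	"crypto/x509"
	"errors"
	"strings"
)

// wildcardFor maps the concrete name a client sends in SNI to the one-label
// wildcard that would cover it ("abc.xyz.com" -> "*.xyz.com"). It returns ""
// when no sensible wildcard exists ("xyz.com" would need "*.com").
func wildcardFor(sni string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(sni, ".")), ".")
	if len(labels) < 3 {
		return ""
	}
	return "*." + strings.Join(labels[1:], ".")
}

// newDecisionFunc returns a function with the shape of certmagic's
// OnDemandConfig.DecisionFunc. allowedWildcards is an assumed stand-in for
// the poster's cache/database lookup. The decision always runs on the
// concrete SNI name; a wildcard never arrives here.
func newDecisionFunc(allowedWildcards map[string]bool) func(context.Context, string) error {
	return func(_ context.Context, name string) error {
		if strings.HasPrefix(name, "*.") {
			return errors.New("SNI never carries a wildcard: " + name)
		}
		if w := wildcardFor(name); w != "" && allowedWildcards[w] {
			return nil // the wildcard covering this name is allowed
		}
		return errors.New("no allowed wildcard covers " + name)
	}
}

// wildcardCert builds a certificate value carrying only the SAN that matters
// for name matching (constructed, not a real signed certificate).
func wildcardCert(wildcard string) *x509.Certificate {
	return &x509.Certificate{DNSNames: []string{wildcard}}
}

// covers reports whether cert's SANs match the name a client sent in SNI,
// using the same matching rules a TLS client applies (one label only).
func covers(cert *x509.Certificate, sni string) bool {
	return cert.VerifyHostname(sni) == nil
}
```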