Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-04-08 02:01:48 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

caddyfile: Add renewal_window_ratio global option and tls subdirective (#7473)
Some checks failed
Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 15s
Details
Tests / test (s390x on IBM Z) (push) Has been skipped
Details
Tests / goreleaser-check (push) Has been skipped
Details
Cross-Build / build (~1.26.0, 1.26, aix) (push) Failing after 14s
Details
Cross-Build / build (~1.26.0, 1.26, darwin) (push) Failing after 14s
Details
Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Failing after 15s
Details
Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Failing after 15s
Details
Cross-Build / build (~1.26.0, 1.26, illumos) (push) Failing after 15s
Details
Cross-Build / build (~1.26.0, 1.26, linux) (push) Failing after 14s
Details
Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Failing after 25s
Details
Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Failing after 20s
Details
Cross-Build / build (~1.26.0, 1.26, solaris) (push) Failing after 15s
Details
Cross-Build / build (~1.26.0, 1.26, windows) (push) Failing after 34s
Details
Lint / lint (ubuntu-latest, linux) (push) Failing after 15s
Details
Lint / govulncheck (push) Successful in 1m32s
Details
Lint / dependency-review (push) Failing after 16s
Details
OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 24s
Details
Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled
Details
Lint / lint (macos-14, mac) (push) Has been cancelled
Details
Lint / lint (windows-latest, windows) (push) Has been cancelled
Details

Browse Source 
* caddyfile: Add renewal_window_ratio global option

Adds support for configuring the TLS certificate renewal window ratio
directly in the Caddyfile global options block. This allows users to
customize when certificates should be renewed without needing to use
JSON configuration.

Example usage:
    {
        renewal_window_ratio 0.1666
    }

Fixes #7467

* caddyfile: Add renewal_window_ratio to tls directive and tests

Adds support for renewal_window_ratio in the tls directive (not just
global options) and adds caddyfile adapt tests for both the global
option and tls directive.

* fix: inherit global renewal_window_ratio in site policies

* fix: correct test expected output for policy consolidation

* fix: properly inherit global renewal_window_ratio without removing other code
This commit is contained in:
mehrdadbn9 2026-02-14 01:17:02 +03:30 committed by GitHub
parent 6718bd470f
commit 929d0e502a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 160 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
caddyconfig/httpcaddyfile/builtins.go
View File

@ -113,6 +113,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
// issuer <module_name> [...]
// get_certificate <module_name> [...]
// insecure_secrets_log <log_file>
// renewal_window_ratio <ratio>
// }
func parseTLS(h Helper) ([]ConfigValue, error) {
h.Next() // consume directive name
@ -129,6 +130,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
var onDemand bool
var reusePrivateKeys bool
var forceAutomate bool
var renewalWindowRatio float64
// Track which DNS challenge options are set
var dnsOptionsSet []string
@ -473,6 +475,20 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
}
cp.InsecureSecretsLog = h.Val()
case "renewal_window_ratio":
arg := h.RemainingArgs()
if len(arg) != 1 {
return nil, h.ArgErr()
}
ratio, err := strconv.ParseFloat(arg[0], 64)
if err != nil {
return nil, h.Errf("parsing renewal_window_ratio: %v", err)
}
if ratio <= 0 || ratio >= 1 {
return nil, h.Errf("renewal_window_ratio must be between 0 and 1 (exclusive)")
}
renewalWindowRatio = ratio
default:
return nil, h.Errf("unknown subdirective: %s", h.Val())
}
@ -597,6 +613,14 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
})
}
// renewal window ratio
if renewalWindowRatio > 0 {
configVals = append(configVals, ConfigValue{
Class: "tls.renewal_window_ratio",
Value: renewalWindowRatio,
})
}
// if enabled, the names in the site addresses will be
// added to the automation policies
if forceAutomate {

20
caddyconfig/httpcaddyfile/options.go
View File

@ -65,6 +65,7 @@ func init() {
RegisterGlobalOption("persist_config", parseOptPersistConfig)
RegisterGlobalOption("dns", parseOptDNS)
RegisterGlobalOption("ech", parseOptECH)
RegisterGlobalOption("renewal_window_ratio", parseOptRenewalWindowRatio)
}
func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil }
@ -624,3 +625,22 @@ func parseOptECH(d *caddyfile.Dispenser, _ any) (any, error) {
return ech, nil
}
func parseOptRenewalWindowRatio(d *caddyfile.Dispenser, _ any) (any, error) {
d.Next() // consume option name
if !d.Next() {
return 0, d.ArgErr()
}
val := d.Val()
ratio, err := strconv.ParseFloat(val, 64)
if err != nil {
return 0, d.Errf("parsing renewal_window_ratio: %v", err)
}
if ratio <= 0 || ratio >= 1 {
return 0, d.Errf("renewal_window_ratio must be between 0 and 1 (exclusive)")
}
if d.Next() {
return 0, d.ArgErr()
}
return ratio, nil
}

13
caddyconfig/httpcaddyfile/tlsapp.go
View File

@ -143,6 +143,12 @@ func (st ServerType) buildTLSApp(
ap.KeyType = keyTypeVals[0].Value.(string)
}
if renewalWindowRatioVals, ok := sblock.pile["tls.renewal_window_ratio"]; ok {
ap.RenewalWindowRatio = renewalWindowRatioVals[0].Value.(float64)
} else if globalRenewalWindowRatio, ok := options["renewal_window_ratio"]; ok {
ap.RenewalWindowRatio = globalRenewalWindowRatio.(float64)
}
// certificate issuers
if issuerVals, ok := sblock.pile["tls.cert_issuer"]; ok {
var issuers []certmagic.Issuer
@ -607,7 +613,8 @@ func newBaseAutomationPolicy(
_, hasLocalCerts := options["local_certs"]
keyType, hasKeyType := options["key_type"]
ocspStapling, hasOCSPStapling := options["ocsp_stapling"]
hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling
renewalWindowRatio, hasRenewalWindowRatio := options["renewal_window_ratio"]
hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling || hasRenewalWindowRatio
globalACMECA := options["acme_ca"]
globalACMECARoot := options["acme_ca_root"]
@ -654,6 +661,10 @@ func newBaseAutomationPolicy(
ap.OCSPOverrides = ocspConfig.ResponderOverrides
}
if hasRenewalWindowRatio {
ap.RenewalWindowRatio = renewalWindowRatio.(float64)
}
return ap, nil
}

41
caddytest/integration/caddyfile_adapt/renewal_window_ratio_global.caddyfiletest Normal file
View File

@ -0,0 +1,41 @@
{
renewal_window_ratio 0.1666
}
example.com {
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"example.com"
]
}
],
"terminal": true
}
]
}
}
},
"tls": {
"automation": {
"policies": [
{
"renewal_window_ratio": 0.1666
}
]
}
}
}
}

63
caddytest/integration/caddyfile_adapt/renewal_window_ratio_tls_directive.caddyfiletest Normal file
View File

@ -0,0 +1,63 @@
{
renewal_window_ratio 0.1666
}
a.example.com {
tls {
renewal_window_ratio 0.25
}
}
b.example.com {
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"a.example.com"
]
}
],
"terminal": true
},
{
"match": [
{
"host": [
"b.example.com"
]
}
],
"terminal": true
}
]
}
}
},
"tls": {
"automation": {
"policies": [
{
"subjects": [
"a.example.com"
],
"renewal_window_ratio": 0.25
},
{
"renewal_window_ratio": 0.1666
}
]
}
}
}
}