caddytls: Fixes regarding internal-named domains, issuer configs

Should address #7147
2025-11-10 08:36:54 -05:00 · 2025-10-29 15:42:33 -06:00 · 2025-10-29 15:42:33 -06:00 · c3a41434e4
commit c3a41434e4
parent 895b56063a
3 changed files with 19 additions and 13 deletions
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@ -459,7 +459,8 @@ func (st ServerType) buildTLSApp(
 	}

 	// if there are any global options set for issuers (ACME ones in particular), make sure they
-	// take effect in every automation policy that does not have any issuers
+	// take effect in every automation policy that does not have any issuers, by creating one or
+	// more issuers to be iterated in the next step below
 	if tlsApp.Automation != nil {
 		globalEmail := options["email"]
 		globalACMECA := options["acme_ca"]
@ -467,19 +468,20 @@ func (st ServerType) buildTLSApp(
 		_, globalACMEDNS := options["acme_dns"] // can be set to nil (to use globally-defined "dns" value instead), but it is still set
 		globalACMEEAB := options["acme_eab"]
 		globalPreferredChains := options["preferred_chains"]
-		hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS || globalACMEEAB != nil || globalPreferredChains != nil
-		if hasGlobalACMEDefaults {
-			for i := range tlsApp.Automation.Policies {
+		hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil ||
+			globalACMEDNS || globalACMEEAB != nil || globalPreferredChains != nil
+		for i := range tlsApp.Automation.Policies {
+			if hasGlobalACMEDefaults {
 				ap := tlsApp.Automation.Policies[i]
-				if len(ap.Issuers) == 0 && automationPolicyHasAllPublicNames(ap) {
-					// for public names, create default issuers which will later be filled in with configured global defaults
-					// (internal names will implicitly use the internal issuer at auto-https time)
-					emailStr, _ := globalEmail.(string)
-					ap.Issuers = caddytls.DefaultIssuers(emailStr)
-
+				if len(ap.Issuers) == 0 {
 					// if a specific endpoint is configured, can't use multiple default issuers
 					if globalACMECA != nil {
 						ap.Issuers = []certmagic.Issuer{new(caddytls.ACMEIssuer)}
+					} else if automationPolicyHasAllPublicNames(ap) {
+						// for public names, create default issuers which will later be filled in with configured global defaults
+						// (internal names will implicitly use the internal issuer at auto-https time)
+						emailStr, _ := globalEmail.(string)
+						ap.Issuers = caddytls.DefaultIssuers(emailStr)
 					}
 				}
 			}
--- a/caddytest/integration/pki_test.go
+++ b/caddytest/integration/pki_test.go
@ -103,5 +103,5 @@ func TestIntermediateLifetimeLessThanRoot(t *testing.T) {
        }
      }
    }
-	`, "json", "intermediate certificate lifetime must be less than root certificate lifetime (86400h0m0s)")
+	`, "json", "intermediate certificate lifetime must be less than actual root certificate lifetime (86400h0m0s)")
 }
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@ -404,8 +404,12 @@ func (ap *AutomationPolicy) isWildcardOrDefault() bool {
 // DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults.
 // This function is experimental and has no compatibility promises.
 func DefaultIssuers(userEmail string) []certmagic.Issuer {
-	issuers := []certmagic.Issuer{new(ACMEIssuer)}
-	if strings.TrimSpace(userEmail) != "" {
+	issuers := []certmagic.Issuer{
+		&ACMEIssuer{
+			Email: userEmail,
+		},
+	}
+	if strings.TrimSpace(userEmail) != "" { // ZeroSSL requires an email address
 		issuers = append(issuers, &ACMEIssuer{
 			CA:    certmagic.ZeroSSLProductionCA,
 			Email: userEmail,