4a09cf0dc0  Matt Holt  2023-12-07 11:00:02 -07:00
  caddytls: Sync distributed storage cleaning (#5940)
  * caddytls: Log out remote addr to detect abuse
  * caddytls: Sync distributed storage cleaning
  * Handle errors
  * Update certmagic to fix tiny bug
  * Split off port when logging remote IP
  * Upgrade CertMagic

b24ae63ea6  Andreas Kohn  2023-12-07 10:40:13 -07:00
  caddytls: Context to DecisionFunc (#5923)
  See https://github.com/caddyserver/certmagic/pull/255

4173e2c77a  Mohammed Al Sahaf  2023-12-04 09:23:15 -07:00
  tls: accept placeholders in string values of certificate loaders (#5963)
  * tls: loader: accept placeholders in string values
  * appease the linter

289934f3d1  Bas Westerbaan  2023-10-11 13:45:37 -06:00
  tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852)
  … when compiled with cfgo (https://github.com/cloudflare/go).

b377208ede  Matt Holt  2023-08-23 20:47:54 -06:00
  chore: Appease gosec linter (#5777)
  These happen to be harmless memory aliasing, but I guess the linter can't know that and we can't really prove it in general.

d6f86cccf5  Jacob Gadikian  2023-08-14 09:41:15 -06:00
  ci: use gci linter (#5708)
  * use gofumpt to format code
  * use gci to format imports
  * reconfigure gci
  * linter autofixes
  * rearrange imports a little
  * export GOOS=windows golangci-lint run ./... --fix

080db93817  Matthew Holt  2023-08-09 11:15:01 -06:00
  caddytls: Update docs for on-demand config

b32f265eca  Jacob Gadikian  2023-08-07 19:40:31 +00:00
  ci: Use gofumpt to format code (#5707)

0e2c7e1d35  Matt Holt  2023-07-11 19:10:58 +00:00
  caddytls: Reuse certificate cache through reloads (#5623)
  * caddytls: Don't purge cert cache on config reload
  * Update CertMagic
    This actually avoids reloading managed certs from storage when already in the cache, d'oh.
  * Fix bug; re-implement HasCertificateForSubject
  * Update go.mod: CertMagic tag

4ba03c9d38  Matthew Holt  2023-06-04 22:15:50 -06:00
  caddytls: Clarify some JSON config docs

96919acc9d  Matt Holt  2023-05-15 10:47:30 -06:00
  caddyhttp: Refactor cert Managers (fix #5415) (#5533)

a02ecb0f88  Matt Holt  2023-05-13 07:09:20 -06:00
  caddytls: Check for nil ALPN; close #5470 (#5473)
  * Check for nil ALPN; close #5470
  * Apply patch
  * Actually I want to try this

faf0399e80  Matt Holt  2023-05-10 14:29:29 -06:00
  caddytls: Configurable fallback SNI (#5527)
  * Initial implementation of fallback_sni
  * Apply upstream patch

e16a886814  Francis Lavoie  2023-03-27 21:16:22 +00:00
  caddytls: Eval replacer on automation policy subjects (#5459)
  Also renamed the field to SubjectsRaw, which can be considered a breaking change but I don't expect this to affect much.

0cc49c053f  Matt Holt  2023-03-20 12:06:00 -06:00
  caddytls: Zero out throttle window first (#5443)
  * caddytls: Zero out throttle window first
  * Don't error for on-demand
  Fixes b97c76fb47

a7af7c486e  Matthew Holt  2023-03-14 10:29:27 -06:00
  caddytls: Allow on-demand w/o ask for internal-only

b97c76fb47  Matthew Holt  2023-03-14 10:02:44 -06:00
  caddytls: Require 'ask' endpoint for on-demand TLS

be53e432fc  Francis Lavoie  2023-02-22 11:41:01 -07:00
  caddytls: Relax the warning for on-demand (#5384)

0a3efd1641  Matthew Holt  2023-01-30 09:30:53 -07:00
  caddytls: Debug log for ask endpoint

55035d327a  Yannick Ihmels  2023-01-06 14:44:00 -05:00
  caddytls: Add dns_ttl config, improve Caddyfile tls options (#5287)

e43b6d8178  Matthew Holt  2022-09-16 16:55:36 -06:00
  core: Variadic Context.Logger(); soft deprecation
  Ideally I'd just remove the parameter to caddy.Context.Logger(), but this would break most Caddy plugins. Instead, I'm making it variadic and marking it as partially deprecated. In the future, I might completely remove the parameter once most plugins have updated.

616418281b  David Manouchehri  2022-09-16 14:05:37 -06:00
  caddyhttp: Support TLS key logging for debugging (#4808)
  * Add SSL key logging.
  * Resolve merge conflict with master
  * Add Caddyfile support; various fixes
  * Also commit go.mod and go.sum, oops
  * Appease linter
  * Minor tweaks
  * Add doc comment
  Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

258071d857  Matthew Holt  2022-09-16 09:42:05 -06:00
  caddytls: Debug log on implicit tailscale error (#5041)

d35f618b10  Matthew Holt  2022-09-13 08:59:03 -06:00
  caddytls: Error if placeholder is empty in 'ask'
  Fixes #5036

d4d8bbcfc6  Francis Lavoie  2022-08-31 15:01:30 -06:00
  events: Implement event system (#4912)
  Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

3aabbc49a2  Matthew Holt  2022-08-23 22:28:15 -06:00
  caddytls: Log error if ask request fails
  Errors returned from the DecisionFunc (whether to get a cert on-demand) are used as a signal whether to allow a cert or not; *any* error will forbid cert issuance.
  We bubble up the error all the way to the caller, but that caller is the Go standard library which might gobble it up.
  Now we explicitly log connection errors so sysadmins can ensure their ask endpoints are working.
  Thanks to our sponsor AppCove for reporting this!
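The entries above that touch the on-demand `ask` endpoint (Require 'ask' endpoint for on-demand TLS, Error if placeholder is empty in 'ask', Log error if ask request fails, Context to DecisionFunc) describe a contract in which any error from the decision function forbids issuance. The Go program below is an added example written for this page, not code from Caddy or CertMagic: a minimal allow-list ask endpoint beside a decision function with the same fail-closed semantics. It assumes the request shape Caddy uses (a GET with a `domain` query parameter, any 2xx status meaning allow); the handler, the allow-list and the function names are hypothetical.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// askHandler is a hypothetical "ask" endpoint: it answers 200 only for
// hostnames in the allow-list (constructed for this example) and 403
// otherwise. The caller sends GET <ask URL>?domain=<hostname> and treats
// any non-2xx status, or any transport error, as a refusal to issue.
func askHandler(allowed map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		domain := strings.ToLower(strings.TrimSuffix(r.URL.Query().Get("domain"), "."))
		if domain == "" || !allowed[domain] {
			http.Error(w, "domain not permitted", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// decide mirrors the DecisionFunc contract in the commit messages above:
// nil only when the endpoint answers 2xx. An empty URL, an unreachable
// endpoint, a timeout or any other status is returned as an error, which
// forbids issuance. Callers should log the error themselves, because the
// handshake path that receives it may otherwise swallow it.
func decide(ctx context.Context, askURL, domain string) error {
	if strings.TrimSpace(askURL) == "" {
		return errors.New("ask endpoint is not configured (empty URL)")
	}
	u, err := url.Parse(askURL)
	if err != nil {
		return fmt.Errorf("invalid ask URL: %w", err)
	}
	q := u.Query()
	q.Set("domain", domain)
	u.RawQuery = q.Encode()

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return fmt.Errorf("ask endpoint unreachable: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("ask endpoint denied %q with status %d", domain, resp.StatusCode)
	}
	return nil
}

// newAskServer starts a loopback test server for the allow-list;
// callers must Close it.
func newAskServer(allowed ...string) *httptest.Server {
	m := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		m[strings.ToLower(a)] = true
	}
	return httptest.NewServer(askHandler(m))
}

func main() {
	srv := newAskServer("app.example.com")
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()

	for _, d := range []string{"app.example.com", "evil.example.net"} {
		fmt.Printf("%s -> %v\n", d, decide(ctx, srv.URL, d))
	}
	// An unreachable endpoint is also a denial, never a silent allow.
	srv.Close()
	fmt.Printf("after shutdown -> %v\n", decide(ctx, srv.URL, "app.example.com"))
}
```

Run it to see an allowed name, a denied name and an unreachable endpoint. The last case is the one that matters operationally: an outage of the ask endpoint must stop issuance rather than open it, and the returned error is the only signal the operator gets, so it belongs in the log at the call site.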
c7772588bd  WilczyńskiT  2022-08-17 16:10:57 -06:00
  core: Change net.IP to netip.Addr; use netip.Prefix (#4966)
  Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

c79c08627d  Matt Holt  2022-08-15 12:01:58 -06:00
  caddyhttp: Enable HTTP/3 by default (#4707)

b9618b8b98  Matthew Holt  2022-08-08 12:50:06 -06:00
  Improve docs for ZeroSSL issuer

141872ed80  Francis Lavoie  2022-08-02 16:39:09 -04:00
  chore: Bump up to Go 1.19, minimum 1.18 (#4925)

1bdd451913  Matthew Holt  2022-07-28 14:50:51 -06:00
  caddytls: Remove PreferServerCipherSuites
  It has been deprecated by Go.

412dcc07d3  Matt Holt  2022-07-05 18:12:25 -06:00
  caddytls: Reuse issuer between PreCheck and Issue (#4866)
  This enables EAB reuse for ZeroSSLIssuer (which is now supported by ZeroSSL).

0a14f97e49  Gr33nbl00d  2022-06-02 14:25:07 -06:00
  caddytls: Make peer certificate verification pluggable (#4389)
  * caddytls: Adding ClientCertValidator for custom client cert validations
  * caddytls: Cleanups for ClientCertValidator changes
    caddytls: Cleanups for ClientCertValidator changes
  * Update modules/caddytls/connpolicy.go
    Co-authored-by: Francis Lavoie <lavofr@gmail.com>
  * Update modules/caddytls/connpolicy.go
    Co-authored-by: Francis Lavoie <lavofr@gmail.com>
  * Update modules/caddytls/connpolicy.go
    Co-authored-by: Francis Lavoie <lavofr@gmail.com>
  * Update modules/caddytls/connpolicy.go
    Co-authored-by: Francis Lavoie <lavofr@gmail.com>
  * Update modules/caddytls/connpolicy.go
    Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
  * Update modules/caddytls/connpolicy.go
    Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
  * Unexported field Validators, corrected renaming of LeafVerificationValidator to LeafCertClientAuth
  * admin: Write proper status on invalid requests (#4569) (fix #4561)
  * Apply suggestions from code review
  * Register module; fix compilation
  * Add log for deprecation notice
  Co-authored-by: Roettges Florian <roettges.florian@scheidt-bachmann.de>
  Co-authored-by: Francis Lavoie <lavofr@gmail.com>
  Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
  Co-authored-by: Alok Naushad <alokme123@gmail.com>
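The pluggable peer certificate verification entry above (#4389) adds a hook for custom client-certificate validators but does not show what one looks like. The Go program below is an added example for this page, not Caddy's ClientCertValidator code: a leaf validator that pins the client's SubjectPublicKeyInfo hash and checks the validity window, written in the shape of Go's tls.Config.VerifyPeerCertificate callback, which is the standard-library hook such a validator plugs into. The pin list, the injected `now` clock and the self-signed test certificate are constructed for the example; the function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the hex SHA-256 of the certificate's SubjectPublicKeyInfo,
// the value an operator records out of band for each permitted client key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// leafPinVerifier builds a tls.Config.VerifyPeerCertificate callback that
// accepts the handshake only if the presented leaf's SPKI hash is pinned and
// the leaf is inside its validity window at the injected clock's time. It is
// a hypothetical stand-in for a custom client-certificate validator and runs
// in addition to, not instead of, normal chain verification.
func leafPinVerifier(pins []string, now func() time.Time) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no client certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("parsing leaf: %w", err)
		}
		t := now()
		if t.Before(leaf.NotBefore) || t.After(leaf.NotAfter) {
			return fmt.Errorf("leaf %q outside validity window", leaf.Subject.CommonName)
		}
		if !allowed[spkiPin(leaf)] {
			return fmt.Errorf("leaf %q has unpinned public key", leaf.Subject.CommonName)
		}
		return nil
	}
}

// newSelfSignedDER creates a throwaway self-signed client certificate for
// the example (constructed test data, not a real credential).
func newSelfSignedDER(cn string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	now := time.Now()
	der, err := newSelfSignedDER("client-1", now.Add(-time.Hour), 24*time.Hour)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	verify := leafPinVerifier([]string{spkiPin(cert)}, time.Now)
	fmt.Println("pinned client:", verify([][]byte{der}, nil))

	other, _ := newSelfSignedDER("client-2", now.Add(-time.Hour), 24*time.Hour)
	fmt.Println("unknown client:", verify([][]byte{other}, nil))

	// A server installs it alongside chain verification, for example:
	// cfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, VerifyPeerCertificate: verify}
}
```

Keep ClientAuth at RequireAndVerifyClientCert when installing a callback like this, so a pinned key presented in an otherwise invalid chain is still rejected. The injected clock exists so the expiry branch can be exercised in a test without waiting for a certificate to lapse.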
77a77c0219  Francis Lavoie  2022-04-22 16:09:11 -06:00
  caddytls: Add propagation_delay, support propagation_timeout -1 (#4723)

d06d0e79f8  Matthew Holt  2022-03-25 11:28:54 -06:00
  go.mod: Upgrade CertMagic to v0.16.0
  Includes several breaking changes; code base updated accordingly.
  - Added lots of context arguments
  - Use fs.ErrNotExist
  - Rename ACMEManager -> ACMEIssuer; CertificateManager -> Manager

d9b1d46325  Ran Chen  2022-03-08 12:03:43 -07:00
  caddytls: dns_challenge_override_domain for challenge delegation (#4596)
  * Add an override_domain option to allow DNS challenge delegation
    CNAME can be used to delegate answering the challenge to another DNS zone. One usage is to reduce the exposure of the DNS credential [1].
    Based on the discussion in caddy/certmagic#160, we are adding an option to allow the user to explicitly specify the domain to delegate, instead of following the CNAME chain.
    This needs caddy/certmagic#160.
  * rename override_domain to dns_challenge_override_domain
  * Update CertMagic; fix spelling
  Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
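The dns_challenge_override_domain entry above describes delegating the DNS-01 challenge through a CNAME so that the DNS credential Caddy holds only needs rights on the delegated zone. The Go program below is an added example for this page, not CertMagic's solver: it computes the TXT record name the solver will write and follows the CNAME chain the CA's resolver will walk, then checks that the two meet. It assumes, as the CertMagic solver does, that the override value is used verbatim as the TXT record name; the zone table is constructed sample data and the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// fqdn normalizes a DNS name to lower case with a trailing dot.
func fqdn(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// txtRecordName returns where the DNS-01 TXT record is written. Without an
// override it is _acme-challenge.<domain>; with dns_challenge_override_domain
// set, the override is used verbatim (assumption: this mirrors how the
// CertMagic solver applies its override domain).
func txtRecordName(domain, override string) string {
	if override != "" {
		return fqdn(override)
	}
	return fqdn("_acme-challenge." + domain)
}

// resolveCNAMEs follows CNAME records in a zone table (name -> target) the
// way a CA's resolver would before looking up the TXT record. It stops at
// the first name with no CNAME and rejects loops and over-long chains.
func resolveCNAMEs(cnames map[string]string, name string) (string, error) {
	cur := fqdn(name)
	seen := map[string]bool{}
	for i := 0; i < 8; i++ {
		target, ok := cnames[cur]
		if !ok {
			return cur, nil
		}
		if seen[cur] {
			return "", fmt.Errorf("CNAME loop at %s", cur)
		}
		seen[cur] = true
		cur = fqdn(target)
	}
	return "", errors.New("CNAME chain too long")
}

// checkDelegation verifies that the name the CA will query for
// _acme-challenge.<domain> ends at the name the solver writes to. If they
// differ, validation fails even though the TXT record was created, which
// is the mis-configuration an override is most likely to hide.
func checkDelegation(cnames map[string]string, domain, override string) error {
	want := txtRecordName(domain, override)
	got, err := resolveCNAMEs(cnames, "_acme-challenge."+domain)
	if err != nil {
		return err
	}
	if got != want {
		return fmt.Errorf("CA will read TXT at %s but solver writes to %s", got, want)
	}
	return nil
}

func main() {
	// Constructed zone data: the primary zone holds only a CNAME, so the
	// API credential Caddy needs can be scoped to the delegated zone.
	zone := map[string]string{
		"_acme-challenge.www.example.com.": "_acme-challenge.www.example.com.acme.example.net.",
	}
	fmt.Println("delegated:     ", checkDelegation(zone, "www.example.com", "_acme-challenge.www.example.com.acme.example.net"))
	fmt.Println("wrong override:", checkDelegation(zone, "www.example.com", "_acme-challenge.acme.example.net"))
	fmt.Println("no override:   ", checkDelegation(zone, "www.example.com", ""))
	fmt.Println("no CNAME:      ", checkDelegation(zone, "api.example.com", ""))
}
```

A mismatch here is the classic silent failure: the TXT record lands correctly in the delegated zone, but the CA queries a name that never reaches it. Run the same check against the live zone with a real resolver before relying on the delegation, and keep the credential scoped to the delegated zone only.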
57a708d189  Matt Holt  2022-02-17 15:40:34 -07:00
  caddytls: Support external certificate Managers (like Tailscale) (#4541)
  Huge thank-you to Tailscale (https://tailscale.com) for making this change possible!
  This is a great feature for Caddy and Tailscale is a great fit for a standard implementation.
  * caddytls: GetCertificate modules; Tailscale
  * Caddyfile support for get_certificate
    Also fix AP provisioning in case of empty subject list (persist loaded module on struct, much like Issuers, to survive reprovisioning).
    And implement start of HTTP cert getter, still WIP.
  * Update modules/caddytls/automation.go
    Co-authored-by: Francis Lavoie <lavofr@gmail.com>
  * Use tsclient package, check status for name
  * Implement HTTP cert getter
    And reuse CertMagic's PEM functions for private keys.
  * Remove cache option from Tailscale getter
    Tailscale does its own caching and we don't need the added complexity... for now, at least.
  * Several updates
    - Option to disable cert automation in auto HTTPS
    - Support multiple cert managers
    - Remove cache feature from cert manager modules
    - Minor improvements to auto HTTPS logging
  * Run go mod tidy
  * Try to get certificates from Tailscale implicitly
    Only for domains ending in .ts.net.
    I think this is really cool!
  Co-authored-by: Francis Lavoie <lavofr@gmail.com>

a79b4055e5  Francis Lavoie  2022-01-18 12:19:50 -07:00
  caddytls: Add internal Caddyfile lifetime, sign_with_root opts (#4513)

66de438a98  GallopingKylin  2022-01-13 11:56:18 -05:00
  caddytls: Fix MatchRemoteIP provisioning with multiple CIDR ranges (#4522)

a1c41210d3  Matthew Holt  2021-12-13 16:13:38 -07:00
  caddypki: Minor tweak, don't use context pointer

c04d24cafa  Francis Lavoie  2021-12-13 12:25:35 -07:00
  pki: Avoid provisioning the local CA when not necessary (#4463)
  * pki: Avoid provisioning the `local` CA when not necessary
  * pki: Refactor CA loading to keep the logic in the PKI app

24fda7514d  Matt Holt  2021-11-02 08:27:25 -06:00
  caddytls: Mark storage clean timestamp at end of routine (#4401)
  See discussion on 42b7134ffa3bf3e9e86514c82407979c2627a5ab

c48fadc4a7  KallyDev  2021-09-29 11:17:48 -06:00
  Move from deprecated ioutil to os and io packages (#4364)

501da21f20  Matthew Holt  2021-09-24 18:31:01 -06:00
  General minor improvements to docs

81e5318021  Matthew Holt  2021-06-25 11:29:56 -06:00
  caddytls: Remove "IssuerRaw" field
  Has been deprecated and printing warnings for about 8 months now. Replaced by "IssuersRaw" field in v2.3.0.

1e92258dd6  Klooven  2021-06-08 14:10:37 -06:00
  httpcaddyfile: Add preferred_chains global option and issuer subdirective (#4192)
  * Added preferred_chains option to Caddyfile
  * Caddyfile adapt tests for preferred_chains

4c2da18841  Peter Magnusson  2021-06-07 12:25:12 -06:00
  caddytls: Add Caddyfile support for propagation_timeout (#4178)
  * add propagation_timeout to UnmarshalCaddyfile
    - Closes #4177
  * added caddyfile_adapt test

ecd5eeab38  Matthew Holt  2021-06-03 12:18:25 -06:00
  go.mod: Update direct dependencies

61642b766b  Francis Lavoie  2021-05-08 22:37:27 -06:00
  caddytls: Run replacer on ask URL, for env vars (#4154)
  Fixes #3922

956f01163d  Matt Holt  2021-04-30 10:14:52 -06:00
  caddytls: Implement remote IP connection matcher (#4123)
  * caddytls: Implement remote IP connection matcher
  * Implement IP range negation
    If both Ranges and NotRanges are specified, both must match.
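The remote IP connection matcher entry above states the rule that when both Ranges and NotRanges are set, both must match; the MatchRemoteIP provisioning fix (#4522) and the move to netip.Prefix (#4966) concern the same matcher. The Go program below is an added example for this page, not the module's own code: a matcher with that rule built on net/netip, which accepts CIDR prefixes and bare addresses, keeps every entry of a multi-element list, unmaps IPv4-mapped IPv6 peers before matching and treats an unparseable remote address as a non-match. The type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// RemoteIPMatcher models a remote_ip connection matcher: the connection
// matches when the peer address is inside one of ranges (if any are given)
// AND outside every notRanges prefix (if any are given).
type RemoteIPMatcher struct {
	ranges    []netip.Prefix
	notRanges []netip.Prefix
}

// parsePrefixes accepts CIDR prefixes ("10.0.0.0/8") and bare addresses
// ("192.0.2.7"), which become single-host prefixes. Every entry is kept,
// which is the multi-range case the provisioning fix above was about.
func parsePrefixes(items []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(items))
	for _, s := range items {
		s = strings.TrimSpace(s)
		if s == "" {
			continue
		}
		if strings.Contains(s, "/") {
			p, err := netip.ParsePrefix(s)
			if err != nil {
				return nil, fmt.Errorf("bad CIDR %q: %w", s, err)
			}
			out = append(out, p.Masked())
			continue
		}
		a, err := netip.ParseAddr(s)
		if err != nil {
			return nil, fmt.Errorf("bad IP %q: %w", s, err)
		}
		a = a.Unmap()
		out = append(out, netip.PrefixFrom(a, a.BitLen()))
	}
	return out, nil
}

// NewRemoteIPMatcher provisions a matcher from the two string lists.
func NewRemoteIPMatcher(ranges, notRanges []string) (*RemoteIPMatcher, error) {
	r, err := parsePrefixes(ranges)
	if err != nil {
		return nil, err
	}
	n, err := parsePrefixes(notRanges)
	if err != nil {
		return nil, err
	}
	return &RemoteIPMatcher{ranges: r, notRanges: n}, nil
}

// Match takes the peer address as returned by net.Conn.RemoteAddr().String()
// ("203.0.113.9:51234" or "[2001:db8::1]:443"); bare addresses also work.
func (m *RemoteIPMatcher) Match(remoteAddr string) bool {
	var addr netip.Addr
	if ap, err := netip.ParseAddrPort(remoteAddr); err == nil {
		addr = ap.Addr()
	} else if a, err := netip.ParseAddr(remoteAddr); err == nil {
		addr = a
	} else {
		return false // an unparseable peer address never matches
	}
	addr = addr.Unmap() // treat ::ffff:a.b.c.d as the IPv4 address a.b.c.d

	if len(m.ranges) > 0 && !containsAny(m.ranges, addr) {
		return false
	}
	if containsAny(m.notRanges, addr) {
		return false
	}
	return true
}

func containsAny(prefixes []netip.Prefix, a netip.Addr) bool {
	for _, p := range prefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

func main() {
	m, err := NewRemoteIPMatcher([]string{"10.0.0.0/8", "192.0.2.7"}, []string{"10.13.0.0/16"})
	if err != nil {
		panic(err)
	}
	for _, ra := range []string{"10.1.2.3:5000", "10.13.9.9:5000", "192.0.2.7:443", "[::ffff:192.0.2.7]:443", "198.51.100.1:443"} {
		fmt.Printf("%-24s match=%v\n", ra, m.Match(ra))
	}
}
```

NotRanges alone acts as a pure deny list and Ranges alone as a pure allow list; with both set the peer must satisfy both. Unmapping ::ffff:a.b.c.d before matching keeps a dual-stack listener from letting an IPv4 peer slip past an IPv4-only deny prefix.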