caddytls: Improve alt chain preference settings

This allows for finer-grained control when choosing alternate chains than simply the previous/Certbot-esque behavior of "choose first chain that contains an issuer's common name." This update allows you to sort by length (if optimizing for efficiency on the wire) and also to select the chain with a specific root CommonName.
caddyserver · Dec 15, 2020 · e384f07 · e384f07
1 parent 132525d
commit e384f07
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 8 deletions.
diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.1.0
 	github.com/alecthomas/chroma v0.8.2
 	github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a
-	github.com/caddyserver/certmagic v0.12.1-0.20201209195841-b726d1ed13c3
+	github.com/caddyserver/certmagic v0.12.1-0.20201215190346-201f83a06067
 	github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/google/cel-go v0.6.0

diff --git a/go.sum b/go.sum
@@ -85,8 +85,8 @@ github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTK
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
-github.com/caddyserver/certmagic v0.12.1-0.20201209195841-b726d1ed13c3 h1:NW/7kFV4p6VLwG5eQa6ECivSqxAO0MmnAsAV7esFp0o=
-github.com/caddyserver/certmagic v0.12.1-0.20201209195841-b726d1ed13c3/go.mod h1:tr26xh+9fY5dN0J6IPAlMj07qpog22PJKa7Nw7j835U=
+github.com/caddyserver/certmagic v0.12.1-0.20201215190346-201f83a06067 h1:gpjCX6/8hHRgVXxy1v2AQdoAX6XRXIA8fBUZtEpnVg0=
+github.com/caddyserver/certmagic v0.12.1-0.20201215190346-201f83a06067/go.mod h1:tr26xh+9fY5dN0J6IPAlMj07qpog22PJKa7Nw7j835U=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=

diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
@@ -74,10 +74,11 @@ type ACMEIssuer struct {
 	// is internal or for development/testing purposes.
 	TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"`
 
-	// List of preferred certificate chains, by issuer's CommonName. If empty,
-	// or if no matching chain is found, the first chain offered by the server
-	// will be used.
-	PreferredChains []string `json:"preferred_chains,omitempty"`
+	// Preferences for selecting alternate certificate chains, if offered
+	// by the CA. By default, the first offered chain will be selected.
+	// If configured, the chains may be sorted and the first matching chain
+	// will be selected.
+	PreferredChains *ChainPreference `json:"preferred_chains,omitempty"`
 
 	rootPool *x509.CertPool
 	template certmagic.ACMEManager
@@ -163,7 +164,6 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
 		CertObtainTimeout: time.Duration(iss.ACMETimeout),
 		TrustedRoots:      iss.rootPool,
 		ExternalAccount:   iss.ExternalAccount,
-		PreferredChains:   iss.PreferredChains,
 		Logger:            iss.logger,
 	}
 
@@ -182,6 +182,14 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
 		template.ListenHost = iss.Challenges.BindHost
 	}
 
+	if iss.PreferredChains != nil {
+		template.PreferredChains = certmagic.ChainPreference{
+			Smallest:       iss.PreferredChains.Smallest,
+			AnyCommonName:  iss.PreferredChains.AnyCommonName,
+			RootCommonName: iss.PreferredChains.RootCommonName,
+		}
+	}
+
 	return template, nil
 }
 
@@ -407,6 +415,22 @@ func onDemandAskRequest(ask string, name string) error {
 	return nil
 }
 
+// ChainPreference describes the client's preferred certificate chain,
+// useful if the CA offers alternate chains. The first matching chain
+// will be selected.
+type ChainPreference struct {
+	// Prefer chains with the fewest number of bytes.
+	Smallest *bool `json:"smallest,omitempty"`
+
+	// Select first chain having a root with one of
+	// these common names.
+	RootCommonName []string `json:"root_common_name,omitempty"`
+
+	// Select first chain that has any issuer with one
+	// of these common names.
+	AnyCommonName []string `json:"any_common_name,omitempty"`
+}
+
 // Interface guards
 var (
 	_ certmagic.PreChecker  = (*ACMEIssuer)(nil)