
caddyfile: Merge identical certificate automation policies #3550

Closed
zyclonite opened this issue Jul 6, 2020 · 4 comments
Labels
feature ⚙️ New feature or request
Milestone

Comments

@zyclonite

What did you do?

Start caddy2 with a Caddyfile-formatted config to serve some content hosted on the same domain but on two different HTTPS ports.
For the example I switched to the Let's Encrypt staging environment to avoid accidentally running into a rate limit.

What did you expect to see?

Caddy requesting one certificate from Let's Encrypt and making example.com available on ports 443 and 444.
This already worked well with caddy1.

What did you see instead?

Caddy did not start up and failed with the following exception:

adapting config using caddyfile: hostname appears in more than one automation policy, making certificate management ambiguous: example.com

Caddy version

Latest Docker container, version 2.1.1.

What is your environment & configuration?

Docker command used:

docker run --rm -it -p 80:80 -p 443:443 -p 444:444 \
  -v ~/.caddy/Caddyfile:/etc/caddy/Caddyfile \
  -v ~/.caddy/data:/data \
  -v ~/.caddy/site:/usr/share/caddy \
  caddy

Caddyfile

{
  debug
  acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
https://example.com {
  tls certs@example.com
  file_server
  root * /usr/share/caddy
}
https://example.com:444 {
  tls certs@example.com
  file_server
  root * /usr/share/caddy
}

Log output

2020/07/06 08:57:53.486	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
run: adapting config using caddyfile: hostname appears in more than one automation policy, making certificate management ambiguous: example.com
@mholt
Member

mholt commented Jul 6, 2020

That config specifies two certificate automation policies for the same domain name, example.com... but in your case they should happen to be equivalent. I guess we could be smarter about this and allow equivalent automation policies.

For now, remove your tls directives and just specify the email address in the global option email: https://caddyserver.com/docs/caddyfile/options

@mholt mholt changed the title Same domain with different ports breaks tls automation when using Caddyfile caddyfile: Merge identical certificate automation policies Jul 6, 2020
@mholt mholt added the feature ⚙️ New feature or request label Jul 6, 2020
@mholt
Member

mholt commented Jul 6, 2020

Aha... I thought we already did this... we just need to move this de-duplication call before the ambiguity check:

	// do a little verification & cleanup
	if tlsApp.Automation != nil {
		// ensure automation policies don't overlap subjects (this should be
		// an error at provision-time as well, but catch it in the adapt phase
		// for convenience)
		automationHostSet := make(map[string]struct{})
		for _, ap := range tlsApp.Automation.Policies {
			for _, s := range ap.Subjects {
				if _, ok := automationHostSet[s]; ok {
					return nil, warnings, fmt.Errorf("hostname appears in more than one automation policy, making certificate management ambiguous: %s", s)
				}
				automationHostSet[s] = struct{}{}
			}
		}
		// consolidate automation policies that are the exact same
		tlsApp.Automation.Policies = consolidateAutomationPolicies(tlsApp.Automation.Policies)

That should fix it. @zyclonite Would you please try moving line 338 between lines 323 and 324 and see if that works for you? (It does for me but I want to make sure you confirm it.)

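The reordering described in the comment above, as an added example that is not Caddy's own code: a simplified AutomationPolicy type (an assumption, with CA and Email standing in for the issuer settings), a hypothetical consolidate that merges policies with identical settings, and the ambiguity check from the quoted snippet, run in the fixed order (merge first, then check). With the reporter's two identical example.com policies the check now passes, while two policies for the same host that genuinely differ (for instance a different ACME email) still fail.

```go
package main

import "fmt"

// AutomationPolicy is a simplified stand-in (assumption, not Caddy's real type): subjects plus issuer settings.
type AutomationPolicy struct {
	Subjects []string
	CA       string // ACME directory URL
	Email    string // ACME account email
}
// consolidate merges policies with identical issuer settings, uniting their subject
// lists without duplicates (stand-in for the adapter's consolidateAutomationPolicies).
func consolidate(policies []AutomationPolicy) []AutomationPolicy {
	var out []AutomationPolicy
	index := map[string]int{}     // issuer settings -> position in out
	seen := map[string]struct{}{} // issuer settings + subject already added
	for _, ap := range policies {
		key := ap.CA + "\x00" + ap.Email
		i, ok := index[key]
		if !ok {
			i, index[key] = len(out), len(out)
			out = append(out, AutomationPolicy{CA: ap.CA, Email: ap.Email})
		}
		for _, s := range ap.Subjects {
			if _, dup := seen[key+"\x00"+s]; !dup {
				seen[key+"\x00"+s] = struct{}{}
				out[i].Subjects = append(out[i].Subjects, s)
			}
		}
	}
	return out
}
// checkAmbiguity is the adapter's check quoted above: a hostname in more than one policy is an error.
func checkAmbiguity(policies []AutomationPolicy) error {
	seen := map[string]struct{}{}
	for _, ap := range policies {
		for _, s := range ap.Subjects {
			if _, ok := seen[s]; ok {
				return fmt.Errorf("hostname appears in more than one automation policy, making certificate management ambiguous: %s", s)
			}
			seen[s] = struct{}{}
		}
	}
	return nil
}
// adapt applies the ordering from the fix: merge identical policies first, then check.
func adapt(policies []AutomationPolicy) ([]AutomationPolicy, error) {
	merged := consolidate(policies)
	return merged, checkAmbiguity(merged)
}
```
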
@zyclonite
Author

@mholt Tested the fix and it works nicely, with both ports serving the same certificate.
Thank you for the quick find!

@mholt mholt closed this as completed in 7bfe5b6 Jul 7, 2020
@mholt
Member

mholt commented Jul 7, 2020

Great, thanks for confirming
