Comments (8)
I am asking to serve domain.com certificate for the associated IP address X.X.X.X.
@vmihailenco Assuming you're integrating certmagic using its TLSConfig
, you should be able to do this by overriding TLSConfig.GetCertificate
.
Something like (untested):
tlsCfg := certm.TLSConfig()
getCrt := tlsCfg.GetCertificate
tlsCfg.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
if hello.ServerName=="x.x.x.x" {
hello.ServerName = "domain.com"
}
return getCrt(hello)
}
from certmagic.
Also the comment
// CertSelection chooses one of the certificates
// with which the ClientHello will be completed;
// if not set, DefaultCertificateSelector will
// be used
CertSelection CertificateSelector
is not quite right. DefaultCertificateSelector
is only used as default when getAllMatchingCerts
returns at least one certificate. If there are no matches DefaultCertificateSelector
is not used. That is how I read the code at https://github.com/caddyserver/certmagic/blob/master/handshake.go#L189-L193
from certmagic.
Hi, thanks for the issue!
hello.ServerName contains IP address
That is an invalid use of ServerName:
the only server names supported are DNS hostnames
— RFC 6066
(Accordingly, most clients like Firefox leave ServerName empty when accessing a site by IP address.)
So what this means:
if SNI is empty, prefer matching IP address
is that the server's (local) IP address will be the fallback matching attempt if there's no ServerName to match on.
DefaultCertificateSelector is only used as default when getAllMatchingCerts returns at least one certificate. If there are no matches DefaultCertificateSelector is not used. That is how I read the code at https://github.com/caddyserver/certmagic/blob/master/handshake.go#L189-L193
That's correct; by default, CertMagic will not select a certificate that does not match the server name (or IP address), because that would be an invalid match and the client should reject it. I can update the godoc.
from certmagic.
Thanks for the answer! I trust you that certmagic is following the spec, but is there anything I can do to better handle such invalid requests?
It looks like setting certmagic.Default.CertSelection = certmagic.DefaultCertificateSelector
does the trick since I no longer see those errors. Hard to tell whether that improves the situation or not but I feel better without the errors in the log.
is that the server's (local) IP address will be the fallback matching attempt if there's no ServerName to match on.
This makes sense and I guess it means that there should be some way to register a certificate for an IP address?
As an idea certmagic could automatically register certificate for domain's IP address, .e.g.
certmagic.Register("domain.com", someCert)
addrs := net.LookupHost("domain.com")
for _, addr := range addrs {
certmagic.Register(addr, someCert)
}
I am not asking to add this to certmagic, but perhaps I can do something like that in user space? I've tried searching through the code but could not find anything...
from certmagic.
CertMagic is already capable of managing certificates for IP addresses: just pass in an IP address instead of (or in addition to) a domain name. Of course, good luck finding a CA that's willing to issue a certificate for your IP address (that's a very rare edge case, typically). But it's common with internal infrastructures when you use your own internal ACME CA.
from certmagic.
I am asking to serve domain.com certificate for the associated IP address X.X.X.X.
from certmagic.
@DisposaBoy thanks - that seems to be exactly what I need.
from certmagic.
That's clever @DisposaBoy -- I never even considered that. Thanks!
from certmagic.
Related Issues (20)
- Question: About `ACMEIssuer.AltTLSALPNPort` parameter HOT 3
- Feature Request: Use `log/slog` instead of Zap HOT 8
- Using Certmagic with pebble HOT 1
- DecisionFunc and certificate clean up HOT 2
- Gandi dns-01 challenge fail: 400 Absolute rrset_name must end with mydomain.org HOT 1
- How do I use CacheUnmanagedTLSCertificate correctly? HOT 6
- Support zerossl IP cert HOT 3
- Support customizable certificate validity period HOT 2
- Add: Deactivating an Authorization (7.5.2) HOT 4
- Certificate Import HOT 16
- Add proxy option for OCSP stapling requests HOT 6
- Ability to disable logs with `no information found to solve challenge for identifier` HOT 3
- Config option for what the Caddy ask endpoint protects / DecisionFunc HOT 2
- Can DNS be used alongside ALPN? HOT 5
- How to manually issue a certificate HOT 3
- Is FallbackServerName still experimental? HOT 3
- Question: How to issue wildcard certificates rather than exact subject name in OnDemand? HOT 3
- FileStorage Delete doesn't delete non-empty directories HOT 7
- Implement ARI HOT 2
- How to disable logs? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from certmagic.