-
-
Notifications
You must be signed in to change notification settings - Fork 290
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Managers: Ability to call GetCertificate from external certificate sources #163
Conversation
Useful if another entity is managing certificates and can provide its own dynamically during handshakes.
This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine.
Instead of a function
Hostnames are case-insensitive Also add context to GetCertificate
Also minor refactoring and enhancements
(I'm pretty much ready to merge this, but I am spending some time double-checking the On-Demand coupling to CustomGetCertificate, since I wonder if it's possible to use CustomGetCertificate without requiring on-demand.) |
And don't cache externally managed certs
And that's a wrap! I think. 🙂 Instead of It no longer implicitly enables or requires On-Demand TLS to be enabled; they are orthogonal concepts. Thank you to Tailscale for making this change possible! |
…ver#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments
This is useful if another entity is managing certificates and can provide its own certs dynamically during handshakes.
For example, Tailscale's client has a
GetCertificate()
function: https://pkg.go.dev/tailscale.com/client/tailscale#GetCertificate