Support {s3,web}.root_domains for the Caddy on-demand TLS endpoint (<admin>/check?domain=xx) #610

Merged
lx merged 1 commits from bug/support-root-domains-on-demand-tls into main 2023-08-28 09:18:14 +00:00
Owner

Context

Tricot (https://git.deuxfleurs.fr/Deuxfleurs/tricot) does not support the DNS-01 challenge, hence it does not support wildcard certificates,
hence we must provision simple certificates for vhost-style URLs on S3 AND for people having no dedicated domain name and using our root domain (web.deuxfleurs.fr).

Furthermore, the S3 specification allows dots in bucket names, but wildcard certificates do not cover them. Amazon decided not to support domains with dots for websites and S3 vhost-style access, but we currently support this on our production deployment.

Conclusion: the on-demand TLS endpoint must not only support FQDN buckets on the web endpoint, but also buckets expanded with a root domain on the S3+Web endpoints.

Content of this PR

Extend the <admin>/check?domain=xx API endpoint to support domains built from a bucket name expanded with either the S3 or Web root_domain.
See the associated reference documentation for more detailed explanations.

Limitations

Buckets that are not in the global namespace are not supported.

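The following is an added illustration of the decision the description above asks the check endpoint to make; it is not Garage's code and not part of this PR. It assumes the two root domains are configured with a leading dot (as in a Garage `root_domain = ".s3.deuxfleurs.fr"` setting), that a web-style match (either `<bucket>.<web root_domain>` or a bucket named exactly like the requested FQDN) additionally requires website access to be enabled on the bucket, and that any existing bucket qualifies for `<bucket>.<s3 root_domain>`. The bucket list is constructed sample data. Only the exact root-domain suffix is stripped, so dotted bucket names work and the bare root domain never matches a bucket.

```rust
use std::collections::HashMap;

/// Outcome of the on-demand TLS check, mirroring the HTTP statuses the
/// documentation lists: 200 OK, 404 Not Found, 400 Bad Request.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Check {
    Ok,
    NotFound,
    BadRequest,
}

/// Stand-in for the global bucket namespace (the only one the endpoint
/// supports): bucket name -> whether website access is enabled on it.
/// Constructed sample data, not real buckets.
pub struct Namespace {
    buckets: HashMap<String, bool>,
}

/// The two root domains, written with a leading dot as in a Garage
/// `root_domain = ".s3.deuxfleurs.fr"` setting (assumed convention).
pub struct Config {
    pub s3_root_domain: &'static str,
    pub web_root_domain: &'static str,
}

pub fn sample_namespace() -> Namespace {
    let mut buckets = HashMap::new();
    buckets.insert("site".to_string(), true);        // plain name, website on
    buckets.insert("foo.bar".to_string(), true);     // dotted name, website on
    buckets.insert("data".to_string(), false);       // S3 only, no website
    buckets.insert("example.org".to_string(), true); // FQDN bucket, website on
    Namespace { buckets }
}

pub fn sample_config() -> Config {
    Config { s3_root_domain: ".s3.deuxfleurs.fr", web_root_domain: ".web.deuxfleurs.fr" }
}

/// If `domain` is `<bucket><root_domain>`, return `<bucket>`. The bucket part
/// may itself contain dots, so only the exact root-domain suffix is stripped,
/// and the bare root domain yields no bucket at all.
fn bucket_from_vhost<'a>(domain: &'a str, root_domain: &str) -> Option<&'a str> {
    let root = root_domain.trim_start_matches('.');
    let suffix_len = root.len() + 1; // the root plus the dot in front of it
    if domain.len() > suffix_len
        && domain.ends_with(root)
        && domain.as_bytes()[domain.len() - suffix_len] == b'.'
    {
        Some(&domain[..domain.len() - suffix_len])
    } else {
        None
    }
}

/// Decide whether the reverse proxy may request a certificate for `domain`.
pub fn check_domain(domain: &str, cfg: &Config, ns: &Namespace) -> Check {
    // Reject input that cannot be a hostname at all: the proxy must never
    // be told to fetch a certificate for it.
    if domain.is_empty()
        || domain.starts_with('.')
        || domain.ends_with('.')
        || !domain.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'.' || b == b'-')
    {
        return Check::BadRequest;
    }
    let domain = domain.to_ascii_lowercase(); // hostnames are case-insensitive

    // 1. S3 vhost-style: <bucket><s3_root_domain>; any existing bucket qualifies.
    if let Some(bucket) = bucket_from_vhost(&domain, cfg.s3_root_domain) {
        if ns.buckets.contains_key(bucket) {
            return Check::Ok;
        }
    }
    // 2. Web vhost-style: <bucket><web_root_domain>; assumed to need website access.
    if let Some(bucket) = bucket_from_vhost(&domain, cfg.web_root_domain) {
        if ns.buckets.get(bucket) == Some(&true) {
            return Check::Ok;
        }
    }
    // 3. FQDN bucket on the web endpoint: a bucket named exactly like the domain.
    if ns.buckets.get(domain.as_str()) == Some(&true) {
        return Check::Ok;
    }
    Check::NotFound
}

fn main() {
    let (cfg, ns) = (sample_config(), sample_namespace());
    for d in ["site.web.deuxfleurs.fr", "data.s3.deuxfleurs.fr", "data.web.deuxfleurs.fr", "web.deuxfleurs.fr"] {
        println!("{}: {:?}", d, check_domain(d, &cfg, &ns));
    }
}
```

The length check in `bucket_from_vhost` is what keeps a request for the root domain itself, or for a host such as `xs3.deuxfleurs.fr` that merely ends in the root string, from being approved: a suffix match without the separating dot is not a vhost of ours.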
quentin added the Improvement label 2023-08-08 09:17:05 +00:00
quentin added 1 commit 2023-08-08 09:17:06 +00:00
continuous-integration/drone/push: Build is passing
continuous-integration/drone/pr: Build is passing
24e533f262 support {s3,web}.root_domains in /check endpoint
jpds reviewed 2023-08-16 10:15:56 +00:00
@ -47,0 +95,4 @@
- Otherwise, returns 404 Not Found, 400 Bad Request or 5xx requests.
*Note 1: because in the path-style URL mode, there is only one domain that is not known by Garage, hence it is not supported by this API endpoint.
You must manually declare the domain in your reverse-proxy. Idem for K2V.*
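Review bot: in this documentation hunk, "returns 404 Not Found, 400 Bad Request or 5xx requests" should say "5xx responses" (the endpoint returns status codes, not requests), and the "Note 1" sentence has a dangling "because ... hence" construction. Suggested wording: "Note 1: in path-style URL mode there is only one domain, and it is not known by Garage, so it is not supported by this endpoint. You must declare that domain manually in your reverse proxy. Similarly for K2V."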
Contributor

This is not an English word - suggest replacing with "Similarly".
Owner

Thanks, great work, could be slightly refactored but the current version is fine.
lx merged commit d539a56d3a into main 2023-08-28 09:18:14 +00:00