diff --git a/go.sum b/go.sum
index 68584116735..0edc55f2720 100644
--- a/go.sum
+++ b/go.sum
@@ -68,10 +68,6 @@ github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
 github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570 h1:SsAXjoQx2wOmLl6mEwJEwh7wwys2hb/l/mhtmxA3wts=
-github.com/caddyserver/certmagic v0.20.1-0.20240412214119-167015dd6570/go.mod h1:e1NhB1rF5KZnAuAX6oSyhE7sg1Ru5bWgggw5RtauhEY=
-github.com/caddyserver/certmagic v0.20.1-0.20240418194233-27ab129028e1 h1:jyf7BgZCwGqrqjv2+wOX662oZr9QqeSjzwA9bCG+paM=
-github.com/caddyserver/certmagic v0.20.1-0.20240418194233-27ab129028e1/go.mod h1:e1NhB1rF5KZnAuAX6oSyhE7sg1Ru5bWgggw5RtauhEY=
 github.com/caddyserver/certmagic v0.20.1-0.20240419174353-855d4670a49d h1:fi1dMdHOoyWHXpxpCbaB+H4xdAgQcBP2AXSqpXVpIcg=
 github.com/caddyserver/certmagic v0.20.1-0.20240419174353-855d4670a49d/go.mod h1:e1NhB1rF5KZnAuAX6oSyhE7sg1Ru5bWgggw5RtauhEY=
 github.com/caddyserver/zerossl v0.1.2 h1:tlEu1VzWGoqcCpivs9liKAKhfpJWYJkHEMmlxRbVAxE=
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 800e4d98ff1..39133228251 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -89,13 +89,12 @@ type ACMEIssuer struct {
 	PreferredChains *ChainPreference `json:"preferred_chains,omitempty"`
 
 	// The validity period to ask the CA to issue a certificate for.
-	// Default: 0 (don't ask a custom lifetime to the CA)
-	// This value is used to compute the "notAfter" field of the ACME order,
+	// Default: 0 (CA chooses lifetime).
+	// This value is used to compute the "notAfter" field of the ACME order;
 	// therefore the system must have a reasonably synchronized clock.
-	// Important : Let's Encrypt and ZeroSSL don't allow custom
-	// validity period and will refuse to issue a certicate if this is set.
-	// For CAs that support it, there are often limits
-	// on the allowed validity periods. Please refer to your CA documentation.
+	// NOTE: Not all CAs support this. Check with your CA's ACME
+	// documentation to see if this is allowed and what values may
+	// be used.
 	CertificateLifetime caddy.Duration `json:"certificate_lifetime,omitempty"`
 
 	rootPool *x509.CertPool
@@ -369,8 +368,11 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 			if err != nil {
 				return d.Errf("invalid lifetime %s: %v", lifetimeStr, err)
 			}
-			// TODO: Add check that valid lifetime must be >= 0
+			if lifetime < 0 {
+				return d.Errf("lifetime must be >= 0: %s", lifetime)
+			}
 			iss.CertificateLifetime = caddy.Duration(lifetime)
+
 		case "dir":
 			if iss.CA != "" {
 				return d.Errf("directory is already specified: %s", iss.CA)
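Review bot: The rewritten comment on `CertificateLifetime` drops the concrete warning that the removed lines carried — that Let's Encrypt and ZeroSSL reject orders carrying a custom validity period — and replaces it with a generic "Not all CAs support this". If that behaviour still holds, it matters for the common case, since those are the issuers Caddy reaches for by default, and a user who sets this field under the default configuration will get issuance failures rather than a shorter certificate. I would keep one sentence of the specific caveat, hedged to avoid going stale: `// NOTE: As of this writing, Let's Encrypt and ZeroSSL reject orders that request a custom lifetime; other CAs may cap the allowed range.`. The struct definition begins and ends outside this hunk.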
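Review bot: The new `lifetime < 0` guard only protects the Caddyfile adapter; the same field is exposed in JSON as `certificate_lifetime` (see the struct tag in the first hunk), and nothing in this diff validates it on that path, so a negative duration supplied via the JSON config or the admin API still reaches the ACME order and yields a `notAfter` in the past. Unless the Provision or Validate step already checks it — I cannot see either here — the range check belongs there, with this Caddyfile check kept as an early, friendlier error: `if iss.CertificateLifetime < 0 { return fmt.Errorf("certificate_lifetime must be >= 0: %s", time.Duration(iss.CertificateLifetime)) }`. `UnmarshalCaddyfile` starts and ends outside this hunk.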