go.mod: Upgrade ACMEz to v3; and upgrade CertMagic
mholt committed Dec 19, 2024
1 parent 66c80ca commit ed1c594
Showing 10 changed files with 47 additions and 29 deletions.
2 changes: 1 addition & 1 deletion caddyconfig/httpcaddyfile/builtins.go
@@ -24,7 +24,7 @@ import (
"time"

"github.com/caddyserver/certmagic"
"github.com/mholt/acmez/v2/acme"
"github.com/mholt/acmez/v3/acme"
"go.uber.org/zap/zapcore"

"github.com/caddyserver/caddy/v2"
2 changes: 1 addition & 1 deletion caddyconfig/httpcaddyfile/options.go
@@ -19,7 +19,7 @@ import (
"strconv"

"github.com/caddyserver/certmagic"
"github.com/mholt/acmez/v2/acme"
"github.com/mholt/acmez/v3/acme"

"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig"
2 changes: 1 addition & 1 deletion caddyconfig/httpcaddyfile/tlsapp.go
@@ -25,7 +25,7 @@ import (
"strings"

"github.com/caddyserver/certmagic"
"github.com/mholt/acmez/v2/acme"
"github.com/mholt/acmez/v3/acme"

"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig"
10 changes: 6 additions & 4 deletions caddytest/integration/acme_test.go
@@ -6,17 +6,19 @@ import (
"crypto/elliptic"
"crypto/rand"
"fmt"
"log/slog"
"net"
"net/http"
"strings"
"testing"

"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddytest"
"github.com/mholt/acmez/v2"
"github.com/mholt/acmez/v2/acme"
"github.com/mholt/acmez/v3"
"github.com/mholt/acmez/v3/acme"
smallstepacme "github.com/smallstep/certificates/acme"
"go.uber.org/zap"
"go.uber.org/zap/exp/zapslog"
)

const acmeChallengePort = 9081
@@ -48,7 +50,7 @@ func TestACMEServerWithDefaults(t *testing.T) {
Client: &acme.Client{
Directory: "https://acme.localhost:9443/acme/local/directory",
HTTPClient: tester.Client,
Logger: logger,
Logger: slog.New(zapslog.NewHandler(logger.Core())),
},
ChallengeSolvers: map[string]acmez.Solver{
acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
@@ -117,7 +119,7 @@ func TestACMEServerWithMismatchedChallenges(t *testing.T) {
Client: &acme.Client{
Directory: "https://acme.localhost:9443/acme/local/directory",
HTTPClient: tester.Client,
Logger: logger,
Logger: slog.New(zapslog.NewHandler(logger.Core())),
},
ChallengeSolvers: map[string]acmez.Solver{
acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
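Review bot: The adapter expression `slog.New(zapslog.NewHandler(logger.Core()))` is written out in full at both `acme.Client` literals in this file (TestACMEServerWithDefaults and TestACMEServerWithMismatchedChallenges) and twice more in acmeserver_test.go, so a later change to how the zap logger is bridged to slog has four places to miss. Building it once per test, `slogger := slog.New(zapslog.NewHandler(logger.Core()))`, or in a small shared test helper, and then passing `Logger: slogger` keeps each call site as short as the old `Logger: logger`. The test bodies start and end outside the hunks, so where `logger` is created is not visible here.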
10 changes: 6 additions & 4 deletions caddytest/integration/acmeserver_test.go
@@ -5,13 +5,15 @@ import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"log/slog"
"strings"
"testing"

"github.com/caddyserver/caddy/v2/caddytest"
"github.com/mholt/acmez/v2"
"github.com/mholt/acmez/v2/acme"
"github.com/mholt/acmez/v3"
"github.com/mholt/acmez/v3/acme"
"go.uber.org/zap"
"go.uber.org/zap/exp/zapslog"
)

func TestACMEServerDirectory(t *testing.T) {
@@ -76,7 +78,7 @@ func TestACMEServerAllowPolicy(t *testing.T) {
Client: &acme.Client{
Directory: "https://acme.localhost:9443/acme/local/directory",
HTTPClient: tester.Client,
Logger: logger,
Logger: slog.New(zapslog.NewHandler(logger.Core())),
},
ChallengeSolvers: map[string]acmez.Solver{
acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
@@ -165,7 +167,7 @@ func TestACMEServerDenyPolicy(t *testing.T) {
Client: &acme.Client{
Directory: "https://acme.localhost:9443/acme/local/directory",
HTTPClient: tester.Client,
Logger: logger,
Logger: slog.New(zapslog.NewHandler(logger.Core())),
},
ChallengeSolvers: map[string]acmez.Solver{
acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
10 changes: 5 additions & 5 deletions go.mod
@@ -9,15 +9,15 @@ require (
github.com/Masterminds/sprig/v3 v3.3.0
github.com/alecthomas/chroma/v2 v2.14.0
github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
github.com/caddyserver/certmagic v0.21.5-0.20241105180249-4293198e094d
github.com/caddyserver/certmagic v0.21.5-0.20241219182349-258b5328e49e
github.com/caddyserver/zerossl v0.1.3
github.com/dustin/go-humanize v1.0.1
github.com/go-chi/chi/v5 v5.0.12
github.com/google/cel-go v0.21.0
github.com/google/uuid v1.6.0
github.com/klauspost/compress v1.17.11
github.com/klauspost/cpuid/v2 v2.2.8
github.com/mholt/acmez/v2 v2.0.3
github.com/klauspost/cpuid/v2 v2.2.9
github.com/mholt/acmez/v3 v3.0.0
github.com/prometheus/client_golang v1.19.1
github.com/quic-go/quic-go v0.48.2
github.com/smallstep/certificates v0.26.1
@@ -37,9 +37,9 @@ require (
go.uber.org/automaxprocs v1.6.0
go.uber.org/zap v1.27.0
go.uber.org/zap/exp v0.3.0
golang.org/x/crypto v0.30.0
golang.org/x/crypto v0.31.0
golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9
golang.org/x/net v0.32.0
golang.org/x/net v0.33.0
golang.org/x/sync v0.10.0
golang.org/x/term v0.27.0
golang.org/x/time v0.7.0
20 changes: 10 additions & 10 deletions go.sum
@@ -89,8 +89,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
github.com/caddyserver/certmagic v0.21.5-0.20241105180249-4293198e094d h1:+zOduGxxC4WBAnlDf5Uf0TXbWXRqjUXkJKevDZZa79A=
github.com/caddyserver/certmagic v0.21.5-0.20241105180249-4293198e094d/go.mod h1:swUXjQ1T9ZtMv95qj7/InJvWLXURU85r+CfG0T+ZbDE=
github.com/caddyserver/certmagic v0.21.5-0.20241219182349-258b5328e49e h1:AFPVZ2IOgM6NdL2GwMMf+V7NDU3IQ9t4aPbcNbHsitY=
github.com/caddyserver/certmagic v0.21.5-0.20241219182349-258b5328e49e/go.mod h1:n1sCo7zV1Ez2j+89wrzDxo4N/T1Ws/Vx8u5NvuBFabw=
github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
@@ -304,8 +304,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -344,8 +344,8 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
github.com/mholt/acmez/v2 v2.0.3 h1:CgDBlEwg3QBp6s45tPQmFIBrkRIkBT4rW4orMM6p4sw=
github.com/mholt/acmez/v2 v2.0.3/go.mod h1:pQ1ysaDeGrIMvJ9dfJMk5kJNkn7L2sb3UhyrX6Q91cw=
github.com/mholt/acmez/v3 v3.0.0 h1:r1NcjuWR0VaKP2BTjDK9LRFBw/WvURx3jlaEUl9Ht8E=
github.com/mholt/acmez/v3 v3.0.0/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
@@ -595,8 +595,8 @@ golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5y
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9 h1:4cEcP5+OjGppY79LCQ5Go2B1Boix2x0v6pvA01P3FoA=
golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -628,8 +628,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
2 changes: 1 addition & 1 deletion modules/caddytls/acmeissuer.go
@@ -28,7 +28,7 @@ import (

"github.com/caddyserver/certmagic"
"github.com/caddyserver/zerossl"
"github.com/mholt/acmez/v2/acme"
"github.com/mholt/acmez/v3/acme"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"

2 changes: 1 addition & 1 deletion modules/caddytls/automation.go
@@ -25,7 +25,7 @@ import (
"strings"

"github.com/caddyserver/certmagic"
"github.com/mholt/acmez/v2"
"github.com/mholt/acmez/v3"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"

16 changes: 15 additions & 1 deletion modules/caddytls/connpolicy.go
@@ -26,7 +26,7 @@ import (
"os"
"strings"

"github.com/mholt/acmez/v2"
"github.com/mholt/acmez/v3"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"

@@ -350,6 +350,20 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
if err := p.ClientAuthentication.ConfigureTLSConfig(cfg); err != nil {
return fmt.Errorf("configuring TLS client authentication: %v", err)
}

// Prevent privilege escalation in case multiple vhosts are configured for
// this TLS server; we could potentially figure out if that's the case, but
// that might be complex to get right every time. Actually, two proper
// solutions could leave tickets enabled, but I am not sure how to do them
// properly without significant time investment; there may be new Go
// APIs that alloaw this (Wrap/UnwrapSession?) but I do not know how to use
// them at this time. TODO: one of these is a possible future enhancement:
// A) Prevent resumptions across server identities (certificates): binding the ticket to the
// certificate we would serve in a full handshake, or even bind a ticket to the exact SNI
// it was issued under (though there are proposals for session resumption across hostnames).
// B) Prevent resumptions falsely authenticating a client: include the realm in the ticket,
// so that it can be validated upon resumption.
cfg.SessionTicketsDisabled = true
}

if p.InsecureSecretsLog != "" {
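Review bot: The new comment above `cfg.SessionTicketsDisabled = true` never states the risk it guards against or the condition under which the line runs; judging by the closing brace that follows, the assignment sits inside the client-authentication block around `p.ClientAuthentication.ConfigureTLSConfig(cfg)`, which opens outside the hunk. I would open the comment with `// Resuming a session could carry a ticket issued under one connection policy into another with different client-auth rules, so tickets are disabled whenever client auth is configured.` and keep the TODO items A and B beneath it, fixing "alloaw" to "allow" on the way. In Go's crypto/tls this field disables both TLS 1.2 session tickets and TLS 1.3 PSK resumption, so every connection that matches such a policy does a full handshake; that cost belongs in the comment too. The commit adds no test for it: one that provisions a policy with client authentication and asserts `SessionTicketsDisabled` on the resulting config would keep the guard from being lost in a later refactor.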

8 comments on commit ed1c594

Contributor

@jum jum commented on ed1c594 Dec 27, 2024


Since this commit is in (the revision I compiled is visible in the stack trace below), I get this panic:

goroutine 89 [running]:
github.com/caddyserver/certmagic.(*Cache).maintainAssets.func1()
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:50 +0x78
panic({0x14166a0?, 0x28e7840?})
	runtime/panic.go:785 +0x124
go.uber.org/zap/exp/zapslog.NewHandler(...)
	go.uber.org/zap/exp@v0.3.0/zapslog/handler.go:59
github.com/caddyserver/certmagic.(*ACMEIssuer).newBasicACMEClient(0x40007bb040)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:281 +0x22c
github.com/caddyserver/certmagic.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:288 +0x44
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/caddy/v2@v2.9.0-beta.3.0.20241224155840-afa778ae0550/modules/caddytls/acmeissuer.go:271 +0x6c
github.com/caddyserver/certmagic.(*Config).updateARI(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...}, ...)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:527 +0xb50
github.com/caddyserver/certmagic.(*Cache).RenewManagedCertificates(0x40006c6f00, {0x1b77a80, 0x4000b82e10})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:179 +0xe58
github.com/caddyserver/certmagic.(*Cache).maintainAssets(0x40006c6f00, 0x8)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:71 +0x2d4
github.com/caddyserver/certmagic.(*Cache).maintainAssets.func1()
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:53 +0x1f8
panic({0x14166a0?, 0x28e7840?})
	runtime/panic.go:785 +0x124
go.uber.org/zap/exp/zapslog.NewHandler(...)
	go.uber.org/zap/exp@v0.3.0/zapslog/handler.go:59
github.com/caddyserver/certmagic.(*ACMEIssuer).newBasicACMEClient(0x40007bb040)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:281 +0x22c
github.com/caddyserver/certmagic.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:288 +0x44
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/caddy/v2@v2.9.0-beta.3.0.20241224155840-afa778ae0550/modules/caddytls/acmeissuer.go:271 +0x6c
github.com/caddyserver/certmagic.(*Config).updateARI(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...}, ...)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:527 +0xb50
github.com/caddyserver/certmagic.(*Cache).RenewManagedCertificates(0x40006c6f00, {0x1b77a80, 0x4000660870})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:179 +0xe58
github.com/caddyserver/certmagic.(*Cache).maintainAssets(0x40006c6f00, 0x7)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:71 +0x2d4
github.com/caddyserver/certmagic.(*Cache).maintainAssets.func1()
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:53 +0x1f8
panic({0x14166a0?, 0x28e7840?})
	runtime/panic.go:785 +0x124
go.uber.org/zap/exp/zapslog.NewHandler(...)
	go.uber.org/zap/exp@v0.3.0/zapslog/handler.go:59
github.com/caddyserver/certmagic.(*ACMEIssuer).newBasicACMEClient(0x40007bb040)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:281 +0x22c
github.com/caddyserver/certmagic.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:288 +0x44
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/caddy/v2@v2.9.0-beta.3.0.20241224155840-afa778ae0550/modules/caddytls/acmeissuer.go:271 +0x6c
github.com/caddyserver/certmagic.(*Config).updateARI(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...}, ...)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:527 +0xb50
github.com/caddyserver/certmagic.(*Cache).RenewManagedCertificates(0x40006c6f00, {0x1b77a80, 0x400058dcc0})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:179 +0xe58
github.com/caddyserver/certmagic.(*Cache).maintainAssets(0x40006c6f00, 0x6)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:71 +0x2d4
github.com/caddyserver/certmagic.(*Cache).maintainAssets.func1()
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:53 +0x1f8
panic({0x14166a0?, 0x28e7840?})
	runtime/panic.go:785 +0x124
go.uber.org/zap/exp/zapslog.NewHandler(...)
	go.uber.org/zap/exp@v0.3.0/zapslog/handler.go:59
github.com/caddyserver/certmagic.(*ACMEIssuer).newBasicACMEClient(0x40007bb040)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:281 +0x22c
github.com/caddyserver/certmagic.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:288 +0x44
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/caddy/v2@v2.9.0-beta.3.0.20241224155840-afa778ae0550/modules/caddytls/acmeissuer.go:271 +0x6c
github.com/caddyserver/certmagic.(*Config).updateARI(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...}, ...)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:527 +0xb50
github.com/caddyserver/certmagic.(*Cache).RenewManagedCertificates(0x40006c6f00, {0x1b77a80, 0x4000238b40})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:179 +0xe58
github.com/caddyserver/certmagic.(*Cache).maintainAssets(0x40006c6f00, 0x5)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:71 +0x2d4
github.com/caddyserver/certmagic.(*Cache).maintainAssets.func1()
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:53 +0x1f8
panic({0x14166a0?, 0x28e7840?})
	runtime/panic.go:785 +0x124
go.uber.org/zap/exp/zapslog.NewHandler(...)
	go.uber.org/zap/exp@v0.3.0/zapslog/handler.go:59
github.com/caddyserver/certmagic.(*ACMEIssuer).newBasicACMEClient(0x40007bb040)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:281 +0x22c
github.com/caddyserver/certmagic.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:288 +0x44
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/caddy/v2@v2.9.0-beta.3.0.20241224155840-afa778ae0550/modules/caddytls/acmeissuer.go:271 +0x6c
github.com/caddyserver/certmagic.(*Config).updateARI(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...}, ...)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:527 +0xb50
github.com/caddyserver/certmagic.(*Cache).RenewManagedCertificates(0x40006c6f00, {0x1b77a80, 0x4000a1c870})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:179 +0xe58
github.com/caddyserver/certmagic.(*Cache).maintainAssets(0x40006c6f00, 0x4)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:71 +0x2d4
github.com/caddyserver/certmagic.(*Cache).maintainAssets.func1()
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:53 +0x1f8
panic({0x14166a0?, 0x28e7840?})
	runtime/panic.go:785 +0x124
go.uber.org/zap/exp/zapslog.NewHandler(...)
	go.uber.org/zap/exp@v0.3.0/zapslog/handler.go:59
github.com/caddyserver/certmagic.(*ACMEIssuer).newBasicACMEClient(0x40007bb040)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:281 +0x22c
github.com/caddyserver/certmagic.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:288 +0x44
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/caddy/v2@v2.9.0-beta.3.0.20241224155840-afa778ae0550/modules/caddytls/acmeissuer.go:271 +0x6c
github.com/caddyserver/certmagic.(*Config).updateARI(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...}, ...)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:527 +0xb50
github.com/caddyserver/certmagic.(*Cache).RenewManagedCertificates(0x40006c6f00, {0x1b77a80, 0x4000239090})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:179 +0xe58
github.com/caddyserver/certmagic.(*Cache).maintainAssets(0x40006c6f00, 0x3)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:71 +0x2d4
github.com/caddyserver/certmagic.(*Cache).maintainAssets.func1()
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:53 +0x1f8
panic({0x14166a0?, 0x28e7840?})
	runtime/panic.go:785 +0x124
go.uber.org/zap/exp/zapslog.NewHandler(...)
	go.uber.org/zap/exp@v0.3.0/zapslog/handler.go:59
github.com/caddyserver/certmagic.(*ACMEIssuer).newBasicACMEClient(0x40007bb040)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:281 +0x22c
github.com/caddyserver/certmagic.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:288 +0x44
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/caddy/v2@v2.9.0-beta.3.0.20241224155840-afa778ae0550/modules/caddytls/acmeissuer.go:271 +0x6c
github.com/caddyserver/certmagic.(*Config).updateARI(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...}, ...)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:527 +0xb50
github.com/caddyserver/certmagic.(*Cache).RenewManagedCertificates(0x40006c6f00, {0x1b77a80, 0x40002e4820})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:179 +0xe58
github.com/caddyserver/certmagic.(*Cache).maintainAssets(0x40006c6f00, 0x2)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:71 +0x2d4
github.com/caddyserver/certmagic.(*Cache).maintainAssets.func1()
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:53 +0x1f8
panic({0x14166a0?, 0x28e7840?})
	runtime/panic.go:785 +0x124
go.uber.org/zap/exp/zapslog.NewHandler(...)
	go.uber.org/zap/exp@v0.3.0/zapslog/handler.go:59
github.com/caddyserver/certmagic.(*ACMEIssuer).newBasicACMEClient(0x40007bb040)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:281 +0x22c
github.com/caddyserver/certmagic.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:288 +0x44
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/caddy/v2@v2.9.0-beta.3.0.20241224155840-afa778ae0550/modules/caddytls/acmeissuer.go:271 +0x6c
github.com/caddyserver/certmagic.(*Config).updateARI(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...}, ...)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:527 +0xb50
github.com/caddyserver/certmagic.(*Cache).RenewManagedCertificates(0x40006c6f00, {0x1b77a80, 0x4000c18e10})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:179 +0xe58
github.com/caddyserver/certmagic.(*Cache).maintainAssets(0x40006c6f00, 0x1)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:71 +0x2d4
github.com/caddyserver/certmagic.(*Cache).maintainAssets.func1()
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:53 +0x1f8
panic({0x14166a0?, 0x28e7840?})
	runtime/panic.go:785 +0x124
go.uber.org/zap/exp/zapslog.NewHandler(...)
	go.uber.org/zap/exp@v0.3.0/zapslog/handler.go:59
github.com/caddyserver/certmagic.(*ACMEIssuer).newBasicACMEClient(0x40007bb040)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:281 +0x22c
github.com/caddyserver/certmagic.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/acmeclient.go:288 +0x44
github.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).GetRenewalInfo(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...})
	github.com/caddyserver/caddy/v2@v2.9.0-beta.3.0.20241224155840-afa778ae0550/modules/caddytls/acmeissuer.go:271 +0x6c
github.com/caddyserver/certmagic.(*Config).updateARI(_, {_, _}, {{{0x4000311920, 0x2, 0x2}, {0x159ab40, 0x4000311b90}, {0x0, 0x0, ...}, ...}, ...}, ...)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:527 +0xb50
github.com/caddyserver/certmagic.(*Cache).RenewManagedCertificates(0x40006c6f00, {0x1b77a80, 0x40002a80a0})
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:179 +0xe58
github.com/caddyserver/certmagic.(*Cache).maintainAssets(0x40006c6f00, 0x0)
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/maintain.go:71 +0x2d4
created by github.com/caddyserver/certmagic.NewCache in goroutine 35
	github.com/caddyserver/certmagic@v0.21.5-0.20241219182349-258b5328e49e/cache.go:127 +0x1ec

Member Author

@mholt mholt commented on ed1c594 Dec 27, 2024


@jum Could you please open an issue:

It's not immediately clear to me what is going on, so I'll need your help to understand it better.

Ideally, we need to be able to reproduce the bug in the most minimal way possible using the latest version of Caddy. This allows us to write regression tests to verify the fix is working. If we can't reproduce it, then you'll have to test our changes for us until it's fixed -- and then we can't add test cases, either.

I've attached a template below that will help make this easier and faster! This will require some effort on your part -- please understand that we will be dedicating time to fix the bug you are reporting if you can just help us understand it and reproduce it easily.

This template will ask for some information you've already provided; that's OK, just fill it out the best you can. 👍 I've also included some helpful tips below the template. Feel free to let me know if you have any questions!

Thank you again for your report, we look forward to resolving it!

Template

## 1. Environment

### 1a. Operating system and version

```
paste here
```


### 1b. Caddy version (run `caddy version` or paste commit SHA)

This should be the latest version of Caddy:

```
paste here
```


## 2. Description

### 2a. What happens (briefly explain what is wrong)




### 2b. Why it's a bug (if it's not obvious)




### 2c. Log output

```
paste terminal output or logs here
```



### 2d. Workaround(s)




### 2e. Relevant links




## 3. Tutorial (minimal steps to reproduce the bug)




Instructions -- please heed otherwise we cannot help you (help us help you!)

  1. Environment: Please fill out your OS and Caddy versions, even if you don't think they are relevant. (They are always relevant.) If you built Caddy from source, provide the commit SHA and specify your exact Go version.

  2. Description: Describe at a high level what the bug is. What happens? Why is it a bug? Not all bugs are obvious, so convince readers that it's actually a bug.

    • 2c) Log output: Paste terminal output and/or complete logs in a code block. DO NOT REDACT INFORMATION except for credentials. Please enable debug and access logs.
    • 2d) Workaround: What are you doing to work around the problem in the meantime? This can help others who encounter the same problem, until we implement a fix.
    • 2e) Relevant links: Please link to any related issues, pull requests, docs, and/or discussion. This can add crucial context to your report.
  3. Tutorial: What are the minimum required specific steps someone needs to take in order to experience the same bug? Your goal here is to make sure that anyone else can have the same experience with the bug as you do. You are writing a tutorial, so make sure to carry it out yourself before posting it. Please:

    • Start with an empty config. Add only the lines/parameters that are absolutely required to reproduce the bug.
    • Do not run Caddy inside containers.
    • Run Caddy manually in your terminal; do not use systemd or other init systems.
    • If making HTTP requests, avoid web browsers. Use a simpler HTTP client instead, like curl.
    • Do not redact any information from your config (except credentials). Domain names are public knowledge and often necessary for quick resolution of an issue!
    • Note that ignoring this advice may result in delays, or even in your issue being closed. 😞 Only actionable issues are kept open, and if there is not enough information or clarity to reproduce the bug, then the report is not actionable.

Example of a tutorial:

Create a config file:
{ ... }

Open terminal and run Caddy:

$ caddy ...

Make an HTTP request:

$ curl ...

Notice that the result is ___ but it should be ___.

Member Author

@mholt mholt commented on ed1c594 Dec 27, 2024


Be sure to include the full panic logs, seems the actual error is missing.

Contributor

@jum jum commented on ed1c594 Dec 27, 2024 via email


Contributor

@jum jum commented on ed1c594 Dec 27, 2024 via email


Contributor

@jum jum commented on ed1c594 Dec 27, 2024 via email


Member Author

@mholt mholt commented on ed1c594 Dec 27, 2024


Thanks. The stack trace goes into zapslog, where it's iterating the handler options (passed as variadic arguments) and calls v.apply() on them -- apparently, v is nil, and sure enough, on the line we invoke with, we pass in a literal nil value... tracked it back down to a random article about slog + zap, which reminds me once again to never trust random articles on the Internet.

Context: mholt/acmez#29 (comment)

Will push a fix shortly.

Member Author

@mholt mholt commented on ed1c594 Dec 27, 2024


Actually, this is already fixed in caddyserver/certmagic@2cfc589 -- based on a hunch I had.
