caddyserver/certmagic

Config option for what the Caddy ask endpoint protects / DecisionFunc

franklouwers opened this issue · 2 comments

What would you like to have changed?

Being completely unfamiliar with the CertMagic codebase, I am not sure ;) I was asked on the Caddy forum to request a config option for the Ask function / DecisionFunc (https://caddy.community/t/why-is-caddy-forcing-an-on-demand-tls-ask-on-startup-for-certs-where-it-has-a-valid-cert/23018/14).

Why is this feature a useful, necessary, and/or important addition to this project?

In Caddy, even if there's a valid (syntactically + non-expired) cert, if Caddy hasn't cached anything about the on-demand domain (e.g. because Caddy just got restarted), it will contact the Ask endpoint. If that endpoint is down, it will refuse the TLS handshake.

To me, it would make a lot of sense to not contact the Ask service if Caddy can determine there is a cert on-disk which is still valid. I believe that to do that, a DecisionFunc would be needed in CertMagic?

What alternatives are there, or what are you doing in the meantime to work around the lack of this feature?

No idea.

Please link to any relevant issues, pull requests, or other discussions.

Caddy use case and discussion: https://caddy.community/t/why-is-caddy-forcing-an-on-demand-tls-ask-on-startup-for-certs-where-it-has-a-valid-cert/23018/14
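The decision logic the issue asks for, written out as an added example (this is not CertMagic's DecisionFunc or any code from the project): `localCertValid` applies only the "syntactically valid + non-expired, and covers this name" check described above, `decide` skips the Ask endpoint when that check passes and otherwise defers to a hypothetical `ask` callback, and `selfSignedPEM` is a constructed stand-in for a certificate CertMagic would have on disk. The function names, signatures and sample certificate are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"time"
)

// localCertValid reports whether the PEM certificate parses, is inside its
// validity window at time now, and covers name. This is only the
// "syntactically valid + non-expired" check from the issue, not chain
// verification against a CA.
func localCertValid(pemBytes []byte, name string, now time.Time) bool {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false
	}
	return cert.VerifyHostname(name) == nil
}

// decide is a hypothetical decision function: skip the ask endpoint when a
// valid local cert exists, otherwise defer to ask. An error from ask (for
// example an unreachable endpoint) still refuses the handshake: fail closed.
func decide(name string, pemBytes []byte, now time.Time, ask func(string) error) error {
	if localCertValid(pemBytes, name, now) {
		return nil
	}
	return ask(name)
}

// selfSignedPEM builds a constructed self-signed certificate for name; it is
// test data only and stands in for a cert that CertMagic stored on disk.
func selfSignedPEM(name string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

One consequence worth weighing before adopting such an option: a certificate that is already on disk keeps being served until it expires even if the Ask endpoint would now deny that name, so the endpoint's answer is only re-consulted at renewal time.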

Thanks -- yeah, maybe we can make exactly what the DecisionFunc guards configurable.