Support for preferred_chains in Caddyfile

[Klooven]

As mentioned in #3854, Let's Encrypt now provides two different chains when acquiring a certificate: one with a cross-signed root certificate (default) and one with a self-signed root certificate.

I'd like to use the alternative chain, which seems to be possible using the preferred_chains option in Caddy. From what I've understood, though, this is currently only configurable through JSON.

Would it be possible to add a new global option in the Caddyfile to support changing the preferred chain without configuring Caddy using JSON?

[mholt]

Sure, pull requests welcomed to add that.

[Klooven]

Cool! I've been playing around with the Caddy source code and with my very limited experience of Go, I managed to get it work somehow... Only as a global option for now, though. I'll send in a PR for review in the near future.

A couple of questions @mholt:

---

caddy/modules/caddytls/acmeissuer.go

Lines 442 to 453 in 7b500e7

	type ChainPreference struct {
	// Prefer chains with the fewest number of bytes.
	Smallest *bool `json:"smallest,omitempty"`
	// Select first chain having a root with one of
	// these common names.
	RootCommonName []string `json:"root_common_name,omitempty"`
	// Select first chain that has any issuer with one
	// of these common names.
	AnyCommonName []string `json:"any_common_name,omitempty"`
	}

Should PreferredChains only accept one of the above options at the time?

• For example if I set Smallest to true, should RootCommonName and AnyCommonName be accepted?
• Or if I, for example, set RootCommonName to some value, should any of the other two remaining options be accepted?

---

I've used the following structure for the (global) config:

{
  preferred_chains [smallest] {
    root_common_name <common names...>
    any_common_name  <common names...>
  }
}

And for a "local" config the structure would be the same except that it is of course placed in the ACME issuer config:

localhost

...

tls {
  issuer acme {
    preferred_chains...
  }
}

The config could be done in the following ways, for example:

{
  preferred_chains smallest
}

{
  preferred_chains {
    root_common_name "Example root name" "Example root name 2"
  }
}

Does that structure seem good, or should I adjust it in some way?

[mholt]

@Klooven Nice work -- I think that structure looks good, at least good enough for a PR.

Congrats figuring out Go!

[Klooven]

Created PR #4192!

If everything is ok and it gets merged, I'd be happy to update the docs on the website as well.

[francislavoie]

Thanks @Klooven!

The relevant docs to update are in: https://github.com/caddyserver/website/blob/master/src/docs/markdown/caddyfile/options.md

And in: https://github.com/caddyserver/website/blob/master/src/docs/markdown/caddyfile/directives/tls.md