caddyserver · mholt · Jun 12, 2020 · Jun 12, 2020 · Jun 12, 2020 · Jun 12, 2020
diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go
@@ -30,9 +30,7 @@ func init() {
 	RegisterGlobalOption("order", parseOptOrder)
 	RegisterGlobalOption("experimental_http3", parseOptTrue)
 	RegisterGlobalOption("storage", parseOptStorage)
-	RegisterGlobalOption("acme_ca", parseOptSingleString)
-	RegisterGlobalOption("acme_eab_kid", parseOptSingleString)
-	RegisterGlobalOption("acme_eab_hmac_key", parseOptSingleString)
+	RegisterGlobalOption("acme_ca", parseOptAcmeCa)
 	RegisterGlobalOption("acme_dns", parseOptSingleString)
 	RegisterGlobalOption("acme_ca_root", parseOptSingleString)
 	RegisterGlobalOption("email", parseOptSingleString)
@@ -182,6 +180,38 @@ func parseOptStorage(d *caddyfile.Dispenser) (interface{}, error) {
 	return storage, nil
 }
 
+func parseOptAcmeCa(d *caddyfile.Dispenser) (interface{}, error) {
+
+	if !d.Next() { // consume option name
+		return nil, d.ArgErr()
+	}
+	if !d.Next() { // get url value
+		return nil, d.ArgErr()
+	}
+	acme := new(caddytls.ACMECAConfig)
+	acme.CA = d.Val()
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		switch d.Val() {
+		case "key_id":
+			if !d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			acme.KeyID = d.Val()
+
+		case "hmac":
+			if !d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			acme.HMAC = d.Val()
+
+		default:
+			return nil, d.Errf("unrecognized parameter '%s'", d.Val())
+		}
+	}
+
+	return acme, nil
+}
+
 func parseOptSingleString(d *caddyfile.Dispenser) (interface{}, error) {
 	d.Next() // consume parameter name
 	if !d.Next() {

diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -350,14 +350,12 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
 	acmeCA, hasACMECA := options["acme_ca"]
 	acmeDNS, hasACMEDNS := options["acme_dns"]
 	acmeCARoot, hasACMECARoot := options["acme_ca_root"]
-	acmeEabKeyId, hasACMEEabKeyId := options["acme_eab_kid"]
-	acmeEabHmacKey, hasACMEEabHmacKey := options["acme_eab_hmac_key"]
 
 	email, hasEmail := options["email"]
 	localCerts, hasLocalCerts := options["local_certs"]
 	keyType, hasKeyType := options["key_type"]
 
-	hasGlobalAutomationOpts := hasACMECA || hasACMEDNS || hasACMECARoot || hasACMEEabKeyId || hasACMEEabHmacKey || hasEmail || hasLocalCerts || hasKeyType
+	hasGlobalAutomationOpts := hasACMECA || hasACMEDNS || hasACMECARoot || hasEmail || hasLocalCerts || hasKeyType
 
 	// if there are no global options related to automation policies
 	// set, then we can just return right away
@@ -374,14 +372,20 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
 		// internal issuer enabled trumps any ACME configurations; useful in testing
 		ap.Issuer = new(caddytls.InternalIssuer) // we'll encode it later
 	} else {
-		if acmeCA == nil {
-			acmeCA = ""
+		var caConfig *caddytls.ACMECAConfig
+
+		if !hasACMECA {
+			fmt.Println("********* DOH SHOULD NOT HERE ****************")
+			caConfig = new(caddytls.ACMECAConfig)
+		} else {
+			caConfig = acmeCA.(*caddytls.ACMECAConfig)
 		}
+
 		if email == nil {
 			email = ""
 		}
 		mgr := &caddytls.ACMEIssuer{
-			CA:    acmeCA.(string),
+			CA:    caConfig.CA,
 			Email: email.(string),
 		}
 		if acmeDNS != nil {
@@ -400,10 +404,10 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
 			mgr.TrustedRootsPEMFiles = []string{acmeCARoot.(string)}
 		}
 
-		if acmeEabKeyId != nil && acmeEabHmacKey != nil {
+		if caConfig.KeyID != "" && caConfig.HMAC != "" {
 			mgr.ExternalAccount = &caddytls.ExternalAccountBinding{
-				KeyID: acmeEabKeyId.(string),
-				HMAC: acmeEabHmacKey.(string),
+				KeyID: caConfig.KeyID,
+				HMAC: caConfig.HMAC,
 			}
 		}
 

diff --git a/caddytest/integration/caddyfile_adapt/global_options.txt b/caddytest/integration/caddyfile_adapt/global_options.txt
@@ -7,7 +7,6 @@
 	storage file_system {
 		root /data
 	}
-	acme_ca https://example.com
 	acme_ca_root /path/to/ca.crt
 
 	email test@example.com

diff --git a/caddytest/integration/caddyfile_adapt/global_options_acme.txt b/caddytest/integration/caddyfile_adapt/global_options_acme.txt
@@ -7,9 +7,10 @@
 	storage file_system {
 		root /data
 	}
-	acme_ca https://example.com
-	acme_eab_kid 4K2scIVbBpNd-78scadB2g
-	acme_eab_hmac_key abcdefghijklmnopqrstuvwx-abcdefghijklnopqrstuvwxyz12ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh
+	acme_ca https://example.com {
+		key_id 4K2scIVbBpNd-78scadB2g
+		hmac abcdefghijklmnopqrstuvwx-abcdefghijklnopqrstuvwxyz12ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh
+	}
 	acme_ca_root /path/to/ca.crt
 
 	email test@example.com

diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
@@ -326,6 +326,15 @@ type RateLimit struct {
 	Burst int `json:"burst,omitempty"`
 }
 
+// ACME CA Config stores configuration specific
+// to a custom ACME CA
+type ACMECAConfig struct {
+	CA string
+	//External account binding key id
+	KeyID string `json:"key_id,omitempty"`
+	//External account binding hmac key
+	HMAC string `json:"hmac,omitempty"`
+}
 // ConfigSetter is implemented by certmagic.Issuers that
 // need access to a parent certmagic.Config as part of
 // their provisioning phase. For example, the ACMEIssuer