Implement BindHost fallback in ACME issuer
Monviech authored Sep 27, 2025
commit 775c0ac7caa1fd3bdade3b6e83dbf728692ee2cf
14 changes: 14 additions & 0 deletions caddyconfig/httpcaddyfile/tlsapp.go
Expand Up @@ -607,6 +607,20 @@
}
acmeIssuer.Challenges.TLSALPN.AlternatePort = globalHTTPSPort.(int)
}
// If BindHost is still unset, fall back to the first default_bind address if set
// This avoids binding the automation policy to the wildcard socket, which is unexpected behavior when a more selective socket is specified via default_bind
// In BSD it is valid to bind to the wildcard socket even though a more selective socket is already open (still unexpected behavior by the caller though)
// In Linux the same call will error with EADDRINUSE whenever the listener for the automation policy is opened
if acmeIssuer.Challenges == nil {
acmeIssuer.Challenges = new(caddytls.ChallengesConfig)

Check failure on line 615 in caddyconfig/httpcaddyfile/tlsapp.go


GitHub Actions / lint (mac)

File is not properly formatted (gci)
}
if acmeIssuer.Challenges.BindHost == "" {
if defBinds, ok := options["default_bind"].([]ConfigValue); ok && len(defBinds) > 0 {
if abp, ok := defBinds[0].Value.(addressesWithProtocols); ok && len(abp.addresses) > 0 {
acmeIssuer.Challenges.BindHost = abp.addresses[0]
}
}
}
if globalCertLifetime != nil && acmeIssuer.CertificateLifetime == 0 {
acmeIssuer.CertificateLifetime = globalCertLifetime.(caddy.Duration)
}
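Review bot: The fallback at `acmeIssuer.Challenges.BindHost = abp.addresses[0]` uses only the first address of the first default_bind entry, so when default_bind lists several addresses (for example one IPv4 and one IPv6) the challenge listener is bound on just one of them, while the servers themselves presumably listen on every listed address; since BindHost is a single string this is a limitation that should be stated rather than left implicit. I would add above the assignment `// BindHost holds a single host, so only the first address of the first default_bind entry is used; further default_bind addresses are not covered by the challenge listener.` The lint annotation on line 615 reports a gci formatting failure, presumably caused by the import pulled in for the new `caddytls.ChallengesConfig` reference, and should be resolved before the change lands. The enclosing function starts and ends outside this hunk.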