webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

cmd/derper: add --acme-email flag for GCP cert mode (#18278)

Browse Source 
GCP Certificate Manager requires an email contact on ACME accounts.
Add --acme-email flag that is required for --certmode=gcp and
optional for --certmode=letsencrypt.

Fixes #18277

Signed-off-by: Raj Singh <raj@tailscale.com>
This commit is contained in:
Raj Singh
2025-12-25 01:57:11 -05:00
committed by GitHub
parent 2917ea8d0e
commit d451cd54a7
3 changed files with 21 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/derper/cert.go
+8 -1
View File
@@ -44,7 +44,7 @@ type certProvider interface {
HTTPHandler(fallback http.Handler) http.Handler
}
func certProviderByCertMode(mode, dir, hostname, eabKID, eabKey string) (certProvider, error) {
func certProviderByCertMode(mode, dir, hostname, eabKID, eabKey, email string) (certProvider, error) {
if dir == "" {
return nil, errors.New("missing required --certdir flag")
}
@@ -59,6 +59,9 @@ func certProviderByCertMode(mode, dir, hostname, eabKID, eabKey string) (certPro
if eabKID == "" || eabKey == "" {
return nil, errors.New("--certmode=gcp requires --acme-eab-kid and --acme-eab-key flags")
}
if email == "" {
return nil, errors.New("--certmode=gcp requires --acme-email flag")
}
keyBytes, err := decodeEABKey(eabKey)
if err != nil {
return nil, err
@@ -73,6 +76,10 @@ func certProviderByCertMode(mode, dir, hostname, eabKID, eabKey string) (certPro
}
if hostname == "derp.tailscale.com" {
certManager.HostPolicy = prodAutocertHostPolicy
}
if email != "" {
certManager.Email = email
} else if hostname == "derp.tailscale.com" {
certManager.Email = "security@tailscale.com"
}
return certManager, nil