caddytls: Support external certificate Managers (like Tailscale) (#4541)

Huge thank-you to Tailscale (https://tailscale.com) for making this change possible!
This is a great feature for Caddy and Tailscale is a great fit for a standard implementation.

* caddytls: GetCertificate modules; Tailscale

* Caddyfile support for get_certificate

Also fix AP provisioning in case of empty subject list (persist loaded
module on struct, much like Issuers, to surive reprovisioning).

And implement start of HTTP cert getter, still WIP.

* Update modules/caddytls/automation.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* Use tsclient package, check status for name

* Implement HTTP cert getter

And use reuse CertMagic's PEM functions for private keys.

* Remove cache option from Tailscale getter

Tailscale does its own caching and we don't need the added complexity...
for now, at least.

* Several updates

- Option to disable cert automation in auto HTTPS
- Support multiple cert managers
- Remove cache feature from cert manager modules
- Minor improvements to auto HTTPS logging

* Run go mod tidy

* Try to get certificates from Tailscale implicitly

Only for domains ending in .ts.net.

I think this is really cool!

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

modules/caddytls/folderloader.go

@@ -61,10 +61,14 @@ func (fl FolderLoader) LoadCertificates() ([]Certificate, error) {
 				return nil
 			}
 
-			cert, err := x509CertFromCertAndKeyPEMFile(fpath)
+			bundle, err := os.ReadFile(fpath)
 			if err != nil {
 				return err
 			}
+			cert, err := tlsCertFromCertAndKeyPEMBundle(bundle)
+			if err != nil {
+				return fmt.Errorf("%s: %w", fpath, err)
+			}
 
 			certs = append(certs, Certificate{Certificate: cert})
 
@@ -77,12 +81,7 @@ func (fl FolderLoader) LoadCertificates() ([]Certificate, error) {
 	return certs, nil
 }
 
-func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
-	bundle, err := os.ReadFile(fpath)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-
+func tlsCertFromCertAndKeyPEMBundle(bundle []byte) (tls.Certificate, error) {
 	certBuilder, keyBuilder := new(bytes.Buffer), new(bytes.Buffer)
 	var foundKey bool // use only the first key in the file
 
@@ -96,8 +95,7 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
 
 		if derBlock.Type == "CERTIFICATE" {
 			// Re-encode certificate as PEM, appending to certificate chain
-			err = pem.Encode(certBuilder, derBlock)
-			if err != nil {
+			if err := pem.Encode(certBuilder, derBlock); err != nil {
 				return tls.Certificate{}, err
 			}
 		} else if derBlock.Type == "EC PARAMETERS" {
@@ -105,18 +103,16 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
 			// parameters and key (parameter block should come first)
 			if !foundKey {
 				// Encode parameters
-				err = pem.Encode(keyBuilder, derBlock)
-				if err != nil {
+				if err := pem.Encode(keyBuilder, derBlock); err != nil {
 					return tls.Certificate{}, err
 				}
 
 				// Key must immediately follow
 				derBlock, bundle = pem.Decode(bundle)
 				if derBlock == nil || derBlock.Type != "EC PRIVATE KEY" {
-					return tls.Certificate{}, fmt.Errorf("%s: expected elliptic private key to immediately follow EC parameters", fpath)
+					return tls.Certificate{}, fmt.Errorf("expected elliptic private key to immediately follow EC parameters")
 				}
-				err = pem.Encode(keyBuilder, derBlock)
-				if err != nil {
+				if err := pem.Encode(keyBuilder, derBlock); err != nil {
 					return tls.Certificate{}, err
 				}
 				foundKey = true
@@ -124,28 +120,27 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
 		} else if derBlock.Type == "PRIVATE KEY" || strings.HasSuffix(derBlock.Type, " PRIVATE KEY") {
 			// RSA key
 			if !foundKey {
-				err = pem.Encode(keyBuilder, derBlock)
-				if err != nil {
+				if err := pem.Encode(keyBuilder, derBlock); err != nil {
 					return tls.Certificate{}, err
 				}
 				foundKey = true
 			}
 		} else {
-			return tls.Certificate{}, fmt.Errorf("%s: unrecognized PEM block type: %s", fpath, derBlock.Type)
+			return tls.Certificate{}, fmt.Errorf("unrecognized PEM block type: %s", derBlock.Type)
 		}
 	}
 
 	certPEMBytes, keyPEMBytes := certBuilder.Bytes(), keyBuilder.Bytes()
 	if len(certPEMBytes) == 0 {
-		return tls.Certificate{}, fmt.Errorf("%s: failed to parse PEM data", fpath)
+		return tls.Certificate{}, fmt.Errorf("failed to parse PEM data")
 	}
 	if len(keyPEMBytes) == 0 {
-		return tls.Certificate{}, fmt.Errorf("%s: no private key block found", fpath)
+		return tls.Certificate{}, fmt.Errorf("no private key block found")
 	}
 
 	cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes)
 	if err != nil {
-		return tls.Certificate{}, fmt.Errorf("%s: making X509 key pair: %v", fpath, err)
+		return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err)
 	}
 
 	return cert, nil