TLS Constraints

  • By Canonical Telco
Channel | Revision | Published | Runs on
latest/beta | 47 | 29 Apr 2024 | Ubuntu 22.04
latest/edge | 48 | 03 May 2024 | Ubuntu 22.04
juju deploy tls-constraints --channel edge

  • allowed-common-name | string

    Regex describing a custom filter for common names. The filter must be given a Python-style regex string, which is used to filter out CSRs with fields that don’t match the provided regex. Example: "myapp-([0-9]+)?\.mycompany\.com". If the filter is enabled after CSRs that don’t match the regex have been approved, those approvals will not be reversed, but any future CSRs will be filtered, including ones coming from the same application. This may break automatic renewal requests.

  • allowed-country-code | string

    Regex describing a custom filter for country codes. The filter must be given a Python-style regex string, which is used to filter out CSRs with fields that don’t match the provided regex. Example: "(UK|US|CA|PL|AE|HU|FR|TR|IT)$". If the filter is enabled after CSRs that don’t match the regex have been approved, those approvals will not be reversed, but any future CSRs will be filtered, including ones coming from the same application. This may break automatic renewal requests.

  • allowed-dns | string

    Regex describing a custom filter for DNS names. The filter must be given a Python-style regex string, which is used to filter out CSRs with fields that don’t match the provided regex. Example: "myapp-([0-9]+)?\.mycompany\.com". If the filter is enabled after CSRs that don’t match the regex have been approved, those approvals will not be reversed, but any future CSRs will be filtered, including ones coming from the same application. This may break automatic renewal requests.

  • allowed-email | string

    Regex describing a custom filter for emails. The filter must be given a Python-style regex string, which is used to filter out CSRs with fields that don’t match the provided regex. Example: ".*@canonical\.com". If the filter is enabled after CSRs that don’t match the regex have been approved, those approvals will not be reversed, but any future CSRs will be filtered, including ones coming from the same application. This may break automatic renewal requests.

  • allowed-ips | string

    Regex describing a custom filter for IPs. The filter must be given a Python-style regex string, which is used to filter out CSRs with fields that don’t match the provided regex. Example: "172\.25\.0\.[0-9]*". If the filter is enabled after CSRs that don’t match the regex have been approved, those approvals will not be reversed, but any future CSRs will be filtered, including ones coming from the same application. This may break automatic renewal requests.

  • allowed-oids | string

    Regex describing a custom filter for OIDs. The filter must be given a Python-style regex string, which is used to filter out CSRs with fields that don’t match the provided regex. Example: "1\.3\.6\.1\.4\.1\.28978\.[0-9.]*". If the filter is enabled after CSRs that don’t match the regex have been approved, those approvals will not be reversed, but any future CSRs will be filtered, including ones coming from the same application. This may break automatic renewal requests.

  • allowed-organization | string

    Regex describing a custom filter for organizations. The filter must be given a Python-style regex string, which is used to filter out CSRs with fields that don’t match the provided regex. Example: "Canonical Ltd\.". If the filter is enabled after CSRs that don’t match the regex have been approved, those approvals will not be reversed, but any future CSRs will be filtered, including ones coming from the same application. This may break automatic renewal requests.

  • limit-to-first-requester | boolean

    Default: True

    Limit requested identifiers (hostnames, IPs and OIDs) to the first requester. This includes the value provided in the Common Name as well as in the Subject Alternative Name (SAN) field. Multiple units of the same application can request the same or different fields from each other, and all of them are reserved to that application. An application can release the reservation on its fields by withdrawing its CSR, in which case any other application can reserve the previously taken fields. If this option is enabled after multiple applications have requested the same SAN fields, the filter will block any new CSR from taking these fields, and will continue to block these fields until the number of requirers that share those fields falls below 1.

  • limit-to-one-request | boolean

    Allows only a single CSR from any requirer. This CSR can be switched out at any point and replaced with another, but only a single CSR from an application will ever be forwarded. If this filter is enabled after multiple CSRs have already been requested, the filter will deny any CSR until the number of CSRs the requiring charm has requested is under 1.
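
Added example (not part of the charm or its documentation): the allowed-* descriptions above do not say whether a pattern is applied with re.search, re.match or re.fullmatch, so this script runs three of the page's example patterns against constructed field values under all three modes and lists the values whose verdict depends on the mode. The sample values and the function names evaluate, anchoring_sensitive and report are assumptions made for this illustration.

```python
import re

# Patterns copied from the option descriptions on this page.
PAGE_PATTERNS = {
    "allowed-dns": r"myapp-([0-9]+)?\.mycompany\.com",
    "allowed-country-code": r"(UK|US|CA|PL|AE|HU|FR|TR|IT)$",
    "allowed-email": r".*@canonical\.com",
}

# Constructed sample CSR field values (not taken from any real request).
SAMPLES = {
    "allowed-dns": [
        "myapp-1.mycompany.com",
        "myapp-.mycompany.com",               # the digit group is optional
        "myapp-1.mycompany.com.example.net",  # extra trailing labels
        "dev-myapp-1.mycompany.com",          # extra leading label
    ],
    "allowed-country-code": ["US", "XUS", "USA"],
    "allowed-email": ["ops@canonical.com", "ops@canonical.com.example.net"],
}


def evaluate(pattern, value):
    """Return how each Python matching mode treats value."""
    rx = re.compile(pattern)
    return {
        "search": rx.search(value) is not None,        # match anywhere
        "match": rx.match(value) is not None,          # anchored at start only
        "fullmatch": rx.fullmatch(value) is not None,  # whole string
    }


def anchoring_sensitive(pattern, values):
    """Values whose accept/reject verdict differs between matching modes."""
    return [v for v in values if len(set(evaluate(pattern, v).values())) > 1]


def report():
    """One (option, value, verdicts) row per constructed sample."""
    return [(opt, v, evaluate(PAGE_PATTERNS[opt], v))
            for opt, vals in SAMPLES.items() for v in vals]


if __name__ == "__main__":
    for option, value, verdict in report():
        flags = " ".join(f"{k}={'Y' if ok else 'N'}" for k, ok in verdict.items())
        print(f"{option:22} {value:36} {flags}")
```

Any value returned by anchoring_sensitive is accepted only under the looser matching modes; wrapping a pattern as ^(?:...)\Z makes all three modes give the same verdict.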