-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrated lets encrypt support #1921
Conversation
Fails because of missing context dependency, but getting this:
It's pretty annoying to not being able to use govendor's full power because of all the unmanaged deps. |
I have added the context package via the |
|
||
// define the server configuration | ||
server := &http.Server{ | ||
Addr: c.String("server-addr"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wondering, with let's encrypt, do we want to use https:
as the address, and then start up a second server that listens for http:
and auto-redirects to https?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe yes, however you prefer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Set Addr as ":https" for let's encrypt
Idle curiosity here, but why the (somewhat) moving target of https://golang.org/x/crypto/acme/autocert, versus https://github.com/xenolf/lego? I've used the latter as a CLI tool with some regularity, and particularly like that it offers many different options for DNS providers to do DNS-based validation. Thanks! |
The somewhat moving target compared to this from the Lego readme?
|
Hah. Nice catch, though I still believe that supporting DNS-based validation is a killer feature. From personal experience, I've used |
Just to be explicit here: supporting DNS-based validations means I can use Let's Encrypt to generate usable certificates for services that aren't Internet accessible. This may not be an important use case to all organizations, but I think it is like to be a requirement for some. |
@benschumacher the use case for DNS validation definitely makes sense for behind-the-firewall installations. @jmccann is this something you guys would be able to use? Is your DNS internal or external? I wonder if the official Go library is planning to support this capability, and if anyone has requested the feature yet. |
To being able to use the DNS challenge you must host your DNS setup on one of the supported providers. |
This isn't something we do currently AFAIK. Not sure where we host our DNS TBH. While I'd like to use let's encrypt at some point I think a company solution would have to be thought out and implemented. I don't know if/when I'd try to tackle that. So I think for now this doesn't pertain to me. However, 👍 to the PR from me because I want all the TLS hardening that comes with it. ;) |
@benschumacher it looks like there is some code in place to handle DNS challenge records, but I'm not sure the level of completeness and if it can be integrated into this PR any thoughts? |
@@ -21,6 +21,7 @@ deps_backend: | |||
go get -u github.com/elazarl/go-bindata-assetfs/... | |||
go get -u github.com/drone/mq/... | |||
go get -u github.com/tidwall/redlog | |||
go get -u golang.org/x/net/context |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we use context
from the stdlib now that drone is using Go 1.8?
|
||
certManager := autocert.Manager{ | ||
Prompt: autocert.AcceptTOS, | ||
Cache: autocert.DirCache(c.String("lets-encrypt-path")), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing HostPolicy
? The user can set white list for the custom domains.
m := autocert.Manager{
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist("example1.com", "example2.com"),
Cache: autocert.DirCache("/var/www/.cache"),
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't have any attribute for the domain
Below is an example of how we could serve http and https simultaneously. It is also a bit more simple. It does not give the ability to configure ciphers but there is a CL to remove insecure ciphers in the next version of Go var g errgroup.Group
g.Go(func() error {
return http.ListenAndServe(":http", http.RedirectHandler("https://example.com", 303))
})
g.Go(func() error {
return http.Serve(autocert.NewListener("example.com"), handler)
})
if err := g.Wait(); err != nil {
log.Fatal(err)
} In the Dockerfile we could add the following environment variable:
The acme library will then save to |
I added lets encrypt to another one of my projects based on the above code I posted. I ended up adding to drone as well. You can now visit http:https://beta.drone.io AND https://beta.drone.io. I appreciate the initial pr which inspired the final change. thanks @tboerger Lets encrypt can be enabled with the following environment variable:
The dockerfile was updated to expose 8000, 80, and 443. If you are using lets encrypt you need to bind to the following ports on the the host machine:
The dockerfile includes the below environment variable which instructs drone to cache the certs in the same directory as the sqlite database. No configuration should be required for this.
Below is what the code looks like now, for those interested:
|
No description provided.