Documentation ¶
Index ¶
- Constants
- Variables
- func TOSAgree(agreementURL string) bool
- func TOSDecline(agreementURL string) bool
- type AcmeWrapper
- func (w *AcmeWrapper) AcmeDisabled(set bool) error
- func (w *AcmeWrapper) AddSNI(domain string, cert *tls.Certificate)
- func (w *AcmeWrapper) CertNeedsUpdate() bool
- func (w *AcmeWrapper) GetCertificate() *tls.Certificate
- func (w *AcmeWrapper) GetEmail() string
- func (w *AcmeWrapper) GetPrivateKey() crypto.PrivateKey
- func (w *AcmeWrapper) GetRegistration() *acme.RegistrationResource
- func (w *AcmeWrapper) RemSNI(domain string)
- func (w *AcmeWrapper) Renew() (err error)
- func (w *AcmeWrapper) SetNewCert(certfile, keyfile string) error
- func (w *AcmeWrapper) TLSConfig() *tls.Config
- func (w *AcmeWrapper) TLSConfigGetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
- type Config
- type LoggerInterface
- type TOSCallback
Constants ¶
const (
	// DefaultServer is the server to use by default
	DefaultServer = "https://acme-v01.api.letsencrypt.org/directory"
	// DefaultKeyType represents the type for the private key
	DefaultKeyType = acme.RSA2048
	// DefaultAddress is the default port to use for initializing certs on startup
	DefaultAddress = ":443"
	// DefaultRenewTime is the time period before cert expiration to attempt renewal
	DefaultRenewTime = 30 * 24 * time.Hour
	// DefaultRetryDelay is the time between renew attempts after a previous attempt failed
	DefaultRetryDelay = 1 * 24 * time.Hour
	// DefaultRenewCheck is the time between checks of the certificate to make sure it doesn't
	// need to be renewed
	DefaultRenewCheck = 12 * time.Hour
)
Variables ¶
var ErrNotHandled = errors.New("not handled")
ErrNotHandled is returned by read and write file callbacks if the file should be read from filesystem.
Functions ¶
func TOSAgree ¶
TOSAgree always agrees to the terms of service. This should only really be used if you realize that you could be selling your soul without being notified.
func TOSDecline ¶
TOSDecline always declines the terms of service. This can be used for testing, when you want to make sure that ACME is really off, or that the user is being loaded.
Types ¶
type AcmeWrapper ¶
type AcmeWrapper struct {
	sync.Mutex // configmutex ensures that settings for the ACME stuff don't happen in parallel
	Config Config
	// contains filtered or unexported fields
}
AcmeWrapper is the main object which controls tls certificates and their renewals
func New ¶
func New(c Config) (*AcmeWrapper, error)
New generates an AcmeWrapper given a configuration
func (*AcmeWrapper) AcmeDisabled ¶
func (w *AcmeWrapper) AcmeDisabled(set bool) error
AcmeDisabled enables or disables ACME-based certificate handling. Note that it is assumed that this function is only called during server runtime (i.e., your server is already listening). Its main purpose is to enable live reload of the ACME configuration. Do NOT set AcmeDisabled in AcmeWrapper.Config, since it will panic.
func (*AcmeWrapper) AddSNI ¶
func (w *AcmeWrapper) AddSNI(domain string, cert *tls.Certificate)
AddSNI adds a domain name and certificate pair to the AcmeWrapper. Whenever a request is for the passed domain, its associated certificate is returned.
func (*AcmeWrapper) CertNeedsUpdate ¶
func (w *AcmeWrapper) CertNeedsUpdate() bool
CertNeedsUpdate returns whether the current certificate either does not exist, is fewer than X days from expiration (where X is set in the config), or does not match the domains set in the configuration.
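The three conditions above, written out as an added example that is not acmewrapper's own code: needsUpdate is a stand-alone re-implementation of the CertNeedsUpdate rule over a parsed x509 certificate, and selfSigned only produces constructed test input (defaultRenewTime mirrors the package's DefaultRenewTime; all names here are assumptions, not the package's API).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"sort"
	"strings"
	"time"
)

// defaultRenewTime stands in for acmewrapper.DefaultRenewTime: renew 30 days before expiry.
const defaultRenewTime = 30 * 24 * time.Hour

// needsUpdate applies the three CertNeedsUpdate conditions: no cert, expiry closer than
// renewTime, or a SAN list that differs (ignoring order) from the configured domains.
func needsUpdate(cert *x509.Certificate, domains []string, renewTime time.Duration, now time.Time) bool {
	if cert == nil || now.Add(renewTime).After(cert.NotAfter) {
		return true
	}
	want := append([]string(nil), domains...)
	have := append([]string(nil), cert.DNSNames...)
	sort.Strings(want)
	sort.Strings(have)
	return strings.Join(want, "\x00") != strings.Join(have, "\x00")
}

// selfSigned builds a throwaway self-signed cert (constructed test input) with the given SANs.
func selfSigned(domains []string, notAfter time.Time) *x509.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     domains,
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
```

A cert that is valid for 60 more days with matching SANs passes; one 10 days from expiry, or one issued for a subset of the configured domains, is flagged for renewal.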
func (*AcmeWrapper) GetCertificate ¶
func (w *AcmeWrapper) GetCertificate() *tls.Certificate
GetCertificate returns the current TLS certificate
func (*AcmeWrapper) GetEmail ¶
func (w *AcmeWrapper) GetEmail() string
GetEmail returns the user email (if any). NOTE: NOT threadsafe.
func (*AcmeWrapper) GetPrivateKey ¶
func (w *AcmeWrapper) GetPrivateKey() crypto.PrivateKey
GetPrivateKey returns the private key for the given user. NOTE: NOT threadsafe.
func (*AcmeWrapper) GetRegistration ¶
func (w *AcmeWrapper) GetRegistration() *acme.RegistrationResource
GetRegistration returns the registration currently being used. NOTE: NOT threadsafe.
func (*AcmeWrapper) RemSNI ¶
func (w *AcmeWrapper) RemSNI(domain string)
RemSNI removes a domain name and certificate pair from the AcmeWrapper. It is assumed that they were added using AddSNI.
func (*AcmeWrapper) Renew ¶
func (w *AcmeWrapper) Renew() (err error)
Renew generates a new certificate
func (*AcmeWrapper) SetNewCert ¶
func (w *AcmeWrapper) SetNewCert(certfile, keyfile string) error
SetNewCert loads a new TLS key/cert from the given files. Running it with the same filenames as the existing cert will reload them.
func (*AcmeWrapper) TLSConfig ¶
func (w *AcmeWrapper) TLSConfig() *tls.Config
TLSConfig returns a TLS configuration that works directly with the Go TLS listener. It sets things up so that the server automatically uses a working cert, and updates the cert when necessary.
func (*AcmeWrapper) TLSConfigGetCertificate ¶
func (w *AcmeWrapper) TLSConfigGetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
TLSConfigGetCertificate is the main function used in the ACME wrapper. It is set as the GetCertificate property of tls.Config. Note that Certificates must be empty for it to be called correctly, so unless you know what you're doing, just use AcmeWrapper.TLSConfig().
type Config ¶
type Config struct {
	// The ACME server to query for key/cert. Default (Let's Encrypt) used if not set
	Server string
	// The domain for which to generate your certificate. Suppose you own mysite.com.
	// The domains to pass in are Domains: []string{"mysite.com","www.mysite.com"}. Don't
	// forget about the www version of your domain.
	Domains []string
	// The file to read/write the private key from/to. If this is not empty, and the file does not exist,
	// then the user is assumed not to be registered, and the file is created. If this is empty, then
	// a new private key is generated and used for all queries. The private key is lost on stopping the program.
	PrivateKeyFile string
	PrivateKeyType acme.KeyType // The private key type. Default is 2048 (RSA)
	// The file to read/write registration info to. The ACME protocol requires remembering some details
	// about a registration. Therefore, the file is saved at the given location.
	// If not given, and PrivateKeyFile is given, then gives an error - if you're saving your private key,
	// you need to save your user registration.
	RegistrationFile string
	Email string `json:"email"` // Optional user email
	// File names at which to read/write the TLS key and certificate. These are optional. If there
	// is no file given, then the keys are kept in memory. NOTE: You need write access to these files,
	// since they are overwritten each time a new certificate is requested.
	// Also, it is HIGHLY recommended that you save the files, since Let's Encrypt has fairly low limits
	// for how often certs for the same site can be requested (5/week at the time of writing).
	TLSCertFile string
	TLSKeyFile string
	RenewTime time.Duration  // The time until expiration of the current cert at which renewal is attempted. If not set, default is 30d
	RetryDelay time.Duration // The time to delay between attempts at renewing if renewal fails. Default is 1 day
	RenewCheck time.Duration // The time between checks for renewal. Default is 12h
	// The callback to use prompting the user to agree to the terms of service. A special Agree is built in, so
	// you can set TOSCallback: TOSAgree
	TOSCallback TOSCallback
	// If there is no certificate set up at all, we need to generate an initial one
	// to jump-start the server. Therefore, you should input the port that you
	// will use when running listen. If there are no certs, it runs a temporary mini
	// server at that location to generate initial certificates. Once that is done,
	// all further renewals are done through the SNI interface to your own server code.
	// The default here is 443
	Address string
	// This callback is run before each attempt at renewing. If not set, it simply isn't run.
	RenewCallback func()
	// RenewFailedCallback is run if renewing failed.
	RenewFailedCallback func(error)
	// When this is set to True, no ACME-related things happen - it just passes through your
	// key and cert directly.
	AcmeDisabled bool
	// When this callback is defined, it will be used to save all files.
	// If this callback returns acmewrapper.ErrNotHandled, it will fall back to saving the file to disk.
	SaveFileCallback func(path string, contents []byte) error
	// When this callback is defined, it will be used to load all files.
	// If this callback does not find the file at the provided path, it must return os.ErrNotExist.
	// If this callback returns acmewrapper.ErrNotHandled, it will fall back to loading the file from disk.
	LoadFileCallback func(path string) (contents []byte, err error)
}
Config is the setup to use for generating your TLS keys. While the only required component is Server, it is recommended that you save at least your TLS cert and key.
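The LoadFileCallback/SaveFileCallback contract above (os.ErrNotExist for a missing file, ErrNotHandled to fall through to disk) is easy to get wrong, so here is an added example, not acmewrapper's own code: newMemCallbacks returns a pair of callbacks in the shapes those Config fields expect, keeping any "mem:"-prefixed path in memory and handing everything else back to disk, and loadFile shows the fallback rule the wrapper is described as applying. errNotHandled, the "mem:" prefix and all function names are assumptions for this example.

```go
package main

import (
	"errors"
	"os"
	"strings"
)

// errNotHandled stands in for acmewrapper.ErrNotHandled ("fall back to the filesystem").
var errNotHandled = errors.New("not handled")

// newMemCallbacks returns Load/Save callbacks (in the shapes the Config fields expect) that keep
// any path prefixed "mem:" in memory and return errNotHandled for everything else so those
// paths still go to disk. Constructed for this example; add locking if called concurrently.
func newMemCallbacks() (func(string) ([]byte, error), func(string, []byte) error) {
	files := map[string][]byte{}
	load := func(path string) ([]byte, error) {
		if !strings.HasPrefix(path, "mem:") {
			return nil, errNotHandled
		}
		b, ok := files[path]
		if !ok {
			return nil, os.ErrNotExist // contract: a missing file must surface as os.ErrNotExist
		}
		return append([]byte(nil), b...), nil
	}
	save := func(path string, contents []byte) error {
		if !strings.HasPrefix(path, "mem:") {
			return errNotHandled
		}
		files[path] = append([]byte(nil), contents...)
		return nil
	}
	return load, save
}

// loadFile applies the LoadFileCallback fallback rule: consult the callback first and read
// from disk only when it answers errNotHandled. Any other error (including os.ErrNotExist)
// is returned as-is so the wrapper can tell "not registered yet" from "not handled here".
func loadFile(cb func(string) ([]byte, error), path string) ([]byte, error) {
	if cb != nil {
		if b, err := cb(path); !errors.Is(err, errNotHandled) {
			return b, err
		}
	}
	return os.ReadFile(path)
}
```

Keeping PrivateKeyFile under "mem:" while leaving TLSCertFile/TLSKeyFile on disk is one way to persist the certificate for the rate-limit reason given above without writing the account key to disk.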
type LoggerInterface ¶
type LoggerInterface interface {
Printf(format string, v ...interface{})
}
LoggerInterface represents anything that can Printf.
var Logger LoggerInterface
Logger allows a custom logger to be used for logging purposes.
type TOSCallback ¶
TOSCallback is a callback to run when the TOS have changed and need to be agreed to. The returned bool is agree (true) or not agree (false).