autocertdelegate

Version: v0.0.0-...-078dd11
Published: Mar 11, 2020 License: BSD-3-Clause Imports: 19 Imported by: 2

README

autocertdelegate

What

I wanted internal HTTPS servers to have valid TLS certs with minimal fuss.

In particular:

  • I didn't want to deal with being my own CA or configuring all my devices to trust a new root.
  • I didn't want to use LetsEncrypt DNS challenges because there are tons of DNS providers and I don't want API clients for tons of DNS providers and I don't want to configure secrets (or anything) anywhere.
  • I don't want to expose my internal services to the internet or deal with updating firewall rules to only allow LetsEncrypt.

How

See https://godoc.org/github.com/bradfitz/autocertdelegate

It provides a client that plugs into an http.Server to get certs, and a server handler for a public-facing server that does the LetsEncrypt ALPN challenges. You then do split-horizon DNS to give out internal IPs to internal clients and a public IP (of the delegate server) to everybody else (namely LetsEncrypt doing the ALPN challenges).

Then internal clients just ask the delegate server for the certs, and the delegate server does a little challenge itself to test the internal clients.

Is it secure?

I built this for my own use on my home network. Maybe you'll find it useful, but maybe you'll find it insecure. Beauty is in the eye of the downloader.

Contributing

I'm releasing as a Go project under the Go AUTHORs/LICENSEs, as it's related to golang.org/x/crypto/acme/autocert. As such, I'm not accepting any PRs unless you've contributed to Go or otherwise done the Google CLA.

Documentation

Overview

Package autocertdelegate provides a mechanism to provision LetsEncrypt certs for internal LAN TLS servers (that aren't reachable publicly) via a delegated server that is.

See also https://github.com/bradfitz/autocertdelegate.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client fetches certs from the Server. Its GetCertificate method is suitable for use by an HTTP server's TLSConfig.GetCertificate.

func NewClient

func NewClient(server string) *Client

NewClient returns a new client fetching from the provided server hostname. The server must be a hostname only (without a scheme or path).

func (*Client) GetCertificate

func (c *Client) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate fetches a certificate suitable for responding to the provided hello. The signature of GetCertificate is suitable for use by an HTTP server's TLSConfig.GetCertificate.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is an http.Handler that runs on the Internet-facing daemon and gets the TLS certs from LetsEncrypt (using ALPN challenges) and gives them out to internal clients.

It will only give them out to internal clients whose DNS names resolve to internal IP addresses and who can prove that they are running code on that IP address. (This assumes that such hostnames aren't multi-user systems with untrusted users.)
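As an added illustration of the first half of that gating rule (and of the split-horizon setup the README describes), the following is example code written for this page, not code from the autocertdelegate package, whose actual checks may differ. It decides whether a requesting hostname is eligible for a cert by resolving it in the delegate server's own view of DNS and requiring every returned address to be internal. The Resolver type, CheckInternalHost, isInternalIP, mapResolver and the host table are assumptions of this example; treating RFC 1918/4193 private space, loopback and link-local as "internal", and failing closed when a name has a mix of internal and public addresses, are this example's choices rather than documented package behaviour. The "prove they are running code on that IP" half of the rule is not shown.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
)

// Resolver abstracts hostname lookup so the policy can be exercised offline
// with a constructed table instead of real DNS. (Hypothetical type for this example.)
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// isInternalIP reports whether ip falls in a range this example treats as
// internal: RFC 1918 / RFC 4193 private space, loopback, or link-local unicast.
// This definition is an assumption of the example, not the package's.
func isInternalIP(ip net.IP) bool {
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast()
}

// CheckInternalHost returns nil only when host is a DNS name (not an IP
// literal) that resolves to one or more addresses, all of them internal.
// A single public address fails the whole name: the cert would otherwise be
// handed to something reachable from outside the LAN.
func CheckInternalHost(ctx context.Context, resolve Resolver, host string) error {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	if host == "" || net.ParseIP(host) != nil {
		return fmt.Errorf("%q: a DNS name is required, not an IP literal", host)
	}
	ips, err := resolve(ctx, host)
	if err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("%q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if !isInternalIP(ip) {
			return fmt.Errorf("%q resolves to non-internal address %s", host, ip)
		}
	}
	return nil
}

// mapResolver builds a Resolver from a constructed name-to-address table
// (sample data for the demo; not real DNS).
func mapResolver(table map[string][]string) Resolver {
	return func(_ context.Context, host string) ([]net.IP, error) {
		addrs, ok := table[host]
		if !ok {
			return nil, fmt.Errorf("no such host")
		}
		ips := make([]net.IP, 0, len(addrs))
		for _, a := range addrs {
			ips = append(ips, net.ParseIP(a))
		}
		return ips, nil
	}
}

func main() {
	// Constructed split-horizon view as the delegate server would see it.
	resolve := mapResolver(map[string][]string{
		"nas.home.example":   {"10.0.0.20"},
		"cam.home.example":   {"192.168.1.40", "fd00::40"},
		"blog.home.example":  {"203.0.113.7"},              // public: refused
		"mixed.home.example": {"10.0.0.9", "198.51.100.9"}, // partly public: refused
	})
	names := []string{
		"nas.home.example", "cam.home.example", "blog.home.example",
		"mixed.home.example", "missing.home.example", "10.0.0.20",
	}
	for _, h := range names {
		if err := CheckInternalHost(context.Background(), resolve, h); err != nil {
			fmt.Println("refuse:", err)
		} else {
			fmt.Println("allow: ", h)
		}
	}
}
```

Run with `go run .`; the resolver table is the only input, so swapping in `net.DefaultResolver.LookupIP` (with the network argument fixed to "ip") would turn the same policy into a live check against the server's DNS view.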

func NewServer

func NewServer(am *autocert.Manager) *Server

NewServer returns a new server given an autocert.Manager configuration.

func (*Server) ServeHTTP

func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP is the HTTP handler to get challenges & certs for the Client. The Handler only responds to GET requests over TLS. It can be installed at any path, but the client only makes requests to the root. It's assumed that any existing HTTP mux is routing based on the hostname.
