autotls

package

v0.0.9 Latest Latest Go to latest Published: Jan 9, 2024 License: MIT Imports: 28 Imported by: 3

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/mjl-/mox

Links

Open Source Insights

Documentation ¶

Overview ¶

Package autotls automatically configures TLS (for SMTP, IMAP, HTTP) by requesting certificates with ACME, typically from Let's Encrypt.

Index ¶

type Manager
- func Load(name, acmeDir, contactEmail, directoryURL string, eabKeyID string, ...) (*Manager, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Manager ¶

type Manager struct {
	ACMETLSConfig *tls.Config // For serving HTTPS on port 443, which is required for certificate requests to succeed.
	TLSConfig     *tls.Config // For all TLS servers not used for validating ACME requests. Like SMTP and IMAP (including with STARTTLS) and HTTPS on ports other than 443.
	Manager       *autocert.Manager

	sync.Mutex
	// contains filtered or unexported fields
}

Manager is in charge of a single ACME identity, and automatically requests certificates for allowlisted hosts.

func Load ¶

func Load(name, acmeDir, contactEmail, directoryURL string, eabKeyID string, eabKey []byte, getPrivateKey func(host string, keyType autocert.KeyType) (crypto.Signer, error), shutdown <-chan struct{}) (*Manager, error)

Load returns an initialized autotls manager for "name" (used for the ACME key file and requested certs and their keys). All files are stored within acmeDir.

contactEmail must be a valid email address to which notifications about ACME can be sent. directoryURL is the ACME starting point.

eabKeyID and eabKey are for external account binding when making a new account, which some ACME providers require.

getPrivateKey is called to get the private key for the host and key type. It can be used to deliver a specific (e.g. always the same) private key for a host, or a newly generated key.

When shutdown is closed, no new TLS connections can be created.

func (*Manager) CertAvailable ¶ added in v0.0.9

func (m *Manager) CertAvailable(ctx context.Context, log mlog.Log, host dns.Domain) (bool, error)

CertAvailable checks whether a non-expired ECDSA certificate is available in the cache for host. No other checks than expiration are done.

func (*Manager) HostPolicy ¶

func (m *Manager) HostPolicy(ctx context.Context, host string) (rerr error)

HostPolicy decides if a host is allowed for use with ACME, i.e. whether a certificate will be returned if present and/or will be requested if not yet present. Only hosts added with SetAllowedHostnames are allowed. During shutdown, no new connections are allowed.

func (*Manager) Hostnames ¶

func (m *Manager) Hostnames() []dns.Domain

Hostnames returns the allowed host names for use with ACME.

func (*Manager) SetAllowedHostnames ¶ added in v0.0.2

func (m *Manager) SetAllowedHostnames(log mlog.Log, resolver dns.Resolver, hostnames map[dns.Domain]struct{}, publicIPs []string, checkHosts bool)

SetAllowedHostnames sets a new list of allowed hostnames for automatic TLS. After setting the host names, a goroutine is start to check that new host names are fully served by publicIPs (only if non-empty and there is no unspecified address in the list). If no, log an error with a warning that ACME validation may fail.

Source Files ¶

View all Source files

autotls.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL