Documentation ¶
Overview ¶
Package certmagic automates the obtaining and renewal of TLS certificates, including TLS & HTTPS best practices such as robust OCSP stapling, caching, HTTP->HTTPS redirects, and more.
Its high-level API serves your HTTP handlers over HTTPS if you simply give the domain name(s) and the http.Handler; CertMagic will create and run the HTTPS server for you, fully managing certificates during the lifetime of the server. Similarly, it can be used to start TLS listeners or return a ready-to-use tls.Config -- whatever layer you need TLS for, CertMagic makes it easy. See the HTTPS, Listen, and TLS functions for that.
If you need more control, create a Cache using NewCache() and then make a Config using New(). You can then call Manage() on the config. But if you use this lower-level API, you'll have to be sure to solve the HTTP and TLS-ALPN challenges yourself (unless you disabled them or use the DNS challenge) by using the provided Config.GetCertificate function in your tls.Config and/or Config.HTTPChallangeHandler in your HTTP handler.
See the package's README for more instruction.
Index ¶
- Constants
- Variables
- func CleanStorage(ctx context.Context, storage Storage, opts CleanStorageOptions)
- func CleanUpOwnLocks(logger *zap.Logger)
- func HTTPS(domainNames []string, mux http.Handler) error
- func Listen(domainNames []string) (net.Listener, error)
- func LooksLikeHTTPChallenge(r *http.Request) bool
- func ManageAsync(ctx context.Context, domainNames []string) error
- func ManageSync(domainNames []string) error
- func MatchWildcard(subject, wildcard string) bool
- func SolveHTTPChallenge(logger *zap.Logger, w http.ResponseWriter, r *http.Request, ...) bool
- func SubjectIsIP(subj string) bool
- func SubjectIsInternal(subj string) bool
- func SubjectQualifiesForCert(subj string) bool
- func SubjectQualifiesForPublicCert(subj string) bool
- func TLS(domainNames []string) (*tls.Config, error)
- type ACMEDNSProvider
- type ACMEManager
- func (am *ACMEManager) GetAccount(ctx context.Context, privateKeyPEM []byte) (acme.Account, error)
- func (am *ACMEManager) HTTPChallengeHandler(h http.Handler) http.Handler
- func (am *ACMEManager) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool
- func (am *ACMEManager) Issue(ctx context.Context, csr *x509.CertificateRequest) (*IssuedCertificate, error)
- func (am *ACMEManager) IssuerKey() string
- func (am *ACMEManager) PreCheck(_ context.Context, names []string, interactive bool) error
- func (am *ACMEManager) Revoke(ctx context.Context, cert CertificateResource, reason int) error
- type Cache
- type CacheOptions
- type Certificate
- type CertificateResource
- type CertificateSelector
- type ChainPreference
- type Challenge
- type CleanStorageOptions
- type Config
- func (cfg *Config) CacheManagedCertificate(domain string) (Certificate, error)
- func (cfg *Config) CacheUnmanagedCertificatePEMBytes(certBytes, keyBytes []byte, tags []string) error
- func (cfg *Config) CacheUnmanagedCertificatePEMFile(certFile, keyFile string, tags []string) error
- func (cfg *Config) CacheUnmanagedTLSCertificate(tlsCert tls.Certificate, tags []string) error
- func (cfg *Config) ClientCredentials(ctx context.Context, identifiers []string) ([]tls.Certificate, error)
- func (cfg *Config) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
- func (cfg *Config) ManageAsync(ctx context.Context, domainNames []string) error
- func (cfg *Config) ManageSync(domainNames []string) error
- func (cfg *Config) ObtainCert(ctx context.Context, name string, interactive bool) error
- func (cfg *Config) RenewCert(ctx context.Context, name string, interactive bool) error
- func (cfg *Config) RevokeCert(ctx context.Context, domain string, reason int, interactive bool) error
- func (cfg *Config) TLSConfig() *tls.Config
- func (cfg *Config) Unmanage(domainNames []string)
- type ConfigGetter
- type DNS01Solver
- type ErrNoRetry
- type ErrNotExist
- type FileStorage
- func (fs *FileStorage) Delete(key string) error
- func (fs *FileStorage) Exists(key string) bool
- func (fs *FileStorage) Filename(key string) string
- func (fs *FileStorage) List(prefix string, recursive bool) ([]string, error)
- func (fs *FileStorage) Load(key string) ([]byte, error)
- func (fs *FileStorage) Lock(ctx context.Context, key string) error
- func (fs *FileStorage) Stat(key string) (KeyInfo, error)
- func (fs *FileStorage) Store(key string, value []byte) error
- func (fs *FileStorage) String() string
- func (fs *FileStorage) Unlock(key string) error
- type IssuedCertificate
- type Issuer
- type KeyBuilder
- func (keys KeyBuilder) CertsPrefix(issuerKey string) string
- func (keys KeyBuilder) CertsSitePrefix(issuerKey, domain string) string
- func (keys KeyBuilder) OCSPStaple(cert *Certificate, pemBundle []byte) string
- func (keys KeyBuilder) Safe(str string) string
- func (keys KeyBuilder) SiteCert(issuerKey, domain string) string
- func (keys KeyBuilder) SiteMeta(issuerKey, domain string) string
- func (keys KeyBuilder) SitePrivateKey(issuerKey, domain string) string
- type KeyGenerator
- type KeyInfo
- type KeyType
- type Locker
- type OCSPConfig
- type OnDemandConfig
- type PreChecker
- type Revoker
- type RingBufferRateLimiter
- func (r *RingBufferRateLimiter) Allow() bool
- func (r *RingBufferRateLimiter) MaxEvents() int
- func (r *RingBufferRateLimiter) SetMaxEvents(maxEvents int)
- func (r *RingBufferRateLimiter) SetWindow(window time.Duration)
- func (r *RingBufferRateLimiter) Stop()
- func (r *RingBufferRateLimiter) Wait(ctx context.Context) error
- func (r *RingBufferRateLimiter) Window() time.Duration
- type StandardKeyGenerator
- type Storage
Examples ¶
Constants ¶
const ( LetsEncryptStagingCA = "https://acme-staging-v02.api.letsencrypt.org/directory" LetsEncryptProductionCA = "https://acme-v02.api.letsencrypt.org/directory" ZeroSSLProductionCA = "https://acme.zerossl.com/v2/DV90" )
Some well-known CA endpoints available to use.
const ( // HTTPChallengePort is the officially-designated port for // the HTTP challenge according to the ACME spec. HTTPChallengePort = 80 // TLSALPNChallengePort is the officially-designated port for // the TLS-ALPN challenge according to the ACME spec. TLSALPNChallengePort = 443 )
const ( ED25519 = KeyType("ed25519") P256 = KeyType("p256") P384 = KeyType("p384") RSA2048 = KeyType("rsa2048") RSA4096 = KeyType("rsa4096") RSA8192 = KeyType("rsa8192") )
Constants for all key types we support.
const ( // DefaultRenewCheckInterval is how often to check certificates for expiration. // Scans are very lightweight, so this can be semi-frequent. This default should // be smaller than <Minimum Cert Lifetime>*DefaultRenewalWindowRatio/3, which // gives certificates plenty of chance to be renewed on time. DefaultRenewCheckInterval = 10 * time.Minute // DefaultRenewalWindowRatio is how much of a certificate's lifetime becomes the // renewal window. The renewal window is the span of time at the end of the // certificate's validity period in which it should be renewed. A default value // of ~1/3 is pretty safe and recommended for most certificates. DefaultRenewalWindowRatio = 1.0 / 3.0 // DefaultOCSPCheckInterval is how often to check if OCSP stapling needs updating. DefaultOCSPCheckInterval = 1 * time.Hour )
Variables ¶
var ( // RateLimitEvents is how many new events can be allowed // in RateLimitEventsWindow. RateLimitEvents = 10 // RateLimitEventsWindow is the size of the sliding // window that throttles events. RateLimitEventsWindow = 1 * time.Minute )
These internal rate limits are designed to prevent accidentally firehosing a CA's ACME endpoints. They are not intended to replace or replicate the CA's actual rate limits.
Let's Encrypt's rate limits can be found here: https://letsencrypt.org/docs/rate-limits/
Currently (as of December 2019), Let's Encrypt's most relevant rate limit for large deployments is 300 new orders per account per 3 hours (on average, or best case, that's about 1 every 36 seconds, or 2 every 72 seconds, etc.); but it's not reasonable to try to assume that our internal state is the same as the CA's (due to process restarts, config changes, failed validations, etc.) and ultimately, only the CA's actual rate limiter is the authority. Thus, our own rate limiters do not attempt to enforce external rate limits. Doing so causes problems when the domains are not in our control (i.e. serving customer sites) and/or lots of domains fail validation: they clog our internal rate limiter and nearly starve out (or at least slow down) the other domains that need certificates. Failed transactions are already retried with exponential backoff, so adding in rate limiting can slow things down even more.
Instead, the point of our internal rate limiter is to avoid hammering the CA's endpoint when there are thousands or even millions of certificates under management. Our goal is to allow small bursts in a relatively short timeframe so as to not block any one domain for too long, without unleashing thousands of requests to the CA at once.
var ( UserAgent string HTTPTimeout = 30 * time.Second )
Some default values passed down to the underlying ACME client.
var ( // HTTPPort is the port on which to serve HTTP // and, as such, the HTTP challenge (unless // Default.AltHTTPPort is set). HTTPPort = 80 // HTTPSPort is the port on which to serve HTTPS // and, as such, the TLS-ALPN challenge // (unless Default.AltTLSALPNPort is set). HTTPSPort = 443 )
Port variables must remain their defaults unless you forward packets from the defaults to whatever these are set to; otherwise ACME challenges will fail.
var AttemptsCtxKey retryStateCtxKey
AttemptsCtxKey is the context key for the value that holds the attempt counter. The value counts how many times the operation has been attempted. A value of 0 means first attempt.
var Default = Config{ RenewalWindowRatio: DefaultRenewalWindowRatio, Storage: defaultFileStorage, KeySource: DefaultKeyGenerator, }
Default contains the package defaults for the various Config fields. This is used as a template when creating your own Configs with New() or NewDefault(), and it is also used as the Config by all the high-level functions in this package that abstract away most configuration (HTTPS(), TLS(), Listen(), etc).
The fields of this value will be used for Config fields which are unset. Feel free to modify these defaults, but do not use this Config by itself: it is only a template. Valid configurations can be obtained by calling New() (if you have your own certificate cache) or NewDefault() (if you only need a single config and want to use the default cache).
Even if the Issuers or Storage fields are not set, defaults will be applied in the call to New().
var DefaultACME = ACMEManager{ CA: LetsEncryptProductionCA, TestCA: LetsEncryptStagingCA, }
DefaultACME specifies default settings to use for ACMEManagers. Using this value is optional but can be convenient.
var DefaultKeyGenerator = StandardKeyGenerator{KeyType: P256}
DefaultKeyGenerator is the default key source.
Functions ¶
func CleanStorage ¶
func CleanStorage(ctx context.Context, storage Storage, opts CleanStorageOptions)
CleanStorage removes assets which are no longer useful, according to opts.
func CleanUpOwnLocks ¶
CleanUpOwnLocks immediately cleans up all current locks obtained by this process. Since this does not cancel the operations that the locks are synchronizing, this should be called only immediately before process exit. Errors are only reported if a logger is given.
func HTTPS ¶
HTTPS serves mux for all domainNames using the HTTP and HTTPS ports, redirecting all HTTP requests to HTTPS. It uses the Default config.
This high-level convenience function is opinionated and applies sane defaults for production use, including timeouts for HTTP requests and responses. To allow very long-lived connections, you should make your own http.Server values and use this package's Listen(), TLS(), or Config.TLSConfig() functions to customize to your needs. For example, servers which need to support large uploads or downloads with slow clients may need to use longer timeouts, thus this function is not suitable.
Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.
Example ¶
This is the simplest way for HTTP servers to use this package. Call HTTPS() with your domain names and your handler (or nil for the http.DefaultMux), and CertMagic will do the rest.
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) { fmt.Fprintf(w, "Hello, HTTPS visitor!") }) err := HTTPS([]string{"example.com", "www.example.com"}, nil) if err != nil { log.Fatal(err) }
Output:
func Listen ¶
Listen manages certificates for domainName and returns a TLS listener. It uses the Default config.
Because this convenience function returns only a TLS-enabled listener and does not presume HTTP is also being served, the HTTP challenge will be disabled. The package variable Default is modified so that the HTTP challenge is disabled.
Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.
func LooksLikeHTTPChallenge ¶
LooksLikeHTTPChallenge returns true if r looks like an ACME HTTP challenge request from an ACME server.
func ManageAsync ¶
ManageAsync is the same as ManageSync, except that certificates are managed asynchronously. This means that the function will return before certificates are ready, and errors that occur during certificate obtain or renew operations are only logged. It is vital that you monitor the logs if using this method, which is only recommended for automated/non-interactive environments.
func ManageSync ¶
ManageSync obtains certificates for domainNames and keeps them renewed using the Default config.
This is a slightly lower-level function; you will need to wire up support for the ACME challenges yourself. You can obtain a Config to help you do that by calling NewDefault().
You will need to ensure that you use a TLS config that gets certificates from this Config and that the HTTP and TLS-ALPN challenges can be solved. The easiest way to do this is to use NewDefault().TLSConfig() as your TLS config and to wrap your HTTP handler with NewDefault().HTTPChallengeHandler(). If you don't have an HTTP server, you will need to disable the HTTP challenge.
If you already have a TLS config you want to use, you can simply set its GetCertificate field to NewDefault().GetCertificate.
Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.
func MatchWildcard ¶
MatchWildcard returns true if subject (a candidate DNS name) matches wildcard (a reference DNS name), mostly according to RFC 6125-compliant wildcard rules. See also RFC 2818 which states that IP addresses must match exactly, but this function does not attempt to distinguish IP addresses from internal or external DNS names that happen to look like IP addresses. It uses DNS wildcard matching logic. https://tools.ietf.org/html/rfc2818#section-3.1
func SolveHTTPChallenge ¶
func SolveHTTPChallenge(logger *zap.Logger, w http.ResponseWriter, r *http.Request, challenge acme.Challenge) bool
SolveHTTPChallenge solves the HTTP challenge. It should be used only on HTTP requests that are from ACME servers trying to validate an identifier (i.e. LooksLikeHTTPChallenge() == true). It returns true if the request criteria check out and it answered with key authentication, in which case no further handling of the request is necessary.
func SubjectIsIP ¶
SubjectIsIP returns true if subj is an IP address.
func SubjectIsInternal ¶
SubjectIsInternal returns true if subj is an internal-facing hostname or address.
func SubjectQualifiesForCert ¶
SubjectQualifiesForCert returns true if subj is a name which, as a quick sanity check, looks like it could be the subject of a certificate. Requirements are: - must not be empty - must not start or end with a dot (RFC 1034) - must not contain common accidental special characters
func SubjectQualifiesForPublicCert ¶
SubjectQualifiesForPublicCert returns true if the subject name appears eligible for automagic TLS with a public CA such as Let's Encrypt. For example: localhost and IP addresses are not eligible because we cannot obtain certs for those names with a public CA. Wildcard names are allowed, as long as they conform to CABF requirements (only one wildcard label, and it must be the left-most label).
func TLS ¶
TLS enables management of certificates for domainNames and returns a valid tls.Config. It uses the Default config.
Because this is a convenience function that returns only a tls.Config, it does not assume HTTP is being served on the HTTP port, so the HTTP challenge is disabled (no HTTPChallengeHandler is necessary). The package variable Default is modified so that the HTTP challenge is disabled.
Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.
Types ¶
type ACMEDNSProvider ¶
type ACMEDNSProvider interface { libdns.RecordAppender libdns.RecordDeleter }
ACMEDNSProvider defines the set of operations required for ACME challenges. A DNS provider must be able to append and delete records in order to solve ACME challenges. Find one you can use at https://github.com/libdns. If your provider isn't implemented yet, feel free to contribute!
type ACMEManager ¶
type ACMEManager struct { // The endpoint of the directory for the ACME // CA we are to use CA string // TestCA is the endpoint of the directory for // an ACME CA to use to test domain validation, // but any certs obtained from this CA are // discarded TestCA string // The email address to use when creating or // selecting an existing ACME server account Email string // The PEM-encoded private key of the ACME // account to use; only needed if the account // is already created on the server and // can be looked up with the ACME protocol AccountKeyPEM string // Set to true if agreed to the CA's // subscriber agreement Agreed bool // An optional external account to associate // with this ACME account ExternalAccount *acme.EAB // Disable all HTTP challenges DisableHTTPChallenge bool // Disable all TLS-ALPN challenges DisableTLSALPNChallenge bool // The host (ONLY the host, not port) to listen // on if necessary to start a listener to solve // an ACME challenge ListenHost string // The alternate port to use for the ACME HTTP // challenge; if non-empty, this port will be // used instead of HTTPChallengePort to spin up // a listener for the HTTP challenge AltHTTPPort int // The alternate port to use for the ACME // TLS-ALPN challenge; the system must forward // TLSALPNChallengePort to this port for // challenge to succeed AltTLSALPNPort int // The solver for the dns-01 challenge; // usually this is a DNS01Solver value // from this package DNS01Solver acmez.Solver // TrustedRoots specifies a pool of root CA // certificates to trust when communicating // over a network to a peer. TrustedRoots *x509.CertPool // The maximum amount of time to allow for // obtaining a certificate. If empty, the // default from the underlying ACME lib is // used. If set, it must not be too low so // as to cancel challenges too early. CertObtainTimeout time.Duration // Address of custom DNS resolver to be used // when communicating with ACME server Resolver string // Callback function that is called before a // new ACME account is registered with the CA; // it allows for last-second config changes // of the ACMEManager and the Account. // (TODO: this feature is still EXPERIMENTAL and subject to change) NewAccountFunc func(context.Context, *ACMEManager, acme.Account) (acme.Account, error) // Preferences for selecting alternate // certificate chains PreferredChains ChainPreference // Set a logger to enable logging Logger *zap.Logger // contains filtered or unexported fields }
ACMEManager gets certificates using ACME. It implements the PreChecker, Issuer, and Revoker interfaces.
It is NOT VALID to use an ACMEManager without calling NewACMEManager(). It fills in any default values from DefaultACME as well as setting up internal state that is necessary for valid use. Always call NewACMEManager() to get a valid ACMEManager value.
func NewACMEManager ¶
func NewACMEManager(cfg *Config, template ACMEManager) *ACMEManager
NewACMEManager constructs a valid ACMEManager based on a template configuration; any empty values will be filled in by defaults in DefaultACME, and if any required values are still empty, sensible defaults will be used.
Typically, you'll create the Config first with New() or NewDefault(), then call NewACMEManager(), then assign the return value to the Issuers field of the Config.
func (*ACMEManager) GetAccount ¶
GetAccount first tries loading the account with the associated private key from storage. If it does not exist in storage, it will be retrieved from the ACME server and added to storage. The account must already exist; it does not create a new account.
func (*ACMEManager) HTTPChallengeHandler ¶
func (am *ACMEManager) HTTPChallengeHandler(h http.Handler) http.Handler
HTTPChallengeHandler wraps h in a handler that can solve the ACME HTTP challenge. cfg is required, and it must have a certificate cache backed by a functional storage facility, since that is where the challenge state is stored between initiation and solution.
If a request is not an ACME HTTP challenge, h will be invoked.
func (*ACMEManager) HandleHTTPChallenge ¶
func (am *ACMEManager) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool
HandleHTTPChallenge uses am to solve challenge requests from an ACME server that were initiated by this instance or any other instance in this cluster (being, any instances using the same storage am does).
If the HTTP challenge is disabled, this function is a no-op.
If am is nil or if am does not have a certificate cache backed by usable storage, solving the HTTP challenge will fail.
It returns true if it handled the request; if so, the response has already been written. If false is returned, this call was a no-op and the request has not been handled.
func (*ACMEManager) Issue ¶
func (am *ACMEManager) Issue(ctx context.Context, csr *x509.CertificateRequest) (*IssuedCertificate, error)
Issue implements the Issuer interface. It obtains a certificate for the given csr using the ACME configuration am.
func (*ACMEManager) IssuerKey ¶
func (am *ACMEManager) IssuerKey() string
IssuerKey returns the unique issuer key for the confgured CA endpoint.
func (*ACMEManager) PreCheck ¶
PreCheck performs a few simple checks before obtaining or renewing a certificate with ACME, and returns whether this batch is eligible for certificates if using Let's Encrypt. It also ensures that an email address is available.
func (*ACMEManager) Revoke ¶
func (am *ACMEManager) Revoke(ctx context.Context, cert CertificateResource, reason int) error
Revoke implements the Revoker interface. It revokes the given certificate.
type Cache ¶
type Cache struct {
// contains filtered or unexported fields
}
Cache is a structure that stores certificates in memory. A Cache indexes certificates by name for quick access during TLS handshakes, and avoids duplicating certificates in memory. Generally, there should only be one per process. However, that is not a strict requirement; but using more than one is a code smell, and may indicate an over-engineered design.
An empty cache is INVALID and must not be used. Be sure to call NewCache to get a valid value.
These should be very long-lived values and must not be copied. Before all references leave scope to be garbage collected, ensure you call Stop() to stop maintenance on the certificates stored in this cache and release locks.
Caches are not usually manipulated directly; create a Config value with a pointer to a Cache, and then use the Config to interact with the cache. Caches are agnostic of any particular storage or ACME config, since each certificate may be managed and stored differently.
func NewCache ¶
func NewCache(opts CacheOptions) *Cache
NewCache returns a new, valid Cache for efficiently accessing certificates in memory. It also begins a maintenance goroutine to tend to the certificates in the cache. Call Stop() when you are done with the cache so it can clean up locks and stuff.
Most users of this package will not need to call this because a default certificate cache is created for you. Only advanced use cases require creating a new cache.
This function panics if opts.GetConfigForCert is not set. The reason is that a cache absolutely needs to be able to get a Config with which to manage TLS assets, and it is not safe to assume that the Default config is always the correct one, since you have created the cache yourself.
See the godoc for Cache to use it properly. When no longer needed, caches should be stopped with Stop() to clean up resources even if the process is being terminated, so that it can clean up any locks for other processes to unblock!
func (*Cache) AllMatchingCertificates ¶
func (certCache *Cache) AllMatchingCertificates(name string) []Certificate
AllMatchingCertificates returns a list of all certificates that could be used to serve the given SNI name, including exact SAN matches and wildcard matches.
func (*Cache) RenewManagedCertificates ¶
RenewManagedCertificates renews managed certificates, including ones loaded on-demand. Note that this is done automatically on a regular basis; normally you will not need to call this. This method assumes non-interactive mode (i.e. operating in the background).
type CacheOptions ¶
type CacheOptions struct { // REQUIRED. A function that returns a configuration // used for managing a certificate, or for accessing // that certificate's asset storage (e.g. for // OCSP staples, etc). The returned Config MUST // be associated with the same Cache as the caller. // // The reason this is a callback function, dynamically // returning a Config (instead of attaching a static // pointer to a Config on each certificate) is because // the config for how to manage a domain's certificate // might change from maintenance to maintenance. The // cache is so long-lived, we cannot assume that the // host's situation will always be the same; e.g. the // certificate might switch DNS providers, so the DNS // challenge (if used) would need to be adjusted from // the last time it was run ~8 weeks ago. GetConfigForCert ConfigGetter // How often to check certificates for renewal; // if unset, DefaultOCSPCheckInterval will be used. OCSPCheckInterval time.Duration // How often to check certificates for renewal; // if unset, DefaultRenewCheckInterval will be used. RenewCheckInterval time.Duration // Maximum number of certificates to allow in the cache. // If reached, certificates will be randomly evicted to // make room for new ones. 0 means unlimited. Capacity int // Set a logger to enable logging Logger *zap.Logger }
CacheOptions is used to configure certificate caches. Once a cache has been created with certain options, those settings cannot be changed.
type Certificate ¶
type Certificate struct { tls.Certificate // Names is the list of subject names this // certificate is signed for. Names []string // Optional; user-provided, and arbitrary. Tags []string // contains filtered or unexported fields }
Certificate is a tls.Certificate with associated metadata tacked on. Even if the metadata can be obtained by parsing the certificate, we are more efficient by extracting the metadata onto this struct, but at the cost of slightly higher memory use.
func DefaultCertificateSelector ¶
func DefaultCertificateSelector(hello *tls.ClientHelloInfo, choices []Certificate) (Certificate, error)
DefaultCertificateSelector is the default certificate selection logic given a choice of certificates. If there is at least one certificate in choices, it always returns a certificate without error. It chooses the first non-expired certificate that the client supports if possible, otherwise it returns an expired certificate that the client supports, otherwise it just returns the first certificate in the list of choices.
func (Certificate) Expired ¶
func (cert Certificate) Expired() bool
Expired returns true if the certificate has expired.
func (Certificate) HasTag ¶
func (cert Certificate) HasTag(tag string) bool
HasTag returns true if cert.Tags has tag.
func (Certificate) NeedsRenewal ¶
func (cert Certificate) NeedsRenewal(cfg *Config) bool
NeedsRenewal returns true if the certificate is expiring soon (according to cfg) or has expired.
type CertificateResource ¶
type CertificateResource struct { // The list of names on the certificate; // for convenience only. SANs []string `json:"sans,omitempty"` // The PEM-encoding of DER-encoded ASN.1 data // for the cert or chain. CertificatePEM []byte `json:"-"` // The PEM-encoding of the certificate's private key. PrivateKeyPEM []byte `json:"-"` // Any extra information associated with the certificate, // usually provided by the issuer implementation. IssuerData interface{} `json:"issuer_data,omitempty"` }
CertificateResource associates a certificate with its private key and other useful information, for use in maintaining the certificate.
func (*CertificateResource) NamesKey ¶
func (cr *CertificateResource) NamesKey() string
NamesKey returns the list of SANs as a single string, truncated to some ridiculously long size limit. It can act as a key for the set of names on the resource.
type CertificateSelector ¶
type CertificateSelector interface {
SelectCertificate(*tls.ClientHelloInfo, []Certificate) (Certificate, error)
}
CertificateSelector is a type which can select a certificate to use given multiple choices.
type ChainPreference ¶
type ChainPreference struct { // Prefer chains with the fewest number of bytes. Smallest *bool // Select first chain having a root with one of // these common names. RootCommonName []string // Select first chain that has any issuer with one // of these common names. AnyCommonName []string }
ChainPreference describes the client's preferred certificate chain, useful if the CA offers alternate chains. The first matching chain will be selected.
type Challenge ¶
Challenge is an ACME challenge, but optionally paired with data that can make it easier or more efficient to solve.
func GetACMEChallenge ¶
GetACMEChallenge returns an active ACME challenge for the given identifier, or false if no active challenge for that identifier is known.
type CleanStorageOptions ¶
type CleanStorageOptions struct { OCSPStaples bool ExpiredCerts bool ExpiredCertGracePeriod time.Duration }
CleanStorageOptions specifies how to clean up a storage unit.
type Config ¶
type Config struct { // How much of a certificate's lifetime becomes the // renewal window, which is the span of time at the // end of the certificate's validity period in which // it should be renewed; for most certificates, the // global default is good, but for extremely short- // lived certs, you may want to raise this to ~0.5. RenewalWindowRatio float64 // An optional event callback clients can set // to subscribe to certain things happening // internally by this config; invocations are // synchronous, so make them return quickly! OnEvent func(event string, data interface{}) // DefaultServerName specifies a server name // to use when choosing a certificate if the // ClientHello's ServerName field is empty. DefaultServerName string // The state needed to operate on-demand TLS; // if non-nil, on-demand TLS is enabled and // certificate operations are deferred to // TLS handshakes (or as-needed). // TODO: Can we call this feature "Reactive/Lazy/Passive TLS" instead? OnDemand *OnDemandConfig // Adds the must staple TLS extension to the CSR. MustStaple bool // The source for getting new certificates; the // default Issuer is ACMEManager. If multiple // issuers are specified, they will be tried in // turn until one succeeds. Issuers []Issuer // The source of new private keys for certificates; // the default KeySource is StandardKeyGenerator. KeySource KeyGenerator // CertSelection chooses one of the certificates // with which the ClientHello will be completed; // if not set, DefaultCertificateSelector will // be used. CertSelection CertificateSelector // OCSP configures how OCSP is handled. By default, // OCSP responses are fetched for every certificate // with a responder URL, and cached on disk. Changing // these defaults is STRONGLY discouraged unless you // have a compelling reason to put clients at greater // risk and reduce their privacy. OCSP OCSPConfig // The storage to access when storing or loading // TLS assets. Default is the local file system. Storage Storage // Set a logger to enable logging. Logger *zap.Logger // contains filtered or unexported fields }
Config configures a certificate manager instance. An empty Config is not valid: use New() to obtain a valid Config.
func New ¶
New makes a new, valid config based on cfg and uses the provided certificate cache. certCache MUST NOT be nil or this function will panic.
Use this method when you have an advanced use case that requires a custom certificate cache and config that may differ from the Default. For example, if not all certificates are managed/renewed the same way, you need to make your own Cache value with a GetConfigForCert callback that returns the correct configuration for each certificate. However, for the vast majority of cases, there will be only a single Config, thus the default cache (which always uses the default Config) and default config will suffice, and you should use NewDefault() instead.
func NewDefault ¶
func NewDefault() *Config
NewDefault makes a valid config based on the package Default config. Most users will call this function instead of New() since most use cases require only a single config for any and all certificates.
If your requirements are more advanced (for example, multiple configs depending on the certificate), then use New() instead. (You will need to make your own Cache first.) If you only need a single Config to manage your certs (even if that config changes, as long as it is the only one), customize the Default package variable before calling NewDefault().
All calls to NewDefault() will return configs that use the same, default certificate cache. All configs returned by NewDefault() are based on the values of the fields of Default at the time it is called.
This is the only way to get a config that uses the default certificate cache.
func (*Config) CacheManagedCertificate ¶
func (cfg *Config) CacheManagedCertificate(domain string) (Certificate, error)
CacheManagedCertificate loads the certificate for domain into the cache, from the TLS storage for managed certificates. It returns a copy of the Certificate that was put into the cache.
This is a lower-level method; normally you'll call Manage() instead.
This method is safe for concurrent use.
func (*Config) CacheUnmanagedCertificatePEMBytes ¶
func (cfg *Config) CacheUnmanagedCertificatePEMBytes(certBytes, keyBytes []byte, tags []string) error
CacheUnmanagedCertificatePEMBytes makes a certificate out of the PEM bytes of the certificate and key, then caches it in memory.
This method is safe for concurrent use.
func (*Config) CacheUnmanagedCertificatePEMFile ¶
CacheUnmanagedCertificatePEMFile loads a certificate for host using certFile and keyFile, which must be in PEM format. It stores the certificate in the in-memory cache.
This method is safe for concurrent use.
func (*Config) CacheUnmanagedTLSCertificate ¶
func (cfg *Config) CacheUnmanagedTLSCertificate(tlsCert tls.Certificate, tags []string) error
CacheUnmanagedTLSCertificate adds tlsCert to the certificate cache. It staples OCSP if possible.
This method is safe for concurrent use.
func (*Config) ClientCredentials ¶
func (cfg *Config) ClientCredentials(ctx context.Context, identifiers []string) ([]tls.Certificate, error)
ClientCredentials returns a list of TLS client certificate chains for the given identifiers. The return value can be used in a tls.Config to enable client authentication using managed certificates. Any certificates that need to be obtained or renewed for these identifiers will be managed accordingly.
func (*Config) GetCertificate ¶
func (cfg *Config) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate gets a certificate to satisfy clientHello. In getting the certificate, it abides the rules and settings defined in the Config that matches clientHello.ServerName. It first checks the in- memory cache, then, if the config enables "OnDemand", it accesses disk, then accesses the network if it must obtain a new certificate via ACME.
This method is safe for use as a tls.Config.GetCertificate callback.
func (*Config) ManageAsync ¶
ManageAsync is the same as ManageSync, except that ACME operations are performed asynchronously (in the background). This method returns before certificates are ready. It is crucial that the administrator monitors the logs and is notified of any errors so that corrective action can be taken as soon as possible. Any errors returned from this method occurred before ACME transactions started.
As long as logs are monitored, this method is typically recommended for non-interactive environments.
If there are failures loading, obtaining, or renewing a certificate, it will be retried with exponential backoff for up to about 30 days, with a maximum interval of about 24 hours. Cancelling ctx will cancel retries and shut down any goroutines spawned by ManageAsync.
func (*Config) ManageSync ¶
ManageSync causes the certificates for domainNames to be managed according to cfg. If cfg.OnDemand is not nil, then this simply whitelists the domain names and defers the certificate operations to when they are needed. Otherwise, the certificates for each name are loaded from storage or obtained from the CA. If loaded from storage, they are renewed if they are expiring or expired. It then caches the certificate in memory and is prepared to serve them up during TLS handshakes.
Note that name whitelisting for on-demand management only takes effect if cfg.OnDemand.DecisionFunc is not set (is nil); it will not overwrite an existing DecisionFunc, nor will it overwrite its decision; i.e. the implicit whitelist is only used if no DecisionFunc is set.
This method is synchronous, meaning that certificates for all domainNames must be successfully obtained (or renewed) before it returns. It returns immediately on the first error for any of the given domainNames. This behavior is recommended for interactive use (i.e. when an administrator is present) so that errors can be reported and fixed immediately.
func (*Config) ObtainCert ¶
ObtainCert obtains a certificate for name using cfg, as long as a certificate does not already exist in storage for that name. The name must qualify and cfg must be flagged as Managed. This function is a no-op if storage already has a certificate for name.
It only obtains and stores certificates (and their keys), it does not load them into memory. If interactive is true, the user may be shown a prompt. TODO: consider moving interactive param into the Config struct, and maybe retry settings into the Config struct as well? (same for RenewCert)
func (*Config) RenewCert ¶
RenewCert renews the certificate for name using cfg. It stows the renewed certificate and its assets in storage if successful. It DOES NOT update the in-memory cache with the new certificate.
func (*Config) RevokeCert ¶
func (cfg *Config) RevokeCert(ctx context.Context, domain string, reason int, interactive bool) error
RevokeCert revokes the certificate for domain via ACME protocol. It requires that cfg.Issuers is properly configured with the same issuer that issued the certificate being revoked. See RFC 5280 §5.3.1 for reason codes.
func (*Config) TLSConfig ¶
TLSConfig is an opinionated method that returns a recommended, modern TLS configuration that can be used to configure TLS listeners, which also supports the TLS-ALPN challenge and serves up certificates managed by cfg.
Unlike the package TLS() function, this method does not, by itself, enable certificate management for any domain names.
Feel free to further customize the returned tls.Config, but do not mess with the GetCertificate or NextProtos fields unless you know what you're doing, as they're necessary to solve the TLS-ALPN challenge.
type ConfigGetter ¶
type ConfigGetter func(Certificate) (*Config, error)
ConfigGetter is a function that returns a prepared, valid config that should be used when managing the given certificate or its assets.
type DNS01Solver ¶
type DNS01Solver struct { // The implementation that interacts with the DNS // provider to set or delete records. (REQUIRED) DNSProvider ACMEDNSProvider // The TTL for the temporary challenge records. TTL time.Duration // Maximum time to wait for temporary record to appear. PropagationTimeout time.Duration // Preferred DNS resolver(s) to use when doing DNS lookups. Resolvers []string // contains filtered or unexported fields }
DNS01Solver is a type that makes libdns providers usable as ACME dns-01 challenge solvers. See https://github.com/libdns/libdns
type ErrNoRetry ¶
type ErrNoRetry struct{ Err error }
ErrNoRetry is an error type which signals to stop retries early.
func (ErrNoRetry) Error ¶
func (e ErrNoRetry) Error() string
func (ErrNoRetry) Unwrap ¶
func (e ErrNoRetry) Unwrap() error
Unwrap makes it so that e wraps e.Err.
type ErrNotExist ¶
type ErrNotExist interface { error }
ErrNotExist is returned by Storage implementations when a resource is not found. It is similar to os.IsNotExist except this is a type, not a variable. TODO: use new Go error wrapping conventions
type FileStorage ¶
type FileStorage struct {
Path string
}
FileStorage facilitates forming file paths derived from a root directory. It is used to get file paths in a consistent, cross-platform way or persisting ACME assets on the file system.
func (*FileStorage) Delete ¶
func (fs *FileStorage) Delete(key string) error
Delete deletes the value at key.
func (*FileStorage) Exists ¶
func (fs *FileStorage) Exists(key string) bool
Exists returns true if key exists in fs.
func (*FileStorage) Filename ¶
func (fs *FileStorage) Filename(key string) string
Filename returns the key as a path on the file system prefixed by fs.Path.
func (*FileStorage) List ¶
func (fs *FileStorage) List(prefix string, recursive bool) ([]string, error)
List returns all keys that match prefix.
func (*FileStorage) Load ¶
func (fs *FileStorage) Load(key string) ([]byte, error)
Load retrieves the value at key.
func (*FileStorage) Lock ¶
func (fs *FileStorage) Lock(ctx context.Context, key string) error
Lock obtains a lock named by the given key. It blocks until the lock can be obtained or an error is returned.
func (*FileStorage) Stat ¶
func (fs *FileStorage) Stat(key string) (KeyInfo, error)
Stat returns information about key.
func (*FileStorage) Store ¶
func (fs *FileStorage) Store(key string, value []byte) error
Store saves value at key.
func (*FileStorage) String ¶
func (fs *FileStorage) String() string
func (*FileStorage) Unlock ¶
func (fs *FileStorage) Unlock(key string) error
Unlock releases the lock for name.
type IssuedCertificate ¶
type IssuedCertificate struct { // The PEM-encoding of DER-encoded ASN.1 data. Certificate []byte // Any extra information to serialize alongside the // certificate in storage. Metadata interface{} }
IssuedCertificate represents a certificate that was just issued.
type Issuer ¶
type Issuer interface { // Issue obtains a certificate for the given CSR. It // must honor context cancellation if it is long-running. // It can also use the context to find out if the current // call is part of a retry, via AttemptsCtxKey. Issue(ctx context.Context, request *x509.CertificateRequest) (*IssuedCertificate, error) // IssuerKey must return a string that uniquely identifies // this particular configuration of the Issuer such that // any certificates obtained by this Issuer will be treated // as identical if they have the same SANs. // // Certificates obtained from Issuers with the same IssuerKey // will overwrite others with the same SANs. For example, an // Issuer might be able to obtain certificates from different // CAs, say A and B. It is likely that the CAs have different // use cases and purposes (e.g. testing and production), so // their respective certificates should not overwrite eaach // other. IssuerKey() string }
Issuer is a type that can issue certificates.
type KeyBuilder ¶
type KeyBuilder struct{}
KeyBuilder provides a namespace for methods that build keys and key prefixes, for addressing items in a Storage implementation.
var StorageKeys KeyBuilder
StorageKeys provides methods for accessing keys and key prefixes for items in a Storage. Typically, you will not need to use this because accessing storage is abstracted away for most cases. Only use this if you need to directly access TLS assets in your application.
func (KeyBuilder) CertsPrefix ¶
func (keys KeyBuilder) CertsPrefix(issuerKey string) string
CertsPrefix returns the storage key prefix for the given certificate issuer.
func (KeyBuilder) CertsSitePrefix ¶
func (keys KeyBuilder) CertsSitePrefix(issuerKey, domain string) string
CertsSitePrefix returns a key prefix for items associated with the site given by domain using the given issuer key.
func (KeyBuilder) OCSPStaple ¶
func (keys KeyBuilder) OCSPStaple(cert *Certificate, pemBundle []byte) string
OCSPStaple returns a key for the OCSP staple associated with the given certificate. If you have the PEM bundle handy, pass that in to save an extra encoding step.
func (KeyBuilder) Safe ¶
func (keys KeyBuilder) Safe(str string) string
Safe standardizes and sanitizes str for use as a single component of a storage key. This method is idempotent.
func (KeyBuilder) SiteCert ¶
func (keys KeyBuilder) SiteCert(issuerKey, domain string) string
SiteCert returns the path to the certificate file for domain that is associated with the issuer with the given issuerKey.
func (KeyBuilder) SiteMeta ¶
func (keys KeyBuilder) SiteMeta(issuerKey, domain string) string
SiteMeta returns the path to the metadata file for domain that is associated with the certificate from the given issuer with the given issuerKey.
func (KeyBuilder) SitePrivateKey ¶
func (keys KeyBuilder) SitePrivateKey(issuerKey, domain string) string
SitePrivateKey returns the path to the private key file for domain that is associated with the certificate from the given issuer with the given issuerKey.
type KeyGenerator ¶
type KeyGenerator interface { // GenerateKey generates a private key. The returned // PrivateKey must be able to expose its associated // public key. GenerateKey() (crypto.PrivateKey, error) }
KeyGenerator can generate a private key.
type KeyInfo ¶
type KeyInfo struct { Key string Modified time.Time Size int64 IsTerminal bool // false for keys that only contain other keys (like directories) }
KeyInfo holds information about a key in storage. Key and IsTerminal are required; Modified and Size are optional if the storage implementation is not able to get that information. Setting them will make certain operations more consistent or predictable, but it is not crucial to basic functionality.
type Locker ¶
type Locker interface { // Lock acquires the lock for key, blocking until the lock // can be obtained or an error is returned. Note that, even // after acquiring a lock, an idempotent operation may have // already been performed by another process that acquired // the lock before - so always check to make sure idempotent // operations still need to be performed after acquiring the // lock. // // The actual implementation of obtaining of a lock must be // an atomic operation so that multiple Lock calls at the // same time always results in only one caller receiving the // lock at any given time. // // To prevent deadlocks, all implementations (where this concern // is relevant) should put a reasonable expiration on the lock in // case Unlock is unable to be called due to some sort of network // failure or system crash. Additionally, implementations should // honor context cancellation as much as possible (in case the // caller wishes to give up and free resources before the lock // can be obtained). Lock(ctx context.Context, key string) error // Unlock releases the lock for key. This method must ONLY be // called after a successful call to Lock, and only after the // critical section is finished, even if it errored or timed // out. Unlock cleans up any resources allocated during Lock. Unlock(key string) error }
Locker facilitates synchronization of certificate tasks across machines and networks.
type OCSPConfig ¶
type OCSPConfig struct { // Disable automatic OCSP stapling; strongly // discouraged unless you have a good reason. // Disabling this puts clients at greater risk // and reduces their privacy. DisableStapling bool // A map of OCSP responder domains to replacement // domains for querying OCSP servers. Used for // overriding the OCSP responder URL that is // embedded in certificates. Mapping to an empty // URL will disable OCSP from that responder. ResponderOverrides map[string]string }
OCSPConfig configures how OCSP is handled.
type OnDemandConfig ¶
type OnDemandConfig struct { // If set, this function will be called to determine // whether a certificate can be obtained or renewed // for the given name. If an error is returned, the // request will be denied. DecisionFunc func(name string) error // contains filtered or unexported fields }
OnDemandConfig configures on-demand TLS (certificate operations as-needed, like during TLS handshakes, rather than immediately).
When this package's high-level convenience functions are used (HTTPS, Manage, etc., where the Default config is used as a template), this struct regulates certificate operations using an implicit whitelist containing the names passed into those functions if no DecisionFunc is set. This ensures some degree of control by default to avoid certificate operations for aribtrary domain names. To override this whitelist, manually specify a DecisionFunc. To impose rate limits, specify your own DecisionFunc.
type PreChecker ¶
PreChecker is an interface that can be optionally implemented by Issuers. Pre-checks are performed before each call (or batch of identical calls) to Issue(), giving the issuer the option to ensure it has all the necessary information/state.
type Revoker ¶
type Revoker interface {
Revoke(ctx context.Context, cert CertificateResource, reason int) error
}
Revoker can revoke certificates. Reason codes are defined by RFC 5280 §5.3.1: https://tools.ietf.org/html/rfc5280#section-5.3.1 and are available as constants in our ACME library.
type RingBufferRateLimiter ¶
type RingBufferRateLimiter struct {
// contains filtered or unexported fields
}
RingBufferRateLimiter uses a ring to enforce rate limits consisting of a maximum number of events within a single sliding window of a given duration. An empty value is not valid; use NewRateLimiter to get one.
func NewRateLimiter ¶
func NewRateLimiter(maxEvents int, window time.Duration) *RingBufferRateLimiter
NewRateLimiter returns a rate limiter that allows up to maxEvents in a sliding window of size window. If maxEvents and window are both 0, or if maxEvents is non-zero and window is 0, rate limiting is disabled. This function panics if maxEvents is less than 0 or if maxEvents is 0 and window is non-zero, which is considered to be an invalid configuration, as it would never allow events.
func (*RingBufferRateLimiter) Allow ¶
func (r *RingBufferRateLimiter) Allow() bool
Allow returns true if the event is allowed to happen right now. It does not wait. If the event is allowed, a ticket is claimed.
func (*RingBufferRateLimiter) MaxEvents ¶
func (r *RingBufferRateLimiter) MaxEvents() int
MaxEvents returns the maximum number of events that are allowed within the sliding window.
func (*RingBufferRateLimiter) SetMaxEvents ¶
func (r *RingBufferRateLimiter) SetMaxEvents(maxEvents int)
SetMaxEvents changes the maximum number of events that are allowed in the sliding window. If the new limit is lower, the oldest events will be forgotten. If the new limit is higher, the window will suddenly have capacity for new reservations. It panics if maxEvents is 0 and window size is not zero.
func (*RingBufferRateLimiter) SetWindow ¶
func (r *RingBufferRateLimiter) SetWindow(window time.Duration)
SetWindow changes r's sliding window duration to window. Goroutines that are already blocked on a call to Wait() will not be affected. It panics if window is non-zero but the max event limit is 0.
func (*RingBufferRateLimiter) Stop ¶
func (r *RingBufferRateLimiter) Stop()
Stop cleans up r's scheduling goroutine.
func (*RingBufferRateLimiter) Wait ¶
func (r *RingBufferRateLimiter) Wait(ctx context.Context) error
Wait blocks until the event is allowed to occur. It returns an error if the context is cancelled.
func (*RingBufferRateLimiter) Window ¶
func (r *RingBufferRateLimiter) Window() time.Duration
Window returns the size of the sliding window.
type StandardKeyGenerator ¶
type StandardKeyGenerator struct { // The type of keys to generate. KeyType KeyType }
StandardKeyGenerator is the standard, in-memory key source that uses crypto/rand.
func (StandardKeyGenerator) GenerateKey ¶
func (kg StandardKeyGenerator) GenerateKey() (crypto.PrivateKey, error)
GenerateKey generates a new private key according to kg.KeyType.
type Storage ¶
type Storage interface { // Locker provides atomic synchronization // operations, making Storage safe to share. Locker // Store puts value at key. Store(key string, value []byte) error // Load retrieves the value at key. Load(key string) ([]byte, error) // Delete deletes key. An error should be // returned only if the key still exists // when the method returns. Delete(key string) error // Exists returns true if the key exists // and there was no error checking. Exists(key string) bool // List returns all keys that match prefix. // If recursive is true, non-terminal keys // will be enumerated (i.e. "directories" // should be walked); otherwise, only keys // prefixed exactly by prefix will be listed. List(prefix string, recursive bool) ([]string, error) // Stat returns information about key. Stat(key string) (KeyInfo, error) }
Storage is a type that implements a key-value store. Keys are prefix-based, with forward slash '/' as separators and without a leading slash.
Processes running in a cluster will wish to use the same Storage value (its implementation and configuration) in order to share certificates and other TLS resources with the cluster.
The Load, Delete, List, and Stat methods should return ErrNotExist if the key does not exist.
Implementations of Storage must be safe for concurrent use.