add letsencrypt to Gitea #4189

Merged (34 commits, merged Aug 21, 2018)

Commits:
aa3fccb
add letsencrypt to Gitea
flynnnnnnnnnn Jun 8, 2018
2771df7
downgrade crypto lib
flynnnnnnnnnn Jun 8, 2018
dd01b57
fix typo
flynnnnnnnnnn Jun 8, 2018
ce3840f
update docs
Jun 9, 2018
95a4191
Merge branch 'master' into letsencrypt
Jun 9, 2018
c56d4a2
let user customize directory and set email
flynnnnnnnnnn Jun 10, 2018
1d0097a
Update to using named port
Jun 10, 2018
caa2d3a
Merge branch 'master' into letsencrypt
Jun 10, 2018
6bbf48c
add docs
Jun 11, 2018
42411f8
redirect to AppURL instead of assuming port 443
HarukaMa Jun 12, 2018
e5afbb9
Merge branch 'master' into letsencrypt
Jun 12, 2018
6fcb86b
Update IP listening on for LE
Jun 13, 2018
f58c5b4
Merge branch 'master' into letsencrypt
Jun 13, 2018
fd0103f
Merge branch 'master' into letsencrypt
techknowlogick Jun 19, 2018
f09fb9c
Merge branch 'master' into letsencrypt
techknowlogick Jul 3, 2018
75dd8ed
don't use protocol for letsencrypt
flynnnnnnnnnn Jul 4, 2018
89c5e1c
Merge branch 'master' into letsencrypt
Jul 4, 2018
bfe3769
resolve variable name
flynnnnnnnnnn Jul 4, 2018
c195fe1
Merge branch 'letsencrypt' of https://github.com/flufmonster/gitea in…
Jul 4, 2018
ceebba5
Merge branch 'master' into letsencrypt
techknowlogick Jul 5, 2018
5c57c62
Merge branch 'master' into letsencrypt
techknowlogick Jul 8, 2018
9169a46
update docs
Jul 12, 2018
f961204
added check for TOS acceptance
Jul 12, 2018
7a79c2b
update docs
Jul 12, 2018
60708ca
update docs
Jul 12, 2018
34b5519
Merge branch 'master' into letsencrypt
Jul 12, 2018
be6b426
fix use of variable
Jul 12, 2018
793c460
Merge branch 'master' into letsencrypt
techknowlogick Jul 21, 2018
aa80181
allow listen to other ports for redir
Jul 21, 2018
77a65fa
Merge branch 'master' into letsencrypt
Jul 21, 2018
d3cbc0c
Add log statement re: TOS
Jul 26, 2018
9112ba2
Merge branch 'master' into letsencrypt
Jul 26, 2018
9042772
Merge branch 'master' into letsencrypt
Aug 14, 2018
3d84f1f
Merge branch 'master' into letsencrypt
daviian Aug 21, 2018
Update IP listening on for LE
Fluf authored Jun 13, 2018
commit 6fcb86b00418e63168ca664a90aba13adebdb2d9
2 changes: 1 addition & 1 deletion cmd/web.go
Expand Up @@ -80,7 +80,7 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
Cache: autocert.DirCache(directory),
Email: email,
}
go http.ListenAndServe(":http", certManager.HTTPHandler(http.HandlerFunc(runLetsEncryptFallbackHandler))) // all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validatio happens here)
go http.ListenAndServe(listenAddr+":http", certManager.HTTPHandler(http.HandlerFunc(runLetsEncryptFallbackHandler))) // all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validatio happens here)
Member:
I hope that certManager has panic-handling :trollface: Otherwise this might just silently fail 😄

server := &http.Server{
Addr: listenAddr,
Member:

AFAIK Let's Encrypt enforces port 443

Author:

Let's Encrypt only enforces a port when requesting the certificate.

Member:

The HTTP port is not really required, the autocert HTTP handler only does a simple redirect to HTTPS, so port 443 is enforced by Let's Encrypt.

Author:

The HTTP port is required. The HTTP handler doesn't just do a simple redirect, it also handles the HTTP-01 validation per the ACME standard: https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8.3 and here is the code https://github.com/golang/crypto/blob/master/acme/autocert/autocert.go#L333

I think what you are thinking of is the TLS-SNI challenge, which was disabled permanently due to security issues. A new version of a TLS-only challenge is being worked on, but it is still only being discussed on mailing lists.

Member:

You are right on that, but since you are not defining a fallback handler HTTPS must run on 443: https://github.com/golang/crypto/blob/master/acme/autocert/autocert.go#L323-L326

Author:

I've just set up a fallback handler to redirect to AppURL so that the user is redirected to the correct place.

Handler: m,
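Review bot: `listenAddr+":http"` only yields a valid listen address if `listenAddr` is a bare host, yet the same variable is passed as `Addr: listenAddr` to the HTTPS `http.Server`, which needs a host:port; whichever form it actually carries, one of the two listeners is misconfigured, and if it carries a port the HTTP address becomes host:port:http and `ListenAndServe` returns an error. Because the goroutine discards that return value, the failure is silent and the HTTP-01 challenge responder the whole flow depends on never comes up. Suggest building the HTTP address with `net.JoinHostPort(host, "http")` from a separate host value and surfacing the error, e.g. `go func() { if err := http.ListenAndServe(addr, handler); err != nil { log.Fatal("...: %v", err) } }()`. The trailing comment also still reads "validatio" and "will be redirect".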