Skip to content

add letsencrypt to Gitea #4189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 34 commits into from Aug 21, 2018
Merged

add letsencrypt to Gitea #4189

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
aa3fccb
add letsencrypt to Gitea
flynnnnnnnnnn Jun 8, 2018
2771df7
downgrade cypto lib
flynnnnnnnnnn Jun 8, 2018
dd01b57
fix typo
flynnnnnnnnnn Jun 8, 2018
ce3840f
update docs
Jun 9, 2018
95a4191
Merge branch 'master' into letsencrypt
Jun 9, 2018
c56d4a2
let user customize directory and set email
flynnnnnnnnnn Jun 10, 2018
1d0097a
Update to using named port
Jun 10, 2018
caa2d3a
Merge branch 'master' into letsencrypt
Jun 10, 2018
6bbf48c
add docs
Jun 11, 2018
42411f8
redirect to AppURL instead of assuming port 443
HarukaMa Jun 12, 2018
e5afbb9
Merge branch 'master' into letsencrypt
Jun 12, 2018
6fcb86b
Update IP listening on for LE
Jun 13, 2018
f58c5b4
Merge branch 'master' into letsencrypt
Jun 13, 2018
fd0103f
Merge branch 'master' into letsencrypt
techknowlogick Jun 19, 2018
f09fb9c
Merge branch 'master' into letsencrypt
techknowlogick Jul 3, 2018
75dd8ed
dont use protocol for letsencrypt
flynnnnnnnnnn Jul 4, 2018
89c5e1c
Merge branch 'master' into letsencrypt
Jul 4, 2018
bfe3769
resolve variable name
flynnnnnnnnnn Jul 4, 2018
c195fe1
Merge branch 'letsencrypt' of https://github.com/flufmonster/gitea in…
Jul 4, 2018
ceebba5
Merge branch 'master' into letsencrypt
techknowlogick Jul 5, 2018
5c57c62
Merge branch 'master' into letsencrypt
techknowlogick Jul 8, 2018
9169a46
update docs
Jul 12, 2018
f961204
added check for TOS acceptance
Jul 12, 2018
7a79c2b
update docs
Jul 12, 2018
60708ca
update docs
Jul 12, 2018
34b5519
Merge branch 'master' into letsencrypt
Jul 12, 2018
be6b426
fix use of variable
Jul 12, 2018
793c460
Merge branch 'master' into letsencrypt
techknowlogick Jul 21, 2018
aa80181
allow listen to other ports for redir
Jul 21, 2018
77a65fa
Merge branch 'master' into letsencrypt
Jul 21, 2018
d3cbc0c
Add log statement re: TOS
Jul 26, 2018
9112ba2
Merge branch 'master' into letsencrypt
Jul 26, 2018
9042772
Merge branch 'master' into letsencrypt
Aug 14, 2018
3d84f1f
Merge branch 'master' into letsencrypt
daviian Aug 21, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
let user customize directory and set email
  • Loading branch information
@flynnnnnnnnnn
flynnnnnnnnnn committed Jun 10, 2018
commit c56d4a2003e79beeada91c76e076577145aa6c9f
7 changes: 4 additions & 3 deletions cmd/web.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,11 +73,12 @@ func runHTTPRedirector() {
}
}

func runLetsEncrypt(listenAddr, domain string, m http.Handler) error {
func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) error {
certManager := autocert.Manager{
Prompt: autocert.AcceptTOS,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This HAS to be behind its own setting (LETSENCRYPT_ACCEPT_TOS) 😱 People will not read the comments...

HostPolicy: autocert.HostWhitelist(domain),
Cache: autocert.DirCache("https"),
Cache: autocert.DirCache(directory),
Email: email,
}
go http.ListenAndServe(":80", certManager.HTTPHandler(nil)) // all traffic coming into HTTP will be redirect to HTTPS automatically
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this also only listen on listenAddr ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for the HTTP validation that LetsEncrypt does, their servers need to be able to access port 80 on the server requesting the certificate.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe you should just write :http

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@flufmonster yes but listening only on listenAddr+":80" should be enough since it will be the facing interface also for web access. If I remember listenAddr is by default 0.0.0.0 so by default we have the same comportment but if someone want to listen only to one interface via configuring listenAddr we shouldn't listen on all interface even for LE.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @sapk I've updated this so it only listens on listenAddr instead of 0.0.0.0

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be handled in same code as http to https functionality already built into gitea

// required for letsencrypt validation
Expand Down Expand Up @@ -168,7 +169,7 @@ func runWeb(ctx *cli.Context) error {
}
err = runHTTPS(listenAddr, setting.CertFile, setting.KeyFile, context2.ClearHandler(m))
case setting.LetsEncrypt:
err = runLetsEncrypt(listenAddr, setting.Domain, context2.ClearHandler(m))
err = runLetsEncrypt(listenAddr, setting.Domain, setting.LetsEncryptDirectory, setting.LetsEncryptEmail, context2.ClearHandler(m))
case setting.FCGI:
listener, err := net.Listen("tcp", listenAddr)
if err != nil {
Expand Down
2 changes: 2 additions & 0 deletions docs/content/doc/advanced/config-cheat-sheet.en-us.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
- `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, redirects http requests
on another (https) port.
- `PORT_TO_REDIRECT`: **80**: Port used when `REDIRECT_OTHER_PORT` is true.
- `LETSENCRYPT_DIRECTORY`: **https**: Directory that Letsencrypt will use to cache information such as certs and private keys
- `LETSENCRYPT_EMAIL`: **[email protected]**: Email used by Letsencrypt to notify about problems with issued certificates. (No default)

## Database (`database`)

Expand Down
4 changes: 4 additions & 0 deletions modules/setting/setting.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,8 @@ var (
LandingPageURL LandingPage
UnixSocketPermission uint32
EnablePprof bool
LetsEncryptDirectory string
LetsEncryptEmail string

SSH = struct {
Disabled bool `ini:"DISABLE_SSH"`
Expand Down Expand Up @@ -712,6 +714,8 @@ func NewContext() {
UnixSocketPermission = uint32(UnixSocketPermissionParsed)
} else if sec.Key("PROTOCOL").String() == "letsencrypt" {
Protocol = LetsEncrypt
LetsEncryptDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
LetsEncryptEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
}
Domain = sec.Key("DOMAIN").MustString("localhost")
HTTPAddr = sec.Key("HTTP_ADDR").MustString("0.0.0.0")
Expand Down