From 2e5eb638503115a32ef1c29b59fd2520214bceac Mon Sep 17 00:00:00 2001
From: xenolf
Date: Fri, 23 Oct 2015 16:29:05 +0200
Subject: [PATCH 1/4] Function name changed in lego
---
config/letsencrypt/letsencrypt.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/letsencrypt/letsencrypt.go b/config/letsencrypt/letsencrypt.go
index 279d23a27..1a3bbab3d 100644
--- a/config/letsencrypt/letsencrypt.go
+++ b/config/letsencrypt/letsencrypt.go
@@ -164,7 +164,7 @@ func newClient(leEmail string) (*acme.Client, error) {
 leUser.Registration = reg
 // TODO: we can just do the agreement once: when registering, right?
- err = client.AgreeToTos()
+ err = client.AgreeToTOS()
 if err != nil {
 saveUser(leUser) // TODO: Might as well try, right? Error check?
 return nil, errors.New("error agreeing to terms: " + err.Error())
From f8ad050dda844d3e43ed56cf490b0921dc3acbea Mon Sep 17 00:00:00 2001
From: xenolf
Date: Sat, 24 Oct 2015 04:35:55 +0200
Subject: [PATCH 2/4] Update for latest lego changes (cert bundling)
---
config/letsencrypt/letsencrypt.go | 2 +-
config/letsencrypt/renew.go | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/config/letsencrypt/letsencrypt.go b/config/letsencrypt/letsencrypt.go
index 1a3bbab3d..876691ae2 100644
--- a/config/letsencrypt/letsencrypt.go
+++ b/config/letsencrypt/letsencrypt.go
@@ -189,7 +189,7 @@ func obtainCertificates(client *acme.Client, serverConfigs []*server.Config) ([]
 hosts = append(hosts, cfg.Host)
 }
- certificates, err := client.ObtainCertificates(hosts)
+ certificates, err := client.ObtainCertificates(hosts, true)
 if err != nil {
 return nil, errors.New("error obtaining certs: " + err.Error())
 }
diff --git a/config/letsencrypt/renew.go b/config/letsencrypt/renew.go
index 40f376cbf..dd80210dc 100644
--- a/config/letsencrypt/renew.go
+++ b/config/letsencrypt/renew.go
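Review bot: The bundling choice is passed as a bare `true` in `client.ObtainCertificates(hosts, true)`, and the renew.go hunk repeats it twice in `client.RenewCertificate(certMeta, true, true)`, so the obtain and renew paths can silently diverge in what they presumably write to the site cert file. A single package-level constant, e.g. `const bundleCerts = true // write the issuer chain into the cert file`, used in all three calls keeps the two paths consistent and gives the renew.go TODO one place to turn into an option. obtainCertificates' body continues outside the hunk.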
@@ -84,10 +84,11 @@ func processCertificateRenewal(configs []server.Config) []error {
 // Renew certificate.
 // TODO: revokeOld should be an option in the caddyfile
- newCertMeta, err := client.RenewCertificate(certMeta, true)
+ // TODO: bundle should be an option in the caddyfile as well :)
+ newCertMeta, err := client.RenewCertificate(certMeta, true, true)
 if err != nil {
 time.Sleep(10 * time.Second)
- newCertMeta, err = client.RenewCertificate(certMeta, true)
+ newCertMeta, err = client.RenewCertificate(certMeta, true, true)
 if err != nil {
 errs = append(errs, err)
 continue
From 91465d8e6f33af94655abe50be0e38aae9db667c Mon Sep 17 00:00:00 2001
From: xenolf
Date: Sat, 24 Oct 2015 04:36:54 +0200
Subject: [PATCH 3/4] Support for OCSP Stapling. Fixes #280
---
config/letsencrypt/letsencrypt.go | 3 +++
server/config.go | 1 +
server/server.go | 1 +
3 files changed, 5 insertions(+)
diff --git a/config/letsencrypt/letsencrypt.go b/config/letsencrypt/letsencrypt.go
index 876691ae2..083daa34b 100644
--- a/config/letsencrypt/letsencrypt.go
+++ b/config/letsencrypt/letsencrypt.go
@@ -232,6 +232,9 @@ func saveCertsAndKeys(certificates []acme.CertificateResource) error {
 // autoConfigure enables TLS on cfg and appends, if necessary, a new config
 // to allConfigs that redirects plaintext HTTP to its new HTTPS counterpart.
 func autoConfigure(cfg *server.Config, allConfigs []server.Config) []server.Config {
+ bundleBytes, _ := ioutil.ReadFile(storage.SiteCertFile(cfg.Host))
+ ocsp, _ := acme.GetOCSPForCert(bundleBytes)
+ cfg.TLS.OCSPStaple = ocsp
 cfg.TLS.Certificate = storage.SiteCertFile(cfg.Host)
 cfg.TLS.Key = storage.SiteKeyFile(cfg.Host)
 cfg.TLS.Enabled = true
diff --git a/server/config.go b/server/config.go
index dedd7ba37..a3bb5f50d 100644
--- a/server/config.go
+++ b/server/config.go
@@ -56,6 +56,7 @@ type TLSConfig struct {
 Certificate string
 Key string
 LetsEncryptEmail string
+ OCSPStaple []byte
 Ciphers []uint16
 ProtocolMinVersion uint16
 ProtocolMaxVersion uint16
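Review bot: Both new error values in autoConfigure are discarded (`bundleBytes, _ := ioutil.ReadFile(...)` and `ocsp, _ := acme.GetOCSPForCert(bundleBytes)`, where the dropped second value is presumably an error), so an unreadable cert file or a failed OCSP lookup leaves `cfg.TLS.OCSPStaple` empty with no trace and the site quietly serves without a staple; a nil bundle is also fed straight into GetOCSPForCert. autoConfigure returns no error, so the lookup should at least be gated on the read succeeding, and the failure reported through whatever logging the file already uses (not visible in this hunk). The response is also fetched only once, at configuration time; OCSP responses carry a validity window, so a long-running process keeps sending a stale one unless the renewal loop in renew.go refreshes it as well. autoConfigure's body continues outside the hunk.
```go
func autoConfigure(cfg *server.Config, allConfigs []server.Config) []server.Config {
	// Staple the current OCSP response only when the bundle is readable and
	// the lookup succeeds; otherwise OCSPStaple stays empty and the site is
	// served without a staple.
	bundleBytes, err := ioutil.ReadFile(storage.SiteCertFile(cfg.Host))
	if err == nil {
		var ocsp []byte
		ocsp, err = acme.GetOCSPForCert(bundleBytes)
		if err == nil {
			cfg.TLS.OCSPStaple = ocsp
		}
	}
	if err != nil {
		// TODO: report err through the package's logging so a missing staple
		// for cfg.Host is not silent.
	}
	// … unchanged: cfg.TLS.Certificate/Key/Enabled and the HTTP->HTTPS redirect …
```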
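Review bot: The new exported field `OCSPStaple []byte` carries no doc comment, and none of its neighbours in the hunk describe what bytes it holds, so a reader has to follow it into server.go to learn it is handed to crypto/tls. A line such as `// OCSPStaple is the DER-encoded OCSP response to staple to the TLS handshake; empty means no stapling.` states the contract where the field is declared; whether the TLS layer really sends nothing for an empty slice is stdlib behaviour not visible here, so word it to match the server side. TLSConfig's definition starts outside the hunk.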
diff --git a/server/server.go b/server/server.go
index 24aa92eb5..a3c4f92dc 100644
--- a/server/server.go
+++ b/server/server.go
@@ -162,6 +162,7 @@ func ListenAndServeTLSWithSNI(srv *http.Server, tlsConfigs []TLSConfig) error {
 config.Certificates = make([]tls.Certificate, len(tlsConfigs))
 for i, tlsConfig := range tlsConfigs {
 config.Certificates[i], err = tls.LoadX509KeyPair(tlsConfig.Certificate, tlsConfig.Key)
+ config.Certificates[i].OCSPStaple = tlsConfig.OCSPStaple
 if err != nil {
 return err
 }
From f9f1aafe0c1083e876b5dcaf7e1aa1d291a75830 Mon Sep 17 00:00:00 2001
From: xenolf
Date: Mon, 26 Oct 2015 00:53:36 +0100
Subject: [PATCH 4/4] Update to lego update. DevMode no longer exists.
---
config/letsencrypt/letsencrypt.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/letsencrypt/letsencrypt.go b/config/letsencrypt/letsencrypt.go
index 083daa34b..d058d88cd 100644
--- a/config/letsencrypt/letsencrypt.go
+++ b/config/letsencrypt/letsencrypt.go
@@ -152,7 +152,7 @@ func newClient(leEmail string) (*acme.Client, error) {
 }
 // The client facilitates our communication with the CA server.
- client := acme.NewClient(caURL, &leUser, rsaKeySizeToUse, exposePort, true) // TODO: Dev mode is enabled
+ client := acme.NewClient(caURL, &leUser, rsaKeySizeToUse, exposePort)
 // If not registered, the user must register an account with the CA
 // and agree to terms
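Review bot: The staple is assigned to `config.Certificates[i].OCSPStaple` on the line before the `LoadX509KeyPair` error is checked, so on a failed load the code writes into a zero-value certificate and then returns. It is harmless, but it reads as if the staple were valid independently of the key pair; moving the assignment below the check, `if err != nil { return err }` followed by `config.Certificates[i].OCSPStaple = tlsConfig.OCSPStaple`, keeps the happy path in order. Nothing in the hunk ties the staple to the certificate it was fetched for beyond sharing the same index, which is worth a comment on the assignment. ListenAndServeTLSWithSNI's body continues on both sides of the hunk.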