commit e1fe61923fa2e22257615b65c5abfbcbc90dbceb Author: David Fifield david@bamsoftware.com Date: Thu Mar 30 18:56:17 2017 -0700
Add an --acme-email option.
Sets the notification email for Let's Encrypt. --- doc/meek-server.1.txt | 11 ++++++++--- meek-server/meek-server.go | 16 +++++++++------- 2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/doc/meek-server.1.txt b/doc/meek-server.1.txt index bbbcc7d..4c8f174 100644 --- a/doc/meek-server.1.txt +++ b/doc/meek-server.1.txt @@ -21,9 +21,10 @@ sequence of HTTP requests and responses. You will need to configure TLS certificates. There are two ways to set up certificates:
-* **--acme-hostnames**=__HOSTNAME__ will automatically get certificates - for __HOSTNAME__ using Let's Encrypt. This only works when meek-server - is running on port 443. +* **--acme-hostnames**=__HOSTNAME__ (with optional + **--acme-email**=__EMAIL__) will automatically get certificates for + __HOSTNAME__ using Let's Encrypt. This only works when meek-server is + running on port 443. * **--cert**=__FILENAME__ and **--key**=__FILENAME__ allow use to use your own externally acquired certificate.
@@ -49,6 +50,10 @@ setcap 'cap_net_bind_service=+ep' /usr/local/bin/meek-server
 OPTIONS
 -------
+**--acme-email**=__EMAIL__::
+ Optional email address to register for Let's Encrypt notifications
+ when using **--acme-hostnames**.
+
 **--acme-hostnames**=__HOSTNAME__[,__HOSTNAME__]...::
 Comma-separated list of hostnames to honor when getting automatic certificates from Let's Encrypt. meek-server has to be running on
diff --git a/meek-server/meek-server.go b/meek-server/meek-server.go
index b8449a0..cb07f6e 100644
--- a/meek-server/meek-server.go
+++ b/meek-server/meek-server.go
@@ -4,7 +4,7 @@
 //
 // Sample usage in torrc:
 // ServerTransportListenAddr meek 0.0.0.0:443
-// ServerTransportPlugin meek exec ./meek-server --acme-hostnames meek-server.example --log meek-server.log
+// ServerTransportPlugin meek exec ./meek-server --acme-hostnames meek-server.example --acme-email admin@meek-server.example --log meek-server.log
 // Using your own TLS certificate:
 // ServerTransportListenAddr meek 0.0.0.0:8443
 // ServerTransportPlugin meek exec ./meek-server --cert cert.pem --key key.pem --log meek-server.log
@@ -343,12 +343,14 @@ func getCertificateCacheDir() (string, error) {
 }
 func main() {
+	var acmeEmail string
 	var acmeHostnamesCommas string
 	var disableTLS bool
 	var certFilename, keyFilename string
 	var logFilename string
 	var port int
+	flag.StringVar(&acmeEmail, "acme-email", "", "optional contact email for Let's Encrypt notifications")
 	flag.StringVar(&acmeHostnamesCommas, "acme-hostnames", "", "comma-separated hostnames for automatic TLS certificate")
 	flag.BoolVar(&disableTLS, "disable-tls", false, "don't use HTTPS")
 	flag.StringVar(&certFilename, "cert", "", "TLS certificate file")
@@ -374,7 +376,7 @@ func main() {
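Review bot: The help string on the added `flag.StringVar(&acmeEmail, ...)` line does not say that the option only has an effect together with `--acme-hostnames`, although the manual page text in this same commit does; since `-h` output is what an operator sees first, I would carry that over: `flag.StringVar(&acmeEmail, "acme-email", "", "optional contact email for Let's Encrypt notifications (only with --acme-hostnames)")`. The body of main continues past the end of the hunk.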
 	// Handle the various ways of setting up TLS. The legal configurations
 	// are:
-	// --acme-hostnames
+	// --acme-hostnames (with optional --acme-email)
 	// --cert and --key together
 	// --disable-tls
 	// The outputs of this block of code are the disableTLS,
@@ -382,12 +384,12 @@ func main() {
 	var missing443Listener = false
 	var getCertificate func (*tls.ClientHelloInfo) (*tls.Certificate, error)
 	if disableTLS {
-		if acmeHostnamesCommas != "" || certFilename != "" || keyFilename != "" {
-			log.Fatalf("The --acme-hostnames, --cert, and --key options are not allowed with --disable-tls.")
+		if acmeEmail != "" || acmeHostnamesCommas != "" || certFilename != "" || keyFilename != "" {
+			log.Fatalf("The --acme-email, --acme-hostnames, --cert, and --key options are not allowed with --disable-tls.")
 		}
 	} else if certFilename != "" && keyFilename != "" {
-		if acmeHostnamesCommas != "" {
-			log.Fatalf("The --cert and --key options are not allowed with --acme-hostnames.")
+		if acmeEmail != "" || acmeHostnamesCommas != "" {
+			log.Fatalf("The --cert and --key options are not allowed with --acme-email or --acme-hostnames.")
 		}
 		ctx, err := newCertContext(certFilename, keyFilename)
 		if err != nil {
@@ -423,7 +425,7 @@ func main() {
 		certManager := &autocert.Manager{
 			Prompt: autocert.AcceptTOS,
 			HostPolicy: autocert.HostWhitelist(acmeHostnames...),
-			// Email: acmeEmail,
+			Email: acmeEmail,
 			Cache: cache,
 		}
 		getCertificate = certManager.GetCertificate
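Review bot: `acmeEmail` is handed to `autocert.Manager` on the new `Email: acmeEmail,` line without any sanity check, and as far as I recall autocert only sends the contact address when it registers the ACME account, which happens lazily on the first certificate request rather than at startup. A malformed address would therefore presumably surface as a failed ACME registration during the first client TLS handshake, where the log line is much harder to connect to the option than a startup failure would be. I would fail fast while the options are being validated, e.g. `if acmeEmail != "" { if _, err := mail.ParseAddress(acmeEmail); err != nil { log.Fatalf("Bad --acme-email: %s", err) } }` with `net/mail` imported; note that `ParseAddress` also accepts `Name <user@host>` forms, so hand the parsed `.Address` to the manager if you go that way. main continues outside the hunk on both sides.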