commit fcc274ac68dcb9063ca631fac9e8905e90088660
Author: David Fifield <david@bamsoftware.com>
Date:   Sat Feb 24 11:40:02 2018 -0800

    Use Manager.HTTPHandler for automatic TLS support.

    This is needed since the recent removal of the TLS-SNI challenge types.
    https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new...
    The HTTP-01 challenge type requires an additional listener on port 80.
---
 broker/README.md | 5 +++--
 broker/broker.go | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/broker/README.md b/broker/README.md index 38a8029..fb6181e 100644 --- a/broker/README.md +++ b/broker/README.md @@ -35,14 +35,15 @@ using the `--acme-email` option, so that Let's Encrypt can inform you of any problems.
In order to fetch certificates automatically, -the server needs to be listening on port 443 (the default). +the server needs to open an additional HTTP listener on port 80. On Linux, you can use the `setcap` program, part of libcap2, to enable the broker to bind to low-numbered ports without having to run as root: ``` setcap 'cap_net_bind_service=+ep' /usr/local/bin/broker ``` -You can control the listening port with the --addr option. +You can control the listening broker port with the --addr option. +Port 443 is the default.
You'll need to provide the URL of the custom broker to the client plugin using the `--url $URL` flag. diff --git a/broker/broker.go b/broker/broker.go index b544e64..a799f29 100644 --- a/broker/broker.go +++ b/broker/broker.go @@ -260,6 +260,10 @@ func main() { HostPolicy: autocert.HostWhitelist(acmeHostnames...), Email: acmeEmail, } + go func() { + log.Printf("Starting HTTP-01 listener") + log.Fatal(http.ListenAndServe(":80", certManager.HTTPHandler(nil))) + }()
server.TLSConfig = &tls.Config{GetCertificate: certManager.GetCertificate} err = server.ListenAndServeTLS("", "")
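Review bot: the README hunk tells operators that the broker now "needs to open an additional HTTP listener on port 80" but does not say that this listener's address is fixed (the broker.go hunk hard-codes `":80"`) and is not affected by `--addr`, so a reader could reasonably expect `--addr` to move both listeners; suggest adding a sentence such as "The HTTP-01 listener always binds to port 80; `--addr` only changes the TLS port" and noting that the `setcap` step is what lets the broker bind port 80 as well as 443 without root. Minor wording: "the listening broker port" reads awkwardly; "the broker's listening port" is clearer.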
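Review bot: in the broker.go hunk the new goroutine calls `http.ListenAndServe(":80", certManager.HTTPHandler(nil))`, which uses a default `http.Server` with no `ReadHeaderTimeout`, `ReadTimeout` or `IdleTimeout`, so any unauthenticated client can hold port-80 connections open indefinitely on a listener whose only purpose is to answer short ACME challenge requests; suggest constructing the server explicitly, e.g. `srv := &http.Server{Addr: ":80", Handler: certManager.HTTPHandler(nil), ReadHeaderTimeout: 10 * time.Second}` and `log.Fatal(srv.ListenAndServe())`, and making `":80"` a flag or constant alongside `--addr` rather than a literal. Two smaller points: `log.Fatal` inside the goroutine will terminate the whole broker if port 80 is already taken (which is probably the intended behaviour, since certificates cannot be fetched otherwise, but the log message "Starting HTTP-01 listener" should say which address it is binding so the failure is diagnosable), and `HTTPHandler(nil)` redirects every non-challenge request on port 80 to the HTTPS origin, which is fine here but worth a comment since the broker now serves a public plaintext endpoint.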
tor-commits@lists.torproject.org