[tor-commits] [meek/master] Add an --acme-email option.

dcf at torproject.org dcf at torproject.org
Tue Apr 11 08:54:17 UTC 2017


commit e1fe61923fa2e22257615b65c5abfbcbc90dbceb
Author: David Fifield <david at bamsoftware.com>
Date:   Thu Mar 30 18:56:17 2017 -0700

    Add an --acme-email option.
    
    Sets the notification email for Let's Encrypt.
---
 doc/meek-server.1.txt      | 11 ++++++++---
 meek-server/meek-server.go | 16 +++++++++-------
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/doc/meek-server.1.txt b/doc/meek-server.1.txt
index bbbcc7d..4c8f174 100644
--- a/doc/meek-server.1.txt
+++ b/doc/meek-server.1.txt
@@ -21,9 +21,10 @@ sequence of HTTP requests and responses.
 You will need to configure TLS certificates. There are two ways to set
 up certificates:
 
-* **--acme-hostnames**=__HOSTNAME__ will automatically get certificates
-  for __HOSTNAME__ using Let's Encrypt. This only works when meek-server
-  is running on port 443.
+* **--acme-hostnames**=__HOSTNAME__ (with optional
+  **--acme-email**=__EMAIL__) will automatically get certificates for
+  __HOSTNAME__ using Let's Encrypt. This only works when meek-server is
+  running on port 443.
 * **--cert**=__FILENAME__ and **--key**=__FILENAME__ allow use to use
   your own externally acquired certificate.
 
@@ -49,6 +50,10 @@ setcap 'cap_net_bind_service=+ep' /usr/local/bin/meek-server
 
 OPTIONS
 -------
+**--acme-email**=__EMAIL__::
+    Optional email address to register for Let's Encrypt notifications
+    when using **--acme-hostnames**.
+
 **--acme-hostnames**=__HOSTNAME__[,__HOSTNAME__]...::
     Comma-separated list of hostnames to honor when getting automatic
     certificates from Let's Encrypt. meek-server has to be running on
diff --git a/meek-server/meek-server.go b/meek-server/meek-server.go
index b8449a0..cb07f6e 100644
--- a/meek-server/meek-server.go
+++ b/meek-server/meek-server.go
@@ -4,7 +4,7 @@
 //
 // Sample usage in torrc:
 // 	ServerTransportListenAddr meek 0.0.0.0:443
-// 	ServerTransportPlugin meek exec ./meek-server --acme-hostnames meek-server.example --log meek-server.log
+// 	ServerTransportPlugin meek exec ./meek-server --acme-hostnames meek-server.example --acme-email admin at meek-server.example --log meek-server.log
 // Using your own TLS certificate:
 // 	ServerTransportListenAddr meek 0.0.0.0:8443
 // 	ServerTransportPlugin meek exec ./meek-server --cert cert.pem --key key.pem --log meek-server.log
@@ -343,12 +343,14 @@ func getCertificateCacheDir() (string, error) {
 }
 
 func main() {
+	var acmeEmail string
 	var acmeHostnamesCommas string
 	var disableTLS bool
 	var certFilename, keyFilename string
 	var logFilename string
 	var port int
 
+	flag.StringVar(&acmeEmail, "acme-email", "", "optional contact email for Let's Encrypt notifications")
 	flag.StringVar(&acmeHostnamesCommas, "acme-hostnames", "", "comma-separated hostnames for automatic TLS certificate")
 	flag.BoolVar(&disableTLS, "disable-tls", false, "don't use HTTPS")
 	flag.StringVar(&certFilename, "cert", "", "TLS certificate file")
@@ -374,7 +376,7 @@ func main() {
 
 	// Handle the various ways of setting up TLS. The legal configurations
 	// are:
-	//   --acme-hostnames
+	//   --acme-hostnames (with optional --acme-email)
 	//   --cert and --key together
 	//   --disable-tls
 	// The outputs of this block of code are the disableTLS,
@@ -382,12 +384,12 @@ func main() {
 	var missing443Listener = false
 	var getCertificate func (*tls.ClientHelloInfo) (*tls.Certificate, error)
 	if disableTLS {
-		if acmeHostnamesCommas != "" || certFilename != "" || keyFilename != "" {
-			log.Fatalf("The --acme-hostnames, --cert, and --key options are not allowed with --disable-tls.")
+		if acmeEmail != "" || acmeHostnamesCommas != "" || certFilename != "" || keyFilename != "" {
+			log.Fatalf("The --acme-email, --acme-hostnames, --cert, and --key options are not allowed with --disable-tls.")
 		}
 	} else if certFilename != "" && keyFilename != "" {
-		if acmeHostnamesCommas != "" {
-			log.Fatalf("The --cert and --key options are not allowed with --acme-hostnames.")
+		if acmeEmail != "" || acmeHostnamesCommas != "" {
+			log.Fatalf("The --cert and --key options are not allowed with --acme-email or --acme-hostnames.")
 		}
 		ctx, err := newCertContext(certFilename, keyFilename)
 		if err != nil {
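Review bot: The new checks reject `--acme-email` alongside `--disable-tls` and alongside `--cert`/`--key`, but nothing in this hunk rejects `--acme-email` given without `--acme-hostnames`; unless the branch that follows the hunk handles it, the address is silently dropped and the operator never receives the expiry or problem notices they think they configured. The man page in this same commit documents the option as meaningful only with `--acme-hostnames`, so failing loudly is consistent with how the other combinations are treated. A branch such as `} else if acmeEmail != "" && acmeHostnamesCommas == "" { log.Fatalf("The --acme-email option requires --acme-hostnames.") }` placed before the ACME case would close the gap. The enclosing `main` starts and ends outside this hunk.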
@@ -423,7 +425,7 @@ func main() {
 		certManager := &autocert.Manager{
 			Prompt:     autocert.AcceptTOS,
 			HostPolicy: autocert.HostWhitelist(acmeHostnames...),
-			// Email:      acmeEmail,
+			Email:      acmeEmail,
 			Cache:      cache,
 		}
 		getCertificate = certManager.GetCertificate
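Review bot: `Email: acmeEmail` is handed to `autocert.Manager` with no comment on when it takes effect; as far as I recall, autocert only sends the contact address to the CA when it registers a new account and ignores it if the cache already holds a registered account key, so operators who add `--acme-email` to an existing deployment may get no notifications at all. Worth a comment on that line such as `// Sent to the CA only when a new account is registered; if the cache already holds an account key, changing this has no effect.` and a matching sentence in the man page. The surrounding `main` continues outside this hunk.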


