[tor-commits] [snowflake/master] Use Manager.HTTPHandler for automatic TLS support.

dcf at torproject.org dcf at torproject.org
Mon Mar 5 23:16:48 UTC 2018


commit fcc274ac68dcb9063ca631fac9e8905e90088660
Author: David Fifield <david at bamsoftware.com>
Date:   Sat Feb 24 11:40:02 2018 -0800

    Use Manager.HTTPHandler for automatic TLS support.
    
    This is needed since the recent removal of the TLS-SNI challenge types.
    https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316
    The HTTP-01 challenge type requires an additional listener on port 80.
---
 broker/README.md | 5 +++--
 broker/broker.go | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/broker/README.md b/broker/README.md
index 38a8029..fb6181e 100644
--- a/broker/README.md
+++ b/broker/README.md
@@ -35,14 +35,15 @@ using the `--acme-email` option,
 so that Let's Encrypt can inform you of any problems.
 
 In order to fetch certificates automatically,
-the server needs to be listening on port 443 (the default).
+the server needs to open an additional HTTP listener on port 80.
 On Linux, you can use the `setcap` program,
 part of libcap2, to enable the broker to bind to low-numbered ports
 without having to run as root:
 ```
 setcap 'cap_net_bind_service=+ep' /usr/local/bin/broker
 ```
-You can control the listening port with the --addr option.
+You can control the listening broker port with the --addr option.
+Port 443 is the default.
 
 You'll need to provide the URL of the custom broker
 to the client plugin using the `--url $URL` flag.
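Review bot: the README text in this hunk does not say that `--addr` leaves the HTTP-01 listener alone; broker.go binds that listener to `:80` with no flag whenever ACME is enabled, so "You can control the listening broker port with the --addr option" right after "open an additional HTTP listener on port 80" leaves a reader unsure whether `--addr` moves the port-80 listener as well. Suggest wording such as: "You can control the broker's own listening port with the --addr option (port 443 is the default). The HTTP-01 listener always uses port 80." It is also worth stating that the `setcap` step now covers both low ports, not just 443.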
diff --git a/broker/broker.go b/broker/broker.go
index b544e64..a799f29 100644
--- a/broker/broker.go
+++ b/broker/broker.go
@@ -260,6 +260,10 @@ func main() {
 			HostPolicy: autocert.HostWhitelist(acmeHostnames...),
 			Email:      acmeEmail,
 		}
+		go func() {
+			log.Printf("Starting HTTP-01 listener")
+			log.Fatal(http.ListenAndServe(":80",  certManager.HTTPHandler(nil)))
+		}()
 
 		server.TLSConfig = &tls.Config{GetCertificate: certManager.GetCertificate}
 		err = server.ListenAndServeTLS("", "")
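Review bot: the new listener `http.ListenAndServe(":80", certManager.HTTPHandler(nil))` carries no timeouts, so any unauthenticated client can hold connections open indefinitely on the plaintext port; suggest an explicit `&http.Server{Addr: ":80", Handler: certManager.HTTPHandler(nil), ReadHeaderTimeout: ...}` with `srv.ListenAndServe()` in the goroutine. Two smaller points on the same line: with a `nil` fallback, autocert answers non-challenge GET/HEAD requests with a redirect to HTTPS on the default port 443, which will not reach the broker when `--addr` selects another port, so either document that or pass a fallback that redirects to the configured address; and the double space before `certManager` is not gofmt-clean. The `log.Fatal` inside the goroutine is fine as fail-fast behaviour, but a short comment saying that a busy port 80 deliberately terminates the broker would help the next reader.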


