Automatically set up certificate from Let's Encrypt
Closed, Resolved (Public)

Description

Overview

Make it easy for users to set up a secure site by automatically getting a certificate from Let's Encrypt.

Implementation

Use something like lego. See comments below.

If a user chooses Production, standalone and Secure during the setup process, before asking for the certificate / key paths, ask if the user wants to get a new certificate from Let's Encrypt. If so, do it -- if not, prompt for certificate / key paths.

If a user chooses Production, standalone, the "Web server mode" prompt should have the options:

  • Insecure (port 80)
  • Secure (port 443), manual
  • Secure (port 443), automated

The [server] config section should have a new bool indicating we should use autocert to serve the application instead of the standard server. Something like:

Autocert bool `ini:"autocert"`

If that's true, use the autocert pkg to handle requests.
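
A sketch of the mode selection described above, added here as an example and not taken from WriteFreely's code: it maps the three "Web server mode" options to a config and decides which listener to start, with the autocert package being wired in where the result is "autocert". Every name except the `Autocert` field is an assumption, and the host check is this example's reading of the DNS requirement quoted from certmagic in the comments below.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ServerCfg stands in for the [server] section; only Autocert is from the task.
type ServerCfg struct {
	Host, TLSCertPath, TLSKeyPath string
	Port                          int
	Autocert                      bool
}

// FromPrompt maps the three "Web server mode" options (1-3) to a config.
func FromPrompt(choice int, host, cert, key string) (ServerCfg, error) {
	switch choice {
	case 1: // Insecure (port 80)
		return ServerCfg{Host: host, Port: 80}, nil
	case 2: // Secure (port 443), manual
		return ServerCfg{Host: host, Port: 443, TLSCertPath: cert, TLSKeyPath: key}, nil
	case 3: // Secure (port 443), automated
		return ServerCfg{Host: host, Port: 443, Autocert: true}, nil
	}
	return ServerCfg{}, fmt.Errorf("unknown web server mode %d", choice)
}

// ServeMode validates c and returns "autocert", "tls" (cert and key on disk) or "http".
func ServeMode(c ServerCfg) (string, error) {
	manual := c.TLSCertPath != "" || c.TLSKeyPath != ""
	h := strings.ToLower(strings.TrimSuffix(c.Host, "."))
	switch {
	case c.Autocert && manual:
		return "", fmt.Errorf("autocert and certificate/key paths are mutually exclusive")
	case c.Autocert && (net.ParseIP(h) != nil || h == "localhost" || !strings.Contains(h, ".")):
		return "", fmt.Errorf("host %q is not a DNS name that can point at this server", c.Host)
	case c.Autocert:
		return "autocert", nil
	case manual && (c.TLSCertPath == "" || c.TLSKeyPath == ""):
		return "", fmt.Errorf("certificate and key paths must both be set")
	case manual:
		return "tls", nil
	}
	return "http", nil
}

func main() { fmt.Println(ServeMode(ServerCfg{Host: "blog.example.com", Port: 443, Autocert: true})) }
```

Rejecting `localhost`, IP literals and dotless names before any certificate request keeps a development install from falling into the automated path by accident.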

Event Timeline

matt created this object with visibility "Public (No Login Required)".

Need a little time to read into the "magic" that happens in this library, but certmagic might be the easiest way to implement this.

matt edited projects, added WriteFreely; removed WriteFreely (v1.0).

From certmagic:

Before using this library, your domain names MUST be pointed (A/AAAA records) at your server (unless you use the DNS challenge)!

I could see this being an obstacle to implementing this. Especially if we have to differentiate between dev and prod for whether or not to do the automagic stuff, this might end up making installation too much of a pain.

We're using the autocert library with #write.as_for_teams / rWFMT, and it works really well. Since it's already battle-tested there, I'd say we go with that.

matt changed the edit policy from "Restricted Project (Project)" to "All Users".