
LetsEncrypt in Go

The essence of the problem is that LetsEncrypt certificates are valid for three months and are renewed every month. Automating a certonly renewal via cron is easy enough, but Go does not yet have an easy way to pick up the renewed certificate automatically.

More precisely, now there is:


 package main

 import (
 	"log"
 	"time"

 	"github.com/CossackPyra/pyrahttp"
 )

 func main() {
 	// log.Println(http.ListenAndServeTLS(":7544",
 	// 	"/home/user/cert/game01.example.com/fullchain.pem",
 	// 	"/home/user/cert/game01.example.com/privkey.pem", nil))
 	for {
 		log.Println(pyrahttp.ListenAndServeLetsEncrypt(":7544",
 			"/home/user/cert/game01.example.com/fullchain.pem",
 			"/home/user/cert/game01.example.com/privkey.pem", nil))
 		time.Sleep(time.Second * 5)
 	}
 }

The loop is optional. It is needed if you do not want the server to die when the new certificate is broken: the HTTPS service goes down while the certificate is missing or invalid, and comes back to life as soon as a valid certificate appears.

How it works


The net/http package offers no easy way to stop a running HTTP or HTTPS server. So, inspired by this post, I copied the ListenAndServeTLS code and some more code from net/http, and ended up with a working pyrahttp.ListenAndServeLetsEncrypt.

http.Server is given my own implementation of net.Listener. In Accept(), it calls TCPListener.Accept() with a one-minute deadline. Whether the deadline expires or a new connection arrives, the listener then checks the certificate file, and if the file has changed it returns a ReloadError, which makes ListenAndServeLetsEncrypt restart the server with the new certificate.
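The listener described above, written out as an added example that is not pyrahttp's own code: reloadListener, ErrReload and serveUntilCertChange are names chosen here, the certificate paths are placeholders, and the poll interval is a parameter rather than the post's fixed one minute. The check compares the file's mtime rather than its contents (os.Stat follows symlinks, so a repointed certbot live/ symlink is detected too), and a connection that arrives together with a change is still served with the old certificate before the reload is reported.

```go
package main

import (
	"crypto/tls"
	"errors"
	"log"
	"net"
	"net/http"
	"os"
	"time"
)

// ErrReload is returned by Accept once the certificate file has changed. It is
// not a net.Error, so http.Server.Serve returns it instead of retrying Accept.
var ErrReload = errors.New("certificate file changed, reload requested")

// reloadListener accepts TCP connections while polling one certificate file.
// http.Server.Serve calls Accept from a single goroutine, so no locking is needed.
type reloadListener struct {
	*net.TCPListener
	certFile      string
	modTime       time.Time     // mtime of certFile when the listener was created
	interval      time.Duration // longest wait in Accept before re-checking the file
	reloadPending bool
}

func newReloadListener(addr, certFile string, interval time.Duration) (*reloadListener, error) {
	fi, err := os.Stat(certFile)
	if err != nil {
		return nil, err
	}
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	return &reloadListener{TCPListener: ln.(*net.TCPListener), certFile: certFile,
		modTime: fi.ModTime(), interval: interval}, nil
}

// certChanged is true when the file's mtime differs from the one seen at start.
// A vanished file counts as changed: the reload then fails to load the key pair
// and the outer loop keeps retrying until the file is back.
func (l *reloadListener) certChanged() bool {
	fi, err := os.Stat(l.certFile)
	return err != nil || !fi.ModTime().Equal(l.modTime)
}

// Accept waits up to l.interval for a connection, then checks the file. A
// connection that arrives together with a change is still handed out; ErrReload
// is returned on the following call.
func (l *reloadListener) Accept() (net.Conn, error) {
	for {
		if l.reloadPending {
			return nil, ErrReload
		}
		if err := l.SetDeadline(time.Now().Add(l.interval)); err != nil {
			return nil, err
		}
		conn, err := l.TCPListener.Accept()
		if l.certChanged() {
			l.reloadPending = true
			if conn == nil {
				return nil, ErrReload
			}
			return conn, nil
		}
		if err != nil {
			var ne net.Error
			if errors.As(err, &ne) && ne.Timeout() {
				continue // deadline expired, file unchanged: keep waiting
			}
			return nil, err
		}
		return conn, nil
	}
}

// serveUntilCertChange loads the key pair, serves HTTPS on a watching listener
// and returns ErrReload when the certificate file changes. Serve closes the
// listener on return, so the next call can bind the same port again.
func serveUntilCertChange(addr, certFile, keyFile string, h http.Handler, interval time.Duration) error {
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return err
	}
	ln, err := newReloadListener(addr, certFile, interval)
	if err != nil {
		return err
	}
	srv := &http.Server{Addr: addr, Handler: h}
	return srv.Serve(tls.NewListener(ln, &tls.Config{Certificates: []tls.Certificate{cert}}))
}

func main() {
	const dir = "/home/user/cert/game01.example.com/" // placeholder certificate directory
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("hello\n")) })
	for { // a missing or broken certificate fails fast; sleep, then try again
		log.Println(serveUntilCertChange(":7544", dir+"fullchain.pem", dir+"privkey.pem", h, time.Minute))
		time.Sleep(5 * time.Second)
	}
}
```

Two caveats for anyone copying this design today: tls.Config.GetCertificate (available since Go 1.4) lets a handshake callback hand out a freshly loaded certificate, which avoids restarting the listener at all, and http.Server.Shutdown (Go 1.8) provides the graceful stop the post says net/http lacked. The example keeps to the post's restart-on-change approach so the behaviour matches the description above.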
I hope that more Go servers will now be able to live for two or three years without a restart.

Install / Update


 go get -u github.com/CossackPyra/pyrahttp 


PS


If you have several domains, subdomains or (virtual) servers and are wondering how to start with LetsEncrypt: I chose a setup with one server running the LetsEncrypt client, and on all the other servers requests to /.well-known/acme-challenge are proxied to that server. This lets you obtain one certificate covering several servers, which I can later merge onto a single server or put behind a common proxy.
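The proxying arrangement from the PS, as an added Go example that is not from the post: only GET requests whose path is /.well-known/acme-challenge/<token> are forwarded to the host running the LetsEncrypt client (acme.internal.example is a placeholder), everything else is served locally, and the token is checked against the base64url alphabet so the forwarding rule cannot be used to reach other paths on that host. isACMEChallengePath and newACMEProxyHandler are names chosen here.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

const acmePrefix = "/.well-known/acme-challenge/"

// isACMEChallengePath accepts only acmePrefix followed by one non-empty token
// made of base64url characters. Anything else under .well-known stays local,
// so the proxy cannot be used to reach arbitrary paths on the LetsEncrypt host.
func isACMEChallengePath(p string) bool {
	if !strings.HasPrefix(p, acmePrefix) {
		return false
	}
	token := strings.TrimPrefix(p, acmePrefix)
	if token == "" {
		return false
	}
	for _, r := range token {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '-', r == '_':
		default:
			return false
		}
	}
	return true
}

// newACMEProxyHandler forwards HTTP-01 challenge requests to the host that runs
// the LetsEncrypt client and serves everything else with local.
func newACMEProxyHandler(acmeHost *url.URL, local http.Handler) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(acmeHost)
	mux := http.NewServeMux()
	mux.HandleFunc(acmePrefix, func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet || !isACMEChallengePath(r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		proxy.ServeHTTP(w, r)
	})
	mux.Handle("/", local)
	return mux
}

func main() {
	// Assumed address of the single machine that runs the LetsEncrypt client.
	acmeHost, err := url.Parse("http://acme.internal.example:80")
	if err != nil {
		log.Fatal(err)
	}
	local := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("local site\n"))
	})
	log.Fatal(http.ListenAndServe(":80", newACMEProxyHandler(acmeHost, local)))
}
```

The LetsEncrypt validator only ever fetches one token path per challenge, so the GET-only and token-charset restrictions cost nothing in practice while keeping the forwarding rule from becoming an open reverse proxy into the ACME box.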

Source: https://habr.com/ru/post/274749/

