Revert "Run on plaintext HTTP to support Cloud Run"

This reverts commit 09b9673a60.

authority/config/config.go

@@ -227,10 +227,8 @@ func (c *Config) Validate() error {
 	}
 
 	// Validate address (a port is required)
-	if c.Address != "" {
-		if _, _, err := net.SplitHostPort(c.Address); err != nil {
-			return errors.Errorf("invalid address %s", c.Address)
-		}
+	if _, _, err := net.SplitHostPort(c.Address); err != nil {
+		return errors.Errorf("invalid address %s", c.Address)
 	}
 
 	if c.TLS == nil {

ca/ca.go

@@ -238,6 +238,13 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, errors.Wrap(err, "error creating SCEP authority")
 		}
 
+		// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
+		// SCEP operations are performed using HTTP, so that's why the API is mounted
+		// to the insecure mux.
+		insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
+			scepAPI.Route(r)
+		})
+
 		// The RFC also mentions usage of HTTPS, but seems to advise
 		// against it, because of potential interoperability issues.
 		// Currently I think it's not bad to use HTTPS also, so that's
@@ -259,6 +266,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = m.Middleware(handler)
+		insecureHandler = m.Middleware(insecureHandler)
 	}
 
 	// Add logger if configured
@@ -268,24 +276,25 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = logger.Middleware(handler)
+		insecureHandler = logger.Middleware(insecureHandler)
 	}
 
 	// Create context with all the necessary values.
 	baseContext := buildContext(auth, scepAuthority, acmeDB, acmeLinker)
 
-	if cfg.Address != "" {
-		ca.srv = server.New(cfg.Address, handler, tlsConfig)
-		ca.srv.BaseContext = func(net.Listener) context.Context {
-			return baseContext
-		}
+	ca.srv = server.New(cfg.Address, handler, tlsConfig)
+	ca.srv.BaseContext = func(net.Listener) context.Context {
+		return baseContext
 	}
 
-	if cfg.InsecureAddress != "" {
+	// only start the insecure server if the insecure address is configured
+	// and, currently, also only when it should serve SCEP endpoints.
+	if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
 		// TODO: instead opt for having a single server.Server but two
 		// http.Servers handling the HTTP and HTTPS handler? The latter
 		// will probably introduce more complexity in terms of graceful
 		// reload.
-		ca.insecureSrv = server.New(cfg.InsecureAddress, handler, nil)
+		ca.insecureSrv = server.New(cfg.InsecureAddress, insecureHandler, nil)
 		ca.insecureSrv.BaseContext = func(net.Listener) context.Context {
 			return baseContext
 		}
@@ -326,13 +335,11 @@ func (ca *CA) Run() error {
 			log.Printf("Current context: %s", step.Contexts().GetCurrent().Name)
 		}
 		log.Printf("Config file: %s", ca.opts.configFile)
-		if ca.config.Address != "" {
-			baseURL := fmt.Sprintf("https://%s%s",
-				authorityInfo.DNSNames[0],
-				ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
-			log.Printf("The primary server URL is %s", baseURL)
-			log.Printf("Root certificates are available at %s/roots.pem", baseURL)
-		}
+		baseURL := fmt.Sprintf("https://%s%s",
+			authorityInfo.DNSNames[0],
+			ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
+		log.Printf("The primary server URL is %s", baseURL)
+		log.Printf("Root certificates are available at %s/roots.pem", baseURL)
 		if len(authorityInfo.DNSNames) > 1 {
 			log.Printf("Additional configured hostnames: %s",
 				strings.Join(authorityInfo.DNSNames[1:], ", "))
@@ -356,13 +363,11 @@ func (ca *CA) Run() error {
 		}()
 	}
 
-	if ca.srv != nil {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			errs <- ca.srv.ListenAndServe()
-		}()
-	}
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		errs <- ca.srv.ListenAndServe()
+	}()
 
 	// wait till error occurs; ensures the servers keep listening
 	err := <-errs