Revert "Run on plaintext HTTP to support Cloud Run"

This reverts commit 09b9673a60.

authority/config/config.go

@@ -201,6 +201,8 @@ func (c *Config) Save(filename string) error {
 // Validate validates the configuration.
 func (c *Config) Validate() error {
 	switch {
+	case c.Address == "":
+		return errors.New("address cannot be empty")
 	case len(c.DNSNames) == 0:
 		return errors.New("dnsNames cannot be empty")
 	case c.AuthorityConfig == nil:
@@ -222,10 +224,8 @@ func (c *Config) Validate() error {
 	}
 
 	// Validate address (a port is required)
-	if c.Address != "" {
+	if _, _, err := net.SplitHostPort(c.Address); err != nil {
-		if _, _, err := net.SplitHostPort(c.Address); err != nil {
+		return errors.Errorf("invalid address %s", c.Address)
-			return errors.Errorf("invalid address %s", c.Address)
-		}
 	}
 
 	if c.TLS == nil {

authority/config/config_test.go

@@ -38,6 +38,19 @@ func TestConfigValidate(t *testing.T) {
 		tls    TLSOptions
 	}
 	tests := map[string]func(*testing.T) ConfigValidateTest{
+		"empty-address": func(t *testing.T) ConfigValidateTest {
+			return ConfigValidateTest{
+				config: &Config{
+					Root:             []string{"../testdata/secrets/root_ca.crt"},
+					IntermediateCert: "../testdata/secrets/intermediate_ca.crt",
+					IntermediateKey:  "../testdata/secrets/intermediate_ca_key",
+					DNSNames:         []string{"test.smallstep.com"},
+					Password:         "pass",
+					AuthorityConfig:  ac,
+				},
+				err: errors.New("address cannot be empty"),
+			}
+		},
 		"invalid-address": func(t *testing.T) ConfigValidateTest {
 			return ConfigValidateTest{
 				config: &Config{

ca/ca.go

@@ -170,6 +170,9 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 	mux := chi.NewRouter()
 	handler := http.Handler(mux)
 
+	insecureMux := chi.NewRouter()
+	insecureHandler := http.Handler(insecureMux)
+
 	// Add regular CA api endpoints in / and /1.0
 	api.Route(mux)
 	mux.Route("/1.0", func(r chi.Router) {
@@ -230,6 +233,13 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, errors.Wrap(err, "error creating SCEP authority")
 		}
 
+		// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
+		// SCEP operations are performed using HTTP, so that's why the API is mounted
+		// to the insecure mux.
+		insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
+			scepAPI.Route(r)
+		})
+
 		// The RFC also mentions usage of HTTPS, but seems to advise
 		// against it, because of potential interoperability issues.
 		// Currently I think it's not bad to use HTTPS also, so that's
@@ -251,6 +261,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = m.Middleware(handler)
+		insecureHandler = m.Middleware(insecureHandler)
 	}
 
 	// Add logger if configured
@@ -260,24 +271,25 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = logger.Middleware(handler)
+		insecureHandler = logger.Middleware(insecureHandler)
 	}
 
 	// Create context with all the necessary values.
 	baseContext := buildContext(auth, scepAuthority, acmeDB, acmeLinker)
 
-	if cfg.Address != "" {
+	ca.srv = server.New(cfg.Address, handler, tlsConfig)
-		ca.srv = server.New(cfg.Address, handler, tlsConfig)
+	ca.srv.BaseContext = func(net.Listener) context.Context {
-		ca.srv.BaseContext = func(net.Listener) context.Context {
+		return baseContext
-			return baseContext
-		}
 	}
 
-	if cfg.InsecureAddress != "" {
+	// only start the insecure server if the insecure address is configured
+	// and, currently, also only when it should serve SCEP endpoints.
+	if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
 		// TODO: instead opt for having a single server.Server but two
 		// http.Servers handling the HTTP and HTTPS handler? The latter
 		// will probably introduce more complexity in terms of graceful
 		// reload.
-		ca.insecureSrv = server.New(cfg.InsecureAddress, handler, nil)
+		ca.insecureSrv = server.New(cfg.InsecureAddress, insecureHandler, nil)
 		ca.insecureSrv.BaseContext = func(net.Listener) context.Context {
 			return baseContext
 		}
@@ -318,13 +330,11 @@ func (ca *CA) Run() error {
 			log.Printf("Current context: %s", step.Contexts().GetCurrent().Name)
 		}
 		log.Printf("Config file: %s", ca.opts.configFile)
-		if ca.config.Address != "" {
+		baseURL := fmt.Sprintf("https://%s%s",
-			baseURL := fmt.Sprintf("https://%s%s",
+			authorityInfo.DNSNames[0],
-				authorityInfo.DNSNames[0],
+			ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
-				ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
+		log.Printf("The primary server URL is %s", baseURL)
-			log.Printf("The primary server URL is %s", baseURL)
+		log.Printf("Root certificates are available at %s/roots.pem", baseURL)
-			log.Printf("Root certificates are available at %s/roots.pem", baseURL)
-		}
 		if len(authorityInfo.DNSNames) > 1 {
 			log.Printf("Additional configured hostnames: %s",
 				strings.Join(authorityInfo.DNSNames[1:], ", "))
@@ -348,13 +358,11 @@ func (ca *CA) Run() error {
 		}()
 	}
 
-	if ca.srv != nil {
+	wg.Add(1)
-		wg.Add(1)
+	go func() {
-		go func() {
+		defer wg.Done()
-			defer wg.Done()
+		errs <- ca.srv.ListenAndServe()
-			errs <- ca.srv.ListenAndServe()
+	}()
-		}()
-	}
 
 	// wait till error occurs; ensures the servers keep listening
 	err := <-errs