Added support for specifying ACME-server by using REGISTRY_HTTP_TLS_LETSENCRYPT_DIRECTORYURL
Signed-off-by: Alex Lavallee <73203142+lavalleeale@users.noreply.github.com>
This commit is contained in:
parent
6a57630cf4
commit
4bbe0ba080
4 changed files with 29 additions and 11 deletions
|
@ -131,6 +131,10 @@ type Configuration struct {
|
||||||
// Hosts specifies the hosts which are allowed to obtain Let's
|
// Hosts specifies the hosts which are allowed to obtain Let's
|
||||||
// Encrypt certificates.
|
// Encrypt certificates.
|
||||||
Hosts []string `yaml:"hosts,omitempty"`
|
Hosts []string `yaml:"hosts,omitempty"`
|
||||||
|
|
||||||
|
// DirectoryURL points to the CA directory endpoint.
|
||||||
|
// If empty, LetsEncrypt is used.
|
||||||
|
DirectoryURL string `yaml:"directoryurl,omitempty"`
|
||||||
} `yaml:"letsencrypt,omitempty"`
|
} `yaml:"letsencrypt,omitempty"`
|
||||||
} `yaml:"tls,omitempty"`
|
} `yaml:"tls,omitempty"`
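Review bot: The comment on the new `DirectoryURL` field says where the value points but not how it is used, and it spells `LetsEncrypt` differently from the `Let's Encrypt` used in the `Hosts` comment just above. I would extend it to say that this is the ACME directory endpoint the registry registers its account with and obtains its serving certificate from, that the string is taken verbatim here (nothing in this struct validates it), and that an empty value selects the Let's Encrypt production directory. It is also worth a sentence that certificates already stored under `CacheFile` keep being served after the URL is changed — as far as I can tell autocert does not key cached certificates by issuer, so switching from one CA to another needs the cache cleared; please confirm against autocert before stating it. The enclosing `Configuration` struct continues outside the hunk.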
|
||||||
|
|
||||||
|
|
|
@ -89,9 +89,10 @@ var configStruct = Configuration{
|
||||||
MinimumTLS string `yaml:"minimumtls,omitempty"`
|
MinimumTLS string `yaml:"minimumtls,omitempty"`
|
||||||
CipherSuites []string `yaml:"ciphersuites,omitempty"`
|
CipherSuites []string `yaml:"ciphersuites,omitempty"`
|
||||||
LetsEncrypt struct {
|
LetsEncrypt struct {
|
||||||
CacheFile string `yaml:"cachefile,omitempty"`
|
CacheFile string `yaml:"cachefile,omitempty"`
|
||||||
Email string `yaml:"email,omitempty"`
|
Email string `yaml:"email,omitempty"`
|
||||||
Hosts []string `yaml:"hosts,omitempty"`
|
Hosts []string `yaml:"hosts,omitempty"`
|
||||||
|
DirectoryURL string `yaml:"directoryurl,omitempty"`
|
||||||
} `yaml:"letsencrypt,omitempty"`
|
} `yaml:"letsencrypt,omitempty"`
|
||||||
} `yaml:"tls,omitempty"`
|
} `yaml:"tls,omitempty"`
|
||||||
Headers http.Header `yaml:"headers,omitempty"`
|
Headers http.Header `yaml:"headers,omitempty"`
|
||||||
|
@ -113,9 +114,10 @@ var configStruct = Configuration{
|
||||||
MinimumTLS string `yaml:"minimumtls,omitempty"`
|
MinimumTLS string `yaml:"minimumtls,omitempty"`
|
||||||
CipherSuites []string `yaml:"ciphersuites,omitempty"`
|
CipherSuites []string `yaml:"ciphersuites,omitempty"`
|
||||||
LetsEncrypt struct {
|
LetsEncrypt struct {
|
||||||
CacheFile string `yaml:"cachefile,omitempty"`
|
CacheFile string `yaml:"cachefile,omitempty"`
|
||||||
Email string `yaml:"email,omitempty"`
|
Email string `yaml:"email,omitempty"`
|
||||||
Hosts []string `yaml:"hosts,omitempty"`
|
Hosts []string `yaml:"hosts,omitempty"`
|
||||||
|
DirectoryURL string `yaml:"directoryurl,omitempty"`
|
||||||
} `yaml:"letsencrypt,omitempty"`
|
} `yaml:"letsencrypt,omitempty"`
|
||||||
}{
|
}{
|
||||||
ClientCAs: []string{"/path/to/ca.pem"},
|
ClientCAs: []string{"/path/to/ca.pem"},
|
||||||
|
|
|
@ -240,6 +240,7 @@ http:
|
||||||
cachefile: /path/to/cache-file
|
cachefile: /path/to/cache-file
|
||||||
email: emailused@letsencrypt.com
|
email: emailused@letsencrypt.com
|
||||||
hosts: [myregistryaddress.org]
|
hosts: [myregistryaddress.org]
|
||||||
|
directoryurl: https://acme-v02.api.letsencrypt.org/directory
|
||||||
debug:
|
debug:
|
||||||
addr: localhost:5001
|
addr: localhost:5001
|
||||||
prometheus:
|
prometheus:
|
||||||
|
@ -823,6 +824,7 @@ http:
|
||||||
cachefile: /path/to/cache-file
|
cachefile: /path/to/cache-file
|
||||||
email: emailused@letsencrypt.com
|
email: emailused@letsencrypt.com
|
||||||
hosts: [myregistryaddress.org]
|
hosts: [myregistryaddress.org]
|
||||||
|
directoryurl: https://acme-v02.api.letsencrypt.org/directory
|
||||||
debug:
|
debug:
|
||||||
addr: localhost:5001
|
addr: localhost:5001
|
||||||
headers:
|
headers:
|
||||||
|
@ -914,11 +916,12 @@ TLS certificates provided by
|
||||||
> ensure that you have the `ca-certificates` package installed in order to verify
|
> ensure that you have the `ca-certificates` package installed in order to verify
|
||||||
> letsencrypt certificates.
|
> letsencrypt certificates.
|
||||||
|
|
||||||
| Parameter | Required | Description |
|
| Parameter | Required | Description |
|
||||||
|-----------|----------|-------------------------------------------------------|
|
|----------------|----------|-----------------------------------------------------------------------|
|
||||||
| `cachefile` | yes | Absolute path to a file where the Let's Encrypt agent can cache data. |
|
| `cachefile` | yes | Absolute path to a file where the Let's Encrypt agent can cache data. |
|
||||||
| `email` | yes | The email address used to register with Let's Encrypt. |
|
| `email` | yes | The email address used to register with Let's Encrypt. |
|
||||||
| `hosts` | no | The hostnames allowed for Let's Encrypt certificates. |
|
| `hosts` | no | The hostnames allowed for Let's Encrypt certificates. |
|
||||||
|
| `directoryurl` | no | The url to use for the ACME server. |
|
||||||
|
|
||||||
### `debug`
|
### `debug`
|
||||||
|
|
||||||
|
|
|
@ -188,6 +188,14 @@ func getCipherSuiteNames(ids []uint16) []string {
|
||||||
return names
|
return names
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// set ACME-server/DirectoryURL, if provided
|
||||||
|
func setDirectoryURL(directoryurl string) *acme.Client {
|
||||||
|
if len(directoryurl) > 0 {
|
||||||
|
return &acme.Client{DirectoryURL: directoryurl}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// ListenAndServe runs the registry's HTTP server.
|
// ListenAndServe runs the registry's HTTP server.
|
||||||
func (registry *Registry) ListenAndServe() error {
|
func (registry *Registry) ListenAndServe() error {
|
||||||
config := registry.config
|
config := registry.config
|
||||||
|
@ -236,6 +244,7 @@ func (registry *Registry) ListenAndServe() error {
|
||||||
Cache: autocert.DirCache(config.HTTP.TLS.LetsEncrypt.CacheFile),
|
Cache: autocert.DirCache(config.HTTP.TLS.LetsEncrypt.CacheFile),
|
||||||
Email: config.HTTP.TLS.LetsEncrypt.Email,
|
Email: config.HTTP.TLS.LetsEncrypt.Email,
|
||||||
Prompt: autocert.AcceptTOS,
|
Prompt: autocert.AcceptTOS,
|
||||||
|
Client: setDirectoryURL(config.HTTP.TLS.LetsEncrypt.DirectoryURL),
|
||||||
}
|
}
|
||||||
tlsConf.GetCertificate = m.GetCertificate
|
tlsConf.GetCertificate = m.GetCertificate
|
||||||
tlsConf.NextProtos = append(tlsConf.NextProtos, acme.ALPNProto)
|
tlsConf.NextProtos = append(tlsConf.NextProtos, acme.ALPNProto)
|
||||||
|
|