forked from TrueCloudLab/certificates
Run on plaintext HTTP to support Cloud Run
This commit is contained in:
parent
860baeb1c5
commit
09b9673a60
3 changed files with 25 additions and 46 deletions
|
@ -200,8 +200,6 @@ func (c *Config) Save(filename string) error {
|
|||
// Validate validates the configuration.
|
||||
func (c *Config) Validate() error {
|
||||
switch {
|
||||
case c.Address == "":
|
||||
return errors.New("address cannot be empty")
|
||||
case len(c.DNSNames) == 0:
|
||||
return errors.New("dnsNames cannot be empty")
|
||||
case c.AuthorityConfig == nil:
|
||||
|
@ -223,9 +221,11 @@ func (c *Config) Validate() error {
|
|||
}
|
||||
|
||||
// Validate address (a port is required)
|
||||
if c.Address != "" {
|
||||
if _, _, err := net.SplitHostPort(c.Address); err != nil {
|
||||
return errors.Errorf("invalid address %s", c.Address)
|
||||
}
|
||||
}
|
||||
|
||||
if c.TLS == nil {
|
||||
c.TLS = &DefaultTLSOptions
|
||||
|
|
|
@ -38,19 +38,6 @@ func TestConfigValidate(t *testing.T) {
|
|||
tls TLSOptions
|
||||
}
|
||||
tests := map[string]func(*testing.T) ConfigValidateTest{
|
||||
"empty-address": func(t *testing.T) ConfigValidateTest {
|
||||
return ConfigValidateTest{
|
||||
config: &Config{
|
||||
Root: []string{"../testdata/secrets/root_ca.crt"},
|
||||
IntermediateCert: "../testdata/secrets/intermediate_ca.crt",
|
||||
IntermediateKey: "../testdata/secrets/intermediate_ca_key",
|
||||
DNSNames: []string{"test.smallstep.com"},
|
||||
Password: "pass",
|
||||
AuthorityConfig: ac,
|
||||
},
|
||||
err: errors.New("address cannot be empty"),
|
||||
}
|
||||
},
|
||||
"invalid-address": func(t *testing.T) ConfigValidateTest {
|
||||
return ConfigValidateTest{
|
||||
config: &Config{
|
||||
|
|
24
ca/ca.go
24
ca/ca.go
|
@ -169,9 +169,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
|
|||
mux := chi.NewRouter()
|
||||
handler := http.Handler(mux)
|
||||
|
||||
insecureMux := chi.NewRouter()
|
||||
insecureHandler := http.Handler(insecureMux)
|
||||
|
||||
// Add regular CA api endpoints in / and /1.0
|
||||
api.Route(mux)
|
||||
mux.Route("/1.0", func(r chi.Router) {
|
||||
|
@ -232,13 +229,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
|
|||
return nil, errors.Wrap(err, "error creating SCEP authority")
|
||||
}
|
||||
|
||||
// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
|
||||
// SCEP operations are performed using HTTP, so that's why the API is mounted
|
||||
// to the insecure mux.
|
||||
insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
|
||||
scepAPI.Route(r)
|
||||
})
|
||||
|
||||
// The RFC also mentions usage of HTTPS, but seems to advise
|
||||
// against it, because of potential interoperability issues.
|
||||
// Currently I think it's not bad to use HTTPS also, so that's
|
||||
|
@ -260,7 +250,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
|
|||
return nil, err
|
||||
}
|
||||
handler = m.Middleware(handler)
|
||||
insecureHandler = m.Middleware(insecureHandler)
|
||||
}
|
||||
|
||||
// Add logger if configured
|
||||
|
@ -270,25 +259,24 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
|
|||
return nil, err
|
||||
}
|
||||
handler = logger.Middleware(handler)
|
||||
insecureHandler = logger.Middleware(insecureHandler)
|
||||
}
|
||||
|
||||
// Create context with all the necessary values.
|
||||
baseContext := buildContext(auth, scepAuthority, acmeDB, acmeLinker)
|
||||
|
||||
if cfg.Address != "" {
|
||||
ca.srv = server.New(cfg.Address, handler, tlsConfig)
|
||||
ca.srv.BaseContext = func(net.Listener) context.Context {
|
||||
return baseContext
|
||||
}
|
||||
}
|
||||
|
||||
// only start the insecure server if the insecure address is configured
|
||||
// and, currently, also only when it should serve SCEP endpoints.
|
||||
if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
|
||||
if cfg.InsecureAddress != "" {
|
||||
// TODO: instead opt for having a single server.Server but two
|
||||
// http.Servers handling the HTTP and HTTPS handler? The latter
|
||||
// will probably introduce more complexity in terms of graceful
|
||||
// reload.
|
||||
ca.insecureSrv = server.New(cfg.InsecureAddress, insecureHandler, nil)
|
||||
ca.insecureSrv = server.New(cfg.InsecureAddress, handler, nil)
|
||||
ca.insecureSrv.BaseContext = func(net.Listener) context.Context {
|
||||
return baseContext
|
||||
}
|
||||
|
@ -329,11 +317,13 @@ func (ca *CA) Run() error {
|
|||
log.Printf("Current context: %s", step.Contexts().GetCurrent().Name)
|
||||
}
|
||||
log.Printf("Config file: %s", ca.opts.configFile)
|
||||
if ca.config.Address != "" {
|
||||
baseURL := fmt.Sprintf("https://%s%s",
|
||||
authorityInfo.DNSNames[0],
|
||||
ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
|
||||
log.Printf("The primary server URL is %s", baseURL)
|
||||
log.Printf("Root certificates are available at %s/roots.pem", baseURL)
|
||||
}
|
||||
if len(authorityInfo.DNSNames) > 1 {
|
||||
log.Printf("Additional configured hostnames: %s",
|
||||
strings.Join(authorityInfo.DNSNames[1:], ", "))
|
||||
|
@ -357,11 +347,13 @@ func (ca *CA) Run() error {
|
|||
}()
|
||||
}
|
||||
|
||||
if ca.srv != nil {
|
||||
wg.Add(1)
|
||||
go func() {
|
||||
defer wg.Done()
|
||||
errs <- ca.srv.ListenAndServe()
|
||||
}()
|
||||
}
|
||||
|
||||
// wait till error occurs; ensures the servers keep listening
|
||||
err := <-errs
|
||||
|
|
Loading…
Reference in a new issue