Run on plaintext HTTP to support Cloud Run

authority/config/config.go

@@ -227,9 +227,11 @@ func (c *Config) Validate() error {
 	}
 
 	// Validate address (a port is required)
+	if c.Address != "" {
 		if _, _, err := net.SplitHostPort(c.Address); err != nil {
 			return errors.Errorf("invalid address %s", c.Address)
 		}
+	}
 
 	if c.TLS == nil {
 		c.TLS = &DefaultTLSOptions

ca/ca.go

@@ -238,13 +238,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, errors.Wrap(err, "error creating SCEP authority")
 		}
 
-		// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
-		// SCEP operations are performed using HTTP, so that's why the API is mounted
-		// to the insecure mux.
-		insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
-			scepAPI.Route(r)
-		})
-
 		// The RFC also mentions usage of HTTPS, but seems to advise
 		// against it, because of potential interoperability issues.
 		// Currently I think it's not bad to use HTTPS also, so that's
@@ -266,7 +259,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = m.Middleware(handler)
-		insecureHandler = m.Middleware(insecureHandler)
 	}
 
 	// Add logger if configured
@@ -276,25 +268,24 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = logger.Middleware(handler)
-		insecureHandler = logger.Middleware(insecureHandler)
 	}
 
 	// Create context with all the necessary values.
 	baseContext := buildContext(auth, scepAuthority, acmeDB, acmeLinker)
 
+	if cfg.Address != "" {
 		ca.srv = server.New(cfg.Address, handler, tlsConfig)
 		ca.srv.BaseContext = func(net.Listener) context.Context {
 			return baseContext
 		}
+	}
 
-	// only start the insecure server if the insecure address is configured
+	if cfg.InsecureAddress != "" {
-	// and, currently, also only when it should serve SCEP endpoints.
-	if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
 		// TODO: instead opt for having a single server.Server but two
 		// http.Servers handling the HTTP and HTTPS handler? The latter
 		// will probably introduce more complexity in terms of graceful
 		// reload.
-		ca.insecureSrv = server.New(cfg.InsecureAddress, insecureHandler, nil)
+		ca.insecureSrv = server.New(cfg.InsecureAddress, handler, nil)
 		ca.insecureSrv.BaseContext = func(net.Listener) context.Context {
 			return baseContext
 		}
@@ -335,11 +326,13 @@ func (ca *CA) Run() error {
 			log.Printf("Current context: %s", step.Contexts().GetCurrent().Name)
 		}
 		log.Printf("Config file: %s", ca.opts.configFile)
+		if ca.config.Address != "" {
 			baseURL := fmt.Sprintf("https://%s%s",
 				authorityInfo.DNSNames[0],
 				ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
 			log.Printf("The primary server URL is %s", baseURL)
 			log.Printf("Root certificates are available at %s/roots.pem", baseURL)
+		}
 		if len(authorityInfo.DNSNames) > 1 {
 			log.Printf("Additional configured hostnames: %s",
 				strings.Join(authorityInfo.DNSNames[1:], ", "))
@@ -363,11 +356,13 @@ func (ca *CA) Run() error {
 		}()
 	}
 
+	if ca.srv != nil {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
 			errs <- ca.srv.ListenAndServe()
 		}()
+	}
 
 	// wait till error occurs; ensures the servers keep listening
 	err := <-errs