
Automatically set up certificate from Let's Encrypt
Closed, Resolved (Public)

Description

Overview

Make it easy for users to set up a secure site by automatically getting a certificate from Let's Encrypt.

Implementation

Use something like lego. See comments below.

If a user chooses Production, standalone and Secure during the setup process, before asking for the certificate / key paths, ask if the user wants to get a new certificate from Let's Encrypt. If so, do it -- if not, prompt for certificate / key paths.

If a user chooses Production, standalone, the "Web server mode" prompt should have the options:

  • Insecure (port 80)
  • Secure (port 443), manual
  • Secure (port 443), automated

The [server] config section should have a new bool indicating we should use autocert to serve the application instead of the standard server. Something like:

Autocert bool `ini:"autocert"`

If that's true, use the autocert pkg to handle requests.

Event Timeline

matt created this task. Nov 22 2018, 3:32 PM
matt created this object with visibility "Public (No Login Required)".
matt added a comment. Dec 14 2018, 2:22 PM

Need a little time to read into the "magic" that happens in this library, but certmagic might be the easiest way to implement this.

matt moved this task from v1.0 to Far Future on the WriteFreely board. Dec 22 2018, 3:56 PM
matt edited projects, added WriteFreely; removed WriteFreely (v1.0).
matt added a comment. Feb 4 2019, 10:30 PM

From certmagic:

Before using this library, your domain names MUST be pointed (A/AAAA records) at your server (unless you use the DNS challenge)!

I could see this being an obstacle to implementing this. Especially if we have to differentiate between dev and prod for whether or not to do the automagic stuff, this might end up making installation too much of a pain.
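A setup-time preflight for the certmagic requirement quoted in the comment above, as an added example that is not WriteFreely, certmagic or autocert code. `CheckDomain`, `Preflight`, the stub resolver and the documentation-range addresses are assumptions of this example, as is the strict policy of refusing when any record points at another host.

```go
package main

import (
	"fmt"
	"net"
)

// Preflight is the outcome of checking a hostname before offering the
// "Secure (port 443), automated" option during setup.
type Preflight struct {
	Ready  bool     // true only if every resolved address is ours
	Stray  []net.IP // resolved addresses that belong to some other host
	Reason string
}

// CheckDomain compares host's A/AAAA records with the server's addresses.
// Hypothetical helper: pass net.LookupIP as lookup in real use.
func CheckDomain(host string, own []net.IP, lookup func(string) ([]net.IP, error)) Preflight {
	ips, err := lookup(host)
	if err != nil {
		return Preflight{Reason: "lookup failed: " + err.Error()}
	}
	p, matched := Preflight{}, 0
	for _, ip := range ips {
		mine := false
		for _, o := range own {
			mine = mine || o.Equal(ip) // Equal matches 4- and 16-byte IPv4 forms
		}
		if mine {
			matched++
		} else {
			p.Stray = append(p.Stray, ip)
		}
	}
	switch {
	case matched == 0:
		p.Reason = "no A/AAAA record points at this server"
	case len(p.Stray) > 0:
		p.Reason = "some records point at another host"
	default:
		p.Ready, p.Reason = true, "all records point at this server"
	}
	return p
}

func main() {
	// Constructed sample: resolver stub and documentation-range addresses.
	stub := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("203.0.113.10")}, nil }
	fmt.Println(CheckDomain("blog.example.com", []net.IP{net.ParseIP("203.0.113.10")}, stub))
}
```

When `Ready` is false, setup can fall back to prompting for certificate / key paths and show `Reason` to the user.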

matt moved this task from Far Future to Next Release on the WriteFreely board. Jul 2 2019, 2:45 PM

We're using the autocert library with #write.as_for_teams / rWFMT, and it works really well. Since it's already battle-tested there, I'd say we go with that.

matt updated the task description. Jul 2 2019, 4:20 PM
matt changed the edit policy from "Restricted Project (Project)" to "All Users".
matt claimed this task. Jul 21 2019, 12:49 AM