Page MenuHomeMusing Studio
Create Task
Maniphest T542

Automatically set up certificate from Let's Encrypt
Closed, ResolvedPublic
Actions

Description

Overview

Make it easy for users to set up a secure site by automatically getting a certificate from Let's Encrypt.

Implementation

Use something like lego. See comments below.

If a user chooses Production, standalone and Secure during the setup process, before asking for the certificate / key paths, ask if the user wants to get a new certificate from Let's Encrypt. If so, do it -- if not, prompt for certificate / key paths.

If a user chooses Production, standalone, the "Web server mode" prompt should have the options:

  • Insecure (port 80)
  • Secure (port 443), manual
  • Secure (port 443), automated

The [server] config section should have a new bool indicating we should use autocert to serve the application instead of the standard server. Something like:

Autocert bool `ini:"autocert"`

If that's true, use the autocert pkg to handle requests.

Revisions and Commits

rWF WriteFreely
rWF3321c750acc7 Merge pull request #142 from writeas/autocert
rWF1f7a0f0122f3 Add option for automated cert in config process
rWF3346e735d389 Fix autocert insecure server redirect
rWF42386beabca2 Fix autocert HostPolicy
rWF36fb7ecb2b6f Support automatically generated certificates

Related Objects
Search...

Event Timeline

matt created this task.Nov 22 2018, 3:32 PM
matt created this object with visibility "Public (No Login Required)".
matt added a subtask: T537: Work as a standalone server.
matt added a comment.Dec 14 2018, 2:22 PM

Need a little time to read into the "magic" that happens in this library, but certmagic might be the easiest way to implement this.

matt moved this task from v1.0 to Backlog on the WriteFreely board.Dec 22 2018, 3:56 PM
matt edited projects, added WriteFreely; removed WriteFreely (v1.0).
matt added a comment.Feb 4 2019, 10:30 PM

From certmagic:

Before using this library, your domain names MUST be pointed (A/AAAA records) at your server (unless you use the DNS challenge)!

I could see this being an obstacle to implementing this. Especially if we have to differentiate between dev and prod for whether or not to do the automagic stuff, this might end up making installation too much of a pain.

matt added a parent task: T564: Simplified application install.Feb 27 2019, 10:39 AM
matt moved this task from Backlog to Next Release on the WriteFreely board.Jul 2 2019, 2:45 PM

We're using the autocert library with #write.as_for_teams / rWFMT, and it works really well. Since it's already battle-tested there, I'd say we go with that.

matt updated the task description. (Show Details)Jul 2 2019, 4:20 PM
matt changed the edit policy from "Restricted Project (Project)" to "All Users".
matt claimed this task.Jul 21 2019, 12:49 AM
matt added a commit: rWF36fb7ecb2b6f: Support automatically generated certificates.Jul 21 2019, 12:54 AM
matt added a commit: rWF42386beabca2: Fix autocert HostPolicy.Jul 21 2019, 1:48 AM
matt added a commit: rWF3346e735d389: Fix autocert insecure server redirect.
matt added a commit: rWF1f7a0f0122f3: Add option for automated cert in config process.
GitHub <noreply@github.com> closed this task as Resolved by committing rWF3321c750acc7: Merge pull request #142 from writeas/autocert.Aug 2 2019, 3:12 AM
GitHub <noreply@github.com> added a commit: rWF3321c750acc7: Merge pull request #142 from writeas/autocert.
musing studio · developers