LetsEncrypt certs with Go

polaris · 1015 views
I implemented a package that will reload SSL once it is updated on disk. It is good for LetsEncrypt certs that might be automatically updated monthly.

Sample code:

```go
package main

import (
	"log"
	"time"

	"github.com/CossackPyra/pyrahttp"
)

func main() {
	// log.Println(http.ListenAndServeTLS(":7544",
	//     "/home/user/cert/game01.example.com/fullchain.pem",
	//     "/home/user/cert/game01.example.com/privkey.pem", nil))
	for {
		log.Println(pyrahttp.ListenAndServeLetsEncrypt(":7544",
			"/home/user/cert/game01.example.com/fullchain.pem",
			"/home/user/cert/game01.example.com/privkey.pem", nil))
		time.Sleep(time.Second * 5)
	}
}
```

My code is based on code from hydrogen18 (http://www.hydrogen18.com/blog/stop-listening-http-server-go.html) and the net/http package.

```
go get -u github.com/CossackPyra/pyrahttp
```

---

**Comments:**

mwholt: An easier and safer way to do this would simply be to use the GetCertificate callback (https://golang.org/pkg/crypto/tls/#Config) to cache the certificate and load the new one once its mod time/expiration time changes.

threemux: Would you consider doing a short blog post or gist on this? I know I'd be interested in seeing the approach.

mwholt: Sure, I'm almost done implementing it into Caddy, so when that is done I can get around to it.

threemux: Awesome - thanks!

bkeroack: It's not clear whether that's called for every request (which would be horrible in terms of performance), or only once when first calling ListenAndServe(). The latter case is not useful because you still have to restart the server when the certificate changes.

mwholt:

> It's not clear whether that's called for every request ... or only once when first calling ListenAndServe()

Neither; it's per-handshake.

> (which would be horrible in terms of performance)

Why? If you don't write a GetCertificate function, Go uses its own which even includes looping over mutations of the hostname. It's not "horrible" - just write reasonable code.

bkeroack: You're right. I should have written "could be horrible if you aren't careful".

bkeroack: http://www.hydrogen18.com/blog/stop-listening-http-server-go.html

That is a great blog post. Exactly what I was looking for when trying to figure out how to change certificates dynamically without restarting the application.

pyratzu: The "for loop" is not required. pyrahttp.ListenAndServeLetsEncrypt will return an error if an invalid certificate is provided. If you provide a valid certificate then it will reload without looping through the "for loop".
