Changed to passing a Domain object, hardened the lints and update the readme.md

[bsutton]

This is what I've done.
See what you think.

[codecov]

Codecov Report

Attention: 196 lines in your changes are missing coverage. Please review.

Comparison is base (39d0dc2) 35.19% compared to head (60b43ed) 35.00%.

Files	Patch %	Lines
lib/src/letsencrypt.dart	22.50%	93 Missing ⚠️
lib/src/certificates_handler_io.dart	63.55%	43 Missing ⚠️
lib/src/certs_handler.dart	19.35%	25 Missing ⚠️
lib/src/logging.dart	57.14%	9 Missing ⚠️
lib/src/domain_certificate_file_path.dart	0.00%	8 Missing ⚠️
lib/src/security_context_builder.dart	0.00%	7 Missing ⚠️
lib/src/domain.dart	33.33%	6 Missing ⚠️
lib/src/check_certificate_status.dart	0.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master       #6      +/-   ##
==========================================
- Coverage   35.19%   35.00%   -0.20%     
==========================================
  Files           2        9       +7     
  Lines         429      440      +11     
==========================================
+ Hits          151      154       +3     
- Misses        278      286       +8     

Flag	Coverage Δ
unittests	35.00% <39.50%> (-0.20%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[gmpassos]

Let's upgrade to:

lints: ^3.0.0

[bsutton]

As requested I've move to lints 3.x

[gmpassos]

Let's bump the version to 1.3.0

[bsutton]

I now have a secure server up and running using the new code :)

[bsutton]

I think this is now ready to be merged unless you have any specific issues.

The key point is the breaking change to startServer

[gmpassos]

Please, check if any dependency need to be updated:

acme_client: ^1.3.0

[gmpassos]

Hi, I will check this PR this week. Do you have any update to it?

[bsutton]

No I'm done.

…

On Tue, 23 Jan 2024, 9:01 am Graciliano Monteiro Passos, < ***@***.***> wrote: Hi, I will check this PR this week. Do you have any update to it? — Reply to this email directly, view it on GitHub <#6 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAG32OEHWY5CYLFMX7QJZNDYP3OT7AVCNFSM6AAAAABAMNOSE2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBUHEYDAMBQGQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[gmpassos]

Also add a documentation for setcap to avoid execution as root:

Enabling the dart VM:

sudo setcap 'cap_net_bind_service=+ep' /usr/lib/dart/bin/dart

Enabling a self-executable (from dart compile exe your_tool.dart):

sudo setcap 'cap_net_bind_service=+ep' your_tool.exe

[bsutton]

FWIW: I use the dcli package to do this (I'm the author). ``` import 'package:dcli/dcli.dart'; void main() { final shell = Shell.current; if (!shell.isPriviliegedProcess()) { print('you must run as root)'; exit(1); } /// stop executing as sudo shell.releasePrivileges(); shell.withPrivilige(() { // execute code that requires root }); ```

…

On Wed, Jan 24, 2024 at 8:37 AM Graciliano Monteiro Passos < ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In README.md <#6 (comment)> : > +certificate. + + +You do this by passing in 'production: false' (the default) when creating +the LetsEncrypt certificate. +Staging certificates still have rate limits but they are much more generours + +```dart +final LetsEncrypt letsEncrypt = LetsEncrypt(certificatesHandler, production: false); +``` + + +## Permissions +On Linux you need to be root (sudo) to open a port below 1024. If you try +to start your server with the default ports (80, 443) you will fail. + Also add a documentation for setcap to avoid execution as root: Enabling the dart VM: sudo setcap 'cap_net_bind_service=+ep' /usr/lib/dart/bin/dart Enabling a self-executable (from dart compile exe your_tool.dart): sudo setcap 'cap_net_bind_service=+ep' your_tool.exe — Reply to this email directly, view it on GitHub <#6 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAG32ODLOFBPMV27STFJCJLYQAUSHAVCNFSM6AAAAABAMNOSE2VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTQMZZHE3TIMRSHE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[gmpassos]

Nice package!

I usually avoid running server processes as root due to security risks. I recommend using setcap on the binary to enable the server to listen on low ports. I don't think we should advise executing server processes as root.

[bsutton]

Fair enough.

…

On Thu, 25 Jan 2024, 6:58 am Graciliano Monteiro Passos, < ***@***.***> wrote: Nice package! I usually avoid running server processes as root due to security risks. I recommend using setcap on the binary to enable the server to listen on low ports. I don't think we should advise executing server processes as root. — Reply to this email directly, view it on GitHub <#6 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAG32OB4762HTIUVYX2Y62TYQFRXTAVCNFSM6AAAAABAMNOSE2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBYHAZDIMZUGE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[gmpassos]

FYI:

Preparing release and testing it in real projects:
#12