New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updating the toml to include ACME related entries. #49
Conversation
cc: @twifkak |
server/tomlconfig/config.go
Outdated
@@ -29,6 +29,7 @@ type Config struct { | |||
Listen ListenConfig | |||
Server ServerConfig | |||
SXG SXGConfig | |||
ACME SXGACMEConfig |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you want it to be [SXG.ACME]
, you should define it in SXGConfig
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
# ACME is a protocol that allows for automatic renewal of certificates. | ||
# Web Packager HTTP server uses an ACME library https://github.com/go-acme/lego | ||
# to handle certificate renewal. Automatic certificate renewal is enabled | ||
# in Web Packager HTTP server via the 'autorenewcert' flag. Turning the flag on |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm against having a command line flag for this purpose. That way the config gets scattered into two places, namely the toml config and the startup command.
Consider, for example, adding an Enable
parameter. Another approach is to enable ACME when one (or more) of the challenges are set correctly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added an explicit field in the TOML to indicate enabling cert auto renewal. I don't like the implicit setting of a parameter based on other parameters, I think that is not the right path.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please update this paragraph too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# Web Packager HTTP server uses an ACME library https://github.com/go-acme/lego | ||
# to handle certificate renewal. Automatic certificate renewal is enabled | ||
# in Web Packager HTTP server via the 'autorenewcert' flag. Turning the flag on | ||
# will enable AMP Packager to automatically request certificate renewals |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not AMP Packager.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated all instances to Web Packager.
# whenever it has determined that the current certificate is expired or about to | ||
# expire. | ||
# | ||
# SXG.ACME only needs to be present in the toml file if 'autorenewcert' command |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will it be true, especially given you're working to add support for multi-cert cache (#48)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this will still be true. I think we can set the default to SingleCertDiskCache is they don't want to autorenew certs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we are going to add support for multi-cert cache either way, I still don't think multi-instance setup is the "best practice."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So multi-cert cache and multi-instance of webpackager solve different problems. The first solves keeping unexpired certs for the webpackager instance. The second assigns only one instance for certificate renewal (and other webpackager instances will be consumers). This way, if there are multiple instances of the webpackager running, not all of them will be requesting certs from ACME server.
@@ -132,6 +132,28 @@ func (c *SXGCertConfig) verify() error { | |||
return errs.ErrorOrNil() | |||
} | |||
|
|||
func (c *SXGACMEConfig) verify() error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This method doesn't look to be called.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
server/tomlconfig/config.go
Outdated
@@ -72,6 +73,42 @@ type SXGCertConfig struct { | |||
AllowTestCert bool | |||
} | |||
|
|||
// SXGACMEConfig represents the [SXG.ACME] section. | |||
type SXGACMEConfig struct { | |||
// DiscoveryURL is the Discovery Resource URL provided by the Certificate |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider removing GoDoc for these fields. In general we should have a GoDoc for each exposed field, but in this particular case we want to avoid duplicate with the example toml. It's also confusing these comments state "See Port Usage above" but this go module doesn't have the "Port Usage" section.
The GoDoc for Config
has a mention to the example toml.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
server/tomlconfig/verify.go
Outdated
if c.Email == "" { | ||
errs = multierror.Append(errs, wrapError("Email", errEmpty)) | ||
} | ||
if c.HTTPWebRootDir == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does the user need to specify all these three parameters?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, good catch. Fixed the logic.
|
||
# This is the email address you used to create an account with the Certificate | ||
# Authority that is registered to request signed exchange certificates. | ||
Email = "user@company.com" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@example.com
is a much safer choice here. company.com
is a domain in real use.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# Certificate Authority that doles out the certificates. Currently, the only | ||
# CA that supports automatic signed exchange cert renewals is DigiCert: | ||
# https://docs.digicert.com/certificate-tools/acme-user-guide/acme-directory-urls-signed-http-exchange-certificates/ | ||
DiscoveryURL = "https://production-acme.discovery.url/" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consistency: Use single quotes for plain strings.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
# fulfill the DNS challenge: https://go-acme.github.io/lego/dns/ | ||
# To use this, build amppkg with `go build -tags dns01`; it is disabled by | ||
# default because it bloats the binary. | ||
#DnsProvider = "gcloud" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This config file states at the beginning: "Commented out lines show the default value for each parameter." It doesn't seem you've set the default value in the code though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed, DNSProvider should default to empty string.
@@ -211,7 +290,7 @@ | |||
|
|||
# The domain to limit signed URLs to, case-insensitive. The certificate is | |||
# supposed to cover this domain. Required. | |||
Domain = 'example.org' | |||
Domain = 'example.com' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason to change the domain from org
to com
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reverted back to org
server/tomlconfig/verify.go
Outdated
|
||
if c.HTTPWebRootDir == "" && c.HTTPChallengePort == 0 && | ||
c.TLSChallengePort == 0 && c.DNSProvider == "" { | ||
errs = multierror.Append(errs, wrapError("at least one of HTTPWebRootDir, HTTPChallengePort, TLSChallengePort or DNSProvider has to be non-empty", errEmpty)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-
Should there be exactly one of these config parameters, or is it meaningful to set more than one parameter?
-
The first argument of
wrapError
is meant to be the parameter names, so it should be something likeone of {HTTP..., HTTP..., TLS..., DNS...}
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It isn't required to have exactly one parameter. They can all be set and it's up to the library to decide which method to use and to use the other settings as backup.
The first argument of wrapError is meant to be the parameter names, so it should be something like one of {HTTP..., HTTP..., TLS..., DNS...}.
So I'm not sure how this would work when we are generating the error because none of these parameters have values. Do I pass in all the parameter names with empty values to wrapError, is that what you mean?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you get it mostly right, I meant the first argument of wrapError
should look like a parameter name (a list of parameter names in this case) rather than a sentence. With another thought, I suggest:
newError(
"HTTPWebRootDir, HTTPChallengePort, TLSChallengePort, DNSProvider",
"at least one of these parameters must be non-empty",
)
Technically the parameter name(s) are just printed as part of error messages (Code).
It isn't required to have exactly one parameter. They can all be set and it's up to the library to decide which method to use and to use the other settings as backup.
This makes sense, but it's worth mentioned in the example toml.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# IMPORTANT NOTE: the support of the ACME protocol and automatic renewal of | ||
# certificates is currently in the EXPERIMENTAL stage. Once we have more | ||
# experience with people using it out in the wild, we will gradually move it to | ||
# PRODUCTION mode. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"... to the PRODUCTION stage"?
s/to/to the/, s/mode/stage/.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# experience with people using it out in the wild, we will gradually move it to | ||
# PRODUCTION mode. | ||
# | ||
# ACME is a protocol that allows for automatic renewal of certificates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/allows for/allows/ ― "for" is not needed when "allow" is used to mean "enable."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# PRODUCTION mode. | ||
# | ||
# ACME is a protocol that allows for automatic renewal of certificates. | ||
# Web Packager HTTP server uses an ACME library https://github.com/go-acme/lego |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"... uses the ACME library from github.com/go-acme/lego"
s/a/the/, add "from", (optionally) remove "https://".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# https://medium.com/@dipeshwagle/add-https-using-lets-encrypt-to-nginx-configured-as-a-reverse-proxy-on-ubuntu-b4455a729176 | ||
HTTPChallengePort = 5002 | ||
|
||
# This is the port used by Web packager to respond to the TLS challenge issued |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/packager/Packager/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# For the DNS challenge, go-acme/lego, there are certain environment variables | ||
# that need to be set up which depends on the DNS provider that you use to | ||
# fulfill the DNS challenge: https://go-acme.github.io/lego/dns/ | ||
# To use this, build amppkg with `go build -tags dns01`; it is disabled by |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This config is not for amppkg
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# This is the ACME discovery URL that is used for ACME http requests to the | ||
# Certificate Authority that doles out the certificates. Currently, the only | ||
# CA that supports automatic signed exchange cert renewals is DigiCert: | ||
# https://docs.digicert.com/certificate-tools/acme-user-guide/acme-directory-urls-signed-http-exchange-certificates/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe mention "Required when ACME is enabled." (see: Cert.PEMFile
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see "Required when ACME is enabled." or anything similar, even in the latest commit. I guess you pushed a wrong thing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's weird, not sure what happened. Fixed now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry but I can't tell what is updated...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think what happened is that you suggested to add "Required when ACME is enabled" then you said I should not add it to the "Enable = false" field, so I removed it. It was added to the other fields below though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops, sorry, I made this comment at a wrong place.
# Certificate Authority that doles out the certificates. Currently, the only | ||
# CA that supports automatic signed exchange cert renewals is DigiCert: | ||
# https://docs.digicert.com/certificate-tools/acme-user-guide/acme-directory-urls-signed-http-exchange-certificates/ | ||
DiscoveryURL = 'https://production-acme.discovery.url/' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use some invalid value? So that verify
would raise an error when the user forgets to set this parameter properly (rather than waiting for the server failing the first attempt of ACME request).
e.g. DiscoveryURL = '<Your Discovery URL>'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
production-acme is an invalid URL but I get your point. Replaced.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same: I don't see the url replaced.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
# different challenges employed as part of the ACME protocol: | ||
# https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#identifier-validation-challenges | ||
# https://letsencrypt.org/docs/challenge-types/ | ||
# https://certbot.eff.org/docs/challenges.html?highlight=http |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove ?hightlight=http
? I don't see good reason to highlight "http" in the document.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was about to send some comments but made a mistake to get them lost. I'll do the review again next week. Sorry for inconvenience.
[SXG.ACME] | ||
# This field enables Web Packager to attempt to auto renew certificates using | ||
# ACME. Required when ACME is enabled. | ||
#Enable=false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Spaces around the equal sign.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Also set the value to be true because it's already false by default.
# For the full ACME spec, see: | ||
# https://tools.ietf.org/html/rfc8555 | ||
[SXG.ACME] | ||
# This field enables Web Packager to attempt to auto renew certificates using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/This field enables/Enable/ ― docs for bool params start with a verb phrase in this config.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# DNSProvider is a supported method of validation, the others cannot be used. | ||
# See below. | ||
|
||
# This is the http server root directory where the ACME http challenge token |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove "This is" ― docs for non-bool params start with a noun phrase. Same below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# expire. | ||
# | ||
# Note that a recommended best practice for setting up the cert renewal that | ||
# minimizes both cost and bombarding your Certificate Authority with requests is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Which "cost" does this approach minimize?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added explanation.
# whenever it has determined that the current certificate is expired or about to | ||
# expire. | ||
# | ||
# Note that a recommended best practice for setting up the cert renewal that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now I understand your standpoint. I found this paragraph hard for me to read correctly, to be honest, though. It's probably because of my limited English ability, but I'd like documentation to be easy to understand even for those less fluent in English than me.
The paragraph would become easier to read ("scan" or "skim" in particular) if it'd be written in the order of importance, starting from the most important part. In this case:
- The most important part is assumption ("setting up multiple instances"), because the rest of this paragraph is irrelevant if the user is setting up just a single instance.
- The recommended practice ("only one instance does cert renewals") comes next.
- The reason ("minimizes both cost and bombarding CA") is still very important, as it helps with deeper understanding, but what comes before why.
- The implication ("the certificate on a shared filesystem") can be a subtle trap thus should be mentioned clearly, but it is relatively obvious to experienced admins so can come to the last.
Here's my attempt: "If you set up more than one instance of webpkgserver, the recommended practice is to have only one instance handle automatic certificate renewals and let other instances reload the fresh certificate from the disk. It minimizes the cost [of what?] and prevents the webpkgserver instances from bombarding your Certificate Authority with certificate requests. Note this setup requires you to locate the certificate file on a shared filesystem accessible by all webpkgserver instances."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Merged your description with my changes above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# experience with people using it out in the wild, we will gradually move it to | ||
# the PRODUCTION stage. | ||
# | ||
# ACME is a protocol that allows automatic renewal of certificates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The paragraph should start with a sentence to indicate "this section is meant for ACME config," then explain ACME protocol. Otherwise the reader might get confused as they see the ACME protocol explained suddenly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# For the DNS challenge, go-acme/lego, there are certain environment variables | ||
# that need to be set up which depends on the DNS provider that you use to | ||
# fulfill the DNS challenge: https://go-acme.github.io/lego/dns/ | ||
# To use this, build webpkgserver with `go build -tags dns01`; it is disabled |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not obvious to anyone new to webpkgserver, so I suggest putting it right after the lead sentence. Then "Note that you only need the DNS challenge setup" makes more sense to readers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rearranged.
return errs.ErrorOrNil() | ||
} | ||
|
||
if c.DiscoveryURL == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it okay to accept a relative url (an absolute path) though?
server/tomlconfig/verify.go
Outdated
|
||
if c.HTTPWebRootDir == "" && c.HTTPChallengePort == 0 && | ||
c.TLSChallengePort == 0 && c.DNSProvider == "" { | ||
errs = multierror.Append(errs, wrapError("at least one of HTTPWebRootDir, HTTPChallengePort, TLSChallengePort or DNSProvider has to be non-empty", errEmpty)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you get it mostly right, I meant the first argument of wrapError
should look like a parameter name (a list of parameter names in this case) rather than a sentence. With another thought, I suggest:
newError(
"HTTPWebRootDir, HTTPChallengePort, TLSChallengePort, DNSProvider",
"at least one of these parameters must be non-empty",
)
Technically the parameter name(s) are just printed as part of error messages (Code).
It isn't required to have exactly one parameter. They can all be set and it's up to the library to decide which method to use and to use the other settings as backup.
This makes sense, but it's worth mentioned in the example toml.
return errs.ErrorOrNil() | ||
} | ||
|
||
if c.DiscoveryURL == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me rephrase: I think we should reject relative urls thus verifyURL
isn't good enough.
# If you set up more than one instance of webpkgserver, the recommended practice | ||
# is to have only one instance handle automatic certificate renewals and let | ||
# other instances reload the fresh certificate from the disk. It minimizes the | ||
# cost (SXG certificates cost money and we don't need each webpackager instance |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for adding the explanation. It needs extra caution though. I presume it's not the case with DigiCert, but some providers allow purchased certificates to be installed only on a single (physical) machine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The purchased certificates will still be in a single physical drive, it's just mounted on the machines that needs the certs. I can mention that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-
I should have been a bit more clear, but "Some CAs allow certificates to be installed only on one machine" is just one example [*1]. Some other CAs may, for example, disallow certificates to be served from more than one machine.
-
Giving second thoughts, "minimize cost" is not really the point here. It depends on how CAs charge their clients. I guess that maybe DigiCert is charging for each certificate issued, but it's also possible to charge on a per-domain-per-year basis instead.
-
The real point is that this setup allows certificate sharing. "It allows certificates to be shared on all webpkgserver instances (which may help minimize the monetary cost, subject to Terms of Service set by your Certificate Authority) and prevents webpkgserver from bombarding your Certificate Authority with certificate requests."
[*1]: It was actually the case when I purchased a relatively cheap certificate ~15 years ago.
# For the full ACME spec, see: | ||
# https://tools.ietf.org/html/rfc8555 | ||
[SXG.ACME] | ||
# Enable enables Web Packager to attempt to auto renew certificates using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Enable enables/Enable/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
[SXG.ACME] | ||
# Enable enables Web Packager to attempt to auto renew certificates using | ||
# ACME. Required when ACME is enabled. | ||
#Enable = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, recall "Commented out lines show the default value for each parameter." at the top of this config file; the value needs to be false
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah yes, sorry forgot about that rule.
# https://tools.ietf.org/html/rfc8555 | ||
[SXG.ACME] | ||
# Enable enables Web Packager to attempt to auto renew certificates using | ||
# ACME. Required when ACME is enabled. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I meant adding "Required when ACME is enabled" to DiscoveryURL
(and maybe other parameters, such as Email
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missed this, done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This "Required when ACME is enabled." is not needed, possibly confusing to users. "ACME is enabled" means setting true to this param, essentially.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# of the ACME protocol. | ||
TLSChallengePort = 5003 | ||
|
||
# The DnsProvider to be used in fulfilling the ACME DNS challenge. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- s/DnsProvider/DNS provider/
- s/in/for/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@@ -202,6 +202,89 @@ | |||
# bytes for the OCSP response. | |||
#AllowTestCert = false | |||
|
|||
# IMPORTANT NOTE: the support of the ACME protocol and automatic renewal of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't forget to remove TODO at Line 4.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# experience with people using it out in the wild, we will gradually move it to | ||
# the PRODUCTION stage. | ||
# | ||
# This section is meant for ACME config, which allows the Web Packager to use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/This section is meant for ACME config/Configure ACME/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# experience with people using it out in the wild, we will gradually move it to | ||
# the PRODUCTION stage. | ||
# | ||
# This section is meant for ACME config, which allows the Web Packager to use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have used "webpkgserver" to reference the application elsewhere in this config file, so I prefer "webpkgserver" over "the Web Packager" or "Web Packager HTTP Server". I'm not saying "webpkgserver" is better or more correct; I just believe it's less confusing to readers if we use the same term consistently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# the PRODUCTION stage. | ||
# | ||
# This section is meant for ACME config, which allows the Web Packager to use | ||
# ACME to automatically renew Signed Exchange certificates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"to use ACME" doesn't look to give much information (because it's implied by "This section is meant for ACME config" or "Configure ACME").
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
f89a8b0
to
0e63a50
Compare
# Required when ACME is enabled. | ||
Email = 'user@example.com' | ||
|
||
# For the remaining configuration items, it's important to understand the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: s/it's/it is/ since we (maybe "I") removed apostrophes (replaced short forms). I thinK I've used long forms in this config file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# others cannot be used. See DNSProvider for more detail. | ||
|
||
# The http server root directory where the ACME http challenge token should | ||
# be deposited. Note that you may need to do some configuration work to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What kind of "configuration work" does the user need to do?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Configuration = setting one or more of the values in the toml.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you update the documentation here please?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry but I can't tell what is updated...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
" Note that you do not need to set the fields for all of these challenges. It
is typically sufficient to have a setting for just one of the challenges."
I used "set the fields" instead of "configure".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your answer, but I was asking about "some configuration work" on this line, as in "... be deposited. Note that you may need to do some configuration work to get this setup to work where ..."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed.
# If you set up more than one instance of webpkgserver, the recommended practice | ||
# is to have only one instance handle automatic certificate renewals and let | ||
# other instances reload the fresh certificate from the disk. It minimizes the | ||
# cost (SXG certificates cost money and we don't need each webpackager instance |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-
I should have been a bit more clear, but "Some CAs allow certificates to be installed only on one machine" is just one example [*1]. Some other CAs may, for example, disallow certificates to be served from more than one machine.
-
Giving second thoughts, "minimize cost" is not really the point here. It depends on how CAs charge their clients. I guess that maybe DigiCert is charging for each certificate issued, but it's also possible to charge on a per-domain-per-year basis instead.
-
The real point is that this setup allows certificate sharing. "It allows certificates to be shared on all webpkgserver instances (which may help minimize the monetary cost, subject to Terms of Service set by your Certificate Authority) and prevents webpkgserver from bombarding your Certificate Authority with certificate requests."
[*1]: It was actually the case when I purchased a relatively cheap certificate ~15 years ago.
# to have a separate SXG certificate) and prevents the webpkgserver instances | ||
# from bombarding your Certificate Authority with certificate requests. Note | ||
# this setup requires you to locate the certificate file on a shared filesystem | ||
# accessible by all webpkgserver instances. Also note that some Certificate |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Also note that ..." is possibly inaccurate and confusing (see my comment above), so I suggest a more general warning statement. My version above implies it by "subject to Terms of Service."
It's eventually the users' responsibility to use their purchased certificates (only) in a way allowed by their issuers. I just wanted to reduce the chance that users assume their certificates can be used on multiple machines just by reading our document, not consulting Terms of Service.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replaced the verbage with your suggestion.
|
||
# The port used by the webpkgserver to respond to the HTTP challenge | ||
# issued as part of ACME protocol. Note that if your setup only opens up | ||
# certain ports, you may need to do a configuration change where you forward |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here: what "configuration change" does webpkgserver require?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed it to refer to reverse proxy server configuration changes.
# The port used by the webpkgserver to respond to the HTTP challenge | ||
# issued as part of ACME protocol. Note that if your setup only opens up | ||
# certain ports, you may need to do a configuration change where you forward | ||
# requests to this port using proxy_pass, for example: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
proxy_pass
is Nginx-specific. I prefer a more general description as webpkgserver can work with other http servers (e.g. Apache).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Clarified the description.
# Exchange certificates. | ||
# | ||
# ACME is a protocol that allows automatic renewal of certificates. | ||
# webpkgserver uses the ACME library from github.com/go-acme/lego |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"webpkgserver uses the ACME library ..." is probably not very important for those who just use webpkgserver, especially those who don't set up DNSProvider.
"ACME is a protocol that allows automatic certificate renewal. Setting the Enable parameter to true will make webpkgserver automatically request a renewed certificate whenever it has determined that the current certificate is expired or about to expire.
If you set up more than one instance of webpkgserver, ...
webpkgserver uses the ACME library from github.com/go-acme/lego.
For the full ACME spec, see https://tools.ietf.org/html/rfc8555."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# https://tools.ietf.org/html/rfc8555 | ||
[SXG.ACME] | ||
# Enable webpkgserver to attempt to auto renew certificates using | ||
# ACME. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move ACME to the previous line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# others cannot be used. See DNSProvider for more detail. | ||
|
||
# The http server root directory where the ACME http challenge token should | ||
# be deposited. Note that you may need to do some configuration work to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you update the documentation here please?
HTTPWebRootDir = '/path/to/www_root_dir' | ||
|
||
# The port used by the webpkgserver to respond to the HTTP challenge | ||
# issued as part of ACME protocol. Note that if your setup only opens up |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the update, but I found I still hadn't understood "if your setup only opens up certain ports."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Clarified.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for slow iterations. I think it's very close and hope this will be the last iteration...
server/tomlconfig/verify.go
Outdated
if err != nil { | ||
return err | ||
} | ||
switch u.Scheme { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Optional: switch
is maybe "too much" here.
if u.Scheme != "https" {
return errors.New("must be https://")
}
return verifyServePath(u.Path)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
# This is the ACME discovery URL that is used for ACME http requests to the | ||
# Certificate Authority that doles out the certificates. Currently, the only | ||
# CA that supports automatic signed exchange cert renewals is DigiCert: | ||
# https://docs.digicert.com/certificate-tools/acme-user-guide/acme-directory-urls-signed-http-exchange-certificates/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry but I can't tell what is updated...
HTTPWebRootDir = '/path/to/www_root_dir' | ||
|
||
# The port used by the webpkgserver to respond to the HTTP challenge | ||
# issued as part of ACME protocol. Note that if your network firewall setup |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've been confusing with this sentence, and I've now found why. If I understand correctly, even if the firewall accepted any incoming ports, the user would anyway need to set up a reverse proxy listening at 80/tcp (http) or 443/tcp (https) and route the challenge requests to this port. This sentence reads that the user needs to configure reverse proxy only when there's a firewall, which doesn't match my understanding.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed the note about the firewall and changed the paragraph structure.
# The port used by the webpkgserver to respond to the HTTP challenge | ||
# issued as part of ACME protocol. Note that if your network firewall setup | ||
# only opens up certain ports, you may need to do a configuration change to | ||
# your reverse-proxy server where you forward requests to this port using a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove one extra space between "server" and "where"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
|
||
# The port used by the webpkgserver to respond to the HTTP challenge | ||
# issued as part of ACME protocol. Note that if your network firewall setup | ||
# only opens up certain ports, you may need to do a configuration change to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/do a configuration change to/change configuration of/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed the sentence to "You will need to configure your ..."
# only opens up certain ports, you may need to do a configuration change to | ||
# your reverse-proxy server where you forward requests to this port using a | ||
# mechamism similar to NGINX's proxy_pass (your choice of server will change | ||
# how you forward requests). An example specific to NGINX: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: s/specific to/for/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I think "specific to" is correct.
# others cannot be used. See DNSProvider for more detail. | ||
|
||
# The http server root directory where the ACME http challenge token should | ||
# be deposited. Note that you may need to do some configuration work to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry but I can't tell what is updated...
# This is the ACME discovery URL that is used for ACME http requests to the | ||
# Certificate Authority that doles out the certificates. Currently, the only | ||
# CA that supports automatic signed exchange cert renewals is DigiCert: | ||
# https://docs.digicert.com/certificate-tools/acme-user-guide/acme-directory-urls-signed-http-exchange-certificates/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops, sorry, I made this comment at a wrong place.
# The port used by the webpkgserver to respond to the HTTP challenge | ||
# issued as part of ACME protocol. You will need to configure your | ||
# reverse-proxy server where you route the challenge requests to this port | ||
# using a mechamism similar to NGINX's proxy_pass (your choice of server will |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Optional: "... using proxy_pass on NGINX or a similar mechanism on the server of your choice."
# others cannot be used. See DNSProvider for more detail. | ||
|
||
# The http server root directory where the ACME http challenge token should | ||
# be deposited. Note that you may need to do some configuration work to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your answer, but I was asking about "some configuration work" on this line, as in "... be deposited. Note that you may need to do some configuration work to get this setup to work where ..."
# detail. | ||
|
||
# The http server root directory where the ACME http challenge token should | ||
# be deposited. Note that you may need configure your reverse-proxy server to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, it's become a bit clearer, but I still don't understand why and how the user needs to configure their reverse-proxy server when running multiple webpkgserver instances.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok changed it some more, let me know if that's ok.
|
||
# The http server root directory where the ACME http challenge token should | ||
# be deposited. Note that if you are using a reverse-proxy server with | ||
# multiple instances of webpkgserver instances, you may need to configure it |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I'm trying hard to understand this sentence and reading the linked page, but I'm still failing to understand. A couple of questions include:
- What does "it" refer to, as in "... to configure it in order to ..."?
- What does "this" refer to, as in "...to get this work."?
- Why does the user need to take extra care when they run multiple webpkgserver instances using the HTTPWebRootDir method?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, this whole note about multiple webpkgserver is confusing. Best to remove it and let the reader research what's best for their particular setup.
No description provided.