 

How to set up Let's Encrypt for a Go server application

I have my own domain with web services written in Go. I am using the inbuilt Go web server, without Nginx or Apache in front.

I would like to start serving over HTTPS and I realized Let's Encrypt is just about to become THE WAY for doing that.

Can anyone share the whole setup procedure for configuring a Go app running on a Linux server?

Daniele B asked May 19 '16 11:05


2 Answers

This is the minimal automatic setup of an HTTPS server using Go and Let's Encrypt certificates I have found:

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"

	"golang.org/x/crypto/acme/autocert"
)

func main() {
	certManager := autocert.Manager{
		Prompt:     autocert.AcceptTOS,
		HostPolicy: autocert.HostWhitelist("example.com"), // Your domain here
		Cache:      autocert.DirCache("certs"),            // Folder for storing certificates
	}

	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("Hello world"))
	})

	server := &http.Server{
		Addr: ":https",
		TLSConfig: &tls.Config{
			GetCertificate: certManager.GetCertificate,
		},
	}

	// Port 80 serves the http-01 challenge and redirects everything else to HTTPS
	go http.ListenAndServe(":http", certManager.HTTPHandler(nil))

	log.Fatal(server.ListenAndServeTLS("", "")) // Key and cert are coming from Let's Encrypt
}
```

More information on the autocert package: link

EDIT: Needed to make HTTP available because of a Let's Encrypt security issue; read more here. As a bonus of this fix we now have an HTTP-->HTTPS redirect. The old example will continue to work if you have already received certificates with it, but it will break for new sites.

Pylinux answered Oct 03 '22 00:10

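The port-80 side is the part of this setup that breaks most often, so here is an added example (mine, not code from the answer above or from the autocert package) of what that listener has to do and what I would harden around the answer's bare http.Server: serve http-01 key authorizations under /.well-known/acme-challenge/, redirect only allowlisted hosts (the Host header is client-controlled, so a Location built from an arbitrary Host is an open redirect) with the port stripped, and give the HTTPS server a TLS 1.2 floor, timeouts and an HSTS header. The example.com allowlist, the empty token table, the fullchain.pem/privkey.pem file names in main and the timeout values are my assumptions.

```go
package main

import (
	"crypto/tls"
	"log"
	"net"
	"net/http"
	"strings"
	"time"
)

const acmeChallengePrefix = "/.well-known/acme-challenge/"

// ChallengeHandler answers ACME http-01 validation: GET /.well-known/acme-challenge/<token>
// must return the key authorization the ACME client registered for <token>. keyAuth is a
// constructed stand-in for the state an ACME client library keeps internally.
func ChallengeHandler(keyAuth map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.URL.Path, acmeChallengePrefix)
		resp, ok := keyAuth[token]
		if token == "" || !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write([]byte(resp))
	})
}

// RedirectHandler is what the port-80 listener runs: it keeps http-01 reachable and sends
// everything else to HTTPS. Only allowlisted hosts are redirected, so the Location header
// is never built from an attacker-chosen Host, and the port is stripped so that
// "example.com:80" does not turn into https://example.com:80.
func RedirectHandler(allowed map[string]bool, challenge http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
		host = strings.ToLower(host)
		if !allowed[host] {
			http.NotFound(w, r)
			return
		}
		if strings.HasPrefix(r.URL.Path, acmeChallengePrefix) {
			challenge.ServeHTTP(w, r)
			return
		}
		http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
	})
}

// HSTS makes browsers that have seen one good HTTPS response rewrite future http:// URLs
// to https:// before connecting, so the port-80 redirect is only ever hit once per client.
func HSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000")
		next.ServeHTTP(w, r)
	})
}

// NewTLSServer builds the HTTPS listener around a GetCertificate callback (with autocert that
// is certManager.GetCertificate). The timeouts bound slow or idle clients, which the answer's
// http.Server does not; MinVersion rules out TLS 1.0 and 1.1.
func NewTLSServer(addr string, getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error), h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           HSTS(h),
		TLSConfig:         &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: getCert},
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      60 * time.Second,
		IdleTimeout:       2 * time.Minute,
	}
}

func main() {
	allowed := map[string]bool{"example.com": true} // your domain here (assumed)
	// Certificate source: a static pair from assumed file names. With the answer's autocert
	// setup pass certManager.GetCertificate here and certManager.HTTPHandler(nil) on port 80.
	pair, err := tls.LoadX509KeyPair("fullchain.pem", "privkey.pem")
	if err != nil {
		log.Fatal(err)
	}
	getCert := func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return &pair, nil }
	challenges := ChallengeHandler(map[string]string{}) // tokens registered by your ACME client
	go func() { log.Fatal(http.ListenAndServe(":http", RedirectHandler(allowed, challenges))) }()
	srv := NewTLSServer(":https", getCert, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("Hello world"))
	}))
	log.Fatal(srv.ListenAndServeTLS("", ""))
}
```

With autocert, certManager.HTTPHandler(nil) already covers the challenge-plus-redirect job; the point of spelling it out is to see that the redirect target comes from Host, that unknown tokens must 404 rather than echo anything, and that nothing in the answer's http.Server limits TLS versions or connection lifetimes.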

I found a very simple solution, using the standalone mode.


INSTALL THE CERTBOT CLIENT (recommended by Let's Encrypt)

```sh
# go to the directory where you want to install the certbot client
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto --help
```


ISSUE CERTIFICATE (FIRST TIME)

N.B. this operation happens through port 80, so if your Go app listens on port 80 it needs to be switched off before running this command (which is very quick to run, by the way)

```sh
./certbot-auto certonly --standalone-supported-challenges http-01 -d www.yourdomain.com
```

ADD SSL LISTENER IN YOUR GO CODE

```go
// fullchain.pem is the leaf plus intermediate; privkey.pem must stay readable only by the app's user
log.Fatal(http.ListenAndServeTLS(":443",
	"/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem",
	"/etc/letsencrypt/live/www.yourdomain.com/privkey.pem", nil))
```

Done!


TO RENEW CERTIFICATE (certificates expire after 90 days)

N.B. You can either run this manually (you will receive an email several days before the certificate expires), or set up a crontab

if your Go app doesn't listen on port 80 anymore, your Go app can keep running while you execute this command:

```sh
./certbot-auto renew --standalone
```

if your Go app still listens on port 80, you can specify the commands to stop and restart the Go app:

```sh
./certbot-auto renew --standalone --pre-hook "command to stop Go app" --post-hook "command to start Go app"
```

for the complete documentation of the Certbot commands: https://certbot.eff.org/docs/using.html

Daniele B answered Oct 02 '22 23:10