x/crypto/acme/autocert: clarify usage of (*Manager).GetCertificate #24894

Closed
gertcuykens opened this issue Apr 17, 2018 · 9 comments

@gertcuykens
Contributor

gertcuykens commented Apr 17, 2018

Would be nice to have an example of cert, err := m.GetCertificate(...) so the certificates can be used in GRPC. I fail to come up with a solution.

    m := &autocert.Manager{
        Cache:      autocert.DirCache("tls"),
        Prompt:     autocert.AcceptTOS,
        HostPolicy: autocert.HostWhitelist("example.com"),
    }
    go http.ListenAndServe(":http", m.HTTPHandler(nil))
    cert, err := m.GetCertificate(...)
    if err != nil {
        t.Fatalf("Failed to generate certificates %s", err)
    }
    creds := credentials.NewServerTLSFromCert(cert)
    srv := grpc.NewServer(grpc.Creds(creds))
    reflection.Register(srv)

https://godoc.org/golang.org/x/crypto/acme/autocert

https://stackoverflow.com/questions/49874945/acme-certificate-for-grpc

SOLUTION:

    m := &autocert.Manager{
        Cache:      autocert.DirCache("tls"),
        Prompt:     autocert.AcceptTOS,
        HostPolicy: autocert.HostWhitelist("gps.nyimbo.nl"),
    }
    go http.ListenAndServe(":http", m.HTTPHandler(nil))
    creds := credentials.NewTLS(&tls.Config{GetCertificate: m.GetCertificate})
    srv := grpc.NewServer(grpc.Creds(creds))
    reflection.Register(srv)

@x1ddos

x1ddos commented Apr 17, 2018

What are the credentials, grpc and reflection packages? Where are they coming from?

@gertcuykens
Contributor Author

gertcuykens commented Apr 17, 2018

grpc is from "google.golang.org/grpc"
credentials is from "google.golang.org/grpc/credentials"
reflection is just for grpc built-in service discovery "google.golang.org/grpc/reflection"

https://github.com/grpc/grpc-go/tree/master/examples

@agnivade
Contributor

I am not clear what the issue is about. Do you want an example to be added for the GetCertificate method?

@gertcuykens
Contributor Author

gertcuykens commented Apr 17, 2018

https://godoc.org/golang.org/x/crypto/acme/autocert#Manager.GetCertificate requires a hello *tls.ClientHelloInfo. I have no idea how I should provide one, sorry.

Once I know how to make a hello *tls.ClientHelloInfo manually, the rest should be ok

@agnivade
Contributor

I don't have much experience with the package, but from the documentation it seems this function serves as a hook for tls.Config.

    s := &http.Server{
        Addr:      ":https",
        TLSConfig: &tls.Config{GetCertificate: m.GetCertificate},
    }

agnivade changed the title from "crypto/acme/autocert: ACME certificate for GRPC" to "crypto/acme/autocert: clarify usage of (*Manager).GetCertificate" Apr 17, 2018
agnivade changed the title from "crypto/acme/autocert: clarify usage of (*Manager).GetCertificate" to "x/crypto/acme/autocert: clarify usage of (*Manager).GetCertificate" Apr 17, 2018
gopherbot added this to the Unreleased milestone Apr 17, 2018
@gertcuykens
Contributor Author

gertcuykens commented Apr 17, 2018

Exactly, and this makes it complicated for me because a grpc server needs the certificates directly. A grpc server has no TLSConfig hook as the built-in https golang server does. I need the return value from the function GetCertificate itself to pass to credentials.NewServerTLSFromCert.

@bradfitz
Contributor

Is there a bug against grpc about this too? It might be best handled by them.

Even if we were to document some convoluted workaround to make the pieces all fit together, not everybody will read the docs and want to jump through those hoops.

It might be best if grpc made some API changes on their side to make this easy.

@FiloSottile
Contributor

Use NewTLS instead of NewServerTLSFromCert.

https://godoc.org/google.golang.org/grpc/credentials#NewTLS

We can't add examples for how to plug a tls.Config into all possible client libraries, but let us know if you have an idea of how we could have made that more clear.
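
An added example, not part of the thread and not code from autocert or grpc: it shows that crypto/tls itself builds the *tls.ClientHelloInfo and passes it to the GetCertificate hook during the handshake, so nothing has to be constructed by hand. It uses only the standard library; the hook, the helper names `selfSigned` and `handshake`, the one-name allow-list and the self-signed certificate are constructed stand-ins for m.GetCertificate, HostPolicy and an ACME-issued certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway certificate, a constructed stand-in for what autocert would obtain.
func selfSigned(host string) (*tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// handshake runs one in-memory TLS handshake and returns the SNI name the hook was given.
func handshake(allowed, sni string) (seen string, err error) {
	hook := func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		seen = h.ServerName // crypto/tls built h from the client's hello
		if h.ServerName != allowed { // hypothetical allow-list, same idea as HostPolicy
			return nil, fmt.Errorf("host %q not allowed", h.ServerName)
		}
		return selfSigned(h.ServerName)
	}
	c, s := net.Pipe() // in-memory and synchronous; tickets are disabled so no server write goes unread
	defer c.Close()
	srv := tls.Server(s, &tls.Config{GetCertificate: hook, SessionTicketsDisabled: true})
	go func() { srv.Handshake(); s.Close() }()
	// InsecureSkipVerify only because the demo certificate is self-signed.
	err = tls.Client(c, &tls.Config{ServerName: sni, InsecureSkipVerify: true}).Handshake()
	return seen, err
}

func main() {
	fmt.Println(handshake("example.com", "example.com")) // allowed name, handshake succeeds
	fmt.Println(handshake("example.com", "other.test"))  // hook refuses, handshake fails
}
```

Any server that accepts a *tls.Config drives the hook the same way, which is why handing the config to credentials.NewTLS is enough for grpc.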

@gertcuykens
Contributor Author

Thank you, feel free to paste answer in stackoverflow

golang locked and limited conversation to collaborators Apr 17, 2019