acme port config option, explain why using a https reverse proxy will not work for acme tls-alpn-01 verification

related to #218 by mgkirs
This commit is contained in:
Mechiel Lukkien 2024-10-03 21:16:19 +02:00
parent 7ecc3f68ce
commit 7d3f307156
No known key found for this signature in database
2 changed files with 6 additions and 3 deletions


@ -123,7 +123,7 @@ type ACME struct {
DirectoryURL string `sconf-doc:"For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory."` DirectoryURL string `sconf-doc:"For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory."`
RenewBefore time.Duration `sconf:"optional" sconf-doc:"How long before expiration to renew the certificate. Default is 30 days."` RenewBefore time.Duration `sconf:"optional" sconf-doc:"How long before expiration to renew the certificate. Default is 30 days."`
ContactEmail string `sconf-doc:"Email address to register at ACME provider. The provider can email you when certificates are about to expire. If you configure an address for which email is delivered by this server, keep in mind that TLS misconfigurations could result in such notification emails not arriving."` ContactEmail string `sconf-doc:"Email address to register at ACME provider. The provider can email you when certificates are about to expire. If you configure an address for which email is delivered by this server, keep in mind that TLS misconfigurations could result in such notification emails not arriving."`
Port int `sconf:"optional" sconf-doc:"TLS port for ACME validation, 443 by default. You should only override this if you cannot listen on port 443 directly. ACME will make requests to port 443, so you'll have to add an external mechanism to get the connection here, e.g. by configuring port forwarding."` Port int `sconf:"optional" sconf-doc:"TLS port for ACME validation, 443 by default. You should only override this if you cannot listen on port 443 directly. ACME will make requests to port 443, so you'll have to add an external mechanism to get the tls connection here, e.g. by configuring firewall-level port forwarding. Validation over the https port uses tls-alpn-01 with application-layer protocol negotiation, which essentially means the original tls connection must make it here unmodified, an https reverse proxy will not work."`
IssuerDomainName string `sconf:"optional" sconf-doc:"If set, used for suggested CAA DNS records, for restricting TLS certificate issuance to a Certificate Authority. If empty and DirectyURL is for Let's Encrypt, this value is set automatically to letsencrypt.org."` IssuerDomainName string `sconf:"optional" sconf-doc:"If set, used for suggested CAA DNS records, for restricting TLS certificate issuance to a Certificate Authority. If empty and DirectyURL is for Let's Encrypt, this value is set automatically to letsencrypt.org."`
ExternalAccountBinding *ExternalAccountBinding `sconf:"optional" sconf-doc:"ACME providers can require that a request for a new ACME account reference an existing non-ACME account known to the provider. External account binding references that account by a key id, and authorizes new ACME account requests by signing it with a key known both by the ACME client and ACME provider."` ExternalAccountBinding *ExternalAccountBinding `sconf:"optional" sconf-doc:"ACME providers can require that a request for a new ACME account reference an existing non-ACME account known to the provider. External account binding references that account by a key id, and authorizes new ACME account requests by signing it with a key known both by the ACME client and ACME provider."`
// ../rfc/8555:2111 // ../rfc/8555:2111
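Review bot: the new sentence in the Port sconf-doc string ends in a comma splice ("...must make it here unmodified, an https reverse proxy will not work."); split it, e.g. "...must make it here unmodified. An HTTPS reverse proxy that terminates TLS will not work." Stating the cause explicitly would help operators: a terminating proxy answers the ACME server's handshake with its own certificate and ALPN protocol, so the tls-alpn-01 response never reaches this server, whereas the firewall-level port forwarding the text recommends passes the TCP connection through untouched. Also, the same tag already capitalizes "TLS" ("TLS port for ACME validation"), so the lowercase "tls"/"https" in the added text is inconsistent. Unrelated to this change but visible in the context: the IssuerDomainName doc says "DirectyURL" where the field is named DirectoryURL.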


@ -113,8 +113,11 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
# TLS port for ACME validation, 443 by default. You should only override this if # TLS port for ACME validation, 443 by default. You should only override this if
# you cannot listen on port 443 directly. ACME will make requests to port 443, so # you cannot listen on port 443 directly. ACME will make requests to port 443, so
# you'll have to add an external mechanism to get the connection here, e.g. by # you'll have to add an external mechanism to get the tls connection here, e.g. by
# configuring port forwarding. (optional) # configuring firewall-level port forwarding. Validation over the https port uses
# tls-alpn-01 with application-layer protocol negotiation, which essentially means
# the original tls connection must make it here unmodified, an https reverse proxy
# will not work. (optional)
Port: 0 Port: 0
# If set, used for suggested CAA DNS records, for restricting TLS certificate # If set, used for suggested CAA DNS records, for restricting TLS certificate
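Review bot: this generated doc comment carries the same comma splice as the struct tag ("...must make it here unmodified, an https reverse proxy" / "will not work."); if the sconf-doc string in the ACME struct is reworded, regenerate this file so the two stay in sync rather than hand-editing it. Same capitalization nit as in the struct tag: "TLS" on the first line of the comment versus "tls"/"https" in the added lines. The wrapped lines otherwise fit the existing line width of the surrounding comments.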