Run on plaintext HTTP to support Cloud Run

authority/config/config.go

@@ -200,8 +200,6 @@ func (c *Config) Save(filename string) error {
 // Validate validates the configuration.
 func (c *Config) Validate() error {
 	switch {
-	case c.Address == "":
-		return errors.New("address cannot be empty")
 	case len(c.DNSNames) == 0:
 		return errors.New("dnsNames cannot be empty")
 	case c.AuthorityConfig == nil:
@@ -223,8 +221,10 @@ func (c *Config) Validate() error {
 	}
 
 	// Validate address (a port is required)
-	if _, _, err := net.SplitHostPort(c.Address); err != nil {
+	if c.Address != "" {
-		return errors.Errorf("invalid address %s", c.Address)
+		if _, _, err := net.SplitHostPort(c.Address); err != nil {
+			return errors.Errorf("invalid address %s", c.Address)
+		}
 	}
 
 	if c.TLS == nil {

authority/config/config_test.go

@@ -38,19 +38,6 @@ func TestConfigValidate(t *testing.T) {
 		tls    TLSOptions
 	}
 	tests := map[string]func(*testing.T) ConfigValidateTest{
-		"empty-address": func(t *testing.T) ConfigValidateTest {
-			return ConfigValidateTest{
-				config: &Config{
-					Root:             []string{"../testdata/secrets/root_ca.crt"},
-					IntermediateCert: "../testdata/secrets/intermediate_ca.crt",
-					IntermediateKey:  "../testdata/secrets/intermediate_ca_key",
-					DNSNames:         []string{"test.smallstep.com"},
-					Password:         "pass",
-					AuthorityConfig:  ac,
-				},
-				err: errors.New("address cannot be empty"),
-			}
-		},
 		"invalid-address": func(t *testing.T) ConfigValidateTest {
 			return ConfigValidateTest{
 				config: &Config{

ca/ca.go

@@ -169,9 +169,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 	mux := chi.NewRouter()
 	handler := http.Handler(mux)
 
-	insecureMux := chi.NewRouter()
-	insecureHandler := http.Handler(insecureMux)
-
 	// Add regular CA api endpoints in / and /1.0
 	api.Route(mux)
 	mux.Route("/1.0", func(r chi.Router) {
@@ -232,13 +229,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, errors.Wrap(err, "error creating SCEP authority")
 		}
 
-		// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
-		// SCEP operations are performed using HTTP, so that's why the API is mounted
-		// to the insecure mux.
-		insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
-			scepAPI.Route(r)
-		})
-
 		// The RFC also mentions usage of HTTPS, but seems to advise
 		// against it, because of potential interoperability issues.
 		// Currently I think it's not bad to use HTTPS also, so that's
@@ -260,7 +250,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = m.Middleware(handler)
-		insecureHandler = m.Middleware(insecureHandler)
 	}
 
 	// Add logger if configured
@@ -270,25 +259,24 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = logger.Middleware(handler)
-		insecureHandler = logger.Middleware(insecureHandler)
 	}
 
 	// Create context with all the necessary values.
 	baseContext := buildContext(auth, scepAuthority, acmeDB, acmeLinker)
 
-	ca.srv = server.New(cfg.Address, handler, tlsConfig)
+	if cfg.Address != "" {
-	ca.srv.BaseContext = func(net.Listener) context.Context {
+		ca.srv = server.New(cfg.Address, handler, tlsConfig)
-		return baseContext
+		ca.srv.BaseContext = func(net.Listener) context.Context {
+			return baseContext
+		}
 	}
 
-	// only start the insecure server if the insecure address is configured
+	if cfg.InsecureAddress != "" {
-	// and, currently, also only when it should serve SCEP endpoints.
-	if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
 		// TODO: instead opt for having a single server.Server but two
 		// http.Servers handling the HTTP and HTTPS handler? The latter
 		// will probably introduce more complexity in terms of graceful
 		// reload.
-		ca.insecureSrv = server.New(cfg.InsecureAddress, insecureHandler, nil)
+		ca.insecureSrv = server.New(cfg.InsecureAddress, handler, nil)
 		ca.insecureSrv.BaseContext = func(net.Listener) context.Context {
 			return baseContext
 		}
@@ -329,11 +317,13 @@ func (ca *CA) Run() error {
 			log.Printf("Current context: %s", step.Contexts().GetCurrent().Name)
 		}
 		log.Printf("Config file: %s", ca.opts.configFile)
-		baseURL := fmt.Sprintf("https://%s%s",
+		if ca.config.Address != "" {
-			authorityInfo.DNSNames[0],
+			baseURL := fmt.Sprintf("https://%s%s",
-			ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
+				authorityInfo.DNSNames[0],
-		log.Printf("The primary server URL is %s", baseURL)
+				ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
-		log.Printf("Root certificates are available at %s/roots.pem", baseURL)
+			log.Printf("The primary server URL is %s", baseURL)
+			log.Printf("Root certificates are available at %s/roots.pem", baseURL)
+		}
 		if len(authorityInfo.DNSNames) > 1 {
 			log.Printf("Additional configured hostnames: %s",
 				strings.Join(authorityInfo.DNSNames[1:], ", "))
@@ -357,11 +347,13 @@ func (ca *CA) Run() error {
 		}()
 	}
 
-	wg.Add(1)
+	if ca.srv != nil {
-	go func() {
+		wg.Add(1)
-		defer wg.Done()
+		go func() {
-		errs <- ca.srv.ListenAndServe()
+			defer wg.Done()
-	}()
+			errs <- ca.srv.ListenAndServe()
+		}()
+	}
 
 	// wait till error occurs; ensures the servers keep listening
 	err := <-errs