From f3d2bd7a19757e3efd9ccf5ebad84836d61e9bba Mon Sep 17 00:00:00 2001 From: Brandon Weeks Date: Tue, 7 Jun 2022 19:04:16 -0700 Subject: [PATCH] Run on plaintext HTTP to support Cloud Run --- authority/config/config.go | 6 +++-- ca/ca.go | 47 +++++++++++++++++--------------------- 2 files changed, 25 insertions(+), 28 deletions(-) diff --git a/authority/config/config.go b/authority/config/config.go index c5e74b39..49789aaa 100644 --- a/authority/config/config.go +++ b/authority/config/config.go @@ -227,8 +227,10 @@ func (c *Config) Validate() error { } // Validate address (a port is required) - if _, _, err := net.SplitHostPort(c.Address); err != nil { - return errors.Errorf("invalid address %s", c.Address) + if c.Address != "" { + if _, _, err := net.SplitHostPort(c.Address); err != nil { + return errors.Errorf("invalid address %s", c.Address) + } } if c.TLS == nil { diff --git a/ca/ca.go b/ca/ca.go index a7999edf..ac517a10 100644 --- a/ca/ca.go +++ b/ca/ca.go @@ -238,13 +238,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) { return nil, errors.Wrap(err, "error creating SCEP authority") } - // According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10), - // SCEP operations are performed using HTTP, so that's why the API is mounted - // to the insecure mux. - insecureMux.Route("/"+scepPrefix, func(r chi.Router) { - scepAPI.Route(r) - }) - // The RFC also mentions usage of HTTPS, but seems to advise // against it, because of potential interoperability issues. // Currently I think it's not bad to use HTTPS also, so that's @@ -266,7 +259,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) { return nil, err } handler = m.Middleware(handler) - insecureHandler = m.Middleware(insecureHandler) } // Add logger if configured @@ -276,25 +268,24 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) { return nil, err } handler = logger.Middleware(handler) - insecureHandler = logger.Middleware(insecureHandler) } // Create context with all the necessary values. baseContext := buildContext(auth, scepAuthority, acmeDB, acmeLinker) - ca.srv = server.New(cfg.Address, handler, tlsConfig) - ca.srv.BaseContext = func(net.Listener) context.Context { - return baseContext + if cfg.Address != "" { + ca.srv = server.New(cfg.Address, handler, tlsConfig) + ca.srv.BaseContext = func(net.Listener) context.Context { + return baseContext + } } - // only start the insecure server if the insecure address is configured - // and, currently, also only when it should serve SCEP endpoints. - if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" { + if cfg.InsecureAddress != "" { // TODO: instead opt for having a single server.Server but two // http.Servers handling the HTTP and HTTPS handler? The latter // will probably introduce more complexity in terms of graceful // reload. - ca.insecureSrv = server.New(cfg.InsecureAddress, insecureHandler, nil) + ca.insecureSrv = server.New(cfg.InsecureAddress, handler, nil) ca.insecureSrv.BaseContext = func(net.Listener) context.Context { return baseContext } @@ -335,11 +326,13 @@ func (ca *CA) Run() error { log.Printf("Current context: %s", step.Contexts().GetCurrent().Name) } log.Printf("Config file: %s", ca.opts.configFile) - baseURL := fmt.Sprintf("https://%s%s", - authorityInfo.DNSNames[0], - ca.config.Address[strings.LastIndex(ca.config.Address, ":"):]) - log.Printf("The primary server URL is %s", baseURL) - log.Printf("Root certificates are available at %s/roots.pem", baseURL) + if ca.config.Address != "" { + baseURL := fmt.Sprintf("https://%s%s", + authorityInfo.DNSNames[0], + ca.config.Address[strings.LastIndex(ca.config.Address, ":"):]) + log.Printf("The primary server URL is %s", baseURL) + log.Printf("Root certificates are available at %s/roots.pem", baseURL) + } if len(authorityInfo.DNSNames) > 1 { log.Printf("Additional configured hostnames: %s", strings.Join(authorityInfo.DNSNames[1:], ", ")) @@ -363,11 +356,13 @@ func (ca *CA) Run() error { }() } - wg.Add(1) - go func() { - defer wg.Done() - errs <- ca.srv.ListenAndServe() - }() + if ca.srv != nil { + wg.Add(1) + go func() { + defer wg.Done() + errs <- ca.srv.ListenAndServe() + }() + } // wait till error occurs; ensures the servers keep listening err := <-errs