Run on plaintext HTTP to support Cloud Run

authority/config/config.go

@@ -227,8 +227,10 @@ func (c *Config) Validate() error {
 	}
 
 	// Validate address (a port is required)
-	if _, _, err := net.SplitHostPort(c.Address); err != nil {
+	if c.Address != "" {
-		return errors.Errorf("invalid address %s", c.Address)
+		if _, _, err := net.SplitHostPort(c.Address); err != nil {
+			return errors.Errorf("invalid address %s", c.Address)
+		}
 	}
 
 	if c.TLS == nil {

ca/ca.go

@@ -238,13 +238,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, errors.Wrap(err, "error creating SCEP authority")
 		}
 
-		// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
-		// SCEP operations are performed using HTTP, so that's why the API is mounted
-		// to the insecure mux.
-		insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
-			scepAPI.Route(r)
-		})
-
 		// The RFC also mentions usage of HTTPS, but seems to advise
 		// against it, because of potential interoperability issues.
 		// Currently I think it's not bad to use HTTPS also, so that's
@@ -266,7 +259,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = m.Middleware(handler)
-		insecureHandler = m.Middleware(insecureHandler)
 	}
 
 	// Add logger if configured
@@ -276,25 +268,24 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = logger.Middleware(handler)
-		insecureHandler = logger.Middleware(insecureHandler)
 	}
 
 	// Create context with all the necessary values.
 	baseContext := buildContext(auth, scepAuthority, acmeDB, acmeLinker)
 
-	ca.srv = server.New(cfg.Address, handler, tlsConfig)
+	if cfg.Address != "" {
-	ca.srv.BaseContext = func(net.Listener) context.Context {
+		ca.srv = server.New(cfg.Address, handler, tlsConfig)
-		return baseContext
+		ca.srv.BaseContext = func(net.Listener) context.Context {
+			return baseContext
+		}
 	}
 
-	// only start the insecure server if the insecure address is configured
+	if cfg.InsecureAddress != "" {
-	// and, currently, also only when it should serve SCEP endpoints.
-	if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
 		// TODO: instead opt for having a single server.Server but two
 		// http.Servers handling the HTTP and HTTPS handler? The latter
 		// will probably introduce more complexity in terms of graceful
 		// reload.
-		ca.insecureSrv = server.New(cfg.InsecureAddress, insecureHandler, nil)
+		ca.insecureSrv = server.New(cfg.InsecureAddress, handler, nil)
 		ca.insecureSrv.BaseContext = func(net.Listener) context.Context {
 			return baseContext
 		}
@@ -335,11 +326,13 @@ func (ca *CA) Run() error {
 			log.Printf("Current context: %s", step.Contexts().GetCurrent().Name)
 		}
 		log.Printf("Config file: %s", ca.opts.configFile)
-		baseURL := fmt.Sprintf("https://%s%s",
+		if ca.config.Address != "" {
-			authorityInfo.DNSNames[0],
+			baseURL := fmt.Sprintf("https://%s%s",
-			ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
+				authorityInfo.DNSNames[0],
-		log.Printf("The primary server URL is %s", baseURL)
+				ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
-		log.Printf("Root certificates are available at %s/roots.pem", baseURL)
+			log.Printf("The primary server URL is %s", baseURL)
+			log.Printf("Root certificates are available at %s/roots.pem", baseURL)
+		}
 		if len(authorityInfo.DNSNames) > 1 {
 			log.Printf("Additional configured hostnames: %s",
 				strings.Join(authorityInfo.DNSNames[1:], ", "))
@@ -363,11 +356,13 @@ func (ca *CA) Run() error {
 		}()
 	}
 
-	wg.Add(1)
+	if ca.srv != nil {
-	go func() {
+		wg.Add(1)
-		defer wg.Done()
+		go func() {
-		errs <- ca.srv.ListenAndServe()
+			defer wg.Done()
-	}()
+			errs <- ca.srv.ListenAndServe()
+		}()
+	}
 
 	// wait till error occurs; ensures the servers keep listening
 	err := <-errs