{"id":39076312,"url":"https://github.com/cloud-gov/cf-domain-broker-alb","last_synced_at":"2026-01-17T18:26:56.754Z","repository":{"id":38025188,"uuid":"130743421","full_name":"cloud-gov/cf-domain-broker-alb","owner":"cloud-gov","description":"A Cloud Foundry service broker that provides a custom domain service. Traffic is encrypted using an SSL certificate generated by Let's Encrypt.","archived":false,"fork":false,"pushed_at":"2025-07-18T18:23:20.000Z","size":11898,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-07-18T23:23:05.207Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloud-gov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-04-23T19:03:29.000Z","updated_at":"2025-07-18T18:23:23.000Z","dependencies_parsed_at":"2023-07-13T19:44:19.758Z","dependency_job_id":"d9e6830d-27ad-4905-a931-44e1402736b8","html_url":"https://github.com/cloud-gov/cf-domain-broker-alb","commit_stats":null,"previous_names":["18f/cf-domain-broker-alb"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cloud-gov/cf-domain-broker-alb","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fcf-domain-broker-alb","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fcf-domain-broker-alb/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/cloud-gov%2Fcf-domain-broker-alb/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fcf-domain-broker-alb/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloud-gov","download_url":"https://codeload.github.com/cloud-gov/cf-domain-broker-alb/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fcf-domain-broker-alb/sbom","scorecard":{"id":1832,"data":{"date":"2025-08-11","repo":{"name":"github.com/cloud-gov/cf-domain-broker-alb","commit":"34e3d5f10afe3d2827ceb0e8af72a8b1faa5ffc9"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.4,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/security-considerations.yml:4","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":2,"reason":"3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":9,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/security-considerations.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/cloud-gov/cf-domain-broker-alb/security-considerations.yml/main?enable=pin","Info:   0 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by 
integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":6,"reason":"4 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2020-0028 / GHSA-9jcx-pr2f-qvq5","Warn: Project is vulnerable to: GO-2020-0008 / GHSA-44r7-7p62-q3fr"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":2,"reason":"SAST tool is not run on all commits -- score normalized to 2","details":["Warn: 7 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-14T12:43:24.911Z","repository_id":38025188,"created_at":"2025-08-14T12:43:24.911Z","updated_at":"2025-08-14T12:43:24.911Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28515476,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T17:57:59.192Z","status":"ssl_error","status_checked_at":"2026-01-17T17:57:52.527Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-17T18:26:55.989Z","updated_at":"2026-01-17T18:26:56.745Z","avatar_url":"https://github.com/cloud-gov.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Custom Domain Service Broker\n\nA [Cloud Foundry](https://www.cloudfoundry.org/) [service broker](https://docs.cloudfoundry.org/services/) that provides a custom domain service. Traffic is encrypted using an SSL certificate generated by [Let's Encrypt](https://letsencrypt.org/).\n\nFor the CDN version of this broker: https://github.com/18F/cf-cdn-service-broker\n\n## Let's Encrypt V1 End of Life\n\nThe Let's Encrypt V1 endpoint is reaching end of life in June of 2020. In November of 2019, Let's Encrypt shut down the creation of new users via the V1 API. https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430\n\nIn response to disabling new user creation, this broker has been changed to use an existing user's credentials. This is implemented in `LoadRandomUser` in `models/models.go`. The pool of user IDs to select from is configured via an environment variable `USER_ID_POOL`. This environment variable is injected via bosh from credhub. The environment variable is configured in `bosh/manifest.yml` and the value is set in credhub as `/bosh/domain-broker/user-id-pool`. These values should be set as a comma-separated list in double quotes.\n\n`LoadRandomUser` will select a user from the pool, use the Let's Encrypt `reg` and `key` and create a new user entry in the broker database. 
Effectively, the user is the same in the eyes of Let's Encrypt but a different user in the broker database. This maintains the one-user-to-one-domain relationship in the broker database.\n\nThe random selection of users from a pool aims to minimize the impact of the following rate limits:\n\n- 300 Pending Authorizations per account\n- Failed Validation limit of 5 failures per account, per hostname, per hour.\n\n## Deployment\n\n### Automated\n\nThe easiest/recommended way to deploy the broker is via the [Concourse](http://concourse.ci/) pipeline.\n\n1. Create a `ci/credentials.yml` file, and fill in the templated values from [the pipeline](ci/pipeline.yml).\n1. Deploy the pipeline.\n\n    ```bash\n    fly -t lite set-pipeline -n -c ci/pipeline.yml -p deploy-domains-broker -l ci/credentials.yml\n    ```\n\n### Updating ALBs\n\nOn startup, the broker automatically detects ALBs based on their name. To pick up changes, simply restart the broker.\n\n## Usage\n\n1. Target the space your application is running in.\n\n    ```bash\n    $ cf target -o \u003corg\u003e -s \u003cspace\u003e\n    ```\n\n1. Add your domain to your Cloud Foundry organization:\n\n    ```bash\n    $ cf create-domain \u003corg\u003e my.domain.gov\n    ```\n\n1. Create a service instance.\n\n    ```bash\n    $ cf create-service custom-domain custom-domain my-domain -c '{\"domains\": [\"my.domain.gov\"]}'\n\n    Create in progress. Use 'cf services' or 'cf service my-domain' to check operation status.\n    ```\n\n    If you have more than one domain, you can pass them as a list to the `domains` parameter. Keep in mind that the broker will wait until all domains are CNAME'd:\n\n    ```bash\n    $ cf create-service custom-domain custom-domain my-domain -c '{\"domains\": [\"my.domain.gov\",\"www.my.domain.gov\"]}'\n\n    Create in progress. Use 'cf services' or 'cf service my-domain' to check operation status.\n    ```\n\n1. Get the DNS instructions. 
(note that the target of the CNAME will probably be different for you)\n\n    ```bash\n    $ cf service my-domain\n\n    Last Operation\n    Status: create in progress\n    Message: Provisioning in progress; CNAME domain \"my.domain.gov\" to \"production-domains-0-792003535.us-gov-west-1.elb.amazonaws.com\"\n    ```\n\n1. Create/update your DNS configuration.\n\n1. Wait up to 30 minutes for the CloudFront distribution to be provisioned and the DNS changes to propagate.\n\n1. Visit `my.domain.gov`, and see that you have a valid certificate (i.e. that visiting your site in a modern browser doesn't give you a certificate warning).\n\n1. Add your domain to a Cloud Foundry application:\n\n    ```bash\n    $ cf map-route \u003capp\u003e my.domain.gov\n    ```\n\n## Debugging\n\nBy default, Cloud Controller will expire asynchronous service instances that have been pending for over one week. If your instance expires, run a dummy update\nto restore it to the pending state so that Cloud Controller will continue to check for updates:\n\n```bash\ncf update-service my-domain -c '{\"timestamp\": 20161001}'\n```\n\n## Tests\n\n```bash\ngo test -v $(go list ./... | grep -v /vendor/)\n```\n\n## Contributing\n\nSee [CONTRIBUTING](CONTRIBUTING.md) for additional information.\n\n## Public domain\n\nThis project is in the worldwide [public domain](LICENSE.md). As stated in [CONTRIBUTING](CONTRIBUTING.md):\n\n\u003e This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).\n\u003e\n\u003e All contributions to this project will be released under the CC0 dedication. 
By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-gov%2Fcf-domain-broker-alb","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloud-gov%2Fcf-domain-broker-alb","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-gov%2Fcf-domain-broker-alb/lists"}