Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/bradfitz/autocertdelegate

Get LetsEncrypt TLS certs for internal-only TLS servers via a delegated golang.org/x/crypto/acme/autocert server.
https://github.com/bradfitz/autocertdelegate

Last synced: about 2 months ago
JSON representation

Get LetsEncrypt TLS certs for internal-only TLS servers via a delegated golang.org/x/crypto/acme/autocert server.

Host: GitHub
URL: https://github.com/bradfitz/autocertdelegate
Owner: bradfitz
License: bsd-3-clause
Created: 2019-12-25T04:28:47.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2020-03-06T23:21:12.000Z (over 4 years ago)
Last Synced: 2024-07-18T04:33:35.333Z (2 months ago)
Language: Go
Size: 6.84 KB
Stars: 246
Watchers: 12
Forks: 19
Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# autocertdelegate

## What

[I wanted](https://twitter.com/bradfitz/status/1206058552357355520)
internal HTTPS servers to have valid TLS certs with minimal fuss.

In particular:

* I didn't want to deal with being my own CA or configuring all my
devices to trust a new root.
* I didn't want to use LetsEncrypt DNS challenges because there are
tons of DNS providers and I don't want API clients for tons of DNS
providers and I don't want to configure secrets (or anything)
anywhere.
* I don't want to expose my internal services to the internet or deal
with updating firewall rules to only allow LetsEncrypt.

## How

See https://godoc.org/github.com/bradfitz/autocertdelegate

It provides a client that plugs in to an http.Server to get certs & a
server handler for a public-facing server that does the LetsEncrypt
ALPN challenges. You then do split-horizon DNS to give out internal
IPs to internal clients and a public IP (of the delegate server) to
everybody else (namely LetsEncrypt doing the ALPN challenges).

Then internal clients just ask the delegate server for the certs, and
the delegate server does a little challenge itself to test the
internal clients.

## Is it secure?

I built this for my own use on my home network.
Maybe you'll find it useful, but maybe you'll find it insecure.
Beauty is in the eye of the downloader.

## Contributing

I'm releasing as a Go project under the Go AUTHORs/LICENSEs, as it's
related to golang.org/x/crypto/acme/autocert. As such, I'm not
accepting any PRs unless you've contributed to Go or otherwise done
the Google CLA.