
In Golang, with autocert, I keep seeing examples like this:

server := &http.Server{
    Addr:      ":https", // port 443
    Handler:   r,
    TLSConfig: &tls.Config{
        GetCertificate: certManager.GetCertificate,
    },
}

// port 80: serves HTTP-01 challenges, redirects other requests to HTTPS
go http.ListenAndServe(":http", certManager.HTTPHandler(nil))

However, I have a server with many sites (go apps) and I use NGINX to proxy the traffic. Can I do something like this?

server := &http.Server{
    Addr:      ":8443", // NGINX proxies 443 here
    Handler:   r,
    TLSConfig: &tls.Config{
        GetCertificate: certManager.GetCertificate,
    },
}

go http.ListenAndServe(":8080", certManager.HTTPHandler(nil)) // NGINX proxies 80 here

If not, are there any other solutions for this?

If so, I'm not sure what I could be doing wrong. I do see that one of the returns of the certManager.GetCertificate method is error.

So the second part of this question is: how can I catch certManager.GetCertificate's error? My app loads and compiles fine. No errors are thrown.

E_net4
Chemdream
  • Your way of using autocert looks correct. Are you facing any trouble using this? – Piyushh Jun 09 '20 at 05:25
  • @iwasidiotic Yes but I can't see any errors because of the way certManager.GetCertificate is being used. How can I see errors there? The temp folder is created, but no certs are dropped into it. Thanks! – Chemdream Jun 09 '20 at 11:36
  • If you load balance you might have a hard time distributing the same token across all nodes when using HTTP-01. For HTTP-01 to succeed, port 80 must be open and respond with the corresponding secret at the right URL. For TLS-ALPN-01, the SSL termination cannot be done on the nginx side of the setup. If you browse https://github.com/go-acme/lego, they recommend using DNS-01. I recommend you read the letsencrypt doc. To log things out I would write a client that catches and logs errors. –  Jun 10 '20 at 06:10
  • I have put "client" (last sentence) but I meant to just fork and update. –  Jun 10 '20 at 06:20
  • Use `certManager.GetCertificate` outside the server variable scope for error handling and then pass the variable to the scope variable, like `cert, err := certManager.GetCertificate(); if err != nil { fmt.Println(err) }`; in general your `certManager.GetCertificate` should return an error – bitcodr Jun 10 '20 at 06:27
  • @bitcodr then would I pass cert to GetCertificate in TLSConfig? – Chemdream Jun 10 '20 at 10:13
  • I'm hoping tomorrow I'll be able to test to see what the error is. Thanks! – Chemdream Jun 10 '20 at 22:25
  • @bitcodr certManager.GetCertificate() requires an argument, and GetCertificate doesn't like using cert as its value. I'm not sure that will work? – Chemdream Jun 11 '20 at 17:35
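The second part of the question, how to see GetCertificate's errors, comes down to the fact that tls.Config.GetCertificate is only invoked by the TLS stack during a client handshake, never at start-up, so a broken setup compiles and starts cleanly and the error is simply handed back to the handshake. The usual fix is to wrap the hook with a function of the same signature that logs failures. The program below is an added example, not code from the question or from golang.org/x/crypto/acme/autocert; it uses only the standard library. CertLogger is the wrapper and goes into TLSConfig in place of certManager.GetCertificate (their signatures match). newDemoGetter is a constructed stand-in for certManager.GetCertificate so the example runs offline: it mints a self-signed certificate for one allowed host and fails on an empty SNI or an unknown host, which are conditions under which autocert also returns an error (the exact error text here is mine, not autocert's).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"log"
	"math/big"
	"net/http"
	"sync"
	"time"
)

// CertGetter is the signature shared by tls.Config.GetCertificate and
// autocert.Manager.GetCertificate, so certManager.GetCertificate fits as-is.
type CertGetter func(*tls.ClientHelloInfo) (*tls.Certificate, error)

// CertLogger wraps a CertGetter and logs every failure. The hook runs only
// inside a TLS handshake, never at start-up, so without a wrapper its error is
// returned to the TLS stack and the server process stays silent.
type CertLogger struct {
	next   CertGetter
	logger *log.Logger
	mu     sync.Mutex
	fails  int
}

func NewCertLogger(next CertGetter, logger *log.Logger) *CertLogger {
	return &CertLogger{next: next, logger: logger}
}

// GetCertificate goes into TLSConfig in place of certManager.GetCertificate.
func (c *CertLogger) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	start := time.Now()
	cert, err := c.next(hello)
	if err != nil {
		c.mu.Lock()
		c.fails++
		c.mu.Unlock()
		c.logger.Printf("GetCertificate failed: sni=%q elapsed=%s err=%v",
			hello.ServerName, time.Since(start).Round(time.Millisecond), err)
	}
	return cert, err
}

// Failures counts handshakes that ended in a GetCertificate error (for a health check).
func (c *CertLogger) Failures() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.fails
}

// newDemoGetter is a constructed stand-in for certManager.GetCertificate so this
// runs offline: it mints a self-signed certificate for the one allowed host and
// rejects empty SNI or other hosts (assumption: autocert's error text differs).
func newDemoGetter(host string) CertGetter {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if hello.ServerName == "" {
			return nil, errors.New("missing server name (client sent no SNI)")
		}
		if hello.ServerName != host {
			return nil, errors.New("host not allowed by host policy: " + hello.ServerName)
		}
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			return nil, err
		}
		return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
	}
}

func main() {
	// Production: certManager := &autocert.Manager{...}; getter := certManager.GetCertificate
	certLog := NewCertLogger(newDemoGetter("example.com"), log.Default())
	// Same shape as the question's server; only the hook is swapped for the wrapper.
	server := &http.Server{
		Addr:      ":8443",
		Handler:   http.NotFoundHandler(),
		TLSConfig: &tls.Config{GetCertificate: certLog.GetCertificate},
	}
	_ = server // start with server.ListenAndServeTLS("", "") in production
	// Drive the hook directly to see what failing handshakes leave in the log.
	for _, sni := range []string{"example.com", "", "other.example"} {
		_, err := certLog.GetCertificate(&tls.ClientHelloInfo{ServerName: sni})
		log.Printf("sni=%q err=%v", sni, err)
	}
	log.Printf("failed handshakes: %d", certLog.Failures())
}
```

Two checks follow from the wrapper. If the log never shows a GetCertificate call at all, the hook is not being reached: autocert requests a certificate from inside GetCertificate, on the first handshake for a host, so if NGINX terminates TLS in front of :8443 the Go process never sees a ClientHello, nothing is issued, and an empty cache directory with no errors is exactly what you would observe. If the calls are logged but fail, the error text says why (host policy, missing SNI, or the ACME exchange itself); for HTTP-01 that exchange only succeeds if NGINX forwards port 80 requests for /.well-known/acme-challenge/ to the :8080 listener that certManager.HTTPHandler serves.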

0 Answers