README
SSL Certificates Storage
Go tools for managing SSL certificates from acme/autocert
The autocert package provides automatic access to certificates from Let's Encrypt and any other ACME-based CA. This repository contains a collection of tools to simplify the task of managing certificates acquired through this method.
Want SSL but don't know where to start? Check out the sslmgr package.
Tools:
- LayeredCache - chain autocert.Cache implementations
- Functional - define an autocert.Cache by using anonymous functions
Cache Implementations:
- Firestore - if you are looking for quick and easy
- MongoDB - when flexibility and robustness are important
- DynamoDB - if your infra lives in AWS
- S3 - throw those certs in a bucket
Why should I use this? Is this for me?
The default storage mechanism used by autocert is the file system. Containerized and virtual workloads often don't have a persistent file system. Furthermore, file system storage is not suitable for servers spanning multiple machines or distributed systems.
The autocert.Cache interface is what controls where and how certificates are stored and fetched:

```go
m := autocert.Manager{
	Prompt:     autocert.AcceptTOS,                  // always accept the CA's terms of service
	HostPolicy: autocert.HostWhitelist(hostnames...), // hostnames the Manager is allowed to respond to
	Cache:      cache,                                // stores and retrieves previously obtained certificates and account data as opaque blobs
}
```
I have implemented the autocert.Cache interface with popular data stores on major cloud providers, so that you don't have to!
But wait, why can't I just get a new certificate every time I deploy?
Unless you have a corporate deal with Let's Encrypt, you are limited to 5 duplicate certificates (certificates for the same set of names) per week on a rolling basis. If your deployments have no persistent storage, that means you can deploy at most 5 times within a week (fewer still if each deployment spans multiple machines)!
Documentation
Constants
```go
const (
	// PolicyWriteDeepFirst will write to caches starting from the last layer
	// provided. This is the default behavior, as the more common use case
	// will be for the last layer to be the most persistent e.g. DB call
	PolicyWriteDeepFirst = WritePolicy("DEEP_FIRST")
	// PolicyWriteShallowFirst will write to caches starting from the top,
	// often least persistent, layer e.g. a struct in process heap
	PolicyWriteShallowFirst = WritePolicy("SHALLOW_FIRST")
)
```
Types
type DynamoDB

```go
type DynamoDB struct {
	// contains filtered or unexported fields
}
```

DynamoDB represents a DynamoDB implementation of autocert.Cache.

func NewDynamoDB

```go
func NewDynamoDB(credentials *credentials.Credentials, region, table string) *DynamoDB
```

NewDynamoDB returns a DynamoDB certificate cache.

func (*DynamoDB) Delete

```go
func (d *DynamoDB) Delete(ctx context.Context, key string) error
```

Delete removes certificate data from the cache under the specified key. If there's no such key in the cache, Delete returns nil.
type Firestore

```go
type Firestore struct {
	// contains filtered or unexported fields
}
```

Firestore is a Google Firestore implementation of autocert.Cache.

func NewFirestore

NewFirestore is the default constructor for a Firestore cert cache.

func NewFirestoreWithCollection

NewFirestoreWithCollection is a constructor for a Firestore cert cache with a custom Firestore collection name.

func (*Firestore) Delete

```go
func (f *Firestore) Delete(ctx context.Context, key string) error
```

Delete removes certificate data from the cache under the specified key. If there's no such key in the cache, Delete returns nil.
type Functional

```go
type Functional struct {
	// contains filtered or unexported fields
}
```

Functional allows the user to define a cert cache out of plain functions. If the get function always returns autocert.ErrCacheMiss, this cache can be used to test the next cache layer's preconditions, or simply to log events (see the NewLogger function).

func NewFunctional

```go
func NewFunctional(
	get func(context.Context, string) ([]byte, error),
	put func(context.Context, string, []byte) error,
	del func(context.Context, string) error,
) *Functional
```

NewFunctional is the constructor for a Functional cert cache.

func NewLogger

```go
func NewLogger() *Functional
```

NewLogger is the constructor for a Functional cert cache implementation which does nothing other than log events.

func (*Functional) Delete

```go
func (f *Functional) Delete(ctx context.Context, key string) error
```

Delete removes certificate data from the cache under the specified key. If there's no such key in the cache, Delete returns nil.
type LayeredCache

```go
type LayeredCache struct {
	// contains filtered or unexported fields
}
```

LayeredCache is an implementation of the autocert.Cache interface. It checks each layer for a hit in turn, falling back to the next storage layer whenever a layer reports a cache miss.

func NewLayered

```go
func NewLayered(layers ...autocert.Cache) *LayeredCache
```

NewLayered returns a new layered cache given autocert.Cache implementations.

func NewLayeredWithPolicy

```go
func NewLayeredWithPolicy(wp WritePolicy, layers ...autocert.Cache) *LayeredCache
```

NewLayeredWithPolicy returns a new layered cache and allows the user to specify the write policy.

func (*LayeredCache) Delete

```go
func (c *LayeredCache) Delete(ctx context.Context, key string) error
```

Delete removes certificate data from the cache under the specified key. If there's no such key in the cache, Delete returns nil.
type MongoDB

```go
type MongoDB struct {
	// contains filtered or unexported fields
}
```

MongoDB represents a MongoDB implementation of autocert.Cache.

func NewMongoDB

NewMongoDB returns a Mongo cache given a MongoDB connection string, e.g. fmt.Sprintf("mongodb://%s:%s@%s/%s", username, password, host, db).

func (*MongoDB) Delete

```go
func (m *MongoDB) Delete(ctx context.Context, key string) error
```

Delete removes certificate data from the cache under the specified key. If there's no such key in the cache, Delete returns nil.
type S3

```go
type S3 struct {
	// contains filtered or unexported fields
}
```

S3 represents an AWS S3 implementation of autocert.Cache.

func NewS3

```go
func NewS3(credentials *credentials.Credentials, bucket, region string) *S3
```

NewS3 returns an S3 certificate cache.

func (*S3) Delete

```go
func (s *S3) Delete(ctx context.Context, key string) error
```

Delete removes certificate data from the cache under the specified key. If there's no such key in the cache, Delete returns nil.
type WritePolicy

```go
type WritePolicy string
```

WritePolicy determines the order in which the layered cache executes Put across its layers.
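The layered fall-through on a cache miss, the log-only Functional cache that NewLogger describes, and the DEEP_FIRST versus SHALLOW_FIRST write ordering, as one added example that is not certcache's own code. To run with the standard library alone it declares a stand-in Cache interface and ErrCacheMiss mirroring autocert's; MemCache (a traced in-memory layer standing in for both the process heap and a durable store), Probe (a log-only layer in the spirit of NewLogger), Layered, Demo and the trace format are this example's own names and assumptions.

```go
package main

import (
	"context"
	"errors"
)

// ErrCacheMiss and Cache mirror autocert.ErrCacheMiss and autocert.Cache so this file
// runs on the standard library alone; real code would import the autocert types.
var ErrCacheMiss = errors.New("cache miss")

type Cache interface {
	Get(ctx context.Context, key string) ([]byte, error)
	Put(ctx context.Context, key string, data []byte) error
	Delete(ctx context.Context, key string) error
}

// MemCache is a named in-memory layer that records each call in trace (single-goroutine use only).
type MemCache struct {
	name  string
	trace *[]string
	m     map[string][]byte
}

func (c *MemCache) log(op, key string) { *c.trace = append(*c.trace, c.name+" "+op+" "+key) }
func (c *MemCache) Get(_ context.Context, key string) ([]byte, error) {
	c.log("get", key)
	if b, ok := c.m[key]; ok {
		return b, nil
	}
	return nil, ErrCacheMiss
}
func (c *MemCache) Put(_ context.Context, key string, data []byte) error { c.log("put", key); c.m[key] = data; return nil }
func (c *MemCache) Delete(_ context.Context, key string) error { c.log("delete", key); delete(c.m, key); return nil }

// Probe is a log-only layer in the spirit of certcache.NewLogger: it stores nothing and
// answers every Get with ErrCacheMiss, so each lookup falls through to the next layer.
type Probe struct{ trace *[]string }

func (p Probe) note(s string) { *p.trace = append(*p.trace, "log "+s) }
func (p Probe) Get(_ context.Context, k string) ([]byte, error) { p.note("get " + k); return nil, ErrCacheMiss }
func (p Probe) Put(_ context.Context, k string, _ []byte) error { p.note("put " + k); return nil }
func (p Probe) Delete(_ context.Context, k string) error       { p.note("delete " + k); return nil }

type WritePolicy string

const (
	PolicyWriteDeepFirst    = WritePolicy("DEEP_FIRST")
	PolicyWriteShallowFirst = WritePolicy("SHALLOW_FIRST")
)

// Layered consults layers shallow-to-deep on Get and stops at the first hit; Put writes
// every layer in the order the policy selects; Delete clears every layer.
type Layered struct {
	policy WritePolicy
	layers []Cache
}

func NewLayered(wp WritePolicy, layers ...Cache) *Layered { return &Layered{policy: wp, layers: layers} }
func (l *Layered) Get(ctx context.Context, key string) ([]byte, error) {
	for _, layer := range l.layers {
		data, err := layer.Get(ctx, key)
		if errors.Is(err, ErrCacheMiss) {
			continue // miss here: fall back to the next, deeper layer
		}
		return data, err // a hit, or a real storage error that must surface
	}
	return nil, ErrCacheMiss
}
func (l *Layered) Put(ctx context.Context, key string, data []byte) error {
	for i := range l.layers {
		idx := i // SHALLOW_FIRST: top, least persistent layer first
		if l.policy == PolicyWriteDeepFirst {
			idx = len(l.layers) - 1 - i // DEEP_FIRST: durable store first
		}
		if err := l.layers[idx].Put(ctx, key, data); err != nil {
			return err
		}
	}
	return nil
}
func (l *Layered) Delete(ctx context.Context, key string) error {
	for _, layer := range l.layers {
		if err := layer.Delete(ctx, key); err != nil {
			return err
		}
	}
	return nil
}

// Demo wires Probe -> process-local "heap" -> stand-in durable "db", performs one Put
// followed by one Get, and returns the trace of layer calls in the order they happened.
func Demo(wp WritePolicy) []string {
	var trace []string
	mem := func(name string) *MemCache { return &MemCache{name: name, trace: &trace, m: map[string][]byte{}} }
	c := NewLayered(wp, Probe{&trace}, mem("heap"), mem("db"))
	ctx := context.Background()
	_ = c.Put(ctx, "example.com", []byte("constructed placeholder, not a real certificate"))
	_, _ = c.Get(ctx, "example.com")
	return trace
}
```

Demo(PolicyWriteDeepFirst) writes the durable "db" layer before the heap, so a crash between the two writes still leaves the certificate in the store that survives a redeploy, which is why the package makes DEEP_FIRST the default; with SHALLOW_FIRST the heap is written first and the durable store last. The Probe layer shows the point of a layer that always returns ErrCacheMiss: it observes every Get, Put and Delete without ever serving an entry itself, which makes it useful for logging or for checking what the next layer receives.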