[摘要] let's Encrypt 是一个免费提供 HTTPS 的签名服务, 这里提供一个示例,用 certmagic 实现 fasthttp 与 net/http 上支持 HTTPS
0. 基本配置
我的域名, 包括 tsingson.io 与 www.tsingson.io , 在 DNS 上加上 A 记录, 指向我的服务器 IP
为了在 let's Encrypt 获取 HTTPS 签名证书, 使用 tsingson_at_me_com 这个邮箱进行管理
服务器上, 把 HTTPS 签名证书文件存在 /home/go/bin/ 路径下
1. 使用 certmagic 库获取 HTTPS证书, 生产模式( 另有测试模式)
package autotls
import (
"github.com/mholt/certmagic"
"golang.org/x/xerrors"
)
// LetsEncryptTLS the management of let's Encrypt to get domain's key and cert file
// path to save the cache of key/cert file
// email is your email , to manage domain in let's Encrypt
// domainName , like tsingson.io / www.tsingson.io ... the domain name list
func LetsEncryptTLS(path string, email string, domainName ...string) (err error) {
config := certmagic.Config{
Agreed: true,
Storage: &certmagic.FileStorage{Path: path},
CA: certmagic.LetsEncryptProductionCA, // use certmagic.LetsEncryptStagingCA for testing
Email: email, // your email to management let's Encrypt
}
cache := certmagic.NewCache(certmagic.CacheOptions{
GetConfigForCert: func(cert certmagic.Certificate) (certmagic.Config, error) {
return config, nil
},
})
magic := certmagic.New(cache, config)
if len(domainName) == 0 {
return xerrors.New("Need one DomainName at least")
}
err = magic.Manage(domainName)
if err != nil {
return
}
return
}
调用方式, 见代码
go autotls.LetsEncryptTLS("/home/go/bin/", "tsingson@me.com", "www.tsingson.io", "tsingson.io")
time.Sleep(1 * time.Minute) // 等待一下, 让 HTTPS 证书缓存成功........
首次运行前, 请创建 /home/go/bin 路径
运行时会打印日志, 约有 3秒左右, 会成功获取 HTTPS 签名证书, 存在以下路径( 注: 生产模式 )
/home/go/bin/acme # tree .
.
└── acme-v02.api.letsencrypt.org
├── challenge_tokens
├── sites
│ ├── tsingson.io
│ │ ├── tsingson.io.crt
│ │ ├── tsingson.io.json
│ │ └── tsingson.io.key
│ └── www.tsingson.io
│ ├── www.tsingson.io.crt
│ ├── www.tsingson.io.json
│ └── www.tsingson.io.key
└── users
└── tsingson@me.com
├── tsingson.json
└── tsingson.key
7 directories, 8 files
certmagic 的 Manage 将来会自动更新 HTTPS 证书
注: 测试模式, 缓存的 HTTPS 证书存储路径不太一样, 请自行检查路径
2. 在 net/http 上使用
package main
import (
// "fmt"
// "io"
"net/http"
"log"
"github.com/tsingson/vk/fast/autotls"
)
func HelloServer(w http.ResponseWriter, req *http.Request) {
w.Header().Set("Content-Type", "text/plain")
w.Write([]byte("This is an example server.\n"))
// fmt.Fprintf(w, "This is an example server.\n")
// io.WriteString(w, "This is an example server.\n")
}
func main() {
go autotls.LetsEncryptTLS("/home/go/bin/", "tsingson@me.com", "www.tsingson.io", "tsingson.io")
time.Sleep(1 * time.Minute)
http.HandleFunc("/hello", HelloServer)
err := http.ListenAndServeTLS(":443", "/home/go/bin/acme-v02.api.letsencrypt.org/site/tsingson.io/tsingson.io.crt", "/home/go/bin/acme-v02.api.letsencrypt.org/site/tsingson.io/tsingson.io.key", nil)
if err != nil {
log.Fatal("ListenAndServe: ", err)
}
}
3. 在 fasthttp 上使用
package main
import (
"log"
"github.com/valyala/fasthttp"
"github.com/tsingson/vk/fast/autotls"
)
func main() {
go autotls.LetsEncryptTLS("/home/go/bin/", "tsingson@me.com", "www.tsingson.io", "tsingson.io")
time.Sleep(1 * time.Minute)
fs := &fasthttp.FS{
// Path to directory to serve.
Root: "/home/www/static-site",
// Generate index pages if client requests directory contents.
GenerateIndexPages: true,
// Enable transparent compression to save network traffic.
Compress: true,
}
// Create request handler for serving static files.
h := fs.NewRequestHandler()
s := &fasthttp.Server{
Handler: h,
}
// Start the server.
if err := fasthttp.ListenAndServeTLS(":443", "/home/go/bin/acme-v02.api.letsencrypt.org/site/tsingson.io/tsingson.io.crt", "/home/go/bin/acme-v02.api.letsencrypt.org/site/tsingson.io/tsingson.io.key", h); err != nil {
log.Fatalf("error in ListenAndServe: %s", err)
}
}
4. 小结
浏览器上验证, 步骤省略………
Done. 完美…….
let's Encrypt 的测试模式, 在浏览器上验证, 会提示, 不是安全的 HTTPS 签名证书.
换成生产模式就好了………..
_
_
_
关于我
网名 tsingson (三明智, 江湖人称3爷)
原 ustarcom IPTV/OTT 事业部播控产品线技术架构湿/解决方案工程湿角色(8年), 自由职业者,
喜欢音乐(口琴,是第三/四/五届广东国际口琴嘉年华的主策划人之一), 摄影与越野,
喜欢 golang 语言 (商用项目中主要用 postgres + golang )
_