| author | 2023-03-04 18:24:02 +0100 |
|---|---|
| committer | 2023-03-04 17:24:02 +0000 |
| commit | d2f6de01856917b19e1f1ba6028f7e05d60e674b (patch) |
| tree | a8dd7a0718f67dc7248a5e2c9c98db20a6fb2741 /docs/configuration/letsencrypt.md |
| parent | use updateattachment when updating to ensure cache is invalidated (#1587) (diff) |
| download | gotosocial-d2f6de01856917b19e1f1ba6028f7e05d60e674b.tar.xz |
[feature] Allow loading TLS certs from disk (#1586)
Currently, GtS only supports using the built-in LE client directly for
TLS. However, admins may still want to use GtS directly (so without a
reverse proxy) but with certificates provided through some other
mechanism. They may have some centralised way of provisioning these
things themselves, or simply prefer to use LE but with a different
challenge like DNS-01 which is not supported by autocert.
This adds support for loading a public/private keypair from disk instead
of using LE and reconfigures the server to use a TLS listener if we
succeed in doing so.
Additionally, being able to load TLS keypair from disk opens up the path
to using a custom CA for testing purposes avoiding the need for a
constellation of containers and something like Pebble or Step CA to
provide LE APIs.
Diffstat (limited to 'docs/configuration/letsencrypt.md')

| -rw-r--r-- | docs/configuration/letsencrypt.md | 42 |
|---|---|---|

1 files changed, 0 insertions, 42 deletions
diff --git a/docs/configuration/letsencrypt.md b/docs/configuration/letsencrypt.md deleted file mode 100644 index 011ab4690..000000000 --- a/docs/configuration/letsencrypt.md +++ /dev/null @@ -1,42 +0,0 @@ -# LetsEncrypt - -## Settings - -```yaml -############################## -##### LETSENCRYPT CONFIG ##### -############################## - -# Config pertaining to the automatic acquisition and use of LetsEncrypt HTTPS certificates. - -# Bool. Whether or not letsencrypt should be enabled for the server. -# If false, the rest of the settings here will be ignored. -# If you serve GoToSocial behind a reverse proxy like nginx or traefik, leave this turned off. -# If you don't, then turn it on so that you can use https. -# Options: [true, false] -# Default: false -letsencrypt-enabled: false - -# Int. Port to listen for letsencrypt certificate challenges on. -# If letsencrypt is enabled, this port must be reachable or you won't be able to obtain certs. -# If letsencrypt is disabled, this port will not be used. -# This *must not* be the same as the webserver/API port specified above. -# Examples: [80, 8000, 1312] -# Default: 80 -letsencrypt-port: 80 - -# String. Directory in which to store LetsEncrypt certificates. -# It is a good move to make this a sub-path within your storage directory, as it makes -# backup easier, but you might wish to move them elsewhere if they're also accessed by other services. -# In any case, make sure GoToSocial has permissions to write to / read from this directory. -# Examples: ["/home/gotosocial/storage/certs", "/acmecerts"] -# Default: "/gotosocial/storage/certs" -letsencrypt-cert-dir: "/gotosocial/storage/certs" - -# String. Email address to use when registering LetsEncrypt certs. -# Most likely, this will be the email address of the instance administrator. -# LetsEncrypt will send notifications about expiring certificates etc to this address. -# Examples: ["admin@example.org"] -# Default: "" -letsencrypt-email-address: "" -``` |
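Review bot: this hunk deletes docs/configuration/letsencrypt.md outright, but within the hunk there is no replacement for the four settings it documented (letsencrypt-enabled, letsencrypt-port, letsencrypt-cert-dir, letsencrypt-email-address), and the commit message says the feature adds disk-loaded TLS keypairs alongside the existing LE client rather than removing it. Please confirm the settings reference lands in a successor page (a TLS page covering both the LE and keypair-from-disk modes would fit the commit message) and that any links or nav entries pointing at docs/configuration/letsencrypt.md are updated so the deletion does not leave a dead link. Two caveats from the removed text are worth carrying over verbatim wherever the docs move: "If you serve GoToSocial behind a reverse proxy like nginx or traefik, leave this turned off." and "This *must not* be the same as the webserver/API port specified above." for letsencrypt-port, since both are the operational guard rails an admin needs when choosing between the reverse-proxy, LE, and disk-keypair setups.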