From d2f6de01856917b19e1f1ba6028f7e05d60e674b Mon Sep 17 00:00:00 2001
From: Daenney
Date: Sat, 4 Mar 2023 18:24:02 +0100
Subject: [feature] Allow loading TLS certs from disk (#1586)

Currently, GtS only supports using the built-in LE client directly for TLS. However, admins may still want to use GtS directly (so without a reverse proxy) but with certificates provided through some other mechanism. They may have some centralised way of provisioning these things themselves, or simply prefer to use LE but with a different challenge like DNS-01 which is not supported by autocert.

This adds support for loading a public/private keypair from disk instead of using LE and reconfigures the server to use a TLS listener if we succeed in doing so.

Additionally, being able to load TLS keypair from disk opens up the path to using a custom CA for testing purposes avoiding the need for a constellation of containers and something like Pebble or Step CA to provide LE APIs.
---
 docs/configuration/letsencrypt.md | 42 -------------------------
 docs/configuration/tls.md         | 66 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 42 deletions(-)
 delete mode 100644 docs/configuration/letsencrypt.md
 create mode 100644 docs/configuration/tls.md

(limited to 'docs/configuration')

diff --git a/docs/configuration/letsencrypt.md b/docs/configuration/letsencrypt.md
deleted file mode 100644
index 011ab4690..000000000
--- a/docs/configuration/letsencrypt.md
+++ /dev/null
@@ -1,42 +0,0 @@ -# LetsEncrypt - -## Settings - -```yaml -############################## -##### LETSENCRYPT CONFIG ##### -############################## - -# Config pertaining to the automatic acquisition and use of LetsEncrypt HTTPS certificates. - -# Bool. Whether or not letsencrypt should be enabled for the server. -# If false, the rest of the settings here will be ignored. -# If you serve GoToSocial behind a reverse proxy like nginx or traefik, leave this turned off. -# If you don't, then turn it on so that you can use https. -# Options: [true, false] -# Default: false -letsencrypt-enabled: false - -# Int. Port to listen for letsencrypt certificate challenges on. -# If letsencrypt is enabled, this port must be reachable or you won't be able to obtain certs. -# If letsencrypt is disabled, this port will not be used. -# This *must not* be the same as the webserver/API port specified above. -# Examples: [80, 8000, 1312] -# Default: 80 -letsencrypt-port: 80 - -# String. Directory in which to store LetsEncrypt certificates. -# It is a good move to make this a sub-path within your storage directory, as it makes -# backup easier, but you might wish to move them elsewhere if they're also accessed by other services. -# In any case, make sure GoToSocial has permissions to write to / read from this directory. -# Examples: ["/home/gotosocial/storage/certs", "/acmecerts"] -# Default: "/gotosocial/storage/certs" -letsencrypt-cert-dir: "/gotosocial/storage/certs" - -# String. Email address to use when registering LetsEncrypt certs. -# Most likely, this will be the email address of the instance administrator. -# LetsEncrypt will send notifications about expiring certificates etc to this address. -# Examples: ["admin@example.org"] -# Default: "" -letsencrypt-email-address: "" -``` diff --git a/docs/configuration/tls.md b/docs/configuration/tls.md new file mode 100644 index 000000000..79bc509eb --- /dev/null +++ b/docs/configuration/tls.md 
@@ -0,0 +1,66 @@ +# TLS + +It's possible to configure TLS support in one of two ways: +* Built-in support for Lets Encrypt / ACME compatible vendors +* Loading TLS files from disk + +It is not possible to have both methods enabled at the same time. + +Note that when using TLS files loaded from disk you are responsible for restarting the instance when the files change. They are not automatically reloaded. + +## Settings + +```yaml +############################## +##### LETSENCRYPT CONFIG ##### +############################## + +# Config pertaining to the automatic acquisition and use of LetsEncrypt HTTPS certificates. + +# Bool. Whether or not letsencrypt should be enabled for the server. +# If false, the rest of the settings here will be ignored. +# If you serve GoToSocial behind a reverse proxy like nginx or traefik, leave this turned off. +# If you don't, then turn it on so that you can use https. +# Options: [true, false] +# Default: false +letsencrypt-enabled: false + +# Int. Port to listen for letsencrypt certificate challenges on. +# If letsencrypt is enabled, this port must be reachable or you won't be able to obtain certs. +# If letsencrypt is disabled, this port will not be used. +# This *must not* be the same as the webserver/API port specified above. +# Examples: [80, 8000, 1312] +# Default: 80 +letsencrypt-port: 80 + +# String. Directory in which to store LetsEncrypt certificates. +# It is a good move to make this a sub-path within your storage directory, as it makes +# backup easier, but you might wish to move them elsewhere if they're also accessed by other services. +# In any case, make sure GoToSocial has permissions to write to / read from this directory. +# Examples: ["/home/gotosocial/storage/certs", "/acmecerts"] +# Default: "/gotosocial/storage/certs" +letsencrypt-cert-dir: "/gotosocial/storage/certs" + +# String. Email address to use when registering LetsEncrypt certs. 
+# Most likely, this will be the email address of the instance administrator. +# LetsEncrypt will send notifications about expiring certificates etc to this address. +# Examples: ["admin@example.org"] +# Default: "" +letsencrypt-email-address: "" + +############################## +##### MANUAL TLS CONFIG ##### +############################## + +# String. Path to a PEM-encoded file on disk that includes the certificate chain +# and the public key +# Examples: ["/gotosocial/storage/certs/chain.pem"] +# Default: "" +tls-certificate-chain: "" + +# String. Path to a PEM-encoded file on disk containing the private key for the +# associated tls-certificate-chain +# Examples: ["/gotosocial/storage/certs/private.pem"] +# Default: "" +tls-certificate-key: "" +``` -- cgit v1.2.3
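Review bot: deleting docs/configuration/letsencrypt.md removes a documented page path, so any existing link to it (the docs site navigation, links in issues or external guides) will break unless a redirect or navigation update lands with this change. This view is limited to docs/configuration, so I can't tell whether the navigation was updated in the same commit; if it wasn't, either update it here or keep a short letsencrypt.md stub that points readers to tls.md.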
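Review bot: the comment on `tls-certificate-chain` ("includes the certificate chain and the public key") is misleading: a PEM chain file holds the server certificate followed by any intermediate certificates (the public key is embedded in the certificate, not stored separately), and Go's keypair loader expects the leaf certificate first, so the docs should say "the server certificate followed by any intermediate certificates, in that order". Two more points worth adding to this section: the text says both methods cannot be enabled at once but not what happens if `letsencrypt-enabled: true` and the `tls-*` paths are both set (startup error, or one silently wins?), and `tls-certificate-key` should be documented as needing to be readable only by the user GoToSocial runs as, which matters because the example path puts the private key under the same storage directory the LetsEncrypt section recommends including in backups. Minor: "Lets Encrypt" in the intro versus "LetsEncrypt" in the settings block; pick one spelling.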