AutoTLS and Gin (gin-gonic) fail to read SSL certificate
Question
I'm trying to make a microservice environment with Gin (gin-gonic) with some simple code:

package main

import (
	"log"

	"example.com/MSHandler/ms1"
	"github.com/gin-gonic/autotls"
	"github.com/gin-gonic/gin"
)

func main() {
	// Create GIN
	router := gin.Default()
	// Call MS
	// Call MS1
	router.GET("/ms1", ms1.CallMS1)
	// Run GIN
	// router.Run(":443")
	// Run with Let's Encrypt
	log.Fatal(autotls.Run(router, "exampleMS.org"))
}
Each time I try to reach the website, the website is marked as unsafe. My SSL certificates were generated with openssl and they are both (.key and .pem) in ~/.ssl folder (I'm using Ubuntu). Do my certificates need to be in the same folder as the application?
I've read some articles on the web and here, but nothing points directly to autoTLS.
Answer 1
Score: 1
The package github.com/gin-gonic/autotls uses golang.org/x/crypto/acme/autocert underneath. So if you want to read the doc, go to https://pkg.go.dev/golang.org/x/crypto/acme/autocert. And how Let's Encrypt works is a must-read document.

Notes:
- autocert applies for certificates from https://letsencrypt.org/, so you don't need to provide your own certificate generated with openssl. If you want to use a self-signed certificate, you don't need autocert (and autotls). And a self-signed certificate is not trusted by the clients by default.
- autocert will create a new ECDSA P-256 key for you. If you want to use your own private key, set the key with autocert.Manager.
- Since it needs to apply for certificates from https://letsencrypt.org/, the public network should be available to your application.
- Let's Encrypt will verify that you're the domain owner by sending an HTTP request to your website. Make sure your website is accessible on the domain (it's exampleMS.org according to your demo). And this request is sent to the HTTP port 80. So you should make sure this port is not blocked too. To be more exact:
  > The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges. These are different ways that the agent can prove control of the domain. For example, the CA might give the agent a choice of either:
  >
  > - Provisioning a DNS record under example.com, or
  > - Provisioning an HTTP resource under a well-known URI
- There are several demos provided by autotls, in case you don't know.