From d5b95136d5f162645a6bfaa76833cbf5520f7e45 Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Wed, 26 Jun 2024 23:10:51 +0200
Subject: enable TLS for local development (using caddy as acme server)

---
 internal/server/tls.go | 66 ++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 48 insertions(+), 18 deletions(-)

(limited to 'internal/server/tls.go')

diff --git a/internal/server/tls.go b/internal/server/tls.go
index 370134c..84dae74 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -2,6 +2,8 @@ package server
 
 import (
 	"context"
+	"crypto/x509"
+	"website/internal/log"
 
 	"github.com/ardanlabs/conf/v3"
 	"github.com/caddyserver/caddy/v2"
@@ -19,25 +21,45 @@ type redisConfig struct {
 }
 
 func (s *Server) serveTLS() (err error) {
-	rc := &redisConfig{}
-	_, err = conf.Parse("REDIS", rc)
-	if err != nil {
-		return errors.Wrap(err, "could not parse redis config")
-	}
+	if s.runtimeConfig.Development {
+		ca := s.runtimeConfig.ACMECACert
+		if ca == "" {
+			return errors.New("Need ACME_CA_CERT to enable TLS in development")
+		}
+
+		cp := x509.NewCertPool()
+		cp.AppendCertsFromPEM([]byte(ca))
+
+		cfg := certmagic.NewDefault()
+		issuer := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
+			CA:                      "https://localhost/acme/local/directory",
+			TrustedRoots:            cp,
+			DisableTLSALPNChallenge: true,
+			AltHTTPPort:             s.runtimeConfig.Port,
+		})
 
-	rs := certmagic_redis.New()
-	rs.Address = []string{rc.Address}
-	rs.Username = rc.Username
-	rs.Password = rc.Password
-	rs.EncryptionKey = rc.EncryptionKey
-	rs.KeyPrefix = rc.KeyPrefix
-
-	certmagic.Default.Storage = rs
-	err = rs.Provision(caddy.Context{
-		Context: context.Background(),
-	})
-	if err != nil {
-		return errors.Wrap(err, "could not provision redis storage")
+		certmagic.DefaultACME = *issuer
+	} else {
+		rc := &redisConfig{}
+		_, err = conf.Parse("REDIS", rc)
+		if err != nil {
+			return errors.Wrap(err, "could not parse redis config")
+		}
+
+		rs := certmagic_redis.New()
+		rs.Address = []string{rc.Address}
+		rs.Username = rc.Username
+		rs.Password = rc.Password
+		rs.EncryptionKey = rc.EncryptionKey
+		rs.KeyPrefix = rc.KeyPrefix
+
+		certmagic.Default.Storage = rs
+		err = rs.Provision(caddy.Context{
+			Context: context.Background(),
+		})
+		if err != nil {
+			return errors.Wrap(err, "could not provision redis storage")
+		}
 	}
 
 	certmagic.DefaultACME.Agreed = true
@@ -46,5 +68,13 @@ func (s *Server) serveTLS() (err error) {
 	certmagic.HTTPPort = s.runtimeConfig.Port
 	certmagic.HTTPSPort = s.runtimeConfig.TLSPort
 
+	log.Debug(
+		"starting certmagic",
+		"http_port",
+		certmagic.HTTPPort,
+		"https_port",
+		certmagic.HTTPSPort,
+	)
+
 	return certmagic.HTTPS(s.config.Domains, s.Server.Handler)
 }
-- 
cgit 1.4.1