certmagic: github.com/mholt/certmagic Index | Examples | Files

package certmagic

import "github.com/mholt/certmagic"

Package certmagic automates the obtaining and renewal of TLS certificates, including TLS & HTTPS best practices such as robust OCSP stapling, caching, HTTP->HTTPS redirects, and more.

Its high-level API serves your HTTP handlers over HTTPS if you simply give the domain name(s) and the http.Handler; CertMagic will create and run the HTTPS server for you, fully managing certificates during the lifetime of the server. Similarly, it can be used to start TLS listeners or return a ready-to-use tls.Config -- whatever layer you need TLS for, CertMagic makes it easy. See the HTTPS, Listen, and TLS functions for that.

If you need more control, create a Config using New() and then call Manage() on the config; but you'll have to be sure to solve the HTTP and TLS-ALPN challenges yourself (unless you disabled them or use the DNS challenge) by using the provided Config.GetCertificate function in your tls.Config and/or Config.HTTPChallangeHandler in your HTTP handler.

See the package's README for more instruction.

Index

Examples

Package Files

cache.go certificates.go certmagic.go client.go config.go crypto.go filestorage.go handshake.go httphandler.go maintain.go ocsp.go solvers.go storage.go user.go

Constants

const (
    // HTTPChallengePort is the officially-designated port for
    // the HTTP challenge according to the ACME spec.
    HTTPChallengePort = 80

    // TLSALPNChallengePort is the officially-designated port for
    // the TLS-ALPN challenge according to the ACME spec.
    TLSALPNChallengePort = 443
)
const (
    LetsEncryptStagingCA    = "https://acme-staging-v02.api.letsencrypt.org/directory"
    LetsEncryptProductionCA = "https://acme-v02.api.letsencrypt.org/directory"
)

Some well-known CA endpoints available to use.

const (
    // DefaultRenewInterval is how often to check certificates for renewal.
    DefaultRenewInterval = 12 * time.Hour

    // DefaultRenewDurationBefore is how long before expiration to renew certificates.
    DefaultRenewDurationBefore = (24 * time.Hour) * 30

    // DefaultRenewDurationBeforeAtStartup is how long before expiration to require
    // a renewed certificate when the process is first starting up (see mholt/caddy#1680).
    DefaultRenewDurationBeforeAtStartup = (24 * time.Hour) * 7

    // DefaultOCSPInterval is how often to check if OCSP stapling needs updating.
    DefaultOCSPInterval = 1 * time.Hour
)

Variables

var (
    // The endpoint of the directory for the ACME
    // CA we are to use
    CA  = LetsEncryptProductionCA

    // The email address to use when creating or
    // selecting an existing ACME server account
    Email string

    // The synchronization implementation - all
    // instances of certmagic in a cluster must
    // use the same value here, otherwise some
    // cert operations will not be properly
    // coordinated
    Sync Locker

    // Set to true if agreed to the CA's
    // subscriber agreement
    Agreed bool

    // Disable all HTTP challenges
    DisableHTTPChallenge bool

    // Disable all TLS-ALPN challenges
    DisableTLSALPNChallenge bool

    // How long before expiration to renew certificates
    RenewDurationBefore = DefaultRenewDurationBefore

    // How long before expiration to require a renewed
    // certificate when in interactive mode, like when
    // the program is first starting up (see
    // mholt/caddy#1680). A wider window between
    // RenewDurationBefore and this value will suppress
    // errors under duress (bad) but hopefully this duration
    // will give it enough time for the blockage to be
    // relieved.
    RenewDurationBeforeAtStartup = DefaultRenewDurationBeforeAtStartup

    // An optional event callback clients can set
    // to subscribe to certain things happening
    // internally by this config; invocations are
    // synchronous, so make them return quickly!
    OnEvent func(event string, data interface{})

    // The host (ONLY the host, not port) to listen
    // on if necessary to start a listener to solve
    // an ACME challenge
    ListenHost string

    // The alternate port to use for the ACME HTTP
    // challenge; if non-empty,  this port will be
    // used instead of HTTPChallengePort to spin up
    // a listener for the HTTP challenge
    AltHTTPPort int

    // The alternate port to use for the ACME
    // TLS-ALPN challenge; the system must forward
    // TLSALPNChallengePort to this port for
    // challenge to succeed
    AltTLSALPNPort int

    // The DNS provider to use when solving the
    // ACME DNS challenge
    DNSProvider challenge.Provider

    // The type of key to use when generating
    // certificates
    KeyType = certcrypto.RSA2048

    // The maximum amount of time to allow for
    // obtaining a certificate. If empty, the
    // default from the underlying lego lib is
    // used. If set, it must not be too low so
    // as to cancel orders too early, running
    // the risk of rate limiting.
    CertObtainTimeout time.Duration

    // Set the default server name for clients
    // not indicating a server name using SNI.
    // In most cases this will be the primary
    // domain that is being served.
    DefaultServerName string

    // The state needed to operate on-demand TLS
    OnDemand *OnDemandConfig

    // Add the must staple TLS extension to the
    // CSR generated by lego/acme
    MustStaple bool
)

Package defaults

var (
    // HTTPPort is the port on which to serve HTTP
    // and, by extension, the HTTP challenge (unless
    // AltHTTPPort is set).
    HTTPPort = 80

    // HTTPSPort is the port on which to serve HTTPS
    // and, by extension, the TLS-ALPN challenge
    // (unless AltTLSALPNPort is set).
    HTTPSPort = 443
)

Port variables must remain their defaults unless you forward packets from the defaults to whatever these are set to; otherwise ACME challenges will fail.

var (
    UserAgent   string
    HTTPTimeout = 30 * time.Second
)

Some default values passed down to the underlying lego client.

func HTTPS Uses

func HTTPS(domainNames []string, mux http.Handler) error

HTTPS serves mux for all domainNames using the HTTP and HTTPS ports, redirecting all HTTP requests to HTTPS.

This high-level convenience function is opinionated and applies sane defaults for production use, including timeouts for HTTP requests and responses. To allow very long-lived requests or connections, you should make your own http.Server values and use this package's Listen(), TLS(), or Config.TLSConfig() functions to customize to your needs. For example, servers which need to support large uploads or downloads with slow clients may need to use longer timeouts, thus this function is not suitable.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

This is the simplest way for HTTP servers to use this package. Call HTTPS() with your domain names and your handler (or nil for the http.DefaultMux), and CertMagic will do the rest.

Code:

http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
    fmt.Fprintf(w, "Hello, HTTPS visitor!")
})

err := HTTPS([]string{"example.com", "www.example.com"}, nil)
if err != nil {
    log.Fatal(err)
}

func HostQualifies Uses

func HostQualifies(hostname string) bool

HostQualifies returns true if the hostname alone appears eligible for automagic TLS. For example: localhost, empty hostname, and IP addresses are not eligible because we cannot obtain certificates for those names. Wildcard names are allowed, as long as they conform to CABF requirements (only one wildcard label, and it must be the left-most label).

func Listen Uses

func Listen(domainNames []string) (net.Listener, error)

Listen manages certificates for domainName and returns a TLS listener.

Because this convenience function returns only a TLS-enabled listener and does not presume HTTP is also being served, the HTTP challenge will be disabled.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

func NormalizedName Uses

func NormalizedName(serverName string) string

NormalizedName returns a cleaned form of serverName that is used for consistency when referring to a SNI value.

func TLS Uses

func TLS(domainNames []string) (*tls.Config, error)

TLS enables management of certificates for domainNames and returns a valid tls.Config.

Because this is a convenience function that returns only a tls.Config, it does not assume HTTP is being served on the HTTP port, so the HTTP challenge is disabled (no HTTPChallengeHandler is necessary).

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

type Cache Uses

type Cache struct {
    // How often to check certificates for renewal
    RenewInterval time.Duration

    // How often to check if OCSP stapling needs updating
    OCSPInterval time.Duration
    // contains filtered or unexported fields
}

Cache is a structure that stores certificates in memory. Generally, there should only be one per process. However, complex applications that virtualize the concept of a "process" (such as Caddy, which virtualizes processes as "instances" so it can do graceful, in-memory reloads of its configuration) may use more of these per OS process.

Using just one cache per process avoids duplication of certificates across multiple configurations and makes maintenance easier.

An empty cache is INVALID and must not be used. Be sure to call NewCertificateCache to get one.

These should be very long-lived values, and must not be copied. Before all references leave scope to be garbage collected, ensure you call Stop() to stop maintenance maintenance on the certificates stored in this cache.

func NewCache Uses

func NewCache(storage Storage) *Cache

NewCache returns a new, valid Cache backed by the given storage implementation. It also begins a maintenance goroutine for any managed certificates stored in this cache.

See the godoc for Cache to use it properly.

Note that all processes running in a cluster configuration must use the same storage value in order to share certificates. (A single storage value may be shared by multiple clusters as well.)

func (*Cache) RenewManagedCertificates Uses

func (certCache *Cache) RenewManagedCertificates(interactive bool) error

RenewManagedCertificates renews managed certificates, including ones loaded on-demand. Note that this is done automatically on a regular basis; normally you will not need to call this.

func (*Cache) Stop Uses

func (certCache *Cache) Stop()

Stop stops the maintenance goroutine for certificates in certCache.

type Certificate Uses

type Certificate struct {
    tls.Certificate

    // Names is the list of names this certificate is written for.
    // The first is the CommonName (if any), the rest are SAN.
    Names []string

    // NotAfter is when the certificate expires.
    NotAfter time.Time

    // OCSP contains the certificate's parsed OCSP response.
    OCSP *ocsp.Response

    // The hex-encoded hash of this cert's chain's bytes.
    Hash string
    // contains filtered or unexported fields
}

Certificate is a tls.Certificate with associated metadata tacked on. Even if the metadata can be obtained by parsing the certificate, we are more efficient by extracting the metadata onto this struct.

func (Certificate) NeedsRenewal Uses

func (c Certificate) NeedsRenewal() bool

NeedsRenewal returns true if the certificate is expiring soon or has expired.

type Config Uses

type Config struct {
    // The endpoint of the directory for the ACME
    // CA we are to use
    CA  string

    // The email address to use when creating or
    // selecting an existing ACME server account
    Email string

    // Set to true if agreed to the CA's
    // subscriber agreement
    Agreed bool

    // Disable all HTTP challenges
    DisableHTTPChallenge bool

    // Disable all TLS-ALPN challenges
    DisableTLSALPNChallenge bool

    // How long before expiration to renew certificates
    RenewDurationBefore time.Duration

    // How long before expiration to require a renewed
    // certificate when in interactive mode, like when
    // the program is first starting up (see
    // mholt/caddy#1680). A wider window between
    // RenewDurationBefore and this value will suppress
    // errors under duress (bad) but hopefully this duration
    // will give it enough time for the blockage to be
    // relieved.
    RenewDurationBeforeAtStartup time.Duration

    // An optional event callback clients can set
    // to subscribe to certain things happening
    // internally by this config; invocations are
    // synchronous, so make them return quickly!
    OnEvent func(event string, data interface{})

    // The host (ONLY the host, not port) to listen
    // on if necessary to start a listener to solve
    // an ACME challenge
    ListenHost string

    // The alternate port to use for the ACME HTTP
    // challenge; if non-empty,  this port will be
    // used instead of HTTPChallengePort to spin up
    // a listener for the HTTP challenge
    AltHTTPPort int

    // The alternate port to use for the ACME
    // TLS-ALPN challenge; the system must forward
    // TLSALPNChallengePort to this port for
    // challenge to succeed
    AltTLSALPNPort int

    // The DNS provider to use when solving the
    // ACME DNS challenge
    DNSProvider challenge.Provider

    // The type of key to use when generating
    // certificates
    KeyType certcrypto.KeyType

    // The maximum amount of time to allow for
    // obtaining a certificate. If empty, the
    // default from the underlying lego lib is
    // used. If set, it must not be too low so
    // as to cancel orders too early, running
    // the risk of rate limiting.
    CertObtainTimeout time.Duration

    // DefaultServerName specifies a server name
    // to use when choosing a certificate if the
    // ClientHello's ServerName field is empty
    DefaultServerName string

    // The state needed to operate on-demand TLS
    OnDemand *OnDemandConfig

    // Add the must staple TLS extension to the
    // CSR generated by lego/acme
    MustStaple bool
    // contains filtered or unexported fields
}

Config configures a certificate manager instance. An empty Config is not valid: use New() to obtain a valid Config.

func Manage Uses

func Manage(domainNames []string) (cfg *Config, err error)

Manage obtains certificates for domainNames and keeps them renewed using the returned Config.

You will need to ensure that you use a TLS config that gets certificates from this Config and that the HTTP and TLS-ALPN challenges can be solved. The easiest way to do this is to use cfg.TLSConfig() as your TLS config and to wrap your HTTP handler with cfg.HTTPChallengeHandler(). If you don't have an HTTP server, you will need to disable the HTTP challenge.

If you already have a TLS config you want to use, you can simply set its GetCertificate field to cfg.GetCertificate.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

func New Uses

func New(cfg Config) *Config

New makes a valid config based on cfg and uses a default certificate cache. All calls to New() will use the same certificate cache.

func NewDefault Uses

func NewDefault() *Config

NewDefault returns a new, valid, default config.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

func NewWithCache Uses

func NewWithCache(certCache *Cache, cfg Config) *Config

NewWithCache makes a valid new config based on cfg and uses the provided certificate cache. If certCache is nil, a new, default one will be created using DefaultStorage; or, if a default cache has already been created, it will be reused.

func (*Config) CacheManagedCertificate Uses

func (cfg *Config) CacheManagedCertificate(domain string) (Certificate, error)

CacheManagedCertificate loads the certificate for domain into the cache, from the TLS storage for managed certificates. It returns a copy of the Certificate that was put into the cache.

This is a lower-level method; normally you'll call Manage() instead.

This method is safe for concurrent use.

func (*Config) CacheUnmanagedCertificatePEMBytes Uses

func (cfg *Config) CacheUnmanagedCertificatePEMBytes(certBytes, keyBytes []byte) error

CacheUnmanagedCertificatePEMBytes makes a certificate out of the PEM bytes of the certificate and key, then caches it in memory.

This method is safe for concurrent use.

func (*Config) CacheUnmanagedCertificatePEMFile Uses

func (cfg *Config) CacheUnmanagedCertificatePEMFile(certFile, keyFile string) error

CacheUnmanagedCertificatePEMFile loads a certificate for host using certFile and keyFile, which must be in PEM format. It stores the certificate in the in-memory cache.

This method is safe for concurrent use.

func (*Config) CacheUnmanagedTLSCertificate Uses

func (cfg *Config) CacheUnmanagedTLSCertificate(tlsCert tls.Certificate) error

CacheUnmanagedTLSCertificate adds tlsCert to the certificate cache. It staples OCSP if possible.

This method is safe for concurrent use.

func (*Config) GetCertificate Uses

func (cfg *Config) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate gets a certificate to satisfy clientHello. In getting the certificate, it abides the rules and settings defined in the Config that matches clientHello.ServerName. It first checks the in- memory cache, then, if the config enables "OnDemand", it accesses disk, then accesses the network if it must obtain a new certificate via ACME.

This method is safe for use as a tls.Config.GetCertificate callback.

func (*Config) HTTPChallengeHandler Uses

func (cfg *Config) HTTPChallengeHandler(h http.Handler) http.Handler

HTTPChallengeHandler wraps h in a handler that can solve the ACME HTTP challenge. cfg is required, and it must have a certificate cache backed by a functional storage facility, since that is where the challenge state is stored between initiation and solution.

If a request is not an ACME HTTP challenge, h willl be invoked.

func (*Config) HandleHTTPChallenge Uses

func (cfg *Config) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool

HandleHTTPChallenge uses cfg to solve challenge requests from an ACME server that were initiated by this instance or any other instance in this cluster (being, any instances using the same storage cfg does).

If the HTTP challenge is disabled, this function is a no-op.

If cfg is nil or if cfg does not have a certificate cache backed by usable storage, solving the HTTP challenge will fail.

It returns true if it handled the request; if so, the response has already been written. If false is returned, this call was a no-op and the request has not been handled.

func (*Config) Manage Uses

func (cfg *Config) Manage(domainNames []string) error

Manage causes the certificates for domainNames to be managed according to cfg. If cfg is enabled for OnDemand, then this simply whitelists the domain names. Otherwise, the certificate(s) for each name are loaded from storage or obtained from the CA; and if loaded from storage, renewed if they are expiring or expired. It then caches the certificate in memory and is prepared to serve them up during TLS handshakes.

func (*Config) ObtainCert Uses

func (cfg *Config) ObtainCert(name string, interactive bool) error

ObtainCert obtains a certificate for name using cfg, as long as a certificate does not already exist in storage for that name. The name must qualify and cfg must be flagged as Managed. This function is a no-op if storage already has a certificate for name.

It only obtains and stores certificates (and their keys), it does not load them into memory. If interactive is true, the user may be shown a prompt.

func (*Config) RenewCert Uses

func (cfg *Config) RenewCert(name string, interactive bool) error

RenewCert renews the certificate for name using cfg. It stows the renewed certificate and its assets in storage if successful.

func (*Config) RevokeCert Uses

func (cfg *Config) RevokeCert(domain string, interactive bool) error

RevokeCert revokes the certificate for domain via ACME protocol.

func (*Config) TLSConfig Uses

func (cfg *Config) TLSConfig() *tls.Config

TLSConfig is an opinionated method that returns a recommended, modern TLS configuration that can be used to configure TLS listeners, which also supports the TLS-ALPN challenge and serves up certificates managed by cfg.

Unlike the package TLS() function, this method does not, by itself, enable certificate management for any domain names.

Feel free to further customize the returned tls.Config, but do not mess with the GetCertificate or NextProtos fields unless you know what you're doing, as they're necessary to solve the TLS-ALPN challenge.

type ErrNotExist Uses

type ErrNotExist interface {
    error
}

ErrNotExist is returned by Storage implementations when a resource is not found. It is similar to os.IsNotExist except this is a type, not a variable.

type FileStorage Uses

type FileStorage struct {
    Path string
}

FileStorage facilitates forming file paths derived from a root directory. It is used to get file paths in a consistent, cross-platform way or persisting ACME assets on the file system.

func (*FileStorage) Delete Uses

func (fs *FileStorage) Delete(key string) error

Delete deletes the value at key.

func (*FileStorage) Exists Uses

func (fs *FileStorage) Exists(key string) bool

Exists returns true if key exists in fs.

func (*FileStorage) Filename Uses

func (fs *FileStorage) Filename(key string) string

Filename returns the key as a path on the file system prefixed by fs.Path.

func (*FileStorage) List Uses

func (fs *FileStorage) List(prefix string, recursive bool) ([]string, error)

List returns all keys that match prefix.

func (*FileStorage) Load Uses

func (fs *FileStorage) Load(key string) ([]byte, error)

Load retrieves the value at key.

func (*FileStorage) Lock Uses

func (fs *FileStorage) Lock(key string) error

Lock obtains a lock named by the given key. It blocks until the lock can be obtained or an error is returned.

func (*FileStorage) Stat Uses

func (fs *FileStorage) Stat(key string) (KeyInfo, error)

Stat returns information about key.

func (*FileStorage) Store Uses

func (fs *FileStorage) Store(key string, value []byte) error

Store saves value at key.

func (*FileStorage) String Uses

func (fs *FileStorage) String() string

func (*FileStorage) Unlock Uses

func (fs *FileStorage) Unlock(key string) error

Unlock releases the lock for name.

type KeyBuilder Uses

type KeyBuilder struct{}

KeyBuilder provides a namespace for methods that build keys and key prefixes, for addressing items in a Storage implementation.

var StorageKeys KeyBuilder

StorageKeys provides methods for accessing keys and key prefixes for items in a Storage. Typically, you will not need to use this because accessing storage is abstracted away for most cases. Only use this if you need to directly access TLS assets in your application.

func (KeyBuilder) CAPrefix Uses

func (keys KeyBuilder) CAPrefix(ca string) string

CAPrefix returns the storage key prefix for the given certificate authority URL.

func (KeyBuilder) OCSPStaple Uses

func (keys KeyBuilder) OCSPStaple(cert *Certificate, pemBundle []byte) string

OCSPStaple returns a key for the OCSP staple associated with the given certificate. If you have the PEM bundle handy, pass that in to save an extra encoding step.

func (KeyBuilder) Safe Uses

func (keys KeyBuilder) Safe(str string) string

Safe standardizes and sanitizes str for use as a storage key. This method is idempotent.

func (KeyBuilder) SiteCert Uses

func (keys KeyBuilder) SiteCert(ca, domain string) string

SiteCert returns the path to the certificate file for domain.

func (KeyBuilder) SiteMeta Uses

func (keys KeyBuilder) SiteMeta(ca, domain string) string

SiteMeta returns the path to the domain's asset metadata file.

func (KeyBuilder) SitePrefix Uses

func (keys KeyBuilder) SitePrefix(ca, domain string) string

SitePrefix returns a key prefix for items associated with the site using the given CA URL.

func (KeyBuilder) SitePrivateKey Uses

func (keys KeyBuilder) SitePrivateKey(ca, domain string) string

SitePrivateKey returns the path to domain's private key file.

func (KeyBuilder) UserPrefix Uses

func (keys KeyBuilder) UserPrefix(ca, email string) string

UserPrefix returns a key prefix for items related to the user with the given email for the given CA URL.

func (KeyBuilder) UserPrivateKey Uses

func (keys KeyBuilder) UserPrivateKey(ca, email string) string

UserPrivateKey gets the path to the private key file for the user with the given email address on the given CA URL.

func (KeyBuilder) UserReg Uses

func (keys KeyBuilder) UserReg(ca, email string) string

UserReg gets the path to the registration file for the user with the given email address for the given CA URL.

func (KeyBuilder) UsersPrefix Uses

func (keys KeyBuilder) UsersPrefix(ca string) string

UsersPrefix returns a key prefix for items related to users associated with the given CA URL.

type KeyInfo Uses

type KeyInfo struct {
    Key        string
    Modified   time.Time
    Size       int64
    IsTerminal bool // false for keys that only contain other keys (like directories)
}

KeyInfo holds information about a key in storage.

type Locker Uses

type Locker interface {
    // Lock acquires the lock for key, blocking until the lock
    // can be obtained or an error is returned. Note that, even
    // after acquiring a lock, an idempotent operation may have
    // already been performed by another process that acquired
    // the lock before - so always check to make sure idempotent
    // operations still need to be performed after acquiring the
    // lock.
    //
    // The actual implementation of obtaining of a lock must be
    // an atomic operation so that multiple Lock calls at the
    // same time always results in only one caller receiving the
    // lock at any given time.
    //
    // To prevent deadlocks, all implementations (where this concern
    // is relevant) should put a reasonable expiration on the lock in
    // case Unlock is unable to be called due to some sort of network
    // or system failure or crash.
    Lock(key string) error

    // Unlock releases the lock for key. This method must ONLY be
    // called after a successful call to Lock, and only after the
    // critical section is finished, even if it errored or timed
    // out. Unlock cleans up any resources allocated during Lock.
    Unlock(key string) error
}

Locker facilitates synchronization of certificate tasks across machines and networks.

type OnDemandConfig Uses

type OnDemandConfig struct {
    // If set, this function will be the absolute
    // authority on whether the hostname (according
    // to SNI) is allowed to try to get a cert.
    DecisionFunc func(name string) error

    // If no DecisionFunc is set, this whitelist
    // is the absolute authority as to whether
    // a certificate should be allowed to be tried.
    // Names are compared against SNI value.
    HostWhitelist []string

    // If no DecisionFunc or HostWhitelist are set,
    // then an HTTP request will be made to AskURL
    // to determine if a certificate should be
    // obtained. If the request fails or the response
    // is anything other than 2xx status code, the
    // issuance will be denied.
    AskURL *url.URL

    // If no DecisionFunc, HostWhitelist, or AskURL
    // are set, then only this many certificates may
    // be obtained on-demand; this field is required
    // if all others are empty, otherwise, all cert
    // issuances will fail.
    MaxObtain int32
    // contains filtered or unexported fields
}

OnDemandConfig contains some state relevant for providing on-demand TLS.

func (*OnDemandConfig) Allowed Uses

func (o *OnDemandConfig) Allowed(name string) error

Allowed returns whether the issuance for name is allowed according to o.

type Storage Uses

type Storage interface {
    // Locker provides atomic synchronization
    // operations, making Storage safe to share.
    Locker

    // Store puts value at key.
    Store(key string, value []byte) error

    // Load retrieves the value at key.
    Load(key string) ([]byte, error)

    // Delete deletes key.
    Delete(key string) error

    // Exists returns true if the key exists
    // and there was no error checking.
    Exists(key string) bool

    // List returns all keys that match prefix.
    // If recursive is true, non-terminal keys
    // will be enumerated (i.e. "directories"
    // should be walked); otherwise, only keys
    // prefixed exactly by prefix will be listed.
    List(prefix string, recursive bool) ([]string, error)

    // Stat returns information about key.
    Stat(key string) (KeyInfo, error)
}

Storage is a type that implements a key-value store. Keys are prefix-based, with forward slash '/' as separators and without a leading slash.

Processes running in a cluster will wish to use the same Storage value (its implementation and configuration) in order to share certificates and other TLS resources with the cluster.

Implementations of Storage must be safe for concurrent use.

var DefaultStorage Storage = defaultFileStorage

DefaultStorage is the default Storage implementation.

Package certmagic imports 40 packages (graph) and is imported by 18 packages. Updated 2019-02-04. Refresh now. Tools for package owners.