|
47 | 47 | # SHA-256).
|
48 | 48 | CertFile = './pems/cert.pem'
|
49 | 49 |
|
| 50 | +# The path to save a new cert retrieved from the CA if the current cert in |
| 51 | +# 'CertFile' above is still valid. |
| 52 | +# This is optional and is needed only if you have 'autorenewcert' turned on. |
| 53 | +# For multi-replica setups (multiple AMP Packager instances), only the replica |
| 54 | +# that will do the autorenewal of certs needs this config item set. |
| 55 | +# NewCertFile = './pems/newcert.pem' |
| 56 | + |
| 57 | +# The path to the Certificate Signing Request (CSR) that is needed to request |
| 58 | +# new certificates from the Certificate Authority using ACME. |
| 59 | +# CSRs are typically created using the openssl command: |
| 60 | +# openssl req -new -key /path/to/privkey -out /path/to/cert.csr |
| 61 | +# To verify: |
| 62 | +# openssl req -text -noout -verify -in cert.csr |
| 63 | +# The following docs list examples on how to go about generating CSRs: |
| 64 | +# https://www.digicert.com/csr-creation.htm?rid=011592 |
| 65 | +# https://www.ssl.com/how-to/manually-generate-a-certificate-signing-request-csr-using-openssl/ |
| 66 | +# https://geekflare.com/san-ssl-certificate/ |
| 67 | +# This is optional and is needed only if you have 'autorenewcert' turned on. |
| 68 | +# CSRFile = './pems/cert.csr' |
| 69 | + |
50 | 70 | # The path to the PEM file containing the private key that corresponds to the
|
51 | 71 | # leaf certificate in CertFile.
|
52 | 72 | KeyFile = './pems/privkey.pem'
|
@@ -170,3 +190,81 @@ ForwardedRequestHeaders = []
|
170 | 190 | # Domain = "www.corp.amppackageexample.com"
|
171 | 191 | # PathRE = "/world/.*"
|
172 | 192 | # QueryRE = ""
|
| 193 | + |
| 194 | +# IMPORTANT NOTE: the support of the ACME protocol and automatic renewal of certificates is currently in the |
| 195 | +# EXPERIMENTAL stage. Once we have more experience with people using it out in the wild, we will gradually |
| 196 | +# move it to PRODUCTION mode. |
| 197 | +# |
| 198 | +# ACME is a protocol that allows for automatic renewal of certificates. AMP Packager uses an ACME library |
| 199 | +# https://github.com/go-acme/lego to handle certificate renewal. Automatic certificate renewal is enabled |
| 200 | +# in AMP Packager via the 'autorenewcert' flag. Turning the flag on will enable AMP Packager to automatically |
| 201 | +# request certificate renewals whenever it has determined that the current certificate is expired or about to |
| 202 | +# expire. |
| 203 | +# |
| 204 | +# ACMEConfig only needs to be present in the toml file if 'autorenewcert' command line flag was turned on. |
| 205 | +# If the flag is on, at least one of ACMEConfig.Production or ACMEConfig.Development should be present. |
| 206 | +# Note that a recommended best practice for setting up the cert renewal that minimizes both cost and bombarding |
| 207 | +# your Certificate Authority with requests is that for a multi-instance setup of AMP packager, only one instance is |
| 208 | +# setup to do automatic cert renewals and the rest of the instances will just be configured to reload the fresh |
| 209 | +# certificate from disk when their in-memory copies expire. This also implies that the cert paths configured above |
| 210 | +# in 'CertFile' and 'NewCertFile' are located on a shared filesystem accessible by all AMP packager instances. |
| 211 | +# |
| 212 | +# For the full ACME spec, see: |
| 213 | +# https://tools.ietf.org/html/draft-ietf-acme-acme-02 |
| 214 | +# https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html |
| 215 | +# TODO(banaag): consider renaming ACMEConfig to ACME |
| 216 | +# [ACMEConfig] |
| 217 | + # This config will be used if 'autorenewcert' is turned on and 'development' is turned off. |
| 218 | + # If the flags above are on but we don't have an entry here, AMP Packager will not start. |
| 219 | + # [ACMEConfig.Production] |
| 220 | + # This is the ACME discovery URL that is used for ACME http requests to the Certificate Authority that |
| 221 | + # doles out the certificates. |
| 222 | + # Currently, the only CA that supports automatic signed exchange cert renewals is Digicert: |
| 223 | + # https://docs.digicert.com/certificate-tools/acme-user-guide/acme-directory-urls-signed-http-exchange-certificates/ |
| 224 | + # DiscoURL = "https://production-acme.discovery.url/" |
| 225 | + |
| 226 | + # This is the email address you used to create an account with the Certificate Authority that is registered to |
| 227 | + # request signed exchange certificates. |
| 228 | + # EmailAddress = "[email protected]" |
| 229 | + |
| 230 | + # For the remaining configuration items, it's important to understand the different challenges employed as |
| 231 | + # part of the ACME protocol. See: |
| 232 | + # https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#identifier-validation-challenges |
| 233 | + # https://letsencrypt.org/docs/challenge-types/ |
| 234 | + # https://certbot.eff.org/docs/challenges.html?highlight=http |
| 235 | + # Note that you don't need to have all the challenges configured, it's typically sufficient to have one configured. |
| 236 | + # The exception arises when you have to deal with wildcard certificates, see below. |
| 237 | + |
| 238 | + # This is the http server root directory where the ACME http challenge token could be deposited. Note that you may |
| 239 | + # need to do some configuration work to get this setup to work where multiple instances of AMP Packager is running. |
| 240 | + # For example: |
| 241 | + # https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622/3 |
| 242 | + # HttpWebRootDir = '/path/to/www_root_dir' |
| 243 | + |
| 244 | + # This is the port used by the AMP Packager to respond to the HTTP challenge issued as part of ACME protocol. |
| 245 | + # Note that if your setup only opens up certain ports, you may need to do a configuration change where you forward |
| 246 | + # requests to this port using proxy_pass, for example: |
| 247 | + # https://medium.com/@dipeshwagle/add-https-using-lets-encrypt-to-nginx-configured-as-a-reverse-proxy-on-ubuntu-b4455a729176 |
| 248 | + # HttpChallengePort = 5002 |
| 249 | + |
| 250 | + # This is the port used by AMP packager to respond to the TLS challenge issued as part of the ACME protocol. |
| 251 | + # TlsChallengePort = 5003 |
| 252 | + |
| 253 | + # This is the DnsProvider to be used in fulfilling the ACME DNS challenge. Note that you only need the DNS challenge |
| 254 | + # setup if you have wildcard certificates. See: https://searchsecurity.techtarget.com/definition/wildcard-certificate |
| 255 | + # For the DNS challenge, go-acme/lego, there are certain environment variables that need to be set up which depends on |
| 256 | + # the DNS provider that you use to fulfill the DNS challenge. See: |
| 257 | + # https://go-acme.github.io/lego/dns/ |
| 258 | + # DnsProvider = "gcloud" |
| 259 | + |
| 260 | + # This config will be used if 'autorenewcert' is turned on and 'development' is turned on. |
| 261 | + # If the flags above are on but we don't have an entry here, AMP Packager will not start. |
| 262 | + # All the other fields below have the same semantics as the one in ACMEConfig.Production above. |
| 263 | + # For development mode, given that we don't require the SXG extension, one can use Let's Encrypt CA to generate the certs. |
| 264 | + # [ACMEConfig.Development] |
| 265 | + # DiscoURL = "https://development-acme.discovery.url/" |
| 266 | + # EmailAddress = "[email protected]" |
| 267 | + # HttpChallengePort = 5002 |
| 268 | + # HttpWebRootDir = '/path/to/www_root_dir' |
| 269 | + # TlsChallengePort = 5003 |
| 270 | + # DnsProvider = "gcloud" |
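Review bot: The "full ACME spec" pointers at new-side lines 212–214 cite expired drafts (draft-ietf-acme-acme-02 and the working-group HTML draft), and the same draft is linked again at line 232; ACME is published as RFC 8555, so the comment should cite `# https://www.rfc-editor.org/rfc/rfc8555` (section 8 for the challenge types) so readers are not sent to superseded text. The DnsProvider paragraph at lines 253–257 should say what those lego environment variables are, since they are the sensitive part of the DNS-01 setup: I would add `# These environment variables hold your DNS provider's API credentials (they must be able to create TXT records), so set them only on the instance that performs renewals and keep them out of shared config files.` The sentence `# For the DNS challenge, go-acme/lego, there are certain environment variables that need to be set up which depends on` is also garbled and reads better as `# For the DNS challenge, go-acme/lego reads provider-specific environment variables; which ones are needed depends on`. The commented-out `[ACMEConfig]` block is indented with leading spaces, which TOML ignores but which is inconsistent with the rest of this example file, so the keys under `# [ACMEConfig.Production]` and `# [ACMEConfig.Development]` could start at column 0 like `# NewCertFile` above.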