Add implementation of CertFetcher abstraction on top of Lego/ACME library.

[banaag]

No description provided.

[googlebot]

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

[banaag]

@googlebot

[googlebot]

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

[twifkak]

Nice progress! Haven't reviewed tests yet, but let me know if there's anything in particular there you want me to notice. :)

[twifkak]

Please run dep ensure and add the vendor/ files to this PR. (https://golang.github.io/dep/)

[banaag]

Will do this in next commit.

[twifkak]

OK for this PR. I think for some future PR it'd be preferable if we can host the challenge URLs on the same port as the rest of amppkg. (Agree/disagree?)

Naive ideas:

• https://golang.org/pkg/net/http/httputil/#ReverseProxy
• implement a custom challenge.Provider (https://github.com/go-acme/lego/blob/a5a29187fea9f555ea43fae16ca65066c452d330/challenge/http01/http_challenge_server.go#L25)

We'd also talked about, instead of the reverse-proxy approach, adding a new config field with a path to a directory where we'd dump the challenge responses, to be served by a normal web server (e.g. /var/www/html/.well-known/acme-challenge). Especially useful if having to coexist with certbot. If that's still your thinking, then I guess the custom ProviderServer seems like the way to go?

[Gregable]

My 2c based on what I know so far is that we should lean towards the reverse proxy if we're picking exactly one.

The idea here is that this may be running on some remote server in a Google Cloud, Amazon, etc installation where shared filesystem may be difficult. The publisher already needs to set up reverse proxy rules for the Packager anyway, so adding one new rule should be fairly easy in any configuration.

[twifkak]

Good point, and I think agreed. If most people are using some CDN for their TLS termination, then they're probably using ACME DNS-01 challenge type, which won't interfere. This is probably the more common use-case.

If people are going full DIY, running their own Apache/nginx with certbot to manage their own TLS certs, then they're using HTTP-01 challenge type (certbot doc), so it would have to share the /.well-known/acme-challenge/ URL path prefix. I'm not sure if there's a way to tell Apache/nginx to say "rev-proxy only if there isn't a file on disk".

[banaag]

Sorry, twifkak@, forgot to give you a heads up about this and my decision to do the proxy method after discussions with gregable@. At this point, let's go the direction of the reverse proxy method and address the co-mingling of certbot/DIY method with the reverse proxy at a later time. It's possible that DevRel type folks may have encountered this in the field and have suitable suggestions.

[twifkak]

Sounds good. Still would lean towards it running on the same port (future PR OK), unless you see a problem with that.

[twifkak]

Add a TODO to make sure we present the TOS URL to the user and prompt for confirmation. (The plan is to move this to some separate setup command outside the server?)

[banaag]

Done.

[Gregable]

My 2c based on what I know so far is that we should lean towards the reverse proxy if we're picking exactly one.

The idea here is that this may be running on some remote server in a Google Cloud, Amazon, etc installation where shared filesystem may be difficult. The publisher already needs to set up reverse proxy rules for the Packager anyway, so adding one new rule should be fairly easy in any configuration.

[Gregable]

Maybe document what you did to generate these.

[banaag]

Done.

[twifkak]

Thanks for the nit fixes. LGTM once Travis is happy.

[twifkak]

Sounds good. Still would lean towards it running on the same port (future PR OK), unless you see a problem with that.

[twifkak]

Should this be ec.GenerateKey or something?

[twifkak]

Instead of doing this, you may be interested in https://godoc.org/github.com/stretchr/testify/suite which supports SetupTest() and TearDownTest() methods.

(Also, assert.X(t, ...) becomes this.Assert().X(...) which is neither better nor worse.)

[twifkak]

Maybe also assert the cert subject or something just to make sure it's been populated.

[twifkak]

Add a quick comment to say what this does, e.g. "Builds a fake ACME server that supports /newOrder and /finalize; tests should add a custom implementation of /certificate."

[banaag]

Thanks for the approvals. Per an offline conversation with twifkak@, we will need to move the amppackager project from dep to go modules (issue #270) in order to resolve the travis failures for this PR.

[twifkak]

LICENSE files LGTM for new vendored deps, and vendored deps outside golang.org/x seem fairly minimal, and changes for existing vendored deps seem harmless.

On of these days, I would love to understand the difference between the lists of deps in go.mod, go.sum, vendor, and vendor/modules.txt. All 4 are different... for good reasons I hope.