
AutoTLS and Gin (gin-gonic) fail to read SSL certificate


I'm trying to make a microservice environment with Gin (gin-gonic) with this simple code:

package main

import (
    "example.com/MSHandler/ms1"

    "log"

    "github.com/gin-gonic/autotls"
    "github.com/gin-gonic/gin"
)

func main() {
    // Create GIN
    router := gin.Default()

    // Call MS

    // Call MS1
    router.GET("/ms1", ms1.CallMS1)

    // Run GIN
    // router.Run(":443")

    // Run with Let's Encrypt
    log.Fatal(autotls.Run(router, "exampleMS.org"))
}

Each time I try to reach the website, the website is marked as unsafe. My SSL certificates were generated with openssl and they are both (.key and .pem) in the ~/.ssl folder (I'm using Ubuntu). Do my certificates need to be in the same folder as the application?

I've read some articles on the web and here, but nothing points directly to autoTLS.


Solution

  • The package github.com/gin-gonic/autotls uses golang.org/x/crypto/acme/autocert underneath. So if you want to read the docs, go to https://pkg.go.dev/golang.org/x/crypto/acme/autocert. And how Let's Encrypt works is a must-read document.

    Notes:

    1. autocert applies for certificates from https://letsencrypt.org/, so you don't need to provide your own certificate generated with openssl. If you want to use a self-signed certificate, you don't need autocert (and autotls). And a self-signed certificate is not trusted by clients by default.

    2. autocert will create a new ECDSA P-256 key for you. If you want to use your own private key, set the key with autocert.Manager.

    3. Since it needs to apply certificates from https://letsencrypt.org/, the public network should be available to your application.

    4. Let's Encrypt will verify that you're the domain owner by sending an HTTP request to your website. Make sure your website is accessible on the domain (it's exampleMS.org according to your demo). And this request is sent to HTTP port 80, so you should make sure this port is not blocked either. To be more exact:

      The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges. These are different ways that the agent can prove control of the domain. For example, the CA might give the agent a choice of either:

      • Provisioning a DNS record under example.com, or
      • Provisioning an HTTP resource under a well-known URI

    5. There are several demos provided by autotls, in case you don't know.
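A stdlib-only illustration, added here and not code from autotls or autocert, of what note 4 requires of the public HTTP port: a handler that answers the CA's GET for /.well-known/acme-challenge/<token> with the key authorization and redirects ordinary traffic to HTTPS, answering only for the whitelisted domain exampleMS.org. In a real deployment autocert.Manager.HTTPHandler provides this and fills the token store itself; the `auth` map, token and key authorization below are constructed stand-ins.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

const challengePrefix = "/.well-known/acme-challenge/"

// hostWhitelist mirrors the idea of autocert.HostWhitelist: answer only
// for domains you own, never for a hostname a stranger sends.
func hostWhitelist(hosts ...string) func(string) bool {
	allowed := map[string]bool{}
	for _, h := range hosts {
		allowed[strings.ToLower(h)] = true
	}
	return func(host string) bool { return allowed[strings.ToLower(host)] }
}

// port80Handler is what must be reachable on the public HTTP port 80: it
// answers the CA's challenge GET (token -> key authorization) and sends
// everything else to HTTPS. auth stands in for autocert's internal store.
func port80Handler(auth map[string]string, allow func(string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := strings.SplitN(r.Host, ":", 2)[0] // drop an explicit port
		if !allow(host) {
			http.NotFound(w, r)
			return
		}
		if strings.HasPrefix(r.URL.Path, challengePrefix) {
			keyAuth, ok := auth[strings.TrimPrefix(r.URL.Path, challengePrefix)]
			if !ok {
				http.NotFound(w, r)
				return
			}
			w.Header().Set("Content-Type", "text/plain")
			fmt.Fprint(w, keyAuth)
			return
		}
		http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
	})
}

func main() {
	// Constructed token and key authorization, not real ACME values.
	auth := map[string]string{"demo-token": "demo-token.constructed-thumbprint"}
	log.Fatal(http.ListenAndServe(":80", port80Handler(auth, hostWhitelist("exampleMS.org"))))
}
```

If a request like the first one in the test below cannot reach your host from the public internet, autocert will fail the HTTP-01 challenge no matter how the Gin side is configured.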