Automatic HTTPS using ACME

Kore can automatically provision certificates from ACME providers such as Let's Encrypt and others.

Enabling ACME on a domain

Enabling ACME is quite straightforward. Make sure Kore was built with the ACME=1 directive set at compile time.

You can verify that ACME support was compiled in by checking the version string of the installed Kore binary.

$ kore -v
master-8097d22d curl-7.64.1 pgsql python-3.7.7 acme
$

In your configuration, set the acme configuration option to yes under the domain context.

domain kore.io {
    acme yes
    accesslog /var/log/kore.log
    route / serve_index
}

ACME configuration

There are a few ACME-related configuration options.

Configuration option    Description
acme_email              An email address used for account registration.
acme_provider           A URL to the directory for an ACME provider. Defaults to Let's Encrypt.

The default ACME provider is "https://acme-v02.api.letsencrypt.org/directory".

To control privilege separation for ACME, use the privsep configuration option.

ACME architecture

When ACME is enabled, Kore will create a new acme process that runs separately from your workers. It is this process that talks to the ACME servers and performs requests to them.

The acme process communicates when needed with the keymgr process, which holds all your private keys (even the ACME account key is only held by keymgr).

ACME files

All certificates and private keys are stored under the directory that was configured via the acme privsep root.

The RSA account key is stored as account-key.pem in the keymgr_root directory, while certificates and matching domain keys are stored under the certificates directory, separated by hostname.
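
Because the account key and the domain keys all live on disk under that directory, it is worth checking that no private key there is accessible to group or other users. The following audit script is an added example, not part of Kore: the root path is supplied by the caller, and the file names fullchain.pem and key.pem in the constructed sample tree are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

# Matches "-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----", etc.
KEY_MARKER = b"PRIVATE KEY-----"

def audit_key_files(root):
    """Return sorted (relative path, problem) pairs for PEM private keys under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks and special files
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # not readable by the auditing user
            if KEY_MARKER not in head:
                continue  # certificates are public; only keys are checked
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:
                rel = os.path.relpath(path, root)
                findings.append((rel, "mode %04o allows group/other access" % mode))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed layout; file names under certificates/ are assumptions."""
    host = os.path.join(root, "certificates", "example.com")
    os.makedirs(host)
    samples = [
        (os.path.join(root, "account-key.pem"), b"-----BEGIN RSA PRIVATE KEY-----\n", 0o600),
        (os.path.join(host, "fullchain.pem"), b"-----BEGIN CERTIFICATE-----\n", 0o644),
        (os.path.join(host, "key.pem"), b"-----BEGIN PRIVATE KEY-----\n", 0o644),
    ]
    for path, body, mode in samples:
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, problem in audit_key_files(tmp):
            print(rel + ": " + problem)
```

Run it as a user that can read the directory and pass the configured root to audit_key_files; an empty result means every private key found is restricted to its owner.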
