Automatic HTTPS using ACME
Kore can automatically provision certificates from ACME providers such as Let's Encrypt and others.
Enabling ACME on a domain
Enabling ACME is straightforward. Make sure Kore was built with the ACME=1 directive set at compile time.
Whether ACME support was compiled in can be verified by showing the version string of the installed Kore binary; it lists acme among the enabled features:
```
$ kore -v
master-8097d22d curl-7.64.1 pgsql python-3.7.7 acme
$
```
In your configuration, under the domain context, set the acme configuration option to yes.
```
domain kore.io {
	acme		yes
	accesslog	/var/log/kore.log
	route / serve_index
}
```
ACME configuration
There are a few ACME related configuration options.
| Configuration option | Description |
|---|---|
| acme_email | An email address used for account registration. |
| acme_provider | A URL to the directory for an ACME provider. Defaults to Let's Encrypt. |
The default ACME provider is "https://acme-v02.api.letsencrypt.org/directory".
To control privilege separation for ACME use the privsep configuration option.
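As an added example (not taken from the Kore documentation), the following configuration combines the options above: account e-mail, an explicit provider directory, and a dedicated privsep root for the acme process. The staging directory URL is Let's Encrypt's public test endpoint, which issues untrusted certificates and is the sensible target while validating a new setup; the e-mail address, the listen address, the chroot path and the unprivileged user are assumptions.

```conf
# Added example configuration, not part of the Kore project's documentation.
# Assumed values: ops@example.com, /var/chroot/kore-acme and the user _kore.

server tls {
	bind 0.0.0.0 443
}

# Account registration contact, used by the provider for expiry notices.
acme_email	ops@example.com

# Test against the Let's Encrypt staging directory first (rate limits are
# relaxed and the issued certificates are not publicly trusted). Remove this
# line, or set it to the production directory, once the flow is confirmed:
#   https://acme-v02.api.letsencrypt.org/directory
acme_provider	https://acme-staging-v02.api.letsencrypt.org/directory

# The acme process gets its own chroot and unprivileged user, separate from
# the workers and from keymgr. Certificates and domain keys are written here.
privsep acme {
	runas	_kore
	root	/var/chroot/kore-acme
}

domain kore.io {
	acme		yes
	accesslog	/var/log/kore.log
	route / serve_index
}
```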
ACME architecture
When ACME is enabled, Kore will create a new acme process that stands alone from your workers. It is this process that will talk to the ACME servers and perform requests to them.
The acme process communicates, when needed, with the keymgr process, which holds all your private keys (even the ACME account key is held only by keymgr).
ACME files
All certificates and private keys are stored under the directory configured as the root of the acme privsep context.
The RSA account key is stored as account-key.pem in the keymgr_root directory, while certificates and their matching domain keys are stored under the certificates directory, separated by hostname.