Story #13446
Updated by Tom Clegg over 6 years ago
Background: Clients (including keepproxy) already have TLS support -- otherwise, they wouldn't be able to connect to keepproxy in a typical setup. However, keepstore itself does not have built-in support for TLS, and setting up Nginx alongside each keepstore is a burden.
Load certificate and key from configured location (e.g., /var/lib/acme/live/...) at startup
* If cert+key cannot be loaded, error out
Reload cert+key if -they change on disk- SIGHUP is received (acmetool or something similar will be refreshing certs)
* If cert+key cannot be loaded, log a warning and continue using old cert+key
https://blog.gopheracademy.com/advent-2016/exposing-go-on-the-internet/
The job of obtaining and renewing certificates and copying them to the appropriate locations is left to the operator. The easiest solution is probably to allow traffic on port 80 to keepstore nodes and use acmetool's "redirector" validation strategy. One could also obtain a certificate on a different node using split-horizon DNS or DNS validation, then copy it to the keepstore node.