added common container pitfalls to readme

2025-10-16 12:35:34 +00:00 · 2021-01-20 17:31:49 +01:00 · 2021-01-20 17:31:49 +01:00 · c45ebd3450
commit c45ebd3450
parent 8faf537327
4 changed files with 152 additions and 65 deletions
--- a/README.md
+++ b/README.md
@ -283,6 +283,15 @@ The LEGO package imports various api clients for providing the DNS challenges -
 In case this happens usually googling the error message is sufficient to find the go module replace directive that pins the needed version.
 Please open an issue if you could not fix a dependency error on your own.
 - Container Pitfalls
 Be careful with containers that are configured to automatically restart on errors!
 When obtaining (or storing) a certificate fails for whatever reason, and your container will crash and restart automatically, you might get blocked due to the letsencrypt APIs rate limits. 
 Another common pitfall is to forget mounting the cache directory into your container, this way simplecert will obtain a new cert on every deployment, which will also likely cause rate limit issues after a while.
 You can read more about the letsencrypt API rate limits here: https://letsencrypt.org/docs/rate-limits/
 ## License
 MIT
--- a/examples/custom/main.go
+++ b/examples/custom/main.go
@ -1,65 +0,0 @@
 //
 //  simplecert
 //
 //  Created by Philipp Mieden
 //  Contact: dreadl0ck@protonmail.ch
 //  Copyright © 2018 bestbytes. All rights reserved.
 //
 package main
 import (
 	"fmt"
 	"log"
 	"net/http"
 	"github.com/foomo/simplecert"
 	"github.com/foomo/tlsconfig"
 )
 type Handler struct{}
 func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusOK)
 	w.Write([]byte("hello from simplecert"))
 }
 func main() {
 	// do the cert magic
 	cfg := simplecert.Default
 	cfg.Domains = []string{"yourdomain.com", "www.yourdomain.com"}
 	cfg.CacheDir = "letsencrypt"
 	cfg.SSLEmail = "you@emailprovider.com"
 	cfg.Local = true
 	certReloader, err := simplecert.Init(cfg, func() {
 		// this function will be called upon receiving the syscall.SIGINT or syscall.SIGABRT signal
 		// and can be used to stop your backend gracefully
 		fmt.Println("cleaning up...")
 	})
 	if err != nil {
 		log.Fatal("simplecert init failed: ", err)
 	}
 	// redirect HTTP to HTTPS
 	log.Println("starting HTTP Listener on Port 80")
 	go http.ListenAndServe(":80", http.HandlerFunc(simplecert.Redirect))
 	// init strict tlsConfig with certReloader
 	tlsconf := tlsconfig.NewServerTLSConfig(tlsconfig.TLSModeServerStrict)
 	// now set GetCertificate to the reloaders GetCertificateFunc to enable hot reload
 	tlsconf.GetCertificate = certReloader.GetCertificateFunc()
 	// init server
 	s := &http.Server{
 		Addr:      ":443",
 		TLSConfig: tlsconf,
 		Handler:   Handler{},
 	}
 	log.Println("now visit: https://" + cfg.Domains[0])
 	// lets go
 	log.Fatal(s.ListenAndServeTLS("", ""))
 }
--- a/examples/simple/main.go
+++ b/examples/simple/main.go
--- a/examples/production/main.go
+++ b/examples/production/main.go
@ -0,0 +1,143 @@
 //
 //  simplecert
 //
 //  Created by Philipp Mieden
 //  Contact: dreadl0ck@protonmail.ch
 //  Copyright © 2018 bestbytes. All rights reserved.
 //
 package main
 import (
 	"context"
 	"fmt"
 	"log"
 	"net/http"
 	"os"
 	"time"
 	"github.com/foomo/simplecert"
 	"github.com/foomo/tlsconfig"
 )
 type Handler struct{}
 func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusOK)
 	w.Write([]byte("hello from simplecert!"))
 }
 // This example demonstrates how spin up a custom HTTPS webserver for production deployment.
 // It shows how to configure and start your service in a way that the certificate can be automatically renewed via the TLS challenge, before it expires.
 // For this to succeed, we need to temporarily free port 443 (on which your service is running) and complete the challenge.
 // Once the challenge has been completed the service will be restarted via the DidRenewCertificate hook.
 // Requests to port 80 will always be redirected to the TLS secured version of your site.
 func main() {
 	var (
 		// the structure that handles reloading the certificate
 		certReloader *simplecert.CertReloader
 		err          error
 		numRenews    int
 		ctx, cancel  = context.WithCancel(context.Background())
 		// init strict tlsConfig (this will enforce the use of modern TLS configurations)
 		// you could use a less strict configuration if you have a customer facing web application that has visitors with old browsers
 		tlsConf = tlsconfig.NewServerTLSConfig(tlsconfig.TLSModeServerStrict)
 		// a simple constructor for a http.Server with our Handler
 		makeServer = func() *http.Server {
 			return &http.Server{
 				Addr:      ":443",
 				Handler:   Handler{},
 				TLSConfig: tlsConf,
 			}
 		}
 		// init server
 		srv = makeServer()
 		// init simplecert configuration
 		cfg = simplecert.Default
 	)
 	// configure
 	cfg.Domains = []string{"yourdomain.com", "www.yourdomain.com"}
 	cfg.CacheDir = "letsencrypt"
 	cfg.SSLEmail = "you@emailprovider.com"
 	// disable HTTP challenges - we will only use the TLS challenge for this example.
 	cfg.HTTPAddress = ""
 	// this function will be called just before certificate renewal starts and is used to gracefully stop the service
 	// (we need to free port 443 in order to complete the TLS challenge)
 	cfg.WillRenewCertificate = func() {
 		// stop server
 		cancel()
 	}
 	// this function will be called after the certificate has been renewed, and is used to restart your service.
 	cfg.DidRenewCertificate = func() {
 		numRenews++
 		// restart server: both context and server instance need to be recreated!
 		ctx, cancel = context.WithCancel(context.Background())
 		srv = makeServer()
 		// force reload the updated cert from disk
 		certReloader.ReloadNow()
 		go serve(ctx, srv)
 	}
 	log.Println("hello world")
 	// init config
 	certReloader, err = simplecert.Init(cfg, func() {
 		os.Exit(0)
 	})
 	if err != nil {
 		log.Fatal("simplecert init failed: ", err)
 	}
 	// redirect HTTP to HTTPS
 	log.Println("starting HTTP Listener on Port 80")
 	go http.ListenAndServe(":80", http.HandlerFunc(simplecert.Redirect))
 	// enable hot reload
 	tlsConf.GetCertificate = certReloader.GetCertificateFunc()
 	// start serving
 	log.Println("will serve at: https://" + cfg.Domains[0])
 	serve(ctx, srv)
 	fmt.Println("waiting forever")
 	<-make(chan bool)
 }
 func serve(ctx context.Context, srv *http.Server) {
 	// lets go
 	go func() {
 		if err := srv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
 			log.Fatalf("listen: %+s\n", err)
 		}
 	}()
 	log.Printf("server started")
 	<-ctx.Done()
 	log.Printf("server stopped")
 	ctxShutDown, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer func() {
 		cancel()
 	}()
 	err := srv.Shutdown(ctxShutDown)
 	if err == http.ErrServerClosed {
 		log.Printf("server exited properly")
 	} else if err != nil {
 		log.Printf("server encountered an error on exit: %+s\n", err)
 	}
 }