add letsencrypt to Gitea

Gopkg.toml

@@ -15,7 +15,7 @@ ignored = ["google.golang.org/appengine*"]
   name = "code.gitea.io/sdk"
 
 [[constraint]]
-  revision = "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94"
+  revision = "12dd70caea0268ac0d6c2707d0611ef601e7c64e"
   name = "golang.org/x/crypto"
 
 [[constraint]]

cmd/web.go

@@ -5,6 +5,7 @@
 package cmd
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/http"
@@ -22,6 +23,7 @@ import (
 	"github.com/Unknwon/com"
 	context2 "github.com/gorilla/context"
 	"github.com/urfave/cli"
+	"golang.org/x/crypto/acme/autocert"
 	ini "gopkg.in/ini.v1"
 )
 
@@ -71,6 +73,33 @@ func runHTTPRedirector() {
 	}
 }
 
+func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) error {
+	certManager := autocert.Manager{
+		Prompt:     autocert.AcceptTOS,
+		HostPolicy: autocert.HostWhitelist(domain),
+		Cache:      autocert.DirCache(directory),
+		Email:      email,
+	}
+	go http.ListenAndServe(listenAddr+":http", certManager.HTTPHandler(http.HandlerFunc(runLetsEncryptFallbackHandler))) // all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validatio happens here)
+	server := &http.Server{
+		Addr:    listenAddr,
+		Handler: m,
+		TLSConfig: &tls.Config{
+			GetCertificate: certManager.GetCertificate,
+		},
+	}
+	return server.ListenAndServeTLS("", "")
+}
+
+func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "GET" && r.Method != "HEAD" {
+		http.Error(w, "Use HTTPS", http.StatusBadRequest)
+		return
+	}
+	target := setting.AppURL + r.URL.RequestURI()
+	http.Redirect(w, r, target, http.StatusFound)
+}
+
 func runWeb(ctx *cli.Context) error {
 	if ctx.IsSet("config") {
 		setting.CustomConf = ctx.String("config")
@@ -147,6 +176,8 @@ func runWeb(ctx *cli.Context) error {
 			go runHTTPRedirector()
 		}
 		err = runHTTPS(listenAddr, setting.CertFile, setting.KeyFile, context2.ClearHandler(m))
+	case setting.LetsEncrypt:
+		err = runLetsEncrypt(listenAddr, setting.Domain, setting.LetsEncryptDirectory, setting.LetsEncryptEmail, context2.ClearHandler(m))
 	case setting.FCGI:
 		listener, err := net.Listen("tcp", listenAddr)
 		if err != nil {

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -82,7 +82,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 
 ## Server (`server`)
 
-- `PROTOCOL`: **http**: \[http, https, fcgi, unix\]
+- `PROTOCOL`: **http**: \[http, https, fcgi, unix, letsencrypt\] If using letsencrypt you must set `DOMAIN` to valid domain (ensure DNS is set and port 80 is accessible by letsencrypt validation server). 
 - `DOMAIN`: **localhost**: Domain name of this server.
 - `ROOT_URL`: **%(PROTOCOL)s://%(DOMAIN)s:%(HTTP\_PORT)s/**:
    Overwrite the automatically generated public URL.
@@ -119,6 +119,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, redirects http requests
    on another (https) port.
 - `PORT_TO_REDIRECT`: **80**: Port used when `REDIRECT_OTHER_PORT` is true.
+- `LETSENCRYPT_DIRECTORY`: **https**: Directory that Letsencrypt will use to cache information such as certs and private keys
+- `LETSENCRYPT_EMAIL`: **email@example.com**: Email used by Letsencrypt to notify about problems with issued certificates. (No default)
 
 ## Database (`database`)
 

docs/content/doc/usage/https-support.md

@@ -32,6 +32,20 @@ KEY_FILE = key.pem
 ```
 To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server).
 
+## Using Let's Encrypt
+
+[Let's Encrypt](https://letsencrypt.org/) is a Certificate Authority that allows you to automatically request and renew SSL/TLS certificates. In addition to starting Gitea on your configured port, to request HTTPS certificates Gitea will also need to listed on port 80, and will set up an autoredirect to HTTPS for you. Let's Encrypt will need to be able to access Gitea via the Internet to verify your ownership of the domain.
+
+```ini
+[server]
+PROTOCOL=letsencrypt
+DOMAIN=git.example.com
+LETSENCRYPT_DIRECTORY=https
+LETSENCRYPT_EMAIL=email@example.com
+```
+
+To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server).
+
 ## Using reverse proxy
 
 Setup up your reverse proxy like shown in the [reverse proxy guide](../reverse-proxies).

modules/setting/setting.go

@@ -43,10 +43,11 @@ type Scheme string
 
 // enumerates all the scheme types
 const (
-	HTTP       Scheme = "http"
-	HTTPS      Scheme = "https"
-	FCGI       Scheme = "fcgi"
-	UnixSocket Scheme = "unix"
+	HTTP        Scheme = "http"
+	HTTPS       Scheme = "https"
+	FCGI        Scheme = "fcgi"
+	UnixSocket  Scheme = "unix"
+	LetsEncrypt Scheme = "letsencrypt"
 )
 
 // LandingPage describes the default page
@@ -105,6 +106,8 @@ var (
 	LandingPageURL       LandingPage
 	UnixSocketPermission uint32
 	EnablePprof          bool
+	LetsEncryptDirectory string
+	LetsEncryptEmail     string
 
 	SSH = struct {
 		Disabled             bool           `ini:"DISABLE_SSH"`
@@ -709,6 +712,10 @@ func NewContext() {
 			log.Fatal(4, "Failed to parse unixSocketPermission: %s", UnixSocketPermissionRaw)
 		}
 		UnixSocketPermission = uint32(UnixSocketPermissionParsed)
+	} else if sec.Key("PROTOCOL").String() == "letsencrypt" {
+		Protocol = LetsEncrypt
+		LetsEncryptDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
+		LetsEncryptEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
 	}
 	Domain = sec.Key("DOMAIN").MustString("localhost")
 	HTTPAddr = sec.Key("HTTP_ADDR").MustString("0.0.0.0")