6. Security

acme

Configures an ACME (RFC 8555) client, e.g. to retrieve TLS certificates from Let's Encrypt.

To store the key material and certificates, you can use the local file system or your Kubernetes cluster.

To use ACME:

  1. Register your domain and point the DNS record to your server(s) runnig Membrane.
  2. Let Membrane listen on port 80 and use the <acmeHttpChallenge /> (see below).
  3. Let Membrane listen on port 443 and use <ssl><acme .../><ssl> (see below). Here, you have to configure where Membrane will store the keys and certificates.



Can be used in:

ssl and bean

Syntax

<acme directoryUrl="[acme server URL]"
contacts="mailto:webmaster@example.com"
termsOfServiceAgreed="[true,false]">
	[storage]
	[validation]
</acme>

Sample

<serviceProxy port="80">
  <acmeHttpChallenge />
    <groovy>
      exc.setResponse(Response.ok("here").build());
      RETURN
    </groovy>
</serviceProxy>

<serviceProxy host="test.example.com" port="443">
  <ssl>
    <acme
      directoryUrl="https://acme-staging-v02.api.letsencrypt.org/directory"
      contacts="mailto:webmaster@example.com"
      termsOfServiceAgreed="true">
      <fileStorage dir="C:\tmp" />
    </acme>
  </ssl>
    ...
</serviceProxy>

<serviceProxy host="test.example.com" port="443">
  <ssl>
    <acme
      directoryUrl="https://acme-staging-v02.api.letsencrypt.org/directory"
      contacts="mailto:webmaster@example.com"
      termsOfServiceAgreed="true"&gt;
  <kubernetesStorage namespace="membrane"
      masterLease="membrane" accountSecret="acme-account" prefix="acme-" />
    </acme>
  </ssl>
    ...
</serviceProxy>

Attributes

NameRequiredDefaultDescriptionExample
termsOfServiceAgreed false - - -
renewal false 1/3
 When to renew the certificate. Can be "1/3" (meaning that the certificate will be renewed when 1/3 of the validity period is left) or "never" (meaning that renewal will never be attempted). If you choose "never", someone else should take care of renewing the key and certificate and update the storage accordingly. -
hosts false - - -
directoryUrl false - - -
experimental false - - -
validity false - - PT7D
contacts false - - mailto:webmaster
retry false 10000
 Number of milliseconds after which a retry should be attempted. (in case of any error, e.g. in case the ACME server cannot be reached or validation failed.) -

Other optional Child Elements


httpClientConfig