How to set up Let's Encrypt for a Go server application

Question

I have my own domain with web services written in Go. I am using the inbuilt Go web server, without Nginx or Apache in front.

I would like to start serving over HTTPS an

Answer 1

I found a very simple solution, using the standalone mode.


INSTALL THE CERTBOT CLIENT (recommended by Let's Encrypt)

(go to the directory where you want to install the certbot client)
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto --help`

ISSUE CERTIFICATE (FIRST TIME)

N.B. this operation happens through the port 80, so in case your Go app listens on port 80, it needs to be switched off before running this command (which is very quick to run, by the way)

./certbot-auto certonly --standalone-supported-challenges http-01 -d www.yourdomain.com

ADD SSL LISTENER IN YOUR GO CODE

http.ListenAndServeTLS(":443", "/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem", "/etc/letsencrypt/live/www.yourdomain.com/privkey.pem", nil)

Done!

TO RENEW CERTIFICATE (certificates expire after 90 days)

N.B. You can either run this manually (you will receive an email several days before the certificate expires), or set up a crontab

if your Go app doesn't listen to port 80 anymore, your Go app can keep running while you execute this command:
./certbot-auto renew --standalone

if your Go app still listens to port 80, you can specify the commands to stop and restart the Go app:
./certbot-auto renew --standalone --pre-hook "command to stop Go app" --post-hook "command to start Go app"

for the complete documentation of the Certbot commands: https://certbot.eff.org/docs/using.html

Answer 2

This is the minimal automatic setup of an HTTPS server using Go and Let's Encrypt certificates I have found:

package main

import (
    "crypto/tls"
    "log"
    "net/http"

    "golang.org/x/crypto/acme/autocert"
)

func main() {
    certManager := autocert.Manager{
        Prompt:     autocert.AcceptTOS,
        HostPolicy: autocert.HostWhitelist("example.com"), //Your domain here
        Cache:      autocert.DirCache("certs"),            //Folder for storing certificates
    }

    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        w.Write([]byte("Hello world"))
    })

    server := &http.Server{
        Addr: ":https",
        TLSConfig: &tls.Config{
            GetCertificate: certManager.GetCertificate,
        },
    }

    go http.ListenAndServe(":http", certManager.HTTPHandler(nil))

    log.Fatal(server.ListenAndServeTLS("", "")) //Key and cert are coming from Let's Encrypt
}

More information on the autocert package: link

EDIT: Needed to make http available because of letsencrypt security issue, read more here. As a bonus of this fix we now have http-->https redirect. The old example will continue to work if you have already received certificates on it, but it will break for new sites.