Use Manager.HTTPHandler for automatic TLS support.

This is needed since the recent removal of the TLS-SNI challenge types. https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316 The HTTP-01 challenge type requires an additional listener on port 80.
2025-10-14 05:11:19 -04:00 · 2018-02-24 11:40:02 -08:00 · 2018-02-24 11:40:02 -08:00 · fcc274ac68
commit fcc274ac68
parent 9ab8ea3df4
2 changed files with 7 additions and 2 deletions
--- a/broker/README.md
+++ b/broker/README.md
@ -35,14 +35,15 @@ using the `--acme-email` option,
 so that Let's Encrypt can inform you of any problems.

 In order to fetch certificates automatically,
-the server needs to be listening on port 443 (the default).
+the server needs to open an additional HTTP listener on port 80.
 On Linux, you can use the `setcap` program,
 part of libcap2, to enable the broker to bind to low-numbered ports
 without having to run as root:
 ```
 setcap 'cap_net_bind_service=+ep' /usr/local/bin/broker
 ```
-You can control the listening port with the --addr option.
+You can control the listening broker port with the --addr option.
+Port 443 is the default.

 You'll need to provide the URL of the custom broker
 to the client plugin using the `--url $URL` flag.
--- a/broker/broker.go
+++ b/broker/broker.go
@ -260,6 +260,10 @@ func main() {
 			HostPolicy: autocert.HostWhitelist(acmeHostnames...),
 			Email:      acmeEmail,
 		}
+		go func() {
+			log.Printf("Starting HTTP-01 listener")
+			log.Fatal(http.ListenAndServe(":80",  certManager.HTTPHandler(nil)))
+		}()

 		server.TLSConfig = &tls.Config{GetCertificate: certManager.GetCertificate}
 		err = server.ListenAndServeTLS("", "")