letsencrypt: Major refactor of Activate(), fixes #474 and closes #397

Makes restarts cleaner and improves configuration usability related to the tls directive

caddy/restart.go

@@ -131,14 +131,13 @@ func getCertsForNewCaddyfile(newCaddyfile Input) error {
 		return errors.New("loading Caddyfile: " + err.Error())
 	}
 
-	// TODO: Yuck, this is hacky. port 443 not set until letsencrypt is activated, so we change it here.
-	for i := range configs {
-		if configs[i].Port == "" && letsencrypt.ConfigQualifies(configs, i) {
-			configs[i].Port = "443"
-		}
-	}
+	// first mark the configs that are qualified for managed TLS
+	letsencrypt.MarkQualified(configs)
+
+	// we must make sure port is set before we group by bind address
+	letsencrypt.EnableTLS(configs)
 
-	// only get certs for configs that bind to an address we're already listening on
+	// we only need to issue certs for hosts where we already have an active listener
 	groupings, err := arrangeBindings(configs)
 	if err != nil {
 		return errors.New("arranging bindings: " + err.Error())
@@ -156,8 +155,8 @@ GroupLoop:
 	}
 	serversMu.Unlock()
 
-	// obtain certs for eligible configs; letsencrypt pkg will filter out the rest.
-	configs, err = letsencrypt.ObtainCertsAndConfigure(configsToSetup, letsencrypt.AlternatePort)
+	// place certs on the disk
+	err = letsencrypt.ObtainCerts(configsToSetup, letsencrypt.AlternatePort)
 	if err != nil {
 		return errors.New("obtaining certs: " + err.Error())
 	}

caddy/setup/tls.go

@@ -11,12 +11,12 @@ import (
 
 // TLS sets up the TLS configuration (but does not activate Let's Encrypt; that is handled elsewhere).
 func TLS(c *Controller) (middleware.Middleware, error) {
-	if c.Scheme == "http" {
+	if c.Scheme == "http" && c.Port != "80" {
 		c.TLS.Enabled = false
 		log.Printf("[WARNING] TLS disabled for %s://%s. To force TLS over the plaintext HTTP port, "+
 			"specify port 80 explicitly (https://%s:80).", c.Scheme, c.Address(), c.Host)
 	} else {
-		c.TLS.Enabled = true // assume this for now
+		c.TLS.Enabled = true
 	}
 
 	for c.Next() {
@@ -32,13 +32,6 @@ func TLS(c *Controller) (middleware.Middleware, error) {
 		case 2:
 			c.TLS.Certificate = args[0]
 			c.TLS.Key = args[1]
-
-			// manual HTTPS configuration without port specified should be
-			// served on the HTTPS port; that is what user would expect, and
-			// makes it consistent with how the letsencrypt package works.
-			if c.Port == "" {
-				c.Port = "443"
-			}
 		}
 
 		// Optional block with extra parameters
@@ -86,8 +79,9 @@ func TLS(c *Controller) (middleware.Middleware, error) {
 	return nil, nil
 }
 
-// SetDefaultTLSParams sets the default TLS cipher suites, protocol versions and server preferences
-// of a server.Config if they were not previously set.
+// SetDefaultTLSParams sets the default TLS cipher suites, protocol versions,
+// and server preferences of a server.Config if they were not previously set
+// (it does not overwrite; only fills in missing values).
 func SetDefaultTLSParams(c *server.Config) {
 	// If no ciphers provided, use all that Caddy supports for the protocol
 	if len(c.TLS.Ciphers) == 0 {
@@ -107,6 +101,11 @@ func SetDefaultTLSParams(c *server.Config) {
 
 	// Prefer server cipher suites
 	c.TLS.PreferServerCipherSuites = true
+
+	// Default TLS port is 443; only use if port is not manually specified
+	if c.Port == "" {
+		c.Port = "443"
+	}
 }
 
 // Map of supported protocols

server/config.go

@@ -69,6 +69,7 @@ type TLSConfig struct {
 	Certificate      string
 	Key              string
 	LetsEncryptEmail string
+	Managed          bool // will be set to true if config qualifies for automatic, managed TLS
 	//DisableHTTPRedir         bool // TODO: not a good idea - should we really allow it?
 	OCSPStaple               []byte
 	Ciphers                  []uint16