3. Security and Validation

acme


Configures an ACME (RFC 8555) client, e.g. to retrieve TLS certificates from Let's Encrypt.

To store the key material and certificates, you can use the local file system or your Kubernetes cluster.

To use ACME:

  1. Register your domain and point the DNS record to your server(s) running Membrane.
  2. Let Membrane listen on port 80 and use the <acmeHttpChallenge /> (see below).
  3. Let Membrane listen on port 443 and use <ssl><acme .../></ssl> (see below). Here, you have to configure where Membrane will store the keys and certificates.

Syntax

acme:
  '$ref': <string>
  azureDns: {}
  azureTableStorage: {}
  contacts: <string>
  directoryUrl: <string>
  dnsOperator: {}
  experimental: <boolean>
  fileStorage: {}
  hosts: <string>
  httpClientConfig: {}
  kubernetesStorage: {}
  memoryStorage: {}
  renewal: <string>
  retry: <number>
  termsOfServiceAgreed: <boolean>
  validity: <string>

Sample

<serviceProxy port="80">
  <acmeHttpChallenge />
  <groovy>
    exc.setResponse(Response.ok("here").build());
    RETURN
  </groovy>
</serviceProxy>

<serviceProxy host="test.example.com" port="443">
  <ssl>
    <acme
      directoryUrl="https://acme-staging-v02.api.letsencrypt.org/directory"
      contacts="mailto:webmaster@example.com"
      termsOfServiceAgreed="true">
      <fileStorage dir="C:\tmp" />
    </acme>
  </ssl>
  ...
</serviceProxy>

<serviceProxy host="test.example.com" port="443">
  <ssl>
    <acme
      directoryUrl="https://acme-staging-v02.api.letsencrypt.org/directory"
      contacts="mailto:webmaster@example.com"
      termsOfServiceAgreed="true">
      <kubernetesStorage namespace="membrane"
        masterLease="membrane" accountSecret="acme-account" prefix="acme-" />
    </acme>
  </ssl>
  ...
</serviceProxy>

Attributes

| Name | Required | Default | Description | Examples |
|---|---|---|---|---|
| $ref | false | - | Reference a component defined under components. | - |
| contacts | false | - | - | mailto:webmaster |
| directoryUrl | false | - | - | - |
| experimental | false | - | - | - |
| hosts | false | - | - | - |
| renewal | false | 1/3 | When to renew the certificate. Can be "1/3" (meaning that the certificate will be renewed when 1/3 of the validity period is left) or "never" (meaning that renewal will never be attempted). If you choose "never", someone else should take care of renewing the key and certificate and update the storage accordingly. | - |
| retry | false | 10000 | Number of milliseconds after which a retry should be attempted (in case of any error, e.g. when the ACME server cannot be reached or validation failed). | - |
| termsOfServiceAgreed | false | - | - | - |
| validity | false | - | - | PT7D |
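The renewal rule documented above ("1/3" or "never"), as an added example that is not part of Membrane: a Python helper that predicts when Membrane would start renewing a certificate from its notBefore/notAfter and the acme element's renewal attribute. The 90-day sample certificate dates are constructed.

```python
from datetime import datetime, timezone
from typing import Optional, Tuple


def parse_renewal(renewal: str) -> Optional[Tuple[int, int]]:
    """Parse the acme `renewal` attribute.

    Returns (numerator, denominator) of the remaining fraction of the
    validity period at which renewal starts, or None for "never".
    """
    value = renewal.strip().lower()
    if value == "never":
        return None
    num, sep, den = value.partition("/")
    if not sep or not num.isdigit() or not den.isdigit():
        raise ValueError(f"unsupported renewal value: {renewal!r}")
    num_i, den_i = int(num), int(den)
    if den_i == 0 or not 0 < num_i < den_i:
        raise ValueError(f"renewal fraction must lie in (0, 1): {renewal!r}")
    return num_i, den_i


def renewal_time(not_before: datetime, not_after: datetime,
                 renewal: str = "1/3") -> Optional[datetime]:
    """Instant at which renewal starts, or None when renewal="never"."""
    frac = parse_renewal(renewal)
    if frac is None:
        return None
    num, den = frac
    lifetime = not_after - not_before
    # "1/3" means: renew once one third of the validity period is left.
    return not_after - lifetime * num / den


def renewal_due(now: datetime, not_before: datetime, not_after: datetime,
                renewal: str = "1/3") -> bool:
    """True if renewal would be attempted at `now` under the given rule."""
    start = renewal_time(not_before, not_after, renewal)
    return start is not None and now >= start


# Constructed sample: a 90-day certificate (Let's Encrypt lifetime).
SAMPLE_NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2024, 3, 31, tzinfo=timezone.utc)

if __name__ == "__main__":
    start = renewal_time(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, "1/3")
    print("renewal starts:", start.isoformat())  # 2024-03-01T00:00:00+00:00
    print("never:", renewal_time(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, "never"))
```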

Child Structure

| Element | Cardinality | Description |
|---|---|---|
| azureDns | 0..1 | Configures Azure DNS for ACME DNS-01 validation. |
| azureTableStorage | 0..1 | |
| dnsOperator | 0..1 | |
| fileStorage | 0..1 | |
| httpClientConfig | 0..1 | Configuration container for Membrane's HTTP client. Allows defining proxy, connection, authentication, TLS, and retry behavior. Can be used as a reusable bean and referenced via . Most of its sub-elements are optional. |
| kubernetesStorage | 0..1 | |
| memoryStorage | 0..1 | For testing purposes only. |

Can be used in