Let's Encrypt Automation Daemon
maze.io apt signing key ec71648702 Tabfix 3 years ago
debian Tabfix 3 years ago
hook Initial import 3 years ago
.gitignore Initial commit 3 years ago
LICENSE Initial commit 3 years ago
README.md Typofix 3 years ago
build.sh Make executable 3 years ago
changelog.sh Added changelog.sh 3 years ago
checker.go Initial import 3 years ago
config.go Initial import 3 years ago
lead.conf.example Added example config 3 years ago
lead.go Debian stuffs 3 years ago
logger.go Initial import 3 years ago
manager.go Initial import 3 years ago
server.go Initial import 3 years ago
util.go Initial import 3 years ago



Let's Encrypt Automation Daemon (LEAD)


LEAD automatically requests the certificates listed in its configuration and keeps them up to date, renewing them before they expire.

Requests received over plain HTTP are redirected to the corresponding HTTPS ports.
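The redirect described above, as an added Go example (LEAD is written in Go, but this is not the project's code and LEAD's own implementation is not shown on this page). It redirects only hosts it was configured for, so an attacker-controlled Host header cannot turn the daemon into an open redirector; it keeps the request path and query, strips any :port from the Host, and answers 308 instead of 301 for non-GET requests so the method is preserved. The listen address :8080, the example hostnames and the assumption that HTTPS lives on port 443 are mine, not the page's.

```go
package main

import (
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Redirector answers plain-HTTP requests with a redirect to HTTPS, but only
// for hosts it was configured for. Redirecting whatever Host header arrives
// would make the daemon an open redirector: an attacker-supplied Host would
// yield a 301 to https://attacker.example/...
type Redirector struct {
	hosts map[string]bool // allowed hostnames, lowercase, without port
}

func NewRedirector(hosts []string) *Redirector {
	r := &Redirector{hosts: make(map[string]bool, len(hosts))}
	for _, h := range hosts {
		r.hosts[strings.ToLower(h)] = true
	}
	return r
}

// hostname lowercases a Host header value and strips an optional :port.
func hostname(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return strings.ToLower(h)
	}
	return strings.ToLower(hostport)
}

// Target returns the https:// URL to redirect to, or "" if the Host is not
// one we serve or the request-target is not a usable path. The HTTPS port is
// assumed to be 443, i.e. the haproxy "https" frontend.
func (r *Redirector) Target(host, requestURI string) string {
	h := hostname(host)
	if !r.hosts[h] {
		return ""
	}
	u, err := url.ParseRequestURI(requestURI)
	if err != nil || !strings.HasPrefix(u.Path, "/") {
		return ""
	}
	// Only path and query are taken from the request; scheme and host come
	// from our own allowlist, never from an absolute-form request-target.
	return "https://" + h + u.RequestURI()
}

func (r *Redirector) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	target := r.Target(req.Host, req.RequestURI)
	if target == "" {
		http.Error(w, "unknown host", http.StatusNotFound)
		return
	}
	code := http.StatusMovedPermanently // 301 is cacheable for GET/HEAD
	if req.Method != http.MethodGet && req.Method != http.MethodHead {
		code = http.StatusPermanentRedirect // 308 keeps method and body
	}
	http.Redirect(w, req, target, code)
}

func main() {
	// Assumed listen address for the haproxy "lead-http" backend; the
	// hostnames would come from LEAD's configuration in a real deployment.
	rd := NewRedirector([]string{"example.org", "www.example.org"})
	if err := http.ListenAndServe(":8080", rd); err != nil {
		panic(err)
	}
}
```

If the daemon also answered http-01 challenges on port 80, requests under /.well-known/acme-challenge/ would have to be excluded from the redirect; the page does not say whether LEAD does that, so this example redirects everything.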


An example configuration can be found in lead.conf.example.


A simple haproxy configuration may look as follows; it loads the bundles (certificate chain followed by the private key in one PEM file) that LEAD drops into /etc/lead/bundles/. Three things to know before using it:

Addresses are not shown: every server line needs an address:port, the bind in frontend https-loop needs a local address or unix socket that only haproxy can reach, and backend https-loop needs a server line pointing at that same address, so that TLS connections accepted on :443 are looped back into the TLS-terminating frontend.

The admin-level stats socket must not be world-writable; any local user could otherwise disable servers or change the running configuration through it, so keep it owned by the haproxy user with a restrictive mode.

The .acme.invalid SNI rule routes the tls-sni-01 validation handshake to LEAD. Let's Encrypt stopped offering tls-sni-01 for new issuance in January 2018 and removed it in March 2019, so against a current ACME endpoint validation has to go through http-01 (on port 80), dns-01 or tls-alpn-01 instead; the rule is harmless but no longer does anything useful with Let's Encrypt.

global
    log         /dev/log local0
    chroot      /var/lib/haproxy
    # admin-level socket: restricted to the haproxy user, never world-writable
    stats       socket /var/run/haproxy.sock user haproxy group haproxy mode 660 level admin
    stats       timeout 30s
    user        haproxy
    group       haproxy

    ca-base     /etc/ssl/certs
    crt-base    /etc/lead/bundles

    ssl-default-bind-ciphers AES:ALL:!aNULL:!eNULL:!DES:!RC4:!DHE:!EDH:!MD5:!PSK:!aECDH:@STRENGTH
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only accept TLS 1.2 and newer
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log         global
    mode        http
    option      dontlognull
    timeout     connect 5000
    timeout     client 50000
    timeout     server 50000
    errorfile   400 /etc/haproxy/errors/400.http
    errorfile   403 /etc/haproxy/errors/403.http
    errorfile   408 /etc/haproxy/errors/408.http
    errorfile   500 /etc/haproxy/errors/500.http
    errorfile   502 /etc/haproxy/errors/502.http
    errorfile   503 /etc/haproxy/errors/503.http
    errorfile   504 /etc/haproxy/errors/504.http

frontend http
    bind            :80
    http-request    set-header X-Forwarded-Proto http
    default_backend lead-http

backend webserver
    mode            http
    balance         roundrobin
    option          forwardfor
    http-request    set-header X-Forwarded-Port %[dst_port]
    http-request    add-header X-Forwarded-Proto https if { ssl_fc }
    option          httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server          server-a check
    server          server-b check

frontend https-loop
    # TLS is terminated here; h2 needs HAProxy 1.8 or newer
    bind   ssl crt /etc/lead/bundles/ alpn h2,http/1.1
    mode            http
    default_backend webserver

frontend https
    bind            :443
    mode            tcp
    option          tcplog

    acl             sni.lead req.ssl_sni -m end .acme.invalid
    acl             sni      req.ssl_sni -m found
    acl             tls      req.ssl_hello_type 1

    tcp-request     inspect-delay 5s
    tcp-request     content accept if tls

    use_backend     lead if sni.lead
    default_backend https-loop

backend https-loop
    mode            tcp
    option          tcplog
    # add a server line pointing at the address frontend https-loop binds on

backend lead
    mode            tcp
    server          lead check

backend lead-http
    mode            http
    option          forwardfor
    server          lead check
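An added example in Go (LEAD's language), not code from the project: a checker for the bundle directory haproxy loads above. It parses each *.pem bundle in the combined chain-plus-key layout that haproxy's crt directive expects, verifies the private key belongs to the leaf certificate, flags bundles within 30 days of expiry (the recommended renewal window for Let's Encrypt's 90-day certificates) and flags files readable by group or others, since they contain a private key. MakeBundle only produces constructed self-signed input for trying the checker out; the directory /etc/lead/bundles comes from the crt-base above, while the *.pem naming and the 30-day threshold are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Let's Encrypt certificates are valid for 90 days; renewing 30 days before
// expiry is the recommended window (assumed here as the renewal threshold).
const RenewBefore = 30 * 24 * time.Hour

// BundleStatus describes one bundle file: certificate chain followed by the
// private key in a single PEM file, the layout haproxy's crt directive loads.
type BundleStatus struct {
	Path       string
	Names      []string // SAN dNSNames of the leaf certificate
	NotAfter   time.Time
	NeedRenew  bool  // expired, or expiring within RenewBefore
	LoosePerms bool  // readable by group/others although the file holds a key
	Err        error // unparsable bundle or key/certificate mismatch
}

// CheckBundle parses a combined PEM bundle, verifies that the private key
// matches the leaf certificate and decides whether it needs renewal at now.
func CheckBundle(path string, data []byte, now time.Time) BundleStatus {
	st := BundleStatus{Path: path}
	// The same blob is passed as chain and as key: X509KeyPair skips non-CERTIFICATE
	// blocks in the first argument and non-key blocks in the second, and rejects
	// a key that does not belong to the leaf certificate.
	pair, err := tls.X509KeyPair(data, data)
	if err != nil {
		st.Err = fmt.Errorf("%s: %w", path, err)
		return st
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		st.Err = fmt.Errorf("%s: %w", path, err)
		return st
	}
	st.Names, st.NotAfter = leaf.DNSNames, leaf.NotAfter
	st.NeedRenew = now.Add(RenewBefore).After(leaf.NotAfter)
	return st
}

// CheckDir checks every *.pem bundle in dir. A bad file is reported in its Err
// field instead of aborting the scan, and a file mode that lets group or others
// read the embedded private key is flagged as LoosePerms.
func CheckDir(dir string, now time.Time) ([]BundleStatus, error) {
	paths, err := filepath.Glob(filepath.Join(dir, "*.pem"))
	if err != nil {
		return nil, err
	}
	var out []BundleStatus
	for _, p := range paths {
		data, err := os.ReadFile(p)
		st := BundleStatus{Path: p, Err: err}
		if err == nil {
			st = CheckBundle(p, data, now)
		}
		if fi, err := os.Stat(p); err == nil {
			st.LoosePerms = fi.Mode().Perm()&0o077 != 0
		}
		out = append(out, st)
	}
	return out, nil
}

// MakeBundle builds a self-signed ECDSA bundle in the same layout. It only
// constructs sample input for trying the checker; LEAD does not issue certificates.
func MakeBundle(names []string, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: names,
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a P-256 key
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})...)
}

func main() {
	sts, err := CheckDir("/etc/lead/bundles", time.Now()) // crt-base from the haproxy example
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, st := range sts {
		fmt.Printf("%s names=%v notAfter=%s renew=%v looseperms=%v err=%v\n", st.Path,
			st.Names, st.NotAfter.Format(time.RFC3339), st.NeedRenew, st.LoosePerms, st.Err)
	}
}
```

Run it against the live directory (go run . as a user allowed to read the bundles) to see which bundles LEAD should be replacing; the key-match check catches a bundle whose certificate and key halves were written from different renewals, which haproxy would refuse to load at its next reload.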