TLS¶
For any connection beyond loopback, encrypt it with TLS. gdc serve
supports three approaches: bring your own certificate, generate a
self-signed one, or obtain certificates automatically. Choose one — they
can't be combined.
Choosing an approach¶
| Approach | Best for |
|---|---|
| Your own certificate | You already have a certificate (from your organisation's CA or a public one). |
| Self-signed | Internal or development setups where you control both ends and can pin the certificate. |
| Automatic (ACME) | A public server with a real domain name; certificates are issued and renewed for you. |
Your own certificate¶
Provide a certificate and its private key:
Clients trust it through your normal certificate chain.
Self-signed¶
Have gdc generate a self-signed certificate on startup:
Add extra names (hostnames or IPs) that clients will use to reach it:
gdc serve --bind 0.0.0.0:8088 --self-signed-tls \
--self-signed-san gdc.internal --self-signed-san 10.0.0.5
Because a self-signed certificate isn't backed by a public authority, clients must pin it — trust exactly this certificate and nothing else. On the connecting side, point clients at the server's certificate:
This "pin exactly this certificate" model is fail-closed: a client configured to pin will refuse any other certificate.
Automatic certificates (ACME / Let's Encrypt)¶
For a public server with a real domain, gdc can obtain and renew certificates automatically:
Additional options let you control the process:
| Flag | Description |
|---|---|
--acme-domain <domain> |
The domain to get a certificate for. |
--acme-contact-email <email> |
Contact address (required with a domain). |
--acme-directory <url> |
The certificate authority's directory (defaults to Let's Encrypt production). |
--acme-cache-dir <path> |
Where to cache issued certificates. |
--acme-http01-bind <addr> |
Address for the validation challenge (defaults to port 80). |
The domain must resolve to this server, and the validation address must be reachable, for issuance to succeed.
One approach at a time
The three approaches are mutually exclusive. Pick the one that fits your deployment; combining them is rejected.