v2.0.47: HTTPS Everywhere — TLS-only control plane, agents/CLI/MCP

Breaking change release. Plaintext HTTP listener removed. The certctl
control plane now terminates TLS 1.3 on :8443 via
http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape
hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md.

Server
- cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert
  swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback),
  preflightServerTLS validation
- cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe,
  watchSIGHUP wiring, cert/key path config threading
- tls_test.go: 418-line regression coverage of reload, preflight,
  callback behavior, SAN validation

Config
- CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required)
- Plaintext rejection: agents/CLI/MCP pre-flight-fail on http://
  URLs with a pointer to docs/upgrade-to-tls.md

Agents, CLI, MCP
- All three pre-flight-reject http:// URLs with fail-loud diagnostic
- CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust
- CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass
  (loud warning on startup)
- install-agent.sh emits both vars as commented template lines

docker-compose
- certctl-tls-init sidecar generates SAN-valid self-signed cert into
  deploy/test/certs/ on first boot
- All demo-stack curls pin against ca.crt with --cacert

Helm chart
- Three TLS provisioning modes, exactly one required:
  - server.tls.existingSecret (operator-supplied)
  - server.tls.certManager.enabled (cert-manager integration)
  - server.tls.selfSigned.enabled (eval only — not for production)
- server-certificate.yaml template for cert-manager mode
- helm install without a TLS source fails at template render with
  a pointer to docs/tls.md

CI
- .github/workflows/ci.yml Helm Chart Validation step renders the
  chart in both existingSecret and cert-manager modes, plus an
  inverse guard-regression test that asserts helm template MUST
  refuse to render when no TLS source is configured. Previously
  the single `helm template` invocation hit the certctl.tls.required
  fail-loud guard and exit-1'd CI. Four invocations now: lint
  (existingSecret), template (existingSecret), template
  (cert-manager), template (no args — must fail).

Integration tests
- deploy/test/integration_test.go stands up the Compose stack over
  HTTPS, extracts the CA bundle, and exercises every certctl API
  over https://localhost:8443
- All 34 integration subtests green (per Phase 8 local CI-parity)

Documentation
- New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload)
- New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade
  warnings, fleet-roll sequencing)
- CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry
  (file heading unchanged; release tag is v2.0.47)
- All curls in docs/, examples/, deploy/helm/ guides use
  https://localhost:8443 --cacert

Verification
- grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits
- grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin
  API default, SSRF doc comment) — zero certctl endpoints
- Tasks #197–#206 (Phases 0–8) all closed in the tracker

Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).

cmd/cli/main.go

@@ -3,7 +3,9 @@ package main
 import (
 	"flag"
 	"fmt"
+	"net/url"
 	"os"
+	"strings"
 
 	"github.com/shankar0123/certctl/internal/cli"
 )
@@ -43,22 +45,34 @@ Commands:
   version          Show CLI version
 
 Examples:
-  certctl-cli --server http://localhost:8443 --api-key mykey certs list
+  certctl-cli --server https://localhost:8443 --api-key mykey certs list
   certctl-cli certs renew mc-prod --format json
   certctl-cli import certs.pem
 `)
 	}
 
-	serverURL := fs.String("server", os.Getenv("CERTCTL_SERVER_URL"), "certctl server URL (env: CERTCTL_SERVER_URL)")
-	if *serverURL == "" {
-		*serverURL = "http://localhost:8443"
+	// HTTPS-Everywhere (v2.2): the server is HTTPS-only. The default URL uses
+	// https://; plaintext http:// is rejected by validateHTTPSScheme below.
+	defaultServer := os.Getenv("CERTCTL_SERVER_URL")
+	if defaultServer == "" {
+		defaultServer = "https://localhost:8443"
 	}
+	serverURL := fs.String("server", defaultServer, "certctl server URL — must be https:// (env: CERTCTL_SERVER_URL)")
 
 	apiKey := fs.String("api-key", os.Getenv("CERTCTL_API_KEY"), "API key for authentication (env: CERTCTL_API_KEY)")
 	format := fs.String("format", "table", "Output format: table, json")
+	caBundlePath := fs.String("ca-bundle", os.Getenv("CERTCTL_SERVER_CA_BUNDLE_PATH"), "Path to a PEM-encoded CA bundle that signed the server cert (env: CERTCTL_SERVER_CA_BUNDLE_PATH)")
+	insecure := fs.Bool("insecure", strings.EqualFold(os.Getenv("CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY"), "true"), "Skip TLS certificate verification — dev only, never set in production (env: CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY)")
 
 	fs.Parse(os.Args[1:])
 
+	if err := validateHTTPSScheme(*serverURL); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		fmt.Fprintf(os.Stderr, "\nThe certctl control plane is HTTPS-only as of v2.2.\n")
+		fmt.Fprintf(os.Stderr, "See docs/upgrade-to-tls.md for the cutover walkthrough.\n")
+		os.Exit(1)
+	}
+
 	args := fs.Args()
 	if len(args) == 0 {
 		fs.Usage()
@@ -66,13 +80,16 @@ Examples:
 	}
 
 	// Create client
-	client := cli.NewClient(*serverURL, *apiKey, *format)
+	client, err := cli.NewClient(*serverURL, *apiKey, *format, *caBundlePath, *insecure)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
 
 	// Dispatch to appropriate command
 	command := args[0]
 	cmdArgs := args[1:]
 
-	var err error
 	switch command {
 	case "certs":
 		err = handleCerts(client, cmdArgs)
@@ -237,3 +254,26 @@ func handleImport(client *cli.Client, args []string) error {
 func handleStatus(client *cli.Client) error {
 	return client.GetStatus()
 }
+
+// validateHTTPSScheme rejects plaintext and empty-scheme server URLs at
+// startup so operators get a fail-loud diagnostic before any network call,
+// not a TCP-refused or TLS-handshake-error downstream. See docs/upgrade-to-tls.md.
+func validateHTTPSScheme(serverURL string) error {
+	if serverURL == "" {
+		return fmt.Errorf("server URL is empty — set --server (or CERTCTL_SERVER_URL) to an https:// URL (e.g., https://certctl-server:8443)")
+	}
+	u, err := url.Parse(serverURL)
+	if err != nil {
+		return fmt.Errorf("server URL %q is not a valid URL: %w", serverURL, err)
+	}
+	switch strings.ToLower(u.Scheme) {
+	case "https":
+		return nil
+	case "http":
+		return fmt.Errorf("server URL %q uses plaintext http:// — the certctl control plane is HTTPS-only", serverURL)
+	case "":
+		return fmt.Errorf("server URL %q is missing a scheme — expected https://", serverURL)
+	default:
+		return fmt.Errorf("server URL %q uses unsupported scheme %q — expected https://", serverURL, u.Scheme)
+	}
+}

cmd/cli/main_test.go

@@ -0,0 +1,96 @@
+package main
+
+import (
+	"strings"
+	"testing"
+)
+
+// TestValidateHTTPSScheme pins the pre-flight URL-scheme guard that the
+// HTTPS-Everywhere milestone (v2.2, §3.2) requires on the certctl-cli binary
+// startup path. The CLI's diagnostic is distinct from the agent and MCP server
+// because it surfaces the --server flag alongside CERTCTL_SERVER_URL — so the
+// empty-URL case pins that flag-name substring separately. Every other case
+// mirrors the dispatch arms in cmd/cli/main.go:validateHTTPSScheme; drifting
+// the substrings is what this test is here to catch.
+func TestValidateHTTPSScheme(t *testing.T) {
+	tests := []struct {
+		name       string
+		serverURL  string
+		wantErr    bool
+		wantErrSub string // substring that MUST appear in the error message
+	}{
+		{
+			name:      "https URL passes",
+			serverURL: "https://certctl-server:8443",
+			wantErr:   false,
+		},
+		{
+			name:      "https URL with path passes",
+			serverURL: "https://certctl.example.com/api/v1",
+			wantErr:   false,
+		},
+		{
+			name:      "uppercase HTTPS scheme passes (url.Parse lowercases)",
+			serverURL: "HTTPS://certctl-server:8443",
+			wantErr:   false,
+		},
+		{
+			name:       "empty URL rejected mentions --server flag",
+			serverURL:  "",
+			wantErr:    true,
+			wantErrSub: "--server",
+		},
+		{
+			name:       "empty URL rejected also mentions CERTCTL_SERVER_URL",
+			serverURL:  "",
+			wantErr:    true,
+			wantErrSub: "CERTCTL_SERVER_URL",
+		},
+		{
+			name:       "plaintext http rejected",
+			serverURL:  "http://certctl-server:8443",
+			wantErr:    true,
+			wantErrSub: "plaintext http://",
+		},
+		{
+			name:       "bare host missing scheme rejected",
+			serverURL:  "localhost:8443",
+			wantErr:    true,
+			// url.Parse treats "localhost:8443" as scheme=localhost, opaque=8443
+			// — exercises the default arm (unsupported scheme) rather than the
+			// empty-scheme arm. Both are fail-closed, which is what we care about.
+			wantErrSub: "unsupported scheme",
+		},
+		{
+			name:       "path-only URL rejected",
+			serverURL:  "//certctl-server:8443",
+			wantErr:    true,
+			wantErrSub: "missing a scheme",
+		},
+		{
+			name:       "unsupported scheme rejected",
+			serverURL:  "ftp://certctl-server:8443",
+			wantErr:    true,
+			wantErrSub: "unsupported scheme",
+		},
+		{
+			name:       "ws scheme rejected",
+			serverURL:  "ws://certctl-server:8443",
+			wantErr:    true,
+			wantErrSub: "unsupported scheme",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateHTTPSScheme(tt.serverURL)
+			if (err != nil) != tt.wantErr {
+				t.Fatalf("validateHTTPSScheme(%q) err=%v wantErr=%v", tt.serverURL, err, tt.wantErr)
+			}
+			if tt.wantErr && tt.wantErrSub != "" && !strings.Contains(err.Error(), tt.wantErrSub) {
+				t.Errorf("validateHTTPSScheme(%q) err=%q must contain %q so operators see the right diagnostic",
+					tt.serverURL, err.Error(), tt.wantErrSub)
+			}
+		})
+	}
+}