On Sat, Jan 14, 2017 at 10:22 AM, Eric Covener <cove...@gmail.com> wrote:
> On Sat, Jan 14, 2017 at 11:19 AM, Eric Covener <cove...@gmail.com> wrote:
>>
>> I think if a feature/directive will turn on something that will write
>> to configured keystores, it really shouldn't do or dictate much else.
>
> Poorly phrased, but I think obtaining a cert should be separate from
> things like further SSL configuration.

I think Dirk is suggesting that the core mod_ssl continues to exist, with
sane defaults that require next to no specific directives other than to
perhaps set the https protocol on port 443, and (I vote optionally) have
a one line toggle for rewriting all port 80 requests to 443.

Note that h2 requests will continue to be honored on either port 80
or 443, so this has to be crafted somewhat carefully.

I'm 100% in support of ensuring that mod_ssl runs with the most
sensible choices in the most minimal config.

Any mod_letsencrypt can provision the certs but needs to do so
while still root, before servicing requests (although there could be
some bounce-step where the MPM begins satisfying requests,
including the verification request necessary for letsencrypt.) We
certainly don't want to parse any web response whatsoever while
running as root.

I do believe the proposal should require a one line directive to
enable this, particularly for the compiled-in, static, many-modules
build of httpd. It shouldn't be simply a matter of loading some
mod_letsencrypt without also some 'LetsEncrypt on' directive
in the ssl vhost config.
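
The minimal shape the message above describes, written out as an added
example (not configuration from the thread, from httpd, or from any
mod_letsencrypt): one TLS vhost on 443 with next to no mod_ssl directives,
one port-80 vhost whose only job is to bounce to 443, and h2 enabled on
both. Only directives that exist in httpd 2.4 are used; the proposed
one-line toggle and the 'LetsEncrypt on' directive are not real directives
and are not shown. Hostnames, paths and certificate locations are
placeholders.

```apache
# Added example, not from the thread. Hostnames and paths are placeholders.
Listen 80
Listen 443 https                # mark the port as TLS for mod_ssl

LoadModule ssl_module    modules/mod_ssl.so
LoadModule http2_module  modules/mod_http2.so

# Port 80: nothing but a redirect to TLS. If h2c (cleartext HTTP/2) is
# enabled here as well, the upgraded connection still gets the 301 for
# every request; this is the "honored on either port" case the message
# says a blanket redirect toggle has to handle carefully.
<VirtualHost *:80>
    ServerName www.example.com
    Protocols h2c http/1.1
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>

# Port 443: the only mod_ssl directives are the engine switch and the
# key/cert pair a provisioning module would write; everything else
# (protocol versions, cipher list) is left to the defaults.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/www.example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/www.example.com.key"
    Protocols h2 http/1.1
    DocumentRoot "/var/www/html"
</VirtualHost>
```

The cert and key paths are where a provisioning module would have to
write before the MPM starts serving, which is the root-before-requests
ordering the message insists on; the port-80 vhost deliberately serves
nothing, so the ACME verification request mentioned above would need the
"bounce-step" the message describes rather than a plain redirect to 443.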
