Hi Rich, some thoughts inline...

On Aug 29, 2016 10:09, "Josh Aas" <j...@letsencrypt.org> wrote:
>
> Thanks for the intro Rich.
>
> I think it's important that we make HTTPS as easy as possible with
> Apache httpd. I don't have a particular architecture in mind, my not
> being an Apache dev, but I do have a user experience in mind -- the
> simplest config option possible, without having to fetch/install
> additional packages. When that option is set, httpd should turn on
> HTTPS and get and manage certs as necessary without the user needing
> to know much of anything about it. There can, of course, be other
> options for more advanced users.

Be aware that httpd users must provision OpenSSL and other dependencies, or obtain a distribution which includes these. So these come "for free" in terms of additional burdens on this effort.

SSLEngine on currently toggles SSL in a given host context. Adding an 'auto' or 'letsencrypt' toggle value would be trivial.

> Doing this will obviously require an ACME client. I'm curious to hear
> what httpd devs think is the best architecture for including the
> client, storing the necessary data (cert chain, ACME account info),
> and configuring the feature.

This should be straightforward. We generally use a default data store in the typical var path and our autoconf and run time directives allow users to override such defaults. Adding an ACME dependency isn't a hardship on folks, any more than the other 8 or so dependencies.

> If we can come up with a plan that results in making HTTPS with httpd
> easy, one that the httpd devs are happy with, I can help to make
> funding available for the work.
>
> I'd also appreciate any recommendations for people to do the work.

There are a number of dual project members between OpenSSL and httpd who take contract work through the openssl org. The ASF won't intermediate development contracts at the project level (only for our own infrastructure which obviously relies on commercial certs.)

> I'll end this email with a link to a great example of seamless
> integration in the caddy web server:
>
> https://www.youtube.com/watch?v=nk4EWHvvZtI
>
> Thanks,
>
> --
> Josh Aas
> Executive Director
> Internet Security Research Group
> Let's Encrypt: A Free, Automated, and Open CA

And thank you for raising this proposal!