(reshuffled top post) On 14 Jan 2017, at 16:07, Rich Bowen <rbo...@rcbowen.com> wrote: > On Jan 10, 2017 12:15 PM, "Jacob Champion" <champio...@gmail.com > <mailto:champio...@gmail.com>> wrote: > On 01/10/2017 08:35 AM, Dirk-Willem van Gulik wrote: > Before I send someone into the woods - did anyone consider/do a quick > ‘mod_lets_encrypt’ (with or without a persistent store) — that > requires virtually no configuration ? > > Considered? Yes. Back in August there was some discussion on this list with > Josh Aas. I don't know what the current status is. .. > https://lists.apache.org/thread.html/ea902ae8e453b3a8d36345318fc74a54880d8bf14fed24e665c4b833@%3Cdev.httpd.apache.org%3E > > <https://lists.apache.org/thread.html/ea902ae8e453b3a8d36345318fc74a54880d8bf14fed24e665c4b833@%3Cdev.httpd.apache.org%3E> ... > https://lists.apache.org/thread.html/27d1fce7d30d9e31e2472045c260e4f8dcefd300a731ff9e435a5d4a@%3Cdev.httpd.apache.org%3E > > <https://lists.apache.org/thread.html/27d1fce7d30d9e31e2472045c260e4f8dcefd300a731ff9e435a5d4a@%3Cdev.httpd.apache.org%3E> > I talked with him at linuxcon, but there's been no followup. I for one would > love to see this happen.
So it seems we currently pull in enough sundry into mod_ssl to barely need something as ‘big’ as: https://github.com/kristapsdz/acme-client if we assume the HTTP method (only) — which makes sense if we assume that this module is first and foremost about zero configuration and convenience. By extend that also means we ‘trust’ ourselves and the user we start up as (prior to any fork, suid or chrooting). So I think we can narrow this down a lot (I just had to put something like this into a simple XMPP system) - as anyone who wants to do something more complex can use the many scripts available or use ‘real’ CA request processes. So we are talking about the configs which are as simple as # Defaults to /var/httpd/acme-private or something like we do for Mutexes. # ACMEDir /var/db/httpd/acme-private <VirtualHost foo.bar> ACME automatic … Where this implies SSLEnable, a set of sane/best-practice. ‘A+’, set of baseline SSL directives w.r.t. OSCP stapling and so on. And absolutely no further SSL statements in your vhost. And it implies that port 80 forwards to https. Perhaps disallow any port/listen stuff ? If you need SSL statements — then you are out of scope ? Is that fair ? Which reduces the footprint to: - fetching the ACME-CA-URLs on first run ever; on install —or— having these as part of the distribution. => Fair to assume we ship with the ACME CA url ? - pin the server. - reading -or- generating an RSA key & 0600 storing it in what we consider a safe enough place (prior to any chroot)ing. => Fair to assume key rollover is out of scope for this key (we could even do this empheral - and regenerate on renewal) ? => Fair to assume we just use one for all domains ? - Register this on first run. => Fair to assume things like contact email and EULA ok are out of scope ? - Build up a cert for each vhost; with all aliases added too as altnames. - for each vhost (altname) — get a challenge from the ACME server. => Fair to assume we do not care about account recovery ? - bring up that/all vhost on their port 80 (all vhosts that have LetsEncrypt set to auto/on). => so if I understand the spec right - only port 80 ==> thus fair to assume non-root startup is out of scope - as we need to bind to a port < 1024. So therefore: => fair to configure this ‘easier’ — i.e. if you do LetsEnrypt on on a domain SSL auto switches on and port 80 becomes an automatic redirect to https ? - Respond to the well know URI with each of he challenges. - Fetch/poll for the cert; save with 0600 and tight UID and be done. - Gracefully fail for each domain after N seconds - blocking https and with a sorry no ACME on http. => do we need to allow for an ErrorDocument customisation of the latter ? - Set up a sane virtual SSL set of directives; and then chroot/suid/fork and start your normal run. - Switch of http or make http a blind to https forwarder. - Can we assume that the server has a graceful restart every week ? => And thus declare ACME renewal from within out of scope ? Or do we need to auto disable SSL and go to http ? Does that make sense - or have I oversimplified it and lost the plot ? Dw