> On 14 Jan 2017, at 19:05, William A Rowe Jr <[email protected]> wrote:
>
> On Sat, Jan 14, 2017 at 10:22 AM, Eric Covener <[email protected]> wrote:
>> On Sat, Jan 14, 2017 at 11:19 AM, Eric Covener <[email protected]> wrote:
>>>
>>> I think if a feature/directive will turn on something that will write
>>> to configured keystores, it really shouldn't do or dictate much else.
>>
>> Poorly phrased, but I think obtaining a cert should be separate from
>> things like further SSL configuration.
>
> I think Dirk is suggesting that the core mod_ssl continues to exist, with
> sane defaults that require next to no specific directives other than to
> perhaps set the https protocol on port 443, and (I vote optionally) have
> a one line toggle for rewriting all port 80 requests to 443.
>
> Note that h2 requests will continue to be honored on either port 80
> or 443, so this has to be crafted somewhat carefully.
>
> I'm 100% in support of ensuring that mod_ssl runs with the most
> sensible choices in the most minimal config.
>
> Any mod_letsencrypt can provision the certs but needs to do so
> while still root, before servicing requests (although there could be
> some bounce-step where the MPM begins satisfying requests,
> including the verification request necessary for letsencrypt.) We
> certainly don't want to parse any web response whatsoever while
> running as root.
Some of this will be needed - we need to be root to bind to port 80 — as the
protocol (in my reading) seems to demand it (now would be a good time to
petition the draft to change this for a random higher port).
In fact - that may be a nice feature - an essential, ephemeral port.
And we will need to be able to respond to an HTTP request to a well known URL
with the public key/token — and post that have some fork/pid be root enough to
write a few things to safe places.
> I do believe the proposal should require a one line directive to
> enable this, particularly for the compiled-in static many modules
> build of httpd. It shouldn't be simply a matter of loading some
> mod_letsencrypt without also some 'LetsEncrypt on' directive
> in the ssl vhost config.
The alternative is bundling a small shell script, like stripped down
‘dehydrated’:
https://github.com/lukas2511/dehydrated/blob/master/dehydrated
as a tool. And augment it with examples. But then you are back to square one.
Dw.
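The sequence Bill and Dirk describe above (bind port 80 while root, hand off, and only then answer the well-known URL with the token, never parsing a request as root) as an added example. This is not httpd, mod_letsencrypt or dehydrated code and is not from any poster on the thread. Assumptions not stated on the page: the challenge path has the form `/.well-known/acme-challenge/<token>`, tokens use only base64url characters, the unprivileged account is `nobody`, and the key-authorization lookup is left as a placeholder.

```c
/* Added example: a privilege-separated responder for the well-known
 * challenge URL discussed in the thread. Not httpd or mod_letsencrypt
 * code. Assumptions not on the page: the path form
 * /.well-known/acme-challenge/<token>, base64url token characters,
 * and the unprivileged user "nobody". */
#include <arpa/inet.h>
#include <ctype.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define CHALLENGE_PREFIX "/.well-known/acme-challenge/"

/* base64url alphabet, the only characters an ACME token may contain */
static int token_char(int c) { return isalnum(c) || c == '-' || c == '_'; }

/* Parse "GET /.well-known/acme-challenge/<token> HTTP/1.x". Copies the
 * token into out and returns 1; returns 0 for any other method or path,
 * and for anything containing '/', '.', '?', '%' etc. (not token
 * characters), so nothing derived from the request can name a file
 * outside the token namespace. */
int acme_challenge_token(const char *request_line, char *out, size_t outlen) {
    const char *p = request_line;
    size_t n = 0;
    if (strncmp(p, "GET ", 4) != 0) return 0;
    p += 4;
    if (strncmp(p, CHALLENGE_PREFIX, strlen(CHALLENGE_PREFIX)) != 0) return 0;
    p += strlen(CHALLENGE_PREFIX);
    while (token_char((unsigned char)p[n])) n++;
    if (n == 0 || n >= outlen) return 0;
    if (strncmp(p + n, " HTTP/1.", 8) != 0) return 0;   /* token must end here */
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Step 1 (root): bind the privileged port. No request bytes are read here. */
static int bind_port_80(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(80);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2 (root -> user): drop supplementary groups, gid, then uid, and
 * verify root cannot be regained. Returns 0 on success. */
int drop_privileges(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (!pw || pw->pw_uid == 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    if (setuid(0) == 0 || geteuid() == 0) return -1;
    return 0;
}

/* Step 3 (user only): accept and parse requests, answer the challenge. */
int main(void) {
    int fd = bind_port_80();
    if (fd < 0) { perror("bind port 80"); return 1; }
    if (drop_privileges("nobody") != 0) { fprintf(stderr, "privilege drop failed\n"); return 1; }
    for (;;) {
        char line[1024] = {0}, token[256], *eol;
        int c = accept(fd, NULL, NULL);
        if (c < 0) continue;
        if (read(c, line, sizeof line - 1) > 0 && (eol = strpbrk(line, "\r\n")))
            *eol = '\0';
        if (acme_challenge_token(line, token, sizeof token))
            /* placeholder: a real responder returns the key authorization
             * provisioned for this token, not the token itself */
            dprintf(c, "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n%s\n", token);
        else
            dprintf(c, "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n");
        close(c);
    }
}
```

Running `main` needs root for the bind and then continues as `nobody`; the two steps are kept in separate functions so the order (bind, drop, only then read) is visible and the drop is checked rather than assumed. `acme_challenge_token` is deliberately strict: the token is the only request-derived value that survives parsing, and its character set rules out traversal and query strings before any lookup happens.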